BASELINE: Update Chromium to 108.0.5359.70

Change-Id: I77334ff232b819600f275bd3cfe41fbaa3619230
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/445904
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

2763 files changed, 35616 insertions, 41086 deletions

diff --git a/chromium/net/BUILD.gn b/chromium/net/BUILD.gn
index 52f286fde3e..e12e5b6936b 100644
--- a/chromium/net/BUILD.gn
+++ b/chromium/net/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright (c) 2013 The Chromium Authors. All rights reserved.
+# Copyright 2013 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -84,7 +84,6 @@ buildflag_header("buildflags") {
     "USE_KERBEROS=$use_kerberos",
     "USE_EXTERNAL_GSSAPI=$use_external_gssapi",
     "TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED=$trial_comparison_cert_verifier_supported",
-    "BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED=$builtin_cert_verifier_feature_supported",
     "CHROME_ROOT_STORE_SUPPORTED=$chrome_root_store_supported",
   ]
 }
@@ -366,6 +365,8 @@ component("net") {
     "cert/pki/signature_algorithm.h",
     "cert/pki/simple_path_builder_delegate.cc",
     "cert/pki/simple_path_builder_delegate.h",
+    "cert/pki/string_util.cc",
+    "cert/pki/string_util.h",
     "cert/pki/trust_store.cc",
     "cert/pki/trust_store.h",
     "cert/pki/trust_store_collection.cc",
@@ -434,16 +435,8 @@ component("net") {
     "cookies/cookie_store.h",
     "cookies/cookie_util.cc",
     "cookies/cookie_util.h",
-    "cookies/first_party_set_entry.cc",
-    "cookies/first_party_set_entry.h",
-    "cookies/first_party_set_metadata.cc",
-    "cookies/first_party_set_metadata.h",
-    "cookies/first_party_sets_context_config.cc",
-    "cookies/first_party_sets_context_config.h",
     "cookies/parsed_cookie.cc",
     "cookies/parsed_cookie.h",
-    "cookies/same_party_context.cc",
-    "cookies/same_party_context.h",
     "cookies/site_for_cookies.cc",
     "cookies/site_for_cookies.h",
     "cookies/static_cookie_policy.cc",
@@ -546,6 +539,20 @@ component("net") {
     "filter/gzip_source_stream.h",
     "filter/source_stream.cc",
     "filter/source_stream.h",
+    "first_party_sets/addition_overlaps_union_find.cc",
+    "first_party_sets/addition_overlaps_union_find.h",
+    "first_party_sets/first_party_set_entry.cc",
+    "first_party_sets/first_party_set_entry.h",
+    "first_party_sets/first_party_set_metadata.cc",
+    "first_party_sets/first_party_set_metadata.h",
+    "first_party_sets/first_party_sets_cache_filter.cc",
+    "first_party_sets/first_party_sets_cache_filter.h",
+    "first_party_sets/first_party_sets_context_config.cc",
+    "first_party_sets/first_party_sets_context_config.h",
+    "first_party_sets/global_first_party_sets.cc",
+    "first_party_sets/global_first_party_sets.h",
+    "first_party_sets/same_party_context.cc",
+    "first_party_sets/same_party_context.h",
     "http/alternative_service.cc",
     "http/alternative_service.h",
     "http/bidirectional_stream.cc",
@@ -1016,8 +1023,6 @@ component("net") {
     "url_request/url_request_context_getter.cc",
     "url_request/url_request_context_getter.h",
     "url_request/url_request_context_getter_observer.h",
-    "url_request/url_request_context_storage.cc",
-    "url_request/url_request_context_storage.h",
     "url_request/url_request_error_job.cc",
     "url_request/url_request_error_job.h",
     "url_request/url_request_filter.cc",
@@ -1058,7 +1063,7 @@ component("net") {
     ":ios_cronet_buildflags",
     ":net_deps",
     "//build:chromeos_buildflags",
-    "//net/data/ssl/ev_roots:gen_ev_root_store_inc",
+    "//net/data/ssl/chrome_root_store:gen_root_store_inc",
     "//net/http:transport_security_state_generated_files",
   ]
 
@@ -1198,6 +1203,10 @@ component("net") {
     ]
   }
 
+  if (is_chromeos) {
+    deps += [ "//third_party/xdg_shared_mime_info" ]
+  }
+
   if (is_mac) {
     sources += [
       "base/network_notification_thread_mac.cc",
@@ -1248,6 +1257,8 @@ component("net") {
       "base/net_errors_win.cc",
       "base/network_change_notifier_win.cc",
       "base/network_change_notifier_win.h",
+      "base/network_cost_change_notifier_win.cc",
+      "base/network_cost_change_notifier_win.h",
       "base/network_interfaces_win.cc",
       "base/network_interfaces_win.h",
       "base/platform_mime_util_win.cc",
@@ -1841,6 +1852,7 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/bad_validity.pem",
     "data/ssl/certificates/can_sign_http_exchanges_draft_extension.pem",
     "data/ssl/certificates/can_sign_http_exchanges_draft_extension_invalid.pem",
+    "data/ssl/certificates/caninesonduty.com.pem",
     "data/ssl/certificates/client-empty-password.p12",
     "data/ssl/certificates/client-nokey.p12",
     "data/ssl/certificates/client-null-password.p12",
@@ -1902,11 +1914,9 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/duplicate_cn_2.p12",
     "data/ssl/certificates/duplicate_cn_2.pem",
     "data/ssl/certificates/eku-test-root.pem",
-    "data/ssl/certificates/ev-multi-oid.pem",
     "data/ssl/certificates/ev_test.pem",
     "data/ssl/certificates/ev_test_state_only.pem",
     "data/ssl/certificates/expired_cert.pem",
-    "data/ssl/certificates/explicit-policy-chain.pem",
     "data/ssl/certificates/foaf.me.chromium-test-cert.der",
     "data/ssl/certificates/gms.hongleong.com.my-verisign-chain.pem",
     "data/ssl/certificates/google.binary.p7b",
@@ -1952,16 +1962,11 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/multi-root-crlset-unrelated.raw",
     "data/ssl/certificates/multi-root.keychain",
     "data/ssl/certificates/multivalue_rdn.pem",
-    "data/ssl/certificates/name-normalization-byteequal.pem",
-    "data/ssl/certificates/name-normalization-case-folding.pem",
-    "data/ssl/certificates/name-normalization-printable-utf8.pem",
-    "data/ssl/certificates/name_constraint_bad.pem",
-    "data/ssl/certificates/name_constraint_good.pem",
+    "data/ssl/certificates/name_constrained_key.pem",
     "data/ssl/certificates/ndn.ca.crt",
     "data/ssl/certificates/nist.der",
     "data/ssl/certificates/no_subject_common_name_cert.pem",
     "data/ssl/certificates/non-crit-codeSigning-chain.pem",
-    "data/ssl/certificates/ocsp-test-root.pem",
     "data/ssl/certificates/ok_cert.pem",
     "data/ssl/certificates/ok_cert_by_intermediate.pem",
     "data/ssl/certificates/post_june_2016.pem",
@@ -1985,7 +1990,6 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/redundant-server-chain.pem",
     "data/ssl/certificates/redundant-validated-chain-root.pem",
     "data/ssl/certificates/redundant-validated-chain.pem",
-    "data/ssl/certificates/reject_intranet_hosts.pem",
     "data/ssl/certificates/root_ca_cert.pem",
     "data/ssl/certificates/salesforce_com_test.pem",
     "data/ssl/certificates/self-signed-invalid-name.pem",
@@ -1997,7 +2001,6 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/subjectAltName_sanity_check.pem",
     "data/ssl/certificates/subjectAltName_www_example_com.pem",
     "data/ssl/certificates/test_names.pem",
-    "data/ssl/certificates/thepaverbros.com.pem",
     "data/ssl/certificates/treadclimber.pem",
     "data/ssl/certificates/treadclimber.sctlist",
     "data/ssl/certificates/unescaped.pem",
@@ -2171,6 +2174,8 @@ static_library("test_support") {
     "test/ssl_test_util.cc",
     "test/ssl_test_util.h",
     "test/test_certificate_data.h",
+    "test/test_connection_cost_observer.cc",
+    "test/test_connection_cost_observer.h",
     "test/test_data_directory.cc",
     "test/test_data_directory.h",
     "test/test_doh_server.cc",
@@ -2190,6 +2195,13 @@ static_library("test_support") {
     "url_request/url_request_test_util.h",
   ]
 
+  if (is_win) {
+    sources += [
+      "test/win/fake_network_cost_manager.cc",
+      "test/win/fake_network_cost_manager.h",
+    ]
+  }
+
   if (is_mac) {
     sources += [
       "test/keychain_test_util_mac.cc",
@@ -3117,8 +3129,8 @@ bundle_data("net_unittests_bundle_data") {
     "data/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/main.test",
     "data/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage/chain.pem",
     "data/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage/main.test",
-    "data/verify_certificate_chain_unittest/intermediate-signed-with-md5/chain.pem",
-    "data/verify_certificate_chain_unittest/intermediate-signed-with-md5/main.test",
+    "data/verify_certificate_chain_unittest/intermediate-signed-with-sha1/chain.pem",
+    "data/verify_certificate_chain_unittest/intermediate-signed-with-sha1/main.test",
     "data/verify_certificate_chain_unittest/intermediate-unknown-critical-extension/chain.pem",
     "data/verify_certificate_chain_unittest/intermediate-unknown-critical-extension/main.test",
     "data/verify_certificate_chain_unittest/intermediate-unknown-non-critical-extension/chain.pem",
@@ -3306,8 +3318,8 @@ bundle_data("net_unittests_bundle_data") {
     "data/verify_certificate_chain_unittest/target-signed-by-512bit-rsa/main.test",
     "data/verify_certificate_chain_unittest/target-signed-using-ecdsa/chain.pem",
     "data/verify_certificate_chain_unittest/target-signed-using-ecdsa/main.test",
-    "data/verify_certificate_chain_unittest/target-signed-with-md5/chain.pem",
-    "data/verify_certificate_chain_unittest/target-signed-with-md5/main.test",
+    "data/verify_certificate_chain_unittest/target-signed-with-sha1/chain.pem",
+    "data/verify_certificate_chain_unittest/target-signed-with-sha1/main.test",
     "data/verify_certificate_chain_unittest/target-unknown-critical-extension/chain.pem",
     "data/verify_certificate_chain_unittest/target-unknown-critical-extension/main.test",
     "data/verify_certificate_chain_unittest/target-wrong-signature-no-authority-key-identifier/chain.pem",
@@ -4102,6 +4114,7 @@ test("net_unittests") {
     "cert/pki/path_builder_verify_certificate_chain_unittest.cc",
     "cert/pki/signature_algorithm_unittest.cc",
     "cert/pki/simple_path_builder_delegate_unittest.cc",
+    "cert/pki/string_util_unittest.cc",
     "cert/pki/test_helpers.cc",
     "cert/pki/test_helpers.h",
     "cert/pki/trust_store_collection_unittest.cc",
@@ -4154,6 +4167,10 @@ test("net_unittests") {
     "extras/sqlite/sqlite_persistent_cookie_store_unittest.cc",
     "filter/filter_source_stream_unittest.cc",
     "filter/gzip_source_stream_unittest.cc",
+    "first_party_sets/addition_overlaps_union_find_unittest.cc",
+    "first_party_sets/first_party_sets_cache_filter_unittest.cc",
+    "first_party_sets/first_party_sets_context_config_unittest.cc",
+    "first_party_sets/global_first_party_sets_unittest.cc",
     "http/alternative_service_unittest.cc",
     "http/bidirectional_stream_unittest.cc",
     "http/broken_alternative_services_unittest.cc",
@@ -4183,6 +4200,7 @@ test("net_unittests") {
     "http/http_proxy_client_socket_unittest.cc",
     "http/http_proxy_connect_job_unittest.cc",
     "http/http_request_headers_unittest.cc",
+    "http/http_request_info_unittest.cc",
     "http/http_response_body_drainer_unittest.cc",
     "http/http_response_headers_unittest.cc",
     "http/http_response_info_unittest.cc",
@@ -4394,6 +4412,7 @@ test("net_unittests") {
   if (is_win) {
     sources += [
       "base/network_change_notifier_win_unittest.cc",
+      "base/network_cost_change_notifier_win_unittest.cc",
       "base/network_interfaces_win_unittest.cc",
       "cert/cert_verify_proc_win_unittest.cc",
       "http/http_auth_sspi_win_unittest.cc",
@@ -4544,7 +4563,6 @@ test("net_unittests") {
       "//third_party/fuchsia-sdk/sdk/pkg/fidl_cpp",
     ]
     sources += [ "base/network_change_notifier_fuchsia_unittest.cc" ]
-    use_cfv1 = false
     additional_manifest_fragments =
         [ "//build/config/fuchsia/test/network.shard.test-cml" ]
   }
diff --git a/chromium/net/OWNERS b/chromium/net/OWNERS
index 7f4444852d5..4b7d85e5e54 100644
--- a/chromium/net/OWNERS
+++ b/chromium/net/OWNERS
@@ -12,7 +12,6 @@ nharper@chromium.org
 pauljensen@chromium.org
 rch@chromium.org
 ricea@chromium.org
-yhirano@chromium.org
 
 file://net/quic/OWNERS # For QUICHE rolls only.
 
diff --git a/chromium/net/android/BUILD.gn b/chromium/net/android/BUILD.gn
index 771d681e868..556c205c0d8 100644
--- a/chromium/net/android/BUILD.gn
+++ b/chromium/net/android/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/android/android_http_util.cc b/chromium/net/android/android_http_util.cc
index 83f8831548f..c38163b328e 100644
--- a/chromium/net/android/android_http_util.cc
+++ b/chromium/net/android/android_http_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/cert_verify_result_android.cc b/chromium/net/android/cert_verify_result_android.cc
index b1c2336b7f1..62339cfccfd 100644
--- a/chromium/net/android/cert_verify_result_android.cc
+++ b/chromium/net/android/cert_verify_result_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/cert_verify_result_android.h b/chromium/net/android/cert_verify_result_android.h
index bed863a0c16..c753957a565 100644
--- a/chromium/net/android/cert_verify_result_android.h
+++ b/chromium/net/android/cert_verify_result_android.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/dummy_spnego_authenticator.cc b/chromium/net/android/dummy_spnego_authenticator.cc
index 8a13e7d1e40..3ddea3f9bfc 100644
--- a/chromium/net/android/dummy_spnego_authenticator.cc
+++ b/chromium/net/android/dummy_spnego_authenticator.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "net/android/dummy_spnego_authenticator.h"
diff --git a/chromium/net/android/dummy_spnego_authenticator.h b/chromium/net/android/dummy_spnego_authenticator.h
index 5a221a48469..9b1740e75db 100644
--- a/chromium/net/android/dummy_spnego_authenticator.h
+++ b/chromium/net/android/dummy_spnego_authenticator.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/gurl_utils.cc b/chromium/net/android/gurl_utils.cc
index 71976665a2f..e3df9a42723 100644
--- a/chromium/net/android/gurl_utils.cc
+++ b/chromium/net/android/gurl_utils.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/http_auth_negotiate_android.cc b/chromium/net/android/http_auth_negotiate_android.cc
index 0f63e5bfe7c..30f524ee546 100644
--- a/chromium/net/android/http_auth_negotiate_android.cc
+++ b/chromium/net/android/http_auth_negotiate_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/http_auth_negotiate_android.h b/chromium/net/android/http_auth_negotiate_android.h
index de70664b525..e9f449d6b54 100644
--- a/chromium/net/android/http_auth_negotiate_android.h
+++ b/chromium/net/android/http_auth_negotiate_android.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/http_auth_negotiate_android_unittest.cc b/chromium/net/android/http_auth_negotiate_android_unittest.cc
index 9dfaf88d120..aba7e0aaf26 100644
--- a/chromium/net/android/http_auth_negotiate_android_unittest.cc
+++ b/chromium/net/android/http_auth_negotiate_android_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/junit/src/org/chromium/net/HttpNegotiateAuthenticatorTest.java b/chromium/net/android/junit/src/org/chromium/net/HttpNegotiateAuthenticatorTest.java
index 06688a091e1..27a73ac674d 100644
--- a/chromium/net/android/junit/src/org/chromium/net/HttpNegotiateAuthenticatorTest.java
+++ b/chromium/net/android/junit/src/org/chromium/net/HttpNegotiateAuthenticatorTest.java
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -49,7 +49,6 @@ import org.robolectric.annotation.Implementation;
 import org.robolectric.annotation.Implements;
 import org.robolectric.shadows.ShadowAccountManager;
 import org.robolectric.shadows.ShadowApplication;
-import org.robolectric.shadows.multidex.ShadowMultiDex;
 
 import org.chromium.base.ApplicationStatus;
 import org.chromium.base.test.BaseRobolectricTestRunner;
@@ -65,8 +64,7 @@ import java.util.List;
  */
 @RunWith(BaseRobolectricTestRunner.class)
 @Config(manifest = Config.NONE,
-        shadows = {HttpNegotiateAuthenticatorTest.ExtendedShadowAccountManager.class,
-                ShadowMultiDex.class})
+        shadows = {HttpNegotiateAuthenticatorTest.ExtendedShadowAccountManager.class})
 public class HttpNegotiateAuthenticatorTest {
     /**
      * User the AccountManager to inject a mock instance.
diff --git a/chromium/net/android/junit/src/org/chromium/net/NetworkTrafficAnnotationTagTest.java b/chromium/net/android/junit/src/org/chromium/net/NetworkTrafficAnnotationTagTest.java
index fb157b0018a..246539028fd 100644
--- a/chromium/net/android/junit/src/org/chromium/net/NetworkTrafficAnnotationTagTest.java
+++ b/chromium/net/android/junit/src/org/chromium/net/NetworkTrafficAnnotationTagTest.java
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/keystore.cc b/chromium/net/android/keystore.cc
index 4ec8c2a5728..f8405556470 100644
--- a/chromium/net/android/keystore.cc
+++ b/chromium/net/android/keystore.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/keystore.h b/chromium/net/android/keystore.h
index 471cc2feaee..0fd3f013875 100644
--- a/chromium/net/android/keystore.h
+++ b/chromium/net/android/keystore.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_change_notifier_android.cc b/chromium/net/android/network_change_notifier_android.cc
index b21eab661a8..167614634ea 100644
--- a/chromium/net/android/network_change_notifier_android.cc
+++ b/chromium/net/android/network_change_notifier_android.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_change_notifier_android.h b/chromium/net/android/network_change_notifier_android.h
index f899cea7916..20526fbe4d3 100644
--- a/chromium/net/android/network_change_notifier_android.h
+++ b/chromium/net/android/network_change_notifier_android.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_change_notifier_android_unittest.cc b/chromium/net/android/network_change_notifier_android_unittest.cc
index 06a3bd23e7c..af62fec5df7 100644
--- a/chromium/net/android/network_change_notifier_android_unittest.cc
+++ b/chromium/net/android/network_change_notifier_android_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_change_notifier_delegate_android.cc b/chromium/net/android/network_change_notifier_delegate_android.cc
index 7c2f8c41968..b72b65d2dc4 100644
--- a/chromium/net/android/network_change_notifier_delegate_android.cc
+++ b/chromium/net/android/network_change_notifier_delegate_android.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_change_notifier_delegate_android.h b/chromium/net/android/network_change_notifier_delegate_android.h
index 66d8c929e4b..6c6b934b4df 100644
--- a/chromium/net/android/network_change_notifier_delegate_android.h
+++ b/chromium/net/android/network_change_notifier_delegate_android.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_change_notifier_factory_android.cc b/chromium/net/android/network_change_notifier_factory_android.cc
index 35e9ce72b60..06fccc900c8 100644
--- a/chromium/net/android/network_change_notifier_factory_android.cc
+++ b/chromium/net/android/network_change_notifier_factory_android.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_change_notifier_factory_android.h b/chromium/net/android/network_change_notifier_factory_android.h
index 7e15474a9c6..7581a1728df 100644
--- a/chromium/net/android/network_change_notifier_factory_android.h
+++ b/chromium/net/android/network_change_notifier_factory_android.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_library.cc b/chromium/net/android/network_library.cc
index aee7aff8f5d..61d322e6e20 100644
--- a/chromium/net/android/network_library.cc
+++ b/chromium/net/android/network_library.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_library.h b/chromium/net/android/network_library.h
index 9597e9f1e1a..c48da3af537 100644
--- a/chromium/net/android/network_library.h
+++ b/chromium/net/android/network_library.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/network_library_unittest.cc b/chromium/net/android/network_library_unittest.cc
index d1ce81449e4..3abc5f85bc0 100644
--- a/chromium/net/android/network_library_unittest.cc
+++ b/chromium/net/android/network_library_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/radio_activity_tracker.cc b/chromium/net/android/radio_activity_tracker.cc
index 10c2e71a53c..195977d78a6 100644
--- a/chromium/net/android/radio_activity_tracker.cc
+++ b/chromium/net/android/radio_activity_tracker.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/radio_activity_tracker.h b/chromium/net/android/radio_activity_tracker.h
index 268e61ad8b4..284e9bae886 100644
--- a/chromium/net/android/radio_activity_tracker.h
+++ b/chromium/net/android/radio_activity_tracker.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/tools/proxy_test_cases.py b/chromium/net/android/tools/proxy_test_cases.py
index ab93f678314..42c7a70c9f7 100755
--- a/chromium/net/android/tools/proxy_test_cases.py
+++ b/chromium/net/android/tools/proxy_test_cases.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/android/traffic_stats.cc b/chromium/net/android/traffic_stats.cc
index 0aa647f749a..53a6e6b5894 100644
--- a/chromium/net/android/traffic_stats.cc
+++ b/chromium/net/android/traffic_stats.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/traffic_stats.h b/chromium/net/android/traffic_stats.h
index baa062de45e..8f583740ca0 100644
--- a/chromium/net/android/traffic_stats.h
+++ b/chromium/net/android/traffic_stats.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/traffic_stats_unittest.cc b/chromium/net/android/traffic_stats_unittest.cc
index f901590b09f..1e707c31b2e 100644
--- a/chromium/net/android/traffic_stats_unittest.cc
+++ b/chromium/net/android/traffic_stats_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/android/unittest_support/AndroidManifest.xml b/chromium/net/android/unittest_support/AndroidManifest.xml
index 29c12f9e767..43cc4ea95d5 100644
--- a/chromium/net/android/unittest_support/AndroidManifest.xml
+++ b/chromium/net/android/unittest_support/AndroidManifest.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-Copyright 2014 The Chromium Authors. All rights reserved.
+Copyright 2014 The Chromium Authors
 Use of this source code is governed by a BSD-style license that can be
 found in the LICENSE file.
 -->
diff --git a/chromium/net/base/BUILD.gn b/chromium/net/base/BUILD.gn
index 5c005ab659a..315f921ed4b 100644
--- a/chromium/net/base/BUILD.gn
+++ b/chromium/net/base/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2022 The Chromium Authors. All rights reserved.
+# Copyright 2022 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/base/DEPS b/chromium/net/base/DEPS
index fac79a66f61..54ab40cde0e 100644
--- a/chromium/net/base/DEPS
+++ b/chromium/net/base/DEPS
@@ -1,3 +1,9 @@
 include_rules = [
   "+grit",  # For generated headers
 ]
+
+specific_include_rules = {
+  "platform_mime_util_linux\.cc": [
+    "+third_party/xdg_shared_mime_info",
+  ]
+}
diff --git a/chromium/net/base/address_family.cc b/chromium/net/base/address_family.cc
index dbc72262327..3c745ac81e7 100644
--- a/chromium/net/base/address_family.cc
+++ b/chromium/net/base/address_family.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/address_family.h b/chromium/net/base/address_family.h
index 856792caa85..be4310e3baa 100644
--- a/chromium/net/base/address_family.h
+++ b/chromium/net/base/address_family.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/address_family_unittest.cc b/chromium/net/base/address_family_unittest.cc
index 8248c87a34e..5880a049cc1 100644
--- a/chromium/net/base/address_family_unittest.cc
+++ b/chromium/net/base/address_family_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/address_list.cc b/chromium/net/base/address_list.cc
index 95304b0dfec..74850b5f7cf 100644
--- a/chromium/net/base/address_list.cc
+++ b/chromium/net/base/address_list.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/address_list.h b/chromium/net/base/address_list.h
index a93093e41f3..589d605f2f6 100644
--- a/chromium/net/base/address_list.h
+++ b/chromium/net/base/address_list.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/address_list_unittest.cc b/chromium/net/base/address_list_unittest.cc
index d6f29346656..1b5945b6086 100644
--- a/chromium/net/base/address_list_unittest.cc
+++ b/chromium/net/base/address_list_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/address_tracker_linux.cc b/chromium/net/base/address_tracker_linux.cc
index d1a77c6d3ed..242f40f543d 100644
--- a/chromium/net/base/address_tracker_linux.cc
+++ b/chromium/net/base/address_tracker_linux.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/address_tracker_linux.h b/chromium/net/base/address_tracker_linux.h
index c2d4ea8c7ce..4398c5880ad 100644
--- a/chromium/net/base/address_tracker_linux.h
+++ b/chromium/net/base/address_tracker_linux.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/address_tracker_linux_fuzzer.cc b/chromium/net/base/address_tracker_linux_fuzzer.cc
index 124cf3298b5..26119059d26 100644
--- a/chromium/net/base/address_tracker_linux_fuzzer.cc
+++ b/chromium/net/base/address_tracker_linux_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/address_tracker_linux_unittest.cc b/chromium/net/base/address_tracker_linux_unittest.cc
index 83f8051b063..93a28623912 100644
--- a/chromium/net/base/address_tracker_linux_unittest.cc
+++ b/chromium/net/base/address_tracker_linux_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/android/java_templates/NetFeatures.java.tmpl b/chromium/net/base/android/java_templates/NetFeatures.java.tmpl
index d3d8899f2eb..fe11c0b9a64 100644
--- a/chromium/net/base/android/java_templates/NetFeatures.java.tmpl
+++ b/chromium/net/base/android/java_templates/NetFeatures.java.tmpl
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/auth.cc b/chromium/net/base/auth.cc
index 9f27cdd3e76..e915de6b7e7 100644
--- a/chromium/net/base/auth.cc
+++ b/chromium/net/base/auth.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/auth.h b/chromium/net/base/auth.h
index 6bf763475ca..e80006ee9ac 100644
--- a/chromium/net/base/auth.h
+++ b/chromium/net/base/auth.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/backoff_entry.cc b/chromium/net/base/backoff_entry.cc
index 400a4052712..fc47925e450 100644
--- a/chromium/net/base/backoff_entry.cc
+++ b/chromium/net/base/backoff_entry.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/backoff_entry.h b/chromium/net/base/backoff_entry.h
index f4754449e29..45f92a6975e 100644
--- a/chromium/net/base/backoff_entry.h
+++ b/chromium/net/base/backoff_entry.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/backoff_entry_serializer.cc b/chromium/net/base/backoff_entry_serializer.cc
index 2a65462e551..932c204c0f9 100644
--- a/chromium/net/base/backoff_entry_serializer.cc
+++ b/chromium/net/base/backoff_entry_serializer.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,7 +15,7 @@
 
 namespace {
 // This max defines how many times we are willing to call
-// |BackoffEntry::InformOfRequest| in |DeserializeFromValue|.
+// |BackoffEntry::InformOfRequest| in |DeserializeFromList|.
 //
 // This value is meant to large enough that the computed backoff duration can
 // still be saturated. Given that the duration is an int64 and assuming 1.01 as
@@ -34,8 +34,9 @@ bool BackoffDurationSafeToSerialize(const base::TimeDelta& duration) {
 
 namespace net {
 
-base::Value BackoffEntrySerializer::SerializeToValue(const BackoffEntry& entry,
-                                                     base::Time time_now) {
+base::Value::List BackoffEntrySerializer::SerializeToList(
+    const BackoffEntry& entry,
+    base::Time time_now) {
   base::Value::List serialized;
   serialized.Append(SerializationFormatVersion::kVersion2);
 
@@ -68,7 +69,7 @@ base::Value BackoffEntrySerializer::SerializeToValue(const BackoffEntry& entry,
   serialized.Append(
       base::NumberToString(absolute_release_time.ToInternalValue()));
 
-  return base::Value(std::move(serialized));
+  return serialized;
 }
 
 std::unique_ptr<BackoffEntry> BackoffEntrySerializer::DeserializeFromList(
@@ -171,15 +172,4 @@ std::unique_ptr<BackoffEntry> BackoffEntrySerializer::DeserializeFromList(
   return entry;
 }
 
-std::unique_ptr<BackoffEntry> BackoffEntrySerializer::DeserializeFromValue(
-    const base::Value& serialized,
-    const BackoffEntry::Policy* policy,
-    const base::TickClock* tick_clock,
-    base::Time time_now) {
-  if (!serialized.is_list())
-    return nullptr;
-  return DeserializeFromList(serialized.GetList(), policy, tick_clock,
-                             time_now);
-}
-
 }  // namespace net
diff --git a/chromium/net/base/backoff_entry_serializer.h b/chromium/net/base/backoff_entry_serializer.h
index 6a35545981c..4835afa1899 100644
--- a/chromium/net/base/backoff_entry_serializer.h
+++ b/chromium/net/base/backoff_entry_serializer.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -31,7 +31,7 @@ class NET_EXPORT BackoffEntrySerializer {
   BackoffEntrySerializer(const BackoffEntrySerializer&) = delete;
   BackoffEntrySerializer& operator=(const BackoffEntrySerializer&) = delete;
 
-  // Serializes the release time and failure count into a Value that can
+  // Serializes the release time and failure count into a List that can
   // later be passed to Deserialize to re-create the given BackoffEntry. It
   // always serializes using the latest format version. The Policy is not
   // serialized, instead callers must pass an identical Policy* when
@@ -40,8 +40,8 @@ class NET_EXPORT BackoffEntrySerializer {
   // converted to an absolute timestamp, thus the time will continue counting
   // down even whilst the device is powered off, and will be partially
   // vulnerable to changes in the system clock time.
-  static base::Value SerializeToValue(const BackoffEntry& entry,
-                                      base::Time time_now);
+  static base::Value::List SerializeToList(const BackoffEntry& entry,
+                                           base::Time time_now);
 
   // Deserializes a `list` back to a BackoffEntry. It supports all
   // serialization format versions. `policy` MUST be the same Policy as the
@@ -56,16 +56,6 @@ class NET_EXPORT BackoffEntrySerializer {
       const BackoffEntry::Policy* policy,
       const base::TickClock* clock,
       base::Time time_now);
-
-  // Same as `DeserializeFromList` if `serialized` is a list.
-  // Returns `nullptr` otherwise.
-  // TODO(https://crbug.com/1352136) migrated call sites to
-  // DeserializeFromList and remove DeserializeFromValue.
-  static std::unique_ptr<BackoffEntry> DeserializeFromValue(
-      const base::Value& serialized,
-      const BackoffEntry::Policy* policy,
-      const base::TickClock* clock,
-      base::Time time_now);
 };
 
 }  // namespace net
diff --git a/chromium/net/base/backoff_entry_serializer_fuzzer.cc b/chromium/net/base/backoff_entry_serializer_fuzzer.cc
index 04a3d1f5b2b..f08d3d58aa7 100644
--- a/chromium/net/base/backoff_entry_serializer_fuzzer.cc
+++ b/chromium/net/base/backoff_entry_serializer_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -99,21 +99,21 @@ void TestDeserialize(const ProtoTranslator& translator) {
 
   // Attempt to deserialize a BackoffEntry.
   std::unique_ptr<BackoffEntry> entry =
-      BackoffEntrySerializer::DeserializeFromValue(*value, &policy, &clock,
-                                                   translator.parse_time());
+      BackoffEntrySerializer::DeserializeFromList(
+          value->GetList(), &policy, &clock, translator.parse_time());
   if (!entry)
     return;
 
-  base::Value reserialized =
-      BackoffEntrySerializer::SerializeToValue(*entry, translator.parse_time());
+  base::Value::List reserialized =
+      BackoffEntrySerializer::SerializeToList(*entry, translator.parse_time());
 
   // Due to fuzzy interpretation in BackoffEntrySerializer::
-  // DeserializeFromValue, we cannot assert that |*reserialized == *value|.
+  // DeserializeFromList, we cannot assert that |*reserialized == *value|.
   // Rather, we can deserialize |reserialized| and check that some weaker
   // properties are preserved.
   std::unique_ptr<BackoffEntry> entry_reparsed =
-      BackoffEntrySerializer::DeserializeFromValue(
-          reserialized, &policy, &clock, translator.parse_time());
+      BackoffEntrySerializer::DeserializeFromList(reserialized, &policy, &clock,
+                                                  translator.parse_time());
   CHECK(entry_reparsed);
   CHECK_EQ(entry_reparsed->failure_count(), entry->failure_count());
   CHECK_LE(entry_reparsed->GetReleaseTime(), entry->GetReleaseTime());
@@ -128,18 +128,17 @@ void TestSerialize(const ProtoTranslator& translator) {
 
   // Serialize the BackoffEntry.
   BackoffEntry native_entry(&policy);
-  base::Value serialized = BackoffEntrySerializer::SerializeToValue(
+  base::Value::List serialized = BackoffEntrySerializer::SerializeToList(
       native_entry, translator.serialize_time());
-  CHECK(serialized.is_list());
 
   MockClock clock;
   clock.SetNow(translator.now_ticks());
 
   // Deserialize it.
   std::unique_ptr<BackoffEntry> deserialized_entry =
-      BackoffEntrySerializer::DeserializeFromValue(serialized, &policy, &clock,
-                                                   translator.parse_time());
-  // Even though SerializeToValue was successful, we're not guaranteed to have a
+      BackoffEntrySerializer::DeserializeFromList(serialized, &policy, &clock,
+                                                  translator.parse_time());
+  // Even though SerializeToList was successful, we're not guaranteed to have a
   // |deserialized_entry|. One reason deserialization may fail is if the parsed
   // |absolute_release_time_us| is below zero.
   if (!deserialized_entry)
diff --git a/chromium/net/base/backoff_entry_serializer_fuzzer_input.proto b/chromium/net/base/backoff_entry_serializer_fuzzer_input.proto
index 06cb247dd2a..58c9e6064ec 100644
--- a/chromium/net/base/backoff_entry_serializer_fuzzer_input.proto
+++ b/chromium/net/base/backoff_entry_serializer_fuzzer_input.proto
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/backoff_entry_serializer_unittest.cc b/chromium/net/base/backoff_entry_serializer_unittest.cc
index 5bcb3ebea5b..0bb8e0ba629 100644
--- a/chromium/net/base/backoff_entry_serializer_unittest.cc
+++ b/chromium/net/base/backoff_entry_serializer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -25,13 +25,13 @@ const Time kParseTime =
     Time::FromJsTime(1430907555111);  // May 2015 for realism
 
 BackoffEntry::Policy base_policy = {
-  0 /* num_errors_to_ignore */,
-  1000 /* initial_delay_ms */,
-  2.0 /* multiply_factor */,
-  0.0 /* jitter_factor */,
-  20000 /* maximum_backoff_ms */,
-  2000 /* entry_lifetime_ms */,
-  false /* always_use_initial_delay */
+    0 /* num_errors_to_ignore */,
+    1000 /* initial_delay_ms */,
+    2.0 /* multiply_factor */,
+    0.0 /* jitter_factor */,
+    20000 /* maximum_backoff_ms */,
+    2000 /* entry_lifetime_ms */,
+    false /* always_use_initial_delay */
 };
 
 class TestTickClock : public base::TickClock {
@@ -49,10 +49,10 @@ class TestTickClock : public base::TickClock {
 };
 
 // This test exercises the code that computes the "backoff duration" and tests
-// BackoffEntrySerializer::SerializeToValue computes the backoff duration of a
+// BackoffEntrySerializer::SerializeToList computes the backoff duration of a
 // BackoffEntry by subtracting two base::TimeTicks values. Note that
 // base::TimeTicks::operator- does not protect against overflow. Because
-// SerializeToValue never returns null, its resolution strategy is to default to
+// SerializeToList never returns null, its resolution strategy is to default to
 // a zero base::TimeDelta when the subtraction would overflow.
 TEST(BackoffEntrySerializerTest, SpecialCasesOfBackoffDuration) {
   const base::TimeTicks kZeroTicks;
@@ -136,12 +136,12 @@ TEST(BackoffEntrySerializerTest, SpecialCasesOfBackoffDuration) {
     BackoffEntry original(&base_policy, &original_ticks);
     // Set the custom release time.
     original.SetCustomReleaseTime(test_case.release_time);
-    base::Value serialized =
-        BackoffEntrySerializer::SerializeToValue(original, original_time);
+    base::Value::List serialized =
+        BackoffEntrySerializer::SerializeToList(original, original_time);
 
     // Check that the serialized backoff duration matches our expectation.
     const std::string& serialized_backoff_duration_string =
-        serialized.GetList()[2].GetString();
+        serialized[2].GetString();
     int64_t serialized_backoff_duration_us;
     EXPECT_TRUE(base::StringToInt64(serialized_backoff_duration_string,
                                     &serialized_backoff_duration_us));
@@ -152,7 +152,7 @@ TEST(BackoffEntrySerializerTest, SpecialCasesOfBackoffDuration) {
   }
 }
 
-// This test verifies that BackoffEntrySerializer::SerializeToValue will not
+// This test verifies that BackoffEntrySerializer::SerializeToList will not
 // serialize an infinite release time.
 //
 // In pseudocode, this is how absolute_release_time is computed:
@@ -169,19 +169,18 @@ TEST(BackoffEntrySerializerTest, SerializeFiniteReleaseTime) {
   original_ticks.set_now(TimeTicks());
   BackoffEntry original(&base_policy, &original_ticks);
   original.SetCustomReleaseTime(release_time);
-  base::Value serialized =
-      BackoffEntrySerializer::SerializeToValue(original, original_time);
+  base::Value::List serialized =
+      BackoffEntrySerializer::SerializeToList(original, original_time);
 
   // Reach into the serialization and check the string-formatted release time.
-  const std::string& serialized_release_time =
-      serialized.GetList()[3].GetString();
+  const std::string& serialized_release_time = serialized[3].GetString();
   EXPECT_EQ(serialized_release_time, "0");
 
-  // Test that |DeserializeFromValue| notices this zero-valued release time and
+  // Test that |DeserializeFromList| notices this zero-valued release time and
   // does not take it at face value.
   std::unique_ptr<BackoffEntry> deserialized =
-      BackoffEntrySerializer::DeserializeFromValue(serialized, &base_policy,
-                                                   &original_ticks, kParseTime);
+      BackoffEntrySerializer::DeserializeFromList(serialized, &base_policy,
+                                                  &original_ticks, kParseTime);
   ASSERT_TRUE(deserialized.get());
   EXPECT_EQ(original.GetReleaseTime(), deserialized->GetReleaseTime());
 }
@@ -191,11 +190,11 @@ TEST(BackoffEntrySerializerTest, SerializeNoFailures) {
   TestTickClock original_ticks;
   original_ticks.set_now(TimeTicks::Now());
   BackoffEntry original(&base_policy, &original_ticks);
-  base::Value serialized =
-      BackoffEntrySerializer::SerializeToValue(original, original_time);
+  base::Value::List serialized =
+      BackoffEntrySerializer::SerializeToList(original, original_time);
 
   std::unique_ptr<BackoffEntry> deserialized =
-      BackoffEntrySerializer::DeserializeFromValue(
+      BackoffEntrySerializer::DeserializeFromList(
           serialized, &base_policy, &original_ticks, original_time);
   ASSERT_TRUE(deserialized.get());
   EXPECT_EQ(original.failure_count(), deserialized->failure_count());
@@ -218,9 +217,8 @@ TEST(BackoffEntrySerializerTest, DeserializeNeverInfiniteReleaseTime) {
       base::Time::FromDeltaSinceWindowsEpoch(base::Microseconds(-1));
 
   std::unique_ptr<BackoffEntry> entry =
-      BackoffEntrySerializer::DeserializeFromValue(
-          base::Value(std::move(serialized)), &base_policy, &original_ticks,
-          time_now);
+      BackoffEntrySerializer::DeserializeFromList(serialized, &base_policy,
+                                                  &original_ticks, time_now);
   ASSERT_FALSE(entry);
 }
 
@@ -231,13 +229,13 @@ TEST(BackoffEntrySerializerTest, SerializeTimeOffsets) {
   // 2 errors.
   original.InformOfRequest(false);
   original.InformOfRequest(false);
-  base::Value serialized =
-      BackoffEntrySerializer::SerializeToValue(original, original_time);
+  base::Value::List serialized =
+      BackoffEntrySerializer::SerializeToList(original, original_time);
 
   {
     // Test that immediate deserialization round-trips.
     std::unique_ptr<BackoffEntry> deserialized =
-        BackoffEntrySerializer::DeserializeFromValue(
+        BackoffEntrySerializer::DeserializeFromList(
             serialized, &base_policy, &original_ticks, original_time);
     ASSERT_TRUE(deserialized.get());
     EXPECT_EQ(original.failure_count(), deserialized->failure_count());
@@ -249,7 +247,7 @@ TEST(BackoffEntrySerializerTest, SerializeTimeOffsets) {
     // hasn't (e.g. device was rebooted).
     Time later_time = original_time + base::Days(1);
     std::unique_ptr<BackoffEntry> deserialized =
-        BackoffEntrySerializer::DeserializeFromValue(
+        BackoffEntrySerializer::DeserializeFromList(
             serialized, &base_policy, &original_ticks, later_time);
     ASSERT_TRUE(deserialized.get());
     EXPECT_EQ(original.failure_count(), deserialized->failure_count());
@@ -268,7 +266,7 @@ TEST(BackoffEntrySerializerTest, SerializeTimeOffsets) {
     TestTickClock later_ticks;
     later_ticks.set_now(TimeTicks() + base::Days(1));
     std::unique_ptr<BackoffEntry> deserialized =
-        BackoffEntrySerializer::DeserializeFromValue(
+        BackoffEntrySerializer::DeserializeFromList(
             serialized, &base_policy, &later_ticks, original_time);
     ASSERT_TRUE(deserialized.get());
     EXPECT_EQ(original.failure_count(), deserialized->failure_count());
@@ -292,8 +290,8 @@ TEST(BackoffEntrySerializerTest, SerializeTimeOffsets) {
     later_ticks.set_now(TimeTicks() + base::Days(1));
     Time later_time = original_time + base::Days(1);
     std::unique_ptr<BackoffEntry> deserialized =
-        BackoffEntrySerializer::DeserializeFromValue(serialized, &base_policy,
-                                                     &later_ticks, later_time);
+        BackoffEntrySerializer::DeserializeFromList(serialized, &base_policy,
+                                                    &later_ticks, later_time);
     ASSERT_TRUE(deserialized.get());
     EXPECT_EQ(original.failure_count(), deserialized->failure_count());
     // Since both have advanced by the same amount, the absolute release time
@@ -310,7 +308,7 @@ TEST(BackoffEntrySerializerTest, SerializeTimeOffsets) {
     EXPECT_LT(base::Seconds(1), original.GetTimeUntilRelease());
     Time earlier_time = original_time - base::Seconds(1);
     std::unique_ptr<BackoffEntry> deserialized =
-        BackoffEntrySerializer::DeserializeFromValue(
+        BackoffEntrySerializer::DeserializeFromList(
             serialized, &base_policy, &original_ticks, earlier_time);
     ASSERT_TRUE(deserialized.get());
     EXPECT_EQ(original.failure_count(), deserialized->failure_count());
@@ -336,8 +334,8 @@ TEST(BackoffEntrySerializerTest, DeserializeUnknownVersion) {
   serialized.Append(2.0);     // Backoff duration
   serialized.Append("1234");  // Absolute release time
 
-  auto deserialized = BackoffEntrySerializer::DeserializeFromValue(
-      base::Value(std::move(serialized)), &base_policy, nullptr, kParseTime);
+  auto deserialized = BackoffEntrySerializer::DeserializeFromList(
+      serialized, &base_policy, nullptr, kParseTime);
   ASSERT_FALSE(deserialized);
 }
 
@@ -348,8 +346,8 @@ TEST(BackoffEntrySerializerTest, DeserializeVersion1) {
   serialized.Append(2.0);     // Backoff duration in seconds as double
   serialized.Append("1234");  // Absolute release time
 
-  auto deserialized = BackoffEntrySerializer::DeserializeFromValue(
-      base::Value(std::move(serialized)), &base_policy, nullptr, kParseTime);
+  auto deserialized = BackoffEntrySerializer::DeserializeFromList(
+      serialized, &base_policy, nullptr, kParseTime);
   ASSERT_TRUE(deserialized);
 }
 
@@ -360,8 +358,8 @@ TEST(BackoffEntrySerializerTest, DeserializeVersion2) {
   serialized.Append("2000");  // Backoff duration
   serialized.Append("1234");  // Absolute release time
 
-  auto deserialized = BackoffEntrySerializer::DeserializeFromValue(
-      base::Value(std::move(serialized)), &base_policy, nullptr, kParseTime);
+  auto deserialized = BackoffEntrySerializer::DeserializeFromList(
+      serialized, &base_policy, nullptr, kParseTime);
   ASSERT_TRUE(deserialized);
 }
 
@@ -372,8 +370,8 @@ TEST(BackoffEntrySerializerTest, DeserializeVersion2NegativeDuration) {
   serialized.Append("-2000");  // Backoff duration
   serialized.Append("1234");   // Absolute release time
 
-  auto deserialized = BackoffEntrySerializer::DeserializeFromValue(
-      base::Value(std::move(serialized)), &base_policy, nullptr, kParseTime);
+  auto deserialized = BackoffEntrySerializer::DeserializeFromList(
+      serialized, &base_policy, nullptr, kParseTime);
   ASSERT_TRUE(deserialized);
 }
 
@@ -384,8 +382,8 @@ TEST(BackoffEntrySerializerTest, DeserializeVersion1WrongDurationType) {
   serialized.Append("2000");  // Backoff duration in seconds as double
   serialized.Append("1234");  // Absolute release time
 
-  auto deserialized = BackoffEntrySerializer::DeserializeFromValue(
-      base::Value(std::move(serialized)), &base_policy, nullptr, kParseTime);
+  auto deserialized = BackoffEntrySerializer::DeserializeFromList(
+      serialized, &base_policy, nullptr, kParseTime);
   ASSERT_FALSE(deserialized);
 }
 
@@ -396,8 +394,8 @@ TEST(BackoffEntrySerializerTest, DeserializeVersion2WrongDurationType) {
   serialized.Append(2.0);     // Backoff duration
   serialized.Append("1234");  // Absolute release time
 
-  auto deserialized = BackoffEntrySerializer::DeserializeFromValue(
-      base::Value(std::move(serialized)), &base_policy, nullptr, kParseTime);
+  auto deserialized = BackoffEntrySerializer::DeserializeFromList(
+      serialized, &base_policy, nullptr, kParseTime);
   ASSERT_FALSE(deserialized);
 }
 
diff --git a/chromium/net/base/backoff_entry_unittest.cc b/chromium/net/base/backoff_entry_unittest.cc
index 4cebdecbb54..ddd84eec540 100644
--- a/chromium/net/base/backoff_entry_unittest.cc
+++ b/chromium/net/base/backoff_entry_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/cache_metrics.cc b/chromium/net/base/cache_metrics.cc
index 72f5ebcc123..ce21976a2bd 100644
--- a/chromium/net/base/cache_metrics.cc
+++ b/chromium/net/base/cache_metrics.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/cache_metrics.h b/chromium/net/base/cache_metrics.h
index 6979e5dd512..75d11bdf03b 100644
--- a/chromium/net/base/cache_metrics.h
+++ b/chromium/net/base/cache_metrics.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/base/cache_type.h b/chromium/net/base/cache_type.h
index 9a9a002bb03..7e8f82601d1 100644
--- a/chromium/net/base/cache_type.h
+++ b/chromium/net/base/cache_type.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright 2009 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/chunked_upload_data_stream.cc b/chromium/net/base/chunked_upload_data_stream.cc
index fac1432a7e0..3c6521a5bdb 100644
--- a/chromium/net/base/chunked_upload_data_stream.cc
+++ b/chromium/net/base/chunked_upload_data_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/chunked_upload_data_stream.h b/chromium/net/base/chunked_upload_data_stream.h
index a8564f9bded..36f87c46521 100644
--- a/chromium/net/base/chunked_upload_data_stream.h
+++ b/chromium/net/base/chunked_upload_data_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/chunked_upload_data_stream_unittest.cc b/chromium/net/base/chunked_upload_data_stream_unittest.cc
index 37e8f3edf26..8dbb8e59078 100644
--- a/chromium/net/base/chunked_upload_data_stream_unittest.cc
+++ b/chromium/net/base/chunked_upload_data_stream_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/completion_once_callback.h b/chromium/net/base/completion_once_callback.h
index f299bbf09b7..d41ce7a277e 100644
--- a/chromium/net/base/completion_once_callback.h
+++ b/chromium/net/base/completion_once_callback.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/completion_repeating_callback.h b/chromium/net/base/completion_repeating_callback.h
index 0e96e6cd767..44c8e6e178c 100644
--- a/chromium/net/base/completion_repeating_callback.h
+++ b/chromium/net/base/completion_repeating_callback.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/connection_endpoint_metadata.cc b/chromium/net/base/connection_endpoint_metadata.cc
index 1bdf66a4812..10b196849e4 100644
--- a/chromium/net/base/connection_endpoint_metadata.cc
+++ b/chromium/net/base/connection_endpoint_metadata.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/connection_endpoint_metadata.h b/chromium/net/base/connection_endpoint_metadata.h
index 56f9c6be09e..8d81b5ad6e0 100644
--- a/chromium/net/base/connection_endpoint_metadata.h
+++ b/chromium/net/base/connection_endpoint_metadata.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/connection_endpoint_metadata_test_util.cc b/chromium/net/base/connection_endpoint_metadata_test_util.cc
index 837a430c737..78812b903f6 100644
--- a/chromium/net/base/connection_endpoint_metadata_test_util.cc
+++ b/chromium/net/base/connection_endpoint_metadata_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/connection_endpoint_metadata_test_util.h b/chromium/net/base/connection_endpoint_metadata_test_util.h
index 4ec01b4d349..f8737b4c0b6 100644
--- a/chromium/net/base/connection_endpoint_metadata_test_util.h
+++ b/chromium/net/base/connection_endpoint_metadata_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/data_url.cc b/chromium/net/base/data_url.cc
index 42b69399e79..9125ba36eb2 100644
--- a/chromium/net/base/data_url.cc
+++ b/chromium/net/base/data_url.cc
@@ -1,17 +1,16 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // NOTE: based loosely on mozilla's nsDataChannel.cpp
 
-#include <algorithm>
-
 #include "net/base/data_url.h"
 
 #include "base/base64.h"
 #include "base/containers/cxx20_erase.h"
 #include "base/feature_list.h"
 #include "base/features.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/escape.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_split.h"
@@ -24,15 +23,21 @@
 namespace net {
 namespace {
 
+// https://infra.spec.whatwg.org/#ascii-whitespace, which is referenced by
+// https://infra.spec.whatwg.org/#forgiving-base64, does not include \v in the
+// set of ASCII whitespace characters the way Unicode does.
+bool IsBase64Whitespace(char c) {
+  return c != '\v' && base::IsAsciiWhitespace(c);
+}
+
 // A data URL is ready for decode if it:
 //   - Doesn't need any extra padding.
 //   - Does not have any escaped characters.
 //   - Does not have any whitespace.
 bool IsDataURLReadyForDecode(base::StringPiece body) {
-  return (body.length() % 4) == 0 && base::ranges::find_if(body, [](char c) {
-                                       return c == '%' ||
-                                              base::IsAsciiWhitespace(c);
-                                     }) == std::end(body);
+  return (body.length() % 4) == 0 && base::ranges::none_of(body, [](char c) {
+           return c == '%' || IsBase64Whitespace(c);
+         });
 }
 
 }  // namespace
@@ -58,16 +63,12 @@ bool DataURL::Parse(const GURL& url,
     content = content_string;
   }
 
-  base::StringPiece::const_iterator begin = content.begin();
-  base::StringPiece::const_iterator end = content.end();
-
-  base::StringPiece::const_iterator comma = std::find(begin, end, ',');
-
-  if (comma == end)
+  base::StringPiece::const_iterator comma = base::ranges::find(content, ',');
+  if (comma == content.end())
     return false;
 
   std::vector<base::StringPiece> meta_data =
-      base::SplitStringPiece(base::MakeStringPiece(begin, comma), ";",
+      base::SplitStringPiece(base::MakeStringPiece(content.begin(), comma), ";",
                              base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL);
 
   // These are moved to |mime_type| and |charset| on success.
@@ -128,7 +129,7 @@ bool DataURL::Parse(const GURL& url,
     // spaces itself, anyways. Should we just trim leading spaces instead?
     // Allowing random intermediary spaces seems unnecessary.
 
-    auto raw_body = base::MakeStringPiece(comma + 1, end);
+    auto raw_body = base::MakeStringPiece(comma + 1, content.end());
 
     // For base64, we may have url-escaped whitespace which is not part
     // of the data, and should be stripped. Otherwise, the escaped whitespace
@@ -143,7 +144,7 @@ bool DataURL::Parse(const GURL& url,
         std::string unescaped_body = base::UnescapeBinaryURLComponent(raw_body);
 
         // Strip spaces, which aren't allowed in Base64 encoding.
-        base::EraseIf(unescaped_body, base::IsAsciiWhitespace<char>);
+        base::EraseIf(unescaped_body, IsBase64Whitespace);
 
         size_t length = unescaped_body.length();
         size_t padding_needed = 4 - (length % 4);
diff --git a/chromium/net/base/data_url.h b/chromium/net/base/data_url.h
index cb3cbb790cf..066d5d5bc17 100644
--- a/chromium/net/base/data_url.h
+++ b/chromium/net/base/data_url.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/data_url_fuzzer.cc b/chromium/net/base/data_url_fuzzer.cc
index 39afc0383f7..0a3d7e511c6 100644
--- a/chromium/net/base/data_url_fuzzer.cc
+++ b/chromium/net/base/data_url_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/data_url_unittest.cc b/chromium/net/base/data_url_unittest.cc
index 6fe83aad889..7e969852305 100644
--- a/chromium/net/base/data_url_unittest.cc
+++ b/chromium/net/base/data_url_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/datagram_buffer.cc b/chromium/net/base/datagram_buffer.cc
index 255fabbcd53..4b0446bdf21 100644
--- a/chromium/net/base/datagram_buffer.cc
+++ b/chromium/net/base/datagram_buffer.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/datagram_buffer.h b/chromium/net/base/datagram_buffer.h
index b272722b486..e0deee7fc46 100644
--- a/chromium/net/base/datagram_buffer.h
+++ b/chromium/net/base/datagram_buffer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/datagram_buffer_unittest.cc b/chromium/net/base/datagram_buffer_unittest.cc
index d62f7b3989f..0d2f7f778a9 100644
--- a/chromium/net/base/datagram_buffer_unittest.cc
+++ b/chromium/net/base/datagram_buffer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/directory_lister.cc b/chromium/net/base/directory_lister.cc
index b606f7d114f..e006e96987a 100644
--- a/chromium/net/base/directory_lister.cc
+++ b/chromium/net/base/directory_lister.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/directory_lister.h b/chromium/net/base/directory_lister.h
index 3701a5a69c8..991d15b7987 100644
--- a/chromium/net/base/directory_lister.h
+++ b/chromium/net/base/directory_lister.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/directory_lister_unittest.cc b/chromium/net/base/directory_lister_unittest.cc
index ec25e3b1e8c..0dc0fa0dd00 100644
--- a/chromium/net/base/directory_lister_unittest.cc
+++ b/chromium/net/base/directory_lister_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/directory_listing.cc b/chromium/net/base/directory_listing.cc
index 87bf63e896b..82b805c70fe 100644
--- a/chromium/net/base/directory_listing.cc
+++ b/chromium/net/base/directory_listing.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/directory_listing.h b/chromium/net/base/directory_listing.h
index 8df2f2069ef..5cd073f850b 100644
--- a/chromium/net/base/directory_listing.h
+++ b/chromium/net/base/directory_listing.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/directory_listing_unittest.cc b/chromium/net/base/directory_listing_unittest.cc
index 2fcbb0e6fc9..11cf9059bfc 100644
--- a/chromium/net/base/directory_listing_unittest.cc
+++ b/chromium/net/base/directory_listing_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/elements_upload_data_stream.cc b/chromium/net/base/elements_upload_data_stream.cc
index 6d91c8beac7..f034db840ee 100644
--- a/chromium/net/base/elements_upload_data_stream.cc
+++ b/chromium/net/base/elements_upload_data_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/elements_upload_data_stream.h b/chromium/net/base/elements_upload_data_stream.h
index d2e73880463..3b13c259491 100644
--- a/chromium/net/base/elements_upload_data_stream.h
+++ b/chromium/net/base/elements_upload_data_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/elements_upload_data_stream_unittest.cc b/chromium/net/base/elements_upload_data_stream_unittest.cc
index 6516c288eda..22efde4e413 100644
--- a/chromium/net/base/elements_upload_data_stream_unittest.cc
+++ b/chromium/net/base/elements_upload_data_stream_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/expiring_cache.h b/chromium/net/base/expiring_cache.h
index f466ab55a1b..1f958bc42c5 100644
--- a/chromium/net/base/expiring_cache.h
+++ b/chromium/net/base/expiring_cache.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/expiring_cache_unittest.cc b/chromium/net/base/expiring_cache_unittest.cc
index 275bc340594..06bb0f0f9cd 100644
--- a/chromium/net/base/expiring_cache_unittest.cc
+++ b/chromium/net/base/expiring_cache_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/features.cc b/chromium/net/base/features.cc
index a43cca47a57..10e0f6848fa 100644
--- a/chromium/net/base/features.cc
+++ b/chromium/net/base/features.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,17 +11,19 @@
 
 namespace net::features {
 
-const base::Feature kAlpsForHttp2{"AlpsForHttp2",
-                                  base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kAlpsForHttp2, "AlpsForHttp2", base::FEATURE_ENABLED_BY_DEFAULT);
 
-const base::Feature kAvoidH2Reprioritization{"AvoidH2Reprioritization",
-                                             base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kAvoidH2Reprioritization,
+             "AvoidH2Reprioritization",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kCapReferrerToOriginOnCrossOrigin{
-    "CapReferrerToOriginOnCrossOrigin", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kCapReferrerToOriginOnCrossOrigin,
+             "CapReferrerToOriginOnCrossOrigin",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kDnsTransactionDynamicTimeouts{
-    "DnsTransactionDynamicTimeouts", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kDnsTransactionDynamicTimeouts,
+             "DnsTransactionDynamicTimeouts",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
 const base::FeatureParam<double> kDnsTransactionTimeoutMultiplier{
     &kDnsTransactionDynamicTimeouts, "DnsTransactionTimeoutMultiplier", 7.5};
@@ -30,133 +32,98 @@ const base::FeatureParam<base::TimeDelta> kDnsMinTransactionTimeout{
     &kDnsTransactionDynamicTimeouts, "DnsMinTransactionTimeout",
     base::Seconds(12)};
 
-const base::Feature kDnsHttpssvc{"DnsHttpssvc",
-                                 base::FEATURE_DISABLED_BY_DEFAULT};
-
-const base::FeatureParam<bool> kDnsHttpssvcUseHttpssvc{
-    &kDnsHttpssvc, "DnsHttpssvcUseHttpssvc", false};
-
-const base::FeatureParam<bool> kDnsHttpssvcUseIntegrity{
-    &kDnsHttpssvc, "DnsHttpssvcUseIntegrity", false};
-
-const base::FeatureParam<bool> kDnsHttpssvcEnableQueryOverInsecure{
-    &kDnsHttpssvc, "DnsHttpssvcEnableQueryOverInsecure", false};
-
-const base::FeatureParam<int> kDnsHttpssvcExtraTimeMs{
-    &kDnsHttpssvc, "DnsHttpssvcExtraTimeMs", 10};
-
-const base::FeatureParam<int> kDnsHttpssvcExtraTimePercent{
-    &kDnsHttpssvc, "DnsHttpssvcExtraTimePercent", 5};
-
-const base::FeatureParam<std::string> kDnsHttpssvcExperimentDomains{
-    &kDnsHttpssvc, "DnsHttpssvcExperimentDomains", ""};
-
-const base::FeatureParam<std::string> kDnsHttpssvcControlDomains{
-    &kDnsHttpssvc, "DnsHttpssvcControlDomains", ""};
-
-const base::FeatureParam<bool> kDnsHttpssvcControlDomainWildcard{
-    &kDnsHttpssvc, "DnsHttpssvcControlDomainWildcard", false};
-
-namespace dns_httpssvc_experiment {
-base::TimeDelta GetExtraTimeAbsolute() {
-  DCHECK(base::FeatureList::IsEnabled(features::kDnsHttpssvc));
-  return base::Milliseconds(kDnsHttpssvcExtraTimeMs.Get());
-}
-}  // namespace dns_httpssvc_experiment
-
-const base::Feature kUseDnsHttpsSvcb{"UseDnsHttpsSvcb",
-                                     base::FEATURE_DISABLED_BY_DEFAULT};
-
-const base::FeatureParam<bool> kUseDnsHttpsSvcbHttpUpgrade{
-    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbHttpUpgrade", false};
+BASE_FEATURE(kUseDnsHttpsSvcb,
+             "UseDnsHttpsSvcb",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
 const base::FeatureParam<bool> kUseDnsHttpsSvcbEnforceSecureResponse{
     &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbEnforceSecureResponse", false};
 
-const base::FeatureParam<bool> kUseDnsHttpsSvcbEnableInsecure{
-    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbEnableInsecure", false};
-
 const base::FeatureParam<base::TimeDelta> kUseDnsHttpsSvcbInsecureExtraTimeMax{
     &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbInsecureExtraTimeMax",
-    base::TimeDelta()};
+    base::Milliseconds(50)};
 
 const base::FeatureParam<int> kUseDnsHttpsSvcbInsecureExtraTimePercent{
-    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbInsecureExtraTimePercent", 0};
+    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbInsecureExtraTimePercent", 20};
 
 const base::FeatureParam<base::TimeDelta> kUseDnsHttpsSvcbInsecureExtraTimeMin{
     &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbInsecureExtraTimeMin",
-    base::TimeDelta()};
+    base::Milliseconds(5)};
 
 const base::FeatureParam<base::TimeDelta> kUseDnsHttpsSvcbSecureExtraTimeMax{
-    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbSecureExtraTimeMax", base::TimeDelta()};
+    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbSecureExtraTimeMax",
+    base::Milliseconds(50)};
 
 const base::FeatureParam<int> kUseDnsHttpsSvcbSecureExtraTimePercent{
-    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbSecureExtraTimePercent", 0};
+    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbSecureExtraTimePercent", 20};
 
 const base::FeatureParam<base::TimeDelta> kUseDnsHttpsSvcbSecureExtraTimeMin{
-    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbSecureExtraTimeMin", base::TimeDelta()};
-
-const base::FeatureParam<base::TimeDelta> kUseDnsHttpsSvcbExtraTimeAbsolute{
-    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbExtraTimeAbsolute", base::TimeDelta()};
+    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbSecureExtraTimeMin",
+    base::Milliseconds(5)};
 
-const base::FeatureParam<int> kUseDnsHttpsSvcbExtraTimePercent{
-    &kUseDnsHttpsSvcb, "UseDnsHttpsSvcbExtraTimePercent", 0};
+BASE_FEATURE(kUseDnsHttpsSvcbAlpn,
+             "UseDnsHttpsSvcbAlpn",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kUseDnsHttpsSvcbAlpn{"UseDnsHttpsSvcbAlpn",
-                                         base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kEnableTLS13EarlyData,
+             "EnableTLS13EarlyData",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kEnableTLS13EarlyData{"EnableTLS13EarlyData",
-                                          base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kEncryptedClientHello,
+             "EncryptedClientHello",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kEncryptedClientHello{"EncryptedClientHello",
-                                          base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kNetworkQualityEstimator,
+             "NetworkQualityEstimator",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kNetworkQualityEstimator{"NetworkQualityEstimator",
-                                             base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kSplitCacheByIncludeCredentials,
+             "SplitCacheByIncludeCredentials",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kSplitCacheByIncludeCredentials{
-    "SplitCacheByIncludeCredentials", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kSplitCacheByNetworkIsolationKey,
+             "SplitCacheByNetworkIsolationKey",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kSplitCacheByNetworkIsolationKey{
-    "SplitCacheByNetworkIsolationKey", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kSplitHostCacheByNetworkIsolationKey,
+             "SplitHostCacheByNetworkIsolationKey",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kSplitHostCacheByNetworkIsolationKey{
-    "SplitHostCacheByNetworkIsolationKey", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kPartitionConnectionsByNetworkIsolationKey,
+             "PartitionConnectionsByNetworkIsolationKey",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kPartitionConnectionsByNetworkIsolationKey{
-    "PartitionConnectionsByNetworkIsolationKey",
-    base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kForceIsolationInfoFrameOriginToTopLevelFrame,
+             "ForceIsolationInfoFrameOriginToTopLevelFrame",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kForceIsolationInfoFrameOriginToTopLevelFrame{
-    "ForceIsolationInfoFrameOriginToTopLevelFrame",
-    base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kPartitionHttpServerPropertiesByNetworkIsolationKey,
+             "PartitionHttpServerPropertiesByNetworkIsolationKey",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kPartitionHttpServerPropertiesByNetworkIsolationKey{
-    "PartitionHttpServerPropertiesByNetworkIsolationKey",
-    base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kPartitionSSLSessionsByNetworkIsolationKey,
+             "PartitionSSLSessionsByNetworkIsolationKey",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kPartitionSSLSessionsByNetworkIsolationKey{
-    "PartitionSSLSessionsByNetworkIsolationKey",
-    base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kPartitionExpectCTStateByNetworkIsolationKey,
+             "PartitionExpectCTStateByNetworkIsolationKey",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kPartitionExpectCTStateByNetworkIsolationKey{
-    "PartitionExpectCTStateByNetworkIsolationKey",
-    base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kPartitionNelAndReportingByNetworkIsolationKey,
+             "PartitionNelAndReportingByNetworkIsolationKey",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kPartitionNelAndReportingByNetworkIsolationKey{
-    "PartitionNelAndReportingByNetworkIsolationKey",
-    base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kEnableDoubleKeyNetworkAnonymizationKey,
+             "EnableDoubleKeyNetworkAnonymizationKey",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kEnableDoubleKeyNetworkAnonymizationKey{
-    "EnableDoubleKeyNetworkAnonymizationKey",
-    base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kEnableCrossSiteFlagNetworkAnonymizationKey,
+             "EnableCrossSiteFlagNetworkAnonymizationKey",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kEnableCrossSiteFlagNetworkAnonymizationKey{
-    "EnableCrossSiteFlagNetworkAnonymizationKey",
-    base::FEATURE_DISABLED_BY_DEFAULT};
-
-const base::Feature kExpectCTPruning{"ExpectCTPruning",
-                                     base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kExpectCTPruning,
+             "ExpectCTPruning",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
 NET_EXPORT extern const base::FeatureParam<int>
     kExpectCTPruneMax(&kExpectCTPruning, "ExpectCTPruneMax", 2000);
@@ -173,81 +140,85 @@ NET_EXPORT extern const base::FeatureParam<int> kExpectCTMaxEntriesPerNik(
 NET_EXPORT extern const base::FeatureParam<int>
     kExpectCTPruneDelaySecs(&kExpectCTPruning, "ExpectCTPruneDelaySecs", 60);
 
-const base::Feature kTLS13KeyUpdate{"TLS13KeyUpdate",
-                                    base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kTLS13KeyUpdate,
+             "TLS13KeyUpdate",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kPermuteTLSExtensions{"PermuteTLSExtensions",
-                                          base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kPermuteTLSExtensions,
+             "PermuteTLSExtensions",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kPostQuantumCECPQ2{"PostQuantumCECPQ2",
-                                       base::FEATURE_DISABLED_BY_DEFAULT};
-const base::Feature kPostQuantumCECPQ2SomeDomains{
-    "PostQuantumCECPQ2SomeDomains", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kPostQuantumCECPQ2,
+             "PostQuantumCECPQ2",
+             base::FEATURE_DISABLED_BY_DEFAULT);
+BASE_FEATURE(kPostQuantumCECPQ2SomeDomains,
+             "PostQuantumCECPQ2SomeDomains",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 const base::FeatureParam<std::string>
     kPostQuantumCECPQ2Prefix(&kPostQuantumCECPQ2SomeDomains, "prefix", "a");
 
-const base::Feature kNetUnusedIdleSocketTimeout{
-    "NetUnusedIdleSocketTimeout", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kNetUnusedIdleSocketTimeout,
+             "NetUnusedIdleSocketTimeout",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kShortLaxAllowUnsafeThreshold{
-    "ShortLaxAllowUnsafeThreshold", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kShortLaxAllowUnsafeThreshold,
+             "ShortLaxAllowUnsafeThreshold",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kSameSiteDefaultChecksMethodRigorously{
-    "SameSiteDefaultChecksMethodRigorously", base::FEATURE_DISABLED_BY_DEFAULT};
-
-#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
-const base::Feature kCertVerifierBuiltinFeature{
-    "CertVerifierBuiltin", base::FEATURE_DISABLED_BY_DEFAULT};
-#if BUILDFLAG(IS_MAC)
-const base::FeatureParam<int> kCertVerifierBuiltinImpl{
-    &kCertVerifierBuiltinFeature, "impl", 0};
-const base::FeatureParam<int> kCertVerifierBuiltinCacheSize{
-    &kCertVerifierBuiltinFeature, "cachesize", 0};
-#endif /* BUILDFLAG(IS_MAC) */
-#endif
+BASE_FEATURE(kSameSiteDefaultChecksMethodRigorously,
+             "SameSiteDefaultChecksMethodRigorously",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
 #if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
 // Enables the dual certificate verification trial feature.
 // https://crbug.com/649026
-const base::Feature kCertDualVerificationTrialFeature{
-    "CertDualVerificationTrial", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kCertDualVerificationTrialFeature,
+             "CertDualVerificationTrial",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 #if BUILDFLAG(IS_MAC)
 const base::FeatureParam<int> kCertDualVerificationTrialImpl{
     &kCertDualVerificationTrialFeature, "impl", 0};
 const base::FeatureParam<int> kCertDualVerificationTrialCacheSize{
     &kCertDualVerificationTrialFeature, "cachesize", 0};
 #endif /* BUILDFLAG(IS_MAC) */
-#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED) && \
-    BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
-const base::FeatureParam<bool> kCertDualVerificationTrialUseCrs{
-    &kCertDualVerificationTrialFeature, "use_crs", false};
-#endif
 #endif
 
 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
-const base::Feature kChromeRootStoreUsed{"ChromeRootStoreUsed",
-                                         base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kChromeRootStoreUsed,
+             "ChromeRootStoreUsed",
+             base::FEATURE_DISABLED_BY_DEFAULT);
+#if BUILDFLAG(IS_MAC)
+const base::FeatureParam<int> kChromeRootStoreSysImpl{&kChromeRootStoreUsed,
+                                                      "sysimpl", 0};
+const base::FeatureParam<int> kChromeRootStoreSysCacheSize{
+    &kChromeRootStoreUsed, "syscachesize", 0};
+#endif /* BUILDFLAG(IS_MAC) */
 #endif /* BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) */
 
-const base::Feature kTurnOffStreamingMediaCachingOnBattery{
-    "TurnOffStreamingMediaCachingOnBattery", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kTurnOffStreamingMediaCachingOnBattery,
+             "TurnOffStreamingMediaCachingOnBattery",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kTurnOffStreamingMediaCachingAlways{
-    "TurnOffStreamingMediaCachingAlways", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kTurnOffStreamingMediaCachingAlways,
+             "TurnOffStreamingMediaCachingAlways",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kSchemefulSameSite{"SchemefulSameSite",
-                                       base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kSchemefulSameSite,
+             "SchemefulSameSite",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
-const base::Feature kLimitOpenUDPSockets{"LimitOpenUDPSockets",
-                                         base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kLimitOpenUDPSockets,
+             "LimitOpenUDPSockets",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
 extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax(
     &kLimitOpenUDPSockets,
     "LimitOpenUDPSocketsMax",
     6000);
 
-const base::Feature kTimeoutTcpConnectAttempt{
-    "TimeoutTcpConnectAttempt", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kTimeoutTcpConnectAttempt,
+             "TimeoutTcpConnectAttempt",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
 extern const base::FeatureParam<double> kTimeoutTcpConnectAttemptRTTMultiplier(
     &kTimeoutTcpConnectAttempt,
@@ -265,57 +236,91 @@ extern const base::FeatureParam<base::TimeDelta> kTimeoutTcpConnectAttemptMax(
     base::Seconds(30));
 
 #if BUILDFLAG(ENABLE_REPORTING)
-const base::Feature kDocumentReporting{"DocumentReporting",
-                                       base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kDocumentReporting,
+             "DocumentReporting",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 #endif  // BUILDFLAG(ENABLE_REPORTING)
 
 #if BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
-const base::Feature kUdpSocketPosixAlwaysUpdateBytesReceived{
-    "UdpSocketPosixAlwaysUpdateBytesReceived",
-    base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kUdpSocketPosixAlwaysUpdateBytesReceived,
+             "UdpSocketPosixAlwaysUpdateBytesReceived",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 #endif  // BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
 
-const base::Feature kCookieSameSiteConsidersRedirectChain{
-    "CookieSameSiteConsidersRedirectChain", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kCookieSameSiteConsidersRedirectChain,
+             "CookieSameSiteConsidersRedirectChain",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kSamePartyCookiesConsideredFirstParty{
-    "SamePartyCookiesConsideredFirstParty", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kSamePartyCookiesConsideredFirstParty,
+             "SamePartyCookiesConsideredFirstParty",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kPartitionedCookies{"PartitionedCookies",
-                                        base::FEATURE_DISABLED_BY_DEFAULT};
-const base::Feature kPartitionedCookiesBypassOriginTrial{
-    "PartitionedCookiesBypassOriginTrial", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kSamePartyAttributeEnabled,
+             "SamePartyAttributeEnabled",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kNoncedPartitionedCookies{"NoncedPartitionedCookies",
-                                              base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kPartitionedCookies,
+             "PartitionedCookies",
+             base::FEATURE_DISABLED_BY_DEFAULT);
+BASE_FEATURE(kPartitionedCookiesBypassOriginTrial,
+             "PartitionedCookiesBypassOriginTrial",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kExtraCookieValidityChecks{
-    "ExtraCookieValidityChecks", base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kNoncedPartitionedCookies,
+             "NoncedPartitionedCookies",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
-const base::Feature kRecordRadioWakeupTrigger{
-    "RecordRadioWakeupTrigger", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kExtraCookieValidityChecks,
+             "ExtraCookieValidityChecks",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
-const base::Feature kClampCookieExpiryTo400Days(
-    "ClampCookieExpiryTo400Days",
-    base::FEATURE_ENABLED_BY_DEFAULT);
+BASE_FEATURE(kRecordRadioWakeupTrigger,
+             "RecordRadioWakeupTrigger",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
-const base::Feature kStaticKeyPinningEnforcement(
-    "StaticKeyPinningEnforcement",
-    base::FEATURE_ENABLED_BY_DEFAULT);
+BASE_FEATURE(kClampCookieExpiryTo400Days,
+             "ClampCookieExpiryTo400Days",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
-const base::Feature kCookieDomainRejectNonASCII{
-    "CookieDomainRejectNonASCII", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kStaticKeyPinningEnforcement,
+             "StaticKeyPinningEnforcement",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
-const base::Feature kBlockSetCookieHeader{"BlockSetCookieHeader",
-                                          base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kCookieDomainRejectNonASCII,
+             "CookieDomainRejectNonASCII",
+             base::FEATURE_DISABLED_BY_DEFAULT);
+
+BASE_FEATURE(kBlockSetCookieHeader,
+             "BlockSetCookieHeader",
+             base::FEATURE_ENABLED_BY_DEFAULT);
+
+// Run callbacks optimstically for write calls to the blockfile disk cache
+// implementation.
+BASE_FEATURE(kOptimisticBlockfileWrite,
+             "OptimisticBlockfileWrite",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
 // Read as much of the net::URLRequest as there is space in the Mojo data pipe.
-const base::Feature kOptimizeNetworkBuffers{"OptimizeNetworkBuffers2",
-                                            base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kOptimizeNetworkBuffers,
+             "OptimizeNetworkBuffers2",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
 const base::FeatureParam<int> kOptimizeNetworkBuffersBytesReadLimit{
     &kOptimizeNetworkBuffers, "bytes_read_limit", 64 * 1024};
 
+// If InputStream.available() returns less than this,
+// kOptimizeNetworkBuffersMinInputStreamReadSize will be used instead.
+const base::FeatureParam<int>
+    kOptimizeNetworkBuffersMinInputStreamAvailableValueToIgnore{
+        &kOptimizeNetworkBuffers, "min_input_stream_available_value_to_ignore",
+        16};
+
+// The smallest amount we'll try to read at a time if InputStream.available()
+// returned less than
+// kOptimizeNetworkBuffersMinInputStreamAvailableValueToIgnore.
+const base::FeatureParam<int> kOptimizeNetworkBuffersMinInputStreamReadSize{
+    &kOptimizeNetworkBuffers, "min_input_stream_read_size", 1024};
+
 const base::FeatureParam<int>
     kOptimizeNetworkBuffersMaxInputStreamBytesToReadWhenAvailableUnknown{
         &kOptimizeNetworkBuffers, "max_input_stream_bytes_available_unknown",
@@ -329,8 +334,9 @@ const base::FeatureParam<int>
 const base::FeatureParam<bool> kOptimizeNetworkBuffersInputStreamCheckAvailable{
     &kOptimizeNetworkBuffers, "input_stream_check_available", true};
 
-const base::Feature kStorageAccessAPI{"StorageAccessAPI",
-                                      base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kStorageAccessAPI,
+             "StorageAccessAPI",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 constexpr int kStorageAccessAPIDefaultImplicitGrantLimit = 5;
 const base::FeatureParam<int> kStorageAccessAPIImplicitGrantLimit{
     &kStorageAccessAPI, "storage-access-api-implicit-grant-limit",
@@ -339,9 +345,37 @@ const base::FeatureParam<bool> kStorageAccessAPIGrantsUnpartitionedStorage(
     &kStorageAccessAPI,
     "storage-access-api-grants-unpartitioned-storage",
     false);
+const base::FeatureParam<bool> kStorageAccessAPIAutoGrantInFPS{
+    &kStorageAccessAPI, "storage_access_api_auto_grant_in_fps", true};
+const base::FeatureParam<bool> kStorageAccessAPIAutoDenyOutsideFPS{
+    &kStorageAccessAPI, "storage_access_api_auto_deny_outside_fps", true};
 
 // Enables partitioning of third party storage (IndexedDB, CacheStorage, etc.)
 // by the top level site to reduce fingerprinting.
-const base::Feature kThirdPartyStoragePartitioning{
-    "ThirdPartyStoragePartitioning", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kThirdPartyStoragePartitioning,
+             "ThirdPartyStoragePartitioning",
+             base::FEATURE_DISABLED_BY_DEFAULT);
+
+BASE_FEATURE(kAlpsParsing, "AlpsParsing", base::FEATURE_ENABLED_BY_DEFAULT);
+
+BASE_FEATURE(kAlpsClientHintParsing,
+             "AlpsClientHintParsing",
+             base::FEATURE_ENABLED_BY_DEFAULT);
+
+BASE_FEATURE(kShouldKillSessionOnAcceptChMalformed,
+             "ShouldKillSessionOnAcceptChMalformed",
+             base::FEATURE_DISABLED_BY_DEFAULT);
+
+BASE_FEATURE(kCaseInsensitiveCookiePrefix,
+             "CaseInsensitiveCookiePrefix",
+             base::FEATURE_ENABLED_BY_DEFAULT);
+
+BASE_FEATURE(kEnableWebsocketsOverHttp3,
+             "EnableWebsocketsOverHttp3",
+             base::FEATURE_DISABLED_BY_DEFAULT);
+
+BASE_FEATURE(kUseNAT64ForIPv4Literal,
+             "UseNAT64ForIPv4Literal",
+             base::FEATURE_ENABLED_BY_DEFAULT);
+
 }  // namespace net::features
diff --git a/chromium/net/base/features.h b/chromium/net/base/features.h
index 6729475a475..745c3488f09 100644
--- a/chromium/net/base/features.h
+++ b/chromium/net/base/features.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -20,18 +20,18 @@ namespace net::features {
 // Enables ALPS extension of TLS 1.3 for HTTP/2, see
 // https://vasilvv.github.io/tls-alps/draft-vvv-tls-alps.html and
 // https://vasilvv.github.io/httpbis-alps/draft-vvv-httpbis-alps.html.
-NET_EXPORT extern const base::Feature kAlpsForHttp2;
+NET_EXPORT BASE_DECLARE_FEATURE(kAlpsForHttp2);
 
 // Disable H2 reprioritization, in order to measure its impact.
-NET_EXPORT extern const base::Feature kAvoidH2Reprioritization;
+NET_EXPORT BASE_DECLARE_FEATURE(kAvoidH2Reprioritization);
 
 // When kCapReferrerToOriginOnCrossOrigin is enabled, HTTP referrers on cross-
 // origin requests are restricted to contain at most the source origin.
-NET_EXPORT extern const base::Feature kCapReferrerToOriginOnCrossOrigin;
+NET_EXPORT BASE_DECLARE_FEATURE(kCapReferrerToOriginOnCrossOrigin);
 
 // Support for altering the parameters used for DNS transaction timeout. See
 // ResolveContext::SecureTransactionTimeout().
-NET_EXPORT extern const base::Feature kDnsTransactionDynamicTimeouts;
+NET_EXPORT BASE_DECLARE_FEATURE(kDnsTransactionDynamicTimeouts);
 // Multiplier applied to current fallback periods in determining a transaction
 // timeout.
 NET_EXPORT extern const base::FeatureParam<double>
@@ -39,75 +39,10 @@ NET_EXPORT extern const base::FeatureParam<double>
 NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
     kDnsMinTransactionTimeout;
 
-// Enables DNS query-only experiments for HTTPSSVC or INTEGRITY records,
-// depending on feature parameters. Received responses never affect Chrome
-// behavior other than metrics.
-//
-// Not to be confused with `kUseDnsHttpsSvcb` which is querying HTTPS in order
-// to affect Chrome connection behavior.
-NET_EXPORT extern const base::Feature kDnsHttpssvc;
-
-// Determine which kind of record should be queried: HTTPSSVC or INTEGRITY. No
-// more than one of these feature parameters should be enabled at once. In the
-// event that both are enabled, |kDnsHttpssvcUseIntegrity| takes priority, and
-// |kDnsHttpssvcUseHttpssvc| will be ignored.
-NET_EXPORT extern const base::FeatureParam<bool> kDnsHttpssvcUseHttpssvc;
-NET_EXPORT extern const base::FeatureParam<bool> kDnsHttpssvcUseIntegrity;
-
-// Enable HTTPSSVC or INTEGRITY to be queried over insecure DNS.
-NET_EXPORT extern const base::FeatureParam<bool>
-    kDnsHttpssvcEnableQueryOverInsecure;
-
-// If we are still waiting for an HTTPSSVC or INTEGRITY query after all the
-// other queries in a DnsTask have completed, we will compute a timeout for the
-// remaining query. The timeout will be the min of:
-//   (a) |kDnsHttpssvcExtraTimeMs.Get()|
-//   (b) |kDnsHttpssvcExtraTimePercent.Get() / 100 * t|, where |t| is the
-//       number of milliseconds since the first query began.
-NET_EXPORT extern const base::FeatureParam<int> kDnsHttpssvcExtraTimeMs;
-NET_EXPORT extern const base::FeatureParam<int> kDnsHttpssvcExtraTimePercent;
-
-// These parameters, respectively, are the list of experimental and control
-// domains for which we will query HTTPSSVC or INTEGRITY records. We expect
-// valid INTEGRITY results for experiment domains. We expect no INTEGRITY
-// results for control domains.
-//
-// The format of both parameters is a comma-separated list of domains.
-// Whitespace around domain names is permitted. Trailing comma is optional.
-//
-// See helper functions:
-// |dns_httpssvc_experiment::GetDnsHttpssvcExperimentDomains| and
-// |dns_httpssvc_experiment::GetDnsHttpssvcControlDomains|.
-NET_EXPORT extern const base::FeatureParam<std::string>
-    kDnsHttpssvcExperimentDomains;
-NET_EXPORT extern const base::FeatureParam<std::string>
-    kDnsHttpssvcControlDomains;
-
-// This param controls how we determine whether a domain is an experimental or
-// control domain. When false, domains must be in |kDnsHttpssvcControlDomains|
-// to be considered a control. When true, we ignore |kDnsHttpssvcControlDomains|
-// and any non-experiment domain (not in |kDnsHttpssvcExperimentDomains|) is
-// considered a control domain.
-NET_EXPORT extern const base::FeatureParam<bool>
-    kDnsHttpssvcControlDomainWildcard;
-
-namespace dns_httpssvc_experiment {
-// Get the value of |kDnsHttpssvcExtraTimeMs|.
-NET_EXPORT base::TimeDelta GetExtraTimeAbsolute();
-}  // namespace dns_httpssvc_experiment
-
 // Enables querying HTTPS DNS records that will affect results from HostResolver
 // and may be used to affect connection behavior. Whether or not those results
 // are used (e.g. to connect via ECH) may be controlled by separate features.
-//
-// Not to be confused with `kDnsHttpssvc` which is for experiment-only queries
-// where received HTTPS results do not affect Chrome behavior and are only used
-// for metrics.
-NET_EXPORT extern const base::Feature kUseDnsHttpsSvcb;
-
-// Param to control whether or not presence of an HTTPS record for an HTTP
-// request will force an HTTP->HTTPS upgrade redirect.
-NET_EXPORT extern const base::FeatureParam<bool> kUseDnsHttpsSvcbHttpUpgrade;
+NET_EXPORT BASE_DECLARE_FEATURE(kUseDnsHttpsSvcb);
 
 // Param to control whether or not HostResolver, when using Secure DNS, will
 // fail the entire connection attempt when receiving an inconclusive response to
@@ -116,10 +51,6 @@ NET_EXPORT extern const base::FeatureParam<bool> kUseDnsHttpsSvcbHttpUpgrade;
 NET_EXPORT extern const base::FeatureParam<bool>
     kUseDnsHttpsSvcbEnforceSecureResponse;
 
-// Param to control whether HTTPS queries will be allowed via Insecure DNS
-// (instead of just via Secure DNS).
-NET_EXPORT extern const base::FeatureParam<bool> kUseDnsHttpsSvcbEnableInsecure;
-
 // If we are still waiting for an HTTPS transaction after all the
 // other transactions in an insecure DnsTask have completed, we will compute a
 // timeout for the remaining transaction. The timeout will be
@@ -152,65 +83,52 @@ NET_EXPORT extern const base::FeatureParam<int>
 NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
     kUseDnsHttpsSvcbSecureExtraTimeMin;
 
-// Deprecated in favor of `kUseDnsHttpsSvcbInsecureExtraTime...` and
-// `kUseDnsHttpsSvcbSecureExtraTime...` params. Ignored for insecure DnsTasks if
-// any `kUseDnsHttpsSvcbInsecureExtraTime...` params are non-zero, and ignored
-// for secure DnsTasks if any `kUseDnsHttpsSvcbSecureExtraTime...` params are
-// non-zero.
-NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
-    kUseDnsHttpsSvcbExtraTimeAbsolute;
-NET_EXPORT extern const base::FeatureParam<int>
-    kUseDnsHttpsSvcbExtraTimePercent;
-
 // Update protocol using ALPN information in HTTPS DNS records.
-NET_EXPORT extern const base::Feature kUseDnsHttpsSvcbAlpn;
+NET_EXPORT BASE_DECLARE_FEATURE(kUseDnsHttpsSvcbAlpn);
 
 // Enables TLS 1.3 early data.
-NET_EXPORT extern const base::Feature kEnableTLS13EarlyData;
+NET_EXPORT BASE_DECLARE_FEATURE(kEnableTLS13EarlyData);
 
 // Enables the TLS Encrypted ClientHello feature.
 // https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-13
-NET_EXPORT extern const base::Feature kEncryptedClientHello;
+NET_EXPORT BASE_DECLARE_FEATURE(kEncryptedClientHello);
 
 // Enables optimizing the network quality estimation algorithms in network
 // quality estimator (NQE).
-NET_EXPORT extern const base::Feature kNetworkQualityEstimator;
+NET_EXPORT BASE_DECLARE_FEATURE(kNetworkQualityEstimator);
 
 // Splits cache entries by the request's includeCredentials.
-NET_EXPORT extern const base::Feature kSplitCacheByIncludeCredentials;
+NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByIncludeCredentials);
 
 // Splits cache entries by the request's NetworkIsolationKey if one is
 // available.
-NET_EXPORT extern const base::Feature kSplitCacheByNetworkIsolationKey;
+NET_EXPORT BASE_DECLARE_FEATURE(kSplitCacheByNetworkIsolationKey);
 
 // Splits host cache entries by the DNS request's NetworkIsolationKey if one is
 // available. Also prevents merging live DNS lookups when there is a NIK
 // mismatch.
-NET_EXPORT extern const base::Feature kSplitHostCacheByNetworkIsolationKey;
+NET_EXPORT BASE_DECLARE_FEATURE(kSplitHostCacheByNetworkIsolationKey);
 
 // Partitions connections based on the NetworkIsolationKey associated with a
 // request.
-NET_EXPORT extern const base::Feature
-    kPartitionConnectionsByNetworkIsolationKey;
+NET_EXPORT BASE_DECLARE_FEATURE(kPartitionConnectionsByNetworkIsolationKey);
 
 // Forces the `frame_origin` value in IsolationInfo to the `top_level_origin`
 // value when an IsolationInfo instance is created. This is to enable
 // expirimenting with double keyed network partitions.
-NET_EXPORT extern const base::Feature
-    kForceIsolationInfoFrameOriginToTopLevelFrame;
+NET_EXPORT BASE_DECLARE_FEATURE(kForceIsolationInfoFrameOriginToTopLevelFrame);
 
 // Partitions HttpServerProperties based on the NetworkIsolationKey associated
 // with a request.
-NET_EXPORT extern const base::Feature
-    kPartitionHttpServerPropertiesByNetworkIsolationKey;
+NET_EXPORT BASE_DECLARE_FEATURE(
+    kPartitionHttpServerPropertiesByNetworkIsolationKey);
 
 // Partitions TLS sessions and QUIC server configs based on the
 // NetworkIsolationKey associated with a request.
 //
 // This feature requires kPartitionConnectionsByNetworkIsolationKey to be
 // enabled to work.
-NET_EXPORT extern const base::Feature
-    kPartitionSSLSessionsByNetworkIsolationKey;
+NET_EXPORT BASE_DECLARE_FEATURE(kPartitionSSLSessionsByNetworkIsolationKey);
 
 // Partitions Expect-CT data by NetworkIsolationKey. This only affects the
 // Expect-CT data itself. Regardless of this value, reports will be uploaded
@@ -219,8 +137,7 @@ NET_EXPORT extern const base::Feature
 // This feature requires kPartitionConnectionsByNetworkIsolationKey,
 // kPartitionHttpServerPropertiesByNetworkIsolationKey, and
 // kPartitionConnectionsByNetworkIsolationKey to all be enabled to work.
-NET_EXPORT extern const base::Feature
-    kPartitionExpectCTStateByNetworkIsolationKey;
+NET_EXPORT BASE_DECLARE_FEATURE(kPartitionExpectCTStateByNetworkIsolationKey);
 
 // Partitions Network Error Logging and Reporting API data by
 // NetworkIsolationKey. Also partitions all reports generated by other consumers
@@ -231,8 +148,7 @@ NET_EXPORT extern const base::Feature
 // NetworkIsolationKey parameters, and they're cleared while loading from the
 // cache, but internal objects can be created with them (e.g., endpoints), for
 // testing.
-NET_EXPORT extern const base::Feature
-    kPartitionNelAndReportingByNetworkIsolationKey;
+NET_EXPORT BASE_DECLARE_FEATURE(kPartitionNelAndReportingByNetworkIsolationKey);
 
 // Creates a <double key + is_cross_site> NetworkAnonymizationKey which is used
 // to partition the network state. This double key will have the following
@@ -242,18 +158,17 @@ NET_EXPORT extern const base::Feature
 // to the frame site. The frame site will not be stored in this key so the value
 // of is_cross_site will be computed at key construction. This feature overrides
 // `kEnableDoubleKeyNetworkAnonymizationKey` if both are enabled.
-NET_EXPORT extern const base::Feature
-    kEnableCrossSiteFlagNetworkAnonymizationKey;
+NET_EXPORT BASE_DECLARE_FEATURE(kEnableCrossSiteFlagNetworkAnonymizationKey);
 
 // Creates a double keyed NetworkAnonymizationKey which is used to partition the
 // network state. This double key will have the following properties:
 // `top_frame_site` -> the schemeful site of the top level page.
 // `frame_site ` -> nullopt
 // `is_cross_site` -> nullopt
-NET_EXPORT extern const base::Feature kEnableDoubleKeyNetworkAnonymizationKey;
+NET_EXPORT BASE_DECLARE_FEATURE(kEnableDoubleKeyNetworkAnonymizationKey);
 
 // Enables limiting the size of Expect-CT table.
-NET_EXPORT extern const base::Feature kExpectCTPruning;
+NET_EXPORT BASE_DECLARE_FEATURE(kExpectCTPruning);
 
 // FeatureParams associated with kExpectCTPruning.
 
@@ -276,25 +191,25 @@ NET_EXPORT extern const base::FeatureParam<int> kExpectCTPruneDelaySecs;
 // to ensure that this corner of the spec is exercised. This is currently
 // disabled by default because we discovered incompatibilities with some
 // servers.
-NET_EXPORT extern const base::Feature kTLS13KeyUpdate;
+NET_EXPORT BASE_DECLARE_FEATURE(kTLS13KeyUpdate);
 
 // Enables permuting TLS extensions in the ClientHello, to reduce the risk of
 // non-compliant servers ossifying parts of the ClientHello and interfering with
 // deployment of future security improvements.
-NET_EXPORT extern const base::Feature kPermuteTLSExtensions;
+NET_EXPORT BASE_DECLARE_FEATURE(kPermuteTLSExtensions);
 
 // Enables CECPQ2, a post-quantum key-agreement, in TLS 1.3 connections.
-NET_EXPORT extern const base::Feature kPostQuantumCECPQ2;
+NET_EXPORT BASE_DECLARE_FEATURE(kPostQuantumCECPQ2);
 
 // Enables CECPQ2, a post-quantum key-agreement, in TLS 1.3 connections for a
 // subset of domains. (This is intended as Finch kill-switch. For testing
 // compatibility with large ClientHello messages, use |kPostQuantumCECPQ2|.)
-NET_EXPORT extern const base::Feature kPostQuantumCECPQ2SomeDomains;
+NET_EXPORT BASE_DECLARE_FEATURE(kPostQuantumCECPQ2SomeDomains);
 NET_EXPORT extern const base::FeatureParam<std::string>
     kPostQuantumCECPQ2Prefix;
 
 // Changes the timeout after which unused sockets idle sockets are cleaned up.
-NET_EXPORT extern const base::Feature kNetUnusedIdleSocketTimeout;
+NET_EXPORT BASE_DECLARE_FEATURE(kNetUnusedIdleSocketTimeout);
 
 // When enabled, the time threshold for Lax-allow-unsafe cookies will be lowered
 // from 2 minutes to 10 seconds. This time threshold refers to the age cutoff
@@ -303,59 +218,46 @@ NET_EXPORT extern const base::Feature kNetUnusedIdleSocketTimeout;
 // of HTTP method (i.e. allowing unsafe methods). This is a convenience for
 // integration tests which may want to test behavior of cookies older than the
 // threshold, but which would not be practical to run for 2 minutes.
-NET_EXPORT extern const base::Feature kShortLaxAllowUnsafeThreshold;
+NET_EXPORT BASE_DECLARE_FEATURE(kShortLaxAllowUnsafeThreshold);
 
 // When enabled, the SameSite by default feature does not add the
 // "Lax-allow-unsafe" behavior. Any cookies that do not specify a SameSite
 // attribute will be treated as Lax only, i.e. POST and other unsafe HTTP
 // methods will not be allowed at all for top-level cross-site navigations.
 // This only has an effect if the cookie defaults to SameSite=Lax.
-NET_EXPORT extern const base::Feature kSameSiteDefaultChecksMethodRigorously;
-
-#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
-// When enabled, use the builtin cert verifier instead of the platform verifier.
-NET_EXPORT extern const base::Feature kCertVerifierBuiltinFeature;
-#if BUILDFLAG(IS_MAC)
-NET_EXPORT extern const base::FeatureParam<int> kCertVerifierBuiltinImpl;
-NET_EXPORT extern const base::FeatureParam<int> kCertVerifierBuiltinCacheSize;
-#endif /* BUILDFLAG(IS_MAC) */
-#endif /* BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED) */
+NET_EXPORT BASE_DECLARE_FEATURE(kSameSiteDefaultChecksMethodRigorously);
 
 #if BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED)
-NET_EXPORT extern const base::Feature kCertDualVerificationTrialFeature;
+NET_EXPORT BASE_DECLARE_FEATURE(kCertDualVerificationTrialFeature);
 #if BUILDFLAG(IS_MAC)
 NET_EXPORT extern const base::FeatureParam<int> kCertDualVerificationTrialImpl;
 NET_EXPORT extern const base::FeatureParam<int>
     kCertDualVerificationTrialCacheSize;
 #endif /* BUILDFLAG(IS_MAC) */
-#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED) && \
-    BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
-// If both builtin verifier+system roots and builtin verifier+CRS flags are
-// supported in the same build, this param can be used to choose which to test
-// in the trial.
-NET_EXPORT extern const base::FeatureParam<bool>
-    kCertDualVerificationTrialUseCrs;
-#endif
 #endif /* BUILDFLAG(TRIAL_COMPARISON_CERT_VERIFIER_SUPPORTED) */
 
 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
 // When enabled, use the Chrome Root Store instead of the system root store
-NET_EXPORT extern const base::Feature kChromeRootStoreUsed;
+NET_EXPORT BASE_DECLARE_FEATURE(kChromeRootStoreUsed);
+#if BUILDFLAG(IS_MAC)
+NET_EXPORT extern const base::FeatureParam<int> kChromeRootStoreSysImpl;
+NET_EXPORT extern const base::FeatureParam<int> kChromeRootStoreSysCacheSize;
+#endif /* BUILDFLAG(IS_MAC) */
 #endif /* BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED) */
 
 // Turns off streaming media caching to disk when on battery power.
-NET_EXPORT extern const base::Feature kTurnOffStreamingMediaCachingOnBattery;
+NET_EXPORT BASE_DECLARE_FEATURE(kTurnOffStreamingMediaCachingOnBattery);
 
 // Turns off streaming media caching to disk always.
-NET_EXPORT extern const base::Feature kTurnOffStreamingMediaCachingAlways;
+NET_EXPORT BASE_DECLARE_FEATURE(kTurnOffStreamingMediaCachingAlways);
 
 // When enabled this feature will cause same-site calculations to take into
 // account the scheme of the site-for-cookies and the request/response url.
-NET_EXPORT extern const base::Feature kSchemefulSameSite;
+NET_EXPORT BASE_DECLARE_FEATURE(kSchemefulSameSite);
 
 // Enables a process-wide limit on "open" UDP sockets. See
 // udp_socket_global_limits.h for details on what constitutes an "open" socket.
-NET_EXPORT extern const base::Feature kLimitOpenUDPSockets;
+NET_EXPORT BASE_DECLARE_FEATURE(kLimitOpenUDPSockets);
 
 // FeatureParams associated with kLimitOpenUDPSockets.
 
@@ -365,7 +267,7 @@ NET_EXPORT extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax;
 
 // Enables a timeout on individual TCP connect attempts, based on
 // the parameter values.
-NET_EXPORT extern const base::Feature kTimeoutTcpConnectAttempt;
+NET_EXPORT BASE_DECLARE_FEATURE(kTimeoutTcpConnectAttempt);
 
 // FeatureParams associated with kTimeoutTcpConnectAttempt.
 
@@ -389,7 +291,7 @@ NET_EXPORT extern const base::FeatureParam<base::TimeDelta>
 // When enabled this feature will allow a new Reporting-Endpoints header to
 // configure reporting endpoints for report delivery. This is used to support
 // the new Document Reporting spec.
-NET_EXPORT extern const base::Feature kDocumentReporting;
+NET_EXPORT BASE_DECLARE_FEATURE(kDocumentReporting);
 #endif  // BUILDFLAG(ENABLE_REPORTING)
 
 #if BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
@@ -398,7 +300,7 @@ NET_EXPORT extern const base::Feature kDocumentReporting;
 // This should reduce the number of wake ups and improve battery consumption.
 // TODO(https://crbug.com/1189805): Cleanup the feature after verifying that it
 // doesn't negatively affect performance.
-NET_EXPORT extern const base::Feature kUdpSocketPosixAlwaysUpdateBytesReceived;
+NET_EXPORT BASE_DECLARE_FEATURE(kUdpSocketPosixAlwaysUpdateBytesReceived);
 #endif  // BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
 
 // When this feature is enabled, redirected requests will be considered
@@ -407,61 +309,75 @@ NET_EXPORT extern const base::Feature kUdpSocketPosixAlwaysUpdateBytesReceived;
 // redirected request was same-site with the target URL (and the
 // site-for-cookies).
 // See spec changes in https://github.com/httpwg/http-extensions/pull/1348
-NET_EXPORT extern const base::Feature kCookieSameSiteConsidersRedirectChain;
+NET_EXPORT BASE_DECLARE_FEATURE(kCookieSameSiteConsidersRedirectChain);
+
+// When this feature is enabled, the SameParty attribute is enabled. (Note that
+// when this feature is disabled, the SameParty attribute is still parsed and
+// saved for cookie-sets, but it has no associated semantics (when setting or
+// reading cookies).)
+NET_EXPORT BASE_DECLARE_FEATURE(kSamePartyAttributeEnabled);
 
 // When enabled, cookies with the SameParty attribute are treated as
 // "first-party" when in same-party contexts, for the purposes of third-party
 // cookie blocking. (Note that as a consequence, some cookies may be blocked
 // while others are allowed on a cross-site, same-party request. Additionally,
 // privacy mode is disabled in same-party contexts.)
-NET_EXPORT extern const base::Feature kSamePartyCookiesConsideredFirstParty;
+NET_EXPORT BASE_DECLARE_FEATURE(kSamePartyCookiesConsideredFirstParty);
 
 // When enabled, sites can opt-in to having their cookies partitioned by
 // top-level site with the Partitioned attribute. Partitioned cookies will only
 // be sent when the browser is on the same top-level site that it was on when
 // the cookie was set.
-NET_EXPORT extern const base::Feature kPartitionedCookies;
+NET_EXPORT BASE_DECLARE_FEATURE(kPartitionedCookies);
 // Flag to bypass the origin trial opt-in to use Partitioned cookies. This
 // allows developers to test Partitioned cookies manually in development
 // environments.
 // TODO(crbug.com/1296161): Remove this feature when the CHIPS OT ends.
-NET_EXPORT extern const base::Feature kPartitionedCookiesBypassOriginTrial;
+NET_EXPORT BASE_DECLARE_FEATURE(kPartitionedCookiesBypassOriginTrial);
 
 // When enabled, then we allow partitioned cookies even if kPartitionedCookies
 // is disabled only if the cookie partition key contains a nonce. So far, this
 // is used to create temporary cookie jar partitions for fenced and anonymous
 // frames.
-NET_EXPORT extern const base::Feature kNoncedPartitionedCookies;
+NET_EXPORT BASE_DECLARE_FEATURE(kNoncedPartitionedCookies);
 
 // When enabled, additional cookie-related APIs will perform cookie field size
 // and character set validation to enforce stricter conformance with RFC6265bis.
 // TODO(crbug.com/1243852) Eventually enable this permanently and remove the
 // feature flag, assuming no breakage occurs with it enabled.
-NET_EXPORT extern const base::Feature kExtraCookieValidityChecks;
+NET_EXPORT BASE_DECLARE_FEATURE(kExtraCookieValidityChecks);
 
 // Enable recording UMAs for network activities which can wake-up radio on
 // Android.
-NET_EXPORT extern const base::Feature kRecordRadioWakeupTrigger;
+NET_EXPORT BASE_DECLARE_FEATURE(kRecordRadioWakeupTrigger);
 
 // When enabled, cookies cannot have an expiry date further than 400 days in the
 // future.
-NET_EXPORT extern const base::Feature kClampCookieExpiryTo400Days;
+NET_EXPORT BASE_DECLARE_FEATURE(kClampCookieExpiryTo400Days);
 
 // Controls whether static key pinning is enforced.
-NET_EXPORT extern const base::Feature kStaticKeyPinningEnforcement;
+NET_EXPORT BASE_DECLARE_FEATURE(kStaticKeyPinningEnforcement);
 
 // When enabled, cookies with a non-ASCII domain attribute will be rejected.
-NET_EXPORT extern const base::Feature kCookieDomainRejectNonASCII;
+NET_EXPORT BASE_DECLARE_FEATURE(kCookieDomainRejectNonASCII);
 
 // Blocks the 'Set-Cookie' request header on outbound fetch requests.
-NET_EXPORT extern const base::Feature kBlockSetCookieHeader;
+NET_EXPORT BASE_DECLARE_FEATURE(kBlockSetCookieHeader);
 
-NET_EXPORT extern const base::Feature kOptimizeNetworkBuffers;
+NET_EXPORT BASE_DECLARE_FEATURE(kOptimisticBlockfileWrite);
+
+NET_EXPORT BASE_DECLARE_FEATURE(kOptimizeNetworkBuffers);
 
 NET_EXPORT
 extern const base::FeatureParam<int> kOptimizeNetworkBuffersBytesReadLimit;
 
 NET_EXPORT extern const base::FeatureParam<int>
+    kOptimizeNetworkBuffersMinInputStreamAvailableValueToIgnore;
+
+NET_EXPORT extern const base::FeatureParam<int>
+    kOptimizeNetworkBuffersMinInputStreamReadSize;
+
+NET_EXPORT extern const base::FeatureParam<int>
     kOptimizeNetworkBuffersMaxInputStreamBytesToReadWhenAvailableUnknown;
 
 NET_EXPORT extern const base::FeatureParam<int>
@@ -471,7 +387,7 @@ NET_EXPORT extern const base::FeatureParam<bool>
     kOptimizeNetworkBuffersInputStreamCheckAvailable;
 
 // Enable the Storage Access API. https://crbug.com/989663.
-NET_EXPORT extern const base::Feature kStorageAccessAPI;
+NET_EXPORT BASE_DECLARE_FEATURE(kStorageAccessAPI);
 
 // Set the default number of "automatic" implicit storage access grants per
 // third party origin that can be granted. This can be overridden via
@@ -484,8 +400,32 @@ NET_EXPORT extern const base::FeatureParam<int>
 // granted if the storage is partitioned.
 NET_EXPORT extern const base::FeatureParam<bool>
     kStorageAccessAPIGrantsUnpartitionedStorage;
+// Whether to auto-grant storage access requests when the top level origin and
+// the requesting origin are in the same First-Party Set.
+NET_EXPORT extern const base::FeatureParam<bool>
+    kStorageAccessAPIAutoGrantInFPS;
+// Whether to auto-deny storage access requests when the top level origin and
+// the requesting origin are not in the same First-Party Set.
+NET_EXPORT extern const base::FeatureParam<bool>
+    kStorageAccessAPIAutoDenyOutsideFPS;
+
+NET_EXPORT BASE_DECLARE_FEATURE(kThirdPartyStoragePartitioning);
+
+// Whether ALPS parsing is on for any type of frame.
+NET_EXPORT BASE_DECLARE_FEATURE(kAlpsParsing);
+
+// Whether ALPS parsing is on for client hint parsing specifically.
+NET_EXPORT BASE_DECLARE_FEATURE(kAlpsClientHintParsing);
+
+// Whether to kill the session on Error::kAcceptChMalformed.
+NET_EXPORT BASE_DECLARE_FEATURE(kShouldKillSessionOnAcceptChMalformed);
+
+NET_EXPORT BASE_DECLARE_FEATURE(kCaseInsensitiveCookiePrefix);
+
+NET_EXPORT BASE_DECLARE_FEATURE(kEnableWebsocketsOverHttp3);
 
-NET_EXPORT extern const base::Feature kThirdPartyStoragePartitioning;
+// Whether to do IPv4 to IPv6 address translation for IPv4 literals.
+NET_EXPORT BASE_DECLARE_FEATURE(kUseNAT64ForIPv4Literal);
 
 }  // namespace net::features
 
diff --git a/chromium/net/base/file_stream.cc b/chromium/net/base/file_stream.cc
index 038f60cd490..c554ecb25d4 100644
--- a/chromium/net/base/file_stream.cc
+++ b/chromium/net/base/file_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/file_stream.h b/chromium/net/base/file_stream.h
index 60f58bdd12f..407f5e1fa14 100644
--- a/chromium/net/base/file_stream.h
+++ b/chromium/net/base/file_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/file_stream_context.cc b/chromium/net/base/file_stream_context.cc
index fabb36e39cf..1b092d9ff08 100644
--- a/chromium/net/base/file_stream_context.cc
+++ b/chromium/net/base/file_stream_context.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/file_stream_context.h b/chromium/net/base/file_stream_context.h
index 16c2b5000c4..493a9e5a683 100644
--- a/chromium/net/base/file_stream_context.h
+++ b/chromium/net/base/file_stream_context.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/file_stream_context_posix.cc b/chromium/net/base/file_stream_context_posix.cc
index 0669b466b38..3a48653b943 100644
--- a/chromium/net/base/file_stream_context_posix.cc
+++ b/chromium/net/base/file_stream_context_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/file_stream_context_win.cc b/chromium/net/base/file_stream_context_win.cc
index 0b1a516375b..93406c97d19 100644
--- a/chromium/net/base/file_stream_context_win.cc
+++ b/chromium/net/base/file_stream_context_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/file_stream_unittest.cc b/chromium/net/base/file_stream_unittest.cc
index 11b672ce80d..3ad6be356ed 100644
--- a/chromium/net/base/file_stream_unittest.cc
+++ b/chromium/net/base/file_stream_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/filename_util.cc b/chromium/net/base/filename_util.cc
index ccd0d3dabb7..1fb7fff6ab9 100644
--- a/chromium/net/base/filename_util.cc
+++ b/chromium/net/base/filename_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/filename_util.h b/chromium/net/base/filename_util.h
index c6fa118b6e4..cc31342c2b1 100644
--- a/chromium/net/base/filename_util.h
+++ b/chromium/net/base/filename_util.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/filename_util_icu.cc b/chromium/net/base/filename_util_icu.cc
index ae061c41117..efecede1c8c 100644
--- a/chromium/net/base/filename_util_icu.cc
+++ b/chromium/net/base/filename_util_icu.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/filename_util_internal.cc b/chromium/net/base/filename_util_internal.cc
index 33a246bae7e..c128560c8a3 100644
--- a/chromium/net/base/filename_util_internal.cc
+++ b/chromium/net/base/filename_util_internal.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/filename_util_internal.h b/chromium/net/base/filename_util_internal.h
index 46a8e58e329..831e5a62fc3 100644
--- a/chromium/net/base/filename_util_internal.h
+++ b/chromium/net/base/filename_util_internal.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/filename_util_unittest.cc b/chromium/net/base/filename_util_unittest.cc
index 239c758053d..664b8bea79c 100644
--- a/chromium/net/base/filename_util_unittest.cc
+++ b/chromium/net/base/filename_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/fuzzer_test_support.cc b/chromium/net/base/fuzzer_test_support.cc
index a977ebc0ab8..f05a3de0bcc 100644
--- a/chromium/net/base/fuzzer_test_support.cc
+++ b/chromium/net/base/fuzzer_test_support.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/hash_value.cc b/chromium/net/base/hash_value.cc
index 4a35bdafb1b..14339fb28dd 100644
--- a/chromium/net/base/hash_value.cc
+++ b/chromium/net/base/hash_value.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/hash_value.h b/chromium/net/base/hash_value.h
index 64b11fc16fb..15b23b88c13 100644
--- a/chromium/net/base/hash_value.h
+++ b/chromium/net/base/hash_value.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/hex_utils.cc b/chromium/net/base/hex_utils.cc
index ea0a093ab25..8790eeb93e7 100644
--- a/chromium/net/base/hex_utils.cc
+++ b/chromium/net/base/hex_utils.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/hex_utils.h b/chromium/net/base/hex_utils.h
index 295091e0d2c..e3e73fe6091 100644
--- a/chromium/net/base/hex_utils.h
+++ b/chromium/net/base/hex_utils.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/host_mapping_rules.cc b/chromium/net/base/host_mapping_rules.cc
index 3cd80277bf2..e9de7436a9a 100644
--- a/chromium/net/base/host_mapping_rules.cc
+++ b/chromium/net/base/host_mapping_rules.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/host_mapping_rules.h b/chromium/net/base/host_mapping_rules.h
index 356a799b4b8..d81baf4c98b 100644
--- a/chromium/net/base/host_mapping_rules.h
+++ b/chromium/net/base/host_mapping_rules.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/host_mapping_rules_unittest.cc b/chromium/net/base/host_mapping_rules_unittest.cc
index 82268586b23..7fd1c2abdd0 100644
--- a/chromium/net/base/host_mapping_rules_unittest.cc
+++ b/chromium/net/base/host_mapping_rules_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/host_port_pair.cc b/chromium/net/base/host_port_pair.cc
index 32e48c53e82..1abe5141d2d 100644
--- a/chromium/net/base/host_port_pair.cc
+++ b/chromium/net/base/host_port_pair.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/host_port_pair.h b/chromium/net/base/host_port_pair.h
index ae37263ac04..b86d3b2c328 100644
--- a/chromium/net/base/host_port_pair.h
+++ b/chromium/net/base/host_port_pair.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/host_port_pair_unittest.cc b/chromium/net/base/host_port_pair_unittest.cc
index f50de395813..89907a77193 100644
--- a/chromium/net/base/host_port_pair_unittest.cc
+++ b/chromium/net/base/host_port_pair_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/http_user_agent_settings.h b/chromium/net/base/http_user_agent_settings.h
index 9fed104e1fa..c3b6762600c 100644
--- a/chromium/net/base/http_user_agent_settings.h
+++ b/chromium/net/base/http_user_agent_settings.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/idempotency.h b/chromium/net/base/idempotency.h
index d1b394d10b7..42b6895f43f 100644
--- a/chromium/net/base/idempotency.h
+++ b/chromium/net/base/idempotency.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/interval.h b/chromium/net/base/interval.h
index 8ac3b5e44d8..db318d37976 100644
--- a/chromium/net/base/interval.h
+++ b/chromium/net/base/interval.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/base/interval_test.cc b/chromium/net/base/interval_test.cc
index a0a61170119..7e8359124af 100644
--- a/chromium/net/base/interval_test.cc
+++ b/chromium/net/base/interval_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/base/io_buffer.cc b/chromium/net/base/io_buffer.cc
index b61780cbe1b..c3a7c6164a4 100644
--- a/chromium/net/base/io_buffer.cc
+++ b/chromium/net/base/io_buffer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/io_buffer.h b/chromium/net/base/io_buffer.h
index b8f9a8abc64..aa2b10f6101 100644
--- a/chromium/net/base/io_buffer.h
+++ b/chromium/net/base/io_buffer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/ip_address.cc b/chromium/net/base/ip_address.cc
index e69bcea5cfd..7ac63312e59 100644
--- a/chromium/net/base/ip_address.cc
+++ b/chromium/net/base/ip_address.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -490,4 +490,148 @@ size_t MaskPrefixLength(const IPAddress& mask) {
                             IPAddress(all_ones->data(), all_ones->size()));
 }
 
+Dns64PrefixLength ExtractPref64FromIpv4onlyArpaAAAA(const IPAddress& address) {
+  DCHECK(address.IsIPv6());
+  IPAddress ipv4onlyarpa0(192, 0, 0, 170);
+  IPAddress ipv4onlyarpa1(192, 0, 0, 171);
+  if (std::equal(ipv4onlyarpa0.bytes().begin(), ipv4onlyarpa0.bytes().end(),
+                 address.bytes().begin() + 12u) ||
+      std::equal(ipv4onlyarpa1.bytes().begin(), ipv4onlyarpa1.bytes().end(),
+                 address.bytes().begin() + 12u)) {
+    return Dns64PrefixLength::k96bit;
+  } else if (std::equal(ipv4onlyarpa0.bytes().begin(),
+                        ipv4onlyarpa0.bytes().end(),
+                        address.bytes().begin() + 9u) ||
+             std::equal(ipv4onlyarpa1.bytes().begin(),
+                        ipv4onlyarpa1.bytes().end(),
+                        address.bytes().begin() + 9u)) {
+    return Dns64PrefixLength::k64bit;
+  } else if ((std::equal(ipv4onlyarpa0.bytes().begin(),
+                         ipv4onlyarpa0.bytes().begin() + 1u,
+                         address.bytes().begin() + 7u) &&
+              std::equal(ipv4onlyarpa0.bytes().begin() + 1u,
+                         ipv4onlyarpa0.bytes().end(),
+                         address.bytes().begin() + 9u)) ||
+             (std::equal(ipv4onlyarpa1.bytes().begin(),
+                         ipv4onlyarpa1.bytes().begin() + 1u,
+                         address.bytes().begin() + 7u) &&
+              std::equal(ipv4onlyarpa1.bytes().begin() + 1u,
+                         ipv4onlyarpa1.bytes().end(),
+                         address.bytes().begin() + 9u))) {
+    return Dns64PrefixLength::k56bit;
+  } else if ((std::equal(ipv4onlyarpa0.bytes().begin(),
+                         ipv4onlyarpa0.bytes().begin() + 2u,
+                         address.bytes().begin() + 6u) &&
+              std::equal(ipv4onlyarpa0.bytes().begin() + 2u,
+                         ipv4onlyarpa0.bytes().end(),
+                         address.bytes().begin() + 9u)) ||
+             ((std::equal(ipv4onlyarpa1.bytes().begin(),
+                          ipv4onlyarpa1.bytes().begin() + 2u,
+                          address.bytes().begin() + 6u) &&
+               std::equal(ipv4onlyarpa1.bytes().begin() + 2u,
+                          ipv4onlyarpa1.bytes().end(),
+                          address.bytes().begin() + 9u)))) {
+    return Dns64PrefixLength::k48bit;
+  } else if ((std::equal(ipv4onlyarpa0.bytes().begin(),
+                         ipv4onlyarpa0.bytes().begin() + 3u,
+                         address.bytes().begin() + 5u) &&
+              std::equal(ipv4onlyarpa0.bytes().begin() + 3u,
+                         ipv4onlyarpa0.bytes().end(),
+                         address.bytes().begin() + 9u)) ||
+             (std::equal(ipv4onlyarpa1.bytes().begin(),
+                         ipv4onlyarpa1.bytes().begin() + 3u,
+                         address.bytes().begin() + 5u) &&
+              std::equal(ipv4onlyarpa1.bytes().begin() + 3u,
+                         ipv4onlyarpa1.bytes().end(),
+                         address.bytes().begin() + 9u))) {
+    return Dns64PrefixLength::k40bit;
+  } else if (std::equal(ipv4onlyarpa0.bytes().begin(),
+                        ipv4onlyarpa0.bytes().end(),
+                        address.bytes().begin() + 4u) ||
+             std::equal(ipv4onlyarpa1.bytes().begin(),
+                        ipv4onlyarpa1.bytes().end(),
+                        address.bytes().begin() + 4u)) {
+    return Dns64PrefixLength::k32bit;
+  } else {
+    // if ipv4onlyarpa address is not found return 0
+    return Dns64PrefixLength::kInvalid;
+  }
+}
+
+IPAddress ConvertIPv4ToIPv4EmbeddedIPv6(const IPAddress& ipv4_address,
+                                        const IPAddress& ipv6_address,
+                                        Dns64PrefixLength prefix_length) {
+  DCHECK(ipv4_address.IsIPv4());
+  DCHECK(ipv6_address.IsIPv6());
+
+  base::StackVector<uint8_t, 16> bytes;
+
+  uint8_t zero_bits[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+
+  switch (prefix_length) {
+    case Dns64PrefixLength::k96bit:
+      bytes->insert(bytes->end(), ipv6_address.bytes().begin(),
+                    ipv6_address.bytes().begin() + 12u);
+      bytes->insert(bytes->end(), ipv4_address.bytes().begin(),
+                    ipv4_address.bytes().end());
+      return IPAddress(bytes->data(), bytes->size());
+    case Dns64PrefixLength::k64bit:
+      bytes->insert(bytes->end(), ipv6_address.bytes().begin(),
+                    ipv6_address.bytes().begin() + 8u);
+      bytes->insert(bytes->end(), std::begin(zero_bits),
+                    std::begin(zero_bits) + 1u);
+      bytes->insert(bytes->end(), ipv4_address.bytes().begin(),
+                    ipv4_address.bytes().end());
+      bytes->insert(bytes->end(), std::begin(zero_bits),
+                    std::begin(zero_bits) + 3u);
+      return IPAddress(bytes->data(), bytes->size());
+    case Dns64PrefixLength::k56bit:
+      bytes->insert(bytes->end(), ipv6_address.bytes().begin(),
+                    ipv6_address.bytes().begin() + 7u);
+      bytes->insert(bytes->end(), ipv4_address.bytes().begin(),
+                    ipv4_address.bytes().begin() + 1u);
+      bytes->insert(bytes->end(), std::begin(zero_bits),
+                    std::begin(zero_bits) + 1u);
+      bytes->insert(bytes->end(), ipv4_address.bytes().begin() + 1u,
+                    ipv4_address.bytes().end());
+      bytes->insert(bytes->end(), std::begin(zero_bits),
+                    std::begin(zero_bits) + 4u);
+      return IPAddress(bytes->data(), bytes->size());
+    case Dns64PrefixLength::k48bit:
+      bytes->insert(bytes->end(), ipv6_address.bytes().begin(),
+                    ipv6_address.bytes().begin() + 6u);
+      bytes->insert(bytes->end(), ipv4_address.bytes().begin(),
+                    ipv4_address.bytes().begin() + 2u);
+      bytes->insert(bytes->end(), std::begin(zero_bits),
+                    std::begin(zero_bits) + 1u);
+      bytes->insert(bytes->end(), ipv4_address.bytes().begin() + 2u,
+                    ipv4_address.bytes().end());
+      bytes->insert(bytes->end(), std::begin(zero_bits),
+                    std::begin(zero_bits) + 5u);
+      return IPAddress(bytes->data(), bytes->size());
+    case Dns64PrefixLength::k40bit:
+      bytes->insert(bytes->end(), ipv6_address.bytes().begin(),
+                    ipv6_address.bytes().begin() + 5u);
+      bytes->insert(bytes->end(), ipv4_address.bytes().begin(),
+                    ipv4_address.bytes().begin() + 3u);
+      bytes->insert(bytes->end(), std::begin(zero_bits),
+                    std::begin(zero_bits) + 1u);
+      bytes->insert(bytes->end(), ipv4_address.bytes().begin() + 3u,
+                    ipv4_address.bytes().end());
+      bytes->insert(bytes->end(), std::begin(zero_bits),
+                    std::begin(zero_bits) + 6u);
+      return IPAddress(bytes->data(), bytes->size());
+    case Dns64PrefixLength::k32bit:
+      bytes->insert(bytes->end(), ipv6_address.bytes().begin(),
+                    ipv6_address.bytes().begin() + 4u);
+      bytes->insert(bytes->end(), ipv4_address.bytes().begin(),
+                    ipv4_address.bytes().end());
+      bytes->insert(bytes->end(), std::begin(zero_bits),
+                    std::begin(zero_bits) + 8u);
+      return IPAddress(bytes->data(), bytes->size());
+    case Dns64PrefixLength::kInvalid:
+      return ipv4_address;
+  }
+}
+
 }  // namespace net
diff --git a/chromium/net/base/ip_address.h b/chromium/net/base/ip_address.h
index b6a5657eedb..ea00438f199 100644
--- a/chromium/net/base/ip_address.h
+++ b/chromium/net/base/ip_address.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -293,6 +293,53 @@ bool IPAddressStartsWith(const IPAddress& address, const uint8_t (&prefix)[N]) {
   return std::equal(prefix, prefix + N, address.bytes().begin());
 }
 
+// According to RFC6052 Section 2.2 IPv4-Embedded IPv6 Address Format.
+// https://www.rfc-editor.org/rfc/rfc6052#section-2.2
+// +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+// |PL| 0-------------32--40--48--56--64--72--80--88--96--104---------|
+// +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+// |32|     prefix    |v4(32)         | u | suffix                    |
+// +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+// |40|     prefix        |v4(24)     | u |(8)| suffix                |
+// +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+// |48|     prefix            |v4(16) | u | (16)  | suffix            |
+// +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+// |56|     prefix                |(8)| u |  v4(24)   | suffix        |
+// +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+// |64|     prefix                    | u |   v4(32)      | suffix    |
+// +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+// |96|     prefix                                    |    v4(32)     |
+// +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+//
+// The NAT64/DNS64 translation prefixes has one of the following lengths.
+enum class Dns64PrefixLength {
+  k32bit,
+  k40bit,
+  k48bit,
+  k56bit,
+  k64bit,
+  k96bit,
+  kInvalid
+};
+
+// Extracts the NAT64 translation prefix from the IPv6 address using the well
+// known address ipv4only.arpa 192.0.0.170 and 192.0.0.171.
+// Returns prefix length on success, or Dns64PrefixLength::kInvalid on failure
+// (when the ipv4only.arpa IPv4 address is not found)
+NET_EXPORT Dns64PrefixLength
+ExtractPref64FromIpv4onlyArpaAAAA(const IPAddress& address);
+
+// Converts an IPv4 address to an IPv4-embedded IPv6 address using the given
+// prefix. For example 192.168.0.1 and 64:ff9b::/96 would be converted to
+// 64:ff9b::192.168.0.1
+// Returns converted IPv6 address when prefix_length is not
+// Dns64PrefixLength::kInvalid, and returns the original IPv4 address when
+// prefix_length is Dns64PrefixLength::kInvalid.
+NET_EXPORT IPAddress
+ConvertIPv4ToIPv4EmbeddedIPv6(const IPAddress& ipv4_address,
+                              const IPAddress& ipv6_address,
+                              Dns64PrefixLength prefix_length);
+
 }  // namespace net
 
 #endif  // NET_BASE_IP_ADDRESS_H_
diff --git a/chromium/net/base/ip_address_unittest.cc b/chromium/net/base/ip_address_unittest.cc
index 3c8baea9d3a..1345bcd7806 100644
--- a/chromium/net/base/ip_address_unittest.cc
+++ b/chromium/net/base/ip_address_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -677,6 +677,160 @@ TEST(IPAddressTest, IsLinkLocal) {
   }
 }
 
+// Tests extraction of the NAT64 translation prefix.
+TEST(IPAddressTest, ExtractPref64FromIpv4onlyArpaAAAA) {
+  // Well Known Prefix 64:ff9b::/96.
+  IPAddress ipv6_address_WKP_0(0, 100, 255, 155, 0, 0, 0, 0, 0, 0, 0, 0, 192, 0,
+                               0, 170);
+  IPAddress ipv6_address_WKP_1(0, 100, 255, 155, 0, 0, 0, 0, 0, 0, 0, 0, 192, 0,
+                               0, 171);
+  Dns64PrefixLength pref64_length_WKP_0 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_WKP_0);
+  Dns64PrefixLength pref64_length_WKP_1 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_WKP_1);
+  EXPECT_EQ(Dns64PrefixLength::k96bit, pref64_length_WKP_0);
+  EXPECT_EQ(Dns64PrefixLength::k96bit, pref64_length_WKP_1);
+
+  // Prefix length 96
+  IPAddress ipv6_address_96_0(32, 1, 13, 184, 1, 34, 3, 68, 0, 0, 0, 0, 192, 0,
+                              0, 170);
+  IPAddress ipv6_address_96_1(32, 1, 13, 184, 1, 34, 3, 68, 0, 0, 0, 0, 192, 0,
+                              0, 171);
+  Dns64PrefixLength pref64_length_96_0 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_96_0);
+  Dns64PrefixLength pref64_length_96_1 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_96_1);
+  EXPECT_EQ(Dns64PrefixLength::k96bit, pref64_length_96_0);
+  EXPECT_EQ(Dns64PrefixLength::k96bit, pref64_length_96_1);
+
+  // Prefix length 64
+  IPAddress ipv6_address_64_0(32, 1, 13, 184, 1, 34, 3, 68, 0, 192, 0, 0, 170,
+                              0, 0, 0);
+  IPAddress ipv6_address_64_1(32, 1, 13, 184, 1, 34, 3, 68, 0, 192, 0, 0, 171,
+                              0, 0, 0);
+  Dns64PrefixLength pref64_length_64_0 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_64_0);
+  Dns64PrefixLength pref64_length_64_1 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_64_1);
+  EXPECT_EQ(Dns64PrefixLength::k64bit, pref64_length_64_0);
+  EXPECT_EQ(Dns64PrefixLength::k64bit, pref64_length_64_1);
+
+  // Prefix length 56
+  IPAddress ipv6_address_56_0(32, 1, 13, 184, 1, 34, 3, 192, 0, 0, 0, 170, 0, 0,
+                              0, 0);
+  IPAddress ipv6_address_56_1(32, 1, 13, 184, 1, 34, 3, 192, 0, 0, 0, 171, 0, 0,
+                              0, 0);
+  Dns64PrefixLength pref64_length_56_0 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_56_0);
+  Dns64PrefixLength pref64_length_56_1 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_56_1);
+  EXPECT_EQ(Dns64PrefixLength::k56bit, pref64_length_56_0);
+  EXPECT_EQ(Dns64PrefixLength::k56bit, pref64_length_56_1);
+
+  // Prefix length 48
+  IPAddress ipv6_address_48_0(32, 1, 13, 184, 1, 34, 192, 0, 0, 0, 170, 0, 0, 0,
+                              0, 0);
+  IPAddress ipv6_address_48_1(32, 1, 13, 184, 1, 34, 192, 0, 0, 0, 171, 0, 0, 0,
+                              0, 0);
+  Dns64PrefixLength pref64_length_48_0 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_48_0);
+  Dns64PrefixLength pref64_length_48_1 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_48_1);
+  EXPECT_EQ(Dns64PrefixLength::k48bit, pref64_length_48_0);
+  EXPECT_EQ(Dns64PrefixLength::k48bit, pref64_length_48_1);
+
+  // Prefix length 40
+  IPAddress ipv6_address_40_0(32, 1, 13, 184, 1, 192, 0, 0, 0, 170, 0, 0, 0, 0,
+                              0, 0);
+  IPAddress ipv6_address_40_1(32, 1, 13, 184, 1, 192, 0, 0, 0, 171, 0, 0, 0, 0,
+                              0, 0);
+  Dns64PrefixLength pref64_length_40_0 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_40_0);
+  Dns64PrefixLength pref64_length_40_1 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_40_1);
+  EXPECT_EQ(Dns64PrefixLength::k40bit, pref64_length_40_0);
+  EXPECT_EQ(Dns64PrefixLength::k40bit, pref64_length_40_1);
+
+  // Prefix length 32
+  IPAddress ipv6_address_32_0(32, 1, 13, 184, 192, 0, 0, 170, 0, 0, 0, 0, 0, 0,
+                              0, 0);
+  IPAddress ipv6_address_32_1(32, 1, 13, 184, 192, 0, 0, 171, 0, 0, 0, 0, 0, 0,
+                              0, 0);
+  Dns64PrefixLength pref64_length_32_0 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_32_0);
+  Dns64PrefixLength pref64_length_32_1 =
+      ExtractPref64FromIpv4onlyArpaAAAA(ipv6_address_32_1);
+  EXPECT_EQ(Dns64PrefixLength::k32bit, pref64_length_32_0);
+  EXPECT_EQ(Dns64PrefixLength::k32bit, pref64_length_32_1);
+}
+
+// Tests mapping an IPv4 address to an IPv6 address.
+TEST(IPAddressTest, ConvertIPv4ToIPv4EmbeddedIPv6) {
+  IPAddress ipv4_address(192, 0, 2, 33);
+
+  // Well Known Prefix 64:ff9b::/96.
+  IPAddress ipv6_address_WKP(0, 100, 255, 155, 0, 0, 0, 0, 0, 0, 0, 0, 192, 0,
+                             0, 170);
+  IPAddress converted_ipv6_address_WKP = ConvertIPv4ToIPv4EmbeddedIPv6(
+      ipv4_address, ipv6_address_WKP, Dns64PrefixLength::k96bit);
+  EXPECT_EQ("0,100,255,155,0,0,0,0,0,0,0,0,192,0,2,33",
+            DumpIPAddress(converted_ipv6_address_WKP));
+  EXPECT_EQ("64:ff9b::c000:221", converted_ipv6_address_WKP.ToString());
+
+  // Prefix length 96
+  IPAddress ipv6_address_96(32, 1, 13, 184, 1, 34, 3, 68, 0, 0, 0, 0, 0, 0, 0,
+                            0);
+  IPAddress converted_ipv6_address_96 = ConvertIPv4ToIPv4EmbeddedIPv6(
+      ipv4_address, ipv6_address_96, Dns64PrefixLength::k96bit);
+  EXPECT_EQ("32,1,13,184,1,34,3,68,0,0,0,0,192,0,2,33",
+            DumpIPAddress(converted_ipv6_address_96));
+  EXPECT_EQ("2001:db8:122:344::c000:221", converted_ipv6_address_96.ToString());
+
+  // Prefix length 64
+  IPAddress ipv6_address_64(32, 1, 13, 184, 1, 34, 3, 68, 0, 0, 0, 0, 0, 0, 0,
+                            0);
+  IPAddress converted_ipv6_address_64 = ConvertIPv4ToIPv4EmbeddedIPv6(
+      ipv4_address, ipv6_address_64, Dns64PrefixLength::k64bit);
+  EXPECT_EQ("32,1,13,184,1,34,3,68,0,192,0,2,33,0,0,0",
+            DumpIPAddress(converted_ipv6_address_64));
+  EXPECT_EQ("2001:db8:122:344:c0:2:2100:0",
+            converted_ipv6_address_64.ToString());
+
+  // Prefix length 56
+  IPAddress ipv6_address_56(32, 1, 13, 184, 1, 34, 3, 0, 0, 0, 0, 0, 0, 0, 0,
+                            0);
+  IPAddress converted_ipv6_address_56 = ConvertIPv4ToIPv4EmbeddedIPv6(
+      ipv4_address, ipv6_address_56, Dns64PrefixLength::k56bit);
+  EXPECT_EQ("32,1,13,184,1,34,3,192,0,0,2,33,0,0,0,0",
+            DumpIPAddress(converted_ipv6_address_56));
+  EXPECT_EQ("2001:db8:122:3c0:0:221::", converted_ipv6_address_56.ToString());
+
+  // Prefix length 48
+  IPAddress ipv6_address_48(32, 1, 13, 184, 1, 34, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+                            0);
+  IPAddress converted_ipv6_address_48 = ConvertIPv4ToIPv4EmbeddedIPv6(
+      ipv4_address, ipv6_address_48, Dns64PrefixLength::k48bit);
+  EXPECT_EQ("32,1,13,184,1,34,192,0,0,2,33,0,0,0,0,0",
+            DumpIPAddress(converted_ipv6_address_48));
+  EXPECT_EQ("2001:db8:122:c000:2:2100::", converted_ipv6_address_48.ToString());
+
+  // Prefix length 40
+  IPAddress ipv6_address_40(32, 1, 13, 184, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+  IPAddress converted_ipv6_address_40 = ConvertIPv4ToIPv4EmbeddedIPv6(
+      ipv4_address, ipv6_address_40, Dns64PrefixLength::k40bit);
+  EXPECT_EQ("32,1,13,184,1,192,0,2,0,33,0,0,0,0,0,0",
+            DumpIPAddress(converted_ipv6_address_40));
+  EXPECT_EQ("2001:db8:1c0:2:21::", converted_ipv6_address_40.ToString());
+
+  // Prefix length 32
+  IPAddress ipv6_address_32(32, 1, 13, 184, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
+  IPAddress converted_ipv6_address_32 = ConvertIPv4ToIPv4EmbeddedIPv6(
+      ipv4_address, ipv6_address_32, Dns64PrefixLength::k32bit);
+  EXPECT_EQ("32,1,13,184,192,0,2,33,0,0,0,0,0,0,0,0",
+            DumpIPAddress(converted_ipv6_address_32));
+  EXPECT_EQ("2001:db8:c000:221::", converted_ipv6_address_32.ToString());
+}
+
 }  // anonymous namespace
 
 }  // namespace net
diff --git a/chromium/net/base/ip_endpoint.cc b/chromium/net/base/ip_endpoint.cc
index 27da99b90bf..05466120b1c 100644
--- a/chromium/net/base/ip_endpoint.cc
+++ b/chromium/net/base/ip_endpoint.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/ip_endpoint.h b/chromium/net/base/ip_endpoint.h
index ef9547a640b..8e0f8a50638 100644
--- a/chromium/net/base/ip_endpoint.h
+++ b/chromium/net/base/ip_endpoint.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/ip_endpoint_unittest.cc b/chromium/net/base/ip_endpoint_unittest.cc
index afa1ad512db..fc100b22878 100644
--- a/chromium/net/base/ip_endpoint_unittest.cc
+++ b/chromium/net/base/ip_endpoint_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/isolation_info.cc b/chromium/net/base/isolation_info.cc
index 3380ec1dd8c..a6fc72fc160 100644
--- a/chromium/net/base/isolation_info.cc
+++ b/chromium/net/base/isolation_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,9 +8,11 @@
 
 #include "base/check_op.h"
 #include "base/unguessable_token.h"
-#include "isolation_info.h"
 #include "net/base/features.h"
+#include "net/base/isolation_info.h"
 #include "net/base/isolation_info.pb.h"
+#include "net/base/network_anonymization_key.h"
+#include "net/base/proxy_server.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace net {
@@ -185,14 +187,12 @@ IsolationInfo IsolationInfo::CreatePartial(
   // TODO(https://crbug.com/1148927): Use null origins in this case.
   url::Origin top_frame_origin =
       network_isolation_key.GetTopFrameSite()->site_as_origin_;
-  url::Origin frame_origin;
+  absl::optional<url::Origin> frame_origin;
   if (IsFrameSiteEnabled() &&
       network_isolation_key.GetFrameSite().has_value()) {
     frame_origin = network_isolation_key.GetFrameSite()->site_as_origin_;
-  } else if (request_type == RequestType::kMainFrame) {
-    frame_origin = top_frame_origin;
   } else {
-    frame_origin = url::Origin();
+    frame_origin = absl::nullopt;
   }
 
   const base::UnguessableToken* nonce =
@@ -205,6 +205,48 @@ IsolationInfo IsolationInfo::CreatePartial(
                        absl::nullopt /* party_context */);
 }
 
+IsolationInfo IsolationInfo::DoNotUseCreatePartialFromNak(
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
+  if (!network_anonymization_key.IsFullyPopulated()) {
+    return IsolationInfo();
+  }
+
+  url::Origin top_frame_origin =
+      network_anonymization_key.GetTopFrameSite()->site_as_origin_;
+
+  absl::optional<url::Origin> frame_origin;
+  if (NetworkAnonymizationKey::IsFrameSiteEnabled() &&
+      network_anonymization_key.GetFrameSite().has_value()) {
+    // If frame site is set on the network anonymization key, use it to set the
+    // frame origin on the isolation info.
+    frame_origin = network_anonymization_key.GetFrameSite()->site_as_origin_;
+  } else if (NetworkAnonymizationKey::IsCrossSiteFlagSchemeEnabled() &&
+             network_anonymization_key.GetIsCrossSite().value()) {
+    // If frame site is not set on the network anonymization key but we know
+    // that it is cross site to the top level site, create an empty origin to
+    // use as the frame origin for the isolation info. This should be cross site
+    // with the top level origin.
+    frame_origin = url::Origin();
+  } else {
+    // If frame sit is not set on the network anonymization key and we don't
+    // know that it's cross site to the top level site, use the top frame site
+    // to set the frame origin.
+    frame_origin = top_frame_origin;
+  }
+
+  const base::UnguessableToken* nonce =
+      network_anonymization_key.GetNonce()
+          ? &network_anonymization_key.GetNonce().value()
+          : nullptr;
+
+  auto isolation_info = IsolationInfo::Create(
+      IsolationInfo::RequestType::kOther, top_frame_origin,
+      frame_origin.value(), SiteForCookies(),
+      /*party_context=*/absl::nullopt, nonce);
+  // TODO(crbug/1343856): DCHECK isolation info is fully populated.
+  return isolation_info;
+}
+
 absl::optional<IsolationInfo> IsolationInfo::CreateIfConsistent(
     RequestType request_type,
     const absl::optional<url::Origin>& top_frame_origin,
@@ -240,8 +282,13 @@ IsolationInfo IsolationInfo::CreateForRedirect(
 }
 
 const absl::optional<url::Origin>& IsolationInfo::frame_origin() const {
-  // TODO: @brgoldstein, add CHECK that
-  // `kForceIsolationInfoFrameOriginToTopLevelFrame` is not enabled.
+  // Frame origin will be empty if double-keying is enabled.
+  CHECK(IsolationInfo::IsFrameSiteEnabled());
+  return frame_origin_;
+}
+
+const absl::optional<url::Origin>& IsolationInfo::frame_origin_for_testing()
+    const {
   return frame_origin_;
 }
 
@@ -250,6 +297,7 @@ bool IsolationInfo::IsEqualForTesting(const IsolationInfo& other) const {
           top_frame_origin_ == other.top_frame_origin_ &&
           frame_origin_ == other.frame_origin_ &&
           network_isolation_key_ == other.network_isolation_key_ &&
+          network_anonymization_key_ == other.network_anonymization_key_ &&
           nonce_ == other.nonce_ &&
           site_for_cookies_.IsEquivalent(other.site_for_cookies_) &&
           party_context_ == other.party_context_);
@@ -295,6 +343,44 @@ bool IsolationInfo::IsFrameSiteEnabled() {
       net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
 }
 
+NetworkAnonymizationKey
+IsolationInfo::CreateNetworkAnonymizationKeyForIsolationInfo(
+    const absl::optional<url::Origin>& top_frame_origin,
+    const absl::optional<url::Origin>& frame_origin,
+    const base::UnguessableToken* nonce) const {
+  if (!top_frame_origin) {
+    return NetworkAnonymizationKey();
+  }
+
+  // When IsolationInfo::IsFrameSiteEnabled and
+  // NetworkAnonymizationKey::IsFrameSiteEnabled set the `nak_frame_site` to the
+  // passed value. When NetworkAnonymizationKey::IsFrameSiteEnabled is false set
+  // the `nak_frame_site` to nullopt. When IsolationInfo::IsFrameSiteEnabled is
+  // false but NetworkAnonymizationKey::IsFrameSiteEnabled is true we might have
+  // the frame_site passed correctly to the constructor OR we might have created
+  // a double key in which case we cannot determine the `nak_frame_site`.
+  absl::optional<SchemefulSite> nak_frame_site =
+      NetworkAnonymizationKey::IsFrameSiteEnabled() && frame_origin.has_value()
+          ? absl::make_optional((SchemefulSite(*frame_origin)))
+          : absl::nullopt;
+
+  bool nak_is_cross_site;
+  if (frame_origin) {
+    SiteForCookies site_for_cookies =
+        net::SiteForCookies::FromOrigin(top_frame_origin.value());
+    nak_is_cross_site = !site_for_cookies.IsFirstParty(frame_origin->GetURL());
+  } else {
+    // If we are unable to determine if the frame is cross site we should create
+    // it as cross site.
+    nak_is_cross_site = true;
+  }
+
+  return NetworkAnonymizationKey(
+      SchemefulSite(*top_frame_origin), nak_frame_site,
+      absl::make_optional(nak_is_cross_site),
+      nonce ? absl::make_optional(*nonce) : absl::nullopt);
+}
+
 IsolationInfo::IsolationInfo(
     RequestType request_type,
     const absl::optional<url::Origin>& top_frame_origin,
@@ -313,6 +399,10 @@ IsolationInfo::IsolationInfo(
                                         ? SchemefulSite(*frame_origin)
                                         : SchemefulSite(),
                                     nonce)),
+      network_anonymization_key_(
+          CreateNetworkAnonymizationKeyForIsolationInfo(top_frame_origin,
+                                                        frame_origin,
+                                                        nonce)),
       site_for_cookies_(site_for_cookies),
       nonce_(nonce ? absl::make_optional(*nonce) : absl::nullopt),
       party_context_(party_context.has_value() &&
diff --git a/chromium/net/base/isolation_info.h b/chromium/net/base/isolation_info.h
index 2a5e3946e49..2c1e01ca23b 100644
--- a/chromium/net/base/isolation_info.h
+++ b/chromium/net/base/isolation_info.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,6 +10,7 @@
 
 #include "base/unguessable_token.h"
 #include "net/base/net_export.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_isolation_key.h"
 #include "net/cookies/site_for_cookies.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
@@ -142,6 +143,11 @@ class NET_EXPORT IsolationInfo {
       RequestType request_type,
       const net::NetworkIsolationKey& network_isolation_key);
 
+  // TODO(crbug/1372769): Remove this and create a safer way to ensure NIKs
+  // created from NAKs aren't used by accident.
+  static IsolationInfo DoNotUseCreatePartialFromNak(
+      const net::NetworkAnonymizationKey& network_anonymization_key);
+
   // Returns nullopt if the arguments are not consistent. Otherwise, returns a
   // fully populated IsolationInfo. Any IsolationInfo that can be created by
   // the other construction methods, including the 0-argument constructor, is
@@ -187,6 +193,10 @@ class NET_EXPORT IsolationInfo {
     return network_isolation_key_;
   }
 
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
+  }
+
   const absl::optional<base::UnguessableToken>& nonce() const { return nonce_; }
 
   // The value that should be consulted for the third-party cookie blocking
@@ -197,6 +207,11 @@ class NET_EXPORT IsolationInfo {
   //          policy. It MUST NEVER be used for any kind of SECURITY check.
   const SiteForCookies& site_for_cookies() const { return site_for_cookies_; }
 
+  // Do not use outside of testing. Returns the `frame_origin_` if
+  // `kForceIsolationInfoFrameOriginToTopLevelFrame` is disabled. Else it
+  // returns the `top_frame_origin_` value.
+  const absl::optional<url::Origin>& frame_origin_for_testing() const;
+
   // Return |party_context| which exclude the top frame origin and the frame
   // origin.
   // TODO(mmenke): Make this function PartyContextForTesting() after switching
@@ -208,6 +223,11 @@ class NET_EXPORT IsolationInfo {
 
   bool IsEqualForTesting(const IsolationInfo& other) const;
 
+  NetworkAnonymizationKey CreateNetworkAnonymizationKeyForIsolationInfo(
+      const absl::optional<url::Origin>& top_frame_origin,
+      const absl::optional<url::Origin>& frame_origin,
+      const base::UnguessableToken* nonce) const;
+
   // Serialize the `IsolationInfo` into a string. Fails if transient, returning
   // an empty string.
   std::string Serialize() const;
@@ -231,7 +251,9 @@ class NET_EXPORT IsolationInfo {
 
   // This can be deduced from the two origins above, but keep a cached version
   // to avoid repeated eTLD+1 calculations, when this is using eTLD+1.
-  net::NetworkIsolationKey network_isolation_key_;
+  NetworkIsolationKey network_isolation_key_;
+
+  NetworkAnonymizationKey network_anonymization_key_;
 
   SiteForCookies site_for_cookies_;
 
diff --git a/chromium/net/base/isolation_info.proto b/chromium/net/base/isolation_info.proto
index 252b738245d..9a769ab079c 100644
--- a/chromium/net/base/isolation_info.proto
+++ b/chromium/net/base/isolation_info.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/isolation_info_unittest.cc b/chromium/net/base/isolation_info_unittest.cc
index 43c1b718a5c..2b5b8a2cdc4 100644
--- a/chromium/net/base/isolation_info_unittest.cc
+++ b/chromium/net/base/isolation_info_unittest.cc
@@ -1,13 +1,16 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/isolation_info.h"
-#include <optional>
 
+#include <iostream>
+#include "base/test/gtest_util.h"
 #include "base/test/scoped_feature_list.h"
 #include "base/unguessable_token.h"
+#include "isolation_info.h"
 #include "net/base/features.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_isolation_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/cookies/site_for_cookies.h"
@@ -19,22 +22,92 @@
 
 namespace net {
 
+// `IsolationInfoEnabledFeatureFlagsTestingParam ` allows enabling and disabling
+// the feature flags that control the key schemes for IsolationInfo,
+// NetworkIsolationKey and Network AnonymizationKey. This allows us to test the
+// possible combinations of flags that will be allowed for experimentation.
+// Those possible combinations are outlined below. When a property is `true` the
+// flag that enables this scheme will be enabled for testing. When the bool
+// parameter is `false` the flag that enables the scheme will be disabled.
+struct IsolationInfoEnabledFeatureFlagsTestingParam {
+  const bool enableDoubleKeyNetworkAnonymizationKey;
+  const bool enableDoubleKeyIsolationInfo;
+  const bool enableDoubleKeyAndCrossSiteBitNetworkAnonymizationKey;
+};
+
+// The three cases we need to account for:
+//    0. Triple-keying is enabled for both IsolationInfo and
+//    NetworkAnonymizationKey.
+//    1. Double-keying is enabled for both IsolationInfo and
+//    NetworkAnonymizationKey.
+//    2. Triple-keying is enabled for IsolationInfo and double-keying is enabled
+//    for NetworkAnonymizationKey.
+//    3. Triple-keying is enabled for IsolationInfo and double-keying +
+//    cross-site-bit is enabled for NetworkAnonymizationKey.
+// Note: At the current time double-keyed IsolationInfo is only supported when
+// double-keying or double-keying + is cross site bit are enabled for
+// NetworkAnonymizationKey.
+const IsolationInfoEnabledFeatureFlagsTestingParam kFlagsParam[] = {
+    {/*enableDoubleKeyNetworkAnonymizationKey=*/false,
+     /*enableDoubleKeyIsolationInfo=*/false,
+     /*enableDoubleKeyAndCrossSiteBitNetworkAnonymizationKey=*/false},
+    {/*enableDoubleKeyNetworkAnonymizationKey=*/true,
+     /*enableDoubleKeyIsolationInfo=*/true,
+     /*enableDoubleKeyAndCrossSiteBitNetworkAnonymizationKey=*/false},
+    {/*enableDoubleKeyNetworkAnonymizationKey=*/true,
+     /*enableDoubleKeyIsolationInfo=*/false,
+     /*enableDoubleKeyAndCrossSiteBitNetworkAnonymizationKey=*/false},
+    {/*enableDoubleKeyNetworkAnonymizationKey=*/false,
+     /*enableDoubleKeyIsolationInfo=*/false,
+     /*enableDoubleKeyAndCrossSiteBitNetworkAnonymizationKey=*/true}};
+
 namespace {
 
 class IsolationInfoTest : public testing::Test,
-                          public testing::WithParamInterface<bool> {
+                          public testing::WithParamInterface<
+                              IsolationInfoEnabledFeatureFlagsTestingParam> {
  public:
   IsolationInfoTest() {
-    if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-      scoped_feature_list_.InitAndEnableFeature(
+    std::vector<base::test::FeatureRef> enabled_features = {};
+    std::vector<base::test::FeatureRef> disabled_features = {};
+
+    if (IsDoubleKeyIsolationInfoEnabled()) {
+      enabled_features.push_back(
           net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
     } else {
-      scoped_feature_list_.InitAndDisableFeature(
+      disabled_features.push_back(
           net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
     }
+
+    if (IsDoubleKeyNetworkAnonymizationKeyEnabled()) {
+      enabled_features.push_back(
+          net::features::kEnableDoubleKeyNetworkAnonymizationKey);
+    } else {
+      disabled_features.push_back(
+          net::features::kEnableDoubleKeyNetworkAnonymizationKey);
+    }
+
+    if (IsDoubleKeyAndCrossSiteBitNetworkAnonymizationKeyEnabled()) {
+      enabled_features.push_back(
+          net::features::kEnableCrossSiteFlagNetworkAnonymizationKey);
+    } else {
+      disabled_features.push_back(
+          net::features::kEnableCrossSiteFlagNetworkAnonymizationKey);
+    }
+
+    scoped_feature_list_.InitWithFeatures(enabled_features, disabled_features);
   }
-  static bool ForceIsolationInfoFrameOriginToTopLevelFrameEnabled() {
-    return GetParam();
+
+  static bool IsDoubleKeyIsolationInfoEnabled() {
+    return GetParam().enableDoubleKeyIsolationInfo;
+  }
+
+  static bool IsDoubleKeyNetworkAnonymizationKeyEnabled() {
+    return GetParam().enableDoubleKeyNetworkAnonymizationKey;
+  }
+
+  static bool IsDoubleKeyAndCrossSiteBitNetworkAnonymizationKeyEnabled() {
+    return GetParam().enableDoubleKeyAndCrossSiteBitNetworkAnonymizationKey;
   }
 
   const url::Origin kOrigin1 = url::Origin::Create(GURL("https://a.foo.test"));
@@ -65,19 +138,18 @@ class IsolationInfoTest : public testing::Test,
   base::test::ScopedFeatureList scoped_feature_list_;
 };
 
-INSTANTIATE_TEST_SUITE_P(
-    All,
-    IsolationInfoTest,
-    /*force_isolation_info_frame_origin_to_top_level_frame=*/testing::Bool());
+INSTANTIATE_TEST_SUITE_P(All,
+                         IsolationInfoTest,
+                         /*IsolationInfoEnabledFeatureFlagsTestingParam */
+                         testing::ValuesIn(kFlagsParam));
 
 void DuplicateAndCompare(const IsolationInfo& isolation_info) {
   absl::optional<IsolationInfo> duplicate_isolation_info =
       IsolationInfo::CreateIfConsistent(
           isolation_info.request_type(), isolation_info.top_frame_origin(),
-          IsolationInfoTest::
-                  ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()
-              ? absl::nullopt
-              : isolation_info.frame_origin(),
+          net::IsolationInfo::IsFrameSiteEnabled()
+              ? isolation_info.frame_origin()
+              : absl::nullopt,
           isolation_info.site_for_cookies(), isolation_info.party_context(),
           isolation_info.nonce().has_value() ? &isolation_info.nonce().value()
                                              : nullptr);
@@ -87,19 +159,104 @@ void DuplicateAndCompare(const IsolationInfo& isolation_info) {
 }
 
 TEST_P(IsolationInfoTest, IsFrameSiteEnabled) {
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
+  if (IsDoubleKeyIsolationInfoEnabled()) {
     EXPECT_FALSE(IsolationInfo::IsFrameSiteEnabled());
   } else {
     EXPECT_TRUE(IsolationInfo::IsFrameSiteEnabled());
   }
 }
 
+TEST_P(IsolationInfoTest, CreateNetworkAnonymizationKeyForIsolationInfo) {
+  IsolationInfo isolation_info = IsolationInfo::Create(
+      IsolationInfo::RequestType::kMainFrame, kOrigin1, kOrigin2,
+      SiteForCookies::FromOrigin(kOrigin1), kPartyContextEmpty, &kNonce1);
+  NetworkAnonymizationKey nak =
+      isolation_info.CreateNetworkAnonymizationKeyForIsolationInfo(
+          kOrigin1, kOrigin2, &kNonce1);
+
+  IsolationInfo same_site_isolation_info = IsolationInfo::Create(
+      IsolationInfo::RequestType::kMainFrame, kOrigin1, kOrigin1,
+      SiteForCookies::FromOrigin(kOrigin1), kPartyContextEmpty, &kNonce1);
+
+  // Top frame should be populated regardless of scheme.
+  EXPECT_EQ(nak.GetTopFrameSite(), SchemefulSite(kOrigin1));
+  EXPECT_EQ(isolation_info.top_frame_origin(), kOrigin1);
+  EXPECT_EQ(isolation_info.network_anonymization_key().GetTopFrameSite(),
+            SchemefulSite(kOrigin1));
+
+  // Nonce should be empty regardless of scheme
+  EXPECT_EQ(nak.GetNonce().value(), kNonce1);
+  EXPECT_EQ(isolation_info.network_anonymization_key().GetNonce().value(),
+            kNonce1);
+  EXPECT_EQ(isolation_info.nonce().value(), kNonce1);
+
+  if (IsDoubleKeyNetworkAnonymizationKeyEnabled() &&
+      !IsDoubleKeyAndCrossSiteBitNetworkAnonymizationKeyEnabled() &&
+      IsDoubleKeyIsolationInfoEnabled()) {
+    // Double-keyed IsolationInfo + double-keyed NetworkAnonymizationKey case.
+    EXPECT_DEATH_IF_SUPPORTED(nak.GetFrameSite(), "");
+    EXPECT_EQ(absl::nullopt, nak.GetFrameSiteForTesting());
+    EXPECT_EQ(kOrigin1, isolation_info.top_frame_origin());
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
+    EXPECT_DEATH_IF_SUPPORTED(
+        isolation_info.network_anonymization_key().GetFrameSite(), "");
+    EXPECT_EQ(
+        absl::nullopt,
+        isolation_info.network_anonymization_key().GetFrameSiteForTesting());
+    // EXPECT_DCHECK_DEATH(
+    //     isolation_info.network_anonymization_key().GetIsCrossSite());
+  } else if (!IsDoubleKeyIsolationInfoEnabled() &&
+             !IsDoubleKeyAndCrossSiteBitNetworkAnonymizationKeyEnabled() &&
+             IsDoubleKeyNetworkAnonymizationKeyEnabled()) {
+    // Triple-keyed IsolationInfo + double-keyed NetworkAnonymizationKey case.
+    EXPECT_DEATH_IF_SUPPORTED(nak.GetFrameSite(), "");
+    EXPECT_EQ(absl::nullopt, nak.GetFrameSiteForTesting());
+    EXPECT_DEATH_IF_SUPPORTED(
+        isolation_info.network_anonymization_key().GetFrameSite(), "");
+    EXPECT_EQ(
+        absl::nullopt,
+        isolation_info.network_anonymization_key().GetFrameSiteForTesting());
+    EXPECT_EQ(isolation_info.frame_origin(), kOrigin2);
+    // EXPECT_DCHECK_DEATH(
+    //     isolation_info.network_anonymization_key().GetIsCrossSite());
+  } else if (!IsDoubleKeyIsolationInfoEnabled() &&
+             !IsDoubleKeyAndCrossSiteBitNetworkAnonymizationKeyEnabled() &&
+             !IsDoubleKeyNetworkAnonymizationKeyEnabled()) {
+    // Triple-keyed IsolationInfo + triple-keyed NetworkAnonymizationKey case.
+    EXPECT_EQ(nak.GetFrameSite(), net::SchemefulSite(kOrigin2));
+    EXPECT_EQ(isolation_info.network_anonymization_key().GetFrameSite(),
+              net::SchemefulSite(kOrigin2));
+    EXPECT_EQ(isolation_info.frame_origin(), kOrigin2);
+    // EXPECT_DCHECK_DEATH(
+    //     isolation_info.network_anonymization_key().GetIsCrossSite());
+  } else if (!IsDoubleKeyIsolationInfoEnabled() &&
+             IsDoubleKeyAndCrossSiteBitNetworkAnonymizationKeyEnabled() &&
+             !IsDoubleKeyNetworkAnonymizationKeyEnabled()) {
+    // Triple-keyed IsolationInfo + double-keyed + cross site bit
+    // NetworkAnonymizationKey case.
+    EXPECT_DEATH_IF_SUPPORTED(nak.GetFrameSite(), "");
+    EXPECT_EQ(absl::nullopt, nak.GetFrameSiteForTesting());
+    EXPECT_DEATH_IF_SUPPORTED(
+        isolation_info.network_anonymization_key().GetFrameSite(), "");
+    EXPECT_EQ(
+        absl::nullopt,
+        isolation_info.network_anonymization_key().GetFrameSiteForTesting());
+    EXPECT_EQ(isolation_info.frame_origin(), kOrigin2);
+    EXPECT_EQ(isolation_info.network_anonymization_key().GetIsCrossSite(),
+              true);
+    EXPECT_EQ(
+        same_site_isolation_info.network_anonymization_key().GetIsCrossSite(),
+        false);
+  }
+}
+
 TEST_P(IsolationInfoTest, CreateDoubleKey) {
   IsolationInfo isolation_info = IsolationInfo::Create(
       IsolationInfo::RequestType::kMainFrame, kOrigin1, kOrigin1,
       SiteForCookies::FromOrigin(kOrigin1), kPartyContextEmpty);
 
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
+  if (IsDoubleKeyIsolationInfoEnabled()) {
     IsolationInfo double_key_isolation_info = IsolationInfo::CreateDoubleKey(
         IsolationInfo::RequestType::kMainFrame, kOrigin1,
         SiteForCookies::FromOrigin(kOrigin1), kPartyContextEmpty);
@@ -107,7 +264,9 @@ TEST_P(IsolationInfoTest, CreateDoubleKey) {
     EXPECT_EQ(IsolationInfo::RequestType::kMainFrame,
               double_key_isolation_info.request_type());
     EXPECT_EQ(kOrigin1, double_key_isolation_info.top_frame_origin());
-    EXPECT_EQ(absl::nullopt, double_key_isolation_info.frame_origin());
+    EXPECT_DEATH_IF_SUPPORTED(double_key_isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt,
+              double_key_isolation_info.frame_origin_for_testing());
     EXPECT_EQ(
         "https://foo.test https://foo.test",
         double_key_isolation_info.network_isolation_key().ToCacheKeyString());
@@ -116,8 +275,6 @@ TEST_P(IsolationInfoTest, CreateDoubleKey) {
 
     // When double keying is enabled Create and CreateDoubleKey should
     // create the same key.
-    EXPECT_EQ(isolation_info.frame_origin(),
-              double_key_isolation_info.frame_origin());
     EXPECT_EQ(isolation_info.top_frame_origin(),
               double_key_isolation_info.top_frame_origin());
     EXPECT_EQ(isolation_info.request_type(),
@@ -146,11 +303,11 @@ TEST_P(IsolationInfoTest, RequestTypeMainFrame) {
             isolation_info.request_type());
   EXPECT_EQ(kOrigin1, isolation_info.top_frame_origin());
 
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
     EXPECT_EQ("https://foo.test https://foo.test",
               isolation_info.network_isolation_key().ToCacheKeyString());
-
   } else {
     EXPECT_EQ(kOrigin1, isolation_info.frame_origin());
     EXPECT_EQ("https://foo.test https://foo.test",
@@ -170,15 +327,17 @@ TEST_P(IsolationInfoTest, RequestTypeMainFrame) {
   EXPECT_EQ(IsolationInfo::RequestType::kMainFrame,
             redirected_isolation_info.request_type());
   EXPECT_EQ(kOrigin3, redirected_isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, redirected_isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(redirected_isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt,
+              redirected_isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_EQ(kOrigin3, redirected_isolation_info.frame_origin());
   }
   EXPECT_TRUE(
       redirected_isolation_info.network_isolation_key().IsFullyPopulated());
   EXPECT_FALSE(redirected_isolation_info.network_isolation_key().IsTransient());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
+  if (IsDoubleKeyIsolationInfoEnabled()) {
     EXPECT_EQ(
         "https://baz.test https://baz.test",
         redirected_isolation_info.network_isolation_key().ToCacheKeyString());
@@ -200,8 +359,9 @@ TEST_P(IsolationInfoTest, RequestTypeSubFrame) {
   EXPECT_EQ(IsolationInfo::RequestType::kSubFrame,
             isolation_info.request_type());
   EXPECT_EQ(kOrigin1, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
     EXPECT_EQ("https://foo.test https://foo.test",
               isolation_info.network_isolation_key().ToCacheKeyString());
   } else {
@@ -224,8 +384,10 @@ TEST_P(IsolationInfoTest, RequestTypeSubFrame) {
             redirected_isolation_info.request_type());
   EXPECT_EQ(kOrigin1, redirected_isolation_info.top_frame_origin());
 
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, redirected_isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(redirected_isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt,
+              redirected_isolation_info.frame_origin_for_testing());
     EXPECT_EQ(
         "https://foo.test https://foo.test",
         redirected_isolation_info.network_isolation_key().ToCacheKeyString());
@@ -251,8 +413,9 @@ TEST_P(IsolationInfoTest, RequestTypeMainFrameWithNonce) {
   EXPECT_EQ(IsolationInfo::RequestType::kMainFrame,
             isolation_info.request_type());
   EXPECT_EQ(kOrigin1, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_EQ(kOrigin1, isolation_info.frame_origin());
   }
@@ -272,8 +435,10 @@ TEST_P(IsolationInfoTest, RequestTypeMainFrameWithNonce) {
   EXPECT_EQ(IsolationInfo::RequestType::kMainFrame,
             redirected_isolation_info.request_type());
   EXPECT_EQ(kOrigin3, redirected_isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, redirected_isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(redirected_isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt,
+              redirected_isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_EQ(kOrigin3, redirected_isolation_info.frame_origin());
   }
@@ -296,8 +461,9 @@ TEST_P(IsolationInfoTest, RequestTypeSubFrameWithNonce) {
   EXPECT_EQ(IsolationInfo::RequestType::kSubFrame,
             isolation_info.request_type());
   EXPECT_EQ(kOrigin1, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_EQ(kOrigin2, isolation_info.frame_origin());
   }
@@ -317,8 +483,10 @@ TEST_P(IsolationInfoTest, RequestTypeSubFrameWithNonce) {
   EXPECT_EQ(IsolationInfo::RequestType::kSubFrame,
             redirected_isolation_info.request_type());
   EXPECT_EQ(kOrigin1, redirected_isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, redirected_isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(redirected_isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt,
+              redirected_isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_EQ(kOrigin3, redirected_isolation_info.frame_origin());
   }
@@ -338,8 +506,9 @@ TEST_P(IsolationInfoTest, RequestTypeOther) {
   IsolationInfo isolation_info;
   EXPECT_EQ(IsolationInfo::RequestType::kOther, isolation_info.request_type());
   EXPECT_FALSE(isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_FALSE(isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_FALSE(isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_FALSE(isolation_info.frame_origin());
   }
@@ -361,8 +530,9 @@ TEST_P(IsolationInfoTest, RequestTypeOtherWithSiteForCookies) {
       SiteForCookies::FromOrigin(kOrigin1), kPartyContextEmpty);
   EXPECT_EQ(IsolationInfo::RequestType::kOther, isolation_info.request_type());
   EXPECT_EQ(kOrigin1, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
     EXPECT_EQ("https://foo.test https://foo.test",
               isolation_info.network_isolation_key().ToCacheKeyString());
   } else {
@@ -392,8 +562,9 @@ TEST_P(IsolationInfoTest, RequestTypeOtherWithEmptySiteForCookies) {
                             kOrigin2, SiteForCookies(), kPartyContext2);
   EXPECT_EQ(IsolationInfo::RequestType::kOther, isolation_info.request_type());
   EXPECT_EQ(kOrigin1, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
     EXPECT_EQ("https://foo.test https://foo.test",
               isolation_info.network_isolation_key().ToCacheKeyString());
   } else {
@@ -418,8 +589,9 @@ TEST_P(IsolationInfoTest, CreateTransient) {
   IsolationInfo isolation_info = IsolationInfo::CreateTransient();
   EXPECT_EQ(IsolationInfo::RequestType::kOther, isolation_info.request_type());
   EXPECT_TRUE(isolation_info.top_frame_origin()->opaque());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_FALSE(isolation_info.frame_origin().has_value());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_FALSE(isolation_info.frame_origin_for_testing().has_value());
   } else {
     EXPECT_TRUE(isolation_info.frame_origin()->opaque());
   }
@@ -441,8 +613,9 @@ TEST_P(IsolationInfoTest, CreateForInternalRequest) {
       IsolationInfo::CreateForInternalRequest(kOrigin1);
   EXPECT_EQ(IsolationInfo::RequestType::kOther, isolation_info.request_type());
   EXPECT_EQ(kOrigin1, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
     EXPECT_EQ("https://foo.test https://foo.test",
               isolation_info.network_isolation_key().ToCacheKeyString());
   } else {
@@ -472,8 +645,9 @@ TEST_P(IsolationInfoTest, CreatePartialUpdateTopFrame) {
   EXPECT_EQ(IsolationInfo::RequestType::kMainFrame,
             isolation_info.request_type());
   EXPECT_EQ(kSite1, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_EQ(kSite1, isolation_info.frame_origin());
   }
@@ -493,8 +667,9 @@ TEST_P(IsolationInfoTest, CreatePartialUpdateFrameOnly) {
   EXPECT_EQ(IsolationInfo::RequestType::kSubFrame,
             isolation_info.request_type());
   EXPECT_EQ(kSite1, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_EQ(kSite2, isolation_info.frame_origin());
   }
@@ -513,8 +688,9 @@ TEST_P(IsolationInfoTest, CreatePartialUpdateNothing) {
       IsolationInfo::CreatePartial(IsolationInfo::RequestType::kOther, kNIK);
   EXPECT_EQ(IsolationInfo::RequestType::kOther, isolation_info.request_type());
   EXPECT_EQ(kSite1, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_EQ(kSite2, isolation_info.frame_origin());
   }
@@ -533,8 +709,14 @@ TEST_P(IsolationInfoTest, CreatePartialTransient) {
   EXPECT_EQ(IsolationInfo::RequestType::kOther, isolation_info.request_type());
   EXPECT_EQ(kNIK.GetTopFrameSite(),
             SchemefulSite(*isolation_info.top_frame_origin()));
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(kNIK.GetFrameSite(), absl::nullopt);
+  EXPECT_EQ(kNIK.GetTopFrameSite(),
+            isolation_info.network_anonymization_key().GetTopFrameSite());
+
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(kNIK.GetFrameSite(), "");
+    EXPECT_EQ(kNIK.GetFrameSiteForTesting(), absl::nullopt);
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(isolation_info.frame_origin_for_testing(), absl::nullopt);
   } else {
     EXPECT_EQ(kNIK.GetFrameSite(),
               SchemefulSite(*isolation_info.frame_origin()));
@@ -543,7 +725,6 @@ TEST_P(IsolationInfoTest, CreatePartialTransient) {
   EXPECT_TRUE(isolation_info.site_for_cookies().IsNull());
   EXPECT_FALSE(isolation_info.party_context());
   EXPECT_FALSE(isolation_info.nonce());
-
   DuplicateAndCompare(isolation_info);
 }
 
@@ -552,8 +733,9 @@ TEST_P(IsolationInfoTest, CreatePartialEmpty) {
       IsolationInfo::RequestType::kOther, NetworkIsolationKey());
   EXPECT_EQ(IsolationInfo::RequestType::kOther, isolation_info.request_type());
   EXPECT_FALSE(isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_FALSE(isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_FALSE(isolation_info.frame_origin_for_testing());
   } else {
     EXPECT_FALSE(isolation_info.frame_origin());
   }
@@ -568,8 +750,8 @@ TEST_P(IsolationInfoTest, CreatePartialEmpty) {
 // Test that in the UpdateNothing case, the SiteForCookies does not have to
 // match the frame origin, unlike in the HTTP/HTTPS case.
 TEST_P(IsolationInfoTest, CustomSchemeRequestTypeOther) {
-  // Have to register the scheme, or url::Origin::Create() will return an opaque
-  // origin.
+  // Have to register the scheme, or url::Origin::Create() will return an
+  // opaque origin.
   url::ScopedSchemeRegistryForTests scoped_registry;
   url::AddStandardScheme("foo", url::SCHEME_WITH_HOST);
 
@@ -581,8 +763,9 @@ TEST_P(IsolationInfoTest, CustomSchemeRequestTypeOther) {
       SiteForCookies::FromOrigin(kCustomOrigin), kPartyContext1);
   EXPECT_EQ(IsolationInfo::RequestType::kOther, isolation_info.request_type());
   EXPECT_EQ(kCustomOrigin, isolation_info.top_frame_origin());
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin());
+  if (IsDoubleKeyIsolationInfoEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(isolation_info.frame_origin(), "");
+    EXPECT_EQ(absl::nullopt, isolation_info.frame_origin_for_testing());
     EXPECT_EQ("foo://a.foo.com foo://a.foo.com",
               isolation_info.network_isolation_key().ToCacheKeyString());
   } else {
@@ -636,9 +819,9 @@ TEST_P(IsolationInfoTest, CreateIfConsistentFails) {
   EXPECT_FALSE(IsolationInfo::CreateIfConsistent(
       IsolationInfo::RequestType::kSubFrame, absl::nullopt, kOrigin2,
       SiteForCookies()));
-  // Empty frame origins are ok when double keying is enabled but incorrect when
-  // triple key is enabled.
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
+  // Empty frame origins are ok when double keying is enabled but incorrect
+  // when triple key is enabled.
+  if (IsDoubleKeyIsolationInfoEnabled()) {
     EXPECT_TRUE(IsolationInfo::CreateIfConsistent(
         IsolationInfo::RequestType::kOther, kOrigin1, absl::nullopt,
         SiteForCookies()));
@@ -774,7 +957,7 @@ TEST_P(IsolationInfoTest, Serialization) {
                             kOrigin2, SiteForCookies::FromOrigin(kOrigin1),
                             kPartyContext1, &kNonce1),
   };
-  if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
+  if (IsDoubleKeyIsolationInfoEnabled()) {
     for (const auto& info : kNegativeWhenDoubleKeyEnabledTestCases) {
       EXPECT_TRUE(info.Serialize().empty());
     }
diff --git a/chromium/net/base/load_flags.h b/chromium/net/base/load_flags.h
index 53b2d58d208..d26eaedf401 100644
--- a/chromium/net/base/load_flags.h
+++ b/chromium/net/base/load_flags.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/load_flags_list.h b/chromium/net/base/load_flags_list.h
index 96d1a51ec10..38062cfb932 100644
--- a/chromium/net/base/load_flags_list.h
+++ b/chromium/net/base/load_flags_list.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/load_states.h b/chromium/net/base/load_states.h
index 41a0339993e..049ce124296 100644
--- a/chromium/net/base/load_states.h
+++ b/chromium/net/base/load_states.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/load_states_list.h b/chromium/net/base/load_states_list.h
index a0e20bcb79d..4e468449979 100644
--- a/chromium/net/base/load_states_list.h
+++ b/chromium/net/base/load_states_list.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/load_timing_info.cc b/chromium/net/base/load_timing_info.cc
index 7471f5c5fee..7d95f48a0db 100644
--- a/chromium/net/base/load_timing_info.cc
+++ b/chromium/net/base/load_timing_info.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/load_timing_info.h b/chromium/net/base/load_timing_info.h
index 98e12259a83..cab6804225a 100644
--- a/chromium/net/base/load_timing_info.h
+++ b/chromium/net/base/load_timing_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -29,8 +29,8 @@ namespace net {
 // service_worker_start_time
 // proxy_start
 // proxy_end
-// dns_start
-// dns_end
+// domain_lookup_start
+// domain_lookup_end
 // connect_start
 // ssl_start
 // ssl_end
@@ -78,8 +78,8 @@ struct NET_EXPORT LoadTimingInfo {
     // Corresponds to |domainLookupStart| and |domainLookupEnd| in
     // ResourceTiming (http://www.w3.org/TR/resource-timing/) for Web-surfacing
     // requests.
-    base::TimeTicks dns_start;
-    base::TimeTicks dns_end;
+    base::TimeTicks domain_lookup_start;
+    base::TimeTicks domain_lookup_end;
 
     // The time spent establishing the connection. Connect time includes proxy
     // connect times (though not proxy_resolve or DNS lookup times), time spent
diff --git a/chromium/net/base/load_timing_info_test_util.cc b/chromium/net/base/load_timing_info_test_util.cc
index e84d4bd127b..eccb20299f3 100644
--- a/chromium/net/base/load_timing_info_test_util.cc
+++ b/chromium/net/base/load_timing_info_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,8 +11,8 @@ namespace net {
 
 void ExpectConnectTimingHasNoTimes(
     const LoadTimingInfo::ConnectTiming& connect_timing) {
-  EXPECT_TRUE(connect_timing.dns_start.is_null());
-  EXPECT_TRUE(connect_timing.dns_end.is_null());
+  EXPECT_TRUE(connect_timing.domain_lookup_start.is_null());
+  EXPECT_TRUE(connect_timing.domain_lookup_end.is_null());
   EXPECT_TRUE(connect_timing.connect_start.is_null());
   EXPECT_TRUE(connect_timing.connect_end.is_null());
   EXPECT_TRUE(connect_timing.ssl_start.is_null());
@@ -26,12 +26,13 @@ void ExpectConnectTimingHasTimes(
   EXPECT_LE(connect_timing.connect_start, connect_timing.connect_end);
 
   if (!(connect_timing_flags & CONNECT_TIMING_HAS_DNS_TIMES)) {
-    EXPECT_TRUE(connect_timing.dns_start.is_null());
-    EXPECT_TRUE(connect_timing.dns_end.is_null());
+    EXPECT_TRUE(connect_timing.domain_lookup_start.is_null());
+    EXPECT_TRUE(connect_timing.domain_lookup_end.is_null());
   } else {
-    EXPECT_FALSE(connect_timing.dns_start.is_null());
-    EXPECT_LE(connect_timing.dns_start, connect_timing.dns_end);
-    EXPECT_LE(connect_timing.dns_end, connect_timing.connect_start);
+    EXPECT_FALSE(connect_timing.domain_lookup_start.is_null());
+    EXPECT_LE(connect_timing.domain_lookup_start,
+              connect_timing.domain_lookup_end);
+    EXPECT_LE(connect_timing.domain_lookup_end, connect_timing.connect_start);
   }
 
   if (!(connect_timing_flags & CONNECT_TIMING_HAS_SSL_TIMES)) {
diff --git a/chromium/net/base/load_timing_info_test_util.h b/chromium/net/base/load_timing_info_test_util.h
index 5c2fd172a77..7ce98b360fc 100644
--- a/chromium/net/base/load_timing_info_test_util.h
+++ b/chromium/net/base/load_timing_info_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/logging_network_change_observer.cc b/chromium/net/base/logging_network_change_observer.cc
index 0c83a0bc3f5..46d00954f62 100644
--- a/chromium/net/base/logging_network_change_observer.cc
+++ b/chromium/net/base/logging_network_change_observer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/logging_network_change_observer.h b/chromium/net/base/logging_network_change_observer.h
index 999354a3841..9359ea17ec2 100644
--- a/chromium/net/base/logging_network_change_observer.h
+++ b/chromium/net/base/logging_network_change_observer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/lookup_string_in_fixed_set.cc b/chromium/net/base/lookup_string_in_fixed_set.cc
index 8b08b2717dc..9956f1fd087 100644
--- a/chromium/net/base/lookup_string_in_fixed_set.cc
+++ b/chromium/net/base/lookup_string_in_fixed_set.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/lookup_string_in_fixed_set.h b/chromium/net/base/lookup_string_in_fixed_set.h
index 9d6e4ba6cc5..a8184e6924f 100644
--- a/chromium/net/base/lookup_string_in_fixed_set.h
+++ b/chromium/net/base/lookup_string_in_fixed_set.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/lookup_string_in_fixed_set_fuzzer.cc b/chromium/net/base/lookup_string_in_fixed_set_fuzzer.cc
index cf1ef25fe3d..de47fb06705 100644
--- a/chromium/net/base/lookup_string_in_fixed_set_fuzzer.cc
+++ b/chromium/net/base/lookup_string_in_fixed_set_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/lookup_string_in_fixed_set_unittest.cc b/chromium/net/base/lookup_string_in_fixed_set_unittest.cc
index e61510f8c0d..ba2f9646e52 100644
--- a/chromium/net/base/lookup_string_in_fixed_set_unittest.cc
+++ b/chromium/net/base/lookup_string_in_fixed_set_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mac/url_conversions.h b/chromium/net/base/mac/url_conversions.h
index 56f53a9d4a2..9894e8dec6d 100644
--- a/chromium/net/base/mac/url_conversions.h
+++ b/chromium/net/base/mac/url_conversions.h
@@ -1,4 +1,4 @@
-// Copyright 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mac/url_conversions.mm b/chromium/net/base/mac/url_conversions.mm
index f8accab7c08..88b15642319 100644
--- a/chromium/net/base/mac/url_conversions.mm
+++ b/chromium/net/base/mac/url_conversions.mm
@@ -1,4 +1,4 @@
-// Copyright 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mac/url_conversions_unittest.mm b/chromium/net/base/mac/url_conversions_unittest.mm
index 32e621048f6..8390f4d3bbc 100644
--- a/chromium/net/base/mac/url_conversions_unittest.mm
+++ b/chromium/net/base/mac/url_conversions_unittest.mm
@@ -1,4 +1,4 @@
-// Copyright 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mime_sniffer.cc b/chromium/net/base/mime_sniffer.cc
index aa6ebbcd6ff..b57d5c3a35b 100644
--- a/chromium/net/base/mime_sniffer.cc
+++ b/chromium/net/base/mime_sniffer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mime_sniffer.h b/chromium/net/base/mime_sniffer.h
index 1d07aee9314..b323cb3e9f8 100644
--- a/chromium/net/base/mime_sniffer.h
+++ b/chromium/net/base/mime_sniffer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mime_sniffer_fuzzer.cc b/chromium/net/base/mime_sniffer_fuzzer.cc
index 91970d8a7dc..41ee83e0159 100644
--- a/chromium/net/base/mime_sniffer_fuzzer.cc
+++ b/chromium/net/base/mime_sniffer_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mime_sniffer_perftest.cc b/chromium/net/base/mime_sniffer_perftest.cc
index 9859f279833..b13feb2334f 100644
--- a/chromium/net/base/mime_sniffer_perftest.cc
+++ b/chromium/net/base/mime_sniffer_perftest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mime_sniffer_unittest.cc b/chromium/net/base/mime_sniffer_unittest.cc
index cca0b6c2d17..ebd0e021908 100644
--- a/chromium/net/base/mime_sniffer_unittest.cc
+++ b/chromium/net/base/mime_sniffer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mime_util.cc b/chromium/net/base/mime_util.cc
index 1779ec4f965..eb9774d3617 100644
--- a/chromium/net/base/mime_util.cc
+++ b/chromium/net/base/mime_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -165,7 +165,7 @@ static const MimeInfo kPrimaryMappings[] = {
     {"image/jpeg", "jpeg,jpg"},
     {"image/jxl", "jxl"},
     {"image/png", "png"},
-    {"image/apng", "png"},
+    {"image/apng", "png,apng"},
     {"image/svg+xml", "svg,svgz"},
     {"image/webp", "webp"},
     {"multipart/related", "mht,mhtml"},
@@ -205,6 +205,10 @@ static const MimeInfo kSecondaryMappings[] = {
     {"application/vnd.android.package-archive", "apk"},
     {"application/vnd.mozilla.xul+xml", "xul"},
     {"application/vnd.ms-excel", "xls"},
+    {"application/vnd.ms-powerpoint", "ppt"},
+    {"application/"
+     "vnd.openxmlformats-officedocument.presentationml.presentation",
+     "pptx"},
     {"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
      "xlsx"},
     {"application/vnd.openxmlformats-officedocument.wordprocessingml.document",
diff --git a/chromium/net/base/mime_util.h b/chromium/net/base/mime_util.h
index 55c93426b98..cf61dd77f2e 100644
--- a/chromium/net/base/mime_util.h
+++ b/chromium/net/base/mime_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mime_util_unittest.cc b/chromium/net/base/mime_util_unittest.cc
index 6c7a0ec4a1f..14e7ce31ad1 100644
--- a/chromium/net/base/mime_util_unittest.cc
+++ b/chromium/net/base/mime_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -83,11 +83,19 @@ TEST(MimeUtilTest, ExtensionTest) {
     {FILE_PATH_LITERAL("avif"), {"image/avif"}},
     {FILE_PATH_LITERAL("jxl"), {"image/jxl"}},
 #if BUILDFLAG(IS_CHROMEOS_ASH)
-    // These are test cases for testing platform mime types on Chrome OS.
+    // These are test cases for testing platform mime types on ChromeOS.
     {FILE_PATH_LITERAL("epub"), {"application/epub+zip"}},
     {FILE_PATH_LITERAL("apk"), {"application/vnd.android.package-archive"}},
-    {FILE_PATH_LITERAL("cer"), {"application/x-x509-ca-cert"}},
-    {FILE_PATH_LITERAL("crt"), {"application/x-x509-ca-cert"}},
+    {FILE_PATH_LITERAL("cer"),
+     {
+         "application/x-x509-ca-cert",
+         "application/pkix-cert",  // System override for ChromeOS.
+     }},
+    {FILE_PATH_LITERAL("crt"),
+     {
+         "application/x-x509-ca-cert",
+         "application/pkix-cert",  // System override for ChromeOS.
+     }},
     {FILE_PATH_LITERAL("zip"), {"application/zip"}},
     {FILE_PATH_LITERAL("ics"), {"text/calendar"}},
 #endif
@@ -96,7 +104,8 @@ TEST(MimeUtilTest, ExtensionTest) {
          "application/x-mpegurl",  // Chrome's secondary mapping.
          "audio/x-mpegurl",  // https://crbug.com/1273061, system override for
                              // android-arm[64]-test and Linux. Possibly more.
-         "audio/mpegurl",    // System override for mac.
+         "application/vnd.apple.mpegurl",  // System override for ChromeOS.
+         "audio/mpegurl",                  // System override for mac.
      }},
     {FILE_PATH_LITERAL("csv"), {"text/csv"}},
     {FILE_PATH_LITERAL("not an extension / for sure"), {}},
diff --git a/chromium/net/base/mock_file_stream.cc b/chromium/net/base/mock_file_stream.cc
index ba538639226..7b5ae67ba4b 100644
--- a/chromium/net/base/mock_file_stream.cc
+++ b/chromium/net/base/mock_file_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mock_file_stream.h b/chromium/net/base/mock_file_stream.h
index 2811810a929..304552e5f53 100644
--- a/chromium/net/base/mock_file_stream.h
+++ b/chromium/net/base/mock_file_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/mock_network_change_notifier.cc b/chromium/net/base/mock_network_change_notifier.cc
index af3944b48b5..c3aae7b8bab 100644
--- a/chromium/net/base/mock_network_change_notifier.cc
+++ b/chromium/net/base/mock_network_change_notifier.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -84,6 +84,10 @@ void MockNetworkChangeNotifier::NotifyNetworkConnected(
   base::RunLoop().RunUntilIdle();
 }
 
+bool MockNetworkChangeNotifier::IsDefaultNetworkActiveInternal() {
+  return is_default_network_active_;
+}
+
 void MockNetworkChangeNotifier::SetConnectionTypeAndNotifyObservers(
     ConnectionType connection_type) {
   SetConnectionType(connection_type);
diff --git a/chromium/net/base/mock_network_change_notifier.h b/chromium/net/base/mock_network_change_notifier.h
index 60b14a94d1a..f16fc8ee186 100644
--- a/chromium/net/base/mock_network_change_notifier.h
+++ b/chromium/net/base/mock_network_change_notifier.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -61,6 +61,12 @@ class MockNetworkChangeNotifier : public NetworkChangeNotifier {
     connection_cost_ = connection_cost;
   }
 
+  bool IsDefaultNetworkActiveInternal() override;
+
+  void SetIsDefaultNetworkActiveInternalForTesting(bool is_active) {
+    is_default_network_active_ = is_active;
+  }
+
   // Tells this class to ignore its cached connection cost value and instead
   // call the base class's implementation. This is intended to allow tests to
   // mock the product code's fallback to the default implementation in certain
@@ -84,6 +90,7 @@ class MockNetworkChangeNotifier : public NetworkChangeNotifier {
       std::unique_ptr<SystemDnsConfigChangeNotifier> dns_config_notifier);
 
   bool force_network_handles_supported_ = false;
+  bool is_default_network_active_ = true;
   ConnectionType connection_type_ = CONNECTION_UNKNOWN;
   ConnectionCost connection_cost_ = CONNECTION_COST_UNKNOWN;
   bool use_default_connection_cost_implementation_ = false;
diff --git a/chromium/net/base/net_error_details.h b/chromium/net/base/net_error_details.h
index bdc9b66f6f6..3da3f325aa7 100644
--- a/chromium/net/base/net_error_details.h
+++ b/chromium/net/base/net_error_details.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_error_list.h b/chromium/net/base/net_error_list.h
index c7837efec56..20997e9af12 100644
--- a/chromium/net/base/net_error_list.h
+++ b/chromium/net/base/net_error_list.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -112,7 +112,7 @@ NET_ERROR(CONTEXT_SHUT_DOWN, -26)
 
 // The request failed because the response was delivered along with requirements
 // which are not met ('X-Frame-Options' and 'Content-Security-Policy' ancestor
-// checks and 'Cross-Origin-Resource-Policy', for instance).
+// checks and 'Cross-Origin-Resource-Policy' for instance).
 NET_ERROR(BLOCKED_BY_RESPONSE, -27)
 
 // Error -28 was removed (BLOCKED_BY_XSS_AUDITOR).
@@ -127,6 +127,9 @@ NET_ERROR(BLOCKED_BY_CSP, -30)
 // The request was blocked because of no H/2 or QUIC session.
 NET_ERROR(H2_OR_QUIC_REQUIRED, -31)
 
+// The request was blocked by CORB or ORB.
+NET_ERROR(BLOCKED_BY_ORB, -32)
+
 // A connection was closed (corresponding to a TCP FIN).
 NET_ERROR(CONNECTION_CLOSED, -100)
 
diff --git a/chromium/net/base/net_errors.cc b/chromium/net/base/net_errors.cc
index 9011378b493..f4859f4d20a 100644
--- a/chromium/net/base/net_errors.cc
+++ b/chromium/net/base/net_errors.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_errors.h b/chromium/net/base/net_errors.h
index e146fc40724..074d9ff3cd2 100644
--- a/chromium/net/base/net_errors.h
+++ b/chromium/net/base/net_errors.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_errors_posix.cc b/chromium/net/base/net_errors_posix.cc
index 6e2b83ebadd..df49829735b 100644
--- a/chromium/net/base/net_errors_posix.cc
+++ b/chromium/net/base/net_errors_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_errors_unittest.cc b/chromium/net/base/net_errors_unittest.cc
index 38edd834489..ccd6aa20768 100644
--- a/chromium/net/base/net_errors_unittest.cc
+++ b/chromium/net/base/net_errors_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_errors_win.cc b/chromium/net/base/net_errors_win.cc
index 4bc968506ed..106dd92d612 100644
--- a/chromium/net/base/net_errors_win.cc
+++ b/chromium/net/base/net_errors_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_export.h b/chromium/net/base/net_export.h
index 55cf9861239..35e1773fca6 100644
--- a/chromium/net/base/net_export.h
+++ b/chromium/net/base/net_export.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_info_source_list.h b/chromium/net/base/net_info_source_list.h
index 4538566d864..38316c64726 100644
--- a/chromium/net/base/net_info_source_list.h
+++ b/chromium/net/base/net_info_source_list.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_module.cc b/chromium/net/base/net_module.cc
index f84c39b7ccf..c409a7d48a3 100644
--- a/chromium/net/base/net_module.cc
+++ b/chromium/net/base/net_module.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright 2006-2008 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_module.h b/chromium/net/base/net_module.h
index ce93920bba6..5f366eb0ad4 100644
--- a/chromium/net/base/net_module.h
+++ b/chromium/net/base/net_module.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_string_util.h b/chromium/net/base/net_string_util.h
index 204146c0b4b..cb455614799 100644
--- a/chromium/net/base/net_string_util.h
+++ b/chromium/net/base/net_string_util.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_string_util_icu.cc b/chromium/net/base/net_string_util_icu.cc
index c3b60449afc..67dcd9c0786 100644
--- a/chromium/net/base/net_string_util_icu.cc
+++ b/chromium/net/base/net_string_util_icu.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_string_util_icu_alternatives_android.cc b/chromium/net/base/net_string_util_icu_alternatives_android.cc
index 246018078dd..b18e00937c4 100644
--- a/chromium/net/base/net_string_util_icu_alternatives_android.cc
+++ b/chromium/net/base/net_string_util_icu_alternatives_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_string_util_icu_alternatives_ios.mm b/chromium/net/base/net_string_util_icu_alternatives_ios.mm
index bdc7c71395d..41497a3c411 100644
--- a/chromium/net/base/net_string_util_icu_alternatives_ios.mm
+++ b/chromium/net/base/net_string_util_icu_alternatives_ios.mm
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/net_string_util_unittest.cc b/chromium/net/base/net_string_util_unittest.cc
index d02bcc798fe..f4ca55b9dda 100644
--- a/chromium/net/base/net_string_util_unittest.cc
+++ b/chromium/net/base/net_string_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_activity_monitor.cc b/chromium/net/base/network_activity_monitor.cc
index e4ce7f08c9c..183f8968d64 100644
--- a/chromium/net/base/network_activity_monitor.cc
+++ b/chromium/net/base/network_activity_monitor.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_activity_monitor.h b/chromium/net/base/network_activity_monitor.h
index 6b24f306295..319e255b048 100644
--- a/chromium/net/base/network_activity_monitor.h
+++ b/chromium/net/base/network_activity_monitor.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_activity_monitor_unittest.cc b/chromium/net/base/network_activity_monitor_unittest.cc
index e28250d204b..0028c75c90b 100644
--- a/chromium/net/base/network_activity_monitor_unittest.cc
+++ b/chromium/net/base/network_activity_monitor_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_anonymization_key.cc b/chromium/net/base/network_anonymization_key.cc
index 254cd00430e..a707ec0b5ff 100644
--- a/chromium/net/base/network_anonymization_key.cc
+++ b/chromium/net/base/network_anonymization_key.cc
@@ -1,12 +1,15 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "net/base/network_anonymization_key.h"
 #include "base/feature_list.h"
 #include "base/unguessable_token.h"
+#include "base/values.h"
 #include "net/base/features.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/schemeful_site.h"
+#include "net/cookies/site_for_cookies.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace net {
@@ -20,13 +23,68 @@ NetworkAnonymizationKey::NetworkAnonymizationKey(
       frame_site_(!IsFrameSiteEnabled() ? absl::nullopt : frame_site),
       is_cross_site_(IsCrossSiteFlagSchemeEnabled() ? is_cross_site
                                                     : absl::nullopt),
-      nonce_(nonce) {}
+      nonce_(nonce) {
+  DCHECK(top_frame_site_.has_value());
+  DCHECK(!IsFrameSiteEnabled() || frame_site_.has_value());
+  // If `is_cross_site` is enabled but the value is not populated, and we have
+  // the information to calculate it, do calculate it.
+  if (IsCrossSiteFlagSchemeEnabled() && !is_cross_site_.has_value() &&
+      frame_site.has_value()) {
+    SiteForCookies site_for_cookies =
+        net::SiteForCookies(top_frame_site_.value());
+    is_cross_site_ =
+        !site_for_cookies.IsFirstParty(frame_site.value().GetURL());
+  }
+  if (IsCrossSiteFlagSchemeEnabled()) {
+    // If `frame_site_` is populated, `is_cross_site_` must be as well.
+    DCHECK(is_cross_site_.has_value());
+  }
+}
+
+NetworkAnonymizationKey NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+    const net::NetworkIsolationKey& network_isolation_key) {
+  // If NIK is a double key, NAK must also be a double key.
+  DCHECK(NetworkIsolationKey::IsFrameSiteEnabled() ||
+         (!NetworkIsolationKey::IsFrameSiteEnabled() &&
+          !NetworkAnonymizationKey::IsFrameSiteEnabled()));
+
+  // We cannot create a valid NetworkAnonymizationKey from a NetworkIsolationKey
+  // that is not fully populated.
+  if (!network_isolation_key.IsFullyPopulated()) {
+    return NetworkAnonymizationKey();
+  }
+
+  absl::optional<SchemefulSite> nak_frame_site =
+      NetworkAnonymizationKey::IsFrameSiteEnabled()
+          ? network_isolation_key.GetFrameSite()
+          : absl::nullopt;
+
+  // If we are unable to determine the value of `is_cross_site` from the
+  // NetworkIsolationKey, we default the value to `nullopt`. Otherwise we
+  // calculate what the value will be. If the NetworkAnonymizationKey is being
+  // constructed in a scheme where the is cross site value is not used this
+  // value will be overridden in the constructor and set to `nullopt`.
+  absl::optional<bool> nak_is_cross_site = absl::nullopt;
+  if (NetworkAnonymizationKey::IsCrossSiteFlagSchemeEnabled()) {
+    SiteForCookies site_for_cookies =
+        net::SiteForCookies(network_isolation_key.GetTopFrameSite().value());
+    nak_is_cross_site = !site_for_cookies.IsFirstParty(
+        network_isolation_key.GetFrameSite()->GetURL());
+  }
+
+  return NetworkAnonymizationKey(
+      network_isolation_key.GetTopFrameSite().value(), nak_frame_site,
+      nak_is_cross_site, network_isolation_key.GetNonce());
+}
 
 NetworkAnonymizationKey::NetworkAnonymizationKey() = default;
 
 NetworkAnonymizationKey::NetworkAnonymizationKey(
     const NetworkAnonymizationKey& network_anonymization_key) = default;
 
+NetworkAnonymizationKey::NetworkAnonymizationKey(
+    NetworkAnonymizationKey&& network_anonymization_key) = default;
+
 NetworkAnonymizationKey::~NetworkAnonymizationKey() = default;
 
 NetworkAnonymizationKey& NetworkAnonymizationKey::operator=(
@@ -35,12 +93,20 @@ NetworkAnonymizationKey& NetworkAnonymizationKey::operator=(
 NetworkAnonymizationKey& NetworkAnonymizationKey::operator=(
     NetworkAnonymizationKey&& network_anonymization_key) = default;
 
+NetworkAnonymizationKey NetworkAnonymizationKey::CreateTransient() {
+  SchemefulSite site_with_opaque_origin;
+  return NetworkAnonymizationKey(site_with_opaque_origin,
+                                 site_with_opaque_origin, false);
+}
+
 std::string NetworkAnonymizationKey::ToDebugString() const {
   std::string str = GetSiteDebugString(top_frame_site_);
   str += " " + GetSiteDebugString(frame_site_);
   std::string cross_site_str =
       IsCrossSiteFlagSchemeEnabled()
-          ? (GetIsCrossSite() ? " cross_site" : " same_site")
+          ? (!GetIsCrossSite().has_value() ? " with empty is_cross_site value"
+             : GetIsCrossSite().value()    ? " cross_site"
+                                           : " same_site")
           : "";
   str += cross_site_str;
 
@@ -72,9 +138,16 @@ bool NetworkAnonymizationKey::IsTransient() const {
          (IsFrameSiteEnabled() && frame_site_->opaque()) || nonce_.has_value();
 }
 
-bool NetworkAnonymizationKey::GetIsCrossSite() const {
-  DCHECK(IsCrossSiteFlagSchemeEnabled() && is_cross_site_.has_value());
-  return is_cross_site_.value();
+absl::optional<bool> NetworkAnonymizationKey::GetIsCrossSite() const {
+  DCHECK(IsCrossSiteFlagSchemeEnabled());
+  return is_cross_site_;
+}
+
+const absl::optional<SchemefulSite>& NetworkAnonymizationKey::GetFrameSite()
+    const {
+  // Frame site will be empty if double-keying is enabled.
+  CHECK(NetworkAnonymizationKey::IsFrameSiteEnabled());
+  return frame_site_;
 }
 
 bool NetworkAnonymizationKey::IsFrameSiteEnabled() {
@@ -99,9 +172,110 @@ bool NetworkAnonymizationKey::IsCrossSiteFlagSchemeEnabled() {
       net::features::kEnableCrossSiteFlagNetworkAnonymizationKey);
 }
 
+bool NetworkAnonymizationKey::ToValue(base::Value* out_value) const {
+  if (IsEmpty()) {
+    *out_value = base::Value(base::Value::Type::LIST);
+    return true;
+  }
+
+  if (IsTransient())
+    return false;
+
+  absl::optional<std::string> top_frame_value =
+      SerializeSiteWithNonce(*top_frame_site_);
+  if (!top_frame_value)
+    return false;
+  base::Value::List list;
+  list.Append(std::move(top_frame_value).value());
+
+  absl::optional<std::string> frame_value =
+      IsFrameSiteEnabled() ? SerializeSiteWithNonce(*frame_site_)
+                           : absl::nullopt;
+
+  // Append frame site for tripe key scheme or is_cross_site flag for double key
+  // with cross site flag scheme.
+  if (IsFrameSiteEnabled()) {
+    if (!frame_value.has_value()) {
+      return false;
+    }
+    list.Append(std::move(frame_value).value());
+  } else if (IsCrossSiteFlagSchemeEnabled()) {
+    const absl::optional<bool> is_cross_site = GetIsCrossSite();
+    if (is_cross_site.has_value()) {
+      list.Append(is_cross_site.value());
+    }
+  }
+
+  *out_value = base::Value(std::move(list));
+  return true;
+}
+
+bool NetworkAnonymizationKey::FromValue(
+    const base::Value& value,
+    NetworkAnonymizationKey* network_anonymization_key) {
+  if (!value.is_list())
+    return false;
+
+  const base::Value::List& list = value.GetList();
+  if (list.empty()) {
+    *network_anonymization_key = NetworkAnonymizationKey();
+    return true;
+  }
+
+  // Check top_level_site is valid for any key scheme
+  if (list.size() < 1 || !list[0].is_string()) {
+    return false;
+  }
+  absl::optional<SchemefulSite> top_frame_site =
+      SchemefulSite::DeserializeWithNonce(list[0].GetString());
+  if (!top_frame_site) {
+    return false;
+  }
+
+  absl::optional<SchemefulSite> frame_site = absl::nullopt;
+  absl::optional<bool> is_cross_site = absl::nullopt;
+
+  // If double key scheme is enabled `list` must be of length 1. list[0] will be
+  // top_frame_site.
+  if (IsDoubleKeySchemeEnabled()) {
+    if (list.size() != 1) {
+      return false;
+    }
+  } else if (IsCrossSiteFlagSchemeEnabled()) {
+    // If double key + is cross site scheme is enabled `list` must be of
+    // length 2. list[0] will be top_frame_site and list[1] will be
+    // is_cross_site.
+    if (list.size() != 2 || !list[1].is_bool()) {
+      return false;
+    }
+    is_cross_site = list[1].GetBool();
+  } else {
+    // If neither alternative scheme is enabled we expect a valid triple keyed
+    // NetworkAnonymizationKey. `list` must be of length 2. list[0] will be
+    // top_frame_site and list[1] will be frame_site.
+    if (list.size() != 2 || !list[1].is_string()) {
+      return false;
+    }
+    frame_site = SchemefulSite::DeserializeWithNonce(list[1].GetString());
+    if (!frame_site) {
+      return false;
+    }
+  }
+
+  *network_anonymization_key =
+      NetworkAnonymizationKey(std::move(top_frame_site.value()),
+                              std::move(frame_site), std::move(is_cross_site));
+  return true;
+}
+
 std::string NetworkAnonymizationKey::GetSiteDebugString(
     const absl::optional<SchemefulSite>& site) const {
   return site ? site->GetDebugString() : "null";
 }
 
+absl::optional<std::string> NetworkAnonymizationKey::SerializeSiteWithNonce(
+    const SchemefulSite& site) {
+  return *(const_cast<SchemefulSite&>(site).SerializeWithNonce());
+}
+
 }  // namespace net
diff --git a/chromium/net/base/network_anonymization_key.h b/chromium/net/base/network_anonymization_key.h
index 1a783562124..a5f47e671e4 100644
--- a/chromium/net/base/network_anonymization_key.h
+++ b/chromium/net/base/network_anonymization_key.h
@@ -1,18 +1,24 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_NETWORK_ANONYMIZATION_KEY_H_
 #define NET_BASE_NETWORK_ANONYMIZATION_KEY_H_
 
+#include <cstddef>
 #include <string>
 #include <tuple>
 
 #include "base/unguessable_token.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/schemeful_site.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 
+namespace base {
+class Value;
+}
+
 namespace net {
 
 // NetworkAnonymizationKey will be used to partition shared network state based
@@ -54,9 +60,11 @@ namespace net {
 
 class NET_EXPORT NetworkAnonymizationKey {
  public:
+  // TODO(crbug/1372123): Consider having the constructor not pass
+  // `is_cross_site` since this may be unnecessary and confusing to consumers.
   NetworkAnonymizationKey(
       const SchemefulSite& top_frame_site,
-      const absl::optional<SchemefulSite>& frame_site,
+      const absl::optional<SchemefulSite>& frame_site = absl::nullopt,
       const absl::optional<bool> is_cross_site = absl::nullopt,
       const absl::optional<base::UnguessableToken> nonce = absl::nullopt);
 
@@ -93,6 +101,31 @@ class NET_EXPORT NetworkAnonymizationKey {
                     other.is_cross_site_, other.nonce_);
   }
 
+  // Creates a NetworkAnonymizationKey from a NetworkAnonymizationKey. This is
+  // possible because a NetworkAnonymizationKey must always be more granular
+  // than a NetworkAnonymizationKey.
+  static NetworkAnonymizationKey CreateFromNetworkIsolationKey(
+      const net::NetworkIsolationKey& network_isolation_key);
+
+  // TODO(crbug/1372769)
+  // Intended for temporary use in locations that should be using main frame and
+  // frame origin, but are currently only using frame origin, because the
+  // creating object may be shared across main frame objects. Having a special
+  // constructor for these methods makes it easier to keep track of locating
+  // callsites that need to have their NetworkAnonymizationKey filled in.
+  static NetworkAnonymizationKey ToDoUseTopFrameOriginAsWell(
+      const url::Origin& incorrectly_used_frame_origin) {
+    net::SchemefulSite incorrectly_used_frame_site =
+        net::SchemefulSite(incorrectly_used_frame_origin);
+    return NetworkAnonymizationKey(incorrectly_used_frame_site,
+                                   incorrectly_used_frame_site);
+  }
+
+  // Creates a transient non-empty NetworkAnonymizationKey by creating an opaque
+  // origin. This prevents the NetworkAnonymizationKey from sharing data with
+  // other NetworkAnonymizationKey.
+  static NetworkAnonymizationKey CreateTransient();
+
   // Returns the string representation of the key.
   std::string ToDebugString() const;
 
@@ -111,17 +144,21 @@ class NET_EXPORT NetworkAnonymizationKey {
   bool IsTransient() const;
 
   // Getters for the top frame, frame site, nonce and is cross site flag.
-  // TODO @brgoldstein: create feature flags to wrap these properties so that
-  // the key can be modified for experimentation.
   const absl::optional<SchemefulSite>& GetTopFrameSite() const {
     return top_frame_site_;
   }
 
-  const absl::optional<SchemefulSite>& GetFrameSite() const {
+  const absl::optional<SchemefulSite>& GetFrameSite() const;
+
+  // Do not use outside of testing. Returns the `frame_site_` if neither
+  // `kEnableCrossSiteFlagNetworkAnonymizationKey` or
+  // `kEnableDoubleKeyNetworkAnonymizationKey` are enabled. Else it
+  // returns nullopt.
+  const absl::optional<SchemefulSite>& GetFrameSiteForTesting() const {
     return frame_site_;
   }
 
-  bool GetIsCrossSite() const;
+  absl::optional<bool> GetIsCrossSite() const;
 
   const absl::optional<base::UnguessableToken>& GetNonce() const {
     return nonce_;
@@ -150,9 +187,24 @@ class NET_EXPORT NetworkAnonymizationKey {
   // cross site from the top level site.
   static bool IsCrossSiteFlagSchemeEnabled();
 
+  // Returns a representation of |this| as a base::Value. Returns false on
+  // failure. Succeeds if either IsEmpty() or !IsTransient().
+  [[nodiscard]] bool ToValue(base::Value* out_value) const;
+
+  // Inverse of ToValue(). Writes the result to |network_anonymization_key|.
+  // Returns false on failure. Fails on values that could not have been produced
+  // by ToValue(), like transient origins.
+  [[nodiscard]] static bool FromValue(
+      const base::Value& value,
+      NetworkAnonymizationKey* out_network_anonymization_key);
+
  private:
   std::string GetSiteDebugString(
       const absl::optional<SchemefulSite>& site) const;
+
+  static absl::optional<std::string> SerializeSiteWithNonce(
+      const SchemefulSite& site);
+
   // The origin/etld+1 of the top frame of the page making the request. This
   // will always be populated unless all other fields are also nullopt.
   absl::optional<SchemefulSite> top_frame_site_;
diff --git a/chromium/net/base/network_anonymization_key_unittest.cc b/chromium/net/base/network_anonymization_key_unittest.cc
index 14e8883ba59..6ebf505595a 100644
--- a/chromium/net/base/network_anonymization_key_unittest.cc
+++ b/chromium/net/base/network_anonymization_key_unittest.cc
@@ -1,14 +1,16 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/network_anonymization_key.h"
 
+#include "base/test/gtest_util.h"
 #include "base/test/scoped_feature_list.h"
 #include "base/unguessable_token.h"
 #include "base/values.h"
 #include "net/base/features.h"
 #include "net/base/schemeful_site.h"
+#include "network_anonymization_key.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/gurl.h"
@@ -17,30 +19,50 @@
 namespace net {
 
 struct EnabledFeatureFlagsTestingParam {
-  bool enableDoubleKeyNetworkAnonymizationKeyEnabled;
-  bool enableCrossSiteFlagNetworkAnonymizationKey;
+  const bool enableDoubleKeyNetworkAnonymizationKeyEnabled;
+  const bool enableCrossSiteFlagNetworkAnonymizationKey;
+  const bool enableDoubleKeyNetworkIsolationKey;
 };
 
+//    0. Triple-keying is enabled for both IsolationInfo and
+//    NetworkAnonymizationKey.
+//    1. Double-keying is enabled for both IsolationInfo and
+//    NetworkAnonymizationKey.
+//    2. Triple-keying is enabled for IsolationInfo and double-keying is enabled
+//    for NetworkAnonymizationKey.
+//    3. Triple-keying is enabled for IsolationInfo and double-keying +
+//    cross-site-bit is enabled for NetworkAnonymizationKey.
 const EnabledFeatureFlagsTestingParam kFlagsParam[] = {
     {/*enableDoubleKeyNetworkAnonymizationKeyEnabled=*/false,
-     /*enableCrossSiteFlagNetworkAnonymizationKey=*/false},
-    {/*enableDoubleKeyNetworkAnonymizationKeyEnabled=*/false,
-     /*enableCrossSiteFlagNetworkAnonymizationKey=*/true},
+     /*enableCrossSiteFlagNetworkAnonymizationKey=*/false,
+     /*enableDoubleKeyNetworkIsolationKey=*/false},
     {/*enableDoubleKeyNetworkAnonymizationKeyEnabled=*/true,
-     /*enableCrossSiteFlagNetworkAnonymizationKey=*/false},
+     /*enableCrossSiteFlagNetworkAnonymizationKey=*/false,
+     /*enableDoubleKeyNetworkIsolationKey=*/true},
     {/*enableDoubleKeyNetworkAnonymizationKeyEnabled=*/true,
-     /*enableCrossSiteFlagNetworkAnonymizationKe=y*/ true},
-};
+     /*enableCrossSiteFlagNetworkAnonymizationKey=*/false,
+     /*enableDoubleKeyNetworkIsolationKey=*/false},
+    {/*enableDoubleKeyNetworkAnonymizationKeyEnabled=*/false,
+     /*enableCrossSiteFlagNetworkAnonymizationKey=*/true,
+     /*enableDoubleKeyNetworkIsolationKey=*/false}};
 
 class NetworkAnonymizationKeyTest
     : public testing::Test,
       public testing::WithParamInterface<EnabledFeatureFlagsTestingParam> {
  public:
   void SetUp() override {
-    std::vector<base::Feature> enabled_features = {};
-    std::vector<base::Feature> disabled_features = {};
+    std::vector<base::test::FeatureRef> enabled_features = {};
+    std::vector<base::test::FeatureRef> disabled_features = {};
+
+    if (IsDoubleKeyNetworkIsolationKeyEnabled()) {
+      enabled_features.push_back(
+          net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
+    } else {
+      disabled_features.push_back(
+          net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
+    }
 
-    if (IsDoubleKeyEnabled()) {
+    if (IsDoubleKeyNetworkAnonymizationKeyEnabled()) {
       enabled_features.push_back(
           net::features::kEnableDoubleKeyNetworkAnonymizationKey);
     } else {
@@ -59,9 +81,14 @@ class NetworkAnonymizationKeyTest
     scoped_feature_list_.InitWithFeatures(enabled_features, disabled_features);
   }
 
-  bool IsDoubleKeyEnabled() {
+  static bool IsDoubleKeyNetworkIsolationKeyEnabled() {
+    return GetParam().enableDoubleKeyNetworkIsolationKey;
+  }
+
+  bool IsDoubleKeyNetworkAnonymizationKeyEnabled() {
     return GetParam().enableDoubleKeyNetworkAnonymizationKeyEnabled;
   }
+
   bool IsCrossSiteFlagEnabled() {
     return GetParam().enableCrossSiteFlagNetworkAnonymizationKey;
   }
@@ -82,7 +109,7 @@ INSTANTIATE_TEST_SUITE_P(
     /*kEnableDoubleKeyNetworkAnonymizationKey*/ testing::ValuesIn(kFlagsParam));
 
 TEST_P(NetworkAnonymizationKeyTest, IsDoubleKeyingEnabled) {
-  if (IsDoubleKeyEnabled() || IsCrossSiteFlagEnabled()) {
+  if (IsDoubleKeyNetworkAnonymizationKeyEnabled() || IsCrossSiteFlagEnabled()) {
     EXPECT_FALSE(NetworkAnonymizationKey::IsFrameSiteEnabled());
   } else {
     EXPECT_TRUE(NetworkAnonymizationKey::IsFrameSiteEnabled());
@@ -93,7 +120,8 @@ TEST_P(NetworkAnonymizationKeyTest, IsDoubleKeySchemeEnabled) {
   // Double key scheme is enabled only when
   // `kEnableDoubleKeyNetworkAnonymizationKeyEnabled` is enabled but
   // `kEnableCrossSiteFlagNetworkAnonymizationKey` is not.
-  if (IsDoubleKeyEnabled() && !IsCrossSiteFlagEnabled()) {
+  if (IsDoubleKeyNetworkAnonymizationKeyEnabled() &&
+      !IsCrossSiteFlagEnabled()) {
     EXPECT_TRUE(NetworkAnonymizationKey::IsDoubleKeySchemeEnabled());
   } else {
     EXPECT_FALSE(NetworkAnonymizationKey::IsDoubleKeySchemeEnabled());
@@ -112,6 +140,131 @@ TEST_P(NetworkAnonymizationKeyTest, IsCrossSiteFlagSchemeEnabled) {
   }
 }
 
+TEST_P(NetworkAnonymizationKeyTest, CreateFromNetworkIsolationKey) {
+  SchemefulSite site_a = SchemefulSite(GURL("http://a.test/"));
+  SchemefulSite site_b = SchemefulSite(GURL("http://b.test/"));
+  base::UnguessableToken nik_nonce = base::UnguessableToken::Create();
+  NetworkIsolationKey populated_cross_site_nik(site_a, site_b, &nik_nonce);
+  NetworkIsolationKey populated_same_site_nik(site_a, site_a, &nik_nonce);
+  NetworkIsolationKey empty_nik;
+
+  NetworkAnonymizationKey nak_from_cross_site_nik =
+      NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+          populated_cross_site_nik);
+  NetworkAnonymizationKey nak_from_same_site_nik =
+      NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+          populated_same_site_nik);
+  NetworkAnonymizationKey nak_from_empty_nik =
+      NetworkAnonymizationKey::CreateFromNetworkIsolationKey(empty_nik);
+
+  // NAKs created when there is no top frame site on the NIK should create an
+  // empty NAK.
+  EXPECT_TRUE(nak_from_empty_nik.IsEmpty());
+
+  // Double-keyed NetworkIsolationKey + double-keyed NetworkAnonymizationKey
+  // case.
+  if (IsDoubleKeyNetworkIsolationKeyEnabled() &&
+      IsDoubleKeyNetworkAnonymizationKeyEnabled()) {
+    // Top site should be populated.
+    EXPECT_EQ(nak_from_cross_site_nik.GetTopFrameSite(), site_a);
+    EXPECT_EQ(nak_from_same_site_nik.GetTopFrameSite(), site_a);
+
+    // Nonce should be populated.
+    EXPECT_EQ(nak_from_same_site_nik.GetNonce(), nik_nonce);
+    EXPECT_EQ(nak_from_cross_site_nik.GetNonce(), nik_nonce);
+
+    // Frame site getter should CHECK.
+    EXPECT_DEATH_IF_SUPPORTED(nak_from_cross_site_nik.GetFrameSite(), "");
+    EXPECT_DEATH_IF_SUPPORTED(nak_from_same_site_nik.GetFrameSite(), "");
+
+    // Double-keyed NAKs created from different third party cross site contexts
+    // should be equal.
+    EXPECT_TRUE(nak_from_same_site_nik == nak_from_cross_site_nik);
+  }
+
+  // Triple-keyed NetworkIsolationKey + triple-keyed NetworkAnonymizationKey
+  // case.
+  if (!IsDoubleKeyNetworkIsolationKeyEnabled() &&
+      !IsDoubleKeyNetworkAnonymizationKeyEnabled() &&
+      !IsCrossSiteFlagEnabled()) {
+    // Top site should be populated correctly.
+    EXPECT_EQ(nak_from_cross_site_nik.GetTopFrameSite(), site_a);
+    EXPECT_EQ(nak_from_same_site_nik.GetTopFrameSite(), site_a);
+
+    // Nonce should be populated correctly.
+    EXPECT_EQ(nak_from_same_site_nik.GetNonce(), nik_nonce);
+    EXPECT_EQ(nak_from_cross_site_nik.GetNonce(), nik_nonce);
+
+    // Frame site getter should be populated correctly.
+    EXPECT_EQ(nak_from_cross_site_nik.GetFrameSite(), site_b);
+    EXPECT_EQ(nak_from_same_site_nik.GetFrameSite(), site_a);
+
+    // Is cross site boolean should not be accessible when the feature is not
+    // enabled.
+    // EXPECT_DEATH_IF_SUPPORTED(nak_from_cross_site_nik.GetIsCrossSite(), "");
+    // EXPECT_DEATH_IF_SUPPORTED(nak_from_same_site_nik.GetIsCrossSite(), "");
+
+    // Triple-keyed NAKs created from different third party cross site contexts
+    // should be different.
+    EXPECT_FALSE(nak_from_same_site_nik == nak_from_cross_site_nik);
+  }
+
+  // Triple-keyed NetworkIsolationKey + double-keyed NetworkAnonymizationKey
+  // case.
+  if (!IsDoubleKeyNetworkIsolationKeyEnabled() &&
+      IsDoubleKeyNetworkAnonymizationKeyEnabled() &&
+      !IsCrossSiteFlagEnabled()) {
+    // Top site should be populated correctly.
+    EXPECT_EQ(nak_from_cross_site_nik.GetTopFrameSite(), site_a);
+    EXPECT_EQ(nak_from_same_site_nik.GetTopFrameSite(), site_a);
+
+    // Nonce should be populated correctly.
+    EXPECT_EQ(nak_from_same_site_nik.GetNonce(), nik_nonce);
+    EXPECT_EQ(nak_from_cross_site_nik.GetNonce(), nik_nonce);
+
+    // Frame site getter should not be accessible when the double keying is
+    // enabled.
+    EXPECT_DEATH_IF_SUPPORTED(nak_from_cross_site_nik.GetFrameSite(), "");
+    EXPECT_DEATH_IF_SUPPORTED(nak_from_same_site_nik.GetFrameSite(), "");
+
+    // Is cross site boolean should not be accessible when the feature is not
+    // enabled.
+    // EXPECT_DEATH_IF_SUPPORTED(nak_from_cross_site_nik.GetIsCrossSite(), "");
+    // EXPECT_DEATH_IF_SUPPORTED(nak_from_same_site_nik.GetIsCrossSite(), "");
+
+    // Double-keyed NAKs created from different third party cross site contexts
+    // should be the same.
+    EXPECT_TRUE(nak_from_same_site_nik == nak_from_cross_site_nik);
+  }
+
+  // Triple-keyed NetworkIsolationKey + double-keyed + cross site bit
+  // NetworkAnonymizationKey case.
+  if (!IsDoubleKeyNetworkIsolationKeyEnabled() &&
+      !IsDoubleKeyNetworkAnonymizationKeyEnabled() &&
+      IsCrossSiteFlagEnabled()) {
+    // Top site should be populated correctly.
+    EXPECT_EQ(nak_from_cross_site_nik.GetTopFrameSite(), site_a);
+    EXPECT_EQ(nak_from_same_site_nik.GetTopFrameSite(), site_a);
+
+    // Nonce should be populated correctly.
+    EXPECT_EQ(nak_from_same_site_nik.GetNonce(), nik_nonce);
+    EXPECT_EQ(nak_from_cross_site_nik.GetNonce(), nik_nonce);
+
+    // Frame site getter should not be accessible when the double keying is
+    // enabled.
+    EXPECT_DEATH_IF_SUPPORTED(nak_from_cross_site_nik.GetFrameSite(), "");
+    EXPECT_DEATH_IF_SUPPORTED(nak_from_same_site_nik.GetFrameSite(), "");
+
+    // Is cross site boolean should be populated correctly.
+    EXPECT_EQ(nak_from_same_site_nik.GetIsCrossSite(), false);
+    EXPECT_EQ(nak_from_cross_site_nik.GetIsCrossSite(), true);
+
+    // Double-keyed + cross site bit NAKs created from different third party
+    // cross site contexts should be the different.
+    EXPECT_FALSE(nak_from_same_site_nik == nak_from_cross_site_nik);
+  }
+}
+
 TEST_P(NetworkAnonymizationKeyTest, IsEmpty) {
   NetworkAnonymizationKey empty_key;
   NetworkAnonymizationKey populated_key(/*top_frame_site=*/kTestSiteA,
@@ -123,6 +276,17 @@ TEST_P(NetworkAnonymizationKeyTest, IsEmpty) {
   EXPECT_FALSE(populated_key.IsEmpty());
 }
 
+TEST_P(NetworkAnonymizationKeyTest, CreateTransient) {
+  NetworkAnonymizationKey transient_key1 =
+      NetworkAnonymizationKey::CreateTransient();
+  NetworkAnonymizationKey transient_key2 =
+      NetworkAnonymizationKey::CreateTransient();
+
+  EXPECT_TRUE(transient_key1.IsTransient());
+  EXPECT_TRUE(transient_key2.IsTransient());
+  EXPECT_FALSE(transient_key1 == transient_key2);
+}
+
 TEST_P(NetworkAnonymizationKeyTest, IsTransient) {
   NetworkAnonymizationKey empty_key;
   NetworkAnonymizationKey populated_key(/*top_frame_site=*/kTestSiteA,
@@ -140,23 +304,25 @@ TEST_P(NetworkAnonymizationKeyTest, IsTransient) {
                                          /*frame_site=*/kDataSite,
                                          /*is_cross_site=*/false,
                                          /*nonce=*/absl::nullopt);
-  NetworkAnonymizationKey populated_double_key(/*top_frame_site=*/kTestSiteA,
-                                               /*frame_site=*/absl::nullopt,
-                                               /*is_cross_site=*/false,
-                                               /*nonce=*/absl::nullopt);
+
+  NetworkAnonymizationKey from_create_transient =
+      NetworkAnonymizationKey::CreateTransient();
 
   EXPECT_TRUE(empty_key.IsTransient());
   EXPECT_FALSE(populated_key.IsTransient());
   EXPECT_TRUE(data_top_frame_key.IsTransient());
-  EXPECT_TRUE(data_top_frame_key.IsTransient());
   EXPECT_TRUE(populated_key_with_nonce.IsTransient());
+  EXPECT_TRUE(from_create_transient.IsTransient());
 
-  if (IsDoubleKeyEnabled() || IsCrossSiteFlagEnabled()) {
+  if (IsDoubleKeyNetworkAnonymizationKeyEnabled() || IsCrossSiteFlagEnabled()) {
+    NetworkAnonymizationKey populated_double_key(/*top_frame_site=*/kTestSiteA,
+                                                 /*frame_site=*/absl::nullopt,
+                                                 /*is_cross_site=*/false,
+                                                 /*nonce=*/absl::nullopt);
     EXPECT_FALSE(data_frame_key.IsTransient());
     EXPECT_FALSE(populated_double_key.IsTransient());
   } else {
     EXPECT_TRUE(data_frame_key.IsTransient());
-    EXPECT_TRUE(populated_double_key.IsTransient());
   }
 }
 
@@ -166,10 +332,6 @@ TEST_P(NetworkAnonymizationKeyTest, IsFullyPopulated) {
                                         /*frame_site=*/kTestSiteB,
                                         /*is_cross_site=*/false,
                                         /*nonce=*/absl::nullopt);
-  NetworkAnonymizationKey empty_frame_site_key(/*top_frame_site=*/kTestSiteA,
-                                               /*frame_site=*/absl::nullopt,
-                                               /*is_cross_site=*/false,
-                                               /*nonce=*/absl::nullopt);
   NetworkAnonymizationKey empty_cross_site_flag_key(
       /*top_frame_site=*/kTestSiteA,
       /*frame_site=*/kTestSiteB,
@@ -177,18 +339,47 @@ TEST_P(NetworkAnonymizationKeyTest, IsFullyPopulated) {
       /*nonce=*/absl::nullopt);
   EXPECT_TRUE(populated_key.IsFullyPopulated());
   EXPECT_FALSE(empty_key.IsFullyPopulated());
-  if (IsDoubleKeyEnabled() || IsCrossSiteFlagEnabled()) {
+  if (IsDoubleKeyNetworkAnonymizationKeyEnabled() || IsCrossSiteFlagEnabled()) {
+    NetworkAnonymizationKey empty_frame_site_key(/*top_frame_site=*/kTestSiteA,
+                                                 /*frame_site=*/absl::nullopt,
+                                                 /*is_cross_site=*/false,
+                                                 /*nonce=*/absl::nullopt);
     EXPECT_TRUE(empty_frame_site_key.IsFullyPopulated());
-  } else {
-    EXPECT_FALSE(empty_frame_site_key.IsFullyPopulated());
   }
 
   // is_cross_site is required when
   // `kEnableCrossSiteFlagNetworkAnonymizationKey` is enabled.
+  // Since we have both the top_frame_site and frame_site values the constructor
+  // should calculate and set `is_cross_site`.
+  EXPECT_TRUE(empty_cross_site_flag_key.IsFullyPopulated());
+}
+
+TEST_P(NetworkAnonymizationKeyTest, IsCrossSiteFlagCalculatedInConstructor) {
   if (IsCrossSiteFlagEnabled()) {
-    EXPECT_FALSE(empty_cross_site_flag_key.IsFullyPopulated());
-  } else {
-    EXPECT_TRUE(empty_cross_site_flag_key.IsFullyPopulated());
+    NetworkAnonymizationKey cross_site_key(/*top_frame_site=*/kTestSiteA,
+                                           /*frame_site=*/kTestSiteB,
+                                           /*is_cross_site=*/true);
+    NetworkAnonymizationKey equal_cross_site_key(/*top_frame_site=*/kTestSiteA,
+                                                 /*frame_site=*/kTestSiteB);
+
+    NetworkAnonymizationKey same_site_key(/*top_frame_site=*/kTestSiteA,
+                                          /*frame_site=*/kTestSiteA,
+                                          /*is_cross_site=*/false);
+    NetworkAnonymizationKey equal_same_site_key(/*top_frame_site=*/kTestSiteA,
+                                                /*frame_site=*/kTestSiteA);
+
+    NetworkAnonymizationKey double_key_cross_site(/*top_frame_site=*/kTestSiteA,
+                                                  /*frame_site=*/absl::nullopt,
+                                                  true);
+    EXPECT_EQ(cross_site_key.GetIsCrossSite().value(), true);
+    EXPECT_EQ(equal_cross_site_key.GetIsCrossSite().value(), true);
+    EXPECT_EQ(cross_site_key, equal_cross_site_key);
+
+    EXPECT_EQ(same_site_key.GetIsCrossSite().value(), false);
+    EXPECT_EQ(equal_same_site_key.GetIsCrossSite().value(), false);
+    EXPECT_EQ(same_site_key, equal_same_site_key);
+
+    EXPECT_EQ(double_key_cross_site.GetIsCrossSite().value(), true);
   }
 }
 
@@ -203,8 +394,9 @@ TEST_P(NetworkAnonymizationKeyTest, Getters) {
   // frame_site should be empty if any double key scheme is enabled. This
   // includes when `kEnableCrossSiteFlagNetworkAnonymizationKey` or
   // `kEnableDoubleKeyNetworkAnonymizationKey` are enabled.
-  if (IsDoubleKeyEnabled() || IsCrossSiteFlagEnabled()) {
-    EXPECT_EQ(key.GetFrameSite(), absl::nullopt);
+  if (IsDoubleKeyNetworkAnonymizationKeyEnabled() || IsCrossSiteFlagEnabled()) {
+    EXPECT_DEATH_IF_SUPPORTED(key.GetFrameSite(), "");
+    EXPECT_EQ(key.GetFrameSiteForTesting(), absl::nullopt);
   } else {
     EXPECT_EQ(key.GetFrameSite(), kTestSiteB);
   }
@@ -213,8 +405,6 @@ TEST_P(NetworkAnonymizationKeyTest, Getters) {
   // `kEnableCrossSiteFlagNetworkAnonymizationKey` is enabled.
   if (IsCrossSiteFlagEnabled()) {
     EXPECT_TRUE(key.GetIsCrossSite());
-  } else {
-    EXPECT_DEATH_IF_SUPPORTED(key.GetIsCrossSite(), "");
   }
 }
 
@@ -224,7 +414,8 @@ TEST_P(NetworkAnonymizationKeyTest, ToDebugString) {
                               /*is_cross_site=*/true, kNonce);
   NetworkAnonymizationKey empty_key;
 
-  if (IsDoubleKeyEnabled() && !IsCrossSiteFlagEnabled()) {
+  if (IsDoubleKeyNetworkAnonymizationKeyEnabled() &&
+      !IsCrossSiteFlagEnabled()) {
     // When double key scheme is enabled, the `is_cross_site` flag is always
     // forced to false.
     std::string double_key_expected_string_value = kTestSiteA.GetDebugString() +
@@ -240,9 +431,10 @@ TEST_P(NetworkAnonymizationKeyTest, ToDebugString) {
         kNonce.ToString() + ")";
     EXPECT_EQ(key.ToDebugString(),
               double_key_with_cross_site_flag_expected_string_value);
-    // is_cross_site_ must be populated if
-    // `kEnableCrossSiteFlagNetworkAnonymizationKey` is enabled.
-    EXPECT_DEATH_IF_SUPPORTED(empty_key.ToDebugString(), "");
+    // is_cross_site_ will be stored as nullopt when it's not populated even if
+    // IsCrossSiteFlagEnabled is enabled.
+    EXPECT_EQ(empty_key.ToDebugString(),
+              "null null with empty is_cross_site value");
   } else {
     // When neither `kEnableDoubleKeyNetworkAnonymizationKey` or
     // `kEnableCrossSiteFlagNetworkAnonymizationKey` is enabled,
@@ -303,7 +495,7 @@ TEST_P(NetworkAnonymizationKeyTest, Equality) {
       /*top_frame_site=*/kTestSiteA, /*frame_site=*/kTestSiteA,
       /*is_cross_site=*/false, kNonce);
 
-  if (IsDoubleKeyEnabled() || IsCrossSiteFlagEnabled()) {
+  if (IsDoubleKeyNetworkAnonymizationKeyEnabled() || IsCrossSiteFlagEnabled()) {
     EXPECT_TRUE(key == key_different_frame_site);
     EXPECT_FALSE(key != key_different_frame_site);
   } else {
@@ -330,4 +522,184 @@ TEST_P(NetworkAnonymizationKeyTest, Equality) {
   EXPECT_TRUE(empty_key < key);
 }
 
-}  // namespace net
\ No newline at end of file
+TEST_P(NetworkAnonymizationKeyTest, ValueRoundTripCrossSite) {
+  const SchemefulSite kOpaqueSite = SchemefulSite(GURL("data:text/html,junk"));
+  NetworkAnonymizationKey original_key(/*top_frame_site=*/kTestSiteA,
+                                       /*frame_site=*/kTestSiteB,
+                                       /*is_cross_site=*/true);
+  base::Value value;
+  ASSERT_TRUE(original_key.ToValue(&value));
+
+  // Fill initial value with opaque data, to make sure it's overwritten.
+  NetworkAnonymizationKey from_value_key = NetworkAnonymizationKey();
+  EXPECT_TRUE(NetworkAnonymizationKey::FromValue(value, &from_value_key));
+  EXPECT_EQ(original_key, from_value_key);
+}
+
+TEST_P(NetworkAnonymizationKeyTest, ValueRoundTripSameSite) {
+  const SchemefulSite kOpaqueSite = SchemefulSite(GURL("data:text/html,junk"));
+  NetworkAnonymizationKey original_key(/*top_frame_site=*/kTestSiteA,
+                                       /*frame_site=*/kTestSiteA,
+                                       /*is_cross_site=*/false);
+  base::Value value;
+  ASSERT_TRUE(original_key.ToValue(&value));
+
+  // Fill initial value with opaque data, to make sure it's overwritten.
+  NetworkAnonymizationKey from_value_key = NetworkAnonymizationKey();
+  EXPECT_TRUE(NetworkAnonymizationKey::FromValue(value, &from_value_key));
+  EXPECT_EQ(original_key, from_value_key);
+}
+
+TEST_P(NetworkAnonymizationKeyTest, ValueRoundTripOpaqueFrameSite) {
+  const SchemefulSite kOpaqueSite = SchemefulSite(GURL("data:text/html,junk"));
+  NetworkAnonymizationKey original_key(/*top_frame_site=*/kTestSiteA,
+                                       /*frame_site=*/kOpaqueSite,
+                                       /*is_cross_site=*/false);
+  base::Value value;
+  if (!NetworkAnonymizationKey::IsFrameSiteEnabled()) {
+    ASSERT_TRUE(original_key.ToValue(&value));
+    NetworkAnonymizationKey from_value_key = NetworkAnonymizationKey();
+    EXPECT_TRUE(NetworkAnonymizationKey::FromValue(value, &from_value_key));
+    EXPECT_EQ(original_key, from_value_key);
+  } else {
+    // If we expect a valid frame site we should fail to serialize the garbage
+    // value.
+    ASSERT_FALSE(original_key.ToValue(&value));
+  }
+}
+
+TEST_P(NetworkAnonymizationKeyTest, DeserializeValueWIthGarbageFrameSite) {
+  const SchemefulSite kOpaqueSite = SchemefulSite(GURL("data:text/html,junk"));
+  base::Value::List invalid_value;
+  invalid_value.Append("http://a.test/");
+  invalid_value.Append("data:text/html,junk");
+
+  // If we expect a valid frame site we should fail to deserialize the garbage
+  // value.
+  if (NetworkAnonymizationKey::IsFrameSiteEnabled()) {
+    NetworkAnonymizationKey from_value_key = NetworkAnonymizationKey();
+    EXPECT_FALSE(NetworkAnonymizationKey::FromValue(
+        base::Value(std::move(invalid_value)), &from_value_key));
+  }
+}
+
+TEST_P(NetworkAnonymizationKeyTest, TransientValueRoundTrip) {
+  const SchemefulSite kOpaqueSite = SchemefulSite(GURL("data:text/html,junk"));
+  NetworkAnonymizationKey original_key =
+      NetworkAnonymizationKey::CreateTransient();
+  base::Value value;
+  ASSERT_FALSE(original_key.ToValue(&value));
+}
+
+TEST_P(NetworkAnonymizationKeyTest, EmptyValueRoundTrip) {
+  const SchemefulSite kOpaqueSite = SchemefulSite(GURL("data:text/html,junk"));
+  NetworkAnonymizationKey original_key;
+  base::Value value;
+  ASSERT_TRUE(original_key.ToValue(&value));
+
+  // Fill initial value with opaque data, to make sure it's overwritten.
+  NetworkAnonymizationKey from_value_key = NetworkAnonymizationKey();
+  EXPECT_TRUE(NetworkAnonymizationKey::FromValue(value, &from_value_key));
+  EXPECT_EQ(original_key, from_value_key);
+}
+
+TEST(NetworkAnonymizationKeyFeatureShiftTest,
+     ValueRoundTripKeySchemeMissmatch) {
+  base::test::ScopedFeatureList scoped_feature_list_;
+  const SchemefulSite kOpaqueSite = SchemefulSite(GURL("data:text/html,junk"));
+  const SchemefulSite kTestSiteA = SchemefulSite(GURL("http://a.test/"));
+  const SchemefulSite kTestSiteB = SchemefulSite(GURL("http://b.test/"));
+  NetworkAnonymizationKey expected_failure_nak = NetworkAnonymizationKey();
+
+  // Turn double keying off.
+  scoped_feature_list_.InitAndDisableFeature(
+      net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
+
+  // Create a triple key.
+  NetworkAnonymizationKey original_triple_key(/*top_frame_site=*/kTestSiteA,
+                                              /*frame_site=*/kTestSiteB);
+
+  // Serialize key to value while triple keying is enabled.
+  base::Value triple_key_value;
+  ASSERT_TRUE(original_triple_key.ToValue(&triple_key_value));
+
+  // Convert it back to a triple keyed NetworkAnonymizationKey.
+  NetworkAnonymizationKey from_value_triple_key = NetworkAnonymizationKey();
+  EXPECT_TRUE(NetworkAnonymizationKey::FromValue(triple_key_value,
+                                                 &from_value_triple_key));
+  EXPECT_EQ(original_triple_key, from_value_triple_key);
+
+  // Turn double keying on.
+  scoped_feature_list_.Reset();
+  scoped_feature_list_.InitAndEnableFeature(
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey);
+
+  // Check that deserializing the triple keyed value fails.
+  EXPECT_FALSE(NetworkAnonymizationKey::FromValue(triple_key_value,
+                                                  &expected_failure_nak));
+
+  // Create a double keyed NetworkAnonymizationKey.
+  NetworkAnonymizationKey original_double_key(/*top_frame_site=*/kTestSiteA);
+  // Serialize key to value while double keying is enabled.
+  base::Value double_key_value;
+  ASSERT_TRUE(original_double_key.ToValue(&double_key_value));
+
+  // Convert it back to a double keyed NetworkAnonymizationKey.
+  NetworkAnonymizationKey from_value_double_key = NetworkAnonymizationKey();
+  EXPECT_TRUE(NetworkAnonymizationKey::FromValue(double_key_value,
+                                                 &from_value_double_key));
+  EXPECT_EQ(original_double_key, from_value_double_key);
+
+  // Turn double keying + cross site flag on.
+  scoped_feature_list_.Reset();
+  scoped_feature_list_.InitAndEnableFeature(
+      net::features::kEnableCrossSiteFlagNetworkAnonymizationKey);
+
+  // Check that deserializing the triple keyed value fails.
+  EXPECT_FALSE(NetworkAnonymizationKey::FromValue(triple_key_value,
+                                                  &expected_failure_nak));
+
+  // Check that deserializing the double keyed value fails.
+  EXPECT_FALSE(NetworkAnonymizationKey::FromValue(double_key_value,
+                                                  &expected_failure_nak));
+
+  // Create a cross site double key + cross site flag NetworkAnonymizationKey.
+  NetworkAnonymizationKey original_cross_site_double_key(
+      /*top_frame_site=*/kTestSiteA,
+      /*frame_site=*/kTestSiteB, false);
+  // Serialize key to value while double key + cross site flag is enabled.
+  base::Value cross_site_double_key_value;
+  ASSERT_TRUE(
+      original_cross_site_double_key.ToValue(&cross_site_double_key_value));
+
+  // Convert it back to a double keyed NetworkAnonymizationKey.
+  NetworkAnonymizationKey from_value_cross_site_double_key =
+      NetworkAnonymizationKey();
+  EXPECT_TRUE(NetworkAnonymizationKey::FromValue(
+      cross_site_double_key_value, &from_value_cross_site_double_key));
+  EXPECT_EQ(original_cross_site_double_key, from_value_cross_site_double_key);
+
+  // Turn double keying on.
+  scoped_feature_list_.Reset();
+  scoped_feature_list_.InitAndEnableFeature(
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey);
+
+  // Check that deserializing the cross site double keyed value fails.
+  EXPECT_FALSE(NetworkAnonymizationKey::FromValue(cross_site_double_key_value,
+                                                  &expected_failure_nak));
+
+  // Turn triple keying back on.
+  scoped_feature_list_.Reset();
+  scoped_feature_list_.InitAndDisableFeature(
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey);
+
+  // Check that deserializing the double keyed value fails.
+  EXPECT_FALSE(NetworkAnonymizationKey::FromValue(double_key_value,
+                                                  &expected_failure_nak));
+
+  // Check that deserializing the cross site double keyed value fails.
+  EXPECT_FALSE(NetworkAnonymizationKey::FromValue(cross_site_double_key_value,
+                                                  &expected_failure_nak));
+}
+
+}  // namespace net
diff --git a/chromium/net/base/network_change_notifier.cc b/chromium/net/base/network_change_notifier.cc
index 1a993852691..cc8d2bcbf32 100644
--- a/chromium/net/base/network_change_notifier.cc
+++ b/chromium/net/base/network_change_notifier.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -248,11 +248,6 @@ class NetworkChangeNotifier::ObserverList {
   const scoped_refptr<
       base::ObserverListThreadSafe<DefaultNetworkActiveObserver>>
       default_network_active_observer_list_;
-
-  // Indicates if connection cost observer was added before
-  // network_change_notifier was initialized, if so ConnectionCostObserverAdded
-  // is invoked from constructor.
-  std::atomic_bool connection_cost_observers_added_ = false;
 };
 
 class NetworkChangeNotifier::SystemDnsConfigObserver
@@ -687,13 +682,8 @@ void NetworkChangeNotifier::AddNetworkObserver(NetworkObserver* observer) {
 void NetworkChangeNotifier::AddConnectionCostObserver(
     ConnectionCostObserver* observer) {
   DCHECK(!observer->observer_list_);
-  GetObserverList().connection_cost_observers_added_ = true;
   observer->observer_list_ = GetObserverList().connection_cost_observer_list_;
   observer->observer_list_->AddObserver(observer);
-  base::AutoLock auto_lock(NetworkChangeNotifierCreationLock());
-  if (g_network_change_notifier) {
-    g_network_change_notifier->ConnectionCostObserverAdded();
-  }
 }
 
 void NetworkChangeNotifier::AddDefaultNetworkActiveObserver(
@@ -852,9 +842,6 @@ NetworkChangeNotifier::NetworkChangeNotifier(
     g_network_change_notifier = this;
 
     system_dns_config_notifier_->AddObserver(system_dns_config_observer_.get());
-    if (GetObserverList().connection_cost_observers_added_) {
-      g_network_change_notifier->ConnectionCostObserverAdded();
-    }
   }
   if (!omit_observers_in_constructor_for_testing) {
     network_change_calculator_ =
diff --git a/chromium/net/base/network_change_notifier.h b/chromium/net/base/network_change_notifier.h
index b04f7deb7ab..c79374c9a8e 100644
--- a/chromium/net/base/network_change_notifier.h
+++ b/chromium/net/base/network_change_notifier.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -670,13 +670,6 @@ class NET_EXPORT NetworkChangeNotifier {
   // as early as possible in the destructor to prevent races.
   void ClearGlobalPointer();
 
-  // Called whenever a new ConnectionCostObserver is added. This method is
-  // needed so that the implementation class can be notified and
-  // potentially take action when an observer gets added. Since the act of
-  // adding an observer and the observer list itself are both static, the
-  // implementation class has no direct capability to watch for changes.
-  virtual void ConnectionCostObserverAdded() {}
-
   // Listening for notifications of this type is expensive as they happen
   // frequently. For this reason, we report {de}registration to the
   // implementation class, so that it can decide to only listen to this type of
diff --git a/chromium/net/base/network_change_notifier_factory.h b/chromium/net/base/network_change_notifier_factory.h
index 96bd6a2fbdc..31ec69ecd4d 100644
--- a/chromium/net/base/network_change_notifier_factory.h
+++ b/chromium/net/base/network_change_notifier_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_fuchsia.cc b/chromium/net/base/network_change_notifier_fuchsia.cc
index 329dd3feca5..fc7a165ef9c 100644
--- a/chromium/net/base/network_change_notifier_fuchsia.cc
+++ b/chromium/net/base/network_change_notifier_fuchsia.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_fuchsia.h b/chromium/net/base/network_change_notifier_fuchsia.h
index 20c97a1cf78..db880127dbe 100644
--- a/chromium/net/base/network_change_notifier_fuchsia.h
+++ b/chromium/net/base/network_change_notifier_fuchsia.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_fuchsia_unittest.cc b/chromium/net/base/network_change_notifier_fuchsia_unittest.cc
index da00416653c..e36cb347358 100644
--- a/chromium/net/base/network_change_notifier_fuchsia_unittest.cc
+++ b/chromium/net/base/network_change_notifier_fuchsia_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_linux.cc b/chromium/net/base/network_change_notifier_linux.cc
index 5a21d362f44..793ed8d6114 100644
--- a/chromium/net/base/network_change_notifier_linux.cc
+++ b/chromium/net/base/network_change_notifier_linux.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_linux.h b/chromium/net/base/network_change_notifier_linux.h
index d4ba080b1c1..6c4a71aa373 100644
--- a/chromium/net/base/network_change_notifier_linux.h
+++ b/chromium/net/base/network_change_notifier_linux.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_mac.h b/chromium/net/base/network_change_notifier_mac.h
index dc69ac9af7a..b40c825d673 100644
--- a/chromium/net/base/network_change_notifier_mac.h
+++ b/chromium/net/base/network_change_notifier_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_mac.mm b/chromium/net/base/network_change_notifier_mac.mm
index ece759f667b..f8ff5193d04 100644
--- a/chromium/net/base/network_change_notifier_mac.mm
+++ b/chromium/net/base/network_change_notifier_mac.mm
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_posix.cc b/chromium/net/base/network_change_notifier_posix.cc
index 6bc215cf893..c7b5c965293 100644
--- a/chromium/net/base/network_change_notifier_posix.cc
+++ b/chromium/net/base/network_change_notifier_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_posix.h b/chromium/net/base/network_change_notifier_posix.h
index 611f0536c10..92e1c76beed 100644
--- a/chromium/net/base/network_change_notifier_posix.h
+++ b/chromium/net/base/network_change_notifier_posix.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_posix_unittest.cc b/chromium/net/base/network_change_notifier_posix_unittest.cc
index 2649ecf64fc..a5c6967c153 100644
--- a/chromium/net/base/network_change_notifier_posix_unittest.cc
+++ b/chromium/net/base/network_change_notifier_posix_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_change_notifier_unittest.cc b/chromium/net/base/network_change_notifier_unittest.cc
index 9ff65e0bb3d..89013ac4b11 100644
--- a/chromium/net/base/network_change_notifier_unittest.cc
+++ b/chromium/net/base/network_change_notifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,6 +8,7 @@
 #include "build/build_config.h"
 #include "net/base/mock_network_change_notifier.h"
 #include "net/base/network_interfaces.h"
+#include "net/test/test_connection_cost_observer.h"
 #include "net/test/test_with_task_environment.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -226,37 +227,17 @@ TEST_F(NetworkChangeNotifierMockedTest, TriggerNonSystemDnsChange) {
   NetworkChangeNotifier::RemoveDNSObserver(&observer);
 }
 
-class TestConnectionCostObserver
-    : public NetworkChangeNotifier::ConnectionCostObserver {
- public:
-  void OnConnectionCostChanged(
-      NetworkChangeNotifier::ConnectionCost cost) override {
-    cost_changed_inputs_.push_back(cost);
-    ++cost_changed_calls_;
-  }
-
-  int cost_changed_calls() const { return cost_changed_calls_; }
-  std::vector<NetworkChangeNotifier::ConnectionCost> cost_changed_inputs()
-      const {
-    return cost_changed_inputs_;
-  }
-
- private:
-  int cost_changed_calls_ = 0;
-  std::vector<NetworkChangeNotifier::ConnectionCost> cost_changed_inputs_;
-};
-
 TEST_F(NetworkChangeNotifierMockedTest, TriggerConnectionCostChange) {
   TestConnectionCostObserver observer;
   NetworkChangeNotifier::AddConnectionCostObserver(&observer);
 
-  ASSERT_EQ(0, observer.cost_changed_calls());
+  ASSERT_EQ(0u, observer.cost_changed_calls());
 
   NetworkChangeNotifier::NotifyObserversOfConnectionCostChangeForTests(
       NetworkChangeNotifier::CONNECTION_COST_METERED);
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_EQ(1, observer.cost_changed_calls());
+  EXPECT_EQ(1u, observer.cost_changed_calls());
   EXPECT_EQ(NetworkChangeNotifier::CONNECTION_COST_METERED,
             observer.cost_changed_inputs()[0]);
 
@@ -265,7 +246,7 @@ TEST_F(NetworkChangeNotifierMockedTest, TriggerConnectionCostChange) {
       NetworkChangeNotifier::CONNECTION_COST_UNMETERED);
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_EQ(1, observer.cost_changed_calls());
+  EXPECT_EQ(1u, observer.cost_changed_calls());
 }
 
 TEST_F(NetworkChangeNotifierMockedTest, ConnectionCostDefaultsToCellular) {
diff --git a/chromium/net/base/network_change_notifier_win.cc b/chromium/net/base/network_change_notifier_win.cc
index 2a1563eeaca..e12985be7e4 100644
--- a/chromium/net/base/network_change_notifier_win.cc
+++ b/chromium/net/base/network_change_notifier_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -21,7 +21,7 @@
 #include "base/threading/thread.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/time.h"
-#include "base/win/windows_version.h"
+#include "net/base/network_cost_change_notifier_win.h"
 #include "net/base/winsock_init.h"
 #include "net/base/winsock_util.h"
 
@@ -32,88 +32,8 @@ namespace {
 // Time between NotifyAddrChange retries, on failure.
 const int kWatchForAddressChangeRetryIntervalMs = 500;
 
-HRESULT GetConnectionPoints(IUnknown* manager,
-                            REFIID IIDSyncInterface,
-                            IConnectionPoint** connection_point_raw) {
-  *connection_point_raw = nullptr;
-  Microsoft::WRL::ComPtr<IConnectionPointContainer> connection_point_container;
-  HRESULT hr =
-      manager->QueryInterface(IID_PPV_ARGS(&connection_point_container));
-  if (FAILED(hr))
-    return hr;
-
-  // Find the interface
-  Microsoft::WRL::ComPtr<IConnectionPoint> connection_point;
-  hr = connection_point_container->FindConnectionPoint(IIDSyncInterface,
-                                                       &connection_point);
-  if (FAILED(hr))
-    return hr;
-
-  *connection_point_raw = connection_point.Get();
-  (*connection_point_raw)->AddRef();
-
-  return hr;
-}
-
 }  // namespace
 
-// This class is used as an event sink to register for notifications from the
-// INetworkCostManagerEvents interface. In particular, we are focused on getting
-// notified when the Connection Cost changes. This is only supported on Win10+.
-class NetworkCostManagerEventSink
-    : public Microsoft::WRL::RuntimeClass<
-          Microsoft::WRL::RuntimeClassFlags<Microsoft::WRL::ClassicCom>,
-          INetworkCostManagerEvents> {
- public:
-  using CostChangedCallback = base::RepeatingCallback<void()>;
-
-  NetworkCostManagerEventSink(INetworkCostManager* cost_manager,
-                              const CostChangedCallback& callback)
-      : network_cost_manager_(cost_manager), cost_changed_callback_(callback) {}
-  ~NetworkCostManagerEventSink() override = default;
-
-  // INetworkCostManagerEvents members
-  IFACEMETHODIMP CostChanged(_In_ DWORD cost,
-                             _In_opt_ NLM_SOCKADDR* /*pSockAddr*/) override {
-    cost_changed_callback_.Run();
-    return S_OK;
-  }
-
-  IFACEMETHODIMP DataPlanStatusChanged(
-      _In_opt_ NLM_SOCKADDR* /*pSockAddr*/) override {
-    return S_OK;
-  }
-
-  HRESULT RegisterForNotifications() {
-    Microsoft::WRL::ComPtr<IUnknown> unknown;
-    HRESULT hr = QueryInterface(IID_PPV_ARGS(&unknown));
-    if (hr != S_OK)
-      return hr;
-
-    hr = GetConnectionPoints(network_cost_manager_.Get(),
-                             IID_INetworkCostManagerEvents, &connection_point_);
-    if (hr != S_OK)
-      return hr;
-
-    hr = connection_point_->Advise(unknown.Get(), &cookie_);
-    return hr;
-  }
-
-  void UnRegisterForNotifications() {
-    if (connection_point_) {
-      connection_point_->Unadvise(cookie_);
-      connection_point_ = nullptr;
-      cookie_ = 0;
-    }
-  }
-
- private:
-  Microsoft::WRL::ComPtr<INetworkCostManager> network_cost_manager_;
-  Microsoft::WRL::ComPtr<IConnectionPoint> connection_point_;
-  DWORD cookie_ = 0;
-  CostChangedCallback cost_changed_callback_;
-};
-
 NetworkChangeNotifierWin::NetworkChangeNotifierWin()
     : NetworkChangeNotifier(NetworkChangeCalculatorParamsWin()),
       blocking_task_runner_(
@@ -125,6 +45,10 @@ NetworkChangeNotifierWin::NetworkChangeNotifierWin()
           base::SequencedTaskRunnerHandle::Get()) {
   memset(&addr_overlapped_, 0, sizeof addr_overlapped_);
   addr_overlapped_.hEvent = WSACreateEvent();
+
+  cost_change_notifier_ = NetworkCostChangeNotifierWin::CreateInstance(
+      base::BindRepeating(&NetworkChangeNotifierWin::OnCostChanged,
+                          weak_factory_.GetWeakPtr()));
 }
 
 NetworkChangeNotifierWin::~NetworkChangeNotifierWin() {
@@ -135,11 +59,6 @@ NetworkChangeNotifierWin::~NetworkChangeNotifierWin() {
     addr_watcher_.StopWatching();
   }
   WSACloseEvent(addr_overlapped_.hEvent);
-
-  if (network_cost_manager_event_sink_) {
-    network_cost_manager_event_sink_->UnRegisterForNotifications();
-    network_cost_manager_event_sink_ = nullptr;
-  }
 }
 
 // static
@@ -281,115 +200,23 @@ void NetworkChangeNotifierWin::RecomputeCurrentConnectionTypeOnBlockingSequence(
 
 NetworkChangeNotifier::ConnectionCost
 NetworkChangeNotifierWin::GetCurrentConnectionCost() {
-  InitializeConnectionCost();
-
-  // Pre-Win10 use the default logic.
-  if (base::win::GetVersion() < base::win::Version::WIN10)
+  if (last_computed_connection_cost_ ==
+      ConnectionCost::CONNECTION_COST_UNKNOWN) {
+    // Use the default logic when the Windows OS APIs do not have a cost for the
+    // current connection.
     return NetworkChangeNotifier::GetCurrentConnectionCost();
-
-  // If we don't have the event sink we aren't registered for automatic updates.
-  // In that case, we need to update the value at the time it is requested.
-  if (!network_cost_manager_event_sink_)
-    UpdateConnectionCostFromCostManager();
-
-  return last_computed_connection_cost_;
-}
-
-bool NetworkChangeNotifierWin::InitializeConnectionCostOnce() {
-  // Pre-Win10 this information cannot be retrieved and cached.
-  if (base::win::GetVersion() < base::win::Version::WIN10) {
-    SetCurrentConnectionCost(CONNECTION_COST_UNKNOWN);
-    return true;
-  }
-
-  HRESULT hr =
-      ::CoCreateInstance(CLSID_NetworkListManager, nullptr, CLSCTX_ALL,
-                         IID_INetworkCostManager, &network_cost_manager_);
-  if (FAILED(hr)) {
-    SetCurrentConnectionCost(CONNECTION_COST_UNKNOWN);
-    return true;
   }
-
-  UpdateConnectionCostFromCostManager();
-
-  return true;
-}
-
-void NetworkChangeNotifierWin::InitializeConnectionCost() {
-  static bool g_connection_cost_initialized = InitializeConnectionCostOnce();
-  DCHECK(g_connection_cost_initialized);
-}
-
-HRESULT NetworkChangeNotifierWin::UpdateConnectionCostFromCostManager() {
-  if (!network_cost_manager_)
-    return E_ABORT;
-
-  DWORD cost = NLM_CONNECTION_COST_UNKNOWN;
-  HRESULT hr = network_cost_manager_->GetCost(&cost, nullptr);
-  if (FAILED(hr)) {
-    SetCurrentConnectionCost(CONNECTION_COST_UNKNOWN);
-  } else {
-    SetCurrentConnectionCost(
-        ConnectionCostFromNlmCost((NLM_CONNECTION_COST)cost));
-  }
-  return hr;
-}
-
-// static
-NetworkChangeNotifier::ConnectionCost
-NetworkChangeNotifierWin::ConnectionCostFromNlmCost(NLM_CONNECTION_COST cost) {
-  if (cost == NLM_CONNECTION_COST_UNKNOWN)
-    return CONNECTION_COST_UNKNOWN;
-  else if ((cost & NLM_CONNECTION_COST_UNRESTRICTED) != 0)
-    return CONNECTION_COST_UNMETERED;
-  else
-    return CONNECTION_COST_METERED;
+  return last_computed_connection_cost_;
 }
 
-void NetworkChangeNotifierWin::SetCurrentConnectionCost(
-    ConnectionCost connection_cost) {
-  last_computed_connection_cost_ = connection_cost;
-}
+void NetworkChangeNotifierWin::OnCostChanged(
+    NetworkChangeNotifier::ConnectionCost new_cost) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
-void NetworkChangeNotifierWin::OnCostChanged() {
-  ConnectionCost old_cost = last_computed_connection_cost_;
-  // It is possible to get multiple notifications in a short period of time.
-  // Rather than worrying about whether this notification represents the latest,
-  // just get the current value from the CostManager so we know that we're
-  // actually getting the correct value.
-  UpdateConnectionCostFromCostManager();
   // Only notify if there's actually a change.
-  if (old_cost != GetCurrentConnectionCost())
+  if (last_computed_connection_cost_ != new_cost) {
+    last_computed_connection_cost_ = new_cost;
     NotifyObserversOfConnectionCostChange();
-}
-
-void NetworkChangeNotifierWin::ConnectionCostObserverAdded() {
-  sequence_runner_for_registration_->PostTask(
-      FROM_HERE,
-      base::BindOnce(&NetworkChangeNotifierWin::OnConnectionCostObserverAdded,
-                     weak_factory_.GetWeakPtr()));
-}
-
-void NetworkChangeNotifierWin::OnConnectionCostObserverAdded() {
-  DCHECK(sequence_runner_for_registration_->RunsTasksInCurrentSequence());
-  InitializeConnectionCost();
-
-  // No need to register if we don't have a cost manager or if we're already
-  // registered.
-  if (!network_cost_manager_ || network_cost_manager_event_sink_)
-    return;
-
-  network_cost_manager_event_sink_ =
-      Microsoft::WRL::Make<net::NetworkCostManagerEventSink>(
-          network_cost_manager_.Get(),
-          base::BindRepeating(&NetworkChangeNotifierWin::OnCostChanged,
-                              weak_factory_.GetWeakPtr()));
-  HRESULT hr = network_cost_manager_event_sink_->RegisterForNotifications();
-  if (hr != S_OK) {
-    // If registration failed for any reason, just destroy the event sink. The
-    // observer will remain connected but will not receive any updates. If
-    // another observer gets added later, we can re-attempt registration.
-    network_cost_manager_event_sink_ = nullptr;
   }
 }
 
@@ -491,8 +318,8 @@ void NetworkChangeNotifierWin::NotifyParentOfConnectionTypeChangeImpl(
   offline_polls_++;
   // If we continue to appear offline, delay sending out the notification in
   // case we appear to go online within 20 seconds.  UMA histogram data shows
-  // we may not detect the transition to online state after 1 second but within
-  // 20 seconds we generally do.
+  // we may not detect the transition to online state after 1 second but
+  // within 20 seconds we generally do.
   if (last_announced_offline_ && current_offline && offline_polls_ <= 20) {
     timer_.Start(FROM_HERE, base::Seconds(1), this,
                  &NetworkChangeNotifierWin::NotifyParentOfConnectionTypeChange);
diff --git a/chromium/net/base/network_change_notifier_win.h b/chromium/net/base/network_change_notifier_win.h
index f1989cb7315..c89af0359c8 100644
--- a/chromium/net/base/network_change_notifier_win.h
+++ b/chromium/net/base/network_change_notifier_win.h
@@ -1,17 +1,13 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_NETWORK_CHANGE_NOTIFIER_WIN_H_
 #define NET_BASE_NETWORK_CHANGE_NOTIFIER_WIN_H_
 
-#include <netlistmgr.h>
-#include <ocidl.h>
 #include <windows.h>
-#include <wrl.h>
-#include <wrl/client.h>
 
-#include <memory>
+#include <atomic>
 
 #include "base/callback.h"
 #include "base/compiler_specific.h"
@@ -19,6 +15,7 @@
 #include "base/memory/weak_ptr.h"
 #include "base/sequence_checker.h"
 #include "base/thread_annotations.h"
+#include "base/threading/sequence_bound.h"
 #include "base/timer/timer.h"
 #include "base/win/object_watcher.h"
 #include "net/base/net_export.h"
@@ -30,7 +27,7 @@ class SequencedTaskRunner;
 
 namespace net {
 
-class NetworkCostManagerEventSink;
+class NetworkCostChangeNotifierWin;
 
 // NetworkChangeNotifierWin uses a SequenceChecker, as all its internal
 // notification code must be called on the sequence it is created and destroyed
@@ -100,25 +97,7 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierWin
 
   static NetworkChangeCalculatorParams NetworkChangeCalculatorParamsWin();
 
-  // Gets the current network connection cost (if possible) and caches it.
-  void InitializeConnectionCost();
-  // Does the work of initializing for thread safety.
-  bool InitializeConnectionCostOnce();
-  // Retrieves the current network connection cost from the OS's Cost Manager.
-  HRESULT UpdateConnectionCostFromCostManager();
-  // Converts the OS enum values to the enum values used in our code.
-  static ConnectionCost ConnectionCostFromNlmCost(NLM_CONNECTION_COST cost);
-  // Sets the cached network connection cost value.
-  void SetCurrentConnectionCost(ConnectionCost connection_cost);
-  // Callback method for the notification event sink.
-  void OnCostChanged();
-  // Tells this class that an observer was added and therefore this class needs
-  // to register for notifications.
-  void ConnectionCostObserverAdded() override;
-  // Since ConnectionCostObserverAdded() can be called on any thread and we
-  // don't want to do a bunch of work on an arbitrary thread, this method used
-  // to post task to do the work.
-  void OnConnectionCostObserverAdded();
+  void OnCostChanged(NetworkChangeNotifier::ConnectionCost new_cost);
 
   // All member variables may only be accessed on the sequence |this| was
   // created on.
@@ -141,8 +120,13 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierWin
   mutable base::Lock last_computed_connection_type_lock_;
   ConnectionType last_computed_connection_type_;
 
-  std::atomic<ConnectionCost> last_computed_connection_cost_ =
-      ConnectionCost::CONNECTION_COST_UNKNOWN;
+  std::atomic<NetworkChangeNotifier::ConnectionCost>
+      last_computed_connection_cost_ =
+          NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN;
+
+  // Provides the cost of the current connection.  Uses the Windows OS APIs to
+  // monitor and determine cost.
+  base::SequenceBound<NetworkCostChangeNotifierWin> cost_change_notifier_;
 
   // Result of IsOffline() when NotifyObserversOfConnectionTypeChange()
   // was last called.
@@ -150,10 +134,6 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierWin
   // Number of times polled to check if still offline.
   int offline_polls_;
 
-  Microsoft::WRL::ComPtr<INetworkCostManager> network_cost_manager_;
-  Microsoft::WRL::ComPtr<NetworkCostManagerEventSink>
-      network_cost_manager_event_sink_;
-
   // Used to ensure that all registration actions are properly sequenced on the
   // same thread regardless of which thread was used to call into the
   // NetworkChangeNotifier API.
diff --git a/chromium/net/base/network_change_notifier_win_unittest.cc b/chromium/net/base/network_change_notifier_win_unittest.cc
index 8566136762d..cbb1b24ba63 100644
--- a/chromium/net/base/network_change_notifier_win_unittest.cc
+++ b/chromium/net/base/network_change_notifier_win_unittest.cc
@@ -1,19 +1,25 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/network_change_notifier_win.h"
 
+#include <memory>
 #include <utility>
+#include <vector>
 
 #include "base/bind.h"
 #include "base/run_loop.h"
+#include "base/sequence_checker.h"
 #include "base/task/single_thread_task_runner.h"
+#include "base/test/scoped_os_info_override_win.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/win/windows_version.h"
 #include "net/base/network_change_notifier.h"
 #include "net/base/network_change_notifier_factory.h"
+#include "net/test/test_connection_cost_observer.h"
 #include "net/test/test_with_task_environment.h"
+#include "net/test/win/fake_network_cost_manager.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -31,7 +37,6 @@ class TestNetworkChangeNotifierWin : public NetworkChangeNotifierWin {
   TestNetworkChangeNotifierWin() {
     last_computed_connection_type_ = NetworkChangeNotifier::CONNECTION_UNKNOWN;
     last_announced_offline_ = false;
-    last_computed_connection_cost_ = ConnectionCost::CONNECTION_COST_UNKNOWN;
     sequence_runner_for_registration_ = base::SequencedTaskRunnerHandle::Get();
   }
 
@@ -55,18 +60,23 @@ class TestNetworkChangeNotifierWin : public NetworkChangeNotifierWin {
 
   // From NetworkChangeNotifierWin.
   MOCK_METHOD0(WatchForAddressChangeInternal, bool());
+
+  // Allow tests to compare results with the default implementation that does
+  // not depend on the INetworkCostManager Windows OS API.  The default
+  // implementation is used as a fall back when INetworkCostManager fails.
+  ConnectionCost GetCurrentConnectionCostFromDefaultImplementation() {
+    return NetworkChangeNotifier::GetCurrentConnectionCost();
+  }
 };
 
 class TestIPAddressObserver : public NetworkChangeNotifier::IPAddressObserver {
  public:
-  TestIPAddressObserver() {
-    NetworkChangeNotifier::AddIPAddressObserver(this);
-  }
+  TestIPAddressObserver() { NetworkChangeNotifier::AddIPAddressObserver(this); }
 
   TestIPAddressObserver(const TestIPAddressObserver&) = delete;
   TestIPAddressObserver& operator=(const TestIPAddressObserver&) = delete;
 
-  ~TestIPAddressObserver() {
+  ~TestIPAddressObserver() override {
     NetworkChangeNotifier::RemoveIPAddressObserver(this);
   }
 
@@ -182,7 +192,8 @@ class NetworkChangeNotifierWinTest : public TestWithTaskEnvironment {
         .Times(1)
         .WillOnce(Invoke(&run_loop, &base::RunLoop::QuitWhenIdle));
     EXPECT_CALL(network_change_notifier_, WatchForAddressChangeInternal())
-        .Times(1).WillOnce(Return(true));
+        .Times(1)
+        .WillOnce(Return(true));
 
     run_loop.Run();
 
@@ -219,22 +230,18 @@ class NetworkChangeNotifierWinTest : public TestWithTaskEnvironment {
     base::RunLoop().RunUntilIdle();
   }
 
-  bool HasNetworkCostManager() {
-    return network_change_notifier_.network_cost_manager_.Get() != nullptr;
-  }
-
-  bool HasNetworkCostManagerEventSink() {
-    return network_change_notifier_.network_cost_manager_event_sink_.Get() !=
-           nullptr;
+  NetworkChangeNotifier::ConnectionCost GetCurrentConnectionCost() {
+    return network_change_notifier_.GetCurrentConnectionCost();
   }
 
-  NetworkChangeNotifier::ConnectionCost LastComputedConnectionCost() {
-    return network_change_notifier_.last_computed_connection_cost_;
+  NetworkChangeNotifier::ConnectionCost
+  GetCurrentConnectionCostFromDefaultImplementation() {
+    return network_change_notifier_
+        .GetCurrentConnectionCostFromDefaultImplementation();
   }
 
-  NetworkChangeNotifier::ConnectionCost GetCurrentConnectionCost() {
-    return network_change_notifier_.GetCurrentConnectionCost();
-  }
+ protected:
+  FakeNetworkCostManagerEnvironment fake_network_cost_manager_environment_;
 
  private:
   // Note that the order of declaration here is important.
@@ -287,58 +294,102 @@ TEST_F(NetworkChangeNotifierWinTest, NetChangeWinFailSignalTwice) {
   RetryAndSucceed();
 }
 
-class TestConnectionCostObserver
-    : public NetworkChangeNotifier::ConnectionCostObserver {
- public:
-  TestConnectionCostObserver() {}
+TEST_F(NetworkChangeNotifierWinTest, GetCurrentCost) {
+  if (base::win::GetVersion() < base::win::Version::WIN10)
+    return;
 
-  TestConnectionCostObserver(const TestConnectionCostObserver&) = delete;
-  TestConnectionCostObserver& operator=(const TestConnectionCostObserver&) =
-      delete;
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
 
-  ~TestConnectionCostObserver() override {
-    NetworkChangeNotifier::RemoveConnectionCostObserver(this);
-  }
+  // Wait for NetworkCostChangeNotifierWin to finish initializing.
+  RunUntilIdle();
 
-  void OnConnectionCostChanged(NetworkChangeNotifier::ConnectionCost) override {
-  }
+  EXPECT_EQ(GetCurrentConnectionCost(),
+            NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
 
-  void Register() { NetworkChangeNotifier::AddConnectionCostObserver(this); }
-};
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_METERED);
+
+  // Wait for NetworkCostChangeNotifierWin to handle the cost changed event.
+  RunUntilIdle();
+
+  EXPECT_EQ(GetCurrentConnectionCost(),
+            NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_METERED);
+}
 
-TEST_F(NetworkChangeNotifierWinTest, NetworkCostManagerIntegration) {
-  // NetworkCostManager integration only exist on Win10+.
+TEST_F(NetworkChangeNotifierWinTest, CostChangeObserver) {
   if (base::win::GetVersion() < base::win::Version::WIN10)
     return;
 
-  // Upon creation, none of the NetworkCostManager integration should be
-  // initialized yet.
-  ASSERT_FALSE(HasNetworkCostManager());
-  ASSERT_FALSE(HasNetworkCostManagerEventSink());
-  ASSERT_EQ(NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN,
-            LastComputedConnectionCost());
-
-  // Asking for the current connection cost should initialize the
-  // NetworkCostManager integration, but not the event sink.
-  // Note that the actual ConnectionCost value return is irrelevant beyond the
-  // fact that it shouldn't be UNKNOWN anymore if the integration is initialized
-  // properly.
-  NetworkChangeNotifier::ConnectionCost current_connection_cost =
-      GetCurrentConnectionCost();
-  EXPECT_NE(NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN,
-            current_connection_cost);
-  EXPECT_EQ(current_connection_cost, LastComputedConnectionCost());
-  EXPECT_TRUE(HasNetworkCostManager());
-  EXPECT_FALSE(HasNetworkCostManagerEventSink());
-
-  // Adding a ConnectionCostObserver should initialize the event sink. If the
-  // subsequent registration for updates fails, the event sink will get
-  // destroyed.
-  TestConnectionCostObserver test_connection_cost_observer;
-  test_connection_cost_observer.Register();
-  // The actual registration happens on a callback, so need to run until idle.
-  base::RunLoop().RunUntilIdle();
-  EXPECT_TRUE(HasNetworkCostManagerEventSink());
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+
+  // Wait for NetworkCostChangeNotifierWin to finish initializing.
+  RunUntilIdle();
+
+  TestConnectionCostObserver cost_observer;
+  NetworkChangeNotifier::AddConnectionCostObserver(&cost_observer);
+
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_METERED);
+
+  cost_observer.WaitForConnectionCostChanged();
+
+  ASSERT_EQ(cost_observer.cost_changed_calls(), 1u);
+  EXPECT_EQ(cost_observer.last_cost_changed_input(),
+            NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_METERED);
+
+  NetworkChangeNotifier::RemoveConnectionCostObserver(&cost_observer);
+}
+
+// Uses the fake implementation of INetworkCostManager to simulate GetCost()
+// returning an error HRESULT.
+class NetworkChangeNotifierWinCostErrorTest
+    : public NetworkChangeNotifierWinTest {
+  void SetUp() override {
+    if (base::win::GetVersion() < base::win::Version::WIN10) {
+      GTEST_SKIP();
+    }
+
+    fake_network_cost_manager_environment_.SimulateError(
+        NetworkCostManagerStatus::kErrorGetCostFailed);
+
+    NetworkChangeNotifierWinTest::SetUp();
+  }
+};
+
+TEST_F(NetworkChangeNotifierWinCostErrorTest, CostError) {
+  // Wait for NetworkCostChangeNotifierWin to finish initializing, which should
+  // fail with an error.
+  RunUntilIdle();
+
+  // NetworkChangeNotifierWin must use the default implementation when
+  // NetworkCostChangeNotifierWin returns an unknown cost.
+  EXPECT_EQ(GetCurrentConnectionCost(),
+            GetCurrentConnectionCostFromDefaultImplementation());
+}
+
+// Override the Windows OS version to simulate running on an OS that does not
+// support INetworkCostManager.
+class NetworkChangeNotifierWinCostUnsupportedOsTest
+    : public NetworkChangeNotifierWinTest {
+ public:
+  NetworkChangeNotifierWinCostUnsupportedOsTest()
+      : os_override_(base::test::ScopedOSInfoOverride::Type::kWin81Pro) {}
+
+ protected:
+  base::test::ScopedOSInfoOverride os_override_;
+};
+
+TEST_F(NetworkChangeNotifierWinCostUnsupportedOsTest, CostWithUnsupportedOS) {
+  // Wait for NetworkCostChangeNotifierWin to finish initializing, which should
+  // initialize with an unknown cost on an unsupported OS.
+  RunUntilIdle();
+
+  // NetworkChangeNotifierWin must use the default implementation when
+  // NetworkCostChangeNotifierWin returns an unknown cost.
+  EXPECT_EQ(GetCurrentConnectionCost(),
+            GetCurrentConnectionCostFromDefaultImplementation());
 }
 
 }  // namespace net
diff --git a/chromium/net/base/network_config_watcher_mac.cc b/chromium/net/base/network_config_watcher_mac.cc
index efa7481dd5f..608996333f0 100644
--- a/chromium/net/base/network_config_watcher_mac.cc
+++ b/chromium/net/base/network_config_watcher_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_config_watcher_mac.h b/chromium/net/base/network_config_watcher_mac.h
index 8c01b7a1ed4..1e50e3a6e3d 100644
--- a/chromium/net/base/network_config_watcher_mac.h
+++ b/chromium/net/base/network_config_watcher_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_cost_change_notifier_win.cc b/chromium/net/base/network_cost_change_notifier_win.cc
new file mode 100644
index 00000000000..abc56a415f9
--- /dev/null
+++ b/chromium/net/base/network_cost_change_notifier_win.cc
@@ -0,0 +1,271 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/network_cost_change_notifier_win.h"
+
+#include <wrl.h>
+#include <wrl/client.h>
+
+#include "base/check.h"
+#include "base/no_destructor.h"
+#include "base/task/bind_post_task.h"
+#include "base/task/thread_pool.h"
+#include "base/threading/scoped_thread_priority.h"
+#include "base/threading/thread_task_runner_handle.h"
+#include "base/win/com_init_util.h"
+#include "base/win/windows_version.h"
+
+using Microsoft::WRL::ComPtr;
+
+namespace net {
+
+namespace {
+
+NetworkChangeNotifier::ConnectionCost ConnectionCostFromNlmConnectionCost(
+    DWORD connection_cost_flags) {
+  if (connection_cost_flags == NLM_CONNECTION_COST_UNKNOWN)
+    return NetworkChangeNotifier::CONNECTION_COST_UNKNOWN;
+  else if ((connection_cost_flags & NLM_CONNECTION_COST_UNRESTRICTED) != 0)
+    return NetworkChangeNotifier::CONNECTION_COST_UNMETERED;
+  else
+    return NetworkChangeNotifier::CONNECTION_COST_METERED;
+}
+
+NetworkCostChangeNotifierWin::CoCreateInstanceCallback&
+GetCoCreateInstanceOverride() {
+  static base::NoDestructor<
+      NetworkCostChangeNotifierWin::CoCreateInstanceCallback>
+      callback_for_testing;
+  return *callback_for_testing;
+}
+
+}  // namespace
+
+// This class is used as an event sink to register for notifications from the
+// INetworkCostManagerEvents interface. In particular, we are focused on getting
+// notified when the connection cost changes. This is only supported on Win10+.
+class NetworkCostManagerEventSinkWin final
+    : public Microsoft::WRL::RuntimeClass<
+          Microsoft::WRL::RuntimeClassFlags<Microsoft::WRL::ClassicCom>,
+          INetworkCostManagerEvents> {
+ public:
+  static HRESULT CreateInstance(
+      INetworkCostManager* network_cost_manager,
+      base::RepeatingClosure cost_changed_callback,
+      ComPtr<NetworkCostManagerEventSinkWin>* result) {
+    ComPtr<NetworkCostManagerEventSinkWin> instance =
+        Microsoft::WRL::Make<net::NetworkCostManagerEventSinkWin>(
+            cost_changed_callback);
+    HRESULT hr = instance->RegisterForNotifications(network_cost_manager);
+    if (hr != S_OK) {
+      return hr;
+    }
+
+    *result = instance;
+    return S_OK;
+  }
+
+  void UnRegisterForNotifications() {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+    if (event_sink_connection_point_) {
+      event_sink_connection_point_->Unadvise(event_sink_connection_cookie_);
+      event_sink_connection_point_.Reset();
+    }
+  }
+
+  // Implement the INetworkCostManagerEvents interface.
+  HRESULT __stdcall CostChanged(DWORD /*cost*/,
+                                NLM_SOCKADDR* /*socket_address*/) final {
+    // It is possible to get multiple notifications in a short period of time.
+    // Rather than worrying about whether this notification represents the
+    // latest, just notify the owner who can get the current value from the
+    // INetworkCostManager so we know that we're actually getting the correct
+    // value.
+    cost_changed_callback_.Run();
+    return S_OK;
+  }
+
+  HRESULT __stdcall DataPlanStatusChanged(
+      NLM_SOCKADDR* /*socket_address*/) final {
+    return S_OK;
+  }
+
+  NetworkCostManagerEventSinkWin(base::RepeatingClosure cost_changed_callback)
+      : cost_changed_callback_(cost_changed_callback) {}
+
+  NetworkCostManagerEventSinkWin(const NetworkCostManagerEventSinkWin&) =
+      delete;
+  NetworkCostManagerEventSinkWin& operator=(
+      const NetworkCostManagerEventSinkWin&) = delete;
+
+ private:
+  ~NetworkCostManagerEventSinkWin() final = default;
+
+  HRESULT RegisterForNotifications(INetworkCostManager* cost_manager) {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+    DCHECK_GE(base::win::GetVersion(), base::win::Version::WIN10);
+
+    base::win::AssertComInitialized();
+    base::win::AssertComApartmentType(base::win::ComApartmentType::STA);
+
+    ComPtr<IUnknown> this_event_sink_unknown;
+    HRESULT hr = QueryInterface(IID_PPV_ARGS(&this_event_sink_unknown));
+
+    // `NetworkCostManagerEventSinkWin::QueryInterface` for `IUnknown` must
+    // succeed since it is implemented by this class.
+    DCHECK_EQ(hr, S_OK);
+
+    ComPtr<IConnectionPointContainer> connection_point_container;
+    hr =
+        cost_manager->QueryInterface(IID_PPV_ARGS(&connection_point_container));
+    if (hr != S_OK) {
+      return hr;
+    }
+
+    Microsoft::WRL::ComPtr<IConnectionPoint> event_sink_connection_point;
+    hr = connection_point_container->FindConnectionPoint(
+        IID_INetworkCostManagerEvents, &event_sink_connection_point);
+    if (hr != S_OK) {
+      return hr;
+    }
+
+    hr = event_sink_connection_point->Advise(this_event_sink_unknown.Get(),
+                                             &event_sink_connection_cookie_);
+    if (hr != S_OK) {
+      return hr;
+    }
+
+    DCHECK_EQ(event_sink_connection_point_, nullptr);
+    event_sink_connection_point_ = event_sink_connection_point;
+    return S_OK;
+  }
+
+  base::RepeatingClosure cost_changed_callback_;
+
+  // The following members must be accessed on the sequence from
+  // `sequence_checker_`
+  SEQUENCE_CHECKER(sequence_checker_);
+  DWORD event_sink_connection_cookie_ = 0;
+  Microsoft::WRL::ComPtr<IConnectionPoint> event_sink_connection_point_;
+};
+
+// static
+base::SequenceBound<NetworkCostChangeNotifierWin>
+NetworkCostChangeNotifierWin::CreateInstance(
+    CostChangedCallback cost_changed_callback) {
+  scoped_refptr<base::SequencedTaskRunner> com_best_effort_task_runner =
+      base::ThreadPool::CreateCOMSTATaskRunner(
+          {base::MayBlock(), base::TaskPriority::BEST_EFFORT,
+           base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN});
+
+  return base::SequenceBound<NetworkCostChangeNotifierWin>(
+      com_best_effort_task_runner,
+      // Ensure `cost_changed_callback` runs on the sequence of the creator and
+      // owner of `NetworkCostChangeNotifierWin`.
+      base::BindPostTask(base::SequencedTaskRunnerHandle::Get(),
+                         cost_changed_callback));
+}
+
+NetworkCostChangeNotifierWin::NetworkCostChangeNotifierWin(
+    CostChangedCallback cost_changed_callback)
+    : cost_changed_callback_(cost_changed_callback) {
+  StartWatching();
+}
+
+NetworkCostChangeNotifierWin::~NetworkCostChangeNotifierWin() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  StopWatching();
+}
+
+void NetworkCostChangeNotifierWin::StartWatching() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  if (base::win::GetComApartmentTypeForThread() ==
+      base::win::ComApartmentType::NONE) {
+    // TODO(crbug.com/1367360): INetworkCostManager inaccessible in network
+    // sandbox.  Currently, the network sandbox does not allow COM.
+    return;
+  }
+
+  base::win::AssertComInitialized();
+  base::win::AssertComApartmentType(base::win::ComApartmentType::STA);
+
+  if (base::win::GetVersion() < base::win::Version::WIN10) {
+    // INetworkCostManager requires Win10 or higher.
+    return;
+  }
+
+  SCOPED_MAY_LOAD_LIBRARY_AT_BACKGROUND_PRIORITY();
+
+  // Create INetworkListManager using CoCreateInstance, but allow tests to
+  // provide an fake implementation of INetworkListManager through an override.
+  CoCreateInstanceCallback co_create_instance_callback =
+      base::BindRepeating(&CoCreateInstance);
+  if (GetCoCreateInstanceOverride()) {
+    co_create_instance_callback = GetCoCreateInstanceOverride();
+  }
+
+  ComPtr<INetworkCostManager> cost_manager;
+  HRESULT hr = co_create_instance_callback.Run(
+      CLSID_NetworkListManager, /*unknown_outer=*/nullptr, CLSCTX_ALL,
+      IID_INetworkCostManager, &cost_manager);
+  if (hr != S_OK) {
+    return;
+  }
+
+  // Subscribe to cost changed events.
+  hr = NetworkCostManagerEventSinkWin::CreateInstance(
+      cost_manager.Get(),
+      // Cost changed callbacks must run on this sequence to get the new cost
+      // from `INetworkCostManager`.
+      base::BindPostTask(
+          base::SequencedTaskRunnerHandle::Get(),
+          base::BindRepeating(&NetworkCostChangeNotifierWin::HandleCostChanged,
+                              weak_ptr_factory_.GetWeakPtr())),
+      &cost_manager_event_sink_);
+
+  if (hr != S_OK) {
+    return;
+  }
+
+  // Set the initial cost and inform observers of the initial value.
+  cost_manager_ = cost_manager;
+  HandleCostChanged();
+}
+
+void NetworkCostChangeNotifierWin::StopWatching() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  if (cost_manager_event_sink_) {
+    cost_manager_event_sink_->UnRegisterForNotifications();
+    cost_manager_event_sink_.Reset();
+  }
+
+  cost_manager_.Reset();
+}
+
+void NetworkCostChangeNotifierWin::HandleCostChanged() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  DWORD connection_cost_flags;
+  HRESULT hr = cost_manager_->GetCost(&connection_cost_flags,
+                                      /*destination_ip_address=*/nullptr);
+  if (hr != S_OK) {
+    connection_cost_flags = NLM_CONNECTION_COST_UNKNOWN;
+  }
+
+  NetworkChangeNotifier::ConnectionCost changed_cost =
+      ConnectionCostFromNlmConnectionCost(connection_cost_flags);
+
+  cost_changed_callback_.Run(changed_cost);
+}
+
+// static
+void NetworkCostChangeNotifierWin::OverrideCoCreateInstanceForTesting(
+    CoCreateInstanceCallback callback_for_testing) {
+  GetCoCreateInstanceOverride() = callback_for_testing;
+}
+
+}  // namespace net
diff --git a/chromium/net/base/network_cost_change_notifier_win.h b/chromium/net/base/network_cost_change_notifier_win.h
new file mode 100644
index 00000000000..7868cd28b85
--- /dev/null
+++ b/chromium/net/base/network_cost_change_notifier_win.h
@@ -0,0 +1,83 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_NETWORK_COST_CHANGE_NOTIFIER_WIN_H_
+#define NET_BASE_NETWORK_COST_CHANGE_NOTIFIER_WIN_H_
+
+#include <netlistmgr.h>
+#include <wrl/client.h>
+
+#include "base/callback_forward.h"
+#include "base/memory/weak_ptr.h"
+#include "base/sequence_checker.h"
+#include "base/threading/sequence_bound.h"
+#include "net/base/net_export.h"
+#include "net/base/network_change_notifier.h"
+
+namespace net {
+class NetworkCostManagerEventSinkWin;
+
+// Uses the `INetworkCostManager` Windows OS API to monitor the cost of the
+// current connection.  `INetworkCostManager` performs blocking IO and
+// synchronous RPC and must be accessed through a thread pool COM STA single
+// threaded task runner.  NetworkCostChangeNotifierWin uses
+// `base::SequenceBound` to prevent these expensive operations from happening on
+// the UI thread.
+class NET_EXPORT_PRIVATE NetworkCostChangeNotifierWin final {
+ public:
+  using CostChangedCallback =
+      base::RepeatingCallback<void(NetworkChangeNotifier::ConnectionCost)>;
+
+  // Constructs a new instance using a new COM STA single threaded task runner
+  // to post the task that creates NetworkCostChangeNotifierWin and subscribes
+  // to cost change events.
+  static base::SequenceBound<NetworkCostChangeNotifierWin> CreateInstance(
+      CostChangedCallback cost_changed_callback);
+
+  // Tests use this hook to provide a fake implementation of the OS APIs.
+  // The fake implementation enables tests to simulate different cost values,
+  // cost changed events and OS errors.
+  using CoCreateInstanceCallback = base::RepeatingCallback<
+      HRESULT(REFCLSID, LPUNKNOWN, DWORD, REFIID, LPVOID*)>;
+  static void OverrideCoCreateInstanceForTesting(
+      CoCreateInstanceCallback callback_for_testing);
+
+  NetworkCostChangeNotifierWin(const NetworkCostChangeNotifierWin&) = delete;
+  NetworkCostChangeNotifierWin& operator=(const NetworkCostChangeNotifierWin&) =
+      delete;
+
+ private:
+  friend class base::SequenceBound<NetworkCostChangeNotifierWin>;
+
+  explicit NetworkCostChangeNotifierWin(
+      CostChangedCallback cost_changed_callback);
+  ~NetworkCostChangeNotifierWin();
+
+  // Creates `INetworkCostManager` and subscribe to cost change events.
+  void StartWatching();
+
+  // Stops monitoring the cost of the current connection by unsubscribing to
+  // `INetworkCostManager` events and releasing all members.
+  void StopWatching();
+
+  // Gets the current cost from `cost_manager_` and then runs
+  // `cost_changed_callback_`.
+  void HandleCostChanged();
+
+  // All members must be accessed on the sequence from `sequence_checker_`
+  SEQUENCE_CHECKER(sequence_checker_);
+
+  CostChangedCallback cost_changed_callback_;
+
+  Microsoft::WRL::ComPtr<INetworkCostManager> cost_manager_;
+
+  Microsoft::WRL::ComPtr<NetworkCostManagerEventSinkWin>
+      cost_manager_event_sink_;
+
+  base::WeakPtrFactory<NetworkCostChangeNotifierWin> weak_ptr_factory_{this};
+};
+
+}  // namespace net
+
+#endif  // NET_BASE_NETWORK_COST_CHANGE_NOTIFIER_WIN_H_
diff --git a/chromium/net/base/network_cost_change_notifier_win_unittest.cc b/chromium/net/base/network_cost_change_notifier_win_unittest.cc
new file mode 100644
index 00000000000..ae35acc6c88
--- /dev/null
+++ b/chromium/net/base/network_cost_change_notifier_win_unittest.cc
@@ -0,0 +1,236 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/network_cost_change_notifier_win.h"
+
+#include "base/run_loop.h"
+#include "base/sequence_checker.h"
+#include "base/test/scoped_os_info_override_win.h"
+#include "base/win/windows_version.h"
+#include "net/base/network_change_notifier.h"
+#include "net/test/test_connection_cost_observer.h"
+#include "net/test/test_with_task_environment.h"
+#include "net/test/win/fake_network_cost_manager.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+class NetworkCostChangeNotifierWinTest : public TestWithTaskEnvironment {
+ public:
+  void SetUp() override {
+    if (base::win::GetVersion() < base::win::Version::WIN10) {
+      GTEST_SKIP();
+    }
+  }
+
+ protected:
+  FakeNetworkCostManagerEnvironment fake_network_cost_manager_environment_;
+};
+
+TEST_F(NetworkCostChangeNotifierWinTest, InitialCostUnknown) {
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN);
+
+  TestConnectionCostObserver cost_change_observer;
+  auto cost_change_callback =
+      base::BindRepeating(&TestConnectionCostObserver::OnConnectionCostChanged,
+                          base::Unretained(&cost_change_observer));
+
+  base::SequenceBound<NetworkCostChangeNotifierWin> cost_change_notifier =
+      NetworkCostChangeNotifierWin::CreateInstance(cost_change_callback);
+
+  // Wait for `NetworkCostChangeNotifierWin` to finish initializing.
+  cost_change_observer.WaitForConnectionCostChanged();
+
+  // `NetworkCostChangeNotifierWin` must report an unknown cost after
+  // initializing.
+  EXPECT_EQ(cost_change_observer.cost_changed_calls(), 1u);
+  EXPECT_EQ(cost_change_observer.last_cost_changed_input(),
+            NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN);
+}
+
+TEST_F(NetworkCostChangeNotifierWinTest, InitialCostKnown) {
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+
+  TestConnectionCostObserver cost_change_observer;
+  auto cost_change_callback =
+      base::BindRepeating(&TestConnectionCostObserver::OnConnectionCostChanged,
+                          base::Unretained(&cost_change_observer));
+
+  base::SequenceBound<NetworkCostChangeNotifierWin> cost_change_notifier =
+      NetworkCostChangeNotifierWin::CreateInstance(cost_change_callback);
+
+  // Initializing changes the cost from unknown to unmetered.
+  cost_change_observer.WaitForConnectionCostChanged();
+
+  ASSERT_EQ(cost_change_observer.cost_changed_calls(), 1u);
+  EXPECT_EQ(cost_change_observer.last_cost_changed_input(),
+            NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+}
+
+TEST_F(NetworkCostChangeNotifierWinTest, MultipleCostChangedEvents) {
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+
+  TestConnectionCostObserver cost_change_observer;
+  auto cost_change_callback =
+      base::BindRepeating(&TestConnectionCostObserver::OnConnectionCostChanged,
+                          base::Unretained(&cost_change_observer));
+
+  base::SequenceBound<NetworkCostChangeNotifierWin> cost_change_notifier =
+      NetworkCostChangeNotifierWin::CreateInstance(cost_change_callback);
+
+  // Initializing changes the cost from unknown to unmetered.
+  cost_change_observer.WaitForConnectionCostChanged();
+
+  ASSERT_EQ(cost_change_observer.cost_changed_calls(), 1u);
+  EXPECT_EQ(cost_change_observer.last_cost_changed_input(),
+            NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_METERED);
+
+  // The simulated event changes the cost from unmetered to metered.
+  cost_change_observer.WaitForConnectionCostChanged();
+
+  ASSERT_EQ(cost_change_observer.cost_changed_calls(), 2u);
+  EXPECT_EQ(cost_change_observer.last_cost_changed_input(),
+            NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_METERED);
+
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN);
+
+  // The simulated event changes the cost from metered to unknown.
+  cost_change_observer.WaitForConnectionCostChanged();
+
+  ASSERT_EQ(cost_change_observer.cost_changed_calls(), 3u);
+  EXPECT_EQ(cost_change_observer.last_cost_changed_input(),
+            NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN);
+}
+
+TEST_F(NetworkCostChangeNotifierWinTest, DuplicateEvents) {
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+
+  TestConnectionCostObserver cost_change_observer;
+  auto cost_change_callback =
+      base::BindRepeating(&TestConnectionCostObserver::OnConnectionCostChanged,
+                          base::Unretained(&cost_change_observer));
+
+  base::SequenceBound<NetworkCostChangeNotifierWin> cost_change_notifier =
+      NetworkCostChangeNotifierWin::CreateInstance(cost_change_callback);
+
+  // Initializing changes the cost from unknown to unmetered.
+  cost_change_observer.WaitForConnectionCostChanged();
+  ASSERT_EQ(cost_change_observer.cost_changed_calls(), 1u);
+
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+
+  cost_change_observer.WaitForConnectionCostChanged();
+
+  // Changing from unmetered to unmetered must dispatch a cost changed event.
+  ASSERT_EQ(cost_change_observer.cost_changed_calls(), 2u);
+  EXPECT_EQ(cost_change_observer.last_cost_changed_input(),
+            NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+}
+
+TEST_F(NetworkCostChangeNotifierWinTest, ShutdownImmediately) {
+  TestConnectionCostObserver cost_change_observer;
+  auto cost_change_callback =
+      base::BindRepeating(&TestConnectionCostObserver::OnConnectionCostChanged,
+                          base::Unretained(&cost_change_observer));
+
+  base::SequenceBound<NetworkCostChangeNotifierWin> cost_change_notifier =
+      NetworkCostChangeNotifierWin::CreateInstance(cost_change_callback);
+
+  // Shutting down immediately must not crash.
+  cost_change_notifier.Reset();
+
+  // Wait for `NetworkCostChangeNotifierWin` to finish initializing and shutting
+  // down.
+  RunUntilIdle();
+
+  // `NetworkCostChangeNotifierWin` reports a connection change after
+  // initializing.
+  EXPECT_EQ(cost_change_observer.cost_changed_calls(), 1u);
+
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_METERED);
+
+  // Wait for `NetworkCostChangeNotifierWin` to handle the cost changed event.
+  RunUntilIdle();
+
+  // After shutdown, cost changed events must have no effect.
+  EXPECT_EQ(cost_change_observer.cost_changed_calls(), 1u);
+}
+
+TEST_F(NetworkCostChangeNotifierWinTest, ErrorHandling) {
+  // Simulate the failure of each OS API while initializing
+  // `NetworkCostChangeNotifierWin`.
+  constexpr const NetworkCostManagerStatus kErrorList[] = {
+      NetworkCostManagerStatus::kErrorCoCreateInstanceFailed,
+      NetworkCostManagerStatus::kErrorQueryInterfaceFailed,
+      NetworkCostManagerStatus::kErrorFindConnectionPointFailed,
+      NetworkCostManagerStatus::kErrorAdviseFailed,
+      NetworkCostManagerStatus::kErrorGetCostFailed,
+  };
+  for (auto error : kErrorList) {
+    fake_network_cost_manager_environment_.SetCost(
+        NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+
+    fake_network_cost_manager_environment_.SimulateError(error);
+
+    TestConnectionCostObserver cost_change_observer;
+    auto cost_change_callback = base::BindRepeating(
+        &TestConnectionCostObserver::OnConnectionCostChanged,
+        base::Unretained(&cost_change_observer));
+
+    base::SequenceBound<NetworkCostChangeNotifierWin> cost_change_notifier =
+        NetworkCostChangeNotifierWin::CreateInstance(cost_change_callback);
+
+    if (error == NetworkCostManagerStatus::kErrorGetCostFailed) {
+      // `NetworkCostChangeNotifierWin` must report an unknown cost after
+      // `INetworkCostManager::GetCost()` fails.
+      cost_change_observer.WaitForConnectionCostChanged();
+
+      EXPECT_EQ(cost_change_observer.cost_changed_calls(), 1u);
+      EXPECT_EQ(cost_change_observer.last_cost_changed_input(),
+                NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN);
+    } else {
+      // Wait for `NetworkCostChangeNotifierWin` to finish initializing.
+      RunUntilIdle();
+
+      // `NetworkCostChangeNotifierWin` must NOT report a changed cost after
+      // failing to initialize.
+      EXPECT_EQ(cost_change_observer.cost_changed_calls(), 0u);
+    }
+  }
+}
+
+TEST_F(NetworkCostChangeNotifierWinTest, UnsupportedOS) {
+  base::test::ScopedOSInfoOverride os_override(
+      base::test::ScopedOSInfoOverride::Type::kWin81Pro);
+
+  fake_network_cost_manager_environment_.SetCost(
+      NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED);
+
+  TestConnectionCostObserver cost_change_observer;
+  auto cost_change_callback =
+      base::BindRepeating(&TestConnectionCostObserver::OnConnectionCostChanged,
+                          base::Unretained(&cost_change_observer));
+
+  base::SequenceBound<NetworkCostChangeNotifierWin> cost_change_notifier =
+      NetworkCostChangeNotifierWin::CreateInstance(cost_change_callback);
+
+  // Wait for `NetworkCostChangeNotifierWin` to finish initializing.
+  RunUntilIdle();
+
+  // `NetworkCostChangeNotifierWin` must NOT report a changed cost for
+  // unsupported OSes.
+  EXPECT_EQ(cost_change_observer.cost_changed_calls(), 0u);
+}
+
+}  // namespace net
diff --git a/chromium/net/base/network_delegate.cc b/chromium/net/base/network_delegate.cc
index 6a5a4e253dc..e119ca3d789 100644
--- a/chromium/net/base/network_delegate.cc
+++ b/chromium/net/base/network_delegate.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -103,11 +103,13 @@ void NetworkDelegate::NotifyPACScriptError(int line_number,
 
 bool NetworkDelegate::AnnotateAndMoveUserBlockedCookies(
     const URLRequest& request,
+    const net::FirstPartySetMetadata& first_party_set_metadata,
     net::CookieAccessResultList& maybe_included_cookies,
     net::CookieAccessResultList& excluded_cookies) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   bool allowed = OnAnnotateAndMoveUserBlockedCookies(
-      request, maybe_included_cookies, excluded_cookies);
+      request, first_party_set_metadata, maybe_included_cookies,
+      excluded_cookies);
   cookie_util::DCheckIncludedAndExcludedCookieLists(maybe_included_cookies,
                                                     excluded_cookies);
   return allowed;
@@ -165,6 +167,16 @@ bool NetworkDelegate::CanUseReportingClient(const url::Origin& origin,
   return OnCanUseReportingClient(origin, endpoint);
 }
 
+absl::optional<FirstPartySetsCacheFilter::MatchInfo>
+NetworkDelegate::GetFirstPartySetsCacheFilterMatchInfoMaybeAsync(
+    const SchemefulSite& request_site,
+    base::OnceCallback<void(FirstPartySetsCacheFilter::MatchInfo)> callback)
+    const {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+  return OnGetFirstPartySetsCacheFilterMatchInfoMaybeAsync(request_site,
+                                                           std::move(callback));
+}
+
 // static
 void NetworkDelegate::ExcludeAllCookies(
     net::CookieInclusionStatus::ExclusionReason reason,
diff --git a/chromium/net/base/network_delegate.h b/chromium/net/base/network_delegate.h
index 3297b067cfd..1012d26bbaa 100644
--- a/chromium/net/base/network_delegate.h
+++ b/chromium/net/base/network_delegate.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,8 +18,10 @@
 #include "net/base/net_export.h"
 #include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_inclusion_status.h"
-#include "net/cookies/same_party_context.h"
 #include "net/cookies/site_for_cookies.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/first_party_sets_cache_filter.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "net/proxy_resolution/proxy_retry_info.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 
@@ -45,6 +47,7 @@ class CookieOptions;
 class HttpRequestHeaders;
 class HttpResponseHeaders;
 class IPEndPoint;
+class SchemefulSite;
 class URLRequest;
 
 class NET_EXPORT NetworkDelegate {
@@ -78,6 +81,7 @@ class NET_EXPORT NetworkDelegate {
   void NotifyPACScriptError(int line_number, const std::u16string& error);
   bool AnnotateAndMoveUserBlockedCookies(
       const URLRequest& request,
+      const net::FirstPartySetMetadata& first_party_set_metadata,
       CookieAccessResultList& maybe_included_cookies,
       CookieAccessResultList& excluded_cookies);
   bool CanSetCookie(const URLRequest& request,
@@ -119,6 +123,20 @@ class NET_EXPORT NetworkDelegate {
   bool CanUseReportingClient(const url::Origin& origin,
                              const GURL& endpoint) const;
 
+  // Gets the First-Party Sets cache filter info, which is used to mark the
+  // cache and determine if the previously stored cache of `request_site` can be
+  // accessed.
+  //
+  // The result may be returned synchronously, or `callback` may be invoked
+  // asynchronously with the result. The callback will be invoked iff the return
+  // value is nullopt; i.e. a result will be provided via return value or
+  // callback, but not both, and not neither.
+  absl::optional<FirstPartySetsCacheFilter::MatchInfo>
+  GetFirstPartySetsCacheFilterMatchInfoMaybeAsync(
+      const SchemefulSite& request_site,
+      base::OnceCallback<void(FirstPartySetsCacheFilter::MatchInfo)> callback)
+      const;
+
  protected:
   // Adds the given ExclusionReason to all cookies in
   // `mayble_included_cookies`, and moves the contents of
@@ -246,6 +264,7 @@ class NET_EXPORT NetworkDelegate {
   // otherwise.
   virtual bool OnAnnotateAndMoveUserBlockedCookies(
       const URLRequest& request,
+      const net::FirstPartySetMetadata& first_party_set_metadata,
       net::CookieAccessResultList& maybe_included_cookies,
       net::CookieAccessResultList& excluded_cookies) = 0;
 
@@ -284,6 +303,12 @@ class NET_EXPORT NetworkDelegate {
 
   virtual bool OnCanUseReportingClient(const url::Origin& origin,
                                        const GURL& endpoint) const = 0;
+
+  virtual absl::optional<FirstPartySetsCacheFilter::MatchInfo>
+  OnGetFirstPartySetsCacheFilterMatchInfoMaybeAsync(
+      const SchemefulSite& request_site,
+      base::OnceCallback<void(FirstPartySetsCacheFilter::MatchInfo)> callback)
+      const = 0;
 };
 
 }  // namespace net
diff --git a/chromium/net/base/network_delegate_impl.cc b/chromium/net/base/network_delegate_impl.cc
index e460c9d7fa7..56546418738 100644
--- a/chromium/net/base/network_delegate_impl.cc
+++ b/chromium/net/base/network_delegate_impl.cc
@@ -1,11 +1,11 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/network_delegate_impl.h"
 
 #include "net/base/net_errors.h"
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/same_party_context.h"
 
 namespace net {
 
@@ -50,6 +50,7 @@ void NetworkDelegateImpl::OnPACScriptError(int line_number,
 
 bool NetworkDelegateImpl::OnAnnotateAndMoveUserBlockedCookies(
     const URLRequest& request,
+    const net::FirstPartySetMetadata& first_party_set_metadata,
     net::CookieAccessResultList& maybe_included_cookies,
     net::CookieAccessResultList& excluded_cookies) {
   return true;
@@ -97,4 +98,12 @@ bool NetworkDelegateImpl::OnCanUseReportingClient(const url::Origin& origin,
   return true;
 }
 
+absl::optional<FirstPartySetsCacheFilter::MatchInfo>
+NetworkDelegateImpl::OnGetFirstPartySetsCacheFilterMatchInfoMaybeAsync(
+    const SchemefulSite& request_site,
+    base::OnceCallback<void(FirstPartySetsCacheFilter::MatchInfo)> callback)
+    const {
+  return {FirstPartySetsCacheFilter::MatchInfo()};
+}
+
 }  // namespace net
diff --git a/chromium/net/base/network_delegate_impl.h b/chromium/net/base/network_delegate_impl.h
index 7a796545e16..071dec14652 100644
--- a/chromium/net/base/network_delegate_impl.h
+++ b/chromium/net/base/network_delegate_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,7 +14,9 @@
 #include "net/base/net_export.h"
 #include "net/base/network_delegate.h"
 #include "net/cookies/canonical_cookie.h"
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/first_party_sets_cache_filter.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "net/proxy_resolution/proxy_retry_info.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 
@@ -26,6 +28,7 @@ class Origin;
 
 namespace net {
 
+class SchemefulSite;
 class CookieOptions;
 class HttpRequestHeaders;
 class HttpResponseHeaders;
@@ -68,6 +71,7 @@ class NET_EXPORT NetworkDelegateImpl : public NetworkDelegate {
 
   bool OnAnnotateAndMoveUserBlockedCookies(
       const URLRequest& request,
+      const net::FirstPartySetMetadata& first_party_set_metadata,
       net::CookieAccessResultList& maybe_included_cookies,
       net::CookieAccessResultList& excluded_cookies) override;
 
@@ -97,6 +101,12 @@ class NET_EXPORT NetworkDelegateImpl : public NetworkDelegate {
 
   bool OnCanUseReportingClient(const url::Origin& origin,
                                const GURL& endpoint) const override;
+
+  absl::optional<FirstPartySetsCacheFilter::MatchInfo>
+  OnGetFirstPartySetsCacheFilterMatchInfoMaybeAsync(
+      const SchemefulSite& request_site,
+      base::OnceCallback<void(FirstPartySetsCacheFilter::MatchInfo)> callback)
+      const override;
 };
 
 }  // namespace net
diff --git a/chromium/net/base/network_delegate_unittest.cc b/chromium/net/base/network_delegate_unittest.cc
index 733cff80b8b..869b23c0b88 100644
--- a/chromium/net/base/network_delegate_unittest.cc
+++ b/chromium/net/base/network_delegate_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_handle.h b/chromium/net/base/network_handle.h
index 40a6364eb59..0ce8cba019f 100644
--- a/chromium/net/base/network_handle.h
+++ b/chromium/net/base/network_handle.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces.cc b/chromium/net/base/network_interfaces.cc
index de9b0e5d2a3..a89c65d2217 100644
--- a/chromium/net/base/network_interfaces.cc
+++ b/chromium/net/base/network_interfaces.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -28,14 +28,16 @@ NetworkInterface::NetworkInterface(const std::string& name,
                                    NetworkChangeNotifier::ConnectionType type,
                                    const IPAddress& address,
                                    uint32_t prefix_length,
-                                   int ip_address_attributes)
+                                   int ip_address_attributes,
+                                   absl::optional<Eui48MacAddress> mac_address)
     : name(name),
       friendly_name(friendly_name),
       interface_index(interface_index),
       type(type),
       address(address),
       prefix_length(prefix_length),
-      ip_address_attributes(ip_address_attributes) {}
+      ip_address_attributes(ip_address_attributes),
+      mac_address(mac_address) {}
 
 NetworkInterface::NetworkInterface(const NetworkInterface& other) = default;
 
diff --git a/chromium/net/base/network_interfaces.h b/chromium/net/base/network_interfaces.h
index 94a9fe923ad..75e25c323a8 100644
--- a/chromium/net/base/network_interfaces.h
+++ b/chromium/net/base/network_interfaces.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,6 +7,7 @@
 
 #include <stdint.h>
 
+#include <array>
 #include <memory>
 #include <string>
 #include <vector>
@@ -15,6 +16,8 @@
 #include "net/base/net_export.h"
 #include "net/base/network_change_notifier.h"
 
+#include "third_party/abseil-cpp/absl/types/optional.h"
+
 namespace net {
 
 // A subset of IP address attributes which are actionable by the
@@ -47,6 +50,8 @@ enum IPAddressAttributes {
   IP_ADDRESS_ATTRIBUTE_DETACHED = 1 << 5,
 };
 
+using Eui48MacAddress = std::array<uint8_t, 6>;
+
 // struct that is used by GetNetworkList() to represent a network
 // interface.
 struct NET_EXPORT NetworkInterface {
@@ -57,7 +62,8 @@ struct NET_EXPORT NetworkInterface {
                    NetworkChangeNotifier::ConnectionType type,
                    const IPAddress& address,
                    uint32_t prefix_length,
-                   int ip_address_attributes);
+                   int ip_address_attributes,
+                   absl::optional<Eui48MacAddress> mac_address = absl::nullopt);
   NetworkInterface(const NetworkInterface& other);
   ~NetworkInterface();
 
@@ -68,6 +74,7 @@ struct NET_EXPORT NetworkInterface {
   IPAddress address;
   uint32_t prefix_length;
   int ip_address_attributes;  // Combination of |IPAddressAttributes|.
+  absl::optional<Eui48MacAddress> mac_address;
 };
 
 typedef std::vector<NetworkInterface> NetworkInterfaceList;
diff --git a/chromium/net/base/network_interfaces_fuchsia.cc b/chromium/net/base/network_interfaces_fuchsia.cc
index 48db0c3566b..84ed06e797b 100644
--- a/chromium/net/base/network_interfaces_fuchsia.cc
+++ b/chromium/net/base/network_interfaces_fuchsia.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_fuchsia.h b/chromium/net/base/network_interfaces_fuchsia.h
index 3a0d7e234fc..6ecc25d2f11 100644
--- a/chromium/net/base/network_interfaces_fuchsia.h
+++ b/chromium/net/base/network_interfaces_fuchsia.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_getifaddrs.cc b/chromium/net/base/network_interfaces_getifaddrs.cc
index e4260e4cd57..aad8986da2e 100644
--- a/chromium/net/base/network_interfaces_getifaddrs.cc
+++ b/chromium/net/base/network_interfaces_getifaddrs.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_getifaddrs.h b/chromium/net/base/network_interfaces_getifaddrs.h
index 668dc2503da..0b5cfeca157 100644
--- a/chromium/net/base/network_interfaces_getifaddrs.h
+++ b/chromium/net/base/network_interfaces_getifaddrs.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_getifaddrs_android.cc b/chromium/net/base/network_interfaces_getifaddrs_android.cc
index 983865c003a..b097742bf6e 100644
--- a/chromium/net/base/network_interfaces_getifaddrs_android.cc
+++ b/chromium/net/base/network_interfaces_getifaddrs_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_getifaddrs_android.h b/chromium/net/base/network_interfaces_getifaddrs_android.h
index 022f2aae1e7..c29873d7c22 100644
--- a/chromium/net/base/network_interfaces_getifaddrs_android.h
+++ b/chromium/net/base/network_interfaces_getifaddrs_android.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_getifaddrs_unittest.cc b/chromium/net/base/network_interfaces_getifaddrs_unittest.cc
index fd31375a767..c50d1113b8c 100644
--- a/chromium/net/base/network_interfaces_getifaddrs_unittest.cc
+++ b/chromium/net/base/network_interfaces_getifaddrs_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_linux.cc b/chromium/net/base/network_interfaces_linux.cc
index aa28e7a6bb2..ff43b4e0656 100644
--- a/chromium/net/base/network_interfaces_linux.cc
+++ b/chromium/net/base/network_interfaces_linux.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_linux.h b/chromium/net/base/network_interfaces_linux.h
index abb9d383fb3..4b9ba9e0681 100644
--- a/chromium/net/base/network_interfaces_linux.h
+++ b/chromium/net/base/network_interfaces_linux.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_linux_unittest.cc b/chromium/net/base/network_interfaces_linux_unittest.cc
index 7f4d7391156..0f7cc94f2f5 100644
--- a/chromium/net/base/network_interfaces_linux_unittest.cc
+++ b/chromium/net/base/network_interfaces_linux_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_posix.cc b/chromium/net/base/network_interfaces_posix.cc
index 9f7681d8acd..ef4b5bf6934 100644
--- a/chromium/net/base/network_interfaces_posix.cc
+++ b/chromium/net/base/network_interfaces_posix.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_posix.h b/chromium/net/base/network_interfaces_posix.h
index a3074f7ee8b..e92cbfe05b9 100644
--- a/chromium/net/base/network_interfaces_posix.h
+++ b/chromium/net/base/network_interfaces_posix.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_unittest.cc b/chromium/net/base/network_interfaces_unittest.cc
index d3fa86aebfc..40cad1d47e1 100644
--- a/chromium/net/base/network_interfaces_unittest.cc
+++ b/chromium/net/base/network_interfaces_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_win.cc b/chromium/net/base/network_interfaces_win.cc
index 68f4458599d..6f6f32a54bb 100644
--- a/chromium/net/base/network_interfaces_win.cc
+++ b/chromium/net/base/network_interfaces_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -152,6 +152,15 @@ bool GetNetworkListImpl(NetworkInterfaceList* networks,
       continue;
     }
 
+    absl::optional<Eui48MacAddress> mac_address;
+    mac_address.emplace();
+    if (adapter->PhysicalAddressLength == mac_address->size()) {
+      std::copy_n(reinterpret_cast<const uint8_t*>(adapter->PhysicalAddress),
+                  mac_address->size(), mac_address->begin());
+    } else {
+      mac_address.reset();
+    }
+
     for (IP_ADAPTER_UNICAST_ADDRESS* address = adapter->FirstUnicastAddress;
          address; address = address->Next) {
       int family = address->Address.lpSockaddr->sa_family;
@@ -188,7 +197,7 @@ bool GetNetworkListImpl(NetworkInterfaceList* networks,
               adapter->AdapterName,
               base::SysWideToNativeMB(adapter->FriendlyName), index,
               GetNetworkInterfaceType(adapter->IfType), endpoint.address(),
-              prefix_length, ip_address_attributes));
+              prefix_length, ip_address_attributes, mac_address));
         }
       }
     }
diff --git a/chromium/net/base/network_interfaces_win.h b/chromium/net/base/network_interfaces_win.h
index c2619d74455..d77d6760234 100644
--- a/chromium/net/base/network_interfaces_win.h
+++ b/chromium/net/base/network_interfaces_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_interfaces_win_unittest.cc b/chromium/net/base/network_interfaces_win_unittest.cc
index 32763aa95d2..75a73ea4f5c 100644
--- a/chromium/net/base/network_interfaces_win_unittest.cc
+++ b/chromium/net/base/network_interfaces_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -53,6 +53,14 @@ bool FillAdapterAddress(IP_ADAPTER_ADDRESSES* adapter_address,
   adapter_address->FirstUnicastAddress->PreferredLifetime = 100;
   adapter_address->FirstUnicastAddress->ValidLifetime = 1000;
 
+  DCHECK(sizeof(adapter_address->PhysicalAddress) > 5);
+  // Generate 06:05:04:03:02:01
+  adapter_address->PhysicalAddressLength = 6;
+  for (unsigned long i = 0; i < adapter_address->PhysicalAddressLength; i++) {
+    adapter_address->PhysicalAddress[i] =
+        adapter_address->PhysicalAddressLength - i;
+  }
+
   socklen_t sock_len = sizeof(sockaddr_storage);
 
   // Convert to sockaddr for next check.
@@ -188,6 +196,54 @@ TEST(NetworkInterfacesTest, NetworkListTrimmingWindows) {
   results.clear();
 }
 
+TEST(NetworkInterfacesTest, NetworkListExtractMacAddress) {
+  IPAddress ipv6_local_address(kIPv6LocalAddr);
+  IPAddress ipv6_address(kIPv6Addr);
+  IPAddress ipv6_prefix(kIPv6AddrPrefix);
+
+  NetworkInterfaceList results;
+  sockaddr_storage addresses[2];
+  IP_ADAPTER_ADDRESSES adapter_address = {};
+  IP_ADAPTER_UNICAST_ADDRESS address = {};
+  IP_ADAPTER_PREFIX adapter_prefix = {};
+  adapter_address.FirstUnicastAddress = &address;
+  adapter_address.FirstPrefix = &adapter_prefix;
+
+  ASSERT_TRUE(FillAdapterAddress(&adapter_address, kIfnameEm1, ipv6_address,
+                                 ipv6_prefix, addresses));
+
+  Eui48MacAddress expected_mac_address = {0x6, 0x5, 0x4, 0x3, 0x2, 0x1};
+
+  EXPECT_TRUE(internal::GetNetworkListImpl(
+      &results, INCLUDE_HOST_SCOPE_VIRTUAL_INTERFACES, &adapter_address));
+  ASSERT_EQ(results.size(), 1ul);
+  ASSERT_EQ(results[0].mac_address, expected_mac_address);
+}
+
+TEST(NetworkInterfacesTest, NetworkListExtractMacAddressInvalidLength) {
+  IPAddress ipv6_local_address(kIPv6LocalAddr);
+  IPAddress ipv6_address(kIPv6Addr);
+  IPAddress ipv6_prefix(kIPv6AddrPrefix);
+
+  NetworkInterfaceList results;
+  sockaddr_storage addresses[2];
+  IP_ADAPTER_ADDRESSES adapter_address = {};
+  IP_ADAPTER_UNICAST_ADDRESS address = {};
+  IP_ADAPTER_PREFIX adapter_prefix = {};
+  adapter_address.FirstUnicastAddress = &address;
+  adapter_address.FirstPrefix = &adapter_prefix;
+
+  ASSERT_TRUE(FillAdapterAddress(&adapter_address, kIfnameEm1, ipv6_address,
+                                 ipv6_prefix, addresses));
+  // Not EUI-48 Mac address, so it is not extracted.
+  adapter_address.PhysicalAddressLength = 8;
+
+  EXPECT_TRUE(internal::GetNetworkListImpl(
+      &results, INCLUDE_HOST_SCOPE_VIRTUAL_INTERFACES, &adapter_address));
+  ASSERT_EQ(results.size(), 1ul);
+  EXPECT_FALSE(results[0].mac_address.has_value());
+}
+
 bool read_int_or_bool(DWORD data_size, PVOID data) {
   switch (data_size) {
     case 1:
diff --git a/chromium/net/base/network_isolation_key.cc b/chromium/net/base/network_isolation_key.cc
index 9c68715db79..0000f73725d 100644
--- a/chromium/net/base/network_isolation_key.cc
+++ b/chromium/net/base/network_isolation_key.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -205,8 +205,8 @@ bool NetworkIsolationKey::FromValue(
 }
 
 const absl::optional<SchemefulSite>& NetworkIsolationKey::GetFrameSite() const {
-  // TODO: @brgoldstein, add CHECK that
-  // `kForceIsolationInfoFrameOriginToTopLevelFrame` is not enabled.
+  // Frame site will be empty if double-keying is enabled.
+  CHECK(NetworkIsolationKey::IsFrameSiteEnabled());
   return frame_site_;
 }
 
diff --git a/chromium/net/base/network_isolation_key.h b/chromium/net/base/network_isolation_key.h
index be4f992f2f7..049f4a3cf54 100644
--- a/chromium/net/base/network_isolation_key.h
+++ b/chromium/net/base/network_isolation_key.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -118,8 +118,16 @@ class NET_EXPORT NetworkIsolationKey {
   const absl::optional<SchemefulSite>& GetTopFrameSite() const {
     return top_frame_site_;
   }
+
   const absl::optional<SchemefulSite>& GetFrameSite() const;
 
+  // Do not use outside of testing. Returns the `frame_site_` if
+  // `kForceIsolationInfoFrameOriginToTopLevelFrame` is disabled. Else it
+  // returns nullopt.
+  const absl::optional<SchemefulSite>& GetFrameSiteForTesting() const {
+    return frame_site_;
+  }
+
   // Getter for the nonce.
   const absl::optional<base::UnguessableToken>& GetNonce() const {
     return nonce_;
diff --git a/chromium/net/base/network_isolation_key_unittest.cc b/chromium/net/base/network_isolation_key_unittest.cc
index 9fbd0a39510..919720fca8a 100644
--- a/chromium/net/base/network_isolation_key_unittest.cc
+++ b/chromium/net/base/network_isolation_key_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -419,7 +419,7 @@ TEST_P(NetworkIsolationKeyTest, CreateWithNewFrameSite) {
   net::NetworkIsolationKey key(site_a, site_b);
   NetworkIsolationKey key_c = key.CreateWithNewFrameSite(site_c);
   if (ForceIsolationInfoFrameOriginToTopLevelFrameEnabled()) {
-    EXPECT_EQ(absl::nullopt, key_c.GetFrameSite());
+    EXPECT_DEATH_IF_SUPPORTED(key_c.GetFrameSite(), "");
   } else {
     EXPECT_EQ(site_c, key_c.GetFrameSite());
   }
@@ -479,12 +479,7 @@ TEST(NetworkIsolationKeyFeatureShiftTest, ValueRoundTripDoubleToTriple) {
   NetworkIsolationKey created_double_key(
       SchemefulSite(GURL("https://foo.test/")),
       SchemefulSite(GURL("https://bar.test/")));
-  EXPECT_EQ(absl::nullopt, created_double_key.GetFrameSite());
-
-  // Assert the triple key still has the frame_site it was created with when
-  // frame site was enabled.
-  EXPECT_EQ(SchemefulSite(GURL("https://bar.test/")),
-            created_triple_key.GetFrameSite());
+  EXPECT_DEATH_IF_SUPPORTED(created_double_key.GetFrameSite(), "");
 
   // Test round trip of key created when frame site was disabled.
   base::Value created_double_key_value;
diff --git a/chromium/net/base/network_notification_thread_mac.cc b/chromium/net/base/network_notification_thread_mac.cc
index 105c3bb3269..3fccae82c17 100644
--- a/chromium/net/base/network_notification_thread_mac.cc
+++ b/chromium/net/base/network_notification_thread_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/network_notification_thread_mac.h b/chromium/net/base/network_notification_thread_mac.h
index 6f97243a792..ccd963ad75d 100644
--- a/chromium/net/base/network_notification_thread_mac.h
+++ b/chromium/net/base/network_notification_thread_mac.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/parse_number.cc b/chromium/net/base/parse_number.cc
index 5c2af5137db..4859bffe972 100644
--- a/chromium/net/base/parse_number.cc
+++ b/chromium/net/base/parse_number.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/parse_number.h b/chromium/net/base/parse_number.h
index 4e49ab71121..d6adf388e6f 100644
--- a/chromium/net/base/parse_number.h
+++ b/chromium/net/base/parse_number.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/parse_number_unittest.cc b/chromium/net/base/parse_number_unittest.cc
index 47cce60e29e..ccde98f8f7d 100644
--- a/chromium/net/base/parse_number_unittest.cc
+++ b/chromium/net/base/parse_number_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/parse_url_hostname_to_address_fuzzer.cc b/chromium/net/base/parse_url_hostname_to_address_fuzzer.cc
index 2ca87e9e17c..a96ab059760 100644
--- a/chromium/net/base/parse_url_hostname_to_address_fuzzer.cc
+++ b/chromium/net/base/parse_url_hostname_to_address_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/platform_mime_util.h b/chromium/net/base/platform_mime_util.h
index bc2bf5509c6..6277aca961f 100644
--- a/chromium/net/base/platform_mime_util.h
+++ b/chromium/net/base/platform_mime_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/platform_mime_util_fuchsia.cc b/chromium/net/base/platform_mime_util_fuchsia.cc
index 3ed266f7e05..4605dd3533e 100644
--- a/chromium/net/base/platform_mime_util_fuchsia.cc
+++ b/chromium/net/base/platform_mime_util_fuchsia.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/platform_mime_util_linux.cc b/chromium/net/base/platform_mime_util_linux.cc
index 6c079a420f9..faf1ab72106 100644
--- a/chromium/net/base/platform_mime_util_linux.cc
+++ b/chromium/net/base/platform_mime_util_linux.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,6 +11,8 @@
 
 #if BUILDFLAG(IS_ANDROID)
 #include "net/android/network_library.h"
+#elif BUILDFLAG(IS_CHROMEOS)
+#include "third_party/xdg_shared_mime_info/mime_cache.h"
 #else
 #include "base/nix/mime_util_xdg.h"
 #endif
@@ -23,11 +25,11 @@ bool PlatformMimeUtil::GetPlatformMimeTypeFromExtension(
     std::string* result) const {
   return android::GetMimeTypeFromExtension(ext, result);
 }
-#elif BUILDFLAG(IS_CHROMEOS_ASH)
+#elif BUILDFLAG(IS_CHROMEOS)
 bool PlatformMimeUtil::GetPlatformMimeTypeFromExtension(
     const base::FilePath::StringType& ext,
     std::string* result) const {
-  return false;
+  return xdg_shared_mime_info::GetMimeCacheTypeFromExtension(ext, result);
 }
 #else
 bool PlatformMimeUtil::GetPlatformMimeTypeFromExtension(
diff --git a/chromium/net/base/platform_mime_util_mac.mm b/chromium/net/base/platform_mime_util_mac.mm
index 1b630903ce3..a45e5d639c8 100644
--- a/chromium/net/base/platform_mime_util_mac.mm
+++ b/chromium/net/base/platform_mime_util_mac.mm
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/platform_mime_util_win.cc b/chromium/net/base/platform_mime_util_win.cc
index 33d00d81264..c92468db628 100644
--- a/chromium/net/base/platform_mime_util_win.cc
+++ b/chromium/net/base/platform_mime_util_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/port_util.cc b/chromium/net/base/port_util.cc
index 84babee6f6a..a2344f66ca0 100644
--- a/chromium/net/base/port_util.cc
+++ b/chromium/net/base/port_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/port_util.h b/chromium/net/base/port_util.h
index 4f6537091df..e2718097ae4 100644
--- a/chromium/net/base/port_util.h
+++ b/chromium/net/base/port_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/port_util_unittest.cc b/chromium/net/base/port_util_unittest.cc
index 0fa1872853b..eb80ef7fde0 100644
--- a/chromium/net/base/port_util_unittest.cc
+++ b/chromium/net/base/port_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/prioritized_dispatcher.cc b/chromium/net/base/prioritized_dispatcher.cc
index 38ca35f98d5..67fadc6277c 100644
--- a/chromium/net/base/prioritized_dispatcher.cc
+++ b/chromium/net/base/prioritized_dispatcher.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/prioritized_dispatcher.h b/chromium/net/base/prioritized_dispatcher.h
index 283c8bc72e3..c14f5da24bd 100644
--- a/chromium/net/base/prioritized_dispatcher.h
+++ b/chromium/net/base/prioritized_dispatcher.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/prioritized_dispatcher_unittest.cc b/chromium/net/base/prioritized_dispatcher_unittest.cc
index 419be5da7f8..404914f16cd 100644
--- a/chromium/net/base/prioritized_dispatcher_unittest.cc
+++ b/chromium/net/base/prioritized_dispatcher_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/prioritized_task_runner.cc b/chromium/net/base/prioritized_task_runner.cc
index 5c1e8aff4a5..4ab92139f94 100644
--- a/chromium/net/base/prioritized_task_runner.cc
+++ b/chromium/net/base/prioritized_task_runner.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,7 +8,6 @@
 
 #include "base/bind.h"
 #include "base/task/task_runner.h"
-#include "base/task/task_runner_util.h"
 #include "base/task/thread_pool.h"
 
 namespace net {
diff --git a/chromium/net/base/prioritized_task_runner.h b/chromium/net/base/prioritized_task_runner.h
index 086f8c70d92..31a845e5cfd 100644
--- a/chromium/net/base/prioritized_task_runner.h
+++ b/chromium/net/base/prioritized_task_runner.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/prioritized_task_runner_unittest.cc b/chromium/net/base/prioritized_task_runner_unittest.cc
index 6f77f11cb6d..c33c3321a62 100644
--- a/chromium/net/base/prioritized_task_runner_unittest.cc
+++ b/chromium/net/base/prioritized_task_runner_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/priority_queue.h b/chromium/net/base/priority_queue.h
index 73cb6d72655..66e1a00d67c 100644
--- a/chromium/net/base/priority_queue.h
+++ b/chromium/net/base/priority_queue.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/priority_queue_unittest.cc b/chromium/net/base/priority_queue_unittest.cc
index 88974bcefe2..738fe844fb2 100644
--- a/chromium/net/base/priority_queue_unittest.cc
+++ b/chromium/net/base/priority_queue_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/privacy_mode.cc b/chromium/net/base/privacy_mode.cc
index 9578848e547..1bb15b0ba7c 100644
--- a/chromium/net/base/privacy_mode.cc
+++ b/chromium/net/base/privacy_mode.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/privacy_mode.h b/chromium/net/base/privacy_mode.h
index 0b7c5d3778f..171fb190a90 100644
--- a/chromium/net/base/privacy_mode.h
+++ b/chromium/net/base/privacy_mode.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/proxy_delegate.h b/chromium/net/base/proxy_delegate.h
index 92e622e7511..6ae0f2ef7c4 100644
--- a/chromium/net/base/proxy_delegate.h
+++ b/chromium/net/base/proxy_delegate.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/proxy_server.cc b/chromium/net/base/proxy_server.cc
index 3b09f37a48a..c2a3e48f409 100644
--- a/chromium/net/base/proxy_server.cc
+++ b/chromium/net/base/proxy_server.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/proxy_server.h b/chromium/net/base/proxy_server.h
index 9e4fe232b4d..cf62c2c8a53 100644
--- a/chromium/net/base/proxy_server.h
+++ b/chromium/net/base/proxy_server.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/proxy_server_unittest.cc b/chromium/net/base/proxy_server_unittest.cc
index 441fc0aa75c..8cf21d00c46 100644
--- a/chromium/net/base/proxy_server_unittest.cc
+++ b/chromium/net/base/proxy_server_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/proxy_string_util.cc b/chromium/net/base/proxy_string_util.cc
index 4cda416ab64..81328620503 100644
--- a/chromium/net/base/proxy_string_util.cc
+++ b/chromium/net/base/proxy_string_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/proxy_string_util.h b/chromium/net/base/proxy_string_util.h
index e6a7f3c2ca3..8388a2ff8d2 100644
--- a/chromium/net/base/proxy_string_util.h
+++ b/chromium/net/base/proxy_string_util.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/proxy_string_util_mac.cc b/chromium/net/base/proxy_string_util_mac.cc
index d6ce12c2853..c41b52e220c 100644
--- a/chromium/net/base/proxy_string_util_mac.cc
+++ b/chromium/net/base/proxy_string_util_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/proxy_string_util_unittest.cc b/chromium/net/base/proxy_string_util_unittest.cc
index 67f6333efed..1759e55d6bd 100644
--- a/chromium/net/base/proxy_string_util_unittest.cc
+++ b/chromium/net/base/proxy_string_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/rand_callback.h b/chromium/net/base/rand_callback.h
index f001c887d1c..e9d60c2f566 100644
--- a/chromium/net/base/rand_callback.h
+++ b/chromium/net/base/rand_callback.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/registry_controlled_domains/BUILD.gn b/chromium/net/base/registry_controlled_domains/BUILD.gn
index c9eb94fb6ad..a39438129bd 100644
--- a/chromium/net/base/registry_controlled_domains/BUILD.gn
+++ b/chromium/net/base/registry_controlled_domains/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright (c) 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/base/registry_controlled_domains/OWNERS b/chromium/net/base/registry_controlled_domains/OWNERS
index 33ed6c7e349..242a9936d16 100644
--- a/chromium/net/base/registry_controlled_domains/OWNERS
+++ b/chromium/net/base/registry_controlled_domains/OWNERS
@@ -1,3 +1,2 @@
 cfredric@chromium.org
-pam@chromium.org
 pkasting@chromium.org
diff --git a/chromium/net/base/registry_controlled_domains/effective_tld_names.gperf b/chromium/net/base/registry_controlled_domains/effective_tld_names.gperf
index 490782dff4e..4e222cfdb3b 100644
--- a/chromium/net/base/registry_controlled_domains/effective_tld_names.gperf
+++ b/chromium/net/base/registry_controlled_domains/effective_tld_names.gperf
@@ -1,5 +1,5 @@
 %{
-// Copyright 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/registry_controlled_domains/effective_tld_names_unittest1.gperf b/chromium/net/base/registry_controlled_domains/effective_tld_names_unittest1.gperf
index 0246f17bebe..1237e142f66 100644
--- a/chromium/net/base/registry_controlled_domains/effective_tld_names_unittest1.gperf
+++ b/chromium/net/base/registry_controlled_domains/effective_tld_names_unittest1.gperf
@@ -1,5 +1,5 @@
 %{
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 // Test file used by registry_controlled_domain_unittest.
diff --git a/chromium/net/base/registry_controlled_domains/effective_tld_names_unittest2.gperf b/chromium/net/base/registry_controlled_domains/effective_tld_names_unittest2.gperf
index 03c2e2a909f..439546a1b89 100644
--- a/chromium/net/base/registry_controlled_domains/effective_tld_names_unittest2.gperf
+++ b/chromium/net/base/registry_controlled_domains/effective_tld_names_unittest2.gperf
@@ -1,5 +1,5 @@
 %{
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 // Test file used by registry_controlled_domain_unittest.
diff --git a/chromium/net/base/registry_controlled_domains/get_domain_and_registry_fuzzer.cc b/chromium/net/base/registry_controlled_domains/get_domain_and_registry_fuzzer.cc
index e71c7dc26a7..31caf31dde3 100644
--- a/chromium/net/base/registry_controlled_domains/get_domain_and_registry_fuzzer.cc
+++ b/chromium/net/base/registry_controlled_domains/get_domain_and_registry_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/registry_controlled_domains/registry_controlled_domain.cc b/chromium/net/base/registry_controlled_domains/registry_controlled_domain.cc
index e330feb408f..be72914e011 100644
--- a/chromium/net/base/registry_controlled_domains/registry_controlled_domain.cc
+++ b/chromium/net/base/registry_controlled_domains/registry_controlled_domain.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/registry_controlled_domains/registry_controlled_domain.h b/chromium/net/base/registry_controlled_domains/registry_controlled_domain.h
index ce6a2201ed8..076215b3920 100644
--- a/chromium/net/base/registry_controlled_domains/registry_controlled_domain.h
+++ b/chromium/net/base/registry_controlled_domains/registry_controlled_domain.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc b/chromium/net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc
index 9417f839fa4..6d43956e61f 100644
--- a/chromium/net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc
+++ b/chromium/net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/request_priority.cc b/chromium/net/base/request_priority.cc
index 4492758d37f..30d93aebb15 100644
--- a/chromium/net/base/request_priority.cc
+++ b/chromium/net/base/request_priority.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/request_priority.h b/chromium/net/base/request_priority.h
index cd2fa11cbf8..0c2ef5fb442 100644
--- a/chromium/net/base/request_priority.h
+++ b/chromium/net/base/request_priority.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/scheme_host_port_matcher.cc b/chromium/net/base/scheme_host_port_matcher.cc
index 2b6a57f0238..ff00fb214ae 100644
--- a/chromium/net/base/scheme_host_port_matcher.cc
+++ b/chromium/net/base/scheme_host_port_matcher.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,6 +11,13 @@
 
 namespace net {
 
+SchemeHostPortMatcher::SchemeHostPortMatcher() = default;
+SchemeHostPortMatcher::SchemeHostPortMatcher(SchemeHostPortMatcher&& rhs) =
+    default;
+SchemeHostPortMatcher& SchemeHostPortMatcher::operator=(
+    SchemeHostPortMatcher&& rhs) = default;
+SchemeHostPortMatcher::~SchemeHostPortMatcher() = default;
+
 // Declares SchemeHostPortMatcher::kParseRuleListDelimiterList[], not a
 // redefinition. This is needed for link.
 // static
diff --git a/chromium/net/base/scheme_host_port_matcher.h b/chromium/net/base/scheme_host_port_matcher.h
index 5896ee4af41..8de3dc83ea9 100644
--- a/chromium/net/base/scheme_host_port_matcher.h
+++ b/chromium/net/base/scheme_host_port_matcher.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -27,10 +27,10 @@ class NET_EXPORT SchemeHostPortMatcher {
   using RuleList = std::vector<std::unique_ptr<SchemeHostPortMatcherRule>>;
 
   // Note: This class is movable but not copiable.
-  SchemeHostPortMatcher() = default;
-  SchemeHostPortMatcher(SchemeHostPortMatcher&& rhs) = default;
-  SchemeHostPortMatcher& operator=(SchemeHostPortMatcher&& rhs) = default;
-  ~SchemeHostPortMatcher() = default;
+  SchemeHostPortMatcher();
+  SchemeHostPortMatcher(SchemeHostPortMatcher&& rhs);
+  SchemeHostPortMatcher& operator=(SchemeHostPortMatcher&& rhs);
+  ~SchemeHostPortMatcher();
 
   // The delimiter used by |ToString()|.
   constexpr static char kPrintRuleListDelimiter = ';';
diff --git a/chromium/net/base/scheme_host_port_matcher_result.h b/chromium/net/base/scheme_host_port_matcher_result.h
index 6de07ec06cc..3dc5dad4241 100644
--- a/chromium/net/base/scheme_host_port_matcher_result.h
+++ b/chromium/net/base/scheme_host_port_matcher_result.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/scheme_host_port_matcher_rule.cc b/chromium/net/base/scheme_host_port_matcher_rule.cc
index cb02c0522c2..e3e6ae5c93e 100644
--- a/chromium/net/base/scheme_host_port_matcher_rule.cc
+++ b/chromium/net/base/scheme_host_port_matcher_rule.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/scheme_host_port_matcher_rule.h b/chromium/net/base/scheme_host_port_matcher_rule.h
index 8c9aedc98b1..19f7588188b 100644
--- a/chromium/net/base/scheme_host_port_matcher_rule.h
+++ b/chromium/net/base/scheme_host_port_matcher_rule.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/scheme_host_port_matcher_rule_unittest.cc b/chromium/net/base/scheme_host_port_matcher_rule_unittest.cc
index 6623ff9a649..97330d05de3 100644
--- a/chromium/net/base/scheme_host_port_matcher_rule_unittest.cc
+++ b/chromium/net/base/scheme_host_port_matcher_rule_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/scheme_host_port_matcher_unittest.cc b/chromium/net/base/scheme_host_port_matcher_unittest.cc
index b8e58e14426..8f74b3dddb1 100644
--- a/chromium/net/base/scheme_host_port_matcher_unittest.cc
+++ b/chromium/net/base/scheme_host_port_matcher_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/schemeful_site.cc b/chromium/net/base/schemeful_site.cc
index 51df09e13fc..5920a306f78 100644
--- a/chromium/net/base/schemeful_site.cc
+++ b/chromium/net/base/schemeful_site.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/schemeful_site.h b/chromium/net/base/schemeful_site.h
index dbccfc7f1a3..a4449fc20e6 100644
--- a/chromium/net/base/schemeful_site.h
+++ b/chromium/net/base/schemeful_site.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -150,11 +150,18 @@ class NET_EXPORT SchemefulSite {
   // use opaque origins.
   friend class NetworkIsolationKey;
 
+  // Needed to serialize opaque and non-transient NetworkAnonymizationKeys,
+  // which use opaque origins.
+  friend class NetworkAnonymizationKey;
+
   // Needed to create a bogus origin from a site.
   // TODO(https://crbug.com/1148927): Give IsolationInfos empty origins instead,
   // in this case, and unfriend IsolationInfo.
   friend class IsolationInfo;
 
+  // Needed to create a bogus origin from a site.
+  friend class URLRequest;
+
   // Needed because cookies do not account for scheme.
   friend class CookieMonster;
 
diff --git a/chromium/net/base/schemeful_site_fuzzer.cc b/chromium/net/base/schemeful_site_fuzzer.cc
index 2e6cd2e6471..15c25bdbbce 100644
--- a/chromium/net/base/schemeful_site_fuzzer.cc
+++ b/chromium/net/base/schemeful_site_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/schemeful_site_unittest.cc b/chromium/net/base/schemeful_site_unittest.cc
index 53197d1292b..06086d4efb9 100644
--- a/chromium/net/base/schemeful_site_unittest.cc
+++ b/chromium/net/base/schemeful_site_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/sockaddr_storage.cc b/chromium/net/base/sockaddr_storage.cc
index 2822e07a707..21f6bf157c1 100644
--- a/chromium/net/base/sockaddr_storage.cc
+++ b/chromium/net/base/sockaddr_storage.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/sockaddr_storage.h b/chromium/net/base/sockaddr_storage.h
index de60176bccb..61459288301 100644
--- a/chromium/net/base/sockaddr_storage.h
+++ b/chromium/net/base/sockaddr_storage.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/sockaddr_util_posix.cc b/chromium/net/base/sockaddr_util_posix.cc
index c184cbe2a15..583b15a23ac 100644
--- a/chromium/net/base/sockaddr_util_posix.cc
+++ b/chromium/net/base/sockaddr_util_posix.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/sockaddr_util_posix.h b/chromium/net/base/sockaddr_util_posix.h
index a12c967a8b5..01eb72ec67f 100644
--- a/chromium/net/base/sockaddr_util_posix.h
+++ b/chromium/net/base/sockaddr_util_posix.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/sockaddr_util_posix_unittest.cc b/chromium/net/base/sockaddr_util_posix_unittest.cc
index f75e1fa35c3..765064044f0 100644
--- a/chromium/net/base/sockaddr_util_posix_unittest.cc
+++ b/chromium/net/base/sockaddr_util_posix_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/sys_addrinfo.h b/chromium/net/base/sys_addrinfo.h
index d91169668bf..ca6dd1f0313 100644
--- a/chromium/net/base/sys_addrinfo.h
+++ b/chromium/net/base/sys_addrinfo.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright 2009 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/test_completion_callback.cc b/chromium/net/base/test_completion_callback.cc
index 2727128373e..abdf6f664ef 100644
--- a/chromium/net/base/test_completion_callback.cc
+++ b/chromium/net/base/test_completion_callback.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/test_completion_callback.h b/chromium/net/base/test_completion_callback.h
index d2453921ddf..3d051c24b53 100644
--- a/chromium/net/base/test_completion_callback.h
+++ b/chromium/net/base/test_completion_callback.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/test_completion_callback_unittest.cc b/chromium/net/base/test_completion_callback_unittest.cc
index 0ba7462e25d..48ec07842b9 100644
--- a/chromium/net/base/test_completion_callback_unittest.cc
+++ b/chromium/net/base/test_completion_callback_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/test_data_stream.cc b/chromium/net/base/test_data_stream.cc
index 052d8cc9f6e..0d723827f01 100644
--- a/chromium/net/base/test_data_stream.cc
+++ b/chromium/net/base/test_data_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/test_data_stream.h b/chromium/net/base/test_data_stream.h
index 7c4c758d261..14a7ad54527 100644
--- a/chromium/net/base/test_data_stream.h
+++ b/chromium/net/base/test_data_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/test_proxy_delegate.cc b/chromium/net/base/test_proxy_delegate.cc
index b7dfe0436d4..da92cf617d8 100644
--- a/chromium/net/base/test_proxy_delegate.cc
+++ b/chromium/net/base/test_proxy_delegate.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/test_proxy_delegate.h b/chromium/net/base/test_proxy_delegate.h
index aed0c323d67..4a2f33350b4 100644
--- a/chromium/net/base/test_proxy_delegate.h
+++ b/chromium/net/base/test_proxy_delegate.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/trace_constants.h b/chromium/net/base/trace_constants.h
index e57b561bf5e..0b770240cff 100644
--- a/chromium/net/base/trace_constants.h
+++ b/chromium/net/base/trace_constants.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/transport_info.cc b/chromium/net/base/transport_info.cc
index 6b0debc40d6..c35bb9bfbca 100644
--- a/chromium/net/base/transport_info.cc
+++ b/chromium/net/base/transport_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/transport_info.h b/chromium/net/base/transport_info.h
index adcaf78b4b9..21fd94a7db5 100644
--- a/chromium/net/base/transport_info.h
+++ b/chromium/net/base/transport_info.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/unescape_url_component_fuzzer.cc b/chromium/net/base/unescape_url_component_fuzzer.cc
index 0bebc228d88..257b66e04a2 100644
--- a/chromium/net/base/unescape_url_component_fuzzer.cc
+++ b/chromium/net/base/unescape_url_component_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_bytes_element_reader.cc b/chromium/net/base/upload_bytes_element_reader.cc
index 312b0069ad9..19b195e1a7d 100644
--- a/chromium/net/base/upload_bytes_element_reader.cc
+++ b/chromium/net/base/upload_bytes_element_reader.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_bytes_element_reader.h b/chromium/net/base/upload_bytes_element_reader.h
index 71c5a4bde35..bb8459bec32 100644
--- a/chromium/net/base/upload_bytes_element_reader.h
+++ b/chromium/net/base/upload_bytes_element_reader.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_bytes_element_reader_unittest.cc b/chromium/net/base/upload_bytes_element_reader_unittest.cc
index 42710ea89cd..4f5c274d0c2 100644
--- a/chromium/net/base/upload_bytes_element_reader_unittest.cc
+++ b/chromium/net/base/upload_bytes_element_reader_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_data_stream.cc b/chromium/net/base/upload_data_stream.cc
index 3444b89f92f..2038f39c745 100644
--- a/chromium/net/base/upload_data_stream.cc
+++ b/chromium/net/base/upload_data_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_data_stream.h b/chromium/net/base/upload_data_stream.h
index 0f9b0c2f7bf..ae538f86201 100644
--- a/chromium/net/base/upload_data_stream.h
+++ b/chromium/net/base/upload_data_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_element_reader.cc b/chromium/net/base/upload_element_reader.cc
index 2a95eb816ae..bc45006989f 100644
--- a/chromium/net/base/upload_element_reader.cc
+++ b/chromium/net/base/upload_element_reader.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_element_reader.h b/chromium/net/base/upload_element_reader.h
index b774c08cf00..8877532f316 100644
--- a/chromium/net/base/upload_element_reader.h
+++ b/chromium/net/base/upload_element_reader.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_file_element_reader.cc b/chromium/net/base/upload_file_element_reader.cc
index d12c03b2530..8aabd901e79 100644
--- a/chromium/net/base/upload_file_element_reader.cc
+++ b/chromium/net/base/upload_file_element_reader.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,6 @@
 #include "base/files/file_util.h"
 #include "base/location.h"
 #include "base/task/task_runner.h"
-#include "base/task/task_runner_util.h"
 #include "net/base/file_stream.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
diff --git a/chromium/net/base/upload_file_element_reader.h b/chromium/net/base/upload_file_element_reader.h
index 89e108afd34..197ef313204 100644
--- a/chromium/net/base/upload_file_element_reader.h
+++ b/chromium/net/base/upload_file_element_reader.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_file_element_reader_unittest.cc b/chromium/net/base/upload_file_element_reader_unittest.cc
index 45664d4b1f3..df5c3be23b6 100644
--- a/chromium/net/base/upload_file_element_reader_unittest.cc
+++ b/chromium/net/base/upload_file_element_reader_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/upload_progress.h b/chromium/net/base/upload_progress.h
index 25194aa1504..e5807e6840c 100644
--- a/chromium/net/base/upload_progress.h
+++ b/chromium/net/base/upload_progress.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/url_util.cc b/chromium/net/base/url_util.cc
index 093d325a388..d2a28b09b3c 100644
--- a/chromium/net/base/url_util.cc
+++ b/chromium/net/base/url_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -20,6 +20,7 @@
 #include "base/strings/utf_string_conversions.h"
 #include "net/base/ip_address.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/gurl.h"
 #include "url/scheme_host_port.h"
 #include "url/url_canon.h"
@@ -77,10 +78,14 @@ GURL AppendQueryParameter(const GURL& url,
 
 GURL AppendOrReplaceQueryParameter(const GURL& url,
                                    const std::string& name,
-                                   const std::string& value) {
+                                   absl::optional<base::StringPiece> value) {
   bool replaced = false;
   std::string param_name = base::EscapeQueryParamValue(name, true);
-  std::string param_value = base::EscapeQueryParamValue(value, true);
+  bool should_keep_param = value.has_value();
+
+  std::string param_value;
+  if (should_keep_param)
+    param_value = base::EscapeQueryParamValue(value.value(), true);
 
   const std::string input = url.query();
   url::Component cursor(0, input.size());
@@ -94,7 +99,11 @@ GURL AppendOrReplaceQueryParameter(const GURL& url,
     // Check |replaced| as only the first pair should be replaced.
     if (!replaced && key == param_name) {
       replaced = true;
+      if (!should_keep_param)
+        continue;
+
       key_value_pair = (param_name + "=" + param_value);
+
     } else {
       key_value_pair.assign(input, key_range.begin,
                             value_range.end() - key_range.begin);
@@ -104,7 +113,7 @@ GURL AppendOrReplaceQueryParameter(const GURL& url,
 
     output += key_value_pair;
   }
-  if (!replaced) {
+  if (!replaced && should_keep_param) {
     if (!output.empty())
       output += "&";
 
diff --git a/chromium/net/base/url_util.h b/chromium/net/base/url_util.h
index 1ae5998c2b0..bc1f761a543 100644
--- a/chromium/net/base/url_util.h
+++ b/chromium/net/base/url_util.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,6 +14,7 @@
 
 #include "base/strings/string_piece.h"
 #include "net/base/net_export.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/third_party/mozilla/url_parse.h"
 
 class GURL;
@@ -40,9 +41,10 @@ NET_EXPORT GURL AppendQueryParameter(const GURL& url,
                                      const std::string& value);
 
 // Returns a new GURL by appending or replacing the given query parameter name
-// and the value. If |name| appears more than once, only the first name-value
+// and the value. If `name` appears more than once, only the first name-value
 // pair is replaced. Unsafe characters in the name and the value are escaped
 // like %XX%XX. The original query component is preserved if it's present.
+// Using `absl::nullopt` for `value` will remove the `name` parameter.
 //
 // Examples:
 //
@@ -52,9 +54,13 @@ NET_EXPORT GURL AppendQueryParameter(const GURL& url,
 // AppendOrReplaceQueryParameter(
 //     GURL("http://example.com?x=y&name=old"), "name", "new").spec()
 // => "http://example.com?x=y&name=new"
-NET_EXPORT GURL AppendOrReplaceQueryParameter(const GURL& url,
-                                              const std::string& name,
-                                              const std::string& value);
+// AppendOrReplaceQueryParameter(
+//     GURL("http://example.com?x=y&name=old"), "name", absl::nullopt).spec()
+// => "http://example.com?x=y&"
+NET_EXPORT GURL
+AppendOrReplaceQueryParameter(const GURL& url,
+                              const std::string& name,
+                              absl::optional<base::StringPiece> value);
 
 // Iterates over the key-value pairs in the query portion of |url|.
 // NOTE: QueryIterator stores reference to |url| and creates base::StringPiece
diff --git a/chromium/net/base/url_util_unittest.cc b/chromium/net/base/url_util_unittest.cc
index a77f8bc8cce..3c5ee049e6b 100644
--- a/chromium/net/base/url_util_unittest.cc
+++ b/chromium/net/base/url_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,6 +9,7 @@
 #include "base/format_macros.h"
 #include "base/strings/utf_string_conversions.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/gurl.h"
 #include "url/scheme_host_port.h"
 #include "url/url_util.h"
@@ -80,7 +81,7 @@ TEST(UrlUtilTest, AppendOrReplaceQueryParameter) {
           GURL("http://example.com/path?name=old&existing=one&name=old"),
           "name", "new").spec());
 
-  // Preserve the content of the original params regarless of our failure to
+  // Preserve the content of the original params regardless of our failure to
   // interpret them correctly.
   EXPECT_EQ("http://example.com/path?bar&name=new&left=&"
             "=right&=&&name=again",
@@ -88,6 +89,78 @@ TEST(UrlUtilTest, AppendOrReplaceQueryParameter) {
           GURL("http://example.com/path?bar&name=old&left=&"
                 "=right&=&&name=again"),
           "name", "new").spec());
+
+  // ----- Removing the key using nullopt value -----
+
+  // Removes the name-value pair from the URL preserving other query parameters.
+  EXPECT_EQ("http://example.com/path?abc=xyz",
+            AppendOrReplaceQueryParameter(
+                GURL("http://example.com/path?name=value&abc=xyz"), "name",
+                absl::nullopt)
+                .spec());
+
+  // Removes the name-value pair from the URL.
+  EXPECT_EQ("http://example.com/path?",
+            AppendOrReplaceQueryParameter(
+                GURL("http://example.com/path?existing=one"), "existing",
+                absl::nullopt)
+                .spec());
+
+  // Removes the first name-value pair.
+  EXPECT_EQ("http://example.com/path?c=d&e=f",
+            AppendOrReplaceQueryParameter(
+                GURL("http://example.com/path?a=b&c=d&e=f"), "a", absl::nullopt)
+                .spec());
+
+  // Removes a name-value pair in between two query params.
+  EXPECT_EQ(
+      "http://example.com/path?existing=one&hello=world",
+      AppendOrReplaceQueryParameter(
+          GURL("http://example.com/path?existing=one&replace=sure&hello=world"),
+          "replace", absl::nullopt)
+          .spec());
+
+  // Removes the last name-value pair.
+  EXPECT_EQ("http://example.com/path?existing=one",
+            AppendOrReplaceQueryParameter(
+                GURL("http://example.com/path?existing=one&replace=sure"),
+                "replace", absl::nullopt)
+                .spec());
+
+  // Removing a name-value pair with unsafe characters included. The
+  // unsafe characters should be escaped.
+  EXPECT_EQ("http://example.com/path?existing=one&hello=world",
+            AppendOrReplaceQueryParameter(
+                GURL("http://example.com/"
+                     "path?existing=one&na+me=v.alue%3D&hello=world"),
+                "na me", absl::nullopt)
+                .spec());
+
+  // Does nothing if the provided query param key does not exist.
+  EXPECT_EQ("http://example.com/path?existing=one&name=old",
+            AppendOrReplaceQueryParameter(
+                GURL("http://example.com/path?existing=one&name=old"), "old",
+                absl::nullopt)
+                .spec());
+
+  // Remove the value of first parameter with this name only.
+  EXPECT_EQ(
+      "http://example.com/path?existing=one&name=old",
+      AppendOrReplaceQueryParameter(
+          GURL("http://example.com/path?name=something&existing=one&name=old"),
+          "name", absl::nullopt)
+          .spec());
+
+  // Preserve the content of the original params regardless of our failure to
+  // interpret them correctly.
+  EXPECT_EQ(
+      "http://example.com/path?bar&left=&"
+      "=right&=&&name=again",
+      AppendOrReplaceQueryParameter(
+          GURL("http://example.com/path?bar&name=old&left=&"
+               "=right&=&&name=again"),
+          "name", absl::nullopt)
+          .spec());
 }
 
 TEST(UrlUtilTest, GetValueForKeyInQuery) {
diff --git a/chromium/net/base/winsock_init.cc b/chromium/net/base/winsock_init.cc
index 55c56161201..946f5c3d59a 100644
--- a/chromium/net/base/winsock_init.cc
+++ b/chromium/net/base/winsock_init.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/winsock_init.h b/chromium/net/base/winsock_init.h
index c33de9dbfbe..d6e295c38e7 100644
--- a/chromium/net/base/winsock_init.h
+++ b/chromium/net/base/winsock_init.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/winsock_util.cc b/chromium/net/base/winsock_util.cc
index 2e90e7a269b..aff59bcfabd 100644
--- a/chromium/net/base/winsock_util.cc
+++ b/chromium/net/base/winsock_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/base/winsock_util.h b/chromium/net/base/winsock_util.h
index 1e555af3fde..35bde234af6 100644
--- a/chromium/net/base/winsock_util.h
+++ b/chromium/net/base/winsock_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/BUILD.gn b/chromium/net/cert/BUILD.gn
index d5ab77000de..98c67ba3174 100644
--- a/chromium/net/cert/BUILD.gn
+++ b/chromium/net/cert/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2022 The Chromium Authors. All rights reserved.
+# Copyright 2022 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/cert/asn1_util.cc b/chromium/net/cert/asn1_util.cc
index 15393d933f4..3317f91f59e 100644
--- a/chromium/net/cert/asn1_util.cc
+++ b/chromium/net/cert/asn1_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/asn1_util.h b/chromium/net/cert/asn1_util.h
index 349b554b39a..c150068c219 100644
--- a/chromium/net/cert/asn1_util.h
+++ b/chromium/net/cert/asn1_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/caching_cert_verifier.cc b/chromium/net/cert/caching_cert_verifier.cc
index d2c1ead3399..25292129933 100644
--- a/chromium/net/cert/caching_cert_verifier.cc
+++ b/chromium/net/cert/caching_cert_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/caching_cert_verifier.h b/chromium/net/cert/caching_cert_verifier.h
index ce06e6eb840..aab0b2cba7f 100644
--- a/chromium/net/cert/caching_cert_verifier.h
+++ b/chromium/net/cert/caching_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/caching_cert_verifier_unittest.cc b/chromium/net/cert/caching_cert_verifier_unittest.cc
index ba1dbd68759..81cd7aa9830 100644
--- a/chromium/net/cert/caching_cert_verifier_unittest.cc
+++ b/chromium/net/cert/caching_cert_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_and_ct_verifier.cc b/chromium/net/cert/cert_and_ct_verifier.cc
index 1ddb9f1efe5..1c2136cd5e4 100644
--- a/chromium/net/cert/cert_and_ct_verifier.cc
+++ b/chromium/net/cert/cert_and_ct_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_and_ct_verifier.h b/chromium/net/cert/cert_and_ct_verifier.h
index cfcefaa1f86..4308e200952 100644
--- a/chromium/net/cert/cert_and_ct_verifier.h
+++ b/chromium/net/cert/cert_and_ct_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_and_ct_verifier_unittest.cc b/chromium/net/cert/cert_and_ct_verifier_unittest.cc
index 858a95250cd..ddb43875287 100644
--- a/chromium/net/cert/cert_and_ct_verifier_unittest.cc
+++ b/chromium/net/cert/cert_and_ct_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_database.cc b/chromium/net/cert/cert_database.cc
index 7e8220b4c14..728d9e443b0 100644
--- a/chromium/net/cert/cert_database.cc
+++ b/chromium/net/cert/cert_database.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_database.h b/chromium/net/cert/cert_database.h
index 0ffb928c9da..03c4f6aa8c3 100644
--- a/chromium/net/cert/cert_database.h
+++ b/chromium/net/cert/cert_database.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_database_mac.cc b/chromium/net/cert/cert_database_mac.cc
index f561550305f..e210e05e2cf 100644
--- a/chromium/net/cert/cert_database_mac.cc
+++ b/chromium/net/cert/cert_database_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_net_fetcher.h b/chromium/net/cert/cert_net_fetcher.h
index 3ac71321b22..e0ab43f9538 100644
--- a/chromium/net/cert/cert_net_fetcher.h
+++ b/chromium/net/cert/cert_net_fetcher.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_status_flags.cc b/chromium/net/cert/cert_status_flags.cc
index 5476b699af8..278c48ad3e4 100644
--- a/chromium/net/cert/cert_status_flags.cc
+++ b/chromium/net/cert/cert_status_flags.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_status_flags.h b/chromium/net/cert/cert_status_flags.h
index 4bd35186a33..20e648a81c3 100644
--- a/chromium/net/cert/cert_status_flags.h
+++ b/chromium/net/cert/cert_status_flags.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_status_flags_list.h b/chromium/net/cert/cert_status_flags_list.h
index cd998473990..d5ab73cf40c 100644
--- a/chromium/net/cert/cert_status_flags_list.h
+++ b/chromium/net/cert/cert_status_flags_list.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_type.h b/chromium/net/cert/cert_type.h
index 84fc44ab1d5..accb2173e35 100644
--- a/chromium/net/cert/cert_type.h
+++ b/chromium/net/cert/cert_type.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verifier.cc b/chromium/net/cert/cert_verifier.cc
index fed64dcccc6..1868cd7542f 100644
--- a/chromium/net/cert/cert_verifier.cc
+++ b/chromium/net/cert/cert_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,13 +9,14 @@
 #include "base/strings/string_util.h"
 #include "build/build_config.h"
 #include "net/base/features.h"
+#include "net/cert/caching_cert_verifier.h"
 #include "net/cert/cert_verify_proc.h"
+#include "net/cert/coalescing_cert_verifier.h"
 #include "net/cert/crl_set.h"
+#include "net/cert/multi_threaded_cert_verifier.h"
+#include "net/net_buildflags.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 #include "third_party/boringssl/src/include/openssl/sha.h"
-#include "net/cert/caching_cert_verifier.h"
-#include "net/cert/coalescing_cert_verifier.h"
-#include "net/cert/multi_threaded_cert_verifier.h"
 
 namespace net {
 
@@ -78,21 +79,22 @@ bool CertVerifier::RequestParams::operator<(
 std::unique_ptr<CertVerifier> CertVerifier::CreateDefaultWithoutCaching(
     scoped_refptr<CertNetFetcher> cert_net_fetcher) {
   scoped_refptr<CertVerifyProc> verify_proc;
+#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
+  if (!verify_proc &&
+      base::FeatureList::IsEnabled(features::kChromeRootStoreUsed)) {
+    verify_proc = CertVerifyProc::CreateBuiltinWithChromeRootStore(
+        std::move(cert_net_fetcher));
+  }
+#endif
+  if (!verify_proc) {
 #if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
-  verify_proc =
-      CertVerifyProc::CreateBuiltinVerifyProc(std::move(cert_net_fetcher));
-#elif BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
-  if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature)) {
     verify_proc =
         CertVerifyProc::CreateBuiltinVerifyProc(std::move(cert_net_fetcher));
-  } else {
+#else
     verify_proc =
         CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher));
-  }
-#else
-  verify_proc =
-      CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher));
 #endif
+  }
 
   return std::make_unique<MultiThreadedCertVerifier>(std::move(verify_proc));
 }
diff --git a/chromium/net/cert/cert_verifier.h b/chromium/net/cert/cert_verifier.h
index cc03c8dc133..515fd040515 100644
--- a/chromium/net/cert/cert_verifier.h
+++ b/chromium/net/cert/cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verifier_unittest.cc b/chromium/net/cert/cert_verifier_unittest.cc
index 9a996fb8ffd..48531c891b2 100644
--- a/chromium/net/cert/cert_verifier_unittest.cc
+++ b/chromium/net/cert/cert_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc.cc b/chromium/net/cert/cert_verify_proc.cc
index eaeb8416f8b..4443323d356 100644
--- a/chromium/net/cert/cert_verify_proc.cc
+++ b/chromium/net/cert/cert_verify_proc.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -48,14 +48,18 @@
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_values.h"
 #include "net/log/net_log_with_source.h"
-#include "net/net_buildflags.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 #include "url/url_canon.h"
 
-#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_MAC) || \
+    BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
 #include "net/cert/cert_verify_proc_builtin.h"
 #endif
 
+#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
+#include "net/cert/internal/trust_store_chrome.h"
+#endif  // CHROME_ROOT_STORE_SUPPORTED
+
 #if BUILDFLAG(IS_ANDROID)
 #include "net/cert/cert_verify_proc_android.h"
 #elif BUILDFLAG(IS_IOS)
@@ -226,9 +230,10 @@ void BestEffortCheckOCSP(const std::string& raw_response,
         certificate.intermediate_buffers().front().get());
   }
 
-  verify_result->revocation_status =
-      CheckOCSP(raw_response, cert_der, issuer_der, base::Time::Now(),
-                kMaxRevocationLeafUpdateAge, &verify_result->response_status);
+  verify_result->revocation_status = CheckOCSP(
+      raw_response, std::string_view(cert_der.data(), cert_der.size()),
+      std::string_view(issuer_der.data(), issuer_der.size()), base::Time::Now(),
+      kMaxRevocationLeafUpdateAge, &verify_result->response_status);
 }
 
 // Records details about the most-specific trust anchor in |hashes|, which is
@@ -387,17 +392,9 @@ bool AreSHA1IntermediatesAllowed() {
   switch (*cert_algorithm) {
     case SignatureAlgorithm::kRsaPkcs1Sha1:
     case SignatureAlgorithm::kEcdsaSha1:
-    case SignatureAlgorithm::kDsaSha1:
       verify_result->has_sha1 = true;
       return true;  // For now.
 
-    case SignatureAlgorithm::kRsaPkcs1Md2:
-    case SignatureAlgorithm::kRsaPkcs1Md4:
-    case SignatureAlgorithm::kRsaPkcs1Md5:
-      // TODO(https://crbug.com/1321688): Remove these from the parser
-      // altogether.
-      return false;
-
     case SignatureAlgorithm::kRsaPkcs1Sha256:
     case SignatureAlgorithm::kRsaPkcs1Sha384:
     case SignatureAlgorithm::kRsaPkcs1Sha512:
@@ -407,7 +404,6 @@ bool AreSHA1IntermediatesAllowed() {
     case SignatureAlgorithm::kRsaPssSha256:
     case SignatureAlgorithm::kRsaPssSha384:
     case SignatureAlgorithm::kRsaPssSha512:
-    case SignatureAlgorithm::kDsaSha256:
       return true;
   }
 
@@ -529,7 +525,7 @@ scoped_refptr<CertVerifyProc> CertVerifyProc::CreateSystemVerifyProc(
 }
 #endif
 
-#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS)
 // static
 scoped_refptr<CertVerifyProc> CertVerifyProc::CreateBuiltinVerifyProc(
     scoped_refptr<CertNetFetcher> cert_net_fetcher) {
@@ -538,6 +534,17 @@ scoped_refptr<CertVerifyProc> CertVerifyProc::CreateBuiltinVerifyProc(
 }
 #endif
 
+#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
+// static
+scoped_refptr<CertVerifyProc> CertVerifyProc::CreateBuiltinWithChromeRootStore(
+    scoped_refptr<CertNetFetcher> cert_net_fetcher) {
+  return CreateCertVerifyProcBuiltin(
+      std::move(cert_net_fetcher),
+      CreateSslSystemTrustStoreChromeRoot(
+          std::make_unique<net::TrustStoreChrome>()));
+}
+#endif
+
 CertVerifyProc::CertVerifyProc() = default;
 
 CertVerifyProc::~CertVerifyProc() = default;
diff --git a/chromium/net/cert/cert_verify_proc.h b/chromium/net/cert/cert_verify_proc.h
index 32e9fb1f8b0..0ffd5567020 100644
--- a/chromium/net/cert/cert_verify_proc.h
+++ b/chromium/net/cert/cert_verify_proc.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,6 +15,7 @@
 #include "crypto/crypto_buildflags.h"
 #include "net/base/hash_value.h"
 #include "net/base/net_export.h"
+#include "net/net_buildflags.h"
 
 namespace net {
 
@@ -87,12 +88,19 @@ class NET_EXPORT CertVerifyProc
       scoped_refptr<CertNetFetcher> cert_net_fetcher);
 #endif
 
-#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS) || BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(USE_NSS_CERTS)
   // Creates and returns a CertVerifyProcBuiltin using the SSL SystemTrustStore.
   static scoped_refptr<CertVerifyProc> CreateBuiltinVerifyProc(
       scoped_refptr<CertNetFetcher> cert_net_fetcher);
 #endif
 
+#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
+  // Creates and returns a CertVerifyProcBuiltin using the Chrome Root Store
+  // SystemTrustStore.
+  static scoped_refptr<CertVerifyProc> CreateBuiltinWithChromeRootStore(
+      scoped_refptr<CertNetFetcher> cert_net_fetcher);
+#endif
+
   CertVerifyProc(const CertVerifyProc&) = delete;
   CertVerifyProc& operator=(const CertVerifyProc&) = delete;
 
diff --git a/chromium/net/cert/cert_verify_proc_android.cc b/chromium/net/cert/cert_verify_proc_android.cc
index 95ec17f5ff2..c4e732c8f09 100644
--- a/chromium/net/cert/cert_verify_proc_android.cc
+++ b/chromium/net/cert/cert_verify_proc_android.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -97,9 +97,9 @@ scoped_refptr<ParsedCertificate> FindLastCertWithUnknownIssuer(
 // successful and the result could be parsed as a certificate, and false
 // otherwise.
 bool PerformAIAFetchAndAddResultToVector(scoped_refptr<CertNetFetcher> fetcher,
-                                         base::StringPiece uri,
+                                         std::string_view uri,
                                          ParsedCertificateList* cert_list) {
-  GURL url(uri);
+  GURL url(base::StringPiece(uri.data(), uri.size()));
   if (!url.is_valid())
     return false;
   std::unique_ptr<CertNetFetcher::Request> request(fetcher->FetchCaIssuers(
diff --git a/chromium/net/cert/cert_verify_proc_android.h b/chromium/net/cert/cert_verify_proc_android.h
index 9e8f2cc9660..394a25c931f 100644
--- a/chromium/net/cert/cert_verify_proc_android.h
+++ b/chromium/net/cert/cert_verify_proc_android.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc_android_unittest.cc b/chromium/net/cert/cert_verify_proc_android_unittest.cc
index 2b3e37f544b..96a72b901f8 100644
--- a/chromium/net/cert/cert_verify_proc_android_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_android_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,6 +17,7 @@
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
 #include "net/log/net_log_with_source.h"
+#include "net/test/cert_builder.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
 #include "net/test/test_data_directory.h"
@@ -33,64 +34,15 @@ namespace net {
 
 namespace {
 
+const char kHostname[] = "example.com";
+const GURL kRootURL("http://aia.test/root");
+const GURL kIntermediateURL("http://aia.test/intermediate");
+
 std::unique_ptr<CertNetFetcher::Request>
 CreateMockRequestWithInvalidCertificate() {
   return MockCertNetFetcherRequest::Create(std::vector<uint8_t>({1, 2, 3}));
 }
 
-::testing::AssertionResult ReadTestPem(const std::string& file_name,
-                                       const std::string& block_name,
-                                       std::string* result) {
-  const PemBlockMapping mappings[] = {
-      {block_name.c_str(), result},
-  };
-
-  return ReadTestDataFromPemFile(file_name, mappings);
-}
-
-::testing::AssertionResult ReadTestCert(
-    const std::string& file_name,
-    scoped_refptr<X509Certificate>* result) {
-  std::string der;
-  ::testing::AssertionResult r =
-      ReadTestPem("net/data/cert_issuer_source_aia_unittest/" + file_name,
-                  "CERTIFICATE", &der);
-  if (!r)
-    return r;
-  *result =
-      X509Certificate::CreateFromBytes(base::as_bytes(base::make_span(der)));
-  if (!result) {
-    return ::testing::AssertionFailure()
-           << "X509Certificate::CreateFromBytes() failed";
-  }
-  return ::testing::AssertionSuccess();
-}
-
-::testing::AssertionResult ReadTestAIARoot(
-    scoped_refptr<X509Certificate>* result) {
-  return ReadTestCert("root.pem", result);
-}
-
-::testing::AssertionResult CreateCertificateChainFromFiles(
-    const std::vector<std::string>& files,
-    scoped_refptr<X509Certificate>* result) {
-  scoped_refptr<X509Certificate> leaf;
-  ::testing::AssertionResult r = ReadTestCert(files[0], &leaf);
-  if (!r)
-    return r;
-  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediate_buffers;
-  for (size_t i = 1; i < files.size(); i++) {
-    scoped_refptr<X509Certificate> intermediate;
-    r = ReadTestCert(files[i], &intermediate);
-    if (!r)
-      return r;
-    intermediate_buffers.push_back(bssl::UpRef(intermediate->cert_buffer()));
-  }
-  *result = X509Certificate::CreateFromBuffer(bssl::UpRef(leaf->cert_buffer()),
-                                              std::move(intermediate_buffers));
-  return ::testing::AssertionSuccess();
-}
-
 // A test fixture for testing CertVerifyProcAndroid AIA fetching. It creates,
 // sets up, and shuts down a MockCertNetFetcher for CertVerifyProcAndroid to
 // use, and enables the field trial for AIA fetching.
@@ -98,6 +50,15 @@ class CertVerifyProcAndroidTestWithAIAFetching : public testing::Test {
  public:
   void SetUp() override {
     fetcher_ = base::MakeRefCounted<MockCertNetFetcher>();
+
+    // Generate a certificate chain with AIA pointers. Tests can modify these
+    // if testing a different scenario.
+    CertBuilder::CreateSimpleChain(&leaf_, &intermediate_, &root_);
+    ASSERT_TRUE(leaf_ && intermediate_ && root_);
+    root_->SetCaIssuersUrl(kRootURL);
+    intermediate_->SetCaIssuersUrl(kRootURL);
+    leaf_->SetCaIssuersUrl(kIntermediateURL);
+    leaf_->SetSubjectAltName(kHostname);
   }
 
   void TearDown() override {
@@ -106,21 +67,27 @@ class CertVerifyProcAndroidTestWithAIAFetching : public testing::Test {
     ASSERT_TRUE(testing::Mock::VerifyAndClearExpectations(fetcher_.get()));
   }
 
+  scoped_refptr<X509Certificate> LeafOnly() {
+    return leaf_->GetX509Certificate();
+  }
+
+  scoped_refptr<X509Certificate> LeafWithIntermediate() {
+    return leaf_->GetX509CertificateChain();
+  }
+
  protected:
-  ::testing::AssertionResult SetUpTestRoot() {
-    ::testing::AssertionResult r = ReadTestAIARoot(&root_);
-    if (!r)
-      return r;
-    scoped_test_root_ = std::make_unique<ScopedTestRoot>(root_.get());
-    return ::testing::AssertionSuccess();
+  void TrustTestRoot() {
+    scoped_test_root_.Reset({root_->GetX509Certificate()});
   }
 
   scoped_refptr<MockCertNetFetcher> fetcher_;
   const CertificateList empty_cert_list_;
+  std::unique_ptr<CertBuilder> root_;
+  std::unique_ptr<CertBuilder> intermediate_;
+  std::unique_ptr<CertBuilder> leaf_;
 
  private:
-  scoped_refptr<X509Certificate> root_;
-  std::unique_ptr<ScopedTestRoot> scoped_test_root_;
+  ScopedTestRoot scoped_test_root_;
 };
 
 }  // namespace
@@ -129,32 +96,28 @@ class CertVerifyProcAndroidTestWithAIAFetching : public testing::Test {
 // no AIA fetch occurs.
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
        NoFetchIfProperIntermediatesSupplied) {
-  ASSERT_TRUE(SetUpTestRoot());
+  TrustTestRoot();
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> leaf;
-  ASSERT_TRUE(
-      CreateCertificateChainFromFiles({"target_one_aia.pem", "i.pem"}, &leaf));
   CertVerifyResult verify_result;
-  EXPECT_EQ(
-      OK,
-      proc->Verify(leaf.get(), "target", /*ocsp_response=*/std::string(),
-                   /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
-                   empty_cert_list_, &verify_result, NetLogWithSource()));
+  EXPECT_EQ(OK, proc->Verify(LeafWithIntermediate().get(), kHostname,
+                             /*ocsp_response=*/std::string(),
+                             /*sct_list=*/std::string(), 0,
+                             CRLSet::BuiltinCRLSet().get(), empty_cert_list_,
+                             &verify_result, NetLogWithSource()));
 }
 
 // Tests that if the certificate does not contain an AIA URL, no AIA fetch
 // occurs.
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching, NoAIAURL) {
-  ASSERT_TRUE(SetUpTestRoot());
+  leaf_->SetCaIssuersAndOCSPUrls(/*ca_issuers_urls=*/{}, /*ocsp_urls=*/{});
+  TrustTestRoot();
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> cert;
-  ASSERT_TRUE(ReadTestCert("target_no_aia.pem", &cert));
   CertVerifyResult verify_result;
   EXPECT_EQ(
       ERR_CERT_AUTHORITY_INVALID,
-      proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(),
+      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                    /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
                    empty_cert_list_, &verify_result, NetLogWithSource()));
 }
@@ -163,30 +126,29 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, NoAIAURL) {
 // there are two fetches, with the latter resulting in a successful
 // verification.
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching, OneFileAndOneHTTPURL) {
-  ASSERT_TRUE(SetUpTestRoot());
+  const GURL kFileURL("file:///dev/null");
+  leaf_->SetCaIssuersAndOCSPUrls(
+      /*ca_issuers_urls=*/{kFileURL, kIntermediateURL},
+      /*ocsp_urls=*/{});
+  TrustTestRoot();
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> cert;
-  ASSERT_TRUE(ReadTestCert("target_file_and_http_aia.pem", &cert));
-  scoped_refptr<X509Certificate> intermediate;
-  ASSERT_TRUE(ReadTestCert("i2.pem", &intermediate));
 
   // Expect two fetches: the file:// URL (which returns an error), and the
   // http:// URL that returns a valid intermediate signed by |root_|. Though the
   // intermediate itself contains an AIA URL, it should not be fetched because
   // |root_| is in the test trust store.
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("file:///dev/null"), _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kFileURL, _, _))
       .WillOnce(Return(ByMove(
           MockCertNetFetcherRequest::Create(ERR_DISALLOWED_URL_SCHEME))));
-  EXPECT_CALL(*fetcher_,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
       .WillOnce(Return(ByMove(
-          MockCertNetFetcherRequest::Create(intermediate->cert_buffer()))));
+          MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer()))));
 
   CertVerifyResult verify_result;
   EXPECT_EQ(
       OK,
-      proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(),
+      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                    /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
                    empty_cert_list_, &verify_result, NetLogWithSource()));
 }
@@ -195,22 +157,20 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, OneFileAndOneHTTPURL) {
 // verification should fail.
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
        UnsuccessfulVerificationWithLeafOnly) {
-  ASSERT_TRUE(SetUpTestRoot());
+  TrustTestRoot();
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> cert;
-  ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert));
   const scoped_refptr<X509Certificate> bad_intermediate =
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
 
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
       .WillOnce(Return(ByMove(
           MockCertNetFetcherRequest::Create(bad_intermediate->cert_buffer()))));
 
   CertVerifyResult verify_result;
   EXPECT_EQ(
       ERR_CERT_AUTHORITY_INVALID,
-      proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(),
+      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                    /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
                    empty_cert_list_, &verify_result, NetLogWithSource()));
 }
@@ -219,19 +179,17 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
 // should fail.
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
        UnsuccessfulVerificationWithLeafOnlyAndErrorOnFetch) {
-  ASSERT_TRUE(SetUpTestRoot());
+  TrustTestRoot();
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> cert;
-  ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert));
 
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
       .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED))));
 
   CertVerifyResult verify_result;
   EXPECT_EQ(
       ERR_CERT_AUTHORITY_INVALID,
-      proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(),
+      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                    /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
                    empty_cert_list_, &verify_result, NetLogWithSource()));
 }
@@ -240,19 +198,17 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
 // verification should fail.
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
        UnsuccessfulVerificationWithLeafOnlyAndUnparseableFetch) {
-  ASSERT_TRUE(SetUpTestRoot());
+  TrustTestRoot();
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> cert;
-  ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert));
 
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
       .WillOnce(Return(ByMove(CreateMockRequestWithInvalidCertificate())));
 
   CertVerifyResult verify_result;
   EXPECT_EQ(
       ERR_CERT_AUTHORITY_INVALID,
-      proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(),
+      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                    /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
                    empty_cert_list_, &verify_result, NetLogWithSource()));
 }
@@ -261,33 +217,34 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
 // one serves an unrelated certificate and one serves a proper intermediate, the
 // latter should be used to build a valid chain.
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching, TwoHTTPURLs) {
-  ASSERT_TRUE(SetUpTestRoot());
+  const GURL kUnrelatedURL("http://aia.test/unrelated");
+  leaf_->SetCaIssuersAndOCSPUrls(
+      /*ca_issuers_urls=*/{kUnrelatedURL, kIntermediateURL},
+      /*ocsp_urls=*/{});
+  scoped_refptr<X509Certificate> unrelated =
+      ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
+  ASSERT_TRUE(unrelated);
+
+  TrustTestRoot();
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> cert;
-  ASSERT_TRUE(ReadTestCert("target_two_aia.pem", &cert));
-  scoped_refptr<X509Certificate> intermediate;
-  ASSERT_TRUE(ReadTestCert("i2.pem", &intermediate));
-  scoped_refptr<X509Certificate> unrelated;
-  ASSERT_TRUE(ReadTestCert("target_three_aia.pem", &unrelated));
 
   // Expect two fetches, the first of which returns an unrelated certificate
   // that is not useful in chain-building, and the second of which returns a
   // valid intermediate signed by |root_|. Though the intermediate itself
   // contains an AIA URL, it should not be fetched because |root_| is in the
   // trust store.
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kUnrelatedURL, _, _))
       .WillOnce(Return(
           ByMove(MockCertNetFetcherRequest::Create(unrelated->cert_buffer()))));
-  EXPECT_CALL(*fetcher_,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
       .WillOnce(Return(ByMove(
-          MockCertNetFetcherRequest::Create(intermediate->cert_buffer()))));
+          MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer()))));
 
   CertVerifyResult verify_result;
   EXPECT_EQ(
       OK,
-      proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(),
+      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                    /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
                    empty_cert_list_, &verify_result, NetLogWithSource()));
 }
@@ -297,33 +254,27 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, TwoHTTPURLs) {
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
        AIAFetchForFetchedIntermediate) {
   // Do not set up the test root to be trusted. If the test root were trusted,
-  // then the intermediate i2.pem would not require an AIA fetch. With the test
-  // root untrusted, i2.pem does not verify and so it will trigger an AIA fetch.
+  // then the intermediate would not require an AIA fetch. With the test root
+  // untrusted, the intermediate does not verify and so it will trigger an AIA
+  // fetch.
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> cert;
-  ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert));
-  scoped_refptr<X509Certificate> intermediate;
-  ASSERT_TRUE(ReadTestCert("i2.pem", &intermediate));
-  scoped_refptr<X509Certificate> root;
-  ASSERT_TRUE(ReadTestAIARoot(&root));
 
   // Expect two fetches, the first of which returns an intermediate that itself
   // has an AIA URL.
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kIntermediateURL, _, _))
       .WillOnce(Return(ByMove(
-          MockCertNetFetcherRequest::Create(intermediate->cert_buffer()))));
-  EXPECT_CALL(*fetcher_,
-              FetchCaIssuers(GURL("http://url-for-aia/Root.cer"), _, _))
+          MockCertNetFetcherRequest::Create(intermediate_->GetCertBuffer()))));
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kRootURL, _, _))
       .WillOnce(Return(
-          ByMove(MockCertNetFetcherRequest::Create(root->cert_buffer()))));
+          ByMove(MockCertNetFetcherRequest::Create(root_->GetCertBuffer()))));
 
   CertVerifyResult verify_result;
   // This chain results in an AUTHORITY_INVALID root because |root_| is not
   // trusted.
   EXPECT_EQ(
       ERR_CERT_AUTHORITY_INVALID,
-      proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(),
+      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                    /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
                    empty_cert_list_, &verify_result, NetLogWithSource()));
 }
@@ -331,11 +282,15 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
 // Tests that if a certificate contains six AIA URLs, only the first five are
 // fetched, since the maximum number of fetches per Verify() call is five.
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching, MaxAIAFetches) {
-  ASSERT_TRUE(SetUpTestRoot());
+  leaf_->SetCaIssuersAndOCSPUrls(
+      /*ca_issuers_urls=*/{GURL("http://aia.test/1"), GURL("http://aia.test/2"),
+                           GURL("http://aia.test/3"), GURL("http://aia.test/4"),
+                           GURL("http://aia.test/5"),
+                           GURL("http://aia.test/6")},
+      /*ocsp_urls=*/{});
+  TrustTestRoot();
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> cert;
-  ASSERT_TRUE(ReadTestCert("target_six_aia.pem", &cert));
 
   EXPECT_CALL(*fetcher_, FetchCaIssuers(_, _, _))
       .WillOnce(Return(ByMove(MockCertNetFetcherRequest::Create(ERR_FAILED))))
@@ -347,7 +302,7 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, MaxAIAFetches) {
   CertVerifyResult verify_result;
   EXPECT_EQ(
       ERR_CERT_AUTHORITY_INVALID,
-      proc->Verify(cert.get(), "target", /*ocsp_response=*/std::string(),
+      proc->Verify(LeafOnly().get(), kHostname, /*ocsp_response=*/std::string(),
                    /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
                    empty_cert_list_, &verify_result, NetLogWithSource()));
 }
@@ -356,27 +311,23 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, MaxAIAFetches) {
 // that AIA URL is fetched if necessary.
 TEST_F(CertVerifyProcAndroidTestWithAIAFetching, FetchForSuppliedIntermediate) {
   // Do not set up the test root to be trusted. If the test root were trusted,
-  // then the intermediate i.pem would not require an AIA fetch. With the test
-  // root untrusted, i.pem does not verify and so it will trigger an AIA fetch.
+  // then the intermediate would not require an AIA fetch. With the test root
+  // untrusted, the intermediate does not verify and so it will trigger an AIA
+  // fetch.
   scoped_refptr<CertVerifyProcAndroid> proc =
       base::MakeRefCounted<CertVerifyProcAndroid>(fetcher_);
-  scoped_refptr<X509Certificate> leaf;
-  ASSERT_TRUE(
-      CreateCertificateChainFromFiles({"target_one_aia.pem", "i.pem"}, &leaf));
-  scoped_refptr<X509Certificate> root;
-  ASSERT_TRUE(ReadTestAIARoot(&root));
-
-  EXPECT_CALL(*fetcher_,
-              FetchCaIssuers(GURL("http://url-for-aia/Root.cer"), _, _))
+
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(kRootURL, _, _))
       .WillOnce(Return(
-          ByMove(MockCertNetFetcherRequest::Create(root->cert_buffer()))));
+          ByMove(MockCertNetFetcherRequest::Create(root_->GetCertBuffer()))));
 
   CertVerifyResult verify_result;
   // This chain results in an AUTHORITY_INVALID root because |root_| is not
   // trusted.
   EXPECT_EQ(
       ERR_CERT_AUTHORITY_INVALID,
-      proc->Verify(leaf.get(), "target", /*ocsp_response=*/std::string(),
+      proc->Verify(LeafWithIntermediate().get(), kHostname,
+                   /*ocsp_response=*/std::string(),
                    /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
                    empty_cert_list_, &verify_result, NetLogWithSource()));
 }
diff --git a/chromium/net/cert/cert_verify_proc_blocklist.inc b/chromium/net/cert/cert_verify_proc_blocklist.inc
index b2806489b89..f543de9fc1e 100644
--- a/chromium/net/cert/cert_verify_proc_blocklist.inc
+++ b/chromium/net/cert/cert_verify_proc_blocklist.inc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc_builtin.cc b/chromium/net/cert/cert_verify_proc_builtin.cc
index afe1bc86066..6cf4ae8ee5f 100644
--- a/chromium/net/cert/cert_verify_proc_builtin.cc
+++ b/chromium/net/cert/cert_verify_proc_builtin.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -493,7 +493,7 @@ void MapPathBuilderErrorsToCertStatus(const CertPathErrors& errors,
   // IMPORTANT: If the path was invalid for a reason that was not
   // explicity checked above, set a general error. This is important as
   // |cert_status| is what ultimately indicates whether verification was
-  // successful or not (absense of errors implies success).
+  // successful or not (absence of errors implies success).
   if (!IsCertStatusError(*cert_status))
     *cert_status |= CERT_STATUS_INVALID;
 }
@@ -742,7 +742,7 @@ int CertVerifyProcBuiltin::VerifyInternal(
     net_log.AddEvent(NetLogEventType::CERT_VERIFY_PROC_TARGET_CERT, [&] {
       return NetLogCertParams(input_cert->cert_buffer(), parsing_errors);
     });
-    if (!target) {
+    if (!target || !target->signature_algorithm()) {
       verify_result->cert_status |= CERT_STATUS_INVALID;
       return ERR_CERT_INVALID;
     }
diff --git a/chromium/net/cert/cert_verify_proc_builtin.h b/chromium/net/cert/cert_verify_proc_builtin.h
index 74400831b98..dc87a500343 100644
--- a/chromium/net/cert/cert_verify_proc_builtin.h
+++ b/chromium/net/cert/cert_verify_proc_builtin.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc_builtin_unittest.cc b/chromium/net/cert/cert_verify_proc_builtin_unittest.cc
index a69e47a46e5..02702f453eb 100644
--- a/chromium/net/cert/cert_verify_proc_builtin_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_builtin_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,6 +6,7 @@
 
 #include "base/memory/raw_ptr.h"
 #include "base/numerics/safe_conversions.h"
+#include "base/ranges/algorithm.h"
 #include "base/run_loop.h"
 #include "base/strings/stringprintf.h"
 #include "base/task/thread_pool.h"
@@ -530,25 +531,25 @@ TEST_F(CertVerifyProcBuiltinTest, EVNoOCSPRevocationChecks) {
 
   auto events = net_log_observer.GetEntriesForSource(verify_net_log_source);
 
-  auto event = std::find_if(events.begin(), events.end(), [](const auto& e) {
-    return e.type == NetLogEventType::CERT_VERIFY_PROC_PATH_BUILD_ATTEMPT;
-  });
+  auto event = base::ranges::find(
+      events, NetLogEventType::CERT_VERIFY_PROC_PATH_BUILD_ATTEMPT,
+      &NetLogEntry::type);
   ASSERT_NE(event, events.end());
   EXPECT_EQ(net::NetLogEventPhase::BEGIN, event->phase);
   ASSERT_TRUE(event->params.is_dict());
   EXPECT_EQ(true, event->params.FindBoolKey("is_ev_attempt"));
 
-  event = std::find_if(++event, events.end(), [](const auto& e) {
-    return e.type == NetLogEventType::CERT_VERIFY_PROC_PATH_BUILT;
-  });
+  event = base::ranges::find(++event, events.end(),
+                             NetLogEventType::CERT_VERIFY_PROC_PATH_BUILT,
+                             &NetLogEntry::type);
   ASSERT_NE(event, events.end());
   EXPECT_EQ(net::NetLogEventPhase::NONE, event->phase);
   ASSERT_TRUE(event->params.is_dict());
   EXPECT_FALSE(event->params.FindStringKey("errors"));
 
-  event = std::find_if(++event, events.end(), [](const auto& e) {
-    return e.type == NetLogEventType::CERT_VERIFY_PROC_PATH_BUILD_ATTEMPT;
-  });
+  event = base::ranges::find(
+      ++event, events.end(),
+      NetLogEventType::CERT_VERIFY_PROC_PATH_BUILD_ATTEMPT, &NetLogEntry::type);
   ASSERT_NE(event, events.end());
   EXPECT_EQ(net::NetLogEventPhase::END, event->phase);
   ASSERT_TRUE(event->params.is_dict());
@@ -640,6 +641,22 @@ TEST_F(CertVerifyProcBuiltinTest, DebugData) {
 
 namespace {
 
+// Returns a TLV to use as an unknown signature algorithm when building a cert.
+// The specific contents are as follows (the OID is from
+// https://davidben.net/oid):
+//
+// SEQUENCE {
+//   OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.0 }
+//   NULL {}
+// }
+std::string UnknownSignatureAlgorithmTLV() {
+  const uint8_t kInvalidSignatureAlgorithmTLV[] = {
+      0x30, 0x10, 0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+      0x12, 0x04, 0x01, 0x84, 0xb7, 0x09, 0x00, 0x05, 0x00};
+  return std::string(std::begin(kInvalidSignatureAlgorithmTLV),
+                     std::end(kInvalidSignatureAlgorithmTLV));
+}
+
 // Returns a TLV to use as an invalid signature algorithm when building a cert.
 // This is a SEQUENCE so that it will pass the ParseCertificate code
 // and fail inside ParseSignatureAlgorithm.
@@ -655,6 +672,30 @@ std::string InvalidSignatureAlgorithmTLV() {
 
 }  // namespace
 
+TEST_F(CertVerifyProcBuiltinTest, UnknownSignatureAlgorithmTarget) {
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+  leaf->SetSignatureAlgorithmTLV(UnknownSignatureAlgorithmTLV());
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = leaf->GetX509CertificateChain();
+  ASSERT_TRUE(chain.get());
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  NetLogSource verify_net_log_source;
+  TestCompletionCallback callback;
+  Verify(chain.get(), "www.example.com", flags, CertificateList(),
+         &verify_result, &verify_net_log_source, callback.callback());
+  int error = callback.WaitForResult();
+  // Unknown signature algorithm in the leaf cert should result in the cert
+  // being invalid.
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
+  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+}
+
 TEST_F(CertVerifyProcBuiltinTest,
        UnparsableMismatchedTBSSignatureAlgorithmTarget) {
   std::unique_ptr<CertBuilder> leaf, root;
@@ -681,6 +722,30 @@ TEST_F(CertVerifyProcBuiltinTest,
   EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
 }
 
+TEST_F(CertVerifyProcBuiltinTest, UnknownSignatureAlgorithmIntermediate) {
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+  intermediate->SetSignatureAlgorithmTLV(UnknownSignatureAlgorithmTLV());
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = leaf->GetX509CertificateChain();
+  ASSERT_TRUE(chain.get());
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  NetLogSource verify_net_log_source;
+  TestCompletionCallback callback;
+  Verify(chain.get(), "www.example.com", flags, CertificateList(),
+         &verify_result, &verify_net_log_source, callback.callback());
+  int error = callback.WaitForResult();
+  // Unknown signature algorithm in the intermediate cert should result in the
+  // cert being invalid.
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
+  EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+}
+
 TEST_F(CertVerifyProcBuiltinTest,
        UnparsableMismatchedTBSSignatureAlgorithmIntermediate) {
   std::unique_ptr<CertBuilder> leaf, intermediate, root;
@@ -708,6 +773,29 @@ TEST_F(CertVerifyProcBuiltinTest,
   EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
 }
 
+TEST_F(CertVerifyProcBuiltinTest, UnknownSignatureAlgorithmRoot) {
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CreateChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+  root->SetSignatureAlgorithmTLV(UnknownSignatureAlgorithmTLV());
+
+  // Trust the root and build a chain to verify that includes the intermediate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
+  scoped_refptr<X509Certificate> chain = leaf->GetX509CertificateChain();
+  ASSERT_TRUE(chain.get());
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  NetLogSource verify_net_log_source;
+  TestCompletionCallback callback;
+  Verify(chain.get(), "www.example.com", flags, CertificateList(),
+         &verify_result, &verify_net_log_source, callback.callback());
+  int error = callback.WaitForResult();
+  // Unknown signature algorithm in the root cert should have no effect on
+  // verification.
+  EXPECT_THAT(error, IsOk());
+}
+
 // This test is disabled on Android as adding the invalid root through
 // ScopedTestRoot causes it to be parsed by the Java X509 code which barfs. We
 // could re-enable if Chrome on Android has fully switched to the
diff --git a/chromium/net/cert/cert_verify_proc_ios.cc b/chromium/net/cert/cert_verify_proc_ios.cc
index 634266c003b..cfd7a34dbc3 100644
--- a/chromium/net/cert/cert_verify_proc_ios.cc
+++ b/chromium/net/cert/cert_verify_proc_ios.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc_ios.h b/chromium/net/cert/cert_verify_proc_ios.h
index 9a097add531..5c4cb1c603b 100644
--- a/chromium/net/cert/cert_verify_proc_ios.h
+++ b/chromium/net/cert/cert_verify_proc_ios.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc_mac.cc b/chromium/net/cert/cert_verify_proc_mac.cc
index 395c467be7e..c8016cd15b2 100644
--- a/chromium/net/cert/cert_verify_proc_mac.cc
+++ b/chromium/net/cert/cert_verify_proc_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc_mac.h b/chromium/net/cert/cert_verify_proc_mac.h
index 84ea532464f..848af12dfdf 100644
--- a/chromium/net/cert/cert_verify_proc_mac.h
+++ b/chromium/net/cert/cert_verify_proc_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc_mac_unittest.cc b/chromium/net/cert/cert_verify_proc_mac_unittest.cc
index 908d5fccd15..0432999eecb 100644
--- a/chromium/net/cert/cert_verify_proc_mac_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_mac_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc_unittest.cc b/chromium/net/cert/cert_verify_proc_unittest.cc
index edbe04abeda..0fadd0cf800 100644
--- a/chromium/net/cert/cert_verify_proc_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,6 +15,7 @@
 #include "base/memory/raw_ptr.h"
 #include "base/message_loop/message_pump_type.h"
 #include "base/rand_util.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
@@ -63,11 +64,11 @@
 #include "net/url_request/url_request_context_getter.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/boringssl/src/include/openssl/bytestring.h"
 #include "third_party/boringssl/src/include/openssl/mem.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 
 #if BUILDFLAG(IS_ANDROID)
-#include "base/android/build_info.h"
 #include "net/cert/cert_verify_proc_android.h"
 #elif BUILDFLAG(IS_IOS)
 #include "base/ios/ios_util.h"
@@ -203,9 +204,11 @@ scoped_refptr<CertVerifyProc> CreateCertVerifyProc(
     case CERT_VERIFY_PROC_WIN:
       return base::MakeRefCounted<CertVerifyProcWin>();
 #endif
+#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
     case CERT_VERIFY_PROC_BUILTIN:
       return CreateCertVerifyProcBuiltin(std::move(cert_net_fetcher),
                                          CreateSslSystemTrustStore());
+#endif
 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
     case CERT_VERIFY_PROC_BUILTIN_CHROME_ROOTS:
       return CreateCertVerifyProcBuiltin(
@@ -230,7 +233,7 @@ const std::vector<CertVerifyProcType> kAllCertVerifiers = {
 #elif BUILDFLAG(IS_IOS)
     CERT_VERIFY_PROC_IOS
 #elif BUILDFLAG(IS_MAC)
-    CERT_VERIFY_PROC_MAC, CERT_VERIFY_PROC_BUILTIN,
+    CERT_VERIFY_PROC_MAC,
 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
     CERT_VERIFY_PROC_BUILTIN_CHROME_ROOTS
 #endif
@@ -350,19 +353,6 @@ class CertVerifyProcInternalTest
     return verify_proc_->SupportsAdditionalTrustAnchors();
   }
 
-  bool SupportsReturningVerifiedChain() const {
-#if BUILDFLAG(IS_ANDROID)
-    // Before API level 17 (SDK_VERSION_JELLY_BEAN_MR1), Android does
-    // not expose the APIs necessary to get at the verified
-    // certificate chain.
-    if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID &&
-        base::android::BuildInfo::GetInstance()->sdk_int() <
-            base::android::SDK_VERSION_JELLY_BEAN_MR1)
-      return false;
-#endif
-    return true;
-  }
-
   // Returns true if the RSA/DSA keysize will be considered weak on the current
   // platform. IsInvalidRsaDsaKeySize should be checked prior, since some very
   // weak keys may be considered invalid.
@@ -502,13 +492,18 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {
     return;
   }
 
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "ev-multi-oid.pem");
-  scoped_refptr<X509Certificate> root =
-      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
-  ASSERT_TRUE(cert);
-  ASSERT_TRUE(root);
-  ScopedTestRoot test_root(root.get());
+  std::unique_ptr<CertBuilder> leaf, root;
+  CertBuilder::CreateSimpleChain(&leaf, &root);
+  ASSERT_TRUE(leaf && root);
+
+  // The policies that target certificate asserts.
+  static const char kOtherTestCertPolicy[] = "2.23.140.1.1";
+  static const char kEVTestCertPolicy[] = "1.2.3.4";
+  // Specify the extraneous policy first, then the actual policy.
+  leaf->SetCertificatePolicies({kOtherTestCertPolicy, kEVTestCertPolicy});
+
+  scoped_refptr<X509Certificate> cert = leaf->GetX509Certificate();
+  ScopedTestRoot test_root(root->GetX509Certificate().get());
 
   // Build a CRLSet that covers the target certificate.
   //
@@ -516,26 +511,23 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {
   // so this test does not depend on online revocation checking.
   base::StringPiece spki;
   ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(
-      x509_util::CryptoBufferAsStringPiece(root->cert_buffer()), &spki));
+      x509_util::CryptoBufferAsStringPiece(root->GetCertBuffer()), &spki));
   SHA256HashValue spki_sha256;
   crypto::SHA256HashString(spki, spki_sha256.data, sizeof(spki_sha256.data));
   scoped_refptr<CRLSet> crl_set(
       CRLSet::ForTesting(false, &spki_sha256, "", "", {}));
 
-  // The policies that "ev-multi-oid.pem" target certificate asserts.
-  static const char kOtherTestCertPolicy[] = "2.23.140.1.1";
-  static const char kEVTestCertPolicy[] = "1.2.3.4";
   // Consider the root of the test chain a valid EV root for the test policy.
   ScopedTestEVPolicy scoped_test_ev_policy(
       EVRootCAMetadata::GetInstance(),
-      X509Certificate::CalculateFingerprint256(root->cert_buffer()),
+      X509Certificate::CalculateFingerprint256(root->GetCertBuffer()),
       kEVTestCertPolicy);
   ScopedTestEVPolicy scoped_test_other_policy(
       EVRootCAMetadata::GetInstance(), SHA256HashValue(), kOtherTestCertPolicy);
 
   CertVerifyResult verify_result;
   int flags = 0;
-  int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+  int error = Verify(cert.get(), "www.example.com", flags, crl_set.get(),
                      CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
@@ -545,20 +537,22 @@ TEST_P(CertVerifyProcInternalTest, EVVerificationMultipleOID) {
 // length 1 because the target cert was directly trusted in the trust store.
 // Should verify OK but not with STATUS_IS_EV.
 TEST_P(CertVerifyProcInternalTest, TrustedTargetCertWithEVPolicy) {
-  // The policy that "explicit-policy-chain.pem" target certificate asserts.
+  std::unique_ptr<CertBuilder> leaf, root;
+  CertBuilder::CreateSimpleChain(&leaf, &root);
+  ASSERT_TRUE(leaf && root);
+
   static const char kEVTestCertPolicy[] = "1.2.3.4";
+  leaf->SetCertificatePolicies({kEVTestCertPolicy});
   ScopedTestEVPolicy scoped_test_ev_policy(
       EVRootCAMetadata::GetInstance(), SHA256HashValue(), kEVTestCertPolicy);
 
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "explicit-policy-chain.pem");
-  ASSERT_TRUE(cert);
+  scoped_refptr<X509Certificate> cert = leaf->GetX509Certificate();
   ScopedTestRoot scoped_test_root(cert.get());
 
   CertVerifyResult verify_result;
   int flags = 0;
   int error =
-      Verify(cert.get(), "policy_test.example", flags,
+      Verify(cert.get(), "www.example.com", flags,
              CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
   if (ScopedTestRootCanTrustTargetCert(verify_proc_type())) {
     EXPECT_THAT(error, IsOk());
@@ -576,27 +570,23 @@ TEST_P(CertVerifyProcInternalTest, TrustedTargetCertWithEVPolicy) {
 // explode if it does.
 TEST_P(CertVerifyProcInternalTest,
        TrustedTargetCertWithEVPolicyAndEVFingerprint) {
-  // The policy that "explicit-policy-chain.pem" target certificate asserts.
+  std::unique_ptr<CertBuilder> leaf, root;
+  CertBuilder::CreateSimpleChain(&leaf, &root);
+  ASSERT_TRUE(leaf && root);
+
   static const char kEVTestCertPolicy[] = "1.2.3.4";
-  // This the fingerprint of the "explicit-policy-chain.pem" target certificate.
-  // See net/data/ssl/certificates/explicit-policy-chain.pem
-  static const SHA256HashValue kEVTestCertFingerprint = {
-      {0x71, 0xac, 0xfa, 0x12, 0xa4, 0x42, 0x31, 0x3c, 0xff, 0x10, 0xd2,
-       0x9d, 0xb6, 0x1b, 0x4a, 0xe8, 0x25, 0x4e, 0x77, 0xd3, 0x9f, 0xa3,
-       0x2f, 0xb3, 0x19, 0x8d, 0x46, 0x9f, 0xb7, 0x73, 0x07, 0x30}};
-  ScopedTestEVPolicy scoped_test_ev_policy(EVRootCAMetadata::GetInstance(),
-                                           kEVTestCertFingerprint,
-                                           kEVTestCertPolicy);
-
-  scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "explicit-policy-chain.pem");
-  ASSERT_TRUE(cert);
+  leaf->SetCertificatePolicies({kEVTestCertPolicy});
+  ScopedTestEVPolicy scoped_test_ev_policy(
+      EVRootCAMetadata::GetInstance(),
+      X509Certificate::CalculateFingerprint256(leaf->GetCertBuffer()),
+      kEVTestCertPolicy);
+  scoped_refptr<X509Certificate> cert = leaf->GetX509Certificate();
   ScopedTestRoot scoped_test_root(cert.get());
 
   CertVerifyResult verify_result;
   int flags = 0;
   int error =
-      Verify(cert.get(), "policy_test.example", flags,
+      Verify(cert.get(), "www.example.com", flags,
              CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
   if (ScopedTestRootCanTrustTargetCert(verify_proc_type())) {
     EXPECT_THAT(error, IsOk());
@@ -623,59 +613,32 @@ TEST_P(CertVerifyProcInternalTest, TrustedIntermediateCertWithEVPolicy) {
     return;
   }
 
-  CertificateList orig_certs = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "explicit-policy-chain.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, orig_certs.size());
-
   for (bool trust_the_intermediate : {false, true}) {
     SCOPED_TRACE(trust_the_intermediate);
 
     // Need to build unique certs for each try otherwise caching can break
     // things.
-    CertBuilder root(orig_certs[2]->cert_buffer(), nullptr);
-    root.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
-    root.GenerateECKey();
-    CertBuilder intermediate(orig_certs[1]->cert_buffer(), &root);
-    intermediate.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
-    intermediate.GenerateECKey();
-    CertBuilder leaf(orig_certs[0]->cert_buffer(), &intermediate);
-    leaf.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
-    leaf.GenerateECKey();
-
-    // The policy that "explicit-policy-chain.pem" target certificate asserts.
+    std::unique_ptr<CertBuilder> leaf, intermediate, root;
+    CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+    ASSERT_TRUE(leaf && intermediate && root);
+
     static const char kEVTestCertPolicy[] = "1.2.3.4";
+    leaf->SetCertificatePolicies({kEVTestCertPolicy});
+    intermediate->SetCertificatePolicies({kEVTestCertPolicy});
     // Consider the root of the test chain a valid EV root for the test policy.
     ScopedTestEVPolicy scoped_test_ev_policy(
         EVRootCAMetadata::GetInstance(),
-        X509Certificate::CalculateFingerprint256(root.GetCertBuffer()),
+        X509Certificate::CalculateFingerprint256(root->GetCertBuffer()),
         kEVTestCertPolicy);
 
-    // CRLSet which covers the leaf.
-    base::StringPiece intermediate_spki;
-    ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(
-        x509_util::CryptoBufferAsStringPiece(intermediate.GetCertBuffer()),
-        &intermediate_spki));
-    SHA256HashValue intermediate_spki_hash;
-    crypto::SHA256HashString(intermediate_spki, &intermediate_spki_hash,
-                             sizeof(SHA256HashValue));
-    scoped_refptr<CRLSet> crl_set =
-        CRLSet::ForTesting(false, &intermediate_spki_hash, "", "", {});
-
-    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
-    intermediates.push_back(bssl::UpRef(intermediate.GetCertBuffer()));
-    scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer(
-        bssl::UpRef(leaf.GetCertBuffer()), std::move(intermediates));
+    scoped_refptr<X509Certificate> cert = leaf->GetX509CertificateChain();
     ASSERT_TRUE(cert.get());
 
     scoped_refptr<X509Certificate> intermediate_cert =
-        X509Certificate::CreateFromBuffer(
-            bssl::UpRef(intermediate.GetCertBuffer()), {});
+        intermediate->GetX509Certificate();
     ASSERT_TRUE(intermediate_cert.get());
 
-    scoped_refptr<X509Certificate> root_cert =
-        X509Certificate::CreateFromBuffer(bssl::UpRef(root.GetCertBuffer()),
-                                          {});
+    scoped_refptr<X509Certificate> root_cert = root->GetX509Certificate();
     ASSERT_TRUE(root_cert.get());
 
     if (!trust_the_intermediate) {
@@ -684,8 +647,9 @@ TEST_P(CertVerifyProcInternalTest, TrustedIntermediateCertWithEVPolicy) {
       ScopedTestRoot scoped_test_root({root_cert});
       CertVerifyResult verify_result;
       int flags = 0;
-      int error = Verify(cert.get(), "policy_test.example", flags,
-                         crl_set.get(), CertificateList(), &verify_result);
+      int error = Verify(cert.get(), "www.example.com", flags,
+                         CRLSet::BuiltinCRLSet().get(), CertificateList(),
+                         &verify_result);
       EXPECT_THAT(error, IsOk());
       ASSERT_TRUE(verify_result.verified_cert);
       // Verified chain should include the intermediate and the root.
@@ -697,8 +661,9 @@ TEST_P(CertVerifyProcInternalTest, TrustedIntermediateCertWithEVPolicy) {
       ScopedTestRoot scoped_test_root({intermediate_cert, root_cert});
       CertVerifyResult verify_result;
       int flags = 0;
-      int error = Verify(cert.get(), "policy_test.example", flags,
-                         crl_set.get(), CertificateList(), &verify_result);
+      int error = Verify(cert.get(), "www.example.com", flags,
+                         CRLSet::BuiltinCRLSet().get(), CertificateList(),
+                         &verify_result);
       EXPECT_THAT(error, IsOk());
       ASSERT_TRUE(verify_result.verified_cert);
       // Verified chain should only go to the trusted intermediate, not the
@@ -865,9 +830,8 @@ TEST_P(CertVerifyProcInternalTest, UnnecessaryInvalidIntermediate) {
   auto events = net_log_observer.GetEntriesForSource(net_log.source());
   EXPECT_FALSE(events.empty());
 
-  auto event = std::find_if(events.begin(), events.end(), [](const auto& e) {
-    return e.type == NetLogEventType::CERT_VERIFY_PROC;
-  });
+  auto event = base::ranges::find(events, NetLogEventType::CERT_VERIFY_PROC,
+                                  &NetLogEntry::type);
   ASSERT_NE(event, events.end());
   EXPECT_EQ(net::NetLogEventPhase::BEGIN, event->phase);
   ASSERT_TRUE(event->params.is_dict());
@@ -876,9 +840,9 @@ TEST_P(CertVerifyProcInternalTest, UnnecessaryInvalidIntermediate) {
   EXPECT_EQ("127.0.0.1", *host);
 
   if (VerifyProcTypeIsBuiltin()) {
-    event = std::find_if(events.begin(), events.end(), [](const auto& e) {
-      return e.type == NetLogEventType::CERT_VERIFY_PROC_INPUT_CERT;
-    });
+    event =
+        base::ranges::find(events, NetLogEventType::CERT_VERIFY_PROC_INPUT_CERT,
+                           &NetLogEntry::type);
     ASSERT_NE(event, events.end());
     EXPECT_EQ(net::NetLogEventPhase::NONE, event->phase);
     ASSERT_TRUE(event->params.is_dict());
@@ -891,7 +855,11 @@ TEST_P(CertVerifyProcInternalTest, UnnecessaryInvalidIntermediate) {
   }
 }
 
-// A regression test for http://crbug.com/31497.
+// A regression test for https://crbug.com/31497: If an intermediate has
+// requireExplicitPolicy in its policyConstraints extension, verification
+// should still succeed as long as some policy is valid for the chain, since
+// Chrome does not specify any required policy as an input to certificate
+// verification (allows anyPolicy).
 TEST_P(CertVerifyProcInternalTest, IntermediateCARequireExplicitPolicy) {
   if (verify_proc_type() == CERT_VERIFY_PROC_ANDROID) {
     // Disabled on Android, as the Android verification libraries require an
@@ -900,28 +868,39 @@ TEST_P(CertVerifyProcInternalTest, IntermediateCARequireExplicitPolicy) {
     return;
   }
 
-  base::FilePath certs_dir = GetTestCertsDirectory();
+  for (bool leaf_has_policy : {false, true}) {
+    SCOPED_TRACE(leaf_has_policy);
 
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
+    std::unique_ptr<CertBuilder> leaf, intermediate, root;
+    CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+    ASSERT_TRUE(leaf && intermediate && root);
 
-  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
-  intermediates.push_back(bssl::UpRef(certs[1]->cert_buffer()));
+    static const char kPolicy1[] = "1.2.3.4";
+    static const char kPolicy2[] = "1.2.3.4.5";
+    static const char kPolicy3[] = "1.2.3.5";
+    intermediate->SetCertificatePolicies({kPolicy1, kPolicy2, kPolicy3});
+    intermediate->SetPolicyConstraints(
+        /*require_explicit_policy=*/0,
+        /*inhibit_policy_mapping=*/absl::nullopt);
 
-  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer(
-      bssl::UpRef(certs[0]->cert_buffer()), std::move(intermediates));
-  ASSERT_TRUE(cert.get());
+    if (leaf_has_policy)
+      leaf->SetCertificatePolicies({kPolicy1});
 
-  ScopedTestRoot scoped_root(certs[2].get());
+    scoped_refptr<X509Certificate> cert = leaf->GetX509CertificateChain();
+    ScopedTestRoot scoped_root(root->GetX509Certificate().get());
 
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error =
-      Verify(cert.get(), "policy_test.example", flags,
-             CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsOk());
-  EXPECT_EQ(0u, verify_result.cert_status);
+    int flags = 0;
+    CertVerifyResult verify_result;
+    int error = Verify(cert.get(), "www.example.com", flags,
+                       CRLSet::BuiltinCRLSet().get(), CertificateList(),
+                       &verify_result);
+    if (leaf_has_policy) {
+      EXPECT_THAT(error, IsOk());
+      EXPECT_EQ(0u, verify_result.cert_status);
+    } else {
+      EXPECT_THAT(error, IsError(ERR_CERT_INVALID));
+    }
+  }
 }
 
 TEST_P(CertVerifyProcInternalTest, RejectExpiredCert) {
@@ -1013,11 +992,6 @@ TEST_P(CertVerifyProcInternalTest, RejectWeakKeys) {
 
 // Regression test for http://crbug.com/108514.
 TEST_P(CertVerifyProcInternalTest, ExtraneousMD5RootCert) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
   if (verify_proc_type() == CERT_VERIFY_PROC_MAC) {
     // Disabled on OS X - Security.framework doesn't ignore superflous
     // certificates provided by servers.
@@ -1099,33 +1073,65 @@ TEST_P(CertVerifyProcInternalTest, GoogleDigiNotarTest) {
 }
 
 TEST_P(CertVerifyProcInternalTest, NameConstraintsOk) {
-  CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
-                                    X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, ca_cert_list.size());
-  ScopedTestRoot test_root(ca_cert_list[0].get());
+  std::unique_ptr<CertBuilder> leaf, root;
+  CertBuilder::CreateSimpleChain(&leaf, &root);
+  ASSERT_TRUE(leaf && root);
 
-  scoped_refptr<X509Certificate> leaf = CreateCertificateChainFromFile(
-      GetTestCertsDirectory(), "name_constraint_good.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_TRUE(leaf);
-  ASSERT_EQ(0U, leaf->intermediate_buffers().size());
+  // Use the private key matching the public_key_hash of the kDomainsTest
+  // constraint in CertVerifyProc::HasNameConstraintsViolation.
+  ASSERT_TRUE(leaf->UseKeyFromFile(
+      GetTestCertsDirectory().AppendASCII("name_constrained_key.pem")));
+  // example.com is allowed by kDomainsTest, and notarealtld is not a known
+  // TLD, so that's allowed too.
+  leaf->SetSubjectAltNames({"test.ExAmPlE.CoM", "example.notarealtld",
+                            "*.test2.ExAmPlE.CoM", "*.example2.notarealtld"},
+                           {});
+
+  ScopedTestRoot test_root(root->GetX509Certificate().get());
+
+  scoped_refptr<X509Certificate> leaf_cert = leaf->GetX509Certificate();
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error =
-      Verify(leaf.get(), "test.example.com", flags,
+      Verify(leaf_cert.get(), "test.example.com", flags,
              CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 
   error =
-      Verify(leaf.get(), "foo.test2.example.com", flags,
+      Verify(leaf_cert.get(), "foo.test2.example.com", flags,
              CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk());
   EXPECT_EQ(0U, verify_result.cert_status);
 }
 
+TEST_P(CertVerifyProcInternalTest, NameConstraintsFailure) {
+  std::unique_ptr<CertBuilder> leaf, root;
+  CertBuilder::CreateSimpleChain(&leaf, &root);
+  ASSERT_TRUE(leaf && root);
+
+  // Use the private key matching the public_key_hash of the kDomainsTest
+  // constraint in CertVerifyProc::HasNameConstraintsViolation.
+  ASSERT_TRUE(leaf->UseKeyFromFile(
+      GetTestCertsDirectory().AppendASCII("name_constrained_key.pem")));
+  // example.com is allowed by kDomainsTest, but example.org is not.
+  leaf->SetSubjectAltNames({"test.ExAmPlE.CoM", "test.ExAmPlE.OrG"}, {});
+
+  ScopedTestRoot test_root(root->GetX509Certificate().get());
+
+  scoped_refptr<X509Certificate> leaf_cert = leaf->GetX509Certificate();
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(leaf_cert.get(), "test.example.com", flags,
+             CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
+  EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION));
+  EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
+            verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
+}
+
 // This fixture is for testing the verification of a certificate chain which
 // has some sort of mismatched signature algorithm (i.e.
 // Certificate.signatureAlgorithm and TBSCertificate.algorithm are different).
@@ -1194,8 +1200,8 @@ class CertVerifyProcInspectSignatureAlgorithmsTest : public ::testing::Test {
   // Manufactures a certificate chain where each certificate has the indicated
   // signature algorithms, and then returns the result of verifying this chain.
   //
-  // TODO(eroman): Instead of building certificates at runtime, move their
-  //               generation to external scripts.
+  // TODO(mattm): Replace the custom cert mangling code in this test with
+  // CertBuilder.
   [[nodiscard]] int VerifyChain(const std::vector<CertParams>& chain_params) {
     auto chain = CreateChain(chain_params);
     if (!chain) {
@@ -1210,7 +1216,7 @@ class CertVerifyProcInspectSignatureAlgorithmsTest : public ::testing::Test {
     auto verify_proc = base::MakeRefCounted<MockCertVerifyProc>(dummy_result);
 
     return verify_proc->Verify(
-        chain.get(), "test.example.com", /*ocsp_response=*/std::string(),
+        chain.get(), "127.0.0.1", /*ocsp_response=*/std::string(),
         /*sct_list=*/std::string(), flags, CRLSet::BuiltinCRLSet().get(),
         CertificateList(), &verify_result, NetLogWithSource());
   }
@@ -1293,7 +1299,7 @@ class CertVerifyProcInspectSignatureAlgorithmsTest : public ::testing::Test {
     // Dosn't really matter which base certificate is used, so long as it is
     // valid and uses a signature AlgorithmIdentifier with the same encoded
     // length as sha1WithRSASignature.
-    const char* kLeafFilename = "name_constraint_good.pem";
+    const char* kLeafFilename = "ok_cert.pem";
 
     auto cert = CreateCertificateChainFromFile(
         GetTestCertsDirectory(), kLeafFilename, X509Certificate::FORMAT_AUTO);
@@ -1484,37 +1490,6 @@ TEST_F(CertVerifyProcInspectSignatureAlgorithmsTest, RootUnknownSha256) {
   ASSERT_THAT(rv, IsOk());
 }
 
-TEST_P(CertVerifyProcInternalTest, NameConstraintsFailure) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
-  CertificateList ca_cert_list =
-      CreateCertificateListFromFile(GetTestCertsDirectory(), "root_ca_cert.pem",
-                                    X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, ca_cert_list.size());
-  ScopedTestRoot test_root(ca_cert_list[0].get());
-
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "name_constraint_bad.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-
-  scoped_refptr<X509Certificate> leaf = X509Certificate::CreateFromBuffer(
-      bssl::UpRef(cert_list[0]->cert_buffer()), {});
-  ASSERT_TRUE(leaf);
-
-  int flags = 0;
-  CertVerifyResult verify_result;
-  int error =
-      Verify(leaf.get(), "test.example.com", flags,
-             CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
-  EXPECT_THAT(error, IsError(ERR_CERT_NAME_CONSTRAINT_VIOLATION));
-  EXPECT_EQ(CERT_STATUS_NAME_CONSTRAINT_VIOLATION,
-            verify_result.cert_status & CERT_STATUS_NAME_CONSTRAINT_VIOLATION);
-}
-
 TEST(CertVerifyProcTest, TestHasTooLongValidity) {
   struct {
     const char* const file;
@@ -1621,16 +1596,16 @@ TEST(CertVerifyProcTest, VerifyCertValidityTooLong) {
 TEST_P(CertVerifyProcInternalTest, TestKnownRoot) {
   base::FilePath certs_dir = GetTestCertsDirectory();
   scoped_refptr<X509Certificate> cert_chain = CreateCertificateChainFromFile(
-      certs_dir, "thepaverbros.com.pem", X509Certificate::FORMAT_AUTO);
+      certs_dir, "caninesonduty.com.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_TRUE(cert_chain);
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error =
-      Verify(cert_chain.get(), "thepaverbros.com", flags,
+      Verify(cert_chain.get(), "caninesonduty.com", flags,
              CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
   EXPECT_THAT(error, IsOk()) << "This test relies on a real certificate that "
-                             << "expires on Mar 26, 2023. If failing on/after "
+                             << "expires on Nov 6 2023. If failing on/after "
                              << "that date, please disable and file a bug "
                              << "against mattm.";
   EXPECT_TRUE(verify_result.is_issued_by_known_root);
@@ -1651,11 +1626,6 @@ TEST_P(CertVerifyProcInternalTest, TestKnownRoot) {
 // CertVerifyResult::public_key_hashes is filled with a SHA256 hash for each
 // of the certificates in the chain.
 TEST_P(CertVerifyProcInternalTest, PublicKeyHashes) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
@@ -1760,27 +1730,30 @@ TEST_P(CertVerifyProcInternalTest, MAYBE_WrongKeyPurpose) {
 // serverAuth EKU.
 // TODO(crbug.com/843735): Deprecate support for this.
 TEST_P(CertVerifyProcInternalTest, Sha1IntermediateUsesServerGatedCrypto) {
-  base::FilePath certs_dir =
-      GetTestNetDataDirectory()
-          .AppendASCII("verify_certificate_chain_unittest")
-          .AppendASCII("intermediate-eku-server-gated-crypto");
-
-  scoped_refptr<X509Certificate> cert_chain = CreateCertificateChainFromFile(
-      certs_dir, "sha1-chain.pem", X509Certificate::FORMAT_AUTO);
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
 
-  ASSERT_TRUE(cert_chain);
-  ASSERT_FALSE(cert_chain->intermediate_buffers().empty());
+  root->GenerateRSAKey();
+  root->SetSignatureAlgorithm(SignatureAlgorithm::kRsaPkcs1Sha1);
 
-  auto root = X509Certificate::CreateFromBuffer(
-      bssl::UpRef(cert_chain->intermediate_buffers().back().get()), {});
+  intermediate->SetExtendedKeyUsages({der::Input(kNetscapeServerGatedCrypto)});
+  intermediate->SetSignatureAlgorithm(SignatureAlgorithm::kRsaPkcs1Sha1);
 
-  ScopedTestRoot scoped_root(root.get());
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
 
   int flags = 0;
   CertVerifyResult verify_result;
-  int error =
-      Verify(cert_chain.get(), "test.example", flags,
-             CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
+  // The cert chain including the root is passed to Verify, as on recent
+  // Android versions (something like 11+) the verifier fails on SHA1 certs and
+  // then the CertVerifyProc wrapper just returns the input chain, which this
+  // test then depends on for its expectations. (This is all kind of silly, but
+  // this is just matching how the test was originally written, and we'll
+  // delete this sometime soon anyway so there's not much benefit to thinking
+  // about it too hard.)
+  int error = Verify(leaf->GetX509CertificateFullChain().get(),
+                     "www.example.com", flags, CRLSet::BuiltinCRLSet().get(),
+                     CertificateList(), &verify_result);
 
   if (AreSHA1IntermediatesAllowed()) {
     EXPECT_THAT(error, IsOk());
@@ -1800,11 +1773,6 @@ TEST_P(CertVerifyProcInternalTest, Sha1IntermediateUsesServerGatedCrypto) {
 // used to ensure that the actual, verified chain is being returned by
 // Verify().
 TEST_P(CertVerifyProcInternalTest, VerifyReturnChainBasic) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
@@ -1850,11 +1818,13 @@ TEST_P(CertVerifyProcInternalTest, VerifyReturnChainBasic) {
 // CAs are flagged appropriately, while certificates that are issued by
 // internal CAs are not flagged.
 TEST(CertVerifyProcTest, IntranetHostsRejected) {
-  CertificateList cert_list = CreateCertificateListFromFile(
-      GetTestCertsDirectory(), "reject_intranet_hosts.pem",
-      X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(1U, cert_list.size());
-  scoped_refptr<X509Certificate> cert(cert_list[0]);
+  const std::string kIntranetHostname = "webmail";
+
+  std::unique_ptr<CertBuilder> leaf, root;
+  CertBuilder::CreateSimpleChain(&leaf, &root);
+  leaf->SetSubjectAltName(kIntranetHostname);
+
+  scoped_refptr<X509Certificate> cert(leaf->GetX509Certificate());
 
   CertVerifyResult verify_result;
   int error = 0;
@@ -1864,7 +1834,7 @@ TEST(CertVerifyProcTest, IntranetHostsRejected) {
   dummy_result.is_issued_by_known_root = true;
   auto verify_proc = base::MakeRefCounted<MockCertVerifyProc>(dummy_result);
   error = verify_proc->Verify(
-      cert.get(), "webmail", /*ocsp_response=*/std::string(),
+      cert.get(), kIntranetHostname, /*ocsp_response=*/std::string(),
       /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
       CertificateList(), &verify_result, NetLogWithSource());
   EXPECT_THAT(error, IsOk());
@@ -1875,7 +1845,7 @@ TEST(CertVerifyProcTest, IntranetHostsRejected) {
   dummy_result.is_issued_by_known_root = false;
   verify_proc = base::MakeRefCounted<MockCertVerifyProc>(dummy_result);
   error = verify_proc->Verify(
-      cert.get(), "webmail", /*ocsp_response=*/std::string(),
+      cert.get(), kIntranetHostname, /*ocsp_response=*/std::string(),
       /*sct_list=*/std::string(), 0, CRLSet::BuiltinCRLSet().get(),
       CertificateList(), &verify_result, NetLogWithSource());
   EXPECT_THAT(error, IsOk());
@@ -2014,11 +1984,6 @@ TEST(CertVerifyProcTest, SymantecCertsRejected) {
 // of intermediate certificates are combined, it's possible that order may
 // not be maintained.
 TEST_P(CertVerifyProcInternalTest, VerifyReturnChainProperlyOrdered) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
@@ -2061,11 +2026,6 @@ TEST_P(CertVerifyProcInternalTest, VerifyReturnChainProperlyOrdered) {
 // Test that Verify() filters out certificates which are not related to
 // or part of the certificate chain being verified.
 TEST_P(CertVerifyProcInternalTest, VerifyReturnChainFiltersUnrelatedCerts) {
-  if (!SupportsReturningVerifiedChain()) {
-    LOG(INFO) << "Skipping this test in this platform.";
-    return;
-  }
-
   base::FilePath certs_dir = GetTestCertsDirectory();
   CertificateList certs = CreateCertificateListFromFile(
       certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
@@ -2806,31 +2766,30 @@ TEST_P(CertVerifyProcInternalTest, ValidityJustAfterNotAfter) {
 }
 
 TEST_P(CertVerifyProcInternalTest, FailedIntermediateSignatureValidation) {
-  base::FilePath certs_dir =
-      GetTestNetDataDirectory()
-          .AppendASCII("verify_certificate_chain_unittest")
-          .AppendASCII(
-              "intermediate-wrong-signature-no-authority-key-identifier");
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
 
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
+  // Intermediate has no authorityKeyIdentifier. Also remove
+  // subjectKeyIdentifier from root for good measure.
+  intermediate->EraseExtension(der::Input(kAuthorityKeyIdentifierOid));
+  root->EraseExtension(der::Input(kSubjectKeyIdentifierOid));
 
-  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
-  intermediates.push_back(bssl::UpRef(certs[1]->cert_buffer()));
+  // Get the chain with the leaf and the intermediate signed by the original
+  // key of |root|.
+  scoped_refptr<X509Certificate> cert = leaf->GetX509CertificateChain();
 
-  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer(
-      bssl::UpRef(certs[0]->cert_buffer()), std::move(intermediates));
-  ASSERT_TRUE(cert.get());
+  // Generate a new key for root.
+  root->GenerateECKey();
 
-  // Trust the root certificate.
-  ScopedTestRoot scoped_root(certs.back().get());
+  // Trust the new root certificate.
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error =
-      Verify(cert.get(), "test.example", flags, CRLSet::BuiltinCRLSet().get(),
-             CertificateList(), &verify_result);
+      Verify(cert.get(), "www.example.com", flags,
+             CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
 
   // The intermediate was signed by a different root with a different key but
   // with the same name as the trusted one, and the intermediate has no
@@ -2841,30 +2800,38 @@ TEST_P(CertVerifyProcInternalTest, FailedIntermediateSignatureValidation) {
 }
 
 TEST_P(CertVerifyProcInternalTest, FailedTargetSignatureValidation) {
-  base::FilePath certs_dir =
-      GetTestNetDataDirectory()
-          .AppendASCII("verify_certificate_chain_unittest")
-          .AppendASCII("target-wrong-signature-no-authority-key-identifier");
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
 
-  CertificateList certs = CreateCertificateListFromFile(
-      certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, certs.size());
+  // Leaf has no authorityKeyIdentifier. Also remove subjectKeyIdentifier from
+  // intermediate for good measure.
+  leaf->EraseExtension(der::Input(kAuthorityKeyIdentifierOid));
+  intermediate->EraseExtension(der::Input(kSubjectKeyIdentifierOid));
+
+  // Get a copy of the leaf signed by the original key of intermediate.
+  bssl::UniquePtr<CRYPTO_BUFFER> leaf_wrong_signature = leaf->DupCertBuffer();
 
+  // Generate a new key for intermediate.
+  intermediate->GenerateECKey();
+
+  // Make a chain that includes the original leaf with the wrong signature and
+  // the new intermediate.
   std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
-  intermediates.push_back(bssl::UpRef(certs[1]->cert_buffer()));
+  intermediates.push_back(intermediate->DupCertBuffer());
 
   scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer(
-      bssl::UpRef(certs[0]->cert_buffer()), std::move(intermediates));
+      bssl::UpRef(leaf_wrong_signature), std::move(intermediates));
   ASSERT_TRUE(cert.get());
 
   // Trust the root certificate.
-  ScopedTestRoot scoped_root(certs.back().get());
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error =
-      Verify(cert.get(), "test.example", flags, CRLSet::BuiltinCRLSet().get(),
-             CertificateList(), &verify_result);
+      Verify(cert.get(), "www.example.com", flags,
+             CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
 
   // The leaf was signed by a different intermediate with a different key but
   // with the same name as the one in the chain, and the leaf has no
@@ -2876,15 +2843,6 @@ TEST_P(CertVerifyProcInternalTest, FailedTargetSignatureValidation) {
 
 class CertVerifyProcNameNormalizationTest : public CertVerifyProcInternalTest {
  protected:
-  void SetUp() override {
-    CertVerifyProcInternalTest::SetUp();
-
-    scoped_refptr<X509Certificate> root_cert =
-        ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem");
-    ASSERT_TRUE(root_cert);
-    test_root_ = std::make_unique<ScopedTestRoot>(root_cert.get());
-  }
-
   std::string HistogramName() const {
     std::string prefix("Net.CertVerifier.NameNormalizationPrivateRoots.");
     switch (verify_proc_type()) {
@@ -2919,7 +2877,6 @@ class CertVerifyProcNameNormalizationTest : public CertVerifyProcInternalTest {
   }
 
  private:
-  std::unique_ptr<ScopedTestRoot> test_root_;
   base::HistogramTester histograms_;
 };
 
@@ -2932,24 +2889,31 @@ INSTANTIATE_TEST_SUITE_P(All,
 // the intermediate's subject CN is UTF8String, and verifies the proper
 // histogram is logged.
 TEST_P(CertVerifyProcNameNormalizationTest, StringType) {
-  scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile(
-      GetTestCertsDirectory(), "name-normalization-printable-utf8.pem",
-      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
-  ASSERT_TRUE(chain);
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  std::string issuer_cn = CertBuilder::MakeRandomHexString(12);
+  leaf->SetIssuerTLV(CertBuilder::BuildNameWithCommonNameOfType(
+      issuer_cn, CBS_ASN1_PRINTABLESTRING));
+  intermediate->SetSubjectTLV(CertBuilder::BuildNameWithCommonNameOfType(
+      issuer_cn, CBS_ASN1_UTF8STRING));
+
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error =
-      Verify(chain.get(), "example.test", flags, CRLSet::BuiltinCRLSet().get(),
-             CertificateList(), &verify_result);
+      Verify(leaf->GetX509CertificateChain().get(), "www.example.com", flags,
+             CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
 
   switch (verify_proc_type()) {
     case CERT_VERIFY_PROC_IOS:
     case CERT_VERIFY_PROC_MAC:
-    case CERT_VERIFY_PROC_WIN:
       EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
       break;
     case CERT_VERIFY_PROC_ANDROID:
+    case CERT_VERIFY_PROC_WIN:
     case CERT_VERIFY_PROC_BUILTIN:
     case CERT_VERIFY_PROC_BUILTIN_CHROME_ROOTS:
       EXPECT_THAT(error, IsOk());
@@ -2963,52 +2927,62 @@ TEST_P(CertVerifyProcNameNormalizationTest, StringType) {
 // subject CN are both PrintableString but have differing case on the first
 // character, and verifies the proper histogram is logged.
 TEST_P(CertVerifyProcNameNormalizationTest, CaseFolding) {
-  scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile(
-      GetTestCertsDirectory(), "name-normalization-case-folding.pem",
-      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
-  ASSERT_TRUE(chain);
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  std::string issuer_hex = CertBuilder::MakeRandomHexString(12);
+  leaf->SetIssuerTLV(CertBuilder::BuildNameWithCommonNameOfType(
+      "Z" + issuer_hex, CBS_ASN1_PRINTABLESTRING));
+  intermediate->SetSubjectTLV(CertBuilder::BuildNameWithCommonNameOfType(
+      "z" + issuer_hex, CBS_ASN1_PRINTABLESTRING));
+
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error =
-      Verify(chain.get(), "example.test", flags, CRLSet::BuiltinCRLSet().get(),
-             CertificateList(), &verify_result);
-
-  switch (verify_proc_type()) {
-    case CERT_VERIFY_PROC_WIN:
-      EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
-      break;
-    case CERT_VERIFY_PROC_ANDROID:
-    case CERT_VERIFY_PROC_IOS:
-    case CERT_VERIFY_PROC_MAC:
-    case CERT_VERIFY_PROC_BUILTIN:
-    case CERT_VERIFY_PROC_BUILTIN_CHROME_ROOTS:
-      EXPECT_THAT(error, IsOk());
-      break;
-  }
+      Verify(leaf->GetX509CertificateChain().get(), "www.example.com", flags,
+             CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
 
+  EXPECT_THAT(error, IsOk());
   ExpectNormalizationHistogram(error);
 }
 
-// Confirms that a chain generated by the generate-name-normalization-certs.py
-// script which does not require normalization validates ok, and that the
-// ByteEqual histogram is logged.
+// Confirms that a chain generated by the same pattern as the other
+// NameNormalizationTest cases which does not require normalization validates
+// ok, and that the ByteEqual histogram is logged.
 TEST_P(CertVerifyProcNameNormalizationTest, ByteEqual) {
-  scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile(
-      GetTestCertsDirectory(), "name-normalization-byteequal.pem",
-      X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
-  ASSERT_TRUE(chain);
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
+
+  std::string issuer_hex = CertBuilder::MakeRandomHexString(12);
+  leaf->SetIssuerTLV(CertBuilder::BuildNameWithCommonNameOfType(
+      issuer_hex, CBS_ASN1_PRINTABLESTRING));
+  intermediate->SetSubjectTLV(CertBuilder::BuildNameWithCommonNameOfType(
+      issuer_hex, CBS_ASN1_PRINTABLESTRING));
+
+  ScopedTestRoot scoped_root(root->GetX509Certificate().get());
 
   int flags = 0;
   CertVerifyResult verify_result;
   int error =
-      Verify(chain.get(), "example.test", flags, CRLSet::BuiltinCRLSet().get(),
-             CertificateList(), &verify_result);
+      Verify(leaf->GetX509CertificateChain().get(), "www.example.com", flags,
+             CRLSet::BuiltinCRLSet().get(), CertificateList(), &verify_result);
 
   EXPECT_THAT(error, IsOk());
   ExpectByteEqualHistogram();
 }
 
+std::string Md5WithRSAEncryption() {
+  const uint8_t kMd5WithRSAEncryption[] = {0x30, 0x0d, 0x06, 0x09, 0x2a,
+                                           0x86, 0x48, 0x86, 0xf7, 0x0d,
+                                           0x01, 0x01, 0x04, 0x05, 0x00};
+  return std::string(std::begin(kMd5WithRSAEncryption),
+                     std::end(kMd5WithRSAEncryption));
+}
+
 // This is the same as CertVerifyProcInternalTest, but it additionally sets up
 // networking capabilities for the cert verifiers, and a test server that can be
 // used to serve mock responses for AIA/OCSP/CRL.
@@ -3138,6 +3112,19 @@ class CertVerifyProcInternalWithNetFetchingTest
                                            "application/pkix-crl", crl);
   }
 
+  GURL CreateAndServeCrlWithAlgorithmTlvAndDigest(
+      CertBuilder* crl_issuer,
+      const std::vector<uint64_t>& revoked_serials,
+      const std::string& signature_algorithm_tlv,
+      const EVP_MD* digest) {
+    std::string crl = BuildCrlWithAlgorithmTlvAndDigest(
+        crl_issuer->GetSubject(), crl_issuer->GetKey(), revoked_serials,
+        signature_algorithm_tlv, digest);
+    std::string crl_path = MakeRandomPath(".crl");
+    return RegisterSimpleTestServerHandler(crl_path, HTTP_OK,
+                                           "application/pkix-crl", crl);
+  }
+
  private:
   std::unique_ptr<test_server::HttpResponse> DispatchToRequestHandler(
       const test_server::HttpRequest& request) {
@@ -3230,7 +3217,8 @@ INSTANTIATE_TEST_SUITE_P(All,
 #else
 #define MAYBE_IntermediateFromAia404 IntermediateFromAia404
 #endif
-TEST_P(CertVerifyProcInternalWithNetFetchingTest, MAYBE_IntermediateFromAia404) {
+TEST_P(CertVerifyProcInternalWithNetFetchingTest,
+       MAYBE_IntermediateFromAia404) {
   const char kHostname[] = "www.example.com";
 
   // Create a chain where the leaf has an AIA that points to test server.
@@ -3431,47 +3419,32 @@ TEST_P(CertVerifyProcInternalWithNetFetchingTest,
        Sha1IntermediateButAIAHasSha256) {
   const char kHostname[] = "www.example.com";
 
-  base::FilePath certs_dir =
-      GetTestNetDataDirectory()
-          .AppendASCII("verify_certificate_chain_unittest")
-          .AppendASCII("target-and-intermediate");
-
-  CertificateList orig_certs = CreateCertificateListFromFile(
-      certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3U, orig_certs.size());
-
-  // Build slightly modified variants of |orig_certs|.
-  CertBuilder root(orig_certs[2]->cert_buffer(), nullptr);
-  root.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
-  root.GenerateECKey();
-  CertBuilder intermediate(orig_certs[1]->cert_buffer(), &root);
-  intermediate.GenerateECKey();
-  CertBuilder leaf(orig_certs[0]->cert_buffer(), &intermediate);
-  leaf.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
-  leaf.GenerateECKey();
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
 
   // Make the leaf certificate have an AIA (CA Issuers) that points to the
   // embedded test server. This uses a random URL for predictable behavior in
   // the presence of global caching.
   std::string ca_issuers_path = MakeRandomPath(".cer");
   GURL ca_issuers_url = GetTestServerAbsoluteUrl(ca_issuers_path);
-  leaf.SetCaIssuersUrl(ca_issuers_url);
-  leaf.SetSubjectAltName(kHostname);
+  leaf->SetCaIssuersUrl(ca_issuers_url);
+  leaf->SetSubjectAltName(kHostname);
 
   // Make two versions of the intermediate - one that is SHA256 signed, and one
   // that is SHA1 signed. Note that the subjectKeyIdentifier for `intermediate`
   // is intentionally not changed, so that path building will consider both
   // certificate paths.
-  intermediate.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
-  intermediate.SetRandomSerialNumber();
-  auto intermediate_sha256 = intermediate.DupCertBuffer();
+  intermediate->SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
+  intermediate->SetRandomSerialNumber();
+  auto intermediate_sha256 = intermediate->DupCertBuffer();
 
-  intermediate.SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha1);
-  intermediate.SetRandomSerialNumber();
-  auto intermediate_sha1 = intermediate.DupCertBuffer();
+  intermediate->SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha1);
+  intermediate->SetRandomSerialNumber();
+  auto intermediate_sha1 = intermediate->DupCertBuffer();
 
   // Trust the root certificate.
-  auto root_cert = root.GetX509Certificate();
+  auto root_cert = root->GetX509Certificate();
   ScopedTestRoot scoped_root(root_cert.get());
 
   // Setup the test server to reply with the SHA256 intermediate.
@@ -3484,7 +3457,7 @@ TEST_P(CertVerifyProcInternalWithNetFetchingTest,
   std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
   intermediates.push_back(bssl::UpRef(intermediate_sha1.get()));
   scoped_refptr<X509Certificate> chain_sha1 = X509Certificate::CreateFromBuffer(
-      leaf.DupCertBuffer(), std::move(intermediates));
+      leaf->DupCertBuffer(), std::move(intermediates));
   ASSERT_TRUE(chain_sha1.get());
 
   const int flags = 0;
@@ -4068,9 +4041,9 @@ TEST_P(CertVerifyProcInternalWithNetFetchingTest,
 
   // Leaf is revoked by intermediate issued CRL which is signed with
   // md5WithRSAEncryption.
-  leaf->SetCrlDistributionPointUrl(
-      CreateAndServeCrl(intermediate.get(), {leaf->GetSerialNumber()},
-                        SignatureAlgorithm::kRsaPkcs1Md5));
+  leaf->SetCrlDistributionPointUrl(CreateAndServeCrlWithAlgorithmTlvAndDigest(
+      intermediate.get(), {leaf->GetSerialNumber()}, Md5WithRSAEncryption(),
+      EVP_md5()));
 
   // Trust the root and build a chain to verify that includes the intermediate.
   ScopedTestRoot scoped_root(root->GetX509Certificate().get());
diff --git a/chromium/net/cert/cert_verify_proc_win.cc b/chromium/net/cert/cert_verify_proc_win.cc
index 9d767d0e216..d6c165fba6a 100644
--- a/chromium/net/cert/cert_verify_proc_win.cc
+++ b/chromium/net/cert/cert_verify_proc_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -286,7 +286,7 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
               const_cast<PCERT_CONTEXT>(cert),
               CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT,
               const_cast<PCERT_CONTEXT>(issuer), 0, nullptr)) {
-        verify_result->cert_status |= CERT_STATUS_INVALID;
+        verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
         break;
       }
     }
diff --git a/chromium/net/cert/cert_verify_proc_win.h b/chromium/net/cert/cert_verify_proc_win.h
index d79c788b6cd..eee4c6eb812 100644
--- a/chromium/net/cert/cert_verify_proc_win.h
+++ b/chromium/net/cert/cert_verify_proc_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_proc_win_unittest.cc b/chromium/net/cert/cert_verify_proc_win_unittest.cc
index 7f5d3f4e38b..b54b1ff7311 100644
--- a/chromium/net/cert/cert_verify_proc_win_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_result.cc b/chromium/net/cert/cert_verify_result.cc
index 6126e3655c0..13d00cde1a8 100644
--- a/chromium/net/cert/cert_verify_result.cc
+++ b/chromium/net/cert/cert_verify_result.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/cert_verify_result.h b/chromium/net/cert/cert_verify_result.h
index 82164642b01..669de12f282 100644
--- a/chromium/net/cert/cert_verify_result.h
+++ b/chromium/net/cert/cert_verify_result.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/client_cert_verifier.h b/chromium/net/cert/client_cert_verifier.h
index b29d61875ba..def4cec57f7 100644
--- a/chromium/net/cert/client_cert_verifier.h
+++ b/chromium/net/cert/client_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/coalescing_cert_verifier.cc b/chromium/net/cert/coalescing_cert_verifier.cc
index a8878f0e5ed..ed1bc1860c3 100644
--- a/chromium/net/cert/coalescing_cert_verifier.cc
+++ b/chromium/net/cert/coalescing_cert_verifier.cc
@@ -1,17 +1,16 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/coalescing_cert_verifier.h"
 
-#include <algorithm>
-
 #include "base/bind.h"
 #include "base/containers/linked_list.h"
 #include "base/containers/unique_ptr_adapters.h"
 #include "base/memory/raw_ptr.h"
 #include "base/memory/weak_ptr.h"
 #include "base/metrics/histogram_macros.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/time/time.h"
 #include "net/base/net_errors.h"
@@ -452,8 +451,8 @@ void CoalescingCertVerifier::RemoveJob(Job* job) {
   }
 
   // Otherwise, it MUST have been a job from a previous generation.
-  auto inflight_it = std::find_if(inflight_jobs_.begin(), inflight_jobs_.end(),
-                                  base::MatchesUniquePtr(job));
+  auto inflight_it =
+      base::ranges::find_if(inflight_jobs_, base::MatchesUniquePtr(job));
   DCHECK(inflight_it != inflight_jobs_.end());
   inflight_jobs_.erase(inflight_it);
   return;
diff --git a/chromium/net/cert/coalescing_cert_verifier.h b/chromium/net/cert/coalescing_cert_verifier.h
index 1625a86b76e..2135e692c71 100644
--- a/chromium/net/cert/coalescing_cert_verifier.h
+++ b/chromium/net/cert/coalescing_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/coalescing_cert_verifier_unittest.cc b/chromium/net/cert/coalescing_cert_verifier_unittest.cc
index 124444bcfcc..ab5f647bc40 100644
--- a/chromium/net/cert/coalescing_cert_verifier_unittest.cc
+++ b/chromium/net/cert/coalescing_cert_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/crl_set.cc b/chromium/net/cert/crl_set.cc
index d60b386396f..e7d5066cbcf 100644
--- a/chromium/net/cert/crl_set.cc
+++ b/chromium/net/cert/crl_set.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -65,7 +65,7 @@ std::unique_ptr<base::Value> ReadHeader(base::StringPiece* data) {
   if (data->size() < header_len)
     return nullptr;
 
-  const base::StringPiece header_bytes(data->data(), header_len);
+  const base::StringPiece header_bytes = data->substr(0, header_len);
   data->remove_prefix(header_len);
 
   std::unique_ptr<base::Value> header = base::JSONReader::ReadDeprecated(
@@ -87,7 +87,7 @@ bool ReadCRL(base::StringPiece* data,
              std::vector<std::string>* out_serials) {
   if (data->size() < crypto::kSHA256Length)
     return false;
-  out_parent_spki_hash->assign(data->data(), crypto::kSHA256Length);
+  *out_parent_spki_hash = std::string(data->substr(0, crypto::kSHA256Length));
   data->remove_prefix(crypto::kSHA256Length);
 
   uint32_t num_serials;
@@ -106,14 +106,14 @@ bool ReadCRL(base::StringPiece* data,
     if (data->size() < sizeof(uint8_t))
       return false;
 
-    uint8_t serial_length = data->data()[0];
+    uint8_t serial_length = (*data)[0];
     data->remove_prefix(sizeof(uint8_t));
 
     if (data->size() < serial_length)
       return false;
 
     out_serials->push_back(std::string());
-    out_serials->back().assign(data->data(), serial_length);
+    out_serials->back() = std::string(data->substr(0, serial_length));
     data->remove_prefix(serial_length);
   }
 
@@ -303,15 +303,15 @@ bool CRLSet::ParseAndStoreUnparsedData(std::string data,
   return true;
 }
 
-CRLSet::Result CRLSet::CheckSPKI(const base::StringPiece& spki_hash) const {
+CRLSet::Result CRLSet::CheckSPKI(base::StringPiece spki_hash) const {
   if (std::binary_search(blocked_spkis_.begin(), blocked_spkis_.end(),
                          spki_hash))
     return REVOKED;
   return GOOD;
 }
 
-CRLSet::Result CRLSet::CheckSubject(const base::StringPiece& encoded_subject,
-                                    const base::StringPiece& spki_hash) const {
+CRLSet::Result CRLSet::CheckSubject(base::StringPiece encoded_subject,
+                                    base::StringPiece spki_hash) const {
   const std::string digest(crypto::SHA256HashString(encoded_subject));
   const auto i = limited_subjects_.find(digest);
   if (i == limited_subjects_.end()) {
@@ -327,9 +327,8 @@ CRLSet::Result CRLSet::CheckSubject(const base::StringPiece& encoded_subject,
   return REVOKED;
 }
 
-CRLSet::Result CRLSet::CheckSerial(
-    const base::StringPiece& serial_number,
-    const base::StringPiece& issuer_spki_hash) const {
+CRLSet::Result CRLSet::CheckSerial(base::StringPiece serial_number,
+                                   base::StringPiece issuer_spki_hash) const {
   base::StringPiece serial(serial_number);
 
   if (!serial.empty() && (serial[0] & 0x80) != 0) {
@@ -403,9 +402,9 @@ scoped_refptr<CRLSet> CRLSet::ExpiredCRLSetForTesting() {
 scoped_refptr<CRLSet> CRLSet::ForTesting(
     bool is_expired,
     const SHA256HashValue* issuer_spki,
-    const std::string& serial_number,
-    const std::string utf8_common_name,
-    const std::vector<std::string> acceptable_spki_hashes_for_cn) {
+    base::StringPiece serial_number,
+    base::StringPiece utf8_common_name,
+    const std::vector<std::string>& acceptable_spki_hashes_for_cn) {
   std::string subject_hash;
   if (!utf8_common_name.empty()) {
     CBB cbb, top_level, set, inner_seq, oid, cn;
@@ -445,7 +444,7 @@ scoped_refptr<CRLSet> CRLSet::ForTesting(
                            sizeof(issuer_spki->data));
     std::vector<std::string> serials;
     if (!serial_number.empty()) {
-      serials.push_back(serial_number);
+      serials.push_back(std::string(serial_number));
       // |serial_number| is in DER-encoded form, which means it may have a
       // leading 0x00 to indicate it is a positive INTEGER. CRLSets are stored
       // without these leading 0x00, as handled in CheckSerial(), so remove
diff --git a/chromium/net/cert/crl_set.h b/chromium/net/cert/crl_set.h
index b629ea46afd..e504c332cf9 100644
--- a/chromium/net/cert/crl_set.h
+++ b/chromium/net/cert/crl_set.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -23,7 +23,6 @@ namespace net {
 // A CRLSet is a structure that lists the serial numbers of revoked
 // certificates from a number of issuers where issuers are identified by the
 // SHA256 of their SubjectPublicKeyInfo.
-// CRLSetStorage is responsible for creating CRLSet instances.
 class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
  public:
   enum Result {
@@ -41,7 +40,7 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
 
   // CheckSPKI checks whether the given SPKI has been listed as blocked.
   //   spki_hash: the SHA256 of the SubjectPublicKeyInfo of the certificate.
-  Result CheckSPKI(const base::StringPiece& spki_hash) const;
+  Result CheckSPKI(base::StringPiece spki_hash) const;
 
   // CheckSerial returns the information contained in the set for a given
   // certificate:
@@ -49,14 +48,14 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
   //       value
   //   issuer_spki_hash: the SHA256 of the SubjectPublicKeyInfo of the CRL
   //       signer
-  Result CheckSerial(const base::StringPiece& serial_number,
-                     const base::StringPiece& issuer_spki_hash) const;
+  Result CheckSerial(base::StringPiece serial_number,
+                     base::StringPiece issuer_spki_hash) const;
 
   // CheckSubject returns the information contained in the set for a given,
-  // encoded subject name and SPKI hash. The subject name is encoded as a DER
-  // X.501 Name (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4).
-  Result CheckSubject(const base::StringPiece& asn1_subject,
-                      const base::StringPiece& spki_hash) const;
+  // encoded subject name and SPKI SHA-256 hash. The subject name is encoded as
+  // a DER X.501 Name (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4).
+  Result CheckSubject(base::StringPiece asn1_subject,
+                      base::StringPiece spki_hash) const;
 
   // Returns true if |spki_hash|, the SHA256 of the SubjectPublicKeyInfo,
   // is known to be used for interception by a party other than the device
@@ -76,7 +75,7 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
 
   // CRLList contains a map of (issuer SPKI hash, revoked serial numbers)
   // pairs.
-  typedef std::unordered_map<std::string, std::vector<std::string>> CRLList;
+  using CRLList = std::unordered_map<std::string, std::vector<std::string>>;
 
   // crls returns the internal state of this CRLSet. It should only be used in
   // testing.
@@ -104,9 +103,9 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
   static scoped_refptr<CRLSet> ForTesting(
       bool is_expired,
       const SHA256HashValue* issuer_spki,
-      const std::string& serial_number,
-      const std::string utf8_common_name,
-      const std::vector<std::string> acceptable_spki_hashes_for_cn);
+      base::StringPiece serial_number,
+      base::StringPiece utf8_common_name,
+      const std::vector<std::string>& acceptable_spki_hashes_for_cn);
 
  private:
   CRLSet();
diff --git a/chromium/net/cert/crl_set_fuzzer.cc b/chromium/net/cert/crl_set_fuzzer.cc
index 9461db4c790..75f3f2f5616 100644
--- a/chromium/net/cert/crl_set_fuzzer.cc
+++ b/chromium/net/cert/crl_set_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/crl_set_unittest.cc b/chromium/net/cert/crl_set_unittest.cc
index bec0d8b56c0..11c20675543 100644
--- a/chromium/net/cert/crl_set_unittest.cc
+++ b/chromium/net/cert/crl_set_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_response_parser.cc b/chromium/net/cert/ct_log_response_parser.cc
index 614a56b252f..ffe55eac09e 100644
--- a/chromium/net/cert/ct_log_response_parser.cc
+++ b/chromium/net/cert/ct_log_response_parser.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_response_parser.h b/chromium/net/cert/ct_log_response_parser.h
index c5ece4ef53a..eb31c91c80c 100644
--- a/chromium/net/cert/ct_log_response_parser.h
+++ b/chromium/net/cert/ct_log_response_parser.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_response_parser_unittest.cc b/chromium/net/cert/ct_log_response_parser_unittest.cc
index ce479ef99ad..ee2f35fb2c1 100644
--- a/chromium/net/cert/ct_log_response_parser_unittest.cc
+++ b/chromium/net/cert/ct_log_response_parser_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier.cc b/chromium/net/cert/ct_log_verifier.cc
index f231491fa81..44eb1ab87d0 100644
--- a/chromium/net/cert/ct_log_verifier.cc
+++ b/chromium/net/cert/ct_log_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier.h b/chromium/net/cert/ct_log_verifier.h
index 09a69a901b8..a2aa546c2de 100644
--- a/chromium/net/cert/ct_log_verifier.h
+++ b/chromium/net/cert/ct_log_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier_unittest.cc b/chromium/net/cert/ct_log_verifier_unittest.cc
index 2faf373297c..5a32586d803 100644
--- a/chromium/net/cert/ct_log_verifier_unittest.cc
+++ b/chromium/net/cert/ct_log_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier_util.cc b/chromium/net/cert/ct_log_verifier_util.cc
index 0a74dac7b32..ea67bb3c5bb 100644
--- a/chromium/net/cert/ct_log_verifier_util.cc
+++ b/chromium/net/cert/ct_log_verifier_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_log_verifier_util.h b/chromium/net/cert/ct_log_verifier_util.h
index 2149e942cff..c9dfb37c720 100644
--- a/chromium/net/cert/ct_log_verifier_util.h
+++ b/chromium/net/cert/ct_log_verifier_util.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_objects_extractor.cc b/chromium/net/cert/ct_objects_extractor.cc
index 25ccf2d2986..4e4cb475573 100644
--- a/chromium/net/cert/ct_objects_extractor.cc
+++ b/chromium/net/cert/ct_objects_extractor.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_objects_extractor.h b/chromium/net/cert/ct_objects_extractor.h
index d51ddbaf103..b4d2b5a15ba 100644
--- a/chromium/net/cert/ct_objects_extractor.h
+++ b/chromium/net/cert/ct_objects_extractor.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_objects_extractor_unittest.cc b/chromium/net/cert/ct_objects_extractor_unittest.cc
index 56e42cedd19..3a4b2bbed2e 100644
--- a/chromium/net/cert/ct_objects_extractor_unittest.cc
+++ b/chromium/net/cert/ct_objects_extractor_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_policy_enforcer.cc b/chromium/net/cert/ct_policy_enforcer.cc
index 4749c19925f..717d022a5da 100644
--- a/chromium/net/cert/ct_policy_enforcer.cc
+++ b/chromium/net/cert/ct_policy_enforcer.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_policy_enforcer.h b/chromium/net/cert/ct_policy_enforcer.h
index 8e68fbe154c..47be4b74ae6 100644
--- a/chromium/net/cert/ct_policy_enforcer.h
+++ b/chromium/net/cert/ct_policy_enforcer.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_policy_status.h b/chromium/net/cert/ct_policy_status.h
index bb077c226db..3a23276b88c 100644
--- a/chromium/net/cert/ct_policy_status.h
+++ b/chromium/net/cert/ct_policy_status.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_sct_to_string.cc b/chromium/net/cert/ct_sct_to_string.cc
index 43d863466ba..3d0f3ae3c7d 100644
--- a/chromium/net/cert/ct_sct_to_string.cc
+++ b/chromium/net/cert/ct_sct_to_string.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_sct_to_string.h b/chromium/net/cert/ct_sct_to_string.h
index d22ecec7487..6d2b985c7e1 100644
--- a/chromium/net/cert/ct_sct_to_string.h
+++ b/chromium/net/cert/ct_sct_to_string.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_serialization.cc b/chromium/net/cert/ct_serialization.cc
index 1147a3785fc..89c77d31e77 100644
--- a/chromium/net/cert/ct_serialization.cc
+++ b/chromium/net/cert/ct_serialization.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_serialization.h b/chromium/net/cert/ct_serialization.h
index 37003245209..c3aded55f37 100644
--- a/chromium/net/cert/ct_serialization.h
+++ b/chromium/net/cert/ct_serialization.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_serialization_unittest.cc b/chromium/net/cert/ct_serialization_unittest.cc
index e70d473af9a..7d4fde49cfd 100644
--- a/chromium/net/cert/ct_serialization_unittest.cc
+++ b/chromium/net/cert/ct_serialization_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc
index 5721f68f589..c75f5a17de6 100644
--- a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc
+++ b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h
index 41c6709227a..dad83fc0781 100644
--- a/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h
+++ b/chromium/net/cert/ct_signed_certificate_timestamp_log_param.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ct_verifier.h b/chromium/net/cert/ct_verifier.h
index a0103c9e9f9..406df5b7b4b 100644
--- a/chromium/net/cert/ct_verifier.h
+++ b/chromium/net/cert/ct_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/decode_signed_certificate_timestamp_fuzzer.cc b/chromium/net/cert/decode_signed_certificate_timestamp_fuzzer.cc
index ad4c151cfc3..a2228142df1 100644
--- a/chromium/net/cert/decode_signed_certificate_timestamp_fuzzer.cc
+++ b/chromium/net/cert/decode_signed_certificate_timestamp_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/do_nothing_ct_verifier.cc b/chromium/net/cert/do_nothing_ct_verifier.cc
index 596c8e7bf43..4a61452c2df 100644
--- a/chromium/net/cert/do_nothing_ct_verifier.cc
+++ b/chromium/net/cert/do_nothing_ct_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/do_nothing_ct_verifier.h b/chromium/net/cert/do_nothing_ct_verifier.h
index 6d6285ef2f5..30715d68268 100644
--- a/chromium/net/cert/do_nothing_ct_verifier.h
+++ b/chromium/net/cert/do_nothing_ct_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ev_root_ca_metadata.cc b/chromium/net/cert/ev_root_ca_metadata.cc
index 95350d62fa2..343c648374c 100644
--- a/chromium/net/cert/ev_root_ca_metadata.cc
+++ b/chromium/net/cert/ev_root_ca_metadata.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,8 +10,7 @@
 #include <stdlib.h>
 #endif
 
-#include <algorithm>
-
+#include "base/containers/contains.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/strings/string_piece.h"
@@ -41,7 +40,7 @@ struct EVMetadata {
   const base::StringPiece policy_oids[kMaxOIDsPerCA];
 };
 
-#include "net/data/ssl/ev_roots/chrome-ev-root-store-inc.cc"
+#include "net/data/ssl/chrome_root_store/chrome-ev-roots-inc.cc"
 
 #endif  // defined(PLATFORM_USES_CHROMIUM_EV_METADATA)
 }  // namespace
@@ -73,9 +72,7 @@ bool ConvertBytesToDottedString(const der::Input& policy_oid,
 
 bool EVRootCAMetadata::IsEVPolicyOID(PolicyOID policy_oid) const {
   for (const auto& ev_root : kEvRootCaMetadata) {
-    if (std::find(std::begin(ev_root.policy_oids),
-                  std::end(ev_root.policy_oids),
-                  policy_oid) != std::end(ev_root.policy_oids)) {
+    if (base::Contains(ev_root.policy_oids, policy_oid)) {
       return true;
     }
   }
@@ -100,9 +97,7 @@ bool EVRootCAMetadata::HasEVPolicyOID(const SHA256HashValue& fingerprint,
   for (const auto& ev_root : kEvRootCaMetadata) {
     if (fingerprint != ev_root.fingerprint)
       continue;
-    return std::find(std::begin(ev_root.policy_oids),
-                     std::end(ev_root.policy_oids),
-                     policy_oid) != std::end(ev_root.policy_oids);
+    return base::Contains(ev_root.policy_oids, policy_oid);
   }
 
   auto it = extra_cas_.find(fingerprint);
diff --git a/chromium/net/cert/ev_root_ca_metadata.h b/chromium/net/cert/ev_root_ca_metadata.h
index 9ce78dcb32d..c568c640f4a 100644
--- a/chromium/net/cert/ev_root_ca_metadata.h
+++ b/chromium/net/cert/ev_root_ca_metadata.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ev_root_ca_metadata_unittest.cc b/chromium/net/cert/ev_root_ca_metadata_unittest.cc
index c364a34c1be..e73b50c01c1 100644
--- a/chromium/net/cert/ev_root_ca_metadata_unittest.cc
+++ b/chromium/net/cert/ev_root_ca_metadata_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/cert_issuer_source_aia.cc b/chromium/net/cert/internal/cert_issuer_source_aia.cc
index 22411efff84..855fa44480b 100644
--- a/chromium/net/cert/internal/cert_issuer_source_aia.cc
+++ b/chromium/net/cert/internal/cert_issuer_source_aia.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -177,7 +177,7 @@ void CertIssuerSourceAia::AsyncGetIssuersOf(const ParsedCertificate* cert,
 
   std::vector<GURL> urls;
   for (const auto& uri : cert->ca_issuers_uris()) {
-    GURL url(uri);
+    GURL url(base::StringPiece(uri.data(), uri.size()));
     if (url.is_valid()) {
       // TODO(mattm): do the kMaxFetchesPerCert check only on the number of
       // supported URL schemes, not all the URLs.
diff --git a/chromium/net/cert/internal/cert_issuer_source_aia.h b/chromium/net/cert/internal/cert_issuer_source_aia.h
index 4247bc50a73..9431bbcb90d 100644
--- a/chromium/net/cert/internal/cert_issuer_source_aia.h
+++ b/chromium/net/cert/internal/cert_issuer_source_aia.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc b/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc
index 344ad413f84..fe29d366ee9 100644
--- a/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc
+++ b/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/cert_issuer_source_sync_unittest.cc b/chromium/net/cert/internal/cert_issuer_source_sync_unittest.cc
index da758ca71d9..3b842545cf2 100644
--- a/chromium/net/cert/internal/cert_issuer_source_sync_unittest.cc
+++ b/chromium/net/cert/internal/cert_issuer_source_sync_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc b/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc
index 06a1321bfdd..11d39439953 100644
--- a/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc
+++ b/chromium/net/cert/internal/crl_getcrlstatusforcert_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc b/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc
index b90164de4b3..290adf48a04 100644
--- a/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc
+++ b/chromium/net/cert/internal/crl_parse_crl_certificatelist_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc b/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc
index 4a82b035e43..cdd28714d92 100644
--- a/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc
+++ b/chromium/net/cert/internal/crl_parse_crl_tbscertlist_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc b/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
index e4aaeb00308..f79b3dd5b0c 100644
--- a/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
+++ b/chromium/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/crl_unittest.cc b/chromium/net/cert/internal/crl_unittest.cc
index b1f9ee7ca98..44eba27705b 100644
--- a/chromium/net/cert/internal/crl_unittest.cc
+++ b/chromium/net/cert/internal/crl_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/general_names_unittest.cc b/chromium/net/cert/internal/general_names_unittest.cc
index 927b4f574c5..2c4c347d783 100644
--- a/chromium/net/cert/internal/general_names_unittest.cc
+++ b/chromium/net/cert/internal/general_names_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc b/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc
index e3deecab6e1..b6aafbfd56a 100644
--- a/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc
+++ b/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/revocation_checker.cc b/chromium/net/cert/internal/revocation_checker.cc
index 174c2287c2f..e7bb72c4ab3 100644
--- a/chromium/net/cert/internal/revocation_checker.cc
+++ b/chromium/net/cert/internal/revocation_checker.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -51,9 +51,10 @@ bool CheckCertRevocation(const ParsedCertificateList& certs,
   // Check using stapled OCSP, if available.
   if (!stapled_ocsp_response.empty() && issuer_cert) {
     OCSPVerifyResult::ResponseStatus response_details;
-    OCSPRevocationStatus ocsp_status =
-        CheckOCSP(stapled_ocsp_response, cert, issuer_cert, base::Time::Now(),
-                  max_age, &response_details);
+    OCSPRevocationStatus ocsp_status = CheckOCSP(
+        std::string_view(stapled_ocsp_response.data(),
+                         stapled_ocsp_response.size()),
+        cert, issuer_cert, base::Time::Now(), max_age, &response_details);
     if (stapled_ocsp_verify_result) {
       stapled_ocsp_verify_result->response_status = response_details;
       stapled_ocsp_verify_result->revocation_status = ocsp_status;
@@ -86,7 +87,7 @@ bool CheckCertRevocation(const ParsedCertificateList& certs,
     for (const auto& ocsp_uri : cert->ocsp_uris()) {
       // Only consider http:// URLs (https:// could create a circular
       // dependency).
-      GURL parsed_ocsp_url(ocsp_uri);
+      GURL parsed_ocsp_url(base::StringPiece(ocsp_uri.data(), ocsp_uri.size()));
       if (!parsed_ocsp_url.is_valid() ||
           !parsed_ocsp_url.SchemeIs(url::kHttpScheme)) {
         continue;
@@ -135,7 +136,7 @@ bool CheckCertRevocation(const ParsedCertificateList& certs,
       OCSPVerifyResult::ResponseStatus response_details;
 
       OCSPRevocationStatus ocsp_status = CheckOCSP(
-          base::StringPiece(
+          std::string_view(
               reinterpret_cast<const char*>(ocsp_response_bytes.data()),
               ocsp_response_bytes.size()),
           cert, issuer_cert, base::Time::Now(), max_age, &response_details);
@@ -186,7 +187,8 @@ bool CheckCertRevocation(const ParsedCertificateList& certs,
                  ->uniform_resource_identifiers) {
           // Only consider http:// URLs (https:// could create a circular
           // dependency).
-          GURL parsed_crl_url(crl_uri);
+          GURL parsed_crl_url(
+              base::StringPiece(crl_uri.data(), crl_uri.size()));
           if (!parsed_crl_url.is_valid() ||
               !parsed_crl_url.SchemeIs(url::kHttpScheme)) {
             continue;
@@ -224,7 +226,7 @@ bool CheckCertRevocation(const ParsedCertificateList& certs,
             continue;
 
           CRLRevocationStatus crl_status = CheckCRL(
-              base::StringPiece(
+              std::string_view(
                   reinterpret_cast<const char*>(crl_response_bytes.data()),
                   crl_response_bytes.size()),
               certs, target_cert_index, distribution_point, base::Time::Now(),
diff --git a/chromium/net/cert/internal/revocation_checker.h b/chromium/net/cert/internal/revocation_checker.h
index 78ae5aa9a68..d3043e2a78c 100644
--- a/chromium/net/cert/internal/revocation_checker.h
+++ b/chromium/net/cert/internal/revocation_checker.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/revocation_checker_unittest.cc b/chromium/net/cert/internal/revocation_checker_unittest.cc
index 1ad965057da..a0b22ba32d4 100644
--- a/chromium/net/cert/internal/revocation_checker_unittest.cc
+++ b/chromium/net/cert/internal/revocation_checker_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/revocation_util_unittest.cc b/chromium/net/cert/internal/revocation_util_unittest.cc
index fd1b0389748..ab8397b19d5 100644
--- a/chromium/net/cert/internal/revocation_util_unittest.cc
+++ b/chromium/net/cert/internal/revocation_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/system_trust_store.cc b/chromium/net/cert/internal/system_trust_store.cc
index fc21d3633a2..1ebd9213fa1 100644
--- a/chromium/net/cert/internal/system_trust_store.cc
+++ b/chromium/net/cert/internal/system_trust_store.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -218,6 +218,13 @@ CreateSslSystemTrustStoreNSSWithUserSlotRestriction(
 
 #elif BUILDFLAG(IS_MAC)
 
+// Using the Builtin Verifier w/o the Chrome Root Store is unsupported on
+// Mac.
+std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() {
+  return std::make_unique<DummySystemTrustStore>();
+}
+
+#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
 namespace {
 
 TrustStoreMac::TrustImplType ParamToTrustImplType(
@@ -249,8 +256,8 @@ TrustStoreMac::TrustImplType GetTrustStoreImplParam(
   // If handling that becomes necessary, the flags should be checked in the
   // higher level code (maybe in cert_verifier_creation.cc) so that each
   // type of CertVerifyProc could be created with the appropriate flags.
-  if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature)) {
-    return ParamToTrustImplType(features::kCertVerifierBuiltinImpl.Get(),
+  if (base::FeatureList::IsEnabled(features::kChromeRootStoreUsed)) {
+    return ParamToTrustImplType(features::kChromeRootStoreSysImpl.Get(),
                                 default_impl);
   }
   if (base::FeatureList::IsEnabled(
@@ -262,9 +269,9 @@ TrustStoreMac::TrustImplType GetTrustStoreImplParam(
 }
 
 size_t GetTrustStoreCacheSize() {
-  if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature) &&
-      features::kCertVerifierBuiltinCacheSize.Get() > 0) {
-    return features::kCertVerifierBuiltinCacheSize.Get();
+  if (base::FeatureList::IsEnabled(features::kChromeRootStoreUsed) &&
+      features::kChromeRootStoreSysCacheSize.Get() > 0) {
+    return features::kChromeRootStoreSysCacheSize.Get();
   }
   if (base::FeatureList::IsEnabled(
           features::kCertDualVerificationTrialFeature) &&
@@ -275,55 +282,12 @@ size_t GetTrustStoreCacheSize() {
   return kDefaultCacheSize;
 }
 
-}  // namespace
-
-class SystemTrustStoreMac : public SystemTrustStore {
- public:
-  SystemTrustStoreMac() = default;
-
-  TrustStore* GetTrustStore() override { return GetGlobalTrustStoreMac(); }
-
-  bool UsesSystemTrustStore() const override { return true; }
-
-  // IsKnownRoot returns true if the given trust anchor is a standard one (as
-  // opposed to a user-installed root)
-  bool IsKnownRoot(const ParsedCertificate* trust_anchor) const override {
-    return GetGlobalTrustStoreMac()->IsKnownRoot(trust_anchor);
-  }
-
-  static void InitializeTrustCacheOnWorkerThread() {
-    GetGlobalTrustStoreMac()->InitializeTrustCache();
-  }
-
-#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
-  int64_t chrome_root_store_version() override { return 0; }
-#endif
-
- private:
-  static constexpr TrustStoreMac::TrustImplType kDefaultTrustImpl =
-      TrustStoreMac::TrustImplType::kLruCache;
-
-  static TrustStoreMac* GetGlobalTrustStoreMac() {
-    static base::NoDestructor<TrustStoreMac> static_trust_store_mac(
-        kSecPolicyAppleSSL, GetTrustStoreImplParam(kDefaultTrustImpl),
-        GetTrustStoreCacheSize(), TrustStoreMac::TrustDomains::kAll);
-    return static_trust_store_mac.get();
-  }
-};
-
-std::unique_ptr<SystemTrustStore> CreateSslSystemTrustStore() {
-  return std::make_unique<SystemTrustStoreMac>();
-}
-
-#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
-namespace {
-
 TrustStoreMac* GetGlobalTrustStoreMacForCRS() {
   constexpr TrustStoreMac::TrustImplType kDefaultMacTrustImplForCRS =
       TrustStoreMac::TrustImplType::kDomainCacheFullCerts;
   static base::NoDestructor<TrustStoreMac> static_trust_store_mac(
       kSecPolicyAppleSSL, GetTrustStoreImplParam(kDefaultMacTrustImplForCRS),
-      GetTrustStoreCacheSize(), TrustStoreMac::TrustDomains::kUserAndAdmin);
+      GetTrustStoreCacheSize());
   return static_trust_store_mac.get();
 }
 
@@ -350,15 +314,6 @@ void InitializeTrustStoreMacCache() {
     return;
   }
 #endif  // CHROME_ROOT_STORE_SUPPORTED
-  if (base::FeatureList::IsEnabled(
-          net::features::kCertVerifierBuiltinFeature)) {
-    base::ThreadPool::PostTask(
-        FROM_HERE,
-        {base::MayBlock(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},
-        base::BindOnce(
-            &SystemTrustStoreMac::InitializeTrustCacheOnWorkerThread));
-    return;
-  }
 }
 
 #elif BUILDFLAG(IS_FUCHSIA)
diff --git a/chromium/net/cert/internal/system_trust_store.h b/chromium/net/cert/internal/system_trust_store.h
index 9a965013ffe..bf7ebff3e80 100644
--- a/chromium/net/cert/internal/system_trust_store.h
+++ b/chromium/net/cert/internal/system_trust_store.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/system_trust_store_nss.h b/chromium/net/cert/internal/system_trust_store_nss.h
index 70b3052d444..dfd5a69f52c 100644
--- a/chromium/net/cert/internal/system_trust_store_nss.h
+++ b/chromium/net/cert/internal/system_trust_store_nss.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/system_trust_store_nss_unittest.cc b/chromium/net/cert/internal/system_trust_store_nss_unittest.cc
index ae343e796aa..c05c2218c5f 100644
--- a/chromium/net/cert/internal/system_trust_store_nss_unittest.cc
+++ b/chromium/net/cert/internal/system_trust_store_nss_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/system_trust_store_unittest.cc b/chromium/net/cert/internal/system_trust_store_unittest.cc
index 902b40b3c8f..1a78d1f9957 100644
--- a/chromium/net/cert/internal/system_trust_store_unittest.cc
+++ b/chromium/net/cert/internal/system_trust_store_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,7 +19,7 @@
 namespace net {
 
 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
-#include "net/data/ssl/chrome_root_store/chrome-root-store-test-data-inc.cc"
+#include "net/data/ssl/chrome_root_store/chrome-root-store-test-data-inc.cc"  // nogncheck
 
 TEST(SystemTrustStoreChrome, SystemDistrustOverridesChromeTrust) {
   CertificateList certs = CreateCertificateListFromFile(
diff --git a/chromium/net/cert/internal/trust_store_chrome.cc b/chromium/net/cert/internal/trust_store_chrome.cc
index 56f9d497f0f..a46ada86caa 100644
--- a/chromium/net/cert/internal/trust_store_chrome.cc
+++ b/chromium/net/cert/internal/trust_store_chrome.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/trust_store_chrome.h b/chromium/net/cert/internal/trust_store_chrome.h
index 0d7acc591a5..86e4020e4e1 100644
--- a/chromium/net/cert/internal/trust_store_chrome.h
+++ b/chromium/net/cert/internal/trust_store_chrome.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/trust_store_chrome_unittest.cc b/chromium/net/cert/internal/trust_store_chrome_unittest.cc
index 7ba40227386..ad58476e523 100644
--- a/chromium/net/cert/internal/trust_store_chrome_unittest.cc
+++ b/chromium/net/cert/internal/trust_store_chrome_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -48,9 +48,11 @@ TEST(TrustStoreChromeTestNoFixture, ContainsCert) {
     EXPECT_EQ(CertificateTrustType::TRUSTED_ANCHOR, trust.type);
   }
 
-  // Other certificates should not be included.
+  // Other certificates should not be included. Which test cert used here isn't
+  // important as long as it isn't one of the certificates in the
+  // chrome_root_store/test_store.certs.
   scoped_refptr<X509Certificate> other_cert =
-      ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem");
+      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
   ASSERT_TRUE(other_cert);
   scoped_refptr<ParsedCertificate> other_parsed =
       ToParsedCertificate(*other_cert);
diff --git a/chromium/net/cert/internal/trust_store_mac.cc b/chromium/net/cert/internal/trust_store_mac.cc
index f3b6e2a53d5..121fcb4bbb1 100644
--- a/chromium/net/cert/internal/trust_store_mac.cc
+++ b/chromium/net/cert/internal/trust_store_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,6 +9,7 @@
 #include "base/atomicops.h"
 #include "base/bind.h"
 #include "base/callback_list.h"
+#include "base/containers/contains.h"
 #include "base/containers/flat_map.h"
 #include "base/containers/lru_cache.h"
 #include "base/logging.h"
@@ -18,12 +19,13 @@
 #include "base/no_destructor.h"
 #include "base/strings/strcat.h"
 #include "base/synchronization/lock.h"
+#include "base/timer/elapsed_timer.h"
 #include "crypto/mac_security_services_lock.h"
 #include "net/base/hash_value.h"
 #include "net/base/network_notification_thread_mac.h"
-#include "net/cert/known_roots_mac.h"
 #include "net/cert/pki/cert_errors.h"
 #include "net/cert/pki/cert_issuer_source_static.h"
+#include "net/cert/pki/extended_key_usage.h"
 #include "net/cert/pki/parse_name.h"
 #include "net/cert/pki/parsed_certificate.h"
 #include "net/cert/test_keychain_search_list_mac.h"
@@ -51,12 +53,6 @@ enum class TrustStatus {
   DISTRUSTED
 };
 
-enum class KnownRootStatus {
-  UNKNOWN,
-  IS_KNOWN_ROOT,
-  NOT_KNOWN_ROOT,
-};
-
 const void* kResultDebugDataKey = &kResultDebugDataKey;
 
 // Returns trust status of usage constraints dictionary |trust_dict| for a
@@ -270,35 +266,9 @@ TrustStatus IsCertificateTrustedForPolicyInDomain(
       cert_handle, is_self_issued, policy_oid, trust_domain, debug_info);
 }
 
-KnownRootStatus IsCertificateKnownRoot(const ParsedCertificate* cert) {
-  base::ScopedCFTypeRef<SecCertificateRef> cert_handle =
-      x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(),
-                                               cert->der_cert().Length());
-  if (!cert_handle)
-    return KnownRootStatus::NOT_KNOWN_ROOT;
-
-  base::ScopedCFTypeRef<CFArrayRef> trust_settings;
-  OSStatus err;
-  {
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    err = SecTrustSettingsCopyTrustSettings(cert_handle,
-                                            kSecTrustSettingsDomainSystem,
-                                            trust_settings.InitializeInto());
-  }
-  return (err == errSecSuccess) ? KnownRootStatus::IS_KNOWN_ROOT
-                                : KnownRootStatus::NOT_KNOWN_ROOT;
-}
-
 TrustStatus IsCertificateTrustedForPolicy(const ParsedCertificate* cert,
                                           const CFStringRef policy_oid,
-                                          TrustStoreMac::TrustDomains domains,
-                                          int* debug_info,
-                                          KnownRootStatus* out_is_known_root) {
-  // |*out_is_known_root| is intentionally not cleared before starting, as
-  // there may have been a value already calculated and cached independently.
-  // The caller is expected to initialize |*out_is_known_root| to UNKNOWN if
-  // the value has not been calculated.
-
+                                          int* debug_info) {
   base::ScopedCFTypeRef<SecCertificateRef> cert_handle =
       x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(),
                                                cert->der_cert().Length());
@@ -308,15 +278,10 @@ TrustStatus IsCertificateTrustedForPolicy(const ParsedCertificate* cert,
   const bool is_self_issued =
       cert->normalized_subject() == cert->normalized_issuer();
 
-  // Evaluate trust domains in user, admin, system order. Admin settings can
-  // override system ones, and user settings can override both admin and system.
+  // Evaluate user trust domain, then admin. User settings can override
+  // admin (and both override the system domain, but we don't check that).
   for (const auto& trust_domain :
-       {kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin,
-        kSecTrustSettingsDomainSystem}) {
-    if (domains == TrustStoreMac::TrustDomains::kUserAndAdmin &&
-        trust_domain == kSecTrustSettingsDomainSystem) {
-      continue;
-    }
+       {kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin}) {
     base::ScopedCFTypeRef<CFArrayRef> trust_settings;
     OSStatus err;
     {
@@ -325,11 +290,6 @@ TrustStatus IsCertificateTrustedForPolicy(const ParsedCertificate* cert,
                                               trust_settings.InitializeInto());
     }
     if (err != errSecSuccess) {
-      if (out_is_known_root && trust_domain == kSecTrustSettingsDomainSystem) {
-        // If trust settings are not present for |cert| in the system domain,
-        // record it as not a known root.
-        *out_is_known_root = KnownRootStatus::NOT_KNOWN_ROOT;
-      }
       if (err == errSecItemNotFound) {
         // No trust settings for that domain.. try the next.
         continue;
@@ -338,11 +298,6 @@ TrustStatus IsCertificateTrustedForPolicy(const ParsedCertificate* cert,
       *debug_info |= TrustStoreMac::COPY_TRUST_SETTINGS_ERROR;
       continue;
     }
-    if (out_is_known_root && trust_domain == kSecTrustSettingsDomainSystem) {
-      // If trust settings are present for |cert| in the system domain, record
-      // it as a known root.
-      *out_is_known_root = KnownRootStatus::IS_KNOWN_ROOT;
-    }
     TrustStatus trust = IsTrustSettingsTrustedForPolicy(
         trust_settings, is_self_issued, policy_oid, debug_info);
     if (trust != TrustStatus::UNSPECIFIED)
@@ -568,7 +523,7 @@ class TrustDomainCacheFullCerts {
         domain_name = "Admin";
         break;
       case kSecTrustSettingsDomainSystem:
-        domain_name = "System";
+        NOTREACHED();
         break;
     }
     base::UmaHistogramCounts1000(
@@ -589,17 +544,16 @@ SHA256HashValue CalculateFingerprint256(const der::Input& buffer) {
   return sha256;
 }
 
-// Watches macOS keychain for trust setting changes, and notifies any
+// Watches macOS keychain for |event_mask| notifications, and notifies any
 // registered callbacks. This is necessary as the keychain callback API is
 // keyed only on the callback function pointer rather than function pointer +
 // context, so it cannot be safely registered multiple callbacks with the same
 // function pointer and different contexts.
-class KeychainTrustSettingsChangedNotifier {
+template <SecKeychainEventMask event_mask>
+class KeychainChangedNotifier {
  public:
-  KeychainTrustSettingsChangedNotifier(
-      const KeychainTrustSettingsChangedNotifier&) = delete;
-  KeychainTrustSettingsChangedNotifier& operator=(
-      const KeychainTrustSettingsChangedNotifier&) = delete;
+  KeychainChangedNotifier(const KeychainChangedNotifier&) = delete;
+  KeychainChangedNotifier& operator=(const KeychainChangedNotifier&) = delete;
 
   // Registers |callback| to be run when the keychain trust settings change.
   // Must be called on the network notification thread.  |callback| will be run
@@ -612,7 +566,7 @@ class KeychainTrustSettingsChangedNotifier {
   }
 
  private:
-  friend base::NoDestructor<KeychainTrustSettingsChangedNotifier>;
+  friend base::NoDestructor<KeychainChangedNotifier>;
 
 // Much of the Keychain API was marked deprecated as of the macOS 13 SDK.
 // Removal of its use is tracked in https://crbug.com/1348251 but deprecation
@@ -620,30 +574,34 @@ class KeychainTrustSettingsChangedNotifier {
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
 
-  KeychainTrustSettingsChangedNotifier() {
+  KeychainChangedNotifier() {
     DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence());
-    OSStatus status = SecKeychainAddCallback(
-        &KeychainTrustSettingsChangedNotifier::KeychainCallback,
-        kSecTrustSettingsChangedEventMask, this);
+    OSStatus status =
+        SecKeychainAddCallback(&KeychainChangedNotifier::KeychainCallback,
+                               event_mask, /*context=*/nullptr);
     if (status != noErr)
       OSSTATUS_LOG(ERROR, status) << "SecKeychainAddCallback failed";
   }
 
 #pragma clang diagnostic pop
 
-  ~KeychainTrustSettingsChangedNotifier() = delete;
+  ~KeychainChangedNotifier() = delete;
 
   static OSStatus KeychainCallback(SecKeychainEvent keychain_event,
                                    SecKeychainCallbackInfo* info,
                                    void* context) {
-    KeychainTrustSettingsChangedNotifier* notifier =
-        reinterpret_cast<KeychainTrustSettingsChangedNotifier*>(context);
-    notifier->callback_list_.Notify();
+    // Since SecKeychainAddCallback is keyed on the function pointer only, we
+    // need to ensure that each template instantiation of this function has a
+    // different address. Calling the static Get() method here to get the
+    // |callback_list_| (rather than passing a |this| pointer through
+    // |context|) should require each instantiation of KeychainCallback to be
+    // unique.
+    Get()->callback_list_.Notify();
     return errSecSuccess;
   }
 
-  static KeychainTrustSettingsChangedNotifier* Get() {
-    static base::NoDestructor<KeychainTrustSettingsChangedNotifier> notifier;
+  static KeychainChangedNotifier* Get() {
+    static base::NoDestructor<KeychainChangedNotifier> notifier;
     return notifier.get();
   }
 
@@ -651,23 +609,23 @@ class KeychainTrustSettingsChangedNotifier {
 };
 
 // Observes keychain events and increments the value returned by Iteration()
-// each time the trust settings change.
-class KeychainTrustObserver {
+// each time an event indicated by |event_mask| is notified.
+template <SecKeychainEventMask event_mask>
+class KeychainObserver {
  public:
-  KeychainTrustObserver() {
+  KeychainObserver() {
     GetNetworkNotificationThreadMac()->PostTask(
         FROM_HERE,
-        base::BindOnce(
-            &KeychainTrustObserver::RegisterCallbackOnNotificationThread,
-            base::Unretained(this)));
+        base::BindOnce(&KeychainObserver::RegisterCallbackOnNotificationThread,
+                       base::Unretained(this)));
   }
 
-  KeychainTrustObserver(const KeychainTrustObserver&) = delete;
-  KeychainTrustObserver& operator=(const KeychainTrustObserver&) = delete;
+  KeychainObserver(const KeychainObserver&) = delete;
+  KeychainObserver& operator=(const KeychainObserver&) = delete;
 
   // Destroying the observer unregisters the callback. Must be destroyed on the
   // notification thread in order to safely release |subscription_|.
-  ~KeychainTrustObserver() {
+  ~KeychainObserver() {
     DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence());
   }
 
@@ -679,8 +637,8 @@ class KeychainTrustObserver {
   void RegisterCallbackOnNotificationThread() {
     DCHECK(GetNetworkNotificationThreadMac()->RunsTasksInCurrentSequence());
     subscription_ =
-        KeychainTrustSettingsChangedNotifier::AddCallback(base::BindRepeating(
-            &KeychainTrustObserver::Increment, base::Unretained(this)));
+        KeychainChangedNotifier<event_mask>::AddCallback(base::BindRepeating(
+            &KeychainObserver::Increment, base::Unretained(this)));
   }
 
   void Increment() { base::subtle::Barrier_AtomicIncrement(&iteration_, 1); }
@@ -691,6 +649,18 @@ class KeychainTrustObserver {
   base::subtle::Atomic64 iteration_ = 0;
 };
 
+using KeychainTrustObserver =
+    KeychainObserver<kSecTrustSettingsChangedEventMask>;
+
+// kSecDeleteEventMask events could also be checked here, but it's not
+// necessary for correct behavior. Not including that just means the
+// intermediates cache might occasionally be a little larger then necessary.
+// In theory, the kSecAddEvent events could also be filtered to only notify on
+// events for added certificates as opposed to other keychain objects, however
+// that requires some fairly nasty CSSM hackery, so we don't do it.
+using KeychainCertsObserver =
+    KeychainObserver<kSecAddEventMask | kSecKeychainListChangedMask>;
+
 }  // namespace
 
 // static
@@ -733,7 +703,6 @@ class TrustStoreMac::TrustImpl {
  public:
   virtual ~TrustImpl() = default;
 
-  virtual bool IsKnownRoot(const ParsedCertificate* cert) = 0;
   virtual TrustStatus IsCertTrusted(const ParsedCertificate* cert,
                                     base::SupportsUserData* debug_data) = 0;
   virtual bool ImplementsSyncGetIssuersOf() const { return false; }
@@ -748,14 +717,9 @@ class TrustStoreMac::TrustImpl {
 // modified.
 class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl {
  public:
-  explicit TrustImplDomainCache(CFStringRef policy_oid, TrustDomains domains)
-      : use_system_domain_cache_(domains == TrustDomains::kAll),
-        admin_domain_cache_(kSecTrustSettingsDomainAdmin, policy_oid),
+  explicit TrustImplDomainCache(CFStringRef policy_oid)
+      : admin_domain_cache_(kSecTrustSettingsDomainAdmin, policy_oid),
         user_domain_cache_(kSecTrustSettingsDomainUser, policy_oid) {
-    if (use_system_domain_cache_) {
-      system_domain_cache_ = std::make_unique<TrustDomainCache>(
-          kSecTrustSettingsDomainSystem, policy_oid);
-    }
     keychain_observer_ = std::make_unique<KeychainTrustObserver>();
   }
 
@@ -767,17 +731,6 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl {
         FROM_HERE, std::move(keychain_observer_));
   }
 
-  // Returns true if |cert| is present in kSecTrustSettingsDomainSystem.
-  bool IsKnownRoot(const ParsedCertificate* cert) override {
-    if (!use_system_domain_cache_)
-      return false;
-    SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert());
-
-    base::AutoLock lock(cache_lock_);
-    MaybeInitializeCache();
-    return system_domain_cache_->ContainsCert(cert_hash);
-  }
-
   // Returns the trust status for |cert|.
   TrustStatus IsCertTrusted(const ParsedCertificate* cert,
                             base::SupportsUserData* debug_data) override {
@@ -786,9 +739,8 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl {
     base::AutoLock lock(cache_lock_);
     MaybeInitializeCache();
 
-    // Evaluate trust domains in user, admin, system order. Admin settings can
-    // override system ones, and user settings can override both admin and
-    // system.
+    // Evaluate user trust domain, then admin. User settings can override
+    // admin (and both override the system domain, but we don't check that).
     for (TrustDomainCache* trust_domain_cache :
          {&user_domain_cache_, &admin_domain_cache_}) {
       TrustStatus ts =
@@ -796,9 +748,6 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl {
       if (ts != TrustStatus::UNSPECIFIED)
         return ts;
     }
-    if (use_system_domain_cache_) {
-      return system_domain_cache_->IsCertTrusted(cert, cert_hash, debug_data);
-    }
 
     // Cert did not have trust settings in any domain.
     return TrustStatus::UNSPECIFIED;
@@ -822,26 +771,13 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl {
     iteration_ = keychain_iteration;
     user_domain_cache_.Initialize();
     admin_domain_cache_.Initialize();
-    if (use_system_domain_cache_ && !system_domain_initialized_) {
-      // In practice, the system trust domain does not change during runtime,
-      // and SecTrustSettingsCopyCertificates on the system domain is quite
-      // slow, so the system domain cache is not reset on keychain changes.
-      system_domain_cache_->Initialize();
-      system_domain_initialized_ = true;
-    }
   }
 
   std::unique_ptr<KeychainTrustObserver> keychain_observer_;
-  // Store whether to use the system domain in a const bool that is initialized
-  // in constructor so it is safe to read without having to lock first.
-  const bool use_system_domain_cache_;
 
   base::Lock cache_lock_;
   // |cache_lock_| must be held while accessing any following members.
   int64_t iteration_ GUARDED_BY(cache_lock_) = -1;
-  bool system_domain_initialized_ GUARDED_BY(cache_lock_) = false;
-  std::unique_ptr<TrustDomainCache> system_domain_cache_
-      GUARDED_BY(cache_lock_);
   TrustDomainCache admin_domain_cache_ GUARDED_BY(cache_lock_);
   TrustDomainCache user_domain_cache_ GUARDED_BY(cache_lock_);
 };
@@ -854,16 +790,12 @@ class TrustStoreMac::TrustImplDomainCache : public TrustStoreMac::TrustImpl {
 class TrustStoreMac::TrustImplDomainCacheFullCerts
     : public TrustStoreMac::TrustImpl {
  public:
-  explicit TrustImplDomainCacheFullCerts(CFStringRef policy_oid,
-                                         TrustDomains domains)
-      : use_system_domain_cache_(domains == TrustDomains::kAll),
+  explicit TrustImplDomainCacheFullCerts(CFStringRef policy_oid)
+      : policy_oid_(policy_oid, base::scoped_policy::RETAIN),
         admin_domain_cache_(kSecTrustSettingsDomainAdmin, policy_oid),
         user_domain_cache_(kSecTrustSettingsDomainUser, policy_oid) {
-    if (use_system_domain_cache_) {
-      system_domain_cache_ = std::make_unique<TrustDomainCacheFullCerts>(
-          kSecTrustSettingsDomainSystem, policy_oid);
-    }
-    keychain_observer_ = std::make_unique<KeychainTrustObserver>();
+    keychain_trust_observer_ = std::make_unique<KeychainTrustObserver>();
+    keychain_certs_observer_ = std::make_unique<KeychainCertsObserver>();
   }
 
   TrustImplDomainCacheFullCerts(const TrustImplDomainCacheFullCerts&) = delete;
@@ -872,18 +804,9 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts
 
   ~TrustImplDomainCacheFullCerts() override {
     GetNetworkNotificationThreadMac()->DeleteSoon(
-        FROM_HERE, std::move(keychain_observer_));
-  }
-
-  // Returns true if |cert| is present in kSecTrustSettingsDomainSystem.
-  bool IsKnownRoot(const ParsedCertificate* cert) override {
-    if (!use_system_domain_cache_)
-      return false;
-    SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert());
-
-    base::AutoLock lock(cache_lock_);
-    MaybeInitializeCache();
-    return system_domain_cache_->ContainsCert(cert_hash);
+        FROM_HERE, std::move(keychain_trust_observer_));
+    GetNetworkNotificationThreadMac()->DeleteSoon(
+        FROM_HERE, std::move(keychain_certs_observer_));
   }
 
   // Returns the trust status for |cert|.
@@ -894,9 +817,8 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts
     base::AutoLock lock(cache_lock_);
     MaybeInitializeCache();
 
-    // Evaluate trust domains in user, admin, system order. Admin settings can
-    // override system ones, and user settings can override both admin and
-    // system.
+    // Evaluate user trust domain, then admin. User settings can override
+    // admin (and both override the system domain, but we don't check that).
     for (TrustDomainCacheFullCerts* trust_domain_cache :
          {&user_domain_cache_, &admin_domain_cache_}) {
       TrustStatus ts =
@@ -904,9 +826,6 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts
       if (ts != TrustStatus::UNSPECIFIED)
         return ts;
     }
-    if (use_system_domain_cache_) {
-      return system_domain_cache_->IsCertTrusted(cert, cert_hash, debug_data);
-    }
 
     // Cert did not have trust settings in any domain.
     return TrustStatus::UNSPECIFIED;
@@ -920,10 +839,7 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts
     MaybeInitializeCache();
     user_domain_cache_.cert_issuer_source().SyncGetIssuersOf(cert, issuers);
     admin_domain_cache_.cert_issuer_source().SyncGetIssuersOf(cert, issuers);
-    if (system_domain_cache_) {
-      system_domain_cache_->cert_issuer_source().SyncGetIssuersOf(cert,
-                                                                  issuers);
-    }
+    intermediates_cert_issuer_source_.SyncGetIssuersOf(cert, issuers);
   }
 
   // Initializes the cache, if it isn't already initialized.
@@ -937,65 +853,187 @@ class TrustStoreMac::TrustImplDomainCacheFullCerts
   // |cache_lock_| and before accessing any of the |*_domain_cache_| members.
   void MaybeInitializeCache() EXCLUSIVE_LOCKS_REQUIRED(cache_lock_) {
     cache_lock_.AssertAcquired();
-    int64_t keychain_iteration = keychain_observer_->Iteration();
-    if (iteration_ == keychain_iteration)
+
+    const int64_t keychain_trust_iteration =
+        keychain_trust_observer_->Iteration();
+    const bool trust_changed = trust_iteration_ != keychain_trust_iteration;
+    if (trust_changed) {
+      base::ElapsedTimer trust_domain_cache_init_timer;
+      trust_iteration_ = keychain_trust_iteration;
+      user_domain_cache_.Initialize();
+      admin_domain_cache_.Initialize();
+      base::UmaHistogramMediumTimes(
+          "Net.CertVerifier.MacTrustDomainCacheInitTime",
+          trust_domain_cache_init_timer.Elapsed());
+    }
+
+    const int64_t keychain_certs_iteration =
+        keychain_certs_observer_->Iteration();
+    const bool certs_changed = certs_iteration_ != keychain_certs_iteration;
+    // Intermediates cache is updated on trust changes too, since the
+    // intermediates cache is exclusive of any certs in trust domain caches.
+    if (trust_changed || certs_changed) {
+      certs_iteration_ = keychain_certs_iteration;
+      IntializeIntermediatesCache();
+    }
+  }
+
+  void IntializeIntermediatesCache() EXCLUSIVE_LOCKS_REQUIRED(cache_lock_) {
+    cache_lock_.AssertAcquired();
+
+    base::ElapsedTimer timer;
+
+    intermediates_cert_issuer_source_.Clear();
+
+    base::ScopedCFTypeRef<CFMutableDictionaryRef> query(
+        CFDictionaryCreateMutable(nullptr, 0, &kCFTypeDictionaryKeyCallBacks,
+                                  &kCFTypeDictionaryValueCallBacks));
+
+    CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
+    CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
+    CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll);
+
+    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
+
+    base::ScopedCFTypeRef<CFArrayRef> scoped_alternate_keychain_search_list;
+    if (TestKeychainSearchList::HasInstance()) {
+      OSStatus status = TestKeychainSearchList::GetInstance()->CopySearchList(
+          scoped_alternate_keychain_search_list.InitializeInto());
+      if (status) {
+        OSSTATUS_LOG(ERROR, status)
+            << "TestKeychainSearchList::CopySearchList error";
+        return;
+      }
+      CFDictionarySetValue(query, kSecMatchSearchList,
+                           scoped_alternate_keychain_search_list.get());
+    }
+
+    base::ScopedCFTypeRef<CFTypeRef> matching_items;
+    OSStatus err = SecItemCopyMatching(query, matching_items.InitializeInto());
+    if (err == errSecItemNotFound) {
+      RecordCachedIntermediatesHistograms(0, timer.Elapsed());
+      // No matches found.
       return;
+    }
+    if (err) {
+      RecordCachedIntermediatesHistograms(0, timer.Elapsed());
+      OSSTATUS_LOG(ERROR, err) << "SecItemCopyMatching error";
+      return;
+    }
+    CFArrayRef matching_items_array =
+        base::mac::CFCastStrict<CFArrayRef>(matching_items);
+    for (CFIndex i = 0, item_count = CFArrayGetCount(matching_items_array);
+         i < item_count; ++i) {
+      SecCertificateRef match_cert_handle =
+          base::mac::CFCastStrict<SecCertificateRef>(
+              CFArrayGetValueAtIndex(matching_items_array, i));
+
+      // If cert is already in the trust domain certs cache, don't bother
+      // including it in the intermediates cache.
+      SHA256HashValue cert_hash =
+          x509_util::CalculateFingerprint256(match_cert_handle);
+      if (user_domain_cache_.ContainsCert(cert_hash) ||
+          admin_domain_cache_.ContainsCert(cert_hash)) {
+        continue;
+      }
 
-    iteration_ = keychain_iteration;
-    user_domain_cache_.Initialize();
-    admin_domain_cache_.Initialize();
-    if (use_system_domain_cache_ && !system_domain_initialized_) {
-      // In practice, the system trust domain does not change during runtime,
-      // and SecTrustSettingsCopyCertificates on the system domain is quite
-      // slow, so the system domain cache is not reset on keychain changes.
-      system_domain_cache_->Initialize();
-      system_domain_initialized_ = true;
+      base::ScopedCFTypeRef<CFDataRef> der_data(
+          SecCertificateCopyData(match_cert_handle));
+      if (!der_data) {
+        LOG(ERROR) << "SecCertificateCopyData error";
+        continue;
+      }
+      auto buffer = x509_util::CreateCryptoBuffer(base::make_span(
+          CFDataGetBytePtr(der_data.get()), CFDataGetLength(der_data.get())));
+      CertErrors errors;
+      ParseCertificateOptions options;
+      options.allow_invalid_serial_numbers = true;
+      scoped_refptr<ParsedCertificate> parsed_cert =
+          ParsedCertificate::Create(std::move(buffer), options, &errors);
+      if (!parsed_cert) {
+        LOG(ERROR) << "Error parsing certificate:\n" << errors.ToDebugString();
+        continue;
+      }
+      if (IsNotAcceptableIntermediate(parsed_cert.get())) {
+        continue;
+      }
+      intermediates_cert_issuer_source_.AddCert(std::move(parsed_cert));
+    }
+    RecordCachedIntermediatesHistograms(CFArrayGetCount(matching_items_array),
+                                        timer.Elapsed());
+  }
+
+  // Returns true if |cert| would never be a valid intermediate. (A return
+  // value of false does not imply that it is valid.) This is an optimization
+  // to avoid using memory for caching certs that would never lead to a valid
+  // chain. It's not intended to exhaustively test everything that
+  // VerifyCertificateChain does, just to filter out some of the most obviously
+  // unusable certs.
+  bool IsNotAcceptableIntermediate(ParsedCertificate* cert) const {
+    if (!cert->has_basic_constraints() || !cert->basic_constraints().is_ca) {
+      return true;
+    }
+
+    // EKU filter is only implemented for TLS server auth since that's all we
+    // actually care about.
+    if (cert->has_extended_key_usage() &&
+        CFEqual(policy_oid_, kSecPolicyAppleSSL) &&
+        !base::Contains(cert->extended_key_usage(), der::Input(kAnyEKU)) &&
+        !base::Contains(cert->extended_key_usage(), der::Input(kServerAuth))) {
+      return true;
     }
+
+    // TODO(mattm): filter on other things too? (key usage, ...?)
+    return false;
   }
 
-  std::unique_ptr<KeychainTrustObserver> keychain_observer_;
-  // Store whether to use the system domain in a const bool that is initialized
-  // in constructor so it is safe to read without having to lock first.
-  const bool use_system_domain_cache_;
+  void RecordCachedIntermediatesHistograms(CFIndex total_cert_count,
+                                           base::TimeDelta cache_init_time)
+      const EXCLUSIVE_LOCKS_REQUIRED(cache_lock_) {
+    cache_lock_.AssertAcquired();
+    base::UmaHistogramMediumTimes(
+        "Net.CertVerifier.MacKeychainCerts.IntermediateCacheInitTime",
+        cache_init_time);
+    base::UmaHistogramCounts1000("Net.CertVerifier.MacKeychainCerts.TotalCount",
+                                 total_cert_count);
+    base::UmaHistogramCounts1000(
+        "Net.CertVerifier.MacKeychainCerts.IntermediateCount",
+        intermediates_cert_issuer_source_.size());
+  }
+
+  std::unique_ptr<KeychainTrustObserver> keychain_trust_observer_;
+  std::unique_ptr<KeychainCertsObserver> keychain_certs_observer_;
+  const base::ScopedCFTypeRef<CFStringRef> policy_oid_;
 
   base::Lock cache_lock_;
   // |cache_lock_| must be held while accessing any following members.
-  int64_t iteration_ GUARDED_BY(cache_lock_) = -1;
-  bool system_domain_initialized_ GUARDED_BY(cache_lock_) = false;
-  std::unique_ptr<TrustDomainCacheFullCerts> system_domain_cache_
-      GUARDED_BY(cache_lock_);
+  int64_t trust_iteration_ GUARDED_BY(cache_lock_) = -1;
+  int64_t certs_iteration_ GUARDED_BY(cache_lock_) = -1;
+
   TrustDomainCacheFullCerts admin_domain_cache_ GUARDED_BY(cache_lock_);
   TrustDomainCacheFullCerts user_domain_cache_ GUARDED_BY(cache_lock_);
+
+  CertIssuerSourceStatic intermediates_cert_issuer_source_
+      GUARDED_BY(cache_lock_);
 };
 
 // TrustImplNoCache is the simplest approach which calls
 // SecTrustSettingsCopyTrustSettings on every cert checked, with no caching.
 class TrustStoreMac::TrustImplNoCache : public TrustStoreMac::TrustImpl {
  public:
-  explicit TrustImplNoCache(CFStringRef policy_oid, TrustDomains domains)
-      : policy_oid_(policy_oid), domains_(domains) {}
+  explicit TrustImplNoCache(CFStringRef policy_oid) : policy_oid_(policy_oid) {}
 
   TrustImplNoCache(const TrustImplNoCache&) = delete;
   TrustImplNoCache& operator=(const TrustImplNoCache&) = delete;
 
   ~TrustImplNoCache() override = default;
 
-  // Returns true if |cert| is present in kSecTrustSettingsDomainSystem.
-  bool IsKnownRoot(const ParsedCertificate* cert) override {
-    if (domains_ == TrustDomains::kUserAndAdmin)
-      return false;
-    HashValue cert_hash(CalculateFingerprint256(cert->der_cert()));
-    base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-    return net::IsKnownRoot(cert_hash);
-  }
-
   // Returns the trust status for |cert|.
   TrustStatus IsCertTrusted(const ParsedCertificate* cert,
                             base::SupportsUserData* debug_data) override {
     int debug_info = 0;
     TrustStatus result =
-        IsCertificateTrustedForPolicy(cert, policy_oid_, domains_, &debug_info,
-                                      /*out_is_known_root=*/nullptr);
+        IsCertificateTrustedForPolicy(cert, policy_oid_, &debug_info);
     UpdateUserData(debug_info, debug_data,
                    TrustStoreMac::TrustImplType::kSimple);
     return result;
@@ -1007,7 +1045,6 @@ class TrustStoreMac::TrustImplNoCache : public TrustStoreMac::TrustImpl {
 
  private:
   const CFStringRef policy_oid_;
-  const TrustDomains domains_;
 };
 
 // TrustImplLRUCache is calls SecTrustSettingsCopyTrustSettings on every cert
@@ -1015,12 +1052,8 @@ class TrustStoreMac::TrustImplNoCache : public TrustStoreMac::TrustImpl {
 // keychain updates.
 class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl {
  public:
-  TrustImplLRUCache(CFStringRef policy_oid,
-                    size_t cache_size,
-                    TrustDomains domains)
-      : policy_oid_(policy_oid),
-        domains_(domains),
-        trust_status_cache_(cache_size) {
+  TrustImplLRUCache(CFStringRef policy_oid, size_t cache_size)
+      : policy_oid_(policy_oid), trust_status_cache_(cache_size) {
     keychain_observer_ = std::make_unique<KeychainTrustObserver>();
   }
 
@@ -1032,13 +1065,6 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl {
         FROM_HERE, std::move(keychain_observer_));
   }
 
-  // Returns true if |cert| has trust settings in kSecTrustSettingsDomainSystem.
-  bool IsKnownRoot(const ParsedCertificate* cert) override {
-    if (domains_ == TrustDomains::kUserAndAdmin)
-      return false;
-    return GetKnownRootStatus(cert) == KnownRootStatus::IS_KNOWN_ROOT;
-  }
-
   // Returns the trust status for |cert|.
   TrustStatus IsCertTrusted(const ParsedCertificate* cert,
                             base::SupportsUserData* debug_data) override {
@@ -1056,49 +1082,10 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl {
   struct TrustStatusDetails {
     TrustStatus trust_status = TrustStatus::UNKNOWN;
     int debug_info = 0;
-    KnownRootStatus is_known_root = KnownRootStatus::UNKNOWN;
   };
 
-  KnownRootStatus GetKnownRootStatus(const ParsedCertificate* cert) {
-    SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert());
-
-    int starting_cache_iteration = -1;
-    {
-      base::AutoLock lock(cache_lock_);
-      MaybeResetCache();
-      starting_cache_iteration = iteration_;
-      auto cache_iter = trust_status_cache_.Get(cert_hash);
-      if (cache_iter != trust_status_cache_.end() &&
-          cache_iter->second.is_known_root != KnownRootStatus::UNKNOWN) {
-        return cache_iter->second.is_known_root;
-      }
-    }
-
-    KnownRootStatus is_known_root = IsCertificateKnownRoot(cert);
-
-    {
-      base::AutoLock lock(cache_lock_);
-      MaybeResetCache();
-      if (iteration_ != starting_cache_iteration)
-        return is_known_root;
-
-      auto cache_iter = trust_status_cache_.Get(cert_hash);
-      // Update |is_known_root| on existing cache entry if there is one,
-      // otherwise create a new cache entry.
-      if (cache_iter != trust_status_cache_.end()) {
-        cache_iter->second.is_known_root = is_known_root;
-      } else {
-        TrustStatusDetails trust_details;
-        trust_details.is_known_root = is_known_root;
-        trust_status_cache_.Put(cert_hash, trust_details);
-      }
-    }
-    return is_known_root;
-  }
-
   TrustStatusDetails GetTrustStatus(const ParsedCertificate* cert) {
     SHA256HashValue cert_hash = CalculateFingerprint256(cert->der_cert());
-    TrustStatusDetails trust_details;
 
     int starting_cache_iteration = -1;
     {
@@ -1109,15 +1096,12 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl {
       if (cache_iter != trust_status_cache_.end()) {
         if (cache_iter->second.trust_status != TrustStatus::UNKNOWN)
           return cache_iter->second;
-        // If there was a cache entry but the trust status was not initialized,
-        // copy the existing values. (|is_known_root| might already be cached.)
-        trust_details = cache_iter->second;
       }
     }
 
+    TrustStatusDetails trust_details;
     trust_details.trust_status = IsCertificateTrustedForPolicy(
-        cert, policy_oid_, domains_, &trust_details.debug_info,
-        &trust_details.is_known_root);
+        cert, policy_oid_, &trust_details.debug_info);
 
     {
       base::AutoLock lock(cache_lock_);
@@ -1139,7 +1123,6 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl {
   }
 
   const CFStringRef policy_oid_;
-  const TrustDomains domains_;
   std::unique_ptr<KeychainTrustObserver> keychain_observer_;
 
   base::Lock cache_lock_;
@@ -1157,27 +1140,24 @@ class TrustStoreMac::TrustImplLRUCache : public TrustStoreMac::TrustImpl {
 
 TrustStoreMac::TrustStoreMac(CFStringRef policy_oid,
                              TrustImplType impl,
-                             size_t cache_size,
-                             TrustDomains domains)
-    : domains_(domains) {
+                             size_t cache_size) {
   switch (impl) {
     case TrustImplType::kUnknown:
       DCHECK(false);
       break;
     case TrustImplType::kDomainCache:
-      trust_cache_ =
-          std::make_unique<TrustImplDomainCache>(policy_oid, domains);
+      trust_cache_ = std::make_unique<TrustImplDomainCache>(policy_oid);
       break;
     case TrustImplType::kSimple:
-      trust_cache_ = std::make_unique<TrustImplNoCache>(policy_oid, domains);
+      trust_cache_ = std::make_unique<TrustImplNoCache>(policy_oid);
       break;
     case TrustImplType::kLruCache:
       trust_cache_ =
-          std::make_unique<TrustImplLRUCache>(policy_oid, cache_size, domains);
+          std::make_unique<TrustImplLRUCache>(policy_oid, cache_size);
       break;
     case TrustImplType::kDomainCacheFullCerts:
       trust_cache_ =
-          std::make_unique<TrustImplDomainCacheFullCerts>(policy_oid, domains);
+          std::make_unique<TrustImplDomainCacheFullCerts>(policy_oid);
       break;
   }
 }
@@ -1188,10 +1168,6 @@ void TrustStoreMac::InitializeTrustCache() const {
   trust_cache_->InitializeTrustCache();
 }
 
-bool TrustStoreMac::IsKnownRoot(const ParsedCertificate* cert) const {
-  return trust_cache_->IsKnownRoot(cert);
-}
-
 void TrustStoreMac::SyncGetIssuersOf(const ParsedCertificate* cert,
                                      ParsedCertificateList* issuers) {
   if (trust_cache_->ImplementsSyncGetIssuersOf()) {
@@ -1204,7 +1180,7 @@ void TrustStoreMac::SyncGetIssuersOf(const ParsedCertificate* cert,
     return;
 
   std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> matching_cert_buffers =
-      FindMatchingCertificatesForMacNormalizedSubject(name_data, domains_);
+      FindMatchingCertificatesForMacNormalizedSubject(name_data);
 
   // Convert to ParsedCertificate.
   for (auto& buffer : matching_cert_buffers) {
@@ -1248,8 +1224,7 @@ CertificateTrust TrustStoreMac::GetTrust(
 // static
 std::vector<bssl::UniquePtr<CRYPTO_BUFFER>>
 TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
-    CFDataRef name_data,
-    TrustDomains domains) {
+    CFDataRef name_data) {
   std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> matching_cert_buffers;
   base::ScopedCFTypeRef<CFMutableDictionaryRef> query(
       CFDictionaryCreateMutable(nullptr, 0, &kCFTypeDictionaryKeyCallBacks,
@@ -1273,52 +1248,6 @@ TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
     }
   }
 
-// Much of the Keychain API was marked deprecated as of the macOS 13 SDK.
-// Removal of its use is tracked in https://crbug.com/1348251 but deprecation
-// warnings are disabled in the meanwhile.
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wdeprecated-declarations"
-
-  if (domains == TrustDomains::kAll) {
-    // If a TestKeychainSearchList is present, it will have already set
-    // |scoped_alternate_keychain_search_list|, which will be used as the
-    // basis for reordering the keychain. Otherwise, get the current keychain
-    // search list and use that.
-    if (!scoped_alternate_keychain_search_list) {
-      OSStatus status = SecKeychainCopySearchList(
-          scoped_alternate_keychain_search_list.InitializeInto());
-      if (status) {
-        OSSTATUS_LOG(ERROR, status) << "SecKeychainCopySearchList error";
-        return matching_cert_buffers;
-      }
-    }
-
-    CFMutableArrayRef mutable_keychain_search_list = CFArrayCreateMutableCopy(
-        kCFAllocatorDefault,
-        CFArrayGetCount(scoped_alternate_keychain_search_list.get()) + 1,
-        scoped_alternate_keychain_search_list.get());
-    if (!mutable_keychain_search_list) {
-      LOG(ERROR) << "CFArrayCreateMutableCopy";
-      return matching_cert_buffers;
-    }
-    scoped_alternate_keychain_search_list.reset(mutable_keychain_search_list);
-
-    base::ScopedCFTypeRef<SecKeychainRef> roots_keychain;
-    // The System Roots keychain is not normally searched by
-    // SecItemCopyMatching. Get a reference to it and include in the keychain
-    // search list.
-    OSStatus status = SecKeychainOpen(
-        "/System/Library/Keychains/SystemRootCertificates.keychain",
-        roots_keychain.InitializeInto());
-    if (status) {
-      OSSTATUS_LOG(ERROR, status) << "SecKeychainOpen error";
-      return matching_cert_buffers;
-    }
-    CFArrayAppendValue(mutable_keychain_search_list, roots_keychain);
-  }
-
-#pragma clang diagnostic pop
-
   if (scoped_alternate_keychain_search_list) {
     CFDictionarySetValue(query, kSecMatchSearchList,
                          scoped_alternate_keychain_search_list.get());
diff --git a/chromium/net/cert/internal/trust_store_mac.h b/chromium/net/cert/internal/trust_store_mac.h
index e7f9a964cb0..86119d55e16 100644
--- a/chromium/net/cert/internal/trust_store_mac.h
+++ b/chromium/net/cert/internal/trust_store_mac.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -84,17 +84,6 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
     kDomainCacheFullCerts = 4,
   };
 
-  enum class TrustDomains {
-    // Load trust settings and certificates from all three trust domains
-    // (user, admin, system).
-    kAll = 0,
-
-    // Load trust settings and certificates from only the user and admin trust
-    // domains. This will find trust settings that have been set locally or by
-    // an enterprise, but not those distributed with the OS.
-    kUserAndAdmin = 1,
-  };
-
   class ResultDebugData : public base::SupportsUserData::Data {
    public:
     static const ResultDebugData* Get(const base::SupportsUserData* debug_data);
@@ -125,10 +114,7 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
   // |impl| selects which internal implementation is used for checking trust
   // settings, and the interpretation of |cache_size| varies depending on
   // |impl|.
-  TrustStoreMac(CFStringRef policy_oid,
-                TrustImplType impl,
-                size_t cache_size,
-                TrustDomains domains);
+  TrustStoreMac(CFStringRef policy_oid, TrustImplType impl, size_t cache_size);
 
   TrustStoreMac(const TrustStoreMac&) = delete;
   TrustStoreMac& operator=(const TrustStoreMac&) = delete;
@@ -138,10 +124,6 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
   // Initializes the trust cache, if it isn't already initialized.
   void InitializeTrustCache() const;
 
-  // Returns true if the given certificate is present in the system trust
-  // domain.
-  bool IsKnownRoot(const ParsedCertificate* cert) const;
-
   // TrustStore implementation:
   void SyncGetIssuersOf(const ParsedCertificate* cert,
                         ParsedCertificateList* issuers) override;
@@ -155,14 +137,11 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
   class TrustImplNoCache;
   class TrustImplLRUCache;
 
-  FRIEND_TEST_ALL_PREFIXES(TrustStoreMacImplTest, MultiRootNotTrusted);
-
   // Finds certificates in the OS keychains whose Subject matches |name_data|.
   // The result is an array of CRYPTO_BUFFERs containing the DER certificate
   // data.
   static std::vector<bssl::UniquePtr<CRYPTO_BUFFER>>
-  FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data,
-                                                  TrustDomains domains);
+  FindMatchingCertificatesForMacNormalizedSubject(CFDataRef name_data);
 
   // Returns the OS-normalized issuer of |cert|.
   // macOS internally uses a normalized form of subject/issuer names for
@@ -171,7 +150,6 @@ class NET_EXPORT TrustStoreMac : public TrustStore {
   static base::ScopedCFTypeRef<CFDataRef> GetMacNormalizedIssuer(
       const ParsedCertificate* cert);
 
-  TrustDomains domains_;
   std::unique_ptr<TrustImpl> trust_cache_;
 };
 
diff --git a/chromium/net/cert/internal/trust_store_mac_unittest.cc b/chromium/net/cert/internal/trust_store_mac_unittest.cc
index 92383414d74..9b714f31e7d 100644
--- a/chromium/net/cert/internal/trust_store_mac_unittest.cc
+++ b/chromium/net/cert/internal/trust_store_mac_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -13,15 +13,16 @@
 #include "base/logging.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
+#include "base/strings/strcat.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
 #include "base/synchronization/lock.h"
 #include "base/test/metrics/histogram_tester.h"
 #include "crypto/mac_security_services_lock.h"
 #include "crypto/sha2.h"
-#include "net/cert/known_roots_mac.h"
 #include "net/cert/pem.h"
 #include "net/cert/pki/cert_errors.h"
+#include "net/cert/pki/parsed_certificate.h"
 #include "net/cert/pki/test_helpers.h"
 #include "net/cert/test_keychain_search_list_mac.h"
 #include "net/cert/x509_certificate.h"
@@ -67,19 +68,6 @@ const char kCertificateHeader[] = "CERTIFICATE";
   return ::testing::AssertionSuccess();
 }
 
-// Returns the DER encodings of the  in |array|.
-std::vector<std::string> CryptoBufferVectorAsStringVector(
-    const std::vector<bssl::UniquePtr<CRYPTO_BUFFER>>& array) {
-  std::vector<std::string> result;
-
-  for (const auto& buffer : array) {
-    result.push_back(
-        std::string(x509_util::CryptoBufferAsStringPiece(buffer.get())));
-  }
-
-  return result;
-}
-
 // Returns the DER encodings of the ParsedCertificates in |list|.
 std::vector<std::string> ParsedCertificateListAsDER(
     ParsedCertificateList list) {
@@ -116,17 +104,25 @@ class DebugData : public base::SupportsUserData {
   ~DebugData() override = default;
 };
 
-enum IsKnownRootTestOrder {
-  TEST_IS_KNOWN_ROOT_BEFORE,
-  TEST_IS_KNOWN_ROOT_AFTER,
-};
+const char* TrustImplTypeToString(TrustStoreMac::TrustImplType t) {
+  switch (t) {
+    case TrustStoreMac::TrustImplType::kDomainCache:
+      return "DomainCache";
+    case TrustStoreMac::TrustImplType::kSimple:
+      return "Simple";
+    case TrustStoreMac::TrustImplType::kLruCache:
+      return "LruCache";
+    case TrustStoreMac::TrustImplType::kDomainCacheFullCerts:
+      return "DomainCacheFullCerts";
+    case TrustStoreMac::TrustImplType::kUnknown:
+      return "Unknown";
+  }
+}
 
 }  // namespace
 
 class TrustStoreMacImplTest
-    : public testing::TestWithParam<std::tuple<TrustStoreMac::TrustImplType,
-                                               IsKnownRootTestOrder,
-                                               TrustStoreMac::TrustDomains>> {};
+    : public testing::TestWithParam<TrustStoreMac::TrustImplType> {};
 
 // Much of the Keychain API was marked deprecated as of the macOS 13 SDK.
 // Removal of its use is tracked in https://crbug.com/1348251 but deprecation
@@ -155,11 +151,8 @@ TEST_P(TrustStoreMacImplTest, MultiRootNotTrusted) {
 
 #pragma clang diagnostic pop
 
-  const TrustStoreMac::TrustImplType trust_impl = std::get<0>(GetParam());
-  const IsKnownRootTestOrder is_known_root_test_order = std::get<1>(GetParam());
-  const TrustStoreMac::TrustDomains trust_domains = std::get<2>(GetParam());
-  TrustStoreMac trust_store(kSecPolicyAppleSSL, trust_impl, kDefaultCacheSize,
-                            trust_domains);
+  const TrustStoreMac::TrustImplType trust_impl = GetParam();
+  TrustStoreMac trust_store(kSecPolicyAppleSSL, trust_impl, kDefaultCacheSize);
 
   scoped_refptr<ParsedCertificate> a_by_b, b_by_c, b_by_f, c_by_d, c_by_e,
       f_by_e, d_by_d, e_by_e;
@@ -172,68 +165,45 @@ TEST_P(TrustStoreMacImplTest, MultiRootNotTrusted) {
   ASSERT_TRUE(ReadTestCert("multi-root-D-by-D.pem", &d_by_d));
   ASSERT_TRUE(ReadTestCert("multi-root-E-by-E.pem", &e_by_e));
 
-  base::ScopedCFTypeRef<CFDataRef> normalized_name_b =
-      TrustStoreMac::GetMacNormalizedIssuer(a_by_b.get());
-  ASSERT_TRUE(normalized_name_b);
-  base::ScopedCFTypeRef<CFDataRef> normalized_name_c =
-      TrustStoreMac::GetMacNormalizedIssuer(b_by_c.get());
-  ASSERT_TRUE(normalized_name_c);
-  base::ScopedCFTypeRef<CFDataRef> normalized_name_f =
-      TrustStoreMac::GetMacNormalizedIssuer(b_by_f.get());
-  ASSERT_TRUE(normalized_name_f);
-  base::ScopedCFTypeRef<CFDataRef> normalized_name_d =
-      TrustStoreMac::GetMacNormalizedIssuer(c_by_d.get());
-  ASSERT_TRUE(normalized_name_d);
-  base::ScopedCFTypeRef<CFDataRef> normalized_name_e =
-      TrustStoreMac::GetMacNormalizedIssuer(f_by_e.get());
-  ASSERT_TRUE(normalized_name_e);
-
-  // Test that the matching keychain items are found, even though they aren't
-  // trusted.
-  // TODO(eroman): These tests could be using TrustStore::SyncGetIssuersOf().
+  // Test that the untrusted keychain certs would be found during issuer
+  // searching.
   {
-    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items =
-        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
-            normalized_name_b.get(), trust_domains);
-
-    EXPECT_THAT(CryptoBufferVectorAsStringVector(scoped_matching_items),
+    ParsedCertificateList found_issuers;
+    trust_store.SyncGetIssuersOf(a_by_b.get(), &found_issuers);
+    EXPECT_THAT(ParsedCertificateListAsDER(found_issuers),
                 UnorderedElementsAreArray(
                     ParsedCertificateListAsDER({b_by_c, b_by_f})));
   }
 
   {
-    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items =
-        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
-            normalized_name_c.get(), trust_domains);
-    EXPECT_THAT(CryptoBufferVectorAsStringVector(scoped_matching_items),
+    ParsedCertificateList found_issuers;
+    trust_store.SyncGetIssuersOf(b_by_c.get(), &found_issuers);
+    EXPECT_THAT(ParsedCertificateListAsDER(found_issuers),
                 UnorderedElementsAreArray(
                     ParsedCertificateListAsDER({c_by_d, c_by_e})));
   }
 
   {
-    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items =
-        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
-            normalized_name_f.get(), trust_domains);
+    ParsedCertificateList found_issuers;
+    trust_store.SyncGetIssuersOf(b_by_f.get(), &found_issuers);
     EXPECT_THAT(
-        CryptoBufferVectorAsStringVector(scoped_matching_items),
+        ParsedCertificateListAsDER(found_issuers),
         UnorderedElementsAreArray(ParsedCertificateListAsDER({f_by_e})));
   }
 
   {
-    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items =
-        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
-            normalized_name_d.get(), trust_domains);
+    ParsedCertificateList found_issuers;
+    trust_store.SyncGetIssuersOf(c_by_d.get(), &found_issuers);
     EXPECT_THAT(
-        CryptoBufferVectorAsStringVector(scoped_matching_items),
+        ParsedCertificateListAsDER(found_issuers),
         UnorderedElementsAreArray(ParsedCertificateListAsDER({d_by_d})));
   }
 
   {
-    std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> scoped_matching_items =
-        TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
-            normalized_name_e.get(), trust_domains);
+    ParsedCertificateList found_issuers;
+    trust_store.SyncGetIssuersOf(f_by_e.get(), &found_issuers);
     EXPECT_THAT(
-        CryptoBufferVectorAsStringVector(scoped_matching_items),
+        ParsedCertificateListAsDER(found_issuers),
         UnorderedElementsAreArray(ParsedCertificateListAsDER({e_by_e})));
   }
 
@@ -242,8 +212,6 @@ TEST_P(TrustStoreMacImplTest, MultiRootNotTrusted) {
   // added and trusted the test certs on the machine the test is being run on).
   for (const auto& cert :
        {a_by_b, b_by_c, b_by_f, c_by_d, c_by_e, f_by_e, d_by_d, e_by_e}) {
-    if (is_known_root_test_order == TEST_IS_KNOWN_ROOT_BEFORE)
-      EXPECT_FALSE(trust_store.IsKnownRoot(cert.get()));
     DebugData debug_data;
     CertificateTrust trust = trust_store.GetTrust(cert.get(), &debug_data);
     EXPECT_EQ(CertificateTrustType::UNSPECIFIED, trust.type);
@@ -254,8 +222,6 @@ TEST_P(TrustStoreMacImplTest, MultiRootNotTrusted) {
     ASSERT_TRUE(trust_debug_data);
     EXPECT_EQ(0, trust_debug_data->combined_trust_debug_info());
     EXPECT_EQ(trust_impl, trust_debug_data->trust_impl());
-    if (is_known_root_test_order == TEST_IS_KNOWN_ROOT_AFTER)
-      EXPECT_FALSE(trust_store.IsKnownRoot(cert.get()));
   }
 }
 
@@ -288,13 +254,11 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) {
       ParseFindCertificateOutputToDerCerts(
           find_certificate_system_roots_output);
 
-  const TrustStoreMac::TrustImplType trust_impl = std::get<0>(GetParam());
-  const IsKnownRootTestOrder is_known_root_test_order = std::get<1>(GetParam());
-  const TrustStoreMac::TrustDomains trust_domains = std::get<2>(GetParam());
+  const TrustStoreMac::TrustImplType trust_impl = GetParam();
 
   base::HistogramTester histogram_tester;
   TrustStoreMac trust_store(kSecPolicyAppleX509Basic, trust_impl,
-                            kDefaultCacheSize, trust_domains);
+                            kDefaultCacheSize);
 
   base::ScopedCFTypeRef<SecPolicyRef> sec_policy(SecPolicyCreateBasicX509());
   ASSERT_TRUE(sec_policy);
@@ -334,16 +298,6 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) {
       continue;
     }
 
-    if (is_known_root_test_order == TEST_IS_KNOWN_ROOT_BEFORE) {
-      bool trust_store_is_known_root = trust_store.IsKnownRoot(cert.get());
-      if (trust_domains == TrustStoreMac::TrustDomains::kAll) {
-        base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-        EXPECT_EQ(net::IsKnownRoot(cert_handle), trust_store_is_known_root);
-      } else {
-        EXPECT_FALSE(trust_store_is_known_root);
-      }
-    }
-
     // Check if this cert is considered a trust anchor by TrustStoreMac.
     DebugData debug_data;
     CertificateTrust cert_trust = trust_store.GetTrust(cert.get(), &debug_data);
@@ -365,16 +319,15 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) {
                                               kSecTrustOptionAllowExpired |
                                               kSecTrustOptionAllowExpiredRoot));
 
-      if (trust_domains == TrustStoreMac::TrustDomains::kUserAndAdmin &&
-          find_certificate_default_search_list_certs.count(cert_der) &&
+      if (find_certificate_default_search_list_certs.count(cert_der) &&
           find_certificate_system_roots_certs.count(cert_der)) {
         // If the same certificate is present in both the System and User/Admin
         // domains, and TrustStoreMac is only using trust settings from
         // User/Admin, then it's not possible for this test to know whether the
         // result from SecTrustEvaluate should match the TrustStoreMac result.
         // Just ignore such certificates.
-      } else if (trust_domains == TrustStoreMac::TrustDomains::kUserAndAdmin &&
-                 !find_certificate_default_search_list_certs.count(cert_der)) {
+      } else if (!find_certificate_default_search_list_certs.count(cert_der)) {
+        // Cert is only in the system domain. It should be untrusted.
         EXPECT_FALSE(is_trust_anchor);
       } else {
         SecTrustResultType trust_result;
@@ -397,16 +350,6 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) {
       EXPECT_EQ(trust_impl, trust_debug_data->trust_impl());
     }
 
-    if (is_known_root_test_order == TEST_IS_KNOWN_ROOT_AFTER) {
-      bool trust_store_is_known_root = trust_store.IsKnownRoot(cert.get());
-      if (trust_domains == TrustStoreMac::TrustDomains::kAll) {
-        base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-        EXPECT_EQ(net::IsKnownRoot(cert_handle), trust_store_is_known_root);
-      } else {
-        EXPECT_FALSE(trust_store_is_known_root);
-      }
-    }
-
     // Call GetTrust again on the same cert. This should exercise the code
     // that checks the trust value for a cert which has already been cached.
     DebugData debug_data2;
@@ -431,26 +374,18 @@ TEST_P(TrustStoreMacImplTest, SystemCerts) {
         "Net.CertVerifier.MacTrustDomainCertCount.User", 1);
     histogram_tester.ExpectTotalCount(
         "Net.CertVerifier.MacTrustDomainCertCount.Admin", 1);
-    histogram_tester.ExpectTotalCount(
-        "Net.CertVerifier.MacTrustDomainCertCount.System",
-        (trust_domains == TrustStoreMac::TrustDomains::kAll) ? 1 : 0);
   }
 }
 
 INSTANTIATE_TEST_SUITE_P(
     Impl,
     TrustStoreMacImplTest,
-    testing::Combine(
-        testing::Values(TrustStoreMac::TrustImplType::kDomainCache,
-                        TrustStoreMac::TrustImplType::kSimple,
-                        TrustStoreMac::TrustImplType::kLruCache,
-                        TrustStoreMac::TrustImplType::kDomainCacheFullCerts),
-        // Some TrustImpls may calculate/cache IsKnownRoot values and trust
-        // values independently, so test with calling IsKnownRoot both before
-        // and after GetTrust to try to ensure there is no ordering issue with
-        // which one initializes the cache first.
-        testing::Values(TEST_IS_KNOWN_ROOT_BEFORE, TEST_IS_KNOWN_ROOT_AFTER),
-        testing::Values(TrustStoreMac::TrustDomains::kAll,
-                        TrustStoreMac::TrustDomains::kUserAndAdmin)));
+    testing::Values(TrustStoreMac::TrustImplType::kDomainCache,
+                    TrustStoreMac::TrustImplType::kSimple,
+                    TrustStoreMac::TrustImplType::kLruCache,
+                    TrustStoreMac::TrustImplType::kDomainCacheFullCerts),
+    [](const testing::TestParamInfo<TrustStoreMacImplTest::ParamType>& info) {
+      return TrustImplTypeToString(info.param);
+    });
 
 }  // namespace net
diff --git a/chromium/net/cert/internal/trust_store_nss.cc b/chromium/net/cert/internal/trust_store_nss.cc
index f9d616119a4..ffdb47af3d6 100644
--- a/chromium/net/cert/internal/trust_store_nss.cc
+++ b/chromium/net/cert/internal/trust_store_nss.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/trust_store_nss.h b/chromium/net/cert/internal/trust_store_nss.h
index 2eebd88e2bd..162aedcd97d 100644
--- a/chromium/net/cert/internal/trust_store_nss.h
+++ b/chromium/net/cert/internal/trust_store_nss.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/trust_store_nss_unittest.cc b/chromium/net/cert/internal/trust_store_nss_unittest.cc
index 6bdd0c01a2e..d2f1f9afc03 100644
--- a/chromium/net/cert/internal/trust_store_nss_unittest.cc
+++ b/chromium/net/cert/internal/trust_store_nss_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/trust_store_win.cc b/chromium/net/cert/internal/trust_store_win.cc
index 85159c87fa5..991a3a9804d 100644
--- a/chromium/net/cert/internal/trust_store_win.cc
+++ b/chromium/net/cert/internal/trust_store_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -68,8 +68,9 @@ bool IsCertTrustedForServerAuth(PCCERT_CONTEXT cert) {
     }
   }
   for (DWORD i = 0; i < usage->cUsageIdentifier; i++) {
-    if (base::StringPiece(usage->rgpszUsageIdentifier[i]) ==
-        szOID_PKIX_KP_SERVER_AUTH) {
+    base::StringPiece eku = base::StringPiece(usage->rgpszUsageIdentifier[i]);
+    if ((eku == szOID_PKIX_KP_SERVER_AUTH) ||
+        (eku == szOID_ANY_ENHANCED_KEY_USAGE)) {
       return true;
     }
   }
@@ -245,34 +246,26 @@ void TrustStoreWin::SyncGetIssuersOf(const ParsedCertificate* cert,
 // whether to continue path building, but doesn't treat the certificate
 // as affirmatively revoked/distrusted.
 //
-// Rather than have these EKUs expressed during ParsedCertificate, which
-// would require threading platform-specific knowledge throughout the
-// CertVerifier, this is implemented via CertificateTrust: if the
-// certificate has a given EKU disabled (i.e. TLS server auth), it's
-// treated as if it's distrusted. This has the effect of causing path
-// building to try the next path.
+// This behaviour is replicated here by returning Unspecified trust if
+// we find instances of the cert that do not have the correct EKUs set
+// for TLS Server Auth. This allows path building to continue and allows
+// us to later trust the cert if it is present in Chrome Root Store.
 //
-// Put differently:
-//   - If a certificate is in the Disallowed store and usable for EKU, then
-//     it's affirmatively distrusted/revoked. This is checked first and
-//     overrides everything else.
-//   - If a certificate is in the ROOT store, and usable for an EKU,
+// Windows does have some idiosyncrasies here, which result in the
+// following treatment:
+//
+//   - If a certificate is in the Disallowed store, it is distrusted for
+//     all purposes regardless of any EKUs that are set.
+//   - If a certificate is in the ROOT store, and usable for TLS Server Auth,
 //     then it's trusted.
-//   - If a certificate is in the root store, and lacks the EKU, but in
-//     the intermediate store, and has the EKU, then continue path
-//     building, but don't treat it as trusted (aka Unspecified)
-//   - If a certificate is both/either in the root store and the
-//     intermediate store, and neither have the EKU, then treat this
-//     path as terminal for path building ("Distrusted", which is
-//     imprecise but good enough).
+//   - If a certificate is in the root store, and lacks the EKU, then continue
+//     path building, but don't treat it as trusted (aka Unspecified).
 //   - If we can't find the cert anywhere, then continue path
 //     building, but don't treat it as trusted (aka Unspecified).
 //
 // If a certificate is found multiple times in the ROOT store, it is trusted
-// for TLS server auth if and only if every instance of the certificate found
-// is usable for TLS server auth. Similar logic applies for certificates in
-// the intermediate store (only return unspecified if and only if all instances
-// of the certificate found are usable for TLS server auth).
+// for TLS server auth if any instance of the certificate found
+// is usable for TLS server auth.
 CertificateTrust TrustStoreWin::GetTrust(
     const ParsedCertificate* cert,
     base::SupportsUserData* debug_data) const {
@@ -290,14 +283,13 @@ CertificateTrust TrustStoreWin::GetTrust(
               CERT_FIND_SHA1_HASH, &cert_hash_blob, cert_from_store))) {
     base::span<const uint8_t> cert_from_store_span = base::make_span(
         cert_from_store->pbCertEncoded, cert_from_store->cbCertEncoded);
-    if (base::ranges::equal(cert_span, cert_from_store_span) &&
-        IsCertTrustedForServerAuth(cert_from_store)) {
+    // If a cert is in the windows distruted store, it is considered
+    // distrusted for all purporses. EKU isn't checked. See crbug.com/1355961.
+    if (base::ranges::equal(cert_span, cert_from_store_span)) {
       return CertificateTrust::ForDistrusted();
     }
   }
 
-  bool root_found = false;
-  bool root_is_trusted = true;
   // TODO(https://crbug.com/1239270): figure out if this is thread-safe or if we
   // need locking here
   while ((cert_from_store = CertFindCertificateInStore(
@@ -306,51 +298,26 @@ CertificateTrust TrustStoreWin::GetTrust(
     base::span<const uint8_t> cert_from_store_span = base::make_span(
         cert_from_store->pbCertEncoded, cert_from_store->cbCertEncoded);
     if (base::ranges::equal(cert_span, cert_from_store_span)) {
-      root_found = true;
-      root_is_trusted &= IsCertTrustedForServerAuth(cert_from_store);
+      // If we find at least one version of the cert that is trusted for TLS
+      // Server Auth, we will trust the cert.
+      if (IsCertTrustedForServerAuth(cert_from_store)) {
+        return CertificateTrust::ForTrustAnchorEnforcingExpiration();
+      }
     }
   }
 
-  // Found at least one instance of the cert in the root store, and all
-  // instances found are trusted for TLS server auth.
-  if (root_found && root_is_trusted) {
-    return CertificateTrust::ForTrustAnchorEnforcingExpiration();
-  }
-
-  cert_from_store = nullptr;
-  bool intermediate_found = false;
-  bool intermediate_is_trusted = true;
-  while ((cert_from_store = CertFindCertificateInStore(
-              intermediate_cert_store_.get(), X509_ASN_ENCODING, 0,
-              CERT_FIND_SHA1_HASH, &cert_hash_blob, cert_from_store))) {
-    base::span<const uint8_t> cert_from_store_span = base::make_span(
-        cert_from_store->pbCertEncoded, cert_from_store->cbCertEncoded);
-
-    if (base::ranges::equal(cert_span, cert_from_store_span)) {
-      // Found cert, yay!
-      intermediate_found = true;
-      intermediate_is_trusted &= IsCertTrustedForServerAuth(cert_from_store);
-    }
-  }
-
-  // Found at least one instance of the cert in the intermediate store, and all
-  // instances found are trusted for TLS server auth.
-  if (intermediate_found && intermediate_is_trusted) {
-    return CertificateTrust::ForUnspecified();
-  }
-
   // If we fall through here, we've either
   //
-  // (a) found the cert in root or intermediates (or both) but neither is
-  //     usable for server auth (in which case treat as distrusted for path
-  //     building)
+  // (a) found the cert but it is not usable for server auth. Treat this as
+  //     Unspecified trust. Originally this was treated as Distrusted, but this
+  //     is inconsistent with how the Windows verifier works, which is to union
+  //     all of the EKU usages for all instances of the cert, whereas sending
+  //     back Distrusted would not do that.
   //
   // or
   //
   // (b) Haven't found the cert. Tell everyone Unspecified.
-  return (root_found || intermediate_found)
-             ? CertificateTrust::ForDistrusted()
-             : CertificateTrust::ForUnspecified();
+  return CertificateTrust::ForUnspecified();
 }
 
 }  // namespace net
diff --git a/chromium/net/cert/internal/trust_store_win.h b/chromium/net/cert/internal/trust_store_win.h
index 4d2fe96e7e6..1782bf02cf5 100644
--- a/chromium/net/cert/internal/trust_store_win.h
+++ b/chromium/net/cert/internal/trust_store_win.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/internal/trust_store_win_unittest.cc b/chromium/net/cert/internal/trust_store_win_unittest.cc
index b1b73c4a92d..c37b88bb96d 100644
--- a/chromium/net/cert/internal/trust_store_win_unittest.cc
+++ b/chromium/net/cert/internal/trust_store_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -150,12 +150,8 @@ TEST(TrustStoreWin, GetTrust) {
 //
 // - kMultiRootDByD: only has szOID_PKIX_KP_SERVER_AUTH EKU set
 // - kMultiRootEByE: only has szOID_PKIX_KP_CLIENT_AUTH set
+// - kMultiRootCByE: only has szOID_ANY_ENHANCED_KEY_USAGE set
 // - kMultiRootCByD: no EKU usages set
-//
-// And the intermediate store as follows:
-//
-// - kMultiRootCByE: only has szOID_PKIX_KP_CLIENT_AUTH set
-// - kMultiRootCByD: only has szOID_PKIX_KP_SERVER_AUTH EKU set
 TEST(TrustStoreWin, GetTrustRestrictedEKU) {
   crypto::ScopedHCERTSTORE root_store(CertOpenStore(
       CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr));
@@ -168,12 +164,10 @@ TEST(TrustStoreWin, GetTrustRestrictedEKU) {
                                            szOID_PKIX_KP_SERVER_AUTH));
   ASSERT_TRUE(AddToStoreWithEKURestriction(root_store.get(), kMultiRootEByE,
                                            szOID_PKIX_KP_CLIENT_AUTH));
+  ASSERT_TRUE(AddToStoreWithEKURestriction(root_store.get(), kMultiRootCByE,
+                                           szOID_ANY_ENHANCED_KEY_USAGE));
   ASSERT_TRUE(
       AddToStoreWithEKURestriction(root_store.get(), kMultiRootCByD, nullptr));
-  ASSERT_TRUE(AddToStoreWithEKURestriction(
-      intermediate_store.get(), kMultiRootCByE, szOID_PKIX_KP_CLIENT_AUTH));
-  ASSERT_TRUE(AddToStoreWithEKURestriction(
-      intermediate_store.get(), kMultiRootCByD, szOID_PKIX_KP_SERVER_AUTH));
   std::unique_ptr<TrustStoreWin> trust_store_win =
       TrustStoreWin::CreateForTesting(std::move(root_store),
                                       std::move(intermediate_store),
@@ -186,15 +180,14 @@ TEST(TrustStoreWin, GetTrustRestrictedEKU) {
       // Root cert with EKU szOID_PKIX_KP_SERVER_AUTH usage set should be
       // trusted.
       {kMultiRootDByD, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION},
+      // Root cert with EKU szOID_ANY_ENHANCED_KEY_USAGE usage set should be
+      // trusted.
+      {kMultiRootCByE, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION},
       // Root cert with EKU szOID_PKIX_KP_CLIENT_AUTH does not allow usage of
-      // cert for server auth.
-      {kMultiRootEByE, CertificateTrustType::DISTRUSTED},
-      // Root cert with no EKU usages but is also an intermediate cert that is
-      // allowed for server auth, so we let it be used for path building.
+      // cert for server auth, return UNSPECIFIED.
+      {kMultiRootEByE, CertificateTrustType::UNSPECIFIED},
+      // Root cert with no EKU usages, return UNSPECIFIED.
       {kMultiRootCByD, CertificateTrustType::UNSPECIFIED},
-      // Intermediate cert with EKU szOID_PKIX_KP_CLIENT_AUTH does not allow
-      // usage of cert for server auth.
-      {kMultiRootCByE, CertificateTrustType::DISTRUSTED},
       // Unknown cert has unspecified trust.
       {kMultiRootFByE, CertificateTrustType::UNSPECIFIED},
   };
@@ -209,7 +202,17 @@ TEST(TrustStoreWin, GetTrustRestrictedEKU) {
 }
 
 // Test if duplicate certs are added to the root and intermediate stores,
-// possibly with different EKU usages.
+// possibly with different EKU usages. Root store set up as follows:
+//
+// - kMultiRootDByD: only has szOID_PKIX_KP_CLIENT_AUTH EKU set
+// - kMultiRootDByD (dupe): only has szOID_PKIX_KP_SERVER_AUTH set
+// - kMultiRootDByD (dupe 2): no EKU usages set
+//
+// And the intermediate store as follows:
+//
+// - kMultiRootCByD: only has szOID_PKIX_KP_CLIENT_AUTH set
+// - kMultiRootCByD (dupe): only has szOID_PKIX_KP_SERVER_AUTH EKU set
+
 TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) {
   crypto::ScopedHCERTSTORE root_store(CertOpenStore(
       CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr));
@@ -224,10 +227,6 @@ TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) {
                                            szOID_PKIX_KP_SERVER_AUTH));
   ASSERT_TRUE(
       AddToStoreWithEKURestriction(root_store.get(), kMultiRootDByD, nullptr));
-  ASSERT_TRUE(AddToStoreWithEKURestriction(
-      intermediate_store.get(), kMultiRootCByD, szOID_PKIX_KP_SERVER_AUTH));
-  ASSERT_TRUE(AddToStoreWithEKURestriction(
-      intermediate_store.get(), kMultiRootCByD, szOID_PKIX_KP_SERVER_AUTH));
   std::unique_ptr<TrustStoreWin> trust_store_win =
       TrustStoreWin::CreateForTesting(std::move(root_store),
                                       std::move(intermediate_store),
@@ -237,10 +236,8 @@ TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) {
     base::StringPiece file_name;
     CertificateTrustType expected_result;
   } kTestData[] = {
-      {kMultiRootDByD, CertificateTrustType::DISTRUSTED},
-      // Root cert with no EKU usages but is also an intermediate cert that is
-      // allowed for server auth, so we let it be used for path building.
-      {kMultiRootCByD, CertificateTrustType::UNSPECIFIED},
+      // One copy of the Root cert is trusted for TLS Server Auth.
+      {kMultiRootDByD, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION},
   };
   for (const auto& test_data : kTestData) {
     SCOPED_TRACE(test_data.file_name);
@@ -252,8 +249,7 @@ TEST(TrustStoreWin, GetTrustRestrictedEKUDuplicateCerts) {
   }
 }
 
-// Test that disallowed certs with the right EKU settings will be
-// distrusted.
+// Test that disallowed certs will be distrusted regardless of EKU settings.
 TEST(TrustStoreWin, GetTrustDisallowedCerts) {
   crypto::ScopedHCERTSTORE root_store(CertOpenStore(
       CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr));
@@ -277,9 +273,8 @@ TEST(TrustStoreWin, GetTrustDisallowedCerts) {
     base::StringPiece file_name;
     CertificateTrustType expected_result;
   } kTestData[] = {
-      // dByD in root, also in distrusted but without szOID_PKIX_KP_SERVER_AUTH
-      // set.
-      {kMultiRootDByD, CertificateTrustType::TRUSTED_ANCHOR_WITH_EXPIRATION},
+      // dByD in root, distrusted but without szOID_PKIX_KP_SERVER_AUTH set.
+      {kMultiRootDByD, CertificateTrustType::DISTRUSTED},
       // dByD in root, also in distrusted with szOID_PKIX_KP_SERVER_AUTH set.
       {kMultiRootEByE, CertificateTrustType::DISTRUSTED},
   };
diff --git a/chromium/net/cert/known_roots.cc b/chromium/net/cert/known_roots.cc
index ffa625b8c73..bab8dfa9636 100644
--- a/chromium/net/cert/known_roots.cc
+++ b/chromium/net/cert/known_roots.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/known_roots.h b/chromium/net/cert/known_roots.h
index d3bdbcd1a0f..02a0264f986 100644
--- a/chromium/net/cert/known_roots.h
+++ b/chromium/net/cert/known_roots.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/known_roots_mac.cc b/chromium/net/cert/known_roots_mac.cc
index 383c576f8a3..ada97b821af 100644
--- a/chromium/net/cert/known_roots_mac.cc
+++ b/chromium/net/cert/known_roots_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/known_roots_mac.h b/chromium/net/cert/known_roots_mac.h
index 2ad8c57c843..d0a2429c757 100644
--- a/chromium/net/cert/known_roots_mac.h
+++ b/chromium/net/cert/known_roots_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/known_roots_nss.cc b/chromium/net/cert/known_roots_nss.cc
index ab3848b5cc4..93130bd3a87 100644
--- a/chromium/net/cert/known_roots_nss.cc
+++ b/chromium/net/cert/known_roots_nss.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -34,7 +34,7 @@ using PK11HasAttributeSetFunction = CK_BBOOL (*)(PK11SlotInfo* slot,
 
 // IsKnownRoot returns true if the given certificate is one that we believe
 // is a standard (as opposed to user-installed) root.
-NO_SANITIZE("cfi-icall")
+DISABLE_CFI_DLSYM
 bool IsKnownRoot(CERTCertificate* root) {
   if (!root || !root->slot)
     return false;
diff --git a/chromium/net/cert/known_roots_nss.h b/chromium/net/cert/known_roots_nss.h
index 5d150d237dc..76ab823bd61 100644
--- a/chromium/net/cert/known_roots_nss.h
+++ b/chromium/net/cert/known_roots_nss.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/known_roots_unittest.cc b/chromium/net/cert/known_roots_unittest.cc
index 1186757de18..bef47cdbc4b 100644
--- a/chromium/net/cert/known_roots_unittest.cc
+++ b/chromium/net/cert/known_roots_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/known_roots_win.cc b/chromium/net/cert/known_roots_win.cc
index 89c9a41621b..c3b37acc7bf 100644
--- a/chromium/net/cert/known_roots_win.cc
+++ b/chromium/net/cert/known_roots_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/known_roots_win.h b/chromium/net/cert/known_roots_win.h
index f7417f08cdc..6033760c934 100644
--- a/chromium/net/cert/known_roots_win.h
+++ b/chromium/net/cert/known_roots_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/merkle_audit_proof.cc b/chromium/net/cert/merkle_audit_proof.cc
index 46e9f32a05b..3ccd8d07f74 100644
--- a/chromium/net/cert/merkle_audit_proof.cc
+++ b/chromium/net/cert/merkle_audit_proof.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/merkle_audit_proof.h b/chromium/net/cert/merkle_audit_proof.h
index 6aa36205716..39fbd9d3977 100644
--- a/chromium/net/cert/merkle_audit_proof.h
+++ b/chromium/net/cert/merkle_audit_proof.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/merkle_audit_proof_unittest.cc b/chromium/net/cert/merkle_audit_proof_unittest.cc
index 602a58494fc..d77e0acf478 100644
--- a/chromium/net/cert/merkle_audit_proof_unittest.cc
+++ b/chromium/net/cert/merkle_audit_proof_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/merkle_consistency_proof.cc b/chromium/net/cert/merkle_consistency_proof.cc
index a6ac1bb173c..404ca1c599f 100644
--- a/chromium/net/cert/merkle_consistency_proof.cc
+++ b/chromium/net/cert/merkle_consistency_proof.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/merkle_consistency_proof.h b/chromium/net/cert/merkle_consistency_proof.h
index 457ed5284dd..a0b903c0f7e 100644
--- a/chromium/net/cert/merkle_consistency_proof.h
+++ b/chromium/net/cert/merkle_consistency_proof.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/merkle_tree_leaf.cc b/chromium/net/cert/merkle_tree_leaf.cc
index 70ada09872b..2e41be9c2bc 100644
--- a/chromium/net/cert/merkle_tree_leaf.cc
+++ b/chromium/net/cert/merkle_tree_leaf.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/merkle_tree_leaf.h b/chromium/net/cert/merkle_tree_leaf.h
index fc566e65f1b..63b93eb1ed9 100644
--- a/chromium/net/cert/merkle_tree_leaf.h
+++ b/chromium/net/cert/merkle_tree_leaf.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/merkle_tree_leaf_unittest.cc b/chromium/net/cert/merkle_tree_leaf_unittest.cc
index ed9feace299..776a0fc9204 100644
--- a/chromium/net/cert/merkle_tree_leaf_unittest.cc
+++ b/chromium/net/cert/merkle_tree_leaf_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/mock_cert_net_fetcher.cc b/chromium/net/cert/mock_cert_net_fetcher.cc
index 686b56de1aa..179a343cb64 100644
--- a/chromium/net/cert/mock_cert_net_fetcher.cc
+++ b/chromium/net/cert/mock_cert_net_fetcher.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/mock_cert_net_fetcher.h b/chromium/net/cert/mock_cert_net_fetcher.h
index e32222cb965..424615553f1 100644
--- a/chromium/net/cert/mock_cert_net_fetcher.h
+++ b/chromium/net/cert/mock_cert_net_fetcher.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/mock_cert_verifier.cc b/chromium/net/cert/mock_cert_verifier.cc
index e47554e27d9..cdbffbb20ef 100644
--- a/chromium/net/cert/mock_cert_verifier.cc
+++ b/chromium/net/cert/mock_cert_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/mock_cert_verifier.h b/chromium/net/cert/mock_cert_verifier.h
index de9e42e9014..84e15a1966b 100644
--- a/chromium/net/cert/mock_cert_verifier.h
+++ b/chromium/net/cert/mock_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/mock_client_cert_verifier.cc b/chromium/net/cert/mock_client_cert_verifier.cc
index 3b23e51f93c..01eea2ddaf8 100644
--- a/chromium/net/cert/mock_client_cert_verifier.cc
+++ b/chromium/net/cert/mock_client_cert_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/mock_client_cert_verifier.h b/chromium/net/cert/mock_client_cert_verifier.h
index 166643f7812..ef454f78b7f 100644
--- a/chromium/net/cert/mock_client_cert_verifier.h
+++ b/chromium/net/cert/mock_client_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/multi_log_ct_verifier.cc b/chromium/net/cert/multi_log_ct_verifier.cc
index b13aac1bb8c..1391bac439c 100644
--- a/chromium/net/cert/multi_log_ct_verifier.cc
+++ b/chromium/net/cert/multi_log_ct_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/multi_log_ct_verifier.h b/chromium/net/cert/multi_log_ct_verifier.h
index c37efa24a5f..d13987a18d2 100644
--- a/chromium/net/cert/multi_log_ct_verifier.h
+++ b/chromium/net/cert/multi_log_ct_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/multi_log_ct_verifier_unittest.cc b/chromium/net/cert/multi_log_ct_verifier_unittest.cc
index 3e36d86face..0be1e7004bf 100644
--- a/chromium/net/cert/multi_log_ct_verifier_unittest.cc
+++ b/chromium/net/cert/multi_log_ct_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -85,11 +85,11 @@ class MultiLogCTVerifierTest : public ::testing::Test {
     if (!parsed.params.is_dict())
       return false;
 
-    const base::Value* scts = parsed.params.FindListPath("scts");
-    if (!scts || scts->GetListDeprecated().size() != 1)
+    const base::Value::List* scts = parsed.params.GetDict().FindList("scts");
+    if (!scts || scts->size() != 1)
       return false;
 
-    const base::Value& the_sct = scts->GetListDeprecated()[0];
+    const base::Value& the_sct = (*scts)[0];
     if (!the_sct.is_dict())
       return false;
 
diff --git a/chromium/net/cert/multi_threaded_cert_verifier.cc b/chromium/net/cert/multi_threaded_cert_verifier.cc
index d4e137fb991..1e61c4818fb 100644
--- a/chromium/net/cert/multi_threaded_cert_verifier.cc
+++ b/chromium/net/cert/multi_threaded_cert_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/multi_threaded_cert_verifier.h b/chromium/net/cert/multi_threaded_cert_verifier.h
index fe815a9e380..1254923c2f8 100644
--- a/chromium/net/cert/multi_threaded_cert_verifier.h
+++ b/chromium/net/cert/multi_threaded_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/multi_threaded_cert_verifier_unittest.cc b/chromium/net/cert/multi_threaded_cert_verifier_unittest.cc
index bbba76e3475..bf38709a3bd 100644
--- a/chromium/net/cert/multi_threaded_cert_verifier_unittest.cc
+++ b/chromium/net/cert/multi_threaded_cert_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/nss_cert_database.cc b/chromium/net/cert/nss_cert_database.cc
index 7f1c1290f3b..45e213b8950 100644
--- a/chromium/net/cert/nss_cert_database.cc
+++ b/chromium/net/cert/nss_cert_database.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -434,13 +434,7 @@ bool NSSCertDatabase::IsReadOnly(const CERTCertificate* cert) {
 }
 
 // static
-// `cfi-icall` is a clang flag to enable extra checks to prevent "Indirect call
-// of a function with wrong dynamic type". To work properly it requires the
-// called function or the function taking the address of the called function
-// to be compiled with "-fsanitize=cfi-icall" that is not true for libnss3.
-// Because of that we are getting a false positive result around using the
-// dynamically loaded `pk11_has_attribute_set` method.
-NO_SANITIZE("cfi-icall")
+DISABLE_CFI_DLSYM
 bool NSSCertDatabase::IsHardwareBacked(const CERTCertificate* cert) {
   PK11SlotInfo* slot = cert->slot;
   if (!slot)
diff --git a/chromium/net/cert/nss_cert_database.h b/chromium/net/cert/nss_cert_database.h
index e8d45d7bbdc..9533f000c66 100644
--- a/chromium/net/cert/nss_cert_database.h
+++ b/chromium/net/cert/nss_cert_database.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/nss_cert_database_chromeos.cc b/chromium/net/cert/nss_cert_database_chromeos.cc
index 11a3d93da2d..5d7a0490c4d 100644
--- a/chromium/net/cert/nss_cert_database_chromeos.cc
+++ b/chromium/net/cert/nss_cert_database_chromeos.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/nss_cert_database_chromeos.h b/chromium/net/cert/nss_cert_database_chromeos.h
index 8dfb82c92bd..d060b2db600 100644
--- a/chromium/net/cert/nss_cert_database_chromeos.h
+++ b/chromium/net/cert/nss_cert_database_chromeos.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/nss_cert_database_chromeos_unittest.cc b/chromium/net/cert/nss_cert_database_chromeos_unittest.cc
index 2ecd13bf428..f3b26d1a8f5 100644
--- a/chromium/net/cert/nss_cert_database_chromeos_unittest.cc
+++ b/chromium/net/cert/nss_cert_database_chromeos_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/nss_cert_database_unittest.cc b/chromium/net/cert/nss_cert_database_unittest.cc
index eb191f3bce3..6808d3b79bd 100644
--- a/chromium/net/cert/nss_cert_database_unittest.cc
+++ b/chromium/net/cert/nss_cert_database_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,6 +7,7 @@
 #include <cert.h>
 #include <certdb.h>
 #include <pk11pub.h>
+#include <seccomon.h>
 
 #include <algorithm>
 #include <memory>
@@ -60,6 +61,12 @@ std::string GetSubjectCN(CERTCertificate* cert) {
   return s;
 }
 
+bool GetCertIsPerm(const CERTCertificate* cert) {
+  PRBool is_perm;
+  CHECK_EQ(x509_util::GetCertIsPerm(cert, &is_perm), SECSuccess);
+  return is_perm != PR_FALSE;
+}
+
 }  // namespace
 
 class CertDatabaseNSSTest : public TestWithTaskEnvironment {
@@ -287,7 +294,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_SSLTrust) {
       GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
-  EXPECT_FALSE(certs[0]->isperm);
+  EXPECT_FALSE(GetCertIsPerm(certs[0].get()));
 
   // Import it.
   NSSCertDatabase::ImportCertFailureList failed;
@@ -316,7 +323,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_EmailTrust) {
       GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
-  EXPECT_FALSE(certs[0]->isperm);
+  EXPECT_FALSE(GetCertIsPerm(certs[0].get()));
 
   // Import it.
   NSSCertDatabase::ImportCertFailureList failed;
@@ -345,7 +352,7 @@ TEST_F(CertDatabaseNSSTest, ImportCACert_ObjSignTrust) {
       GetTestCertsDirectory(), "root_ca_cert.pem",
       X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
-  EXPECT_FALSE(certs[0]->isperm);
+  EXPECT_FALSE(GetCertIsPerm(certs[0].get()));
 
   // Import it.
   NSSCertDatabase::ImportCertFailureList failed;
@@ -373,7 +380,7 @@ TEST_F(CertDatabaseNSSTest, ImportCA_NotCACert) {
   ScopedCERTCertificateList certs = CreateCERTCertificateListFromFile(
       GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1U, certs.size());
-  EXPECT_FALSE(certs[0]->isperm);
+  EXPECT_FALSE(GetCertIsPerm(certs[0].get()));
 
   // Import it.
   NSSCertDatabase::ImportCertFailureList failed;
diff --git a/chromium/net/cert/nss_profile_filter_chromeos.cc b/chromium/net/cert/nss_profile_filter_chromeos.cc
index d85ac42b13b..0cbb6962f79 100644
--- a/chromium/net/cert/nss_profile_filter_chromeos.cc
+++ b/chromium/net/cert/nss_profile_filter_chromeos.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/nss_profile_filter_chromeos.h b/chromium/net/cert/nss_profile_filter_chromeos.h
index 1bfbc159d4c..014976c2493 100644
--- a/chromium/net/cert/nss_profile_filter_chromeos.h
+++ b/chromium/net/cert/nss_profile_filter_chromeos.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/nss_profile_filter_chromeos_unittest.cc b/chromium/net/cert/nss_profile_filter_chromeos_unittest.cc
index 0a21f961ce9..07fce400a46 100644
--- a/chromium/net/cert/nss_profile_filter_chromeos_unittest.cc
+++ b/chromium/net/cert/nss_profile_filter_chromeos_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ocsp_revocation_status.h b/chromium/net/cert/ocsp_revocation_status.h
index dac7a2067e6..2aa4958c670 100644
--- a/chromium/net/cert/ocsp_revocation_status.h
+++ b/chromium/net/cert/ocsp_revocation_status.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ocsp_verify_result.cc b/chromium/net/cert/ocsp_verify_result.cc
index 35069e711d3..92ab907d4c0 100644
--- a/chromium/net/cert/ocsp_verify_result.cc
+++ b/chromium/net/cert/ocsp_verify_result.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/ocsp_verify_result.h b/chromium/net/cert/ocsp_verify_result.h
index 409d4116e1c..854e9db04bc 100644
--- a/chromium/net/cert/ocsp_verify_result.h
+++ b/chromium/net/cert/ocsp_verify_result.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pem.cc b/chromium/net/cert/pem.cc
index fe37b197b07..82f77b50642 100644
--- a/chromium/net/cert/pem.cc
+++ b/chromium/net/cert/pem.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pem.h b/chromium/net/cert/pem.h
index b8164f6ebc3..c8cf31cb5f2 100644
--- a/chromium/net/cert/pem.h
+++ b/chromium/net/cert/pem.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pem_unittest.cc b/chromium/net/cert/pem_unittest.cc
index cd2ecad89b2..b85088f4314 100644
--- a/chromium/net/cert/pem_unittest.cc
+++ b/chromium/net/cert/pem_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/cert_error_id.cc b/chromium/net/cert/pki/cert_error_id.cc
index 793b92ffb2c..8e185cdf5bd 100644
--- a/chromium/net/cert/pki/cert_error_id.cc
+++ b/chromium/net/cert/pki/cert_error_id.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/cert_error_id.h b/chromium/net/cert/pki/cert_error_id.h
index 1c0e4ec947b..bc410b15a07 100644
--- a/chromium/net/cert/pki/cert_error_id.h
+++ b/chromium/net/cert/pki/cert_error_id.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/cert_error_params.cc b/chromium/net/cert/pki/cert_error_params.cc
index 0d4f2b61d83..bbb39d4daa4 100644
--- a/chromium/net/cert/pki/cert_error_params.cc
+++ b/chromium/net/cert/pki/cert_error_params.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,7 +6,6 @@
 
 #include <memory>
 
-#include "base/check.h"
 #include "base/strings/string_number_conversions.h"
 #include "net/der/input.h"
 
diff --git a/chromium/net/cert/pki/cert_error_params.h b/chromium/net/cert/pki/cert_error_params.h
index b00d0f2e8a4..371ac25b908 100644
--- a/chromium/net/cert/pki/cert_error_params.h
+++ b/chromium/net/cert/pki/cert_error_params.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/cert_errors.cc b/chromium/net/cert/pki/cert_errors.cc
index 833fb1d3638..843967426f9 100644
--- a/chromium/net/cert/pki/cert_errors.cc
+++ b/chromium/net/cert/pki/cert_errors.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/cert_errors.h b/chromium/net/cert/pki/cert_errors.h
index 98f635da34b..6e783bcb119 100644
--- a/chromium/net/cert/pki/cert_errors.h
+++ b/chromium/net/cert/pki/cert_errors.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/cert_issuer_source.h b/chromium/net/cert/pki/cert_issuer_source.h
index 1568cd058f3..875aeb5a6ee 100644
--- a/chromium/net/cert/pki/cert_issuer_source.h
+++ b/chromium/net/cert/pki/cert_issuer_source.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/cert_issuer_source_static.cc b/chromium/net/cert/pki/cert_issuer_source_static.cc
index c41aede9d6f..5b6147d5ef3 100644
--- a/chromium/net/cert/pki/cert_issuer_source_static.cc
+++ b/chromium/net/cert/pki/cert_issuer_source_static.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@ CertIssuerSourceStatic::~CertIssuerSourceStatic() = default;
 
 void CertIssuerSourceStatic::AddCert(scoped_refptr<ParsedCertificate> cert) {
   intermediates_.insert(std::make_pair(
-      cert->normalized_subject().AsStringPiece(), std::move(cert)));
+      cert->normalized_subject().AsStringView(), std::move(cert)));
 }
 
 void CertIssuerSourceStatic::Clear() {
@@ -21,7 +21,7 @@ void CertIssuerSourceStatic::Clear() {
 void CertIssuerSourceStatic::SyncGetIssuersOf(const ParsedCertificate* cert,
                                               ParsedCertificateList* issuers) {
   auto range =
-      intermediates_.equal_range(cert->normalized_issuer().AsStringPiece());
+      intermediates_.equal_range(cert->normalized_issuer().AsStringView());
   for (auto it = range.first; it != range.second; ++it)
     issuers->push_back(it->second);
 }
diff --git a/chromium/net/cert/pki/cert_issuer_source_static.h b/chromium/net/cert/pki/cert_issuer_source_static.h
index c3be882d023..5fedd7491e6 100644
--- a/chromium/net/cert/pki/cert_issuer_source_static.h
+++ b/chromium/net/cert/pki/cert_issuer_source_static.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -30,6 +30,8 @@ class NET_EXPORT CertIssuerSourceStatic : public CertIssuerSource {
   // Clears the set of certificates.
   void Clear();
 
+  size_t size() const { return intermediates_.size(); }
+
   // CertIssuerSource implementation:
   void SyncGetIssuersOf(const ParsedCertificate* cert,
                         ParsedCertificateList* issuers) override;
@@ -39,9 +41,7 @@ class NET_EXPORT CertIssuerSourceStatic : public CertIssuerSource {
  private:
   // The certificates that the CertIssuerSourceStatic can return, keyed on the
   // normalized subject value.
-  std::unordered_multimap<base::StringPiece,
-                          scoped_refptr<ParsedCertificate>,
-                          base::StringPieceHash>
+  std::unordered_multimap<std::string_view, scoped_refptr<ParsedCertificate>>
       intermediates_;
 };
 
diff --git a/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc b/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc
index 02727cc6724..eab8e6710ce 100644
--- a/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc
+++ b/chromium/net/cert/pki/cert_issuer_source_static_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h b/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h
index e3f165036db..1b5dfc6f9c7 100644
--- a/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h
+++ b/chromium/net/cert/pki/cert_issuer_source_sync_unittest.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/certificate_policies.cc b/chromium/net/cert/pki/certificate_policies.cc
index e7a3c17e435..a6943c38507 100644
--- a/chromium/net/cert/pki/certificate_policies.cc
+++ b/chromium/net/cert/pki/certificate_policies.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/certificate_policies.h b/chromium/net/cert/pki/certificate_policies.h
index 182bf9a82f5..60451b4c5da 100644
--- a/chromium/net/cert/pki/certificate_policies.h
+++ b/chromium/net/cert/pki/certificate_policies.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/certificate_policies_unittest.cc b/chromium/net/cert/pki/certificate_policies_unittest.cc
index b38aff49a73..710f480d209 100644
--- a/chromium/net/cert/pki/certificate_policies_unittest.cc
+++ b/chromium/net/cert/pki/certificate_policies_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/common_cert_errors.cc b/chromium/net/cert/pki/common_cert_errors.cc
index d282999c472..6cf4803c09b 100644
--- a/chromium/net/cert/pki/common_cert_errors.cc
+++ b/chromium/net/cert/pki/common_cert_errors.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/common_cert_errors.h b/chromium/net/cert/pki/common_cert_errors.h
index 2819671f4c9..1422b479e07 100644
--- a/chromium/net/cert/pki/common_cert_errors.h
+++ b/chromium/net/cert/pki/common_cert_errors.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/crl.cc b/chromium/net/cert/pki/crl.cc
index c3a0c9dc5fa..dc4839c6cd5 100644
--- a/chromium/net/cert/pki/crl.cc
+++ b/chromium/net/cert/pki/crl.cc
@@ -1,10 +1,11 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/crl.h"
 
 #include "base/stl_util.h"
+#include "base/types/optional_util.h"
 #include "net/cert/pki/cert_errors.h"
 #include "net/cert/pki/revocation_util.h"
 #include "net/cert/pki/signature_algorithm.h"
@@ -33,12 +34,11 @@ inline constexpr uint8_t kIssuingDistributionPointOid[] = {0x55, 0x1d, 0x1c};
          !parser.HasMore();
 }
 
-bool ContainsExactMatchingName(std::vector<base::StringPiece> a,
-                               std::vector<base::StringPiece> b) {
+bool ContainsExactMatchingName(std::vector<std::string_view> a,
+                               std::vector<std::string_view> b) {
   std::sort(a.begin(), a.end());
   std::sort(b.begin(), b.end());
-  return !base::STLSetIntersection<std::vector<base::StringPiece>>(a, b)
-              .empty();
+  return !base::STLSetIntersection<std::vector<std::string_view>>(a, b).empty();
 }
 
 }  // namespace
@@ -361,7 +361,7 @@ CRLRevocationStatus GetCRLStatusForCert(
 ParsedCrlTbsCertList::ParsedCrlTbsCertList() = default;
 ParsedCrlTbsCertList::~ParsedCrlTbsCertList() = default;
 
-CRLRevocationStatus CheckCRL(base::StringPiece raw_crl,
+CRLRevocationStatus CheckCRL(std::string_view raw_crl,
                              const ParsedCertificateList& valid_chain,
                              size_t target_cert_index,
                              const ParsedDistributionPoint& cert_dp,
@@ -422,10 +422,9 @@ CRLRevocationStatus CheckCRL(base::StringPiece raw_crl,
 
   // Check CRL dates. Roughly corresponds to 6.3.3 (a) (1) but does not attempt
   // to update the CRL if it is out of date.
-  if (!CheckRevocationDateValid(
-          tbs_cert_list.this_update,
-          base::OptionalOrNullptr(tbs_cert_list.next_update), verify_time,
-          max_age)) {
+  if (!CheckRevocationDateValid(tbs_cert_list.this_update,
+                                base::OptionalToPtr(tbs_cert_list.next_update),
+                                verify_time, max_age)) {
     return CRLRevocationStatus::UNKNOWN;
   }
 
diff --git a/chromium/net/cert/pki/crl.h b/chromium/net/cert/pki/crl.h
index e6add49add4..325b45deb9f 100644
--- a/chromium/net/cert/pki/crl.h
+++ b/chromium/net/cert/pki/crl.h
@@ -1,11 +1,10 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_PKI_CRL_H_
 #define NET_CERT_PKI_CRL_H_
 
-#include "base/strings/string_piece_forward.h"
 #include "base/time/time.h"
 #include "net/base/net_export.h"
 #include "net/cert/pki/general_names.h"
@@ -212,7 +211,7 @@ GetCRLStatusForCert(const der::Input& cert_serial,
 //        the |thisUpdate| field in the CRL TBSCertList. Responses older than
 //        |max_age| will be considered invalid.
 [[nodiscard]] NET_EXPORT CRLRevocationStatus
-CheckCRL(base::StringPiece raw_crl,
+CheckCRL(std::string_view raw_crl,
          const ParsedCertificateList& valid_chain,
          size_t target_cert_index,
          const ParsedDistributionPoint& cert_dp,
diff --git a/chromium/net/cert/pki/extended_key_usage.cc b/chromium/net/cert/pki/extended_key_usage.cc
index e4e97b30175..297a95c1f90 100644
--- a/chromium/net/cert/pki/extended_key_usage.cc
+++ b/chromium/net/cert/pki/extended_key_usage.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/extended_key_usage.h b/chromium/net/cert/pki/extended_key_usage.h
index f2ce9eb3e36..c4834d49e3c 100644
--- a/chromium/net/cert/pki/extended_key_usage.h
+++ b/chromium/net/cert/pki/extended_key_usage.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/extended_key_usage_unittest.cc b/chromium/net/cert/pki/extended_key_usage_unittest.cc
index f98ad799882..9a17c53dfc9 100644
--- a/chromium/net/cert/pki/extended_key_usage_unittest.cc
+++ b/chromium/net/cert/pki/extended_key_usage_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/general_names.cc b/chromium/net/cert/pki/general_names.cc
index 0a598dd24fe..d2bbd25ef51 100644
--- a/chromium/net/cert/pki/general_names.cc
+++ b/chromium/net/cert/pki/general_names.cc
@@ -1,13 +1,12 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/general_names.h"
 
-#include "base/check_op.h"
-#include "base/strings/string_util.h"
 #include "net/cert/pki/cert_error_params.h"
 #include "net/cert/pki/cert_errors.h"
+#include "net/cert/pki/string_util.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 #include "net/der/tag.h"
@@ -130,8 +129,8 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
   } else if (tag == der::ContextSpecificPrimitive(1)) {
     // rfc822Name                      [1]     IA5String,
     name_type = GENERAL_NAME_RFC822_NAME;
-    const base::StringPiece s = value.AsStringPiece();
-    if (!base::IsStringASCII(s)) {
+    const std::string_view s = value.AsStringView();
+    if (!net::string_util::IsAscii(s)) {
       errors->AddError(kRFC822NameNotAscii);
       return false;
     }
@@ -139,8 +138,8 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
   } else if (tag == der::ContextSpecificPrimitive(2)) {
     // dNSName                         [2]     IA5String,
     name_type = GENERAL_NAME_DNS_NAME;
-    const base::StringPiece s = value.AsStringPiece();
-    if (!base::IsStringASCII(s)) {
+    const std::string_view s = value.AsStringView();
+    if (!net::string_util::IsAscii(s)) {
       errors->AddError(kDnsNameNotAscii);
       return false;
     }
@@ -167,8 +166,8 @@ std::unique_ptr<GeneralNames> GeneralNames::CreateFromValue(
   } else if (tag == der::ContextSpecificPrimitive(6)) {
     // uniformResourceIdentifier       [6]     IA5String,
     name_type = GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER;
-    const base::StringPiece s = value.AsStringPiece();
-    if (!base::IsStringASCII(s)) {
+    const std::string_view s = value.AsStringView();
+    if (!net::string_util::IsAscii(s)) {
       errors->AddError(kURINotAscii);
       return false;
     }
diff --git a/chromium/net/cert/pki/general_names.h b/chromium/net/cert/pki/general_names.h
index 0bacddfe98e..c5c32d00428 100644
--- a/chromium/net/cert/pki/general_names.h
+++ b/chromium/net/cert/pki/general_names.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,7 +8,6 @@
 #include <memory>
 #include <vector>
 
-#include "base/strings/string_piece_forward.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_export.h"
 #include "net/cert/pki/cert_error_id.h"
@@ -76,10 +75,10 @@ struct NET_EXPORT GeneralNames {
   std::vector<der::Input> other_names;
 
   // ASCII rfc822names.
-  std::vector<base::StringPiece> rfc822_names;
+  std::vector<std::string_view> rfc822_names;
 
   // ASCII hostnames.
-  std::vector<base::StringPiece> dns_names;
+  std::vector<std::string_view> dns_names;
 
   // DER-encoded ORAddress values.
   std::vector<der::Input> x400_addresses;
@@ -91,7 +90,7 @@ struct NET_EXPORT GeneralNames {
   std::vector<der::Input> edi_party_names;
 
   // ASCII URIs.
-  std::vector<base::StringPiece> uniform_resource_identifiers;
+  std::vector<std::string_view> uniform_resource_identifiers;
 
   // iPAddresses as sequences of octets in network byte order. This will be
   // populated if the GeneralNames represents a Subject Alternative Name.
diff --git a/chromium/net/cert/pki/name_constraints.cc b/chromium/net/cert/pki/name_constraints.cc
index b66abdbef6c..eed0741d200 100644
--- a/chromium/net/cert/pki/name_constraints.cc
+++ b/chromium/net/cert/pki/name_constraints.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,11 +8,10 @@
 
 #include <memory>
 
-#include "base/check.h"
 #include "base/numerics/clamped_math.h"
-#include "base/strings/string_util.h"
 #include "net/cert/pki/cert_errors.h"
 #include "net/cert/pki/common_cert_errors.h"
+#include "net/cert/pki/string_util.h"
 #include "net/cert/pki/verify_name_match.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
@@ -52,8 +51,8 @@ enum WildcardMatchType { WILDCARD_PARTIAL_MATCH, WILDCARD_FULL_MATCH };
 // |wildcard_matching| controls handling of wildcard names (|name| starts with
 // "*."). Wildcard handling is not specified by RFC 5280, but certificate
 // verification allows it, name constraints must check it similarly.
-bool DNSNameMatches(base::StringPiece name,
-                    base::StringPiece dns_constraint,
+bool DNSNameMatches(std::string_view name,
+                    std::string_view dns_constraint,
                     WildcardMatchType wildcard_matching) {
   // Everything matches the empty DNS name constraint.
   if (dns_constraint.empty())
@@ -74,20 +73,20 @@ bool DNSNameMatches(base::StringPiece name,
       name[0] == '*' && name[1] == '.') {
     size_t dns_constraint_dot_pos = dns_constraint.find('.');
     if (dns_constraint_dot_pos != std::string::npos) {
-      base::StringPiece dns_constraint_domain =
+      std::string_view dns_constraint_domain =
           dns_constraint.substr(dns_constraint_dot_pos + 1);
-      base::StringPiece wildcard_domain = name.substr(2);
-      if (base::EqualsCaseInsensitiveASCII(wildcard_domain,
-                                           dns_constraint_domain)) {
+      std::string_view wildcard_domain = name.substr(2);
+      if (net::string_util::IsEqualNoCase(wildcard_domain,
+                                          dns_constraint_domain)) {
         return true;
       }
     }
   }
 
-  if (!base::EndsWith(name, dns_constraint,
-                      base::CompareCase::INSENSITIVE_ASCII)) {
+  if (!net::string_util::EndsWithNoCase(name, dns_constraint)) {
     return false;
   }
+
   // Exact match.
   if (name.size() == dns_constraint.size())
     return true;
@@ -361,7 +360,7 @@ void NameConstraints::IsPermittedCert(const der::Input& subject_rdn_sequence,
   }
 }
 
-bool NameConstraints::IsPermittedDNSName(base::StringPiece name) const {
+bool NameConstraints::IsPermittedDNSName(std::string_view name) const {
   for (const auto& excluded_name : excluded_subtrees_.dns_names) {
     // When matching wildcard hosts against excluded subtrees, consider it a
     // match if the constraint would match any expansion of the wildcard. Eg,
diff --git a/chromium/net/cert/pki/name_constraints.h b/chromium/net/cert/pki/name_constraints.h
index 0fe0452da51..ea472a0ec33 100644
--- a/chromium/net/cert/pki/name_constraints.h
+++ b/chromium/net/cert/pki/name_constraints.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,7 +9,6 @@
 
 #include <memory>
 
-#include "base/strings/string_piece_forward.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_export.h"
 #include "net/cert/pki/general_names.h"
@@ -56,7 +55,7 @@ class NET_EXPORT NameConstraints {
   // would not be permitted if "bar.com" is permitted and "foo.bar.com" is
   // excluded, while "*.baz.com" would only be permitted if "baz.com" is
   // permitted.
-  bool IsPermittedDNSName(base::StringPiece name) const;
+  bool IsPermittedDNSName(std::string_view name) const;
 
   // Returns true if the directoryName |name_rdn_sequence| is permitted.
   // |name_rdn_sequence| should be the DER-encoded RDNSequence value (not
diff --git a/chromium/net/cert/pki/name_constraints_unittest.cc b/chromium/net/cert/pki/name_constraints_unittest.cc
index 32a97af4f4b..b69a376f5d2 100644
--- a/chromium/net/cert/pki/name_constraints_unittest.cc
+++ b/chromium/net/cert/pki/name_constraints_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/nist_pkits_unittest.cc b/chromium/net/cert/pki/nist_pkits_unittest.cc
index f2309349fba..20b48923db4 100644
--- a/chromium/net/cert/pki/nist_pkits_unittest.cc
+++ b/chromium/net/cert/pki/nist_pkits_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/nist_pkits_unittest.h b/chromium/net/cert/pki/nist_pkits_unittest.h
index bf4d16485c9..8e4c2cb38eb 100644
--- a/chromium/net/cert/pki/nist_pkits_unittest.h
+++ b/chromium/net/cert/pki/nist_pkits_unittest.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -97,7 +97,7 @@ class PkitsTest : public ::testing::Test {
       crl_ders.push_back(net::ReadTestFileToString(
           "net/third_party/nist-pkits/crls/" + s + ".crl"));
 
-    base::StringPiece test_number = info.test_number;
+    std::string_view test_number = info.test_number;
 
     // Some of the PKITS tests are intentionally given different expectations
     // from PKITS.pdf.
diff --git a/chromium/net/cert/pki/ocsp.cc b/chromium/net/cert/pki/ocsp.cc
index 46fd72f7109..816a7840c83 100644
--- a/chromium/net/cert/pki/ocsp.cc
+++ b/chromium/net/cert/pki/ocsp.cc
@@ -1,19 +1,17 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/ocsp.h"
 
-#include <algorithm>
-
-#include "base/base64.h"
-#include "base/strings/string_util.h"
+#include "base/containers/contains.h"
 #include "base/time/time.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/pki/cert_errors.h"
 #include "net/cert/pki/extended_key_usage.h"
 #include "net/cert/pki/parsed_certificate.h"
 #include "net/cert/pki/revocation_util.h"
+#include "net/cert/pki/string_util.h"
 #include "net/cert/pki/verify_name_match.h"
 #include "net/cert/pki/verify_signed_data.h"
 #include "net/cert/x509_util.h"
@@ -466,19 +464,20 @@ bool VerifyHash(const EVP_MD* type,
 //     subjectPublicKey     BIT STRING
 // }
 bool GetSubjectPublicKeyBytes(const der::Input& spki_tlv, der::Input* spk_tlv) {
+  // TODO(bbe) decide what to do with the asn1 utilities, bring them into pki
+  // or use the boringssl stuff internally..
   base::StringPiece spk_strpiece;
   if (!asn1::ExtractSubjectPublicKeyFromSPKI(spki_tlv.AsStringPiece(),
                                              &spk_strpiece)) {
     return false;
   }
-
   // ExtractSubjectPublicKeyFromSPKI() includes the unused bit count. For this
   // application, the unused bit count must be zero, and is not included in the
   // result.
-  if (!base::StartsWith(spk_strpiece, "\0"))
+  if (!net::string_util::StartsWith(
+          std::string_view(spk_strpiece.data(), spk_strpiece.size()), "\0"))
     return false;
   spk_strpiece.remove_prefix(1);
-
   *spk_tlv = der::Input(spk_strpiece);
   return true;
 }
@@ -525,15 +524,16 @@ bool CheckCertIDMatchesCertificate(
 // TODO(eroman): Revisit how certificate parsing is used by this file. Ideally
 // would either pass in the parsed bits, or have a better abstraction for lazily
 // parsing.
-scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) {
+scoped_refptr<ParsedCertificate> OCSPParseCertificate(std::string_view der) {
   ParseCertificateOptions parse_options;
   parse_options.allow_invalid_serial_numbers = true;
 
   // TODO(eroman): Swallows the parsing errors. However uses a permissive
   // parsing model.
   CertErrors errors;
-  return ParsedCertificate::Create(x509_util::CreateCryptoBuffer(der), {},
-                                   &errors);
+  return ParsedCertificate::Create(
+      x509_util::CreateCryptoBuffer(base::StringPiece(der.data(), der.size())),
+      {}, &errors);
 }
 
 // Checks that the ResponderID |id| matches the certificate |cert| either
@@ -578,7 +578,8 @@ scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) {
   // The Authorized Responder must be directly signed by the issuer of the
   // certificate being checked.
   // TODO(eroman): Must check the signature algorithm against policy.
-  if (!VerifySignedData(responder_certificate->signature_algorithm(),
+  if (!responder_certificate->signature_algorithm().has_value() ||
+      !VerifySignedData(*responder_certificate->signature_algorithm(),
                         responder_certificate->tbs_certificate_tlv(),
                         responder_certificate->signature_value(),
                         issuer_certificate->tbs().spki_tlv)) {
@@ -589,14 +590,9 @@ scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) {
   // part of the extended key usage extension.
   if (!responder_certificate->has_extended_key_usage())
     return false;
-  const std::vector<der::Input>& ekus =
-      responder_certificate->extended_key_usage();
-  if (std::find(ekus.begin(), ekus.end(), der::Input(kOCSPSigning)) ==
-      ekus.end()) {
-    return false;
-  }
 
-  return true;
+  return base::Contains(responder_certificate->extended_key_usage(),
+                        der::Input(kOCSPSigning));
 }
 
 [[nodiscard]] bool VerifyOCSPResponseSignatureGivenCert(
@@ -631,7 +627,7 @@ scoped_refptr<ParsedCertificate> OCSPParseCertificate(base::StringPiece der) {
   //  (3) Has signed the OCSP response using its public key.
   for (const auto& responder_cert_tlv : response.certs) {
     scoped_refptr<ParsedCertificate> cur_responder_certificate =
-        OCSPParseCertificate(responder_cert_tlv.AsStringPiece());
+        OCSPParseCertificate(responder_cert_tlv.AsStringView());
 
     // If failed parsing the certificate, keep looking.
     if (!cur_responder_certificate)
@@ -787,10 +783,10 @@ OCSPRevocationStatus GetRevocationStatusForCert(
 }
 
 OCSPRevocationStatus CheckOCSP(
-    base::StringPiece raw_response,
-    base::StringPiece certificate_der,
+    std::string_view raw_response,
+    std::string_view certificate_der,
     const ParsedCertificate* certificate,
-    base::StringPiece issuer_certificate_der,
+    std::string_view issuer_certificate_der,
     const ParsedCertificate* issuer_certificate,
     const base::Time& verify_time,
     const base::TimeDelta& max_age,
@@ -891,9 +887,9 @@ OCSPRevocationStatus CheckOCSP(
 }  // namespace
 
 OCSPRevocationStatus CheckOCSP(
-    base::StringPiece raw_response,
-    base::StringPiece certificate_der,
-    base::StringPiece issuer_certificate_der,
+    std::string_view raw_response,
+    std::string_view certificate_der,
+    std::string_view issuer_certificate_der,
     const base::Time& verify_time,
     const base::TimeDelta& max_age,
     OCSPVerifyResult::ResponseStatus* response_details) {
@@ -903,15 +899,15 @@ OCSPRevocationStatus CheckOCSP(
 }
 
 OCSPRevocationStatus CheckOCSP(
-    base::StringPiece raw_response,
+    std::string_view raw_response,
     const ParsedCertificate* certificate,
     const ParsedCertificate* issuer_certificate,
     const base::Time& verify_time,
     const base::TimeDelta& max_age,
     OCSPVerifyResult::ResponseStatus* response_details) {
-  return CheckOCSP(raw_response, base::StringPiece(), certificate,
-                   base::StringPiece(), issuer_certificate, verify_time,
-                   max_age, response_details);
+  return CheckOCSP(raw_response, std::string_view(), certificate,
+                   std::string_view(), issuer_certificate, verify_time, max_age,
+                   response_details);
 }
 
 bool CreateOCSPRequest(const ParsedCertificate* cert,
@@ -1007,7 +1003,7 @@ bool CreateOCSPRequest(const ParsedCertificate* cert,
 //    the OCSPRequest}
 GURL CreateOCSPGetURL(const ParsedCertificate* cert,
                       const ParsedCertificate* issuer,
-                      base::StringPiece ocsp_responder_url) {
+                      std::string_view ocsp_responder_url) {
   std::vector<uint8_t> ocsp_request_der;
   if (!CreateOCSPRequest(cert, issuer, &ocsp_request_der)) {
     // Unexpected (means BoringSSL failed an operation).
@@ -1015,19 +1011,23 @@ GURL CreateOCSPGetURL(const ParsedCertificate* cert,
   }
 
   // Base64 encode the request data.
-  std::string b64_encoded;
-  base::Base64Encode(
-      base::StringPiece(reinterpret_cast<const char*>(ocsp_request_der.data()),
-                        ocsp_request_der.size()),
-      &b64_encoded);
+  size_t len;
+  if (!EVP_EncodedLength(&len, ocsp_request_der.size())) {
+    return GURL();
+  }
+  std::vector<uint8_t> encoded(len);
+  len = EVP_EncodeBlock(encoded.data(), ocsp_request_der.data(),
+                        ocsp_request_der.size());
+
+  std::string b64_encoded(encoded.begin(), encoded.begin() + len);
 
   // In theory +, /, and = are valid in paths and don't need to be escaped.
   // However from the example in RFC 5019 section 5 it is clear that the intent
   // is to escape non-alphanumeric characters (the example conclusively escapes
   // '/' and '=', but doesn't clarify '+').
-  base::ReplaceSubstringsAfterOffset(&b64_encoded, 0, "+", "%2B");
-  base::ReplaceSubstringsAfterOffset(&b64_encoded, 0, "/", "%2F");
-  base::ReplaceSubstringsAfterOffset(&b64_encoded, 0, "=", "%3D");
+  b64_encoded = net::string_util::FindAndReplace(b64_encoded, "+", "%2B");
+  b64_encoded = net::string_util::FindAndReplace(b64_encoded, "/", "%2F");
+  b64_encoded = net::string_util::FindAndReplace(b64_encoded, "=", "%3D");
 
   // No attempt is made to collapse double slashes for URLs that end in slash,
   // since the spec doesn't do that.
diff --git a/chromium/net/cert/pki/ocsp.h b/chromium/net/cert/pki/ocsp.h
index 6a2a5e5b7d3..7464a033d19 100644
--- a/chromium/net/cert/pki/ocsp.h
+++ b/chromium/net/cert/pki/ocsp.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,7 +8,6 @@
 #include <memory>
 #include <vector>
 
-#include "base/strings/string_piece_forward.h"
 #include "base/time/time.h"
 #include "net/base/net_export.h"
 #include "net/cert/ocsp_revocation_status.h"
@@ -287,9 +286,9 @@ NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv,
 //        |max_age| will be considered invalid.
 //  * |response_details|: Additional details about failures.
 [[nodiscard]] NET_EXPORT OCSPRevocationStatus
-CheckOCSP(base::StringPiece raw_response,
-          base::StringPiece certificate_der,
-          base::StringPiece issuer_certificate_der,
+CheckOCSP(std::string_view raw_response,
+          std::string_view certificate_der,
+          std::string_view issuer_certificate_der,
           const base::Time& verify_time,
           const base::TimeDelta& max_age,
           OCSPVerifyResult::ResponseStatus* response_details);
@@ -300,7 +299,7 @@ CheckOCSP(base::StringPiece raw_response,
 // Arguments are the same as above, except that it takes already parsed
 // instances of the certificate and issuer certificate.
 [[nodiscard]] NET_EXPORT OCSPRevocationStatus
-CheckOCSP(base::StringPiece raw_response,
+CheckOCSP(std::string_view raw_response,
           const ParsedCertificate* certificate,
           const ParsedCertificate* issuer_certificate,
           const base::Time& verify_time,
@@ -321,7 +320,7 @@ NET_EXPORT bool CreateOCSPRequest(const ParsedCertificate* cert,
 // Creates a URL to issue a GET request for OCSP information for |cert|.
 NET_EXPORT GURL CreateOCSPGetURL(const ParsedCertificate* cert,
                                  const ParsedCertificate* issuer,
-                                 base::StringPiece ocsp_responder_url);
+                                 std::string_view ocsp_responder_url);
 
 }  // namespace net
 
diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc
index 1d23453d0b5..6158c1cf923 100644
--- a/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc
+++ b/chromium/net/cert/pki/ocsp_parse_ocsp_cert_id_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc
index d312f0fae1b..bf701d8a0e0 100644
--- a/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc
+++ b/chromium/net/cert/pki/ocsp_parse_ocsp_response_data_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc
index f3673aeec7a..df8e88487ce 100644
--- a/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc
+++ b/chromium/net/cert/pki/ocsp_parse_ocsp_response_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc b/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc
index 872e2680a4e..d3289c7e29d 100644
--- a/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc
+++ b/chromium/net/cert/pki/ocsp_parse_ocsp_single_response_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/ocsp_unittest.cc b/chromium/net/cert/pki/ocsp_unittest.cc
index 6b3ae13a68d..bd1b25d4959 100644
--- a/chromium/net/cert/pki/ocsp_unittest.cc
+++ b/chromium/net/cert/pki/ocsp_unittest.cc
@@ -1,15 +1,15 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/ocsp.h"
 
-#include "base/base64.h"
 #include "base/strings/string_piece.h"
-#include "base/strings/string_util.h"
+#include "net/cert/pki/string_util.h"
 #include "net/cert/pki/test_helpers.h"
 #include "net/der/encode_values.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/boringssl/src/include/openssl/base64.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 #include "url/gurl.h"
 
@@ -23,7 +23,7 @@ std::string GetFilePath(const std::string& file_name) {
   return std::string("net/data/ocsp_unittest/") + file_name;
 }
 
-scoped_refptr<ParsedCertificate> ParseCertificate(base::StringPiece data) {
+scoped_refptr<ParsedCertificate> ParseCertificate(std::string_view data) {
   CertErrors errors;
   return ParsedCertificate::Create(
       bssl::UniquePtr<CRYPTO_BUFFER>(CRYPTO_BUFFER_new(
@@ -124,7 +124,7 @@ const TestParams kTestParams[] = {
 // Parameterised test name generator for tests depending on RenderTextBackend.
 struct PrintTestName {
   std::string operator()(const testing::TestParamInfo<TestParams>& info) const {
-    base::StringPiece name(info.param.file_name);
+    std::string_view name(info.param.file_name);
     // Strip ".pem" from the end as GTest names cannot contain period.
     name.remove_suffix(4);
     return std::string(name);
@@ -178,7 +178,7 @@ TEST_P(CheckOCSPTest, FromFile) {
             der::Input(&request_data));
 }
 
-base::StringPiece kGetURLTestParams[] = {
+std::string_view kGetURLTestParams[] = {
     "http://www.example.com/",
     "http://www.example.com/path/",
     "http://www.example.com/path",
@@ -186,8 +186,8 @@ base::StringPiece kGetURLTestParams[] = {
     "http://user:pass@www.example.com/path?query",
 };
 
-class CreateOCSPGetURLTest
-    : public ::testing::TestWithParam<base::StringPiece> {};
+class CreateOCSPGetURLTest : public ::testing::TestWithParam<std::string_view> {
+};
 
 INSTANTIATE_TEST_SUITE_P(All,
                          CreateOCSPGetURLTest,
@@ -223,15 +223,20 @@ TEST_P(CreateOCSPGetURLTest, Basic) {
   std::string b64 = url.spec().substr(GetParam().size() + 1);
 
   // Hex un-escape the data.
-  base::ReplaceSubstringsAfterOffset(&b64, 0, "%2B", "+");
-  base::ReplaceSubstringsAfterOffset(&b64, 0, "%2F", "/");
-  base::ReplaceSubstringsAfterOffset(&b64, 0, "%3D", "=");
+  b64 = net::string_util::FindAndReplace(b64, "%2B", "+");
+  b64 = net::string_util::FindAndReplace(b64, "%2F", "/");
+  b64 = net::string_util::FindAndReplace(b64, "%3D", "=");
 
   // Base64 decode the data.
-  std::string decoded;
-  ASSERT_TRUE(base::Base64Decode(b64, &decoded));
-
-  EXPECT_EQ(request_data, decoded);
+  size_t len;
+  EXPECT_TRUE(EVP_DecodedLength(&len, b64.size()));
+  std::vector<uint8_t> decoded(len);
+  EXPECT_TRUE(EVP_DecodeBase64(decoded.data(), &len, len,
+                               reinterpret_cast<const uint8_t*>(b64.data()),
+                               b64.size()));
+  std::string decoded_string(decoded.begin(), decoded.begin() + len);
+
+  EXPECT_EQ(request_data, decoded_string);
 }
 
 }  // namespace
diff --git a/chromium/net/cert/pki/parse_certificate.cc b/chromium/net/cert/pki/parse_certificate.cc
index d206ec897e6..7be07772fd6 100644
--- a/chromium/net/cert/pki/parse_certificate.cc
+++ b/chromium/net/cert/pki/parse_certificate.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,10 +6,10 @@
 
 #include <utility>
 
-#include "base/strings/string_util.h"
 #include "net/cert/pki/cert_error_params.h"
 #include "net/cert/pki/cert_errors.h"
 #include "net/cert/pki/general_names.h"
+#include "net/cert/pki/string_util.h"
 #include "net/der/input.h"
 #include "net/der/parse_values.h"
 #include "net/der/parser.h"
@@ -805,8 +805,8 @@ bool ParseAuthorityInfoAccess(
 
 bool ParseAuthorityInfoAccessURIs(
     const der::Input& authority_info_access_tlv,
-    std::vector<base::StringPiece>* out_ca_issuers_uris,
-    std::vector<base::StringPiece>* out_ocsp_uris) {
+    std::vector<std::string_view>* out_ca_issuers_uris,
+    std::vector<std::string_view>* out_ocsp_uris) {
   std::vector<AuthorityInfoAccessDescription> access_descriptions;
   if (!ParseAuthorityInfoAccess(authority_info_access_tlv,
                                 &access_descriptions)) {
@@ -825,8 +825,8 @@ bool ParseAuthorityInfoAccessURIs(
     // GeneralName ::= CHOICE {
     if (access_location_tag == der::ContextSpecificPrimitive(6)) {
       // uniformResourceIdentifier       [6]     IA5String,
-      base::StringPiece uri = access_location_value.AsStringPiece();
-      if (!base::IsStringASCII(uri))
+      std::string_view uri = access_location_value.AsStringView();
+      if (!net::string_util::IsAscii(uri))
         return false;
 
       if (access_description.access_method_oid == der::Input(kAdCaIssuersOid))
diff --git a/chromium/net/cert/pki/parse_certificate.h b/chromium/net/cert/pki/parse_certificate.h
index d71dda139b5..960244ce8e6 100644
--- a/chromium/net/cert/pki/parse_certificate.h
+++ b/chromium/net/cert/pki/parse_certificate.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -535,8 +535,8 @@ struct AuthorityInfoAccessDescription {
 // ignored.
 [[nodiscard]] NET_EXPORT bool ParseAuthorityInfoAccessURIs(
     const der::Input& authority_info_access_tlv,
-    std::vector<base::StringPiece>* out_ca_issuers_uris,
-    std::vector<base::StringPiece>* out_ocsp_uris);
+    std::vector<std::string_view>* out_ca_issuers_uris,
+    std::vector<std::string_view>* out_ocsp_uris);
 
 // ParsedDistributionPoint represents a parsed DistributionPoint from RFC 5280.
 //
diff --git a/chromium/net/cert/pki/parse_certificate_fuzzer.cc b/chromium/net/cert/pki/parse_certificate_fuzzer.cc
index b73eb018a24..95ddc39c3e4 100644
--- a/chromium/net/cert/pki/parse_certificate_fuzzer.cc
+++ b/chromium/net/cert/pki/parse_certificate_fuzzer.cc
@@ -1,11 +1,10 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stddef.h>
 #include <stdint.h>
 
-#include "base/check_op.h"
 #include "net/cert/pki/cert_errors.h"
 #include "net/cert/pki/parsed_certificate.h"
 #include "net/cert/x509_util.h"
diff --git a/chromium/net/cert/pki/parse_certificate_unittest.cc b/chromium/net/cert/pki/parse_certificate_unittest.cc
index 7f5c48efe3e..f22c45fdb19 100644
--- a/chromium/net/cert/pki/parse_certificate_unittest.cc
+++ b/chromium/net/cert/pki/parse_certificate_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -536,7 +536,7 @@ TEST(ParseAuthorityInfoAccess, BasicTests) {
     EXPECT_EQ(der::Input(location_der), desc.access_location);
   }
 
-  std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris;
+  std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
   ASSERT_TRUE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
                                            &ocsp_uris));
   ASSERT_EQ(1u, ca_issuers_uris.size());
@@ -578,7 +578,7 @@ TEST(ParseAuthorityInfoAccess, NoOcspOrCaIssuersURIs) {
                                   0x03, 0x13, 0x03, 0x66, 0x6f, 0x6f};
   EXPECT_EQ(der::Input(location_der), desc.access_location);
 
-  std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris;
+  std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
   // ParseAuthorityInfoAccessURIs should still return success since it was a
   // valid AuthorityInfoAccess extension, even though it did not contain any
   // elements we care about, and both output vectors should be empty.
@@ -610,7 +610,7 @@ TEST(ParseAuthorityInfoAccess, IncompleteAccessDescription) {
   std::vector<AuthorityInfoAccessDescription> access_descriptions;
   EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
 
-  std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris;
+  std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
   EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
                                             &ocsp_uris));
 }
@@ -633,7 +633,7 @@ TEST(ParseAuthorityInfoAccess, ExtraDataInAccessDescription) {
   std::vector<AuthorityInfoAccessDescription> access_descriptions;
   EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
 
-  std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris;
+  std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
   EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
                                             &ocsp_uris));
 }
@@ -645,7 +645,7 @@ TEST(ParseAuthorityInfoAccess, EmptySequence) {
   std::vector<AuthorityInfoAccessDescription> access_descriptions;
   EXPECT_FALSE(ParseAuthorityInfoAccess(der::Input(der), &access_descriptions));
 
-  std::vector<base::StringPiece> ca_issuers_uris, ocsp_uris;
+  std::vector<std::string_view> ca_issuers_uris, ocsp_uris;
   EXPECT_FALSE(ParseAuthorityInfoAccessURIs(der::Input(der), &ca_issuers_uris,
                                             &ocsp_uris));
 }
diff --git a/chromium/net/cert/pki/parse_name.cc b/chromium/net/cert/pki/parse_name.cc
index 5cd4516890c..5e8459aa0d8 100644
--- a/chromium/net/cert/pki/parse_name.cc
+++ b/chromium/net/cert/pki/parse_name.cc
@@ -1,11 +1,9 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/parse_name.h"
 
-#include "base/check_op.h"
-#include "base/notreached.h"
 #include "base/strings/string_number_conversions.h"
 #include "net/der/parse_values.h"
 #include "third_party/boringssl/src/include/openssl/bytestring.h"
@@ -72,7 +70,7 @@ bool X509NameAttribute::ValueAsStringUnsafe(std::string* out) const {
     case der::kBmpString:
       return der::ParseBmpString(value, out);
     default:
-      NOTREACHED();
+      assert(0);  // NOTREACHED
       return false;
   }
 }
diff --git a/chromium/net/cert/pki/parse_name.h b/chromium/net/cert/pki/parse_name.h
index e44833a9b30..93d8db53d67 100644
--- a/chromium/net/cert/pki/parse_name.h
+++ b/chromium/net/cert/pki/parse_name.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/parse_name_unittest.cc b/chromium/net/cert/pki/parse_name_unittest.cc
index 3e29b808c4e..81064e07a64 100644
--- a/chromium/net/cert/pki/parse_name_unittest.cc
+++ b/chromium/net/cert/pki/parse_name_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/parsed_certificate.cc b/chromium/net/cert/pki/parsed_certificate.cc
index a1268a127b6..367bce786a0 100644
--- a/chromium/net/cert/pki/parsed_certificate.cc
+++ b/chromium/net/cert/pki/parsed_certificate.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -20,8 +20,6 @@ namespace {
 DEFINE_CERT_ERROR_ID(kFailedParsingCertificate, "Failed parsing Certificate");
 DEFINE_CERT_ERROR_ID(kFailedParsingTbsCertificate,
                      "Failed parsing TBSCertificate");
-DEFINE_CERT_ERROR_ID(kFailedParsingSignatureAlgorithm,
-                     "Failed parsing SignatureAlgorithm");
 DEFINE_CERT_ERROR_ID(kFailedReadingIssuerOrSubject,
                      "Failed reading issuer or subject");
 DEFINE_CERT_ERROR_ID(kFailedNormalizingSubject, "Failed normalizing subject");
@@ -106,13 +104,8 @@ scoped_refptr<ParsedCertificate> ParsedCertificate::Create(
   }
 
   // Attempt to parse the signature algorithm contained in the Certificate.
-  absl::optional<SignatureAlgorithm> sigalg =
+  result->signature_algorithm_ =
       ParseSignatureAlgorithm(result->signature_algorithm_tlv_, errors);
-  if (!sigalg) {
-    errors->AddError(kFailedParsingSignatureAlgorithm);
-    return nullptr;
-  }
-  result->signature_algorithm_ = *sigalg;
 
   der::Input subject_value;
   if (!GetSequenceValue(result->tbs_.subject_tlv, &subject_value)) {
diff --git a/chromium/net/cert/pki/parsed_certificate.h b/chromium/net/cert/pki/parsed_certificate.h
index d02c4bf5129..e777228fc32 100644
--- a/chromium/net/cert/pki/parsed_certificate.h
+++ b/chromium/net/cert/pki/parsed_certificate.h
@@ -1,5 +1,4 @@
-
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +9,6 @@
 #include <memory>
 #include <vector>
 
-#include "base/check.h"
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
 #include "net/cert/pki/certificate_policies.h"
@@ -86,7 +84,8 @@ class NET_EXPORT ParsedCertificate
   const ParsedTbsCertificate& tbs() const { return tbs_; }
 
   // Returns the signatureAlgorithm of the Certificate (not the tbsCertificate).
-  SignatureAlgorithm signature_algorithm() const {
+  // If the signature algorithm is unknown/unsupported, this returns nullopt.
+  absl::optional<SignatureAlgorithm> signature_algorithm() const {
     return signature_algorithm_;
   }
 
@@ -176,12 +175,12 @@ class NET_EXPORT ParsedCertificate
   }
 
   // Returns any caIssuers URIs from the AuthorityInfoAccess extension.
-  const std::vector<base::StringPiece>& ca_issuers_uris() const {
+  const std::vector<std::string_view>& ca_issuers_uris() const {
     return ca_issuers_uris_;
   }
 
   // Returns any OCSP URIs from the AuthorityInfoAccess extension.
-  const std::vector<base::StringPiece>& ocsp_uris() const { return ocsp_uris_; }
+  const std::vector<std::string_view>& ocsp_uris() const { return ocsp_uris_; }
 
   // Returns true if the certificate has a Policies extension.
   bool has_policy_oids() const { return has_policy_oids_; }
@@ -261,14 +260,7 @@ class NET_EXPORT ParsedCertificate
   ParsedTbsCertificate tbs_;
 
   // The signatureAlgorithm from the Certificate.
-  //
-  // TODO(crbug.com/1321688): This class requires that we recognize the
-  // signature algorithm, but there are some self-signed root certificates with
-  // weak signature algorithms like MD2. We never verify those signatures, but
-  // this means we must include MD2, etc., in the `SignatureAlgorithm` enum.
-  // Instead, make this an `absl::optional<SignatureAlgorithm>` and make the
-  // call sites handle recognized and unrecognized algorithms.
-  SignatureAlgorithm signature_algorithm_;
+  absl::optional<SignatureAlgorithm> signature_algorithm_;
 
   // Normalized DER-encoded Subject (not including outer Sequence tag).
   std::string normalized_subject_;
@@ -301,8 +293,8 @@ class NET_EXPORT ParsedCertificate
   // CaIssuers and Ocsp URIs parsed from the AuthorityInfoAccess extension. Note
   // that the AuthorityInfoAccess may have contained other AccessDescriptions
   // which are not represented here.
-  std::vector<base::StringPiece> ca_issuers_uris_;
-  std::vector<base::StringPiece> ocsp_uris_;
+  std::vector<std::string_view> ca_issuers_uris_;
+  std::vector<std::string_view> ocsp_uris_;
 
   // Policies extension.
   bool has_policy_oids_ = false;
diff --git a/chromium/net/cert/pki/parsed_certificate_unittest.cc b/chromium/net/cert/pki/parsed_certificate_unittest.cc
index b33520910b3..bd08592a66c 100644
--- a/chromium/net/cert/pki/parsed_certificate_unittest.cc
+++ b/chromium/net/cert/pki/parsed_certificate_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -148,7 +148,10 @@ TEST(ParsedCertificateTest, BadPolicyQualifiers) {
 
 // Parses a certificate that uses an unknown signature algorithm OID (00).
 TEST(ParsedCertificateTest, BadSignatureAlgorithmOid) {
-  ASSERT_FALSE(ParseCertificateFromFile("bad_signature_algorithm_oid.pem", {}));
+  scoped_refptr<ParsedCertificate> cert =
+      ParseCertificateFromFile("bad_signature_algorithm_oid.pem", {});
+  ASSERT_TRUE(cert);
+  ASSERT_FALSE(cert->signature_algorithm());
 }
 
 //  The validity encodes time as UTCTime but following the BER rules rather than
@@ -159,7 +162,10 @@ TEST(ParsedCertificateTest, BadValidity) {
 
 // The signature algorithm contains an unexpected parameters field.
 TEST(ParsedCertificateTest, FailedSignatureAlgorithm) {
-  ASSERT_FALSE(ParseCertificateFromFile("failed_signature_algorithm.pem", {}));
+  scoped_refptr<ParsedCertificate> cert =
+      ParseCertificateFromFile("failed_signature_algorithm.pem", {});
+  ASSERT_TRUE(cert);
+  ASSERT_FALSE(cert->signature_algorithm());
 }
 
 TEST(ParsedCertificateTest, IssuerBadPrintableString) {
diff --git a/chromium/net/cert/pki/path_builder.cc b/chromium/net/cert/pki/path_builder.cc
index cdb9ede48dd..c73d033dd7d 100644
--- a/chromium/net/cert/pki/path_builder.cc
+++ b/chromium/net/cert/pki/path_builder.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,9 +11,7 @@
 #include "base/logging.h"
 #include "base/memory/raw_ptr.h"
 #include "base/metrics/histogram_functions.h"
-#include "base/notreached.h"
 #include "base/strings/string_number_conversions.h"
-#include "crypto/sha2.h"
 #include "net/base/net_errors.h"
 #include "net/cert/pki/cert_issuer_source.h"
 #include "net/cert/pki/certificate_policies.h"
@@ -25,6 +23,7 @@
 #include "net/cert/pki/verify_name_match.h"
 #include "net/der/parser.h"
 #include "net/der/tag.h"
+#include "third_party/boringssl/src/include/openssl/sha.h"
 
 namespace net {
 
@@ -34,8 +33,10 @@ using CertIssuerSources = std::vector<CertIssuerSource*>;
 
 // Returns a hex-encoded sha256 of the DER-encoding of |cert|.
 std::string FingerPrintParsedCertificate(const net::ParsedCertificate* cert) {
-  std::string hash = crypto::SHA256HashString(cert->der_cert().AsStringPiece());
-  return base::HexEncode(hash.data(), hash.size());
+  uint8_t digest[SHA256_DIGEST_LENGTH];
+  SHA256(cert->der_cert().AsSpan().data(), cert->der_cert().AsSpan().size(),
+         digest);
+  return base::HexEncode(digest, sizeof(digest));
 }
 
 // TODO(mattm): decide how much debug logging to keep.
@@ -225,7 +226,7 @@ class CertIssuersIter {
   // duplicates. This is based on the full DER of the cert to allow different
   // versions of the same certificate to be tried in different candidate paths.
   // This points to data owned by |issuers_|.
-  std::unordered_set<base::StringPiece, base::StringPieceHash> present_issuers_;
+  std::unordered_set<std::string_view> present_issuers_;
 
   // Tracks which requests have been made yet.
   bool did_initial_query_ = false;
@@ -304,10 +305,10 @@ void CertIssuersIter::GetNextIssuer(IssuerEntry* out) {
 
 void CertIssuersIter::AddIssuers(ParsedCertificateList new_issuers) {
   for (scoped_refptr<ParsedCertificate>& issuer : new_issuers) {
-    if (present_issuers_.find(issuer->der_cert().AsStringPiece()) !=
+    if (present_issuers_.find(issuer->der_cert().AsStringView()) !=
         present_issuers_.end())
       continue;
-    present_issuers_.insert(issuer->der_cert().AsStringPiece());
+    present_issuers_.insert(issuer->der_cert().AsStringView());
 
     // Look up the trust for this issuer.
     IssuerEntry entry;
@@ -420,8 +421,7 @@ class CertIssuerIterPath {
   }
 
  private:
-  using Key =
-      std::tuple<base::StringPiece, base::StringPiece, base::StringPiece>;
+  using Key = std::tuple<std::string_view, std::string_view, std::string_view>;
 
   static Key GetKey(const ParsedCertificate* cert) {
     // TODO(mattm): ideally this would use a normalized version of
@@ -430,9 +430,9 @@ class CertIssuerIterPath {
     // Note that subject_alt_names_extension().value will be empty if the cert
     // had no SubjectAltName extension, so there is no need for a condition on
     // has_subject_alt_names().
-    return Key(cert->normalized_subject().AsStringPiece(),
-               cert->subject_alt_names_extension().value.AsStringPiece(),
-               cert->tbs().spki_tlv.AsStringPiece());
+    return Key(cert->normalized_subject().AsStringView(),
+               cert->subject_alt_names_extension().value.AsStringView(),
+               cert->tbs().spki_tlv.AsStringView());
   }
 
   std::vector<std::unique_ptr<CertIssuersIter>> cur_path_;
@@ -458,7 +458,7 @@ const ParsedCertificate* CertPathBuilderResultPath::GetTrustedCert() const {
       return nullptr;
   }
 
-  NOTREACHED();
+  assert(0);  // NOTREACHED
   return nullptr;
 }
 
diff --git a/chromium/net/cert/pki/path_builder.h b/chromium/net/cert/pki/path_builder.h
index c4bd8a72581..01fc9eb6301 100644
--- a/chromium/net/cert/pki/path_builder.h
+++ b/chromium/net/cert/pki/path_builder.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/path_builder_pkits_unittest.cc b/chromium/net/cert/pki/path_builder_pkits_unittest.cc
index e082f7d55fc..0939aa6bd4a 100644
--- a/chromium/net/cert/pki/path_builder_pkits_unittest.cc
+++ b/chromium/net/cert/pki/path_builder_pkits_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -162,7 +162,7 @@ class PathBuilderPkitsTestDelegate {
         crl_ders, verify_time, /*max_age=*/base::Days(365 * 2), 1024,
         SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
 
-    base::StringPiece test_number = info.test_number;
+    std::string_view test_number = info.test_number;
     if (test_number == "4.4.19" || test_number == "4.5.3" ||
         test_number == "4.5.4" || test_number == "4.5.6") {
       // 4.4.19 - fails since CRL is signed by a certificate that is not part
diff --git a/chromium/net/cert/pki/path_builder_unittest.cc b/chromium/net/cert/pki/path_builder_unittest.cc
index 80c5baa5eae..f31c6a5f7a2 100644
--- a/chromium/net/cert/pki/path_builder_unittest.cc
+++ b/chromium/net/cert/pki/path_builder_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,6 +9,7 @@
 #include "base/containers/span.h"
 #include "base/files/file_util.h"
 #include "base/path_service.h"
+#include "base/ranges/algorithm.h"
 #include "base/test/bind.h"
 #include "base/test/metrics/histogram_tester.h"
 #include "base/test/task_environment.h"
@@ -917,7 +918,7 @@ bool AreCertsEq(const scoped_refptr<ParsedCertificate> cert_1,
 }
 
 // Test to ensure that path building stops when an intermediate cert is
-// encountered that is not usable for TLS because of EKU restrictions.
+// encountered that is not usable for TLS because it is explicitly distrusted.
 TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) {
   crypto::ScopedHCERTSTORE root_store(CertOpenStore(
       CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, NULL, 0, nullptr));
@@ -932,7 +933,7 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) {
                                szOID_PKIX_KP_SERVER_AUTH);
   AddToStoreWithEKURestriction(intermediate_store.get(), c_by_e_,
                                szOID_PKIX_KP_SERVER_AUTH);
-  AddToStoreWithEKURestriction(intermediate_store.get(), c_by_d_, nullptr);
+  AddToStoreWithEKURestriction(disallowed_store.get(), c_by_d_, nullptr);
 
   std::unique_ptr<TrustStoreWin> trust_store = TrustStoreWin::CreateForTesting(
       std::move(root_store), std::move(intermediate_store),
@@ -948,7 +949,7 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) {
 
   auto result = path_builder.Run();
   ASSERT_TRUE(result.HasValidPath());
-  ASSERT_EQ(2U, result.paths.size());
+  ASSERT_EQ(1U, result.paths.size());
   const auto& path = *result.GetBestValidPath();
   ASSERT_EQ(3U, path.certs.size());
   EXPECT_TRUE(AreCertsEq(b_by_c_, path.certs[0]));
@@ -956,14 +957,12 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinOnlyFindTrustedTLSPath) {
   EXPECT_TRUE(AreCertsEq(e_by_e_, path.certs[2]));
 
   // Should only be one valid path, the one above.
-  int valid_paths = 0;
-  for (auto&& path : result.paths) {
-    valid_paths += path->IsValid() ? 1 : 0;
-  }
+  int valid_paths =
+      base::ranges::count_if(result.paths, &CertPathBuilderResultPath::IsValid);
   ASSERT_EQ(1, valid_paths);
 }
 
-// Test that if an intermediate is disabled for TLS, and it is the only
+// Test that if an intermediate is untrusted, and it is the only
 // path, then path building should fail, even if the root is enabled for
 // TLS.
 TEST_F(PathBuilderMultiRootTest, TrustStoreWinNoPathEKURestrictions) {
@@ -976,7 +975,7 @@ TEST_F(PathBuilderMultiRootTest, TrustStoreWinNoPathEKURestrictions) {
 
   AddToStoreWithEKURestriction(root_store.get(), d_by_d_,
                                szOID_PKIX_KP_SERVER_AUTH);
-  AddToStoreWithEKURestriction(intermediate_store.get(), c_by_d_, nullptr);
+  AddToStoreWithEKURestriction(disallowed_store.get(), c_by_d_, nullptr);
   std::unique_ptr<TrustStoreWin> trust_store = TrustStoreWin::CreateForTesting(
       std::move(root_store), std::move(intermediate_store),
       std::move(disallowed_store));
diff --git a/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc b/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc
index 1db806bb67a..a3f1530e541 100644
--- a/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc
+++ b/chromium/net/cert/pki/path_builder_verify_certificate_chain_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,8 +17,7 @@ class PathBuilderTestDelegate {
  public:
   static void Verify(const VerifyCertChainTest& test,
                      const std::string& test_file_path) {
-    SimplePathBuilderDelegate path_builder_delegate(
-        1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+    SimplePathBuilderDelegate path_builder_delegate(1024, test.digest_policy);
     ASSERT_FALSE(test.chain.empty());
 
     TrustStoreInMemory trust_store;
diff --git a/chromium/net/cert/pki/revocation_util.cc b/chromium/net/cert/pki/revocation_util.cc
index 17a75b03c8e..afbc7290adc 100644
--- a/chromium/net/cert/pki/revocation_util.cc
+++ b/chromium/net/cert/pki/revocation_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/revocation_util.h b/chromium/net/cert/pki/revocation_util.h
index 2966a0542de..1cd5ce81e8b 100644
--- a/chromium/net/cert/pki/revocation_util.h
+++ b/chromium/net/cert/pki/revocation_util.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/signature_algorithm.cc b/chromium/net/cert/pki/signature_algorithm.cc
index a7ff1852587..0b913bb72b4 100644
--- a/chromium/net/cert/pki/signature_algorithm.cc
+++ b/chromium/net/cert/pki/signature_algorithm.cc
@@ -1,10 +1,9 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/signature_algorithm.h"
 
-#include "base/check.h"
 #include "net/cert/pki/cert_error_params.h"
 #include "net/cert/pki/cert_errors.h"
 #include "net/der/input.h"
@@ -17,21 +16,6 @@ namespace net {
 
 namespace {
 
-// md2WithRSAEncryption
-// In dotted notation: 1.2.840.113549.1.1.2
-const uint8_t kOidMd2WithRsaEncryption[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
-                                            0x0d, 0x01, 0x01, 0x02};
-
-// md4WithRSAEncryption
-// In dotted notation: 1.2.840.113549.1.1.3
-const uint8_t kOidMd4WithRsaEncryption[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
-                                            0x0d, 0x01, 0x01, 0x03};
-
-// md5WithRSAEncryption
-// In dotted notation: 1.2.840.113549.1.1.4
-const uint8_t kOidMd5WithRsaEncryption[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
-                                            0x0d, 0x01, 0x01, 0x04};
-
 // From RFC 5912:
 //
 //     sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
@@ -134,24 +118,6 @@ const uint8_t kOidRsaSsaPss[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
 
 // From RFC 5912:
 //
-//     dsa-with-sha1 OBJECT IDENTIFIER ::=  {
-//      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }
-//
-// In dotted notation: 1.2.840.10040.4.3
-const uint8_t kOidDsaWithSha1[] = {0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03};
-
-// From RFC 5912:
-//
-//     dsa-with-sha256 OBJECT IDENTIFIER  ::=  {
-//      joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
-//      csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }
-//
-// In dotted notation: 2.16.840.1.101.3.4.3.2
-const uint8_t kOidDsaWithSha256[] = {0x60, 0x86, 0x48, 0x01, 0x65,
-                                     0x03, 0x04, 0x03, 0x02};
-
-// From RFC 5912:
-//
 //     id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }
 //
 // In dotted notation: 1.2.840.113549.1.1.8
@@ -391,15 +357,6 @@ absl::optional<SignatureAlgorithm> ParseSignatureAlgorithm(
   if (oid == der::Input(kOidSha1WithRsaSignature) && IsNullOrEmpty(params)) {
     return SignatureAlgorithm::kRsaPkcs1Sha1;
   }
-  if (oid == der::Input(kOidMd2WithRsaEncryption) && IsNullOrEmpty(params)) {
-    return SignatureAlgorithm::kRsaPkcs1Md2;
-  }
-  if (oid == der::Input(kOidMd4WithRsaEncryption) && IsNullOrEmpty(params)) {
-    return SignatureAlgorithm::kRsaPkcs1Md4;
-  }
-  if (oid == der::Input(kOidMd5WithRsaEncryption) && IsNullOrEmpty(params)) {
-    return SignatureAlgorithm::kRsaPkcs1Md5;
-  }
 
   // RFC 5912 requires that the parameters for ECDSA algorithms be absent
   // ("PARAMS TYPE NULL ARE absent"):
@@ -420,16 +377,6 @@ absl::optional<SignatureAlgorithm> ParseSignatureAlgorithm(
     return ParseRsaPss(params);
   }
 
-  // RFC 5912 requires that the parameters for DSA algorithms be absent.
-  //
-  // TODO(svaldez): Add warning about non-strict parsing.
-  if (oid == der::Input(kOidDsaWithSha1) && IsNullOrEmpty(params)) {
-    return SignatureAlgorithm::kDsaSha1;
-  }
-  if (oid == der::Input(kOidDsaWithSha256) && IsNullOrEmpty(params)) {
-    return SignatureAlgorithm::kDsaSha256;
-  }
-
   // Unknown signature algorithm.
   if (errors) {
     errors->AddError(kUnknownSignatureAlgorithm,
@@ -446,8 +393,7 @@ absl::optional<DigestAlgorithm> GetTlsServerEndpointDigestAlgorithm(
   // implement this within the library, so callers do not need to condition over
   // all algorithms.
   switch (alg) {
-    // If the single digest algorithm is MD5 or SHA-1, use SHA-256.
-    case SignatureAlgorithm::kRsaPkcs1Md5:
+    // If the single digest algorithm is SHA-1, use SHA-256.
     case SignatureAlgorithm::kRsaPkcs1Sha1:
     case SignatureAlgorithm::kEcdsaSha1:
       return DigestAlgorithm::Sha256;
@@ -473,13 +419,6 @@ absl::optional<DigestAlgorithm> GetTlsServerEndpointDigestAlgorithm(
       return DigestAlgorithm::Sha384;
     case SignatureAlgorithm::kRsaPssSha512:
       return DigestAlgorithm::Sha512;
-
-    // Do not return anything for these legacy algorithms.
-    case SignatureAlgorithm::kDsaSha1:
-    case SignatureAlgorithm::kDsaSha256:
-    case SignatureAlgorithm::kRsaPkcs1Md2:
-    case SignatureAlgorithm::kRsaPkcs1Md4:
-      return absl::nullopt;
   }
   return absl::nullopt;
 }
diff --git a/chromium/net/cert/pki/signature_algorithm.h b/chromium/net/cert/pki/signature_algorithm.h
index e6e2569bbae..8e3ad573f5b 100644
--- a/chromium/net/cert/pki/signature_algorithm.h
+++ b/chromium/net/cert/pki/signature_algorithm.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,6 +9,7 @@
 
 #include "net/base/net_export.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
+#include "third_party/boringssl/src/include/openssl/evp.h"
 
 namespace net {
 
@@ -45,13 +46,6 @@ enum class SignatureAlgorithm {
   kRsaPssSha256,
   kRsaPssSha384,
   kRsaPssSha512,
-  // These algorithms can be parsed but are not supported.
-  // TODO(https://crbug.com/1321688): Remove these.
-  kRsaPkcs1Md2,
-  kRsaPkcs1Md4,
-  kRsaPkcs1Md5,
-  kDsaSha1,
-  kDsaSha256,
 };
 
 // Parses AlgorithmIdentifier as defined by RFC 5280 section 4.1.1.2:
diff --git a/chromium/net/cert/pki/signature_algorithm_unittest.cc b/chromium/net/cert/pki/signature_algorithm_unittest.cc
index 2247675ca76..3997ffc505d 100644
--- a/chromium/net/cert/pki/signature_algorithm_unittest.cc
+++ b/chromium/net/cert/pki/signature_algorithm_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -1373,8 +1373,7 @@ TEST(SignatureAlgorithmTest, ParseDerMd5WithRsaEncryptionNullParams) {
       0x05, 0x00,  // NULL (0 bytes)
   };
   // clang-format on
-  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr),
-            SignatureAlgorithm::kRsaPkcs1Md5);
+  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt);
 }
 
 // Parses a md4WithRSAEncryption which contains a NULL parameters field.
@@ -1391,8 +1390,7 @@ TEST(SignatureAlgorithmTest, ParseDerMd4WithRsaEncryptionNullParams) {
       0x05, 0x00,  // NULL (0 bytes)
   };
   // clang-format on
-  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr),
-            SignatureAlgorithm::kRsaPkcs1Md4);
+  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt);
 }
 
 // Parses a md2WithRSAEncryption which contains a NULL parameters field.
@@ -1409,8 +1407,7 @@ TEST(SignatureAlgorithmTest, ParseDerMd2WithRsaEncryptionNullParams) {
       0x05, 0x00,  // NULL (0 bytes)
   };
   // clang-format on
-  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr),
-            SignatureAlgorithm::kRsaPkcs1Md2);
+  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt);
 }
 
 // Parses a dsaWithSha1 which contains no parameters field.
@@ -1425,8 +1422,7 @@ TEST(SignatureAlgorithmTest, ParseDerDsaWithSha1NoParams) {
       0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03,
   };
   // clang-format on
-  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr),
-            SignatureAlgorithm::kDsaSha1);
+  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt);
 }
 
 // Parses a dsaWithSha1 which contains a NULL parameters field.
@@ -1443,8 +1439,7 @@ TEST(SignatureAlgorithmTest, ParseDerDsaWithSha1NullParams) {
       0x05, 0x00,  // NULL (0 bytes)
   };
   // clang-format on
-  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr),
-            SignatureAlgorithm::kDsaSha1);
+  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt);
 }
 
 // Parses a dsaWithSha256 which contains no parameters field.
@@ -1459,8 +1454,7 @@ TEST(SignatureAlgorithmTest, ParseDerDsaWithSha256NoParams) {
       0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x02
   };
   // clang-format on
-  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr),
-            SignatureAlgorithm::kDsaSha256);
+  EXPECT_EQ(ParseSignatureAlgorithm(der::Input(kData), nullptr), absl::nullopt);
 }
 
 }  // namespace
diff --git a/chromium/net/cert/pki/simple_path_builder_delegate.cc b/chromium/net/cert/pki/simple_path_builder_delegate.cc
index aa961254d3a..06dfabff957 100644
--- a/chromium/net/cert/pki/simple_path_builder_delegate.cc
+++ b/chromium/net/cert/pki/simple_path_builder_delegate.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -70,16 +70,6 @@ bool SimplePathBuilderDelegate::IsSignatureAlgorithmAcceptable(
     case SignatureAlgorithm::kRsaPssSha384:
     case SignatureAlgorithm::kRsaPssSha512:
       return true;
-
-    case SignatureAlgorithm::kRsaPkcs1Md2:
-    case SignatureAlgorithm::kRsaPkcs1Md4:
-    case SignatureAlgorithm::kRsaPkcs1Md5:
-    case SignatureAlgorithm::kDsaSha1:
-    case SignatureAlgorithm::kDsaSha256:
-      // TODO(https://crbug.com/1321688): We do not implement DSA, MD2, MD4, or
-      // MD5 anyway. Remove them from the parser altogether, so code does not
-      // need to handle them.
-      return false;
   }
 }
 
diff --git a/chromium/net/cert/pki/simple_path_builder_delegate.h b/chromium/net/cert/pki/simple_path_builder_delegate.h
index db1b368c215..d1f7bf5e0b5 100644
--- a/chromium/net/cert/pki/simple_path_builder_delegate.h
+++ b/chromium/net/cert/pki/simple_path_builder_delegate.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc b/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc
index e9613a1e61f..440dafe1c21 100644
--- a/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc
+++ b/chromium/net/cert/pki/simple_path_builder_delegate_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "net/cert/pki/simple_path_builder_delegate.h"
diff --git a/chromium/net/cert/pki/string_util.cc b/chromium/net/cert/pki/string_util.cc
new file mode 100644
index 00000000000..4fc00a62b36
--- /dev/null
+++ b/chromium/net/cert/pki/string_util.cc
@@ -0,0 +1,75 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/pki/string_util.h"
+
+#include "third_party/boringssl/src/include/openssl/mem.h"
+
+#include <algorithm>
+#include <string>
+
+namespace net::string_util {
+
+bool IsAscii(std::string_view str) {
+  for (unsigned char c : str) {
+    if (c > 127) {
+      return false;
+    }
+  }
+  return true;
+}
+
+bool IsEqualNoCase(std::string_view str1, std::string_view str2) {
+  if (str1.size() != str2.size()) {
+    return false;
+  }
+  return std::equal(str2.cbegin(), str2.cend(), str1.cbegin(),
+                    [](const unsigned char a, const unsigned char b) {
+                      return OPENSSL_tolower(a) == OPENSSL_tolower(b);
+                    });
+}
+
+bool EndsWithNoCase(std::string_view str, std::string_view suffix) {
+  return suffix.size() <= str.size() &&
+         IsEqualNoCase(suffix, str.substr(str.size() - suffix.size()));
+}
+
+bool StartsWithNoCase(std::string_view str, std::string_view prefix) {
+  return prefix.size() <= str.size() &&
+         IsEqualNoCase(prefix, str.substr(0, prefix.size()));
+}
+
+std::string FindAndReplace(std::string_view str,
+                           std::string_view find,
+                           std::string_view replace) {
+  std::string ret;
+
+  if (find.empty()) {
+    return std::string(str);
+  }
+  while (!str.empty()) {
+    size_t index = str.find(find);
+    if (index == std::string_view::npos) {
+      ret.append(str);
+      break;
+    }
+    ret.append(str.substr(0, index));
+    ret.append(replace);
+    str = str.substr(index + find.size());
+  }
+  return ret;
+}
+
+// TODO(bbe) get rid of this once we can c++20.
+bool EndsWith(std::string_view str, std::string_view suffix) {
+  return suffix.size() <= str.size() &&
+         suffix == str.substr(str.size() - suffix.size());
+}
+
+// TODO(bbe) get rid of this once we can c++20.
+bool StartsWith(std::string_view str, std::string_view prefix) {
+  return prefix.size() <= str.size() && prefix == str.substr(0, prefix.size());
+}
+
+}  // namespace net::string_util
diff --git a/chromium/net/cert/pki/string_util.h b/chromium/net/cert/pki/string_util.h
new file mode 100644
index 00000000000..da3a72af2b9
--- /dev/null
+++ b/chromium/net/cert/pki/string_util.h
@@ -0,0 +1,49 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_CERT_PKI_STRING_UTIL_H_
+#define NET_CERT_PKI_STRING_UTIL_H_
+
+#include "net/base/net_export.h"
+
+#include <string_view>
+
+namespace net::string_util {
+
+// Returns true if the characters in |str| are all ASCII, false otherwise.
+NET_EXPORT_PRIVATE bool IsAscii(std::string_view str);
+
+// Compares |str1| and |str2| ASCII case insensitively (independent of locale).
+// Returns true if |str1| and |str2| match.
+NET_EXPORT_PRIVATE bool IsEqualNoCase(std::string_view str1,
+                                      std::string_view str2);
+
+// Compares |str1| and |prefix| ASCII case insensitively (independent of
+// locale). Returns true if |str1| starts with |prefix|.
+NET_EXPORT_PRIVATE bool StartsWithNoCase(std::string_view str,
+                                         std::string_view prefix);
+
+// Compares |str1| and |suffix| ASCII case insensitively (independent of
+// locale). Returns true if |str1| starts with |suffix|.
+NET_EXPORT_PRIVATE bool EndsWithNoCase(std::string_view str,
+                                       std::string_view suffix);
+
+// Finds and replaces all occurrences of |find| of non zero length with
+// |replace| in |str|, returning the result.
+NET_EXPORT_PRIVATE std::string FindAndReplace(std::string_view str,
+                                              std::string_view find,
+                                              std::string_view replace);
+
+// TODO(bbe) transition below to c++20
+// Compares |str1| and |prefix|. Returns true if |str1| starts with |prefix|.
+NET_EXPORT_PRIVATE bool StartsWith(std::string_view str,
+                                   std::string_view prefix);
+
+// TODO(bbe) transition below to c++20
+// Compares |str1| and |suffix|. Returns true if |str1| ends with |suffix|.
+NET_EXPORT_PRIVATE bool EndsWith(std::string_view str, std::string_view suffix);
+
+}  // namespace net::string_util
+
+#endif  // NET_CERT_PKI_STRING_UTIL_H_
diff --git a/chromium/net/cert/pki/string_util_unittest.cc b/chromium/net/cert/pki/string_util_unittest.cc
new file mode 100644
index 00000000000..5a376321908
--- /dev/null
+++ b/chromium/net/cert/pki/string_util_unittest.cc
@@ -0,0 +1,103 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/pki/string_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace {
+
+TEST(StringUtilTest, IsAscii) {
+  EXPECT_TRUE(net::string_util::IsAscii(""));
+  EXPECT_TRUE(net::string_util::IsAscii("mail.google.com"));
+  EXPECT_TRUE(net::string_util::IsAscii("mail.google.com\x7F"));
+  EXPECT_FALSE(net::string_util::IsAscii("mail.google.com\x80"));
+  EXPECT_FALSE(net::string_util::IsAscii("mail.google.com\xFF"));
+}
+
+TEST(StringUtilTest, IsEqualNoCase) {
+  EXPECT_TRUE(net::string_util::IsEqualNoCase("", ""));
+  EXPECT_TRUE(
+      net::string_util::IsEqualNoCase("mail.google.com", "maIL.GOoGlE.cOm"));
+  EXPECT_TRUE(net::string_util::IsEqualNoCase("MAil~-.google.cOm",
+                                              "maIL~-.gOoGlE.CoM"));
+  EXPECT_TRUE(net::string_util::IsEqualNoCase("mail\x80.google.com",
+                                              "maIL\x80.GOoGlE.cOm"));
+  EXPECT_TRUE(net::string_util::IsEqualNoCase("mail\xFF.google.com",
+                                              "maIL\xFF.GOoGlE.cOm"));
+  EXPECT_FALSE(
+      net::string_util::IsEqualNoCase("mail.google.co", "maIL.GOoGlE.cOm"));
+  EXPECT_FALSE(
+      net::string_util::IsEqualNoCase("mail.google.com", "maIL.GOoGlE.cO"));
+}
+
+TEST(StringUtilTest, EndsWithNoCase) {
+  EXPECT_TRUE(net::string_util::EndsWithNoCase("", ""));
+  EXPECT_TRUE(net::string_util::EndsWithNoCase("mail.google.com", ""));
+  EXPECT_TRUE(
+      net::string_util::EndsWithNoCase("mail.google.com", "maIL.GOoGlE.cOm"));
+  EXPECT_TRUE(
+      net::string_util::EndsWithNoCase("mail.google.com", ".gOoGlE.cOm"));
+  EXPECT_TRUE(
+      net::string_util::EndsWithNoCase("MAil~-.google.cOm", "-.gOoGlE.CoM"));
+  EXPECT_TRUE(net::string_util::EndsWithNoCase("mail\x80.google.com",
+                                               "\x80.GOoGlE.cOm"));
+  EXPECT_FALSE(
+      net::string_util::EndsWithNoCase("mail.google.com", "pOoGlE.com"));
+  EXPECT_FALSE(net::string_util::EndsWithNoCase("mail\x80.google.com",
+                                                "\x81.GOoGlE.cOm"));
+  EXPECT_FALSE(
+      net::string_util::EndsWithNoCase("mail.google.co", ".GOoGlE.cOm"));
+  EXPECT_FALSE(
+      net::string_util::EndsWithNoCase("mail.google.com", ".GOoGlE.cO"));
+  EXPECT_FALSE(
+      net::string_util::EndsWithNoCase("mail.google.com", "mail.google.com1"));
+  EXPECT_FALSE(
+      net::string_util::EndsWithNoCase("mail.google.com", "1mail.google.com"));
+}
+
+TEST(StringUtilTest, FindAndReplace) {
+  std::string tester = "hoobla derp hoobla derp porkrind";
+  tester = net::string_util::FindAndReplace(tester, "blah", "woof");
+  EXPECT_EQ(tester, "hoobla derp hoobla derp porkrind");
+  tester = net::string_util::FindAndReplace(tester, "", "yeet");
+  EXPECT_EQ(tester, "hoobla derp hoobla derp porkrind");
+  tester = net::string_util::FindAndReplace(tester, "hoobla", "derp");
+  EXPECT_EQ(tester, "derp derp derp derp porkrind");
+  tester = net::string_util::FindAndReplace(tester, "derp", "a");
+  EXPECT_EQ(tester, "a a a a porkrind");
+  tester = net::string_util::FindAndReplace(tester, "a ", "");
+  EXPECT_EQ(tester, "porkrind");
+  tester = net::string_util::FindAndReplace(tester, "porkrind", "");
+  EXPECT_EQ(tester, "");
+}
+
+TEST(StringUtilTest, StartsWithNoCase) {
+  EXPECT_TRUE(net::string_util::StartsWithNoCase("", ""));
+  EXPECT_TRUE(net::string_util::StartsWithNoCase("mail.google.com", ""));
+  EXPECT_TRUE(
+      net::string_util::StartsWithNoCase("mail.google.com", "maIL.GOoGlE.cOm"));
+  EXPECT_TRUE(net::string_util::StartsWithNoCase("mail.google.com", "MaIL."));
+  EXPECT_TRUE(
+      net::string_util::StartsWithNoCase("MAil~-.google.cOm", "maiL~-.Goo"));
+  EXPECT_TRUE(
+      net::string_util::StartsWithNoCase("mail\x80.google.com", "MAIL\x80."));
+  EXPECT_FALSE(
+      net::string_util::StartsWithNoCase("mail.google.com", "maIl.MoO"));
+  EXPECT_FALSE(
+      net::string_util::StartsWithNoCase("mail\x80.google.com", "Mail\x81"));
+  EXPECT_FALSE(
+      net::string_util::StartsWithNoCase("mai.google.co", "MAiL.GoogLE"));
+  EXPECT_FALSE(
+      net::string_util::StartsWithNoCase("mail.google.com", "MaI.GooGLE"));
+  EXPECT_FALSE(net::string_util::StartsWithNoCase("mail.google.com",
+                                                  "mail.google.com1"));
+  EXPECT_FALSE(net::string_util::StartsWithNoCase("mail.google.com",
+                                                  "1mail.google.com"));
+}
+
+}  // namespace
+
+}  // namespace net
diff --git a/chromium/net/cert/pki/test_helpers.cc b/chromium/net/cert/pki/test_helpers.cc
index 50cc1ba5105..151633f5e4d 100644
--- a/chromium/net/cert/pki/test_helpers.cc
+++ b/chromium/net/cert/pki/test_helpers.cc
@@ -1,18 +1,18 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/test_helpers.h"
 
-#include "base/base64.h"
 #include "base/base_paths.h"
 #include "base/files/file_util.h"
 #include "base/path_service.h"
 #include "base/strings/string_piece.h"
-#include "base/strings/string_util.h"
 #include "net/cert/pem.h"
 #include "net/cert/pki/cert_error_params.h"
 #include "net/cert/pki/cert_errors.h"
+#include "net/cert/pki/simple_path_builder_delegate.h"
+#include "net/cert/pki/string_util.h"
 #include "net/der/parser.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
@@ -23,11 +23,11 @@ namespace net {
 
 namespace {
 
-bool GetValue(base::StringPiece prefix,
-              base::StringPiece line,
+bool GetValue(std::string_view prefix,
+              std::string_view line,
               std::string* value,
               bool* has_value) {
-  if (!base::StartsWith(line, prefix))
+  if (!net::string_util::StartsWith(line, prefix))
     return false;
 
   if (*has_value) {
@@ -45,13 +45,16 @@ bool GetValue(base::StringPiece prefix,
 namespace der {
 
 void PrintTo(const Input& data, ::std::ostream* os) {
-  std::string b64;
-  base::Base64Encode(
-      base::StringPiece(reinterpret_cast<const char*>(data.UnsafeData()),
-                        data.Length()),
-      &b64);
-
-  *os << "[" << b64 << "]";
+  size_t len;
+  if (!EVP_EncodedLength(&len, data.Length())) {
+    *os << "[]";
+    return;
+  }
+  std::vector<uint8_t> encoded(len);
+  len = EVP_EncodeBlock(encoded.data(), data.UnsafeData(), data.Length());
+  // Skip the trailing \0.
+  std::string b64_encoded(encoded.begin(), encoded.begin() + len);
+  *os << "[" << b64_encoded << "]";
 }
 
 }  // namespace der
@@ -201,8 +204,9 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
   bool has_time = false;
   bool has_errors = false;
   bool has_key_purpose = false;
+  bool has_digest_policy = false;
 
-  base::StringPiece kExpectedErrors = "expected_errors:";
+  std::string kExpectedErrors = "expected_errors:";
 
   std::istringstream stream(file_data);
   for (std::string line; std::getline(stream, line, '\n');) {
@@ -218,7 +222,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
     if (line.empty()) {
       continue;
     }
-    base::StringPiece line_piece(line);
+    std::string_view line_piece(line);
 
     std::string value;
 
@@ -236,7 +240,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
       ReadCertChainFromFile(chain_path, &test->chain);
     } else if (GetValue("utc_time: ", line_piece, &value, &has_time)) {
       if (value == "DEFAULT") {
-        value = "221005120000Z";
+        value = "211005120000Z";
       }
       if (!der::ParseUTCTime(der::Input(&value), &test->time)) {
         ADD_FAILURE() << "Failed parsing UTC time";
@@ -271,7 +275,18 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
         ADD_FAILURE() << "Unrecognized last_cert_trust: " << value;
         return false;
       }
-    } else if (base::StartsWith(line_piece, "#")) {
+    } else if (GetValue("digest_policy: ", line_piece, &value,
+                        &has_digest_policy)) {
+      if (value == "STRONG") {
+        test->digest_policy = SimplePathBuilderDelegate::DigestPolicy::kStrong;
+      } else if (value == "ALLOW_SHA_1") {
+        test->digest_policy =
+            SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1;
+      } else {
+        ADD_FAILURE() << "Unrecognized digest_policy: " << value;
+        return false;
+      }
+    } else if (net::string_util::StartsWith(line_piece, "#")) {
       // Skip comments.
       continue;
     } else if (line_piece == kExpectedErrors) {
@@ -279,7 +294,7 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
       // The errors start on the next line, and extend until the end of the
       // file.
       std::string prefix =
-          std::string("\n") + std::string(kExpectedErrors) + std::string("\n");
+          std::string("\n") + kExpectedErrors + std::string("\n");
       size_t errors_start = file_data.find(prefix);
       if (errors_start == std::string::npos) {
         ADD_FAILURE() << "expected_errors not found";
diff --git a/chromium/net/cert/pki/test_helpers.h b/chromium/net/cert/pki/test_helpers.h
index 0fe301af316..de2fceed4dd 100644
--- a/chromium/net/cert/pki/test_helpers.h
+++ b/chromium/net/cert/pki/test_helpers.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -13,6 +13,7 @@
 
 #include "base/memory/raw_ptr.h"
 #include "net/cert/pki/parsed_certificate.h"
+#include "net/cert/pki/simple_path_builder_delegate.h"
 #include "net/cert/pki/trust_store.h"
 #include "net/cert/pki/verify_certificate_chain.h"
 #include "net/der/input.h"
@@ -109,6 +110,9 @@ struct VerifyCertChainTest {
   // The expected errors/warnings from verification (as a string).
   std::string expected_errors;
 
+  SimplePathBuilderDelegate::DigestPolicy digest_policy =
+      SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1;
+
   // Returns true if |expected_errors| contains any high severity errors (a
   // non-empty expected_errors doesn't necessarily mean verification is
   // expected to fail, as it may have contained warnings).
diff --git a/chromium/net/cert/pki/trust_store.cc b/chromium/net/cert/pki/trust_store.cc
index ee504bff53f..0f0858cdef3 100644
--- a/chromium/net/cert/pki/trust_store.cc
+++ b/chromium/net/cert/pki/trust_store.cc
@@ -1,11 +1,9 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/trust_store.h"
 
-#include "base/notreached.h"
-
 namespace net {
 
 CertificateTrust CertificateTrust::ForTrustAnchor() {
@@ -49,7 +47,7 @@ bool CertificateTrust::IsTrustAnchor() const {
       return true;
   }
 
-  NOTREACHED();
+  assert(0);  // NOTREACHED
   return false;
 }
 
@@ -64,7 +62,7 @@ bool CertificateTrust::IsDistrusted() const {
       return false;
   }
 
-  NOTREACHED();
+  assert(0);  // NOTREACHED
   return false;
 }
 
@@ -79,7 +77,7 @@ bool CertificateTrust::HasUnspecifiedTrust() const {
       return false;
   }
 
-  NOTREACHED();
+  assert(0);  // NOTREACHED
   return true;
 }
 
diff --git a/chromium/net/cert/pki/trust_store.h b/chromium/net/cert/pki/trust_store.h
index 1c3a721ea29..e5718d02d77 100644
--- a/chromium/net/cert/pki/trust_store.h
+++ b/chromium/net/cert/pki/trust_store.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/trust_store_collection.cc b/chromium/net/cert/pki/trust_store_collection.cc
index 03657c4d4a0..d7a3530f5c6 100644
--- a/chromium/net/cert/pki/trust_store_collection.cc
+++ b/chromium/net/cert/pki/trust_store_collection.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/trust_store_collection.h b/chromium/net/cert/pki/trust_store_collection.h
index 4d168aa6cfb..472feac2629 100644
--- a/chromium/net/cert/pki/trust_store_collection.h
+++ b/chromium/net/cert/pki/trust_store_collection.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/trust_store_collection_unittest.cc b/chromium/net/cert/pki/trust_store_collection_unittest.cc
index 8b17c5a8d8d..90131bea9ac 100644
--- a/chromium/net/cert/pki/trust_store_collection_unittest.cc
+++ b/chromium/net/cert/pki/trust_store_collection_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/trust_store_in_memory.cc b/chromium/net/cert/pki/trust_store_in_memory.cc
index 7769b992429..b0d9be4b9b4 100644
--- a/chromium/net/cert/pki/trust_store_in_memory.cc
+++ b/chromium/net/cert/pki/trust_store_in_memory.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -45,7 +45,7 @@ void TrustStoreInMemory::AddCertificateWithUnspecifiedTrust(
 
 void TrustStoreInMemory::SyncGetIssuersOf(const ParsedCertificate* cert,
                                           ParsedCertificateList* issuers) {
-  auto range = entries_.equal_range(cert->normalized_issuer().AsStringPiece());
+  auto range = entries_.equal_range(cert->normalized_issuer().AsStringView());
   for (auto it = range.first; it != range.second; ++it)
     issuers->push_back(it->second.cert);
 }
@@ -73,12 +73,12 @@ void TrustStoreInMemory::AddCertificate(scoped_refptr<ParsedCertificate> cert,
 
   // TODO(mattm): should this check for duplicate certificates?
   entries_.insert(
-      std::make_pair(entry.cert->normalized_subject().AsStringPiece(), entry));
+      std::make_pair(entry.cert->normalized_subject().AsStringView(), entry));
 }
 
 const TrustStoreInMemory::Entry* TrustStoreInMemory::GetEntry(
     const ParsedCertificate* cert) const {
-  auto range = entries_.equal_range(cert->normalized_subject().AsStringPiece());
+  auto range = entries_.equal_range(cert->normalized_subject().AsStringView());
   for (auto it = range.first; it != range.second; ++it) {
     if (cert == it->second.cert.get() ||
         cert->der_cert() == it->second.cert->der_cert()) {
diff --git a/chromium/net/cert/pki/trust_store_in_memory.h b/chromium/net/cert/pki/trust_store_in_memory.h
index 1d6a7c69257..021d40d28f7 100644
--- a/chromium/net/cert/pki/trust_store_in_memory.h
+++ b/chromium/net/cert/pki/trust_store_in_memory.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -73,8 +73,7 @@ class NET_EXPORT TrustStoreInMemory : public TrustStore {
   };
 
   // Multimap from normalized subject -> Entry.
-  std::unordered_multimap<base::StringPiece, Entry, base::StringPieceHash>
-      entries_;
+  std::unordered_multimap<std::string_view, Entry> entries_;
 
   // Adds a certificate with the specified trust settings. Both trusted and
   // distrusted certificates require a full DER match.
diff --git a/chromium/net/cert/pki/verify_certificate_chain.cc b/chromium/net/cert/pki/verify_certificate_chain.cc
index 5fea3878087..216d8309850 100644
--- a/chromium/net/cert/pki/verify_certificate_chain.cc
+++ b/chromium/net/cert/pki/verify_certificate_chain.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,7 +6,6 @@
 
 #include <algorithm>
 
-#include "base/check.h"
 #include "base/memory/raw_ptr.h"
 #include "net/cert/pki/cert_error_params.h"
 #include "net/cert/pki/cert_errors.h"
@@ -812,16 +811,18 @@ void PathVerifier::BasicCertificateProcessing(
   }
 
   // Check whether this signature algorithm is allowed.
-  if (!delegate_->IsSignatureAlgorithmAcceptable(cert.signature_algorithm(),
+  if (!cert.signature_algorithm().has_value() ||
+      !delegate_->IsSignatureAlgorithmAcceptable(*cert.signature_algorithm(),
                                                  errors)) {
     *shortcircuit_chain_validation = true;
     errors->AddError(cert_errors::kUnacceptableSignatureAlgorithm);
+    return;
   }
 
   if (working_public_key_) {
     // Verify the digital signature using the previous certificate's key (RFC
     // 5280 section 6.1.3 step a.1).
-    if (!VerifySignedData(cert.signature_algorithm(),
+    if (!VerifySignedData(*cert.signature_algorithm(),
                           cert.tbs_certificate_tlv(), cert.signature_value(),
                           working_public_key_.get())) {
       *shortcircuit_chain_validation = true;
diff --git a/chromium/net/cert/pki/verify_certificate_chain.h b/chromium/net/cert/pki/verify_certificate_chain.h
index 3dd187e6ff2..a67816f9d8a 100644
--- a/chromium/net/cert/pki/verify_certificate_chain.h
+++ b/chromium/net/cert/pki/verify_certificate_chain.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc b/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc
index 7a2a4aa32ec..e72a721ad33 100644
--- a/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc
+++ b/chromium/net/cert/pki/verify_certificate_chain_pkits_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h b/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h
index c563f17ffa0..e7d49876cd8 100644
--- a/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h
+++ b/chromium/net/cert/pki/verify_certificate_chain_typed_unittest.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,6 +7,7 @@
 
 #include "net/cert/pem.h"
 #include "net/cert/pki/parsed_certificate.h"
+#include "net/cert/pki/simple_path_builder_delegate.h"
 #include "net/cert/pki/test_helpers.h"
 #include "net/cert/pki/trust_store.h"
 #include "net/cert/pki/verify_certificate_chain.h"
@@ -74,8 +75,8 @@ TYPED_TEST_P(VerifyCertificateChainSingleRootTest, UnknownExtension) {
 }
 
 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, WeakSignature) {
-  this->RunTest("target-signed-with-md5/main.test");
-  this->RunTest("intermediate-signed-with-md5/main.test");
+  this->RunTest("target-signed-with-sha1/main.test");
+  this->RunTest("intermediate-signed-with-sha1/main.test");
 }
 
 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, WrongSignature) {
diff --git a/chromium/net/cert/pki/verify_certificate_chain_unittest.cc b/chromium/net/cert/pki/verify_certificate_chain_unittest.cc
index a98532ebc0a..3af510d0646 100644
--- a/chromium/net/cert/pki/verify_certificate_chain_unittest.cc
+++ b/chromium/net/cert/pki/verify_certificate_chain_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,8 +17,7 @@ class VerifyCertificateChainTestDelegate {
  public:
   static void Verify(const VerifyCertChainTest& test,
                      const std::string& test_file_path) {
-    SimplePathBuilderDelegate delegate(
-        1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+    SimplePathBuilderDelegate delegate(1024, test.digest_policy);
 
     CertPathErrors errors;
     // TODO(eroman): Check user_constrained_policy_set.
diff --git a/chromium/net/cert/pki/verify_name_match.cc b/chromium/net/cert/pki/verify_name_match.cc
index b17ab7e2296..9fa1043663f 100644
--- a/chromium/net/cert/pki/verify_name_match.cc
+++ b/chromium/net/cert/pki/verify_name_match.cc
@@ -1,12 +1,9 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/verify_name_match.h"
 
-#include "base/check.h"
-#include "base/notreached.h"
-#include "base/strings/string_util.h"
 #include "net/cert/pki/cert_error_params.h"
 #include "net/cert/pki/cert_errors.h"
 #include "net/cert/pki/parse_name.h"
@@ -77,7 +74,7 @@ enum CharsetEnforcement {
       std::string::const_iterator next_iter = read_iter + 1;
       if (next_iter != output->end() && *next_iter != ' ')
         *(write_iter++) = ' ';
-    } else if (base::IsAsciiUpper(c)) {
+    } else if (c >= 'A' && c <= 'Z') {
       // Fold case.
       *(write_iter++) = c + ('a' - 'A');
     } else {
@@ -87,7 +84,7 @@ enum CharsetEnforcement {
         case ENFORCE_PRINTABLE_STRING:
           // See NormalizePrintableStringValue comment for the acceptable list
           // of characters.
-          if (!(base::IsAsciiLower(c) || (c >= '\'' && c <= ':') || c == '=' ||
+          if (!((c >= 'a' && c <= 'z') || (c >= '\'' && c <= ':') || c == '=' ||
                 c == '?'))
             return false;
           break;
@@ -139,7 +136,7 @@ enum CharsetEnforcement {
       success = NormalizeDirectoryString(ENFORCE_ASCII, output);
       break;
     default:
-      NOTREACHED();
+      // NOTREACHED
       success = false;
       break;
   }
diff --git a/chromium/net/cert/pki/verify_name_match.h b/chromium/net/cert/pki/verify_name_match.h
index 4e49d435df5..1110a5376f2 100644
--- a/chromium/net/cert/pki/verify_name_match.h
+++ b/chromium/net/cert/pki/verify_name_match.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/verify_name_match_fuzzer.cc b/chromium/net/cert/pki/verify_name_match_fuzzer.cc
index 02ae46f62bd..87310f23455 100644
--- a/chromium/net/cert/pki/verify_name_match_fuzzer.cc
+++ b/chromium/net/cert/pki/verify_name_match_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc b/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc
index dc5c810c501..cd8b3518efc 100644
--- a/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc
+++ b/chromium/net/cert/pki/verify_name_match_normalizename_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/verify_name_match_unittest.cc b/chromium/net/cert/pki/verify_name_match_unittest.cc
index 59660c0c936..75e840711e8 100644
--- a/chromium/net/cert/pki/verify_name_match_unittest.cc
+++ b/chromium/net/cert/pki/verify_name_match_unittest.cc
@@ -1,11 +1,10 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/verify_name_match.h"
 
 #include "base/strings/string_number_conversions.h"
-#include "base/strings/string_util.h"
 #include "net/cert/pki/test_helpers.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -330,8 +329,10 @@ TEST(VerifyNameMatchInvalidDataTest, FailOnInvalidPrintableStringChars) {
   ASSERT_NE(std::string::npos, replace_location);
   for (int c = 0; c < 256; ++c) {
     SCOPED_TRACE(base::NumberToString(c));
-    if (base::IsAsciiAlpha(c) || base::IsAsciiDigit(c))
+    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
+        (c >= '0' && c <= '9')) {
       continue;
+    }
     switch (c) {
       case ' ':
       case '\'':
diff --git a/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc b/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc
index 996a6353342..c755fba6626 100644
--- a/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc
+++ b/chromium/net/cert/pki/verify_name_match_verifynameinsubtree_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/verify_signed_data.cc b/chromium/net/cert/pki/verify_signed_data.cc
index 5dc399129a2..7200b555f7f 100644
--- a/chromium/net/cert/pki/verify_signed_data.cc
+++ b/chromium/net/cert/pki/verify_signed_data.cc
@@ -1,10 +1,9 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/pki/verify_signed_data.h"
 
-#include "base/numerics/safe_math.h"
 #include "crypto/openssl_util.h"
 #include "net/cert/pki/cert_errors.h"
 #include "net/cert/pki/signature_algorithm.h"
@@ -155,15 +154,6 @@ bool VerifySignedData(SignatureAlgorithm algorithm,
       digest = EVP_sha512();
       is_rsa_pss = true;
       break;
-
-    case SignatureAlgorithm::kDsaSha1:
-    case SignatureAlgorithm::kDsaSha256:
-    case SignatureAlgorithm::kRsaPkcs1Md2:
-    case SignatureAlgorithm::kRsaPkcs1Md4:
-    case SignatureAlgorithm::kRsaPkcs1Md5:
-      // DSA, MD2, MD4, and MD5 are not supported. See
-      // https://crbug.com/1321688.
-      return false;
   }
 
   if (expected_pkey_id != EVP_PKEY_id(public_key))
diff --git a/chromium/net/cert/pki/verify_signed_data.h b/chromium/net/cert/pki/verify_signed_data.h
index b904992dc1c..9e30ef9a252 100644
--- a/chromium/net/cert/pki/verify_signed_data.h
+++ b/chromium/net/cert/pki/verify_signed_data.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/pki/verify_signed_data_unittest.cc b/chromium/net/cert/pki/verify_signed_data_unittest.cc
index 8a0a26e9cb0..a351fb38100 100644
--- a/chromium/net/cert/pki/verify_signed_data_unittest.cc
+++ b/chromium/net/cert/pki/verify_signed_data_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/root_cert_list_generated.h b/chromium/net/cert/root_cert_list_generated.h
index 8f5f7591d1c..cf13fcf103d 100644
--- a/chromium/net/cert/root_cert_list_generated.h
+++ b/chromium/net/cert/root_cert_list_generated.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
@@ -1130,6 +1130,13 @@ const struct RootCertData {
      278,
      true},
     {{
+         0x48, 0xA8, 0xA7, 0xEC, 0xD0, 0x3A, 0x83, 0xB2, 0x6A, 0xEC, 0x75,
+         0x74, 0xD0, 0x9D, 0x64, 0x53, 0xE9, 0x5F, 0x90, 0x36, 0x06, 0x34,
+         0xCE, 0x20, 0x4B, 0xCB, 0xD4, 0x73, 0x99, 0x7D, 0x4C, 0x05,
+     },
+     532,
+     false},
+    {{
          0x49, 0x05, 0x46, 0x66, 0x23, 0xAB, 0x41, 0x78, 0xBE, 0x92, 0xAC,
          0x5C, 0xBD, 0x65, 0x84, 0xF7, 0xA1, 0xE1, 0x7F, 0x27, 0x65, 0x2D,
          0x5A, 0x85, 0xAF, 0x89, 0x50, 0x4E, 0xA2, 0x39, 0xAA, 0xAA,
@@ -1375,6 +1382,13 @@ const struct RootCertData {
      440,
      true},
     {{
+         0x58, 0x1C, 0xC1, 0x58, 0x21, 0x16, 0x96, 0x94, 0xC3, 0x9C, 0x29,
+         0x91, 0xB5, 0x3E, 0x93, 0xAB, 0x94, 0x5A, 0x42, 0xB0, 0x76, 0x66,
+         0x17, 0x74, 0xC2, 0xEC, 0xF3, 0x8A, 0x33, 0x23, 0xAC, 0xEA,
+     },
+     540,
+     false},
+    {{
          0x58, 0x99, 0xD9, 0x13, 0xEA, 0xD1, 0x19, 0xB9, 0xCD, 0xB7, 0xBA,
          0x2F, 0x30, 0xEF, 0xE0, 0xDF, 0x68, 0xAD, 0x2C, 0xD2, 0x25, 0xBD,
          0xF4, 0x93, 0xE8, 0x32, 0x3A, 0x25, 0xAA, 0x4D, 0xBE, 0x23,
@@ -1585,6 +1599,13 @@ const struct RootCertData {
      126,
      true},
     {{
+         0x68, 0x1D, 0xC4, 0x82, 0xC2, 0x96, 0xC8, 0x40, 0x2C, 0x6E, 0xBB,
+         0x20, 0xE6, 0x83, 0x09, 0xA3, 0xBC, 0x84, 0x65, 0x23, 0xAE, 0x34,
+         0xB9, 0x84, 0xA8, 0x4E, 0xE6, 0x97, 0xA3, 0x31, 0x2D, 0xB7,
+     },
+     536,
+     false},
+    {{
          0x68, 0x27, 0x47, 0xF8, 0xBA, 0x62, 0x1B, 0x87, 0xCD, 0xD3, 0xBC,
          0x29, 0x5E, 0xD5, 0xCA, 0xBC, 0xE7, 0x22, 0xA1, 0xC0, 0xC0, 0x36,
          0x3D, 0x1D, 0x68, 0xB3, 0x89, 0x28, 0xD2, 0x78, 0x7F, 0x1E,
@@ -1620,6 +1641,13 @@ const struct RootCertData {
      499,
      true},
     {{
+         0x69, 0x3C, 0x9A, 0xA6, 0xB2, 0x45, 0xB3, 0xB0, 0x26, 0x16, 0x37,
+         0x75, 0x08, 0x63, 0xEA, 0xDB, 0x6C, 0x24, 0x8A, 0x16, 0xE5, 0x2D,
+         0x6F, 0x4B, 0xC9, 0x0C, 0x86, 0xBB, 0xF3, 0x2D, 0x70, 0x42,
+     },
+     522,
+     false},
+    {{
          0x6A, 0x43, 0x6B, 0x58, 0xD9, 0xD8, 0x30, 0xE8, 0xD5, 0xB8, 0xA6,
          0x42, 0x50, 0x5A, 0xD6, 0xB4, 0x14, 0x06, 0xAD, 0xCD, 0x68, 0x94,
          0xD9, 0x41, 0x4F, 0x7B, 0xE0, 0xA1, 0x46, 0x7B, 0xAD, 0xB7,
@@ -1634,6 +1662,13 @@ const struct RootCertData {
      421,
      true},
     {{
+         0x6A, 0x97, 0xB5, 0x1C, 0x82, 0x19, 0xE9, 0x3E, 0x5D, 0xEC, 0x64,
+         0xBA, 0xD5, 0x80, 0x6C, 0xDE, 0xB0, 0xF8, 0x35, 0x5B, 0xE4, 0x7E,
+         0x75, 0x70, 0x10, 0xB7, 0x02, 0x45, 0x6E, 0x01, 0xAA, 0xFD,
+     },
+     531,
+     false},
+    {{
          0x6B, 0x1A, 0x50, 0x5E, 0x02, 0x46, 0xF2, 0xF6, 0x0C, 0x49, 0x0F,
          0xF0, 0xC0, 0x97, 0xA7, 0xBE, 0x27, 0x21, 0x0C, 0xBB, 0x75, 0x00,
          0x23, 0x7F, 0x88, 0xB0, 0xCD, 0x48, 0x29, 0x8B, 0xC9, 0xB8,
@@ -1760,6 +1795,13 @@ const struct RootCertData {
      446,
      true},
     {{
+         0x76, 0x21, 0x95, 0xC2, 0x25, 0x58, 0x6E, 0xE6, 0xC0, 0x23, 0x74,
+         0x56, 0xE2, 0x10, 0x7D, 0xC5, 0x4F, 0x1E, 0xFC, 0x21, 0xF6, 0x1A,
+         0x79, 0x2E, 0xBD, 0x51, 0x59, 0x13, 0xCC, 0xE6, 0x83, 0x32,
+     },
+     535,
+     false},
+    {{
          0x76, 0xEE, 0x85, 0x90, 0x37, 0x4C, 0x71, 0x54, 0x37, 0xBB, 0xCA,
          0x6B, 0xBA, 0x60, 0x28, 0xEA, 0xDD, 0xE2, 0xDC, 0x6D, 0xBB, 0xB8,
          0xC3, 0xF6, 0x10, 0xE8, 0x51, 0xF1, 0x1D, 0x1A, 0xB7, 0xF5,
@@ -2299,6 +2341,13 @@ const struct RootCertData {
      259,
      true},
     {{
+         0x96, 0x35, 0x2D, 0x0A, 0xD8, 0x75, 0xC0, 0x27, 0xDB, 0x82, 0xD5,
+         0x99, 0xBA, 0xA8, 0xD4, 0x2E, 0x5C, 0x47, 0x26, 0x49, 0x98, 0x1E,
+         0xCE, 0xED, 0x3B, 0xFC, 0x65, 0xF4, 0xC8, 0x1F, 0xD5, 0xC1,
+     },
+     526,
+     false},
+    {{
          0x96, 0x47, 0x5B, 0x35, 0xAC, 0xB1, 0xC9, 0x30, 0x3A, 0x90, 0xBD,
          0x1D, 0xBF, 0x57, 0x41, 0x8F, 0x78, 0xE2, 0x9A, 0xF1, 0x1C, 0x4D,
          0xE8, 0xC8, 0xCB, 0xA2, 0xE5, 0xF9, 0x30, 0x9E, 0x38, 0xD4,
@@ -2467,6 +2516,13 @@ const struct RootCertData {
      407,
      true},
     {{
+         0xA0, 0x2F, 0xAF, 0xA1, 0x92, 0xC8, 0xCB, 0x81, 0xCB, 0x13, 0x41,
+         0x55, 0x4F, 0x9C, 0x05, 0xB7, 0x1C, 0xCA, 0x2A, 0x89, 0x0B, 0x0D,
+         0x12, 0x98, 0xD6, 0x83, 0x64, 0x7C, 0x96, 0x1E, 0xFB, 0xDF,
+     },
+     523,
+     false},
+    {{
          0xA1, 0x25, 0x74, 0xF4, 0xEB, 0x73, 0x95, 0xCC, 0x63, 0x0A, 0x15,
          0xFE, 0xC8, 0xDB, 0x1C, 0x7C, 0x82, 0x8F, 0x66, 0x69, 0x9D, 0x98,
          0x4C, 0x8C, 0x89, 0x7E, 0xCA, 0x44, 0xC8, 0x08, 0xF5, 0x5D,
@@ -2516,6 +2572,13 @@ const struct RootCertData {
      106,
      true},
     {{
+         0xA4, 0x95, 0xC8, 0xD1, 0x10, 0xE8, 0xB9, 0xE2, 0x00, 0xF3, 0x70,
+         0xAE, 0xDA, 0x3F, 0xF9, 0x2E, 0xE4, 0x3F, 0x8E, 0x3D, 0x4E, 0xC0,
+         0xDB, 0x1C, 0x0D, 0xC5, 0x8B, 0xD7, 0x62, 0x88, 0x0B, 0xA5,
+     },
+     529,
+     false},
+    {{
          0xA4, 0xB8, 0x9B, 0xB7, 0x06, 0x56, 0xEA, 0x49, 0x8F, 0x2D, 0x9E,
          0x00, 0xA4, 0x97, 0xFD, 0xB9, 0xDC, 0xD2, 0x0B, 0x81, 0xB8, 0x93,
          0x8E, 0x95, 0x2B, 0xBA, 0x2D, 0xF9, 0xF6, 0x57, 0x29, 0xC3,
@@ -2719,6 +2782,13 @@ const struct RootCertData {
      281,
      true},
     {{
+         0xAE, 0x7F, 0x96, 0x2C, 0xB9, 0xE6, 0xA7, 0xDB, 0xF7, 0xB8, 0x33,
+         0xFB, 0x18, 0xFA, 0x9B, 0x71, 0xA8, 0x91, 0x75, 0xDF, 0x94, 0x9C,
+         0x23, 0x2B, 0x6A, 0x9E, 0xF7, 0xCB, 0x3D, 0xF2, 0xBB, 0xFC,
+     },
+     525,
+     false},
+    {{
          0xAF, 0x11, 0x0F, 0x6B, 0x5A, 0xE8, 0xB7, 0x67, 0xEA, 0xC6, 0xE0,
          0xAA, 0x27, 0x3F, 0x38, 0x16, 0xE7, 0xA4, 0x0A, 0x64, 0x4E, 0xDA,
          0xCB, 0x43, 0x98, 0x14, 0x63, 0x56, 0xE7, 0x75, 0x09, 0xD6,
@@ -2775,6 +2845,13 @@ const struct RootCertData {
      72,
      true},
     {{
+         0xB1, 0x5A, 0xC9, 0x56, 0x12, 0x04, 0x75, 0x61, 0x24, 0xB9, 0xC4,
+         0xD3, 0xFE, 0x40, 0x6D, 0x93, 0x83, 0x3F, 0xF6, 0x66, 0x52, 0xF6,
+         0x7F, 0xBF, 0x13, 0x9F, 0x5B, 0xBF, 0x03, 0x0A, 0x0E, 0x64,
+     },
+     528,
+     false},
+    {{
          0xB1, 0x6C, 0xB1, 0xBA, 0x52, 0x9A, 0x39, 0xE2, 0xDF, 0xD5, 0x3B,
          0x3F, 0xF5, 0xA7, 0x9F, 0x19, 0x04, 0x61, 0x4D, 0x83, 0xE3, 0x13,
          0x04, 0xF0, 0x27, 0x8B, 0xB4, 0x0B, 0x38, 0xCF, 0x78, 0x24,
@@ -2901,6 +2978,13 @@ const struct RootCertData {
      178,
      false},
     {{
+         0xBB, 0x0C, 0xE7, 0x04, 0x03, 0x14, 0xA1, 0x43, 0xDC, 0xD1, 0x0E,
+         0x65, 0xCC, 0xAE, 0xEF, 0x70, 0x10, 0xE1, 0xB7, 0x84, 0xD1, 0x5D,
+         0x19, 0x5D, 0x77, 0xB5, 0x60, 0x19, 0x56, 0xBF, 0x9E, 0x3F,
+     },
+     541,
+     false},
+    {{
          0xBB, 0x41, 0x28, 0xEC, 0x96, 0x20, 0xF2, 0xD2, 0xA4, 0x9C, 0xE8,
          0xE2, 0xC4, 0xE2, 0x57, 0xAE, 0xBA, 0xD9, 0x3A, 0x0F, 0x11, 0xC5,
          0x6B, 0x5F, 0xA4, 0xB0, 0x0E, 0x23, 0x75, 0x9F, 0xA3, 0x9D,
@@ -2936,6 +3020,13 @@ const struct RootCertData {
      71,
      false},
     {{
+         0xBD, 0xAC, 0xCB, 0xF2, 0xE8, 0xB2, 0x7C, 0x0C, 0x02, 0xA6, 0x89,
+         0xEE, 0x86, 0x6C, 0x9B, 0x86, 0xEC, 0x04, 0x44, 0x2A, 0xFC, 0xDD,
+         0xDD, 0x5D, 0x4E, 0xC3, 0x6D, 0xEF, 0x21, 0xE7, 0x61, 0xDD,
+     },
+     539,
+     false},
+    {{
          0xBE, 0x32, 0x80, 0xC6, 0x86, 0x3C, 0x77, 0x0A, 0x33, 0xC9, 0x04,
          0x0B, 0xD9, 0x7D, 0x55, 0x40, 0xB2, 0x16, 0xD1, 0xD9, 0x1D, 0xB8,
          0xB0, 0x88, 0xCE, 0xAC, 0x11, 0x97, 0xDA, 0xE1, 0xD6, 0x60,
@@ -2992,6 +3083,13 @@ const struct RootCertData {
      124,
      false},
     {{
+         0xC2, 0xB3, 0xC3, 0x1A, 0x4A, 0x29, 0x85, 0x0A, 0xA8, 0xF3, 0xCF,
+         0x47, 0x2A, 0x11, 0x69, 0xFF, 0x71, 0xB4, 0x16, 0x57, 0x9F, 0x6A,
+         0x44, 0x82, 0xEC, 0x77, 0x44, 0xB8, 0x3D, 0xF9, 0x88, 0xAC,
+     },
+     533,
+     false},
+    {{
          0xC3, 0x72, 0xF6, 0xD1, 0x8E, 0xBE, 0xE5, 0xAA, 0x23, 0xD9, 0xE9,
          0x19, 0xF3, 0xE6, 0xBE, 0x98, 0x48, 0x8E, 0xC0, 0x16, 0x07, 0xDF,
          0x31, 0x62, 0xFC, 0x19, 0x2E, 0x4B, 0x13, 0x46, 0xAF, 0xB3,
@@ -3258,6 +3356,13 @@ const struct RootCertData {
      172,
      true},
     {{
+         0xD6, 0xEC, 0x63, 0x48, 0xA7, 0xC4, 0xD4, 0x2A, 0xC4, 0x8D, 0x9C,
+         0x43, 0x14, 0x5A, 0x8C, 0xD7, 0x19, 0x71, 0x36, 0x23, 0x63, 0x26,
+         0x7C, 0x66, 0x73, 0xA7, 0x7B, 0x8A, 0x85, 0x73, 0xA6, 0x6B,
+     },
+     530,
+     false},
+    {{
          0xD8, 0xFB, 0x33, 0xE3, 0x85, 0xC9, 0xC2, 0xDA, 0x72, 0x9A, 0x84,
          0x70, 0x6B, 0xA9, 0x27, 0xDC, 0xBB, 0x79, 0x27, 0x3E, 0x12, 0x2F,
          0xFD, 0x96, 0x73, 0x36, 0x3B, 0x70, 0xB7, 0xF3, 0x6C, 0xBB,
@@ -3328,6 +3433,13 @@ const struct RootCertData {
      236,
      true},
     {{
+         0xDE, 0x7B, 0x69, 0x32, 0xE9, 0xC4, 0x45, 0x82, 0xCE, 0x0D, 0xE0,
+         0x7A, 0xBD, 0xAB, 0x7E, 0xEA, 0x90, 0xC7, 0x5D, 0x6D, 0x2A, 0x07,
+         0x33, 0x1D, 0xF5, 0x7B, 0xD5, 0xCB, 0x88, 0x55, 0x3D, 0x13,
+     },
+     542,
+     false},
+    {{
          0xDF, 0x53, 0x0B, 0xAC, 0x9F, 0xCD, 0x91, 0x4C, 0x25, 0x2C, 0x2F,
          0xBD, 0xCE, 0xDD, 0xC6, 0x18, 0x3D, 0x4A, 0xE8, 0xC6, 0x80, 0xAD,
          0x65, 0xF0, 0x3E, 0x20, 0x48, 0x61, 0xDD, 0x7B, 0x1C, 0x73,
@@ -3335,6 +3447,13 @@ const struct RootCertData {
      313,
      true},
     {{
+         0xE0, 0x4A, 0x02, 0x2C, 0xE3, 0x2F, 0x4C, 0xCF, 0x2C, 0x7F, 0x60,
+         0x46, 0x28, 0x7B, 0x82, 0x8A, 0x32, 0xA9, 0x09, 0xF5, 0xE7, 0x51,
+         0x44, 0x7F, 0x83, 0xFD, 0x2C, 0x71, 0xF6, 0xFD, 0x81, 0x73,
+     },
+     524,
+     false},
+    {{
          0xE0, 0xC7, 0x80, 0xC6, 0x29, 0x90, 0x3E, 0x12, 0x6F, 0x1D, 0x91,
          0x95, 0x70, 0xDC, 0xE7, 0xC4, 0x96, 0xF8, 0x5F, 0x33, 0xAA, 0xE6,
          0x6B, 0x9A, 0x31, 0x47, 0xEE, 0x75, 0xF8, 0xD1, 0x62, 0x0A,
@@ -3349,6 +3468,13 @@ const struct RootCertData {
      369,
      true},
     {{
+         0xE1, 0x4E, 0x51, 0x89, 0x1F, 0x34, 0x92, 0x24, 0x3E, 0xEA, 0x61,
+         0x3B, 0xC2, 0xC8, 0x14, 0xD4, 0x72, 0x24, 0xB2, 0x24, 0xC5, 0x7D,
+         0x38, 0x16, 0x9E, 0x95, 0x8E, 0x30, 0xB3, 0xDE, 0xDE, 0xE4,
+     },
+     527,
+     false},
+    {{
          0xE1, 0x56, 0x44, 0x5F, 0xA2, 0x0C, 0x32, 0xAD, 0x00, 0x93, 0x7B,
          0x27, 0xD0, 0x96, 0xB8, 0x96, 0x3B, 0xCC, 0x86, 0x39, 0x50, 0x33,
          0x3A, 0x87, 0x7E, 0x68, 0xFA, 0x69, 0x70, 0x7A, 0x03, 0xAF,
@@ -3489,6 +3615,13 @@ const struct RootCertData {
      129,
      true},
     {{
+         0xF0, 0x01, 0x1F, 0x92, 0xFC, 0xF9, 0xBE, 0x36, 0xC7, 0xA5, 0xB3,
+         0x6E, 0x7B, 0xC8, 0x62, 0xAB, 0x20, 0xE9, 0x4E, 0xF3, 0x6F, 0xEA,
+         0x8A, 0x56, 0x1D, 0xB0, 0xA8, 0xD7, 0x75, 0x0C, 0x1F, 0x51,
+     },
+     537,
+     false},
+    {{
          0xF1, 0xC6, 0xBA, 0x67, 0x0C, 0xFC, 0x88, 0xE4, 0xDF, 0x52, 0x97,
          0x3C, 0xAE, 0x42, 0x0F, 0x0A, 0x08, 0x9D, 0xD4, 0x74, 0x14, 0x4F,
          0xE5, 0x80, 0x6C, 0x42, 0x00, 0x64, 0xE1, 0x59, 0x12, 0x29,
@@ -3629,6 +3762,13 @@ const struct RootCertData {
      158,
      true},
     {{
+         0xFC, 0x78, 0x43, 0x00, 0xEC, 0x8D, 0xF4, 0xD3, 0xD1, 0xBA, 0xD7,
+         0x63, 0x83, 0x51, 0x82, 0x91, 0x8D, 0x52, 0xA9, 0xFF, 0x02, 0x38,
+         0xBD, 0xF6, 0x95, 0xA1, 0xCD, 0x9B, 0xDB, 0x98, 0x32, 0x1C,
+     },
+     534,
+     false},
+    {{
          0xFC, 0xF7, 0xDA, 0x98, 0x36, 0x03, 0xE8, 0x88, 0x62, 0x03, 0x0D,
          0x96, 0x13, 0x7D, 0x8E, 0x13, 0x03, 0x1B, 0xAD, 0xFB, 0x4D, 0x56,
          0xC1, 0xFD, 0x4C, 0xAC, 0xC3, 0x39, 0xF6, 0xBD, 0xBB, 0x2A,
@@ -3664,6 +3804,13 @@ const struct RootCertData {
      110,
      false},
     {{
+         0xFE, 0xE8, 0xAF, 0x92, 0x91, 0x75, 0x68, 0x7F, 0x46, 0x38, 0xA3,
+         0xFC, 0x98, 0x3D, 0xB8, 0xEC, 0xD0, 0xE5, 0xE2, 0xA8, 0x3E, 0x73,
+         0x7F, 0x3F, 0xB7, 0x7B, 0x4C, 0x22, 0xFC, 0xBA, 0xC0, 0xA6,
+     },
+     538,
+     false},
+    {{
          0xFF, 0x34, 0x2F, 0xB6, 0xC4, 0xC8, 0xBD, 0x30, 0xA4, 0x70, 0x6F,
          0x73, 0x48, 0x95, 0x39, 0xF1, 0x9E, 0x6E, 0x48, 0xCC, 0x05, 0xF4,
          0x62, 0x54, 0x65, 0x4F, 0x66, 0x10, 0xDB, 0xC5, 0x40, 0xE9,
diff --git a/chromium/net/cert/root_store.proto b/chromium/net/cert/root_store.proto
index e4bd09a6339..91525dda07d 100644
--- a/chromium/net/cert/root_store.proto
+++ b/chromium/net/cert/root_store.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/scoped_nss_types.h b/chromium/net/cert/scoped_nss_types.h
index a8b56549cea..b5821822de0 100644
--- a/chromium/net/cert/scoped_nss_types.h
+++ b/chromium/net/cert/scoped_nss_types.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/sct_auditing_delegate.h b/chromium/net/cert/sct_auditing_delegate.h
index 2a146a80be6..d2f4b728ee4 100644
--- a/chromium/net/cert/sct_auditing_delegate.h
+++ b/chromium/net/cert/sct_auditing_delegate.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/sct_status_flags.cc b/chromium/net/cert/sct_status_flags.cc
index 92042fa6429..d67b4b008e8 100644
--- a/chromium/net/cert/sct_status_flags.cc
+++ b/chromium/net/cert/sct_status_flags.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/sct_status_flags.h b/chromium/net/cert/sct_status_flags.h
index 0957cdcbf6c..8bcbf0b2301 100644
--- a/chromium/net/cert/sct_status_flags.h
+++ b/chromium/net/cert/sct_status_flags.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/signed_certificate_timestamp.cc b/chromium/net/cert/signed_certificate_timestamp.cc
index da6e2c967b9..31c73f08cfb 100644
--- a/chromium/net/cert/signed_certificate_timestamp.cc
+++ b/chromium/net/cert/signed_certificate_timestamp.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/signed_certificate_timestamp.h b/chromium/net/cert/signed_certificate_timestamp.h
index a877ee724ec..a4427df1d01 100644
--- a/chromium/net/cert/signed_certificate_timestamp.h
+++ b/chromium/net/cert/signed_certificate_timestamp.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/signed_certificate_timestamp_and_status.cc b/chromium/net/cert/signed_certificate_timestamp_and_status.cc
index a1ac7ac718c..dfa0126a67b 100644
--- a/chromium/net/cert/signed_certificate_timestamp_and_status.cc
+++ b/chromium/net/cert/signed_certificate_timestamp_and_status.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/signed_certificate_timestamp_and_status.h b/chromium/net/cert/signed_certificate_timestamp_and_status.h
index 51cc06dd719..cdd70e68952 100644
--- a/chromium/net/cert/signed_certificate_timestamp_and_status.h
+++ b/chromium/net/cert/signed_certificate_timestamp_and_status.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/signed_certificate_timestamp_unittest.cc b/chromium/net/cert/signed_certificate_timestamp_unittest.cc
index 0b9a7d96b88..a17cb9c3ddb 100644
--- a/chromium/net/cert/signed_certificate_timestamp_unittest.cc
+++ b/chromium/net/cert/signed_certificate_timestamp_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/signed_tree_head.cc b/chromium/net/cert/signed_tree_head.cc
index 9640b135a5d..41c205341d9 100644
--- a/chromium/net/cert/signed_tree_head.cc
+++ b/chromium/net/cert/signed_tree_head.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/signed_tree_head.h b/chromium/net/cert/signed_tree_head.h
index 13248888314..98978415be5 100644
--- a/chromium/net/cert/signed_tree_head.h
+++ b/chromium/net/cert/signed_tree_head.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/symantec_certs.cc b/chromium/net/cert/symantec_certs.cc
index ae4a3c9b0c2..82dcecf9dea 100644
--- a/chromium/net/cert/symantec_certs.cc
+++ b/chromium/net/cert/symantec_certs.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/symantec_certs.h b/chromium/net/cert/symantec_certs.h
index f34d08ef14d..9f1dafc9dca 100644
--- a/chromium/net/cert/symantec_certs.h
+++ b/chromium/net/cert/symantec_certs.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/symantec_certs_unittest.cc b/chromium/net/cert/symantec_certs_unittest.cc
index 6a1fff6cb31..44a2da68e10 100644
--- a/chromium/net/cert/symantec_certs_unittest.cc
+++ b/chromium/net/cert/symantec_certs_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/test_keychain_search_list_mac.cc b/chromium/net/cert/test_keychain_search_list_mac.cc
index c2fe00107a2..02215a6cdfe 100644
--- a/chromium/net/cert/test_keychain_search_list_mac.cc
+++ b/chromium/net/cert/test_keychain_search_list_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/test_keychain_search_list_mac.h b/chromium/net/cert/test_keychain_search_list_mac.h
index 48edf89d979..002264ac9cc 100644
--- a/chromium/net/cert/test_keychain_search_list_mac.h
+++ b/chromium/net/cert/test_keychain_search_list_mac.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/test_root_certs.cc b/chromium/net/cert/test_root_certs.cc
index fd158a06352..8b1f2a4d88e 100644
--- a/chromium/net/cert/test_root_certs.cc
+++ b/chromium/net/cert/test_root_certs.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/test_root_certs.h b/chromium/net/cert/test_root_certs.h
index c299b3c6d3b..00139642feb 100644
--- a/chromium/net/cert/test_root_certs.h
+++ b/chromium/net/cert/test_root_certs.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/test_root_certs_android.cc b/chromium/net/cert/test_root_certs_android.cc
index ce1bca56018..3cbef700135 100644
--- a/chromium/net/cert/test_root_certs_android.cc
+++ b/chromium/net/cert/test_root_certs_android.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/test_root_certs_builtin.cc b/chromium/net/cert/test_root_certs_builtin.cc
index c26eb4a290e..26a833c7f15 100644
--- a/chromium/net/cert/test_root_certs_builtin.cc
+++ b/chromium/net/cert/test_root_certs_builtin.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/test_root_certs_mac.cc b/chromium/net/cert/test_root_certs_mac.cc
index d5023728e2c..777ae20e02d 100644
--- a/chromium/net/cert/test_root_certs_mac.cc
+++ b/chromium/net/cert/test_root_certs_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/test_root_certs_unittest.cc b/chromium/net/cert/test_root_certs_unittest.cc
index f430c590623..aefbf56b199 100644
--- a/chromium/net/cert/test_root_certs_unittest.cc
+++ b/chromium/net/cert/test_root_certs_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -33,15 +33,14 @@ const char kRootCertificateFile[] = "root_ca_cert.pem";
 const char kGoodCertificateFile[] = "ok_cert.pem";
 
 scoped_refptr<CertVerifyProc> CreateCertVerifyProc() {
-#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
-  return CertVerifyProc::CreateBuiltinVerifyProc(/*cert_net_fetcher=*/nullptr);
-#elif BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
-  if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature)) {
-    return CertVerifyProc::CreateBuiltinVerifyProc(
+#if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
+  if (base::FeatureList::IsEnabled(features::kChromeRootStoreUsed)) {
+    return CertVerifyProc::CreateBuiltinWithChromeRootStore(
         /*cert_net_fetcher=*/nullptr);
-  } else {
-    return CertVerifyProc::CreateSystemVerifyProc(/*cert_net_fetcher=*/nullptr);
   }
+#endif
+#if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
+  return CertVerifyProc::CreateBuiltinVerifyProc(/*cert_net_fetcher=*/nullptr);
 #else
   return CertVerifyProc::CreateSystemVerifyProc(/*cert_net_fetcher=*/nullptr);
 #endif
diff --git a/chromium/net/cert/test_root_certs_win.cc b/chromium/net/cert/test_root_certs_win.cc
index 85632fbbc46..cabdd8b4138 100644
--- a/chromium/net/cert/test_root_certs_win.cc
+++ b/chromium/net/cert/test_root_certs_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/trial_comparison_cert_verifier.cc b/chromium/net/cert/trial_comparison_cert_verifier.cc
index 963677c5ed0..47158ef7a8b 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier.cc
+++ b/chromium/net/cert/trial_comparison_cert_verifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/trial_comparison_cert_verifier.h b/chromium/net/cert/trial_comparison_cert_verifier.h
index f6d0981a6d0..f746593a7df 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier.h
+++ b/chromium/net/cert/trial_comparison_cert_verifier.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/trial_comparison_cert_verifier_unittest.cc b/chromium/net/cert/trial_comparison_cert_verifier_unittest.cc
index 5769a076753..26ae5f4b5a6 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier_unittest.cc
+++ b/chromium/net/cert/trial_comparison_cert_verifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/trial_comparison_cert_verifier_util.cc b/chromium/net/cert/trial_comparison_cert_verifier_util.cc
index b51d4306286..e039910c1a2 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier_util.cc
+++ b/chromium/net/cert/trial_comparison_cert_verifier_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/trial_comparison_cert_verifier_util.h b/chromium/net/cert/trial_comparison_cert_verifier_util.h
index fd10d8bfdfc..9321d47938d 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier_util.h
+++ b/chromium/net/cert/trial_comparison_cert_verifier_util.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_cert_types.cc b/chromium/net/cert/x509_cert_types.cc
index 202181d7e00..9263cc3e4ce 100644
--- a/chromium/net/cert/x509_cert_types.cc
+++ b/chromium/net/cert/x509_cert_types.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_cert_types.h b/chromium/net/cert/x509_cert_types.h
index 8450ee0b93b..13ab5629f31 100644
--- a/chromium/net/cert/x509_cert_types.h
+++ b/chromium/net/cert/x509_cert_types.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_cert_types_unittest.cc b/chromium/net/cert/x509_cert_types_unittest.cc
index 5de99ffea3d..7c3c97aa3d9 100644
--- a/chromium/net/cert/x509_cert_types_unittest.cc
+++ b/chromium/net/cert/x509_cert_types_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_certificate.cc b/chromium/net/cert/x509_certificate.cc
index 1dac369039a..be2c1d3aade 100644
--- a/chromium/net/cert/x509_certificate.cc
+++ b/chromium/net/cert/x509_certificate.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_certificate.h b/chromium/net/cert/x509_certificate.h
index 751d6c3e917..31cd48d3d8a 100644
--- a/chromium/net/cert/x509_certificate.h
+++ b/chromium/net/cert/x509_certificate.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_certificate_net_log_param.cc b/chromium/net/cert/x509_certificate_net_log_param.cc
index 61faf8a47f1..2a32576f762 100644
--- a/chromium/net/cert/x509_certificate_net_log_param.cc
+++ b/chromium/net/cert/x509_certificate_net_log_param.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_certificate_net_log_param.h b/chromium/net/cert/x509_certificate_net_log_param.h
index fe03f0a7907..218431e68cf 100644
--- a/chromium/net/cert/x509_certificate_net_log_param.h
+++ b/chromium/net/cert/x509_certificate_net_log_param.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_certificate_unittest.cc b/chromium/net/cert/x509_certificate_unittest.cc
index a32ba859784..d3236f7f95a 100644
--- a/chromium/net/cert/x509_certificate_unittest.cc
+++ b/chromium/net/cert/x509_certificate_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -22,6 +22,7 @@
 #include "net/cert/pem.h"
 #include "net/cert/pki/parse_certificate.h"
 #include "net/cert/x509_util.h"
+#include "net/test/cert_builder.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
 #include "net/test/test_data_directory.h"
@@ -921,66 +922,38 @@ TEST(X509CertificateTest, IsSelfSigned) {
 }
 
 TEST(X509CertificateTest, IsIssuedByEncodedWithIntermediates) {
-  static const unsigned char kPolicyRootDN[] = {
-    0x30, 0x1e, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
-    0x13, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74,
-    0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41
-  };
-  static const unsigned char kPolicyIntermediateDN[] = {
-    0x30, 0x26, 0x31, 0x24, 0x30, 0x22, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
-    0x1b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74,
-    0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74,
-    0x65, 0x20, 0x43, 0x41
-  };
-
-  base::FilePath certs_dir = GetTestCertsDirectory();
+  std::unique_ptr<CertBuilder> leaf, intermediate, root;
+  CertBuilder::CreateSimpleChain(&leaf, &intermediate, &root);
+  ASSERT_TRUE(leaf && intermediate && root);
 
-  CertificateList policy_chain = CreateCertificateListFromFile(
-      certs_dir, "explicit-policy-chain.pem", X509Certificate::FORMAT_AUTO);
-  ASSERT_EQ(3u, policy_chain.size());
+  std::string intermediate_dn = intermediate->GetSubject();
+  std::string root_dn = root->GetSubject();
 
-  // The intermediate CA certificate's policyConstraints extension has a
-  // requireExplicitPolicy field with SkipCerts=0.
-  std::string policy_intermediate_dn(
-      reinterpret_cast<const char*>(kPolicyIntermediateDN),
-      sizeof(kPolicyIntermediateDN));
-  std::string policy_root_dn(reinterpret_cast<const char*>(kPolicyRootDN),
-                             sizeof(kPolicyRootDN));
-
-  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
-  intermediates.push_back(bssl::UpRef(policy_chain[1]->cert_buffer()));
-  scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromBuffer(
-      bssl::UpRef(policy_chain[0]->cert_buffer()), std::move(intermediates));
+  // Create an X509Certificate object containing the leaf and the intermediate
+  // but not the root.
+  scoped_refptr<X509Certificate> cert_chain = leaf->GetX509CertificateChain();
   ASSERT_TRUE(cert_chain);
 
-  std::vector<std::string> issuers;
-
   // Check that the chain is issued by the intermediate.
-  issuers.clear();
-  issuers.push_back(policy_intermediate_dn);
-  EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers));
+  EXPECT_TRUE(cert_chain->IsIssuedByEncoded({intermediate_dn}));
 
   // Check that the chain is also issued by the root.
-  issuers.clear();
-  issuers.push_back(policy_root_dn);
-  EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers));
+  EXPECT_TRUE(cert_chain->IsIssuedByEncoded({root_dn}));
 
   // Check that the chain is issued by either the intermediate or the root.
-  issuers.clear();
-  issuers.push_back(policy_intermediate_dn);
-  issuers.push_back(policy_root_dn);
-  EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers));
+  EXPECT_TRUE(cert_chain->IsIssuedByEncoded({intermediate_dn, root_dn}));
 
   // Check that an empty issuers list returns false.
-  issuers.clear();
-  EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers));
+  EXPECT_FALSE(cert_chain->IsIssuedByEncoded({}));
 
   // Check that the chain is not issued by Verisign
-  std::string mit_issuer(reinterpret_cast<const char*>(VerisignDN),
-                         sizeof(VerisignDN));
-  issuers.clear();
-  issuers.push_back(mit_issuer);
-  EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers));
+  std::string verisign_issuer(reinterpret_cast<const char*>(VerisignDN),
+                              sizeof(VerisignDN));
+  EXPECT_FALSE(cert_chain->IsIssuedByEncoded({verisign_issuer}));
+
+  // Check that the chain is issued by root, though the extraneous Verisign
+  // name is also given.
+  EXPECT_TRUE(cert_chain->IsIssuedByEncoded({verisign_issuer, root_dn}));
 }
 
 const struct CertificateFormatTestData {
diff --git a/chromium/net/cert/x509_util.cc b/chromium/net/cert/x509_util.cc
index 310742ec97a..537ff4ac9b8 100644
--- a/chromium/net/cert/x509_util.cc
+++ b/chromium/net/cert/x509_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util.h b/chromium/net/cert/x509_util.h
index f86c7cd9a99..f2a615663ad 100644
--- a/chromium/net/cert/x509_util.h
+++ b/chromium/net/cert/x509_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util_android.cc b/chromium/net/cert/x509_util_android.cc
index d607d5bc83d..a4b2642fd28 100644
--- a/chromium/net/cert/x509_util_android.cc
+++ b/chromium/net/cert/x509_util_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util_apple.cc b/chromium/net/cert/x509_util_apple.cc
index 979e84f2d82..ae69948dfca 100644
--- a/chromium/net/cert/x509_util_apple.cc
+++ b/chromium/net/cert/x509_util_apple.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -75,16 +75,16 @@ CreateSecCertificateArrayForX509Certificate(
     return base::ScopedCFTypeRef<CFMutableArrayRef>();
   CFArrayAppendValue(cert_list, sec_cert);
   for (const auto& intermediate : cert->intermediate_buffers()) {
-    base::ScopedCFTypeRef<SecCertificateRef> sec_cert(
+    base::ScopedCFTypeRef<SecCertificateRef> intermediate_cert(
         CreateSecCertificateFromBytes(CRYPTO_BUFFER_data(intermediate.get()),
                                       CRYPTO_BUFFER_len(intermediate.get())));
-    if (!sec_cert) {
+    if (!intermediate_cert) {
       if (invalid_intermediate_behavior == InvalidIntermediateBehavior::kFail)
         return base::ScopedCFTypeRef<CFMutableArrayRef>();
       LOG(WARNING) << "error parsing intermediate";
       continue;
     }
-    CFArrayAppendValue(cert_list, sec_cert);
+    CFArrayAppendValue(cert_list, intermediate_cert);
   }
   return cert_list;
 }
diff --git a/chromium/net/cert/x509_util_apple.h b/chromium/net/cert/x509_util_apple.h
index 1348a2ef5f3..d1bba8d868d 100644
--- a/chromium/net/cert/x509_util_apple.h
+++ b/chromium/net/cert/x509_util_apple.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util_apple_unittest.cc b/chromium/net/cert/x509_util_apple_unittest.cc
index 06ff6b8c108..683827a710c 100644
--- a/chromium/net/cert/x509_util_apple_unittest.cc
+++ b/chromium/net/cert/x509_util_apple_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util_mac.cc b/chromium/net/cert/x509_util_mac.cc
index bb675db0715..21892943aa9 100644
--- a/chromium/net/cert/x509_util_mac.cc
+++ b/chromium/net/cert/x509_util_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util_mac.h b/chromium/net/cert/x509_util_mac.h
index d95f21af267..8c2e1fa2dd0 100644
--- a/chromium/net/cert/x509_util_mac.h
+++ b/chromium/net/cert/x509_util_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util_nss.cc b/chromium/net/cert/x509_util_nss.cc
index d52282832e5..6d17c40f445 100644
--- a/chromium/net/cert/x509_util_nss.cc
+++ b/chromium/net/cert/x509_util_nss.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,15 +7,18 @@
 #include <cert.h>  // Must be included before certdb.h
 #include <certdb.h>
 #include <cryptohi.h>
+#include <dlfcn.h>
 #include <nss.h>
 #include <pk11pub.h>
 #include <prerror.h>
+#include <seccomon.h>
 #include <secder.h>
 #include <sechash.h>
 #include <secmod.h>
 #include <secport.h>
 #include <string.h>
 
+#include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/strings/stringprintf.h"
 #include "crypto/nss_util.h"
@@ -436,4 +439,19 @@ SHA256HashValue CalculateFingerprint256(CERTCertificate* cert) {
   return sha256;
 }
 
+DISABLE_CFI_DLSYM
+SECStatus GetCertIsPerm(const CERTCertificate* cert, PRBool* isperm) {
+  // TODO(https://crbug.com/1365414): When the minimum NSS version is raised to
+  // 3.31 or higher, replace this with calling CERT_GetCertIsPerm directly.
+  using GetCertIsPermFunction = SECStatus (*)(const CERTCertificate*, PRBool*);
+  static GetCertIsPermFunction get_cert_is_perm =
+      reinterpret_cast<GetCertIsPermFunction>(
+          dlsym(RTLD_DEFAULT, "CERT_GetCertIsPerm"));
+  if (get_cert_is_perm) {
+    return get_cert_is_perm(cert, isperm);
+  }
+  *isperm = cert->isperm;
+  return SECSuccess;
+}
+
 }  // namespace net::x509_util
diff --git a/chromium/net/cert/x509_util_nss.h b/chromium/net/cert/x509_util_nss.h
index c9cb113a88d..c8c1a1e313e 100644
--- a/chromium/net/cert/x509_util_nss.h
+++ b/chromium/net/cert/x509_util_nss.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -157,6 +157,11 @@ NET_EXPORT bool GetValidityTimes(CERTCertificate* cert,
 // (all zero) fingerprint on failure.
 NET_EXPORT SHA256HashValue CalculateFingerprint256(CERTCertificate* cert);
 
+// Behaves like `CERT_GetCertIsPerm` in NSS. This function's type signature
+// mirrors the NSS function so call sites can be easily replaced when
+// https://crbug.com/1365414 is resolved.
+NET_EXPORT SECStatus GetCertIsPerm(const CERTCertificate* cert, PRBool* isperm);
+
 }  // namespace net::x509_util
 
 #endif  // NET_CERT_X509_UTIL_NSS_H_
diff --git a/chromium/net/cert/x509_util_nss_unittest.cc b/chromium/net/cert/x509_util_nss_unittest.cc
index 89816c2452c..65d7f114e91 100644
--- a/chromium/net/cert/x509_util_nss_unittest.cc
+++ b/chromium/net/cert/x509_util_nss_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util_unittest.cc b/chromium/net/cert/x509_util_unittest.cc
index 00d5d281297..6a61fe90690 100644
--- a/chromium/net/cert/x509_util_unittest.cc
+++ b/chromium/net/cert/x509_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util_win.cc b/chromium/net/cert/x509_util_win.cc
index ad819d986f6..72c537ac4f4 100644
--- a/chromium/net/cert/x509_util_win.cc
+++ b/chromium/net/cert/x509_util_win.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert/x509_util_win.h b/chromium/net/cert/x509_util_win.h
index 02f52cdaee1..27e08bb29b6 100644
--- a/chromium/net/cert/x509_util_win.h
+++ b/chromium/net/cert/x509_util_win.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert_net/cert_net_fetcher_url_request.cc b/chromium/net/cert_net/cert_net_fetcher_url_request.cc
index 4835ea8aa63..fad520b0221 100644
--- a/chromium/net/cert_net/cert_net_fetcher_url_request.cc
+++ b/chromium/net/cert_net/cert_net_fetcher_url_request.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
@@ -68,6 +68,7 @@
 #include "base/memory/ptr_util.h"
 #include "base/memory/raw_ptr.h"
 #include "base/numerics/safe_math.h"
+#include "base/ranges/algorithm.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/task/single_thread_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
@@ -461,7 +462,7 @@ void Job::AttachRequest(
 void Job::DetachRequest(CertNetFetcherURLRequest::RequestCore* request) {
   std::unique_ptr<Job> delete_this;
 
-  auto it = std::find(requests_.begin(), requests_.end(), request);
+  auto it = base::ranges::find(requests_, request);
   DCHECK(it != requests_.end());
   requests_.erase(it);
 
diff --git a/chromium/net/cert_net/cert_net_fetcher_url_request.h b/chromium/net/cert_net/cert_net_fetcher_url_request.h
index 2d468100e9f..a5411537d4a 100644
--- a/chromium/net/cert_net/cert_net_fetcher_url_request.h
+++ b/chromium/net/cert_net/cert_net_fetcher_url_request.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cert_net/cert_net_fetcher_url_request_unittest.cc b/chromium/net/cert_net/cert_net_fetcher_url_request_unittest.cc
index 08092a4af35..ab38845fe15 100644
--- a/chromium/net/cert_net/cert_net_fetcher_url_request_unittest.cc
+++ b/chromium/net/cert_net/cert_net_fetcher_url_request_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/OWNERS b/chromium/net/cookies/OWNERS
index 5f64039667d..a635fd3ba9b 100644
--- a/chromium/net/cookies/OWNERS
+++ b/chromium/net/cookies/OWNERS
@@ -1,4 +1,5 @@
 bingler@chromium.org
+cfredric@chromium.org
 dylancutler@google.com
 mkwst@chromium.org
 morlovich@chromium.org
diff --git a/chromium/net/cookies/canonical_cookie.cc b/chromium/net/cookies/canonical_cookie.cc
index 06fbffaee10..ada61ecbfe4 100644
--- a/chromium/net/cookies/canonical_cookie.cc
+++ b/chromium/net/cookies/canonical_cookie.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -576,9 +576,22 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::Create(
       parsed_cookie, creation_time, cookie_server_time);
   cookie_expires = ValidateAndAdjustExpiryDate(cookie_expires, creation_time);
 
-  CookiePrefix prefix = GetCookiePrefix(parsed_cookie.Name());
-  bool is_cookie_prefix_valid = IsCookiePrefixValid(prefix, url, parsed_cookie);
-  RecordCookiePrefixMetrics(prefix, is_cookie_prefix_valid);
+  CookiePrefix prefix_case_sensitive =
+      GetCookiePrefix(parsed_cookie.Name(), /*check_insensitively=*/false);
+  CookiePrefix prefix_case_insensitive =
+      GetCookiePrefix(parsed_cookie.Name(), /*check_insensitively=*/true);
+
+  bool is_sensitive_prefix_valid =
+      IsCookiePrefixValid(prefix_case_sensitive, url, parsed_cookie);
+  bool is_insensitive_prefix_valid =
+      IsCookiePrefixValid(prefix_case_insensitive, url, parsed_cookie);
+  bool is_cookie_prefix_valid =
+      base::FeatureList::IsEnabled(net::features::kCaseInsensitiveCookiePrefix)
+          ? is_insensitive_prefix_valid
+          : is_sensitive_prefix_valid;
+
+  RecordCookiePrefixMetrics(prefix_case_sensitive, prefix_case_insensitive,
+                            is_insensitive_prefix_valid);
 
   if (parsed_cookie.Name() == "") {
     is_cookie_prefix_valid = !HasHiddenPrefixName(parsed_cookie.Value());
@@ -1526,23 +1539,51 @@ std::string CanonicalCookie::BuildCookieAttributesLine(
 
 // static
 CanonicalCookie::CookiePrefix CanonicalCookie::GetCookiePrefix(
-    const std::string& name) {
+    const std::string& name,
+    bool check_insensitively) {
   const char kSecurePrefix[] = "__Secure-";
   const char kHostPrefix[] = "__Host-";
-  if (base::StartsWith(name, kSecurePrefix, base::CompareCase::SENSITIVE))
+
+  base::CompareCase case_sensitivity =
+      check_insensitively ? base::CompareCase::INSENSITIVE_ASCII
+                          : base::CompareCase::SENSITIVE;
+
+  if (base::StartsWith(name, kSecurePrefix, case_sensitivity))
     return CanonicalCookie::COOKIE_PREFIX_SECURE;
-  if (base::StartsWith(name, kHostPrefix, base::CompareCase::SENSITIVE))
+  if (base::StartsWith(name, kHostPrefix, case_sensitivity))
     return CanonicalCookie::COOKIE_PREFIX_HOST;
   return CanonicalCookie::COOKIE_PREFIX_NONE;
 }
 
 // static
 void CanonicalCookie::RecordCookiePrefixMetrics(
-    CanonicalCookie::CookiePrefix prefix,
-    bool is_cookie_valid) {
+    CookiePrefix prefix_case_sensitive,
+    CookiePrefix prefix_case_insensitive,
+    bool is_insensitive_prefix_valid) {
   const char kCookiePrefixHistogram[] = "Cookie.CookiePrefix";
-  UMA_HISTOGRAM_ENUMERATION(kCookiePrefixHistogram, prefix,
+  UMA_HISTOGRAM_ENUMERATION(kCookiePrefixHistogram, prefix_case_sensitive,
                             CanonicalCookie::COOKIE_PREFIX_LAST);
+
+  // For this to be true there must a prefix, so we know it's not
+  // COOKIE_PREFIX_NONE.
+  bool is_case_variant = prefix_case_insensitive != prefix_case_sensitive;
+
+  if (is_case_variant) {
+    const char kCookiePrefixVariantHistogram[] =
+        "Cookie.CookiePrefix.CaseVariant";
+    UMA_HISTOGRAM_ENUMERATION(kCookiePrefixVariantHistogram,
+                              prefix_case_insensitive,
+                              CanonicalCookie::COOKIE_PREFIX_LAST);
+
+    const char kVariantValidHistogram[] =
+        "Cookie.CookiePrefix.CaseVariantValid";
+    UMA_HISTOGRAM_BOOLEAN(kVariantValidHistogram, is_insensitive_prefix_valid);
+  }
+
+  const char kVariantCountHistogram[] = "Cookie.CookiePrefix.CaseVariantCount";
+  if (prefix_case_insensitive > CookiePrefix::COOKIE_PREFIX_NONE) {
+    UMA_HISTOGRAM_BOOLEAN(kVariantCountHistogram, is_case_variant);
+  }
 }
 
 // Returns true if the cookie does not violate any constraints imposed
@@ -1612,25 +1653,18 @@ bool CanonicalCookie::HasHiddenPrefixName(
   const base::StringPiece host_prefix = "__Host-";
 
   // Compare the value to the host_prefix.
-  if (base::StartsWith(value_without_BWS, host_prefix)) {
-    // The prefix matches, now check if the value string contains a subsequent
-    // '='.
-    if (value_without_BWS.find_first_of('=', host_prefix.size()) !=
-        base::StringPiece::npos) {
-      // This value contains a hidden prefix name.
-      return true;
-    }
-    return false;
+  if (base::StartsWith(value_without_BWS, host_prefix,
+                       base::CompareCase::INSENSITIVE_ASCII)) {
+    // This value contains a hidden prefix name.
+    return true;
   }
 
   // Do a similar check for the secure prefix
   const base::StringPiece secure_prefix = "__Secure-";
 
-  if (base::StartsWith(value_without_BWS, secure_prefix)) {
-    if (value_without_BWS.find_first_of('=', secure_prefix.size()) !=
-        base::StringPiece::npos) {
-      return true;
-    }
+  if (base::StartsWith(value_without_BWS, secure_prefix,
+                       base::CompareCase::INSENSITIVE_ASCII)) {
+    return true;
   }
 
   return false;
diff --git a/chromium/net/cookies/canonical_cookie.h b/chromium/net/cookies/canonical_cookie.h
index 7afdc20a502..22c331751c1 100644
--- a/chromium/net/cookies/canonical_cookie.h
+++ b/chromium/net/cookies/canonical_cookie.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,9 +10,11 @@
 #include <tuple>
 #include <vector>
 
+#include "base/feature_list.h"
 #include "base/gtest_prod_util.h"
 #include "base/strings/string_piece.h"
 #include "base/time/time.h"
+#include "net/base/features.h"
 #include "net/base/net_export.h"
 #include "net/cookies/cookie_access_result.h"
 #include "net/cookies/cookie_constants.h"
@@ -474,11 +476,22 @@ class NET_EXPORT CanonicalCookie {
 
   // Returns the CookiePrefix (or COOKIE_PREFIX_NONE if none) that
   // applies to the given cookie |name|.
-  static CookiePrefix GetCookiePrefix(const std::string& name);
+  static CookiePrefix GetCookiePrefix(const std::string& name) {
+    return GetCookiePrefix(name,
+                           base::FeatureList::IsEnabled(
+                               net::features::kCaseInsensitiveCookiePrefix));
+  }
+
+  // Returns the CookiePrefix (or COOKIE_PREFIX_NONE if none) that
+  // applies to the given cookie |name|. If `check_insensitively` is true then
+  // the string comparison will be performed case insensitively.
+  static CookiePrefix GetCookiePrefix(const std::string& name,
+                                      bool check_insensitively);
   // Records histograms to measure how often cookie prefixes appear in
   // the wild and how often they would be blocked.
-  static void RecordCookiePrefixMetrics(CookiePrefix prefix,
-                                        bool is_cookie_valid);
+  static void RecordCookiePrefixMetrics(CookiePrefix prefix_case_sensitive,
+                                        CookiePrefix prefix_case_insensitive,
+                                        bool is_insensitive_prefix_valid);
   // Returns true if a prefixed cookie does not violate any of the rules
   // for that cookie.
   static bool IsCookiePrefixValid(CookiePrefix prefix,
diff --git a/chromium/net/cookies/canonical_cookie_fuzzer.cc b/chromium/net/cookies/canonical_cookie_fuzzer.cc
index 558cd88e2aa..0df06e5022a 100644
--- a/chromium/net/cookies/canonical_cookie_fuzzer.cc
+++ b/chromium/net/cookies/canonical_cookie_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/canonical_cookie_test_helpers.h b/chromium/net/cookies/canonical_cookie_test_helpers.h
index d07967e0d78..ee21a12b18c 100644
--- a/chromium/net/cookies/canonical_cookie_test_helpers.h
+++ b/chromium/net/cookies/canonical_cookie_test_helpers.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/canonical_cookie_unittest.cc b/chromium/net/cookies/canonical_cookie_unittest.cc
index 49cbaf3ea55..967b0d30de7 100644
--- a/chromium/net/cookies/canonical_cookie_unittest.cc
+++ b/chromium/net/cookies/canonical_cookie_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -2417,18 +2417,51 @@ TEST(CanonicalCookieTest, SecureCookiePrefix) {
   EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
       {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
 
+  // Prefixes are case insensitive.
+  EXPECT_FALSE(CanonicalCookie::Create(
+      https_url, "__secure-A=C;", creation_time, server_time,
+      absl::nullopt /* cookie_partition_key */));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+  EXPECT_FALSE(CanonicalCookie::Create(
+      https_url, "__SECURE-A=C;", creation_time, server_time,
+      absl::nullopt /* cookie_partition_key */));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+  EXPECT_FALSE(CanonicalCookie::Create(
+      https_url, "__SeCuRe-A=C;", creation_time, server_time,
+      absl::nullopt /* cookie_partition_key */));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+
+  {
+    base::test::ScopedFeatureList scope_feature_list;
+    scope_feature_list.InitAndDisableFeature(
+        features::kCaseInsensitiveCookiePrefix);
+
+    EXPECT_TRUE(CanonicalCookie::Create(
+        https_url, "__secure-A=C;", creation_time, server_time,
+        absl::nullopt /* cookie_partition_key */));
+    EXPECT_TRUE(CanonicalCookie::Create(
+        https_url, "__SECURE-A=C;", creation_time, server_time,
+        absl::nullopt /* cookie_partition_key */));
+    EXPECT_TRUE(CanonicalCookie::Create(
+        https_url, "__SeCuRe-A=C;", creation_time, server_time,
+        absl::nullopt /* cookie_partition_key */));
+  }
+
   // A typoed prefix does not have to be Secure.
   EXPECT_TRUE(CanonicalCookie::Create(
-      https_url, "__secure-A=B; Secure", creation_time, server_time,
+      https_url, "__SecureA=B; Secure", creation_time, server_time,
       absl::nullopt /* cookie_partition_key */));
   EXPECT_TRUE(CanonicalCookie::Create(
-      https_url, "__secure-A=C;", creation_time, server_time,
+      https_url, "__SecureA=C;", creation_time, server_time,
       absl::nullopt /* cookie_partition_key */));
   EXPECT_TRUE(CanonicalCookie::Create(
-      https_url, "__SecureA=B; Secure", creation_time, server_time,
+      https_url, "_Secure-A=C;", creation_time, server_time,
       absl::nullopt /* cookie_partition_key */));
   EXPECT_TRUE(CanonicalCookie::Create(
-      https_url, "__SecureA=C;", creation_time, server_time,
+      https_url, "Secure-A=C;", creation_time, server_time,
       absl::nullopt /* cookie_partition_key */));
 
   // A __Secure- cookie can't be set on a non-secure origin.
@@ -2444,6 +2477,11 @@ TEST(CanonicalCookieTest, SecureCookiePrefix) {
       absl::nullopt /* cookie_partition_key */, &status));
   EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
       {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+  EXPECT_FALSE(CanonicalCookie::Create(
+      https_url, "=__Secure-A; Secure", creation_time, server_time,
+      absl::nullopt /* cookie_partition_key */, &status));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
 
   // While tricky, this isn't considered hidden and is fine.
   EXPECT_TRUE(CanonicalCookie::Create(
@@ -2526,12 +2564,54 @@ TEST(CanonicalCookieTest, HostCookiePrefix) {
       https_url, "__Host-A=B; Secure; Path=/;", creation_time, server_time,
       absl::nullopt /* cookie_partition_key */));
 
+  // Prefixes are case insensitive.
+  EXPECT_FALSE(CanonicalCookie::Create(
+      http_url, "__host-A=B; Domain=" + domain + "; Path=/;", creation_time,
+      server_time, absl::nullopt /* cookie_partition_key */, &status));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+
+  EXPECT_FALSE(CanonicalCookie::Create(
+      http_url, "__HOST-A=B; Domain=" + domain + "; Path=/;", creation_time,
+      server_time, absl::nullopt /* cookie_partition_key */, &status));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+
+  EXPECT_FALSE(CanonicalCookie::Create(
+      http_url, "__HoSt-A=B; Domain=" + domain + "; Path=/;", creation_time,
+      server_time, absl::nullopt /* cookie_partition_key */, &status));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+
+  {
+    base::test::ScopedFeatureList scope_feature_list;
+    scope_feature_list.InitAndDisableFeature(
+        features::kCaseInsensitiveCookiePrefix);
+
+    EXPECT_TRUE(CanonicalCookie::Create(
+        http_url, "__host-A=B; Domain=" + domain + "; Path=/;", creation_time,
+        server_time, absl::nullopt /* cookie_partition_key */, &status));
+
+    EXPECT_TRUE(CanonicalCookie::Create(
+        http_url, "__HOST-A=B; Domain=" + domain + "; Path=/;", creation_time,
+        server_time, absl::nullopt /* cookie_partition_key */, &status));
+
+    EXPECT_TRUE(CanonicalCookie::Create(
+        http_url, "__HoSt-A=B; Domain=" + domain + "; Path=/;", creation_time,
+        server_time, absl::nullopt /* cookie_partition_key */, &status));
+  }
+
   // Rules don't apply for a typoed prefix.
   EXPECT_TRUE(CanonicalCookie::Create(
-      http_url, "__host-A=B; Domain=" + domain + "; Path=/;", creation_time,
+      https_url, "__HostA=B; Domain=" + domain + "; Secure;", creation_time,
       server_time, absl::nullopt /* cookie_partition_key */));
+
   EXPECT_TRUE(CanonicalCookie::Create(
-      https_url, "__HostA=B; Domain=" + domain + "; Secure;", creation_time,
+      https_url, "_Host-A=B; Domain=" + domain + "; Secure;", creation_time,
+      server_time, absl::nullopt /* cookie_partition_key */));
+
+  EXPECT_TRUE(CanonicalCookie::Create(
+      https_url, "Host-A=B; Domain=" + domain + "; Secure;", creation_time,
       server_time, absl::nullopt /* cookie_partition_key */));
 
   // Hidden __Host- prefixes should be rejected.
@@ -2540,6 +2620,11 @@ TEST(CanonicalCookieTest, HostCookiePrefix) {
       absl::nullopt /* cookie_partition_key */, &status));
   EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
       {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+  EXPECT_FALSE(CanonicalCookie::Create(
+      https_url, "=__Host-A; Path=/; Secure;", creation_time, server_time,
+      absl::nullopt /* cookie_partition_key */, &status));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
 
   // While tricky, this isn't considered hidden and is fine.
   EXPECT_TRUE(CanonicalCookie::Create(
@@ -2996,11 +3081,23 @@ TEST(CanonicalCookieTest, IsCanonical) {
                    ->IsCanonical());
 
   EXPECT_FALSE(CanonicalCookie::CreateUnsafeCookieForTesting(
+                   "", "__Secure-a", "x.y", "/", base::Time(), base::Time(),
+                   base::Time(), base::Time(), true, false,
+                   CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_LOW, false)
+                   ->IsCanonical());
+
+  EXPECT_FALSE(CanonicalCookie::CreateUnsafeCookieForTesting(
                    "", "__Host-a=b", "x.y", "/", base::Time(), base::Time(),
                    base::Time(), base::Time(), true, false,
                    CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_LOW, false)
                    ->IsCanonical());
 
+  EXPECT_FALSE(CanonicalCookie::CreateUnsafeCookieForTesting(
+                   "", "__Host-a", "x.y", "/", base::Time(), base::Time(),
+                   base::Time(), base::Time(), true, false,
+                   CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_LOW, false)
+                   ->IsCanonical());
+
   EXPECT_TRUE(CanonicalCookie::CreateUnsafeCookieForTesting(
                   "a", "__Secure-a=b", "x.y", "/", base::Time(), base::Time(),
                   base::Time(), base::Time(), true, false,
@@ -3026,9 +3123,14 @@ TEST(CanonicalCookieTest, TestSetCreationDate) {
   EXPECT_EQ(now, cookie->CreationDate());
 }
 
+// TODO(bingler) Expand this
 TEST(CanonicalCookieTest, TestPrefixHistograms) {
   base::HistogramTester histograms;
   const char kCookiePrefixHistogram[] = "Cookie.CookiePrefix";
+  const char kCookiePrefixVariantHistogram[] =
+      "Cookie.CookiePrefix.CaseVariant";
+  const char kVariantValidHistogram[] = "Cookie.CookiePrefix.CaseVariantValid";
+  const char kVariantCountHistogram[] = "Cookie.CookiePrefix.CaseVariantCount";
   GURL https_url("https://www.example.test");
   base::Time creation_time = base::Time::Now();
   absl::optional<base::Time> server_time = absl::nullopt;
@@ -3067,6 +3169,46 @@ TEST(CanonicalCookieTest, TestPrefixHistograms) {
       absl::nullopt /* cookie_partition_key */));
   histograms.ExpectBucketCount(kCookiePrefixHistogram,
                                CanonicalCookie::COOKIE_PREFIX_SECURE, 2);
+
+  // Test prefix case variants
+  const int sensitive_value_host = histograms.GetBucketCount(
+      kCookiePrefixHistogram, CanonicalCookie::COOKIE_PREFIX_HOST);
+  const int sensitive_value_secure = histograms.GetBucketCount(
+      kCookiePrefixHistogram, CanonicalCookie::COOKIE_PREFIX_SECURE);
+
+  EXPECT_TRUE(CanonicalCookie::Create(
+      https_url, "__SECURE-A=B; Path=/; Secure", creation_time, server_time,
+      absl::nullopt /* cookie_partition_key */));
+  histograms.ExpectBucketCount(kCookiePrefixVariantHistogram,
+                               CanonicalCookie::COOKIE_PREFIX_SECURE, 1);
+  histograms.ExpectBucketCount(kCookiePrefixHistogram,
+                               CanonicalCookie::COOKIE_PREFIX_SECURE,
+                               sensitive_value_secure);
+
+  EXPECT_TRUE(CanonicalCookie::Create(
+      https_url, "__HOST-A=B; Path=/; Secure", creation_time, server_time,
+      absl::nullopt /* cookie_partition_key */));
+  histograms.ExpectBucketCount(kCookiePrefixVariantHistogram,
+                               CanonicalCookie::COOKIE_PREFIX_HOST, 1);
+  histograms.ExpectBucketCount(kCookiePrefixHistogram,
+                               CanonicalCookie::COOKIE_PREFIX_HOST,
+                               sensitive_value_host);
+
+  // True indicates a variant
+  histograms.ExpectBucketCount(kVariantCountHistogram, true, 2);
+  histograms.ExpectBucketCount(kVariantCountHistogram, false, 4);
+
+  // Invalid variants
+  EXPECT_FALSE(CanonicalCookie::Create(
+      https_url, "__SECURE-A=B", creation_time, server_time,
+      absl::nullopt /* cookie_partition_key */));
+
+  EXPECT_FALSE(CanonicalCookie::Create(
+      https_url, "__HOST-A=B;", creation_time, server_time,
+      absl::nullopt /* cookie_partition_key */));
+
+  histograms.ExpectBucketCount(kVariantValidHistogram, true, 2);
+  histograms.ExpectBucketCount(kVariantValidHistogram, false, 2);
 }
 
 TEST(CanonicalCookieTest, BuildCookieLine) {
@@ -3705,6 +3847,14 @@ TEST(CanonicalCookieTest, CreateSanitizedCookie_Logic) {
       {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
 
   EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "", "__Host-A", "", "/", two_hours_ago,
+      one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT,
+      false /*same_party*/, absl::nullopt /*partition_key*/, &status));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
       GURL("https://www.foo.com"), "", "__Secure-A=B", "", "/", two_hours_ago,
       one_hour_from_now, one_hour_ago, true, false,
       CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT,
@@ -3712,6 +3862,14 @@ TEST(CanonicalCookieTest, CreateSanitizedCookie_Logic) {
   EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
       {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
 
+  EXPECT_FALSE(CanonicalCookie::CreateSanitizedCookie(
+      GURL("https://www.foo.com"), "", "__Secure-A", "", "/", two_hours_ago,
+      one_hour_from_now, one_hour_ago, true, false,
+      CookieSameSite::NO_RESTRICTION, CookiePriority::COOKIE_PRIORITY_DEFAULT,
+      false /*same_party*/, absl::nullopt /*partition_key*/, &status));
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CookieInclusionStatus::EXCLUDE_INVALID_PREFIX}));
+
   // While tricky, this aren't considered hidden prefixes and should succeed.
   EXPECT_TRUE(CanonicalCookie::CreateSanitizedCookie(
       GURL("https://www.foo.com"), "A", "__Host-A=B", "", "/", two_hours_ago,
@@ -5299,22 +5457,25 @@ TEST(CanonicalCookieTest, TestHasHiddenPrefixName) {
       {"foo=bar", false},
       {" \t ", false},
       {"\t", false},
-      {"__Secure-abc", false},
       {"__Secure=-", false},
       {"__Secure=-abc", false},
       {"__Secur=e-abc", false},
       {"__Secureabc", false},
       {"__Host=-", false},
       {"__Host=-abc", false},
-      {"__Host-abc", false},
       {"__Hos=t-abc", false},
       {"_Host", false},
-      {"   __Secure-abc", false},
-      {"\t__Host-", false},
       {"a__Host-abc=123", false},
       {"a__Secure-abc=123", false},
+      {"__Secure-abc", true},
+      {"__Host-abc", true},
+      {"   __Secure-abc", true},
+      {"\t__Host-", true},
       {"__Host-=", true},
       {"__Host-=123", true},
+      {"__host-=123", true},
+      {"__HOST-=123", true},
+      {"__HoSt-=123", true},
       {"__Host-abc=", true},
       {"__Host-abc=123", true},
       {" __Host-abc=123", true},
@@ -5323,6 +5484,9 @@ TEST(CanonicalCookieTest, TestHasHiddenPrefixName) {
       {"\t __Host-abc=", true},
       {"__Secure-=", true},
       {"__Secure-=123", true},
+      {"__secure-=123", true},
+      {"__SECURE-=123", true},
+      {"__SeCuRe-=123", true},
       {"__Secure-abc=", true},
       {"__Secure-abc=123", true},
       {" __Secure-abc=123", true},
diff --git a/chromium/net/cookies/cookie_access_delegate.cc b/chromium/net/cookies/cookie_access_delegate.cc
index 87422832773..0273e09008e 100644
--- a/chromium/net/cookies/cookie_access_delegate.cc
+++ b/chromium/net/cookies/cookie_access_delegate.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,23 +9,11 @@
 #include "base/callback.h"
 #include "net/base/schemeful_site.h"
 #include "net/cookies/cookie_partition_key.h"
-#include "net/cookies/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_set_entry.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace net {
 
-namespace {
-CookiePartitionKey CreateCookiePartitionKeyFromFirstPartySetEntry(
-    const CookiePartitionKey& cookie_partition_key,
-    base::flat_map<net::SchemefulSite, FirstPartySetEntry> entries) {
-  if (entries.empty()) {
-    return cookie_partition_key;
-  }
-  return CookiePartitionKey::FromWire(entries.begin()->second.primary(),
-                                      cookie_partition_key.nonce());
-}
-}  // namespace
-
 CookieAccessDelegate::CookieAccessDelegate() = default;
 
 CookieAccessDelegate::~CookieAccessDelegate() = default;
@@ -34,30 +22,4 @@ bool CookieAccessDelegate::ShouldTreatUrlAsTrustworthy(const GURL& url) const {
   return false;
 }
 
-// static
-absl::optional<CookiePartitionKey>
-CookieAccessDelegate::FirstPartySetifyPartitionKey(
-    const CookieAccessDelegate* delegate,
-    const CookiePartitionKey& cookie_partition_key,
-    base::OnceCallback<void(CookiePartitionKey)> callback) {
-  // FirstPartySetify doesn't need to transform partition keys with a nonce,
-  // since those partitions are only available to a single fenced/anonymous
-  // iframe.
-  if (!delegate || cookie_partition_key.nonce()) {
-    return cookie_partition_key;
-  }
-
-  absl::optional<base::flat_map<net::SchemefulSite, FirstPartySetEntry>>
-      maybe_entries = delegate->FindFirstPartySetOwners(
-          {cookie_partition_key.site()},
-          base::BindOnce(&CreateCookiePartitionKeyFromFirstPartySetEntry,
-                         cookie_partition_key)
-              .Then(std::move(callback)));
-  if (maybe_entries.has_value())
-    return CreateCookiePartitionKeyFromFirstPartySetEntry(
-        cookie_partition_key, maybe_entries.value());
-
-  return absl::nullopt;
-}
-
 }  // namespace net
diff --git a/chromium/net/cookies/cookie_access_delegate.h b/chromium/net/cookies/cookie_access_delegate.h
index 3d69dbe7d38..8121b5595a1 100644
--- a/chromium/net/cookies/cookie_access_delegate.h
+++ b/chromium/net/cookies/cookie_access_delegate.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,9 +15,9 @@
 #include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_constants.h"
 #include "net/cookies/cookie_partition_key.h"
-#include "net/cookies/first_party_set_entry.h"
-#include "net/cookies/first_party_set_metadata.h"
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/gurl.h"
 
@@ -78,24 +78,11 @@ class NET_EXPORT CookieAccessDelegate {
   // not both, and not neither.
   [[nodiscard]] virtual absl::optional<
       base::flat_map<net::SchemefulSite, net::FirstPartySetEntry>>
-  FindFirstPartySetOwners(
+  FindFirstPartySetEntries(
       const base::flat_set<net::SchemefulSite>& sites,
       base::OnceCallback<
           void(base::flat_map<net::SchemefulSite, net::FirstPartySetEntry>)>
           callback) const = 0;
-
-  // Converts the CookiePartitionKey's site to its First-Party Set owner if
-  // the site is in a nontrivial set.
-  //
-  // This may return a result synchronously, or asynchronously invoke `callback`
-  // with the result. The callback will be invoked iff the return value is
-  // nullopt; i.e. a result will be provided via return value or callback, but
-  // not both, and not neither.
-  [[nodiscard]] static absl::optional<CookiePartitionKey>
-  FirstPartySetifyPartitionKey(
-      const CookieAccessDelegate* delegate,
-      const CookiePartitionKey& cookie_partition_key,
-      base::OnceCallback<void(CookiePartitionKey)> callback);
 };
 
 }  // namespace net
diff --git a/chromium/net/cookies/cookie_access_result.cc b/chromium/net/cookies/cookie_access_result.cc
index faa89ca1c11..7421cdbaf1a 100644
--- a/chromium/net/cookies/cookie_access_result.cc
+++ b/chromium/net/cookies/cookie_access_result.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_access_result.h b/chromium/net/cookies/cookie_access_result.h
index 8e38b4dbc15..fdf8b7d2d19 100644
--- a/chromium/net/cookies/cookie_access_result.h
+++ b/chromium/net/cookies/cookie_access_result.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_change_dispatcher.cc b/chromium/net/cookies/cookie_change_dispatcher.cc
index 755a4128d19..e91df544ecb 100644
--- a/chromium/net/cookies/cookie_change_dispatcher.cc
+++ b/chromium/net/cookies/cookie_change_dispatcher.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_change_dispatcher.h b/chromium/net/cookies/cookie_change_dispatcher.h
index 3e39c023902..32b56add43c 100644
--- a/chromium/net/cookies/cookie_change_dispatcher.h
+++ b/chromium/net/cookies/cookie_change_dispatcher.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_change_dispatcher_test_helpers.cc b/chromium/net/cookies/cookie_change_dispatcher_test_helpers.cc
index 3419e6653fe..1651e3fdd53 100644
--- a/chromium/net/cookies/cookie_change_dispatcher_test_helpers.cc
+++ b/chromium/net/cookies/cookie_change_dispatcher_test_helpers.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_change_dispatcher_test_helpers.h b/chromium/net/cookies/cookie_change_dispatcher_test_helpers.h
index 5ef6d9cd4d8..ccb2d82f21f 100644
--- a/chromium/net/cookies/cookie_change_dispatcher_test_helpers.h
+++ b/chromium/net/cookies/cookie_change_dispatcher_test_helpers.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_constants.cc b/chromium/net/cookies/cookie_constants.cc
index a443d13d57f..2a3fd5d4318 100644
--- a/chromium/net/cookies/cookie_constants.cc
+++ b/chromium/net/cookies/cookie_constants.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_constants.h b/chromium/net/cookies/cookie_constants.h
index 30e9ea6203d..525c52812da 100644
--- a/chromium/net/cookies/cookie_constants.h
+++ b/chromium/net/cookies/cookie_constants.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_constants_unittest.cc b/chromium/net/cookies/cookie_constants_unittest.cc
index 9d701851cdb..b99b19220fb 100644
--- a/chromium/net/cookies/cookie_constants_unittest.cc
+++ b/chromium/net/cookies/cookie_constants_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_deletion_info.cc b/chromium/net/cookies/cookie_deletion_info.cc
index ce3817fac10..202a9ea099d 100644
--- a/chromium/net/cookies/cookie_deletion_info.cc
+++ b/chromium/net/cookies/cookie_deletion_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_deletion_info.h b/chromium/net/cookies/cookie_deletion_info.h
index c066f13f8af..2876868e602 100644
--- a/chromium/net/cookies/cookie_deletion_info.h
+++ b/chromium/net/cookies/cookie_deletion_info.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_deletion_info_unittest.cc b/chromium/net/cookies/cookie_deletion_info_unittest.cc
index a21021e7cf5..ba22af06a91 100644
--- a/chromium/net/cookies/cookie_deletion_info_unittest.cc
+++ b/chromium/net/cookies/cookie_deletion_info_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_inclusion_status.cc b/chromium/net/cookies/cookie_inclusion_status.cc
index 58f0e738abd..a73548db376 100644
--- a/chromium/net/cookies/cookie_inclusion_status.cc
+++ b/chromium/net/cookies/cookie_inclusion_status.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_inclusion_status.h b/chromium/net/cookies/cookie_inclusion_status.h
index 246fe025f27..5f289ddcd94 100644
--- a/chromium/net/cookies/cookie_inclusion_status.h
+++ b/chromium/net/cookies/cookie_inclusion_status.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -96,6 +96,9 @@ class NET_EXPORT CookieInclusionStatus {
     EXCLUDE_ATTRIBUTE_VALUE_EXCEEDS_MAX_SIZE = 20,
     // Cookie was set with a Domain attribute containing non ASCII characters.
     EXCLUDE_DOMAIN_NON_ASCII = 21,
+    // Special case for when a cookie is blocked by third-party cookie blocking
+    // but the two sites are in the same First-Party Set.
+    EXCLUDE_THIRD_PARTY_BLOCKED_WITHIN_FIRST_PARTY_SET = 22,
 
     // This should be kept last.
     NUM_EXCLUSION_REASONS
diff --git a/chromium/net/cookies/cookie_inclusion_status_unittest.cc b/chromium/net/cookies/cookie_inclusion_status_unittest.cc
index 2ea50787594..09523c4f135 100644
--- a/chromium/net/cookies/cookie_inclusion_status_unittest.cc
+++ b/chromium/net/cookies/cookie_inclusion_status_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_monster.cc b/chromium/net/cookies/cookie_monster.cc
index 937e61e2663..0a5f4572193 100644
--- a/chromium/net/cookies/cookie_monster.cc
+++ b/chromium/net/cookies/cookie_monster.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -64,6 +64,7 @@
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/task/single_thread_task_runner.h"
+#include "base/threading/thread_checker.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/features.h"
 #include "net/base/isolation_info.h"
@@ -362,23 +363,21 @@ void HistogramExpirationDuration(const CanonicalCookie& cookie,
 }  // namespace
 
 CookieMonster::CookieMonster(scoped_refptr<PersistentCookieStore> store,
-                             NetLog* net_log,
-                             bool first_party_sets_enabled)
+                             NetLog* net_log)
     : CookieMonster(std::move(store),
                     base::Seconds(kDefaultAccessUpdateThresholdSeconds),
-                    net_log,
-                    first_party_sets_enabled) {}
+                    net_log) {}
 
 CookieMonster::CookieMonster(scoped_refptr<PersistentCookieStore> store,
                              base::TimeDelta last_access_threshold,
-                             NetLog* net_log,
-                             bool first_party_sets_enabled)
-    : change_dispatcher_(this, first_party_sets_enabled),
+                             NetLog* net_log)
+    : same_party_attribute_enabled_(base::FeatureList::IsEnabled(
+          net::features::kSamePartyAttributeEnabled)),
+      change_dispatcher_(this, same_party_attribute_enabled_),
       net_log_(NetLogWithSource::Make(net_log, NetLogSourceType::COOKIE_STORE)),
       store_(std::move(store)),
       last_access_threshold_(last_access_threshold),
-      last_statistic_record_time_(base::Time::Now()),
-      first_party_sets_enabled_(first_party_sets_enabled) {
+      last_statistic_record_time_(base::Time::Now()) {
   cookieable_schemes_.insert(
       cookieable_schemes_.begin(), kDefaultCookieableSchemes,
       kDefaultCookieableSchemes + kDefaultCookieableSchemesCount);
@@ -390,7 +389,7 @@ CookieMonster::CookieMonster(scoped_refptr<PersistentCookieStore> store,
 // Asynchronous CookieMonster API
 
 void CookieMonster::FlushStore(base::OnceClosure callback) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   if (initialized_ && store_.get()) {
     store_->Flush(std::move(callback));
@@ -401,7 +400,7 @@ void CookieMonster::FlushStore(base::OnceClosure callback) {
 }
 
 void CookieMonster::SetForceKeepSessionState() {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   if (store_)
     store_->SetForceKeepSessionState();
@@ -536,7 +535,7 @@ void CookieMonster::DeleteMatchingCookiesAsync(
 void CookieMonster::SetCookieableSchemes(
     const std::vector<std::string>& schemes,
     SetCookieableSchemesCallback callback) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Calls to this method will have no effect if made after a WebView or
   // CookieManager instance has been created.
@@ -551,7 +550,7 @@ void CookieMonster::SetCookieableSchemes(
 
 // This function must be called before the CookieMonster is used.
 void CookieMonster::SetPersistSessionCookies(bool persist_session_cookies) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(!initialized_);
   net_log_.AddEntryWithBoolParams(
       NetLogEventType::COOKIE_STORE_SESSION_PERSISTENCE, NetLogEventPhase::NONE,
@@ -569,7 +568,7 @@ CookieChangeDispatcher& CookieMonster::GetChangeDispatcher() {
 }
 
 CookieMonster::~CookieMonster() {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   net_log_.EndEvent(NetLogEventType::COOKIE_STORE_ALIVE);
 }
 
@@ -585,7 +584,7 @@ bool CookieMonster::CookieSorter(const CanonicalCookie* cc1,
 }
 
 void CookieMonster::GetAllCookies(GetAllCookiesCallback callback) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // This function is being called to scrape the cookie list for management UI
   // or similar.  We shouldn't show expired cookies in this list since it will
@@ -637,7 +636,7 @@ void CookieMonster::GetCookieListWithOptions(
     const CookieOptions& options,
     const CookiePartitionKeyCollection& cookie_partition_key_collection,
     GetCookieListCallback callback) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   CookieAccessResultList included_cookies;
   CookieAccessResultList excluded_cookies;
@@ -680,7 +679,7 @@ void CookieMonster::GetCookieListWithOptions(
 
 void CookieMonster::DeleteAllCreatedInTimeRange(const TimeRange& creation_range,
                                                 DeleteCallback callback) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   uint32_t num_deleted = 0;
   for (auto it = cookies_.begin(); it != cookies_.end();) {
@@ -747,7 +746,7 @@ bool CookieMonster::MatchCookieDeletionInfo(
 
 void CookieMonster::DeleteCanonicalCookie(const CanonicalCookie& cookie,
                                           DeleteCallback callback) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   uint32_t result = 0u;
   CookieMap* cookie_map = nullptr;
   PartitionedCookieMap::iterator cookie_partition_it;
@@ -790,7 +789,7 @@ void CookieMonster::DeleteCanonicalCookie(const CanonicalCookie& cookie,
 void CookieMonster::DeleteMatchingCookies(DeletePredicate predicate,
                                           DeletionCause cause,
                                           DeleteCallback callback) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(predicate);
 
   uint32_t num_deleted = 0;
@@ -832,12 +831,12 @@ void CookieMonster::DeleteMatchingCookies(DeletePredicate predicate,
 }
 
 void CookieMonster::MarkCookieStoreAsInitialized() {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   initialized_ = true;
 }
 
 void CookieMonster::FetchAllCookiesIfNecessary() {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   if (store_.get() && !started_fetching_all_cookies_) {
     started_fetching_all_cookies_ = true;
     FetchAllCookies();
@@ -845,7 +844,7 @@ void CookieMonster::FetchAllCookiesIfNecessary() {
 }
 
 void CookieMonster::FetchAllCookies() {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(store_.get()) << "Store must exist to initialize";
   DCHECK(!finished_fetching_all_cookies_)
       << "All cookies have already been fetched.";
@@ -860,7 +859,7 @@ void CookieMonster::FetchAllCookies() {
 void CookieMonster::OnLoaded(
     TimeTicks beginning_time,
     std::vector<std::unique_ptr<CanonicalCookie>> cookies) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   StoreLoadedCookies(std::move(cookies));
   base::UmaHistogramCustomTimes("Cookie.TimeBlockedOnLoad",
                                 base::TimeTicks::Now() - beginning_time,
@@ -873,7 +872,7 @@ void CookieMonster::OnLoaded(
 void CookieMonster::OnKeyLoaded(
     const std::string& key,
     std::vector<std::unique_ptr<CanonicalCookie>> cookies) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   StoreLoadedCookies(std::move(cookies));
 
@@ -900,7 +899,7 @@ void CookieMonster::OnKeyLoaded(
 
 void CookieMonster::StoreLoadedCookies(
     std::vector<std::unique_ptr<CanonicalCookie>> cookies) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Even if a key is expired, insert it so it can be garbage collected,
   // removed, and sync'd.
@@ -970,7 +969,7 @@ void CookieMonster::StoreLoadedCookies(
 }
 
 void CookieMonster::InvokeQueue() {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Move all per-key tasks into the global queue, if there are any.  This is
   // protection about a race where the store learns about all cookies loading
@@ -999,7 +998,7 @@ void CookieMonster::InvokeQueue() {
 }
 
 void CookieMonster::EnsureCookiesMapIsValid() {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Iterate through all the of the cookies, grouped by host.
   for (auto next = cookies_.begin(); next != cookies_.end();) {
@@ -1045,7 +1044,7 @@ void CookieMonster::TrimDuplicateCookiesForKey(
     CookieMap::iterator begin,
     CookieMap::iterator end,
     absl::optional<PartitionedCookieMap::iterator> cookie_partition_it) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Set of cookies ordered by creation time.
   typedef std::multiset<CookieMap::iterator, OrderByCreationTimeDesc> CookieSet;
@@ -1129,7 +1128,7 @@ CookieMonster::FindCookiesForRegistryControlledHost(
     const GURL& url,
     CookieMap* cookie_map,
     CookieMonster::PartitionedCookieMap::iterator* partition_it) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   if (!cookie_map)
     cookie_map = &cookies_;
@@ -1167,7 +1166,7 @@ std::vector<CanonicalCookie*>
 CookieMonster::FindPartitionedCookiesForRegistryControlledHost(
     const CookiePartitionKey& cookie_partition_key,
     const GURL& url) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   PartitionedCookieMap::iterator it =
       partitioned_cookies_.find(cookie_partition_key);
@@ -1183,7 +1182,7 @@ void CookieMonster::FilterCookiesWithOptions(
     std::vector<CanonicalCookie*>* cookie_ptrs,
     CookieAccessResultList* included_cookies,
     CookieAccessResultList* excluded_cookies) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Probe to save statistics relatively frequently.  We do it here rather
   // than in the set path as many websites won't set cookies, and we
@@ -1205,7 +1204,7 @@ void CookieMonster::FilterCookiesWithOptions(
             GetAccessSemanticsForCookie(*cookie_ptr),
             delegate_treats_url_as_trustworthy,
             cookie_util::GetSamePartyStatus(*cookie_ptr, options,
-                                            first_party_sets_enabled_)});
+                                            same_party_attribute_enabled_)});
 
     if (!access_result.status.IsInclude()) {
       UMA_HISTOGRAM_BOOLEAN(
@@ -1270,7 +1269,7 @@ void CookieMonster::MaybeDeleteEquivalentCookieAndUpdateStatus(
     base::Time* creation_date_to_inherit,
     CookieInclusionStatus* status,
     absl::optional<PartitionedCookieMap::iterator> cookie_partition_it) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(!status->HasExclusionReason(
       CookieInclusionStatus::EXCLUDE_OVERWRITE_SECURE));
   DCHECK(!status->HasExclusionReason(
@@ -1382,7 +1381,7 @@ CookieMonster::CookieMap::iterator CookieMonster::InternalInsertCookie(
     bool sync_to_store,
     const CookieAccessResult& access_result,
     bool dispatch_change) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   CanonicalCookie* cc_ptr = cc.get();
 
   net_log_.AddEvent(NetLogEventType::COOKIE_STORE_COOKIE_ADDED,
@@ -1445,7 +1444,7 @@ CookieMonster::InternalInsertPartitionedCookie(
     const CookieAccessResult& access_result,
     bool dispatch_change) {
   DCHECK(cc->IsPartitioned());
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   CanonicalCookie* cc_ptr = cc.get();
 
   net_log_.AddEvent(NetLogEventType::COOKIE_STORE_COOKIE_ADDED,
@@ -1489,7 +1488,7 @@ void CookieMonster::SetCanonicalCookie(
     const CookieOptions& options,
     SetCookiesCallback callback,
     absl::optional<CookieAccessResult> cookie_access_result) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   bool delegate_treats_url_as_trustworthy =
       cookie_access_delegate() &&
@@ -1500,7 +1499,7 @@ void CookieMonster::SetCanonicalCookie(
       CookieAccessParams(GetAccessSemanticsForCookie(*cc),
                          delegate_treats_url_as_trustworthy,
                          cookie_util::GetSamePartyStatus(
-                             *cc, options, first_party_sets_enabled_)),
+                             *cc, options, same_party_attribute_enabled_)),
       cookieable_schemes_, cookie_access_result);
 
   const std::string key(GetKey(cc->Domain()));
@@ -1646,7 +1645,7 @@ void CookieMonster::SetCanonicalCookie(
 
 void CookieMonster::SetAllCookies(CookieList list,
                                   SetCookiesCallback callback) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Nuke the existing store.
   while (!cookies_.empty()) {
@@ -1687,7 +1686,7 @@ void CookieMonster::SetAllCookies(CookieList list,
 
 void CookieMonster::InternalUpdateCookieAccessTime(CanonicalCookie* cc,
                                                    const Time& current) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Based off the Mozilla code.  When a cookie has been accessed recently,
   // don't bother updating its access time again.  This reduces the number of
@@ -1706,7 +1705,7 @@ void CookieMonster::InternalUpdateCookieAccessTime(CanonicalCookie* cc,
 void CookieMonster::InternalDeleteCookie(CookieMap::iterator it,
                                          bool sync_to_store,
                                          DeletionCause deletion_cause) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Ideally, this would be asserted up where we define kChangeCauseMapping,
   // but DeletionCause's visibility (or lack thereof) forces us to make
@@ -1758,7 +1757,7 @@ void CookieMonster::InternalDeletePartitionedCookie(
     CookieMap::iterator cookie_it,
     bool sync_to_store,
     DeletionCause deletion_cause) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Ideally, this would be asserted up where we define kChangeCauseMapping,
   // but DeletionCause's visibility (or lack thereof) forces us to make
@@ -1805,7 +1804,7 @@ void CookieMonster::InternalDeletePartitionedCookie(
 // meaning of the key is different, but that's not visible to this routine).
 size_t CookieMonster::GarbageCollect(const Time& current,
                                      const std::string& key) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   size_t num_deleted = 0;
   Time safe_date(Time::Now() - base::Days(kSafeFromGlobalPurgeDays));
@@ -1973,7 +1972,7 @@ size_t CookieMonster::GarbageCollectPartitionedCookies(
     const base::Time& current,
     const CookiePartitionKey& cookie_partition_key,
     const std::string& key) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   size_t num_deleted = 0;
   PartitionedCookieMap::iterator cookie_partition_it =
@@ -2020,7 +2019,7 @@ size_t CookieMonster::PurgeLeastRecentMatches(CookieItVector* cookies,
                                               size_t to_protect,
                                               size_t purge_goal,
                                               bool protect_secure_cookies) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // 1. Count number of the cookies at |priority|
   size_t cookies_count_possibly_to_be_deleted = CountCookiesForPossibleDeletion(
@@ -2070,7 +2069,7 @@ size_t CookieMonster::PurgeLeastRecentMatches(CookieItVector* cookies,
 size_t CookieMonster::GarbageCollectExpired(const Time& current,
                                             const CookieMapItPair& itpair,
                                             CookieItVector* cookie_its) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   int num_deleted = 0;
   for (CookieMap::iterator it = itpair.first, end = itpair.second; it != end;) {
@@ -2093,7 +2092,7 @@ size_t CookieMonster::GarbageCollectExpiredPartitionedCookies(
     const PartitionedCookieMap::iterator& cookie_partition_it,
     const CookieMapItPair& itpair,
     CookieItVector* cookie_its) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   int num_deleted = 0;
   for (CookieMap::iterator it = itpair.first, end = itpair.second; it != end;) {
@@ -2114,6 +2113,7 @@ size_t CookieMonster::GarbageCollectExpiredPartitionedCookies(
 
 void CookieMonster::GarbageCollectAllExpiredPartitionedCookies(
     const Time& current) {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   for (auto it = partitioned_cookies_.begin();
        it != partitioned_cookies_.end();) {
     // GarbageCollectExpiredPartitionedCookies calls
@@ -2134,7 +2134,7 @@ size_t CookieMonster::GarbageCollectDeleteRange(
     DeletionCause cause,
     CookieItVector::iterator it_begin,
     CookieItVector::iterator it_end) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   for (auto it = it_begin; it != it_end; it++) {
     InternalDeleteCookie((*it), true, cause);
@@ -2149,7 +2149,7 @@ size_t CookieMonster::GarbageCollectLeastRecentlyAccessed(
     CookieItVector cookie_its,
     base::Time* earliest_time) {
   DCHECK_LE(purge_goal, cookie_its.size());
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Sorts up to *and including* |cookie_its[purge_goal]| (if it exists), so
   // |earliest_time| will be properly assigned even if
@@ -2205,7 +2205,7 @@ std::string CookieMonster::GetKey(base::StringPiece domain) {
 }
 
 bool CookieMonster::HasCookieableScheme(const GURL& url) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // Make sure the request is on a cookie-able url scheme.
   bool is_cookieable = base::ranges::any_of(
@@ -2237,7 +2237,7 @@ CookieAccessSemantics CookieMonster::GetAccessSemanticsForCookie(
 // in the constructor so that we won't take statistics right after
 // startup, to avoid bias from browsers that are started but not used.
 void CookieMonster::RecordPeriodicStats(const base::Time& current_time) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   const base::TimeDelta kRecordStatisticsIntervalTime(
       base::Seconds(kRecordStatisticsIntervalSeconds));
@@ -2253,6 +2253,7 @@ void CookieMonster::RecordPeriodicStats(const base::Time& current_time) {
 }
 
 bool CookieMonster::DoRecordPeriodicStats() {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   // These values are all bogus if we have only partially loaded the cookies.
   if (started_fetching_all_cookies_ && !finished_fetching_all_cookies_)
     return false;
@@ -2272,7 +2273,7 @@ bool CookieMonster::DoRecordPeriodicStats() {
       }
     }
     absl::optional<base::flat_map<SchemefulSite, FirstPartySetEntry>>
-        maybe_sets = cookie_access_delegate()->FindFirstPartySetOwners(
+        maybe_sets = cookie_access_delegate()->FindFirstPartySetEntries(
             sites,
             base::BindOnce(&CookieMonster::RecordPeriodicFirstPartySetsStats,
                            weak_ptr_factory_.GetWeakPtr()));
@@ -2321,6 +2322,7 @@ void CookieMonster::RecordPeriodicFirstPartySetsStats(
     int sample = std::accumulate(
         set.second.begin(), set.second.end(), 0,
         [this](int acc, const net::SchemefulSite& site) -> int {
+          DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
           if (!site.has_registrable_domain_or_host())
             return acc;
           return acc + cookies_.count(site.registrable_domain_or_host());
@@ -2331,7 +2333,7 @@ void CookieMonster::RecordPeriodicFirstPartySetsStats(
 }
 
 void CookieMonster::DoCookieCallback(base::OnceClosure callback) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   MarkCookieStoreAsInitialized();
   FetchAllCookiesIfNecessary();
@@ -2353,6 +2355,7 @@ void CookieMonster::DoCookieCallbackForURL(base::OnceClosure callback,
 void CookieMonster::DoCookieCallbackForHostOrDomain(
     base::OnceClosure callback,
     base::StringPiece host_or_domain) {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   MarkCookieStoreAsInitialized();
   FetchAllCookiesIfNecessary();
 
@@ -2442,7 +2445,7 @@ void CookieMonster::ConvertPartitionedCookiesToUnpartitioned(const GURL& url) {
 
 void CookieMonster::OnConvertPartitionedCookiesToUnpartitioned(
     const GURL& url) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   std::vector<CanonicalCookie*> cookie_ptrs_for_site =
       FindCookiesForRegistryControlledHost(url);
@@ -2573,10 +2576,11 @@ void CookieMonster::ConvertPartitionedCookie(const net::CanonicalCookie& cookie,
   CookieOptions options = CookieOptions::MakeAllInclusive();
   CookieAccessResult access_result = new_cookie->IsSetPermittedInContext(
       url, options,
-      CookieAccessParams(GetAccessSemanticsForCookie(*new_cookie),
-                         delegate_treats_url_as_trustworthy,
-                         cookie_util::GetSamePartyStatus(
-                             *new_cookie, options, first_party_sets_enabled_)),
+      CookieAccessParams(
+          GetAccessSemanticsForCookie(*new_cookie),
+          delegate_treats_url_as_trustworthy,
+          cookie_util::GetSamePartyStatus(*new_cookie, options,
+                                          same_party_attribute_enabled_)),
       cookieable_schemes_);
   auto key = GetKey(new_cookie->Domain());
   InternalInsertCookie(key, std::move(new_cookie), /*sync_to_store=*/true,
diff --git a/chromium/net/cookies/cookie_monster.h b/chromium/net/cookies/cookie_monster.h
index 213d37d2509..227ca621fe0 100644
--- a/chromium/net/cookies/cookie_monster.h
+++ b/chromium/net/cookies/cookie_monster.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -23,6 +23,7 @@
 #include "base/memory/ref_counted.h"
 #include "base/memory/weak_ptr.h"
 #include "base/strings/string_piece.h"
+#include "base/thread_annotations.h"
 #include "base/threading/thread_checker.h"
 #include "base/time/time.h"
 #include "net/base/net_export.h"
@@ -155,16 +156,13 @@ class NET_EXPORT CookieMonster : public CookieStore {
   // this class, but it must remain valid for the duration of the cookie
   // monster's existence. If |store| is NULL, then no backing store will be
   // updated. |net_log| must outlive the CookieMonster and can be null.
-  CookieMonster(scoped_refptr<PersistentCookieStore> store,
-                NetLog* net_log,
-                bool first_party_sets_enabled);
+  CookieMonster(scoped_refptr<PersistentCookieStore> store, NetLog* net_log);
 
   // Only used during unit testing.
   // |net_log| must outlive the CookieMonster.
   CookieMonster(scoped_refptr<PersistentCookieStore> store,
                 base::TimeDelta last_access_threshold,
-                NetLog* net_log,
-                bool first_party_sets_enabled);
+                NetLog* net_log);
 
   CookieMonster(const CookieMonster&) = delete;
   CookieMonster& operator=(const CookieMonster&) = delete;
@@ -725,20 +723,22 @@ class NET_EXPORT CookieMonster : public CookieStore {
   // Set of keys (eTLD+1's) for which non-expired cookies have
   // been evicted for hitting the per-domain max. The size of this set is
   // histogrammed periodically. The size is limited to |kMaxDomainPurgedKeys|.
-  std::set<std::string> domain_purged_keys_;
+  std::set<std::string> domain_purged_keys_ GUARDED_BY_CONTEXT(thread_checker_);
 
   // The number of distinct keys (eTLD+1's) currently present in the |cookies_|
   // multimap. This is histogrammed periodically.
   size_t num_keys_ = 0u;
 
-  CookieMap cookies_;
+  CookieMap cookies_ GUARDED_BY_CONTEXT(thread_checker_);
 
-  PartitionedCookieMap partitioned_cookies_;
+  PartitionedCookieMap partitioned_cookies_ GUARDED_BY_CONTEXT(thread_checker_);
 
   // Number of distinct partitioned cookies globally. This is used to enforce a
   // global maximum on the number of partitioned cookies.
   size_t num_partitioned_cookies_ = 0u;
 
+  bool same_party_attribute_enabled_ = false;
+
   CookieMonsterChangeDispatcher change_dispatcher_;
 
   // Indicates whether the cookie store has been initialized.
@@ -756,11 +756,12 @@ class NET_EXPORT CookieMonster : public CookieStore {
   // until all cookies for the associated domain key eTLD+1 are loaded from the
   // backend store.
   std::map<std::string, base::circular_deque<base::OnceClosure>>
-      tasks_pending_for_key_;
+      tasks_pending_for_key_ GUARDED_BY_CONTEXT(thread_checker_);
 
   // Queues tasks that are blocked until all cookies are loaded from the backend
   // store.
-  base::circular_deque<base::OnceClosure> tasks_pending_;
+  base::circular_deque<base::OnceClosure> tasks_pending_
+      GUARDED_BY_CONTEXT(thread_checker_);
 
   // Once a global cookie task has been seen, all per-key tasks must be put in
   // |tasks_pending_| instead of |tasks_pending_for_key_| to ensure a reasonable
@@ -794,9 +795,7 @@ class NET_EXPORT CookieMonster : public CookieStore {
 
   bool persist_session_cookies_ = false;
 
-  bool first_party_sets_enabled_;
-
-  base::ThreadChecker thread_checker_;
+  THREAD_CHECKER(thread_checker_);
 
   base::WeakPtrFactory<CookieMonster> weak_ptr_factory_{this};
 };
diff --git a/chromium/net/cookies/cookie_monster_change_dispatcher.cc b/chromium/net/cookies/cookie_monster_change_dispatcher.cc
index cf928360284..4c1b532f9f1 100644
--- a/chromium/net/cookies/cookie_monster_change_dispatcher.cc
+++ b/chromium/net/cookies/cookie_monster_change_dispatcher.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,6 +10,7 @@
 #include "base/strings/string_piece.h"
 #include "base/task/task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
+#include "net/base/features.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_access_delegate.h"
@@ -36,7 +37,7 @@ CookieMonsterChangeDispatcher::Subscription::Subscription(
     std::string name_key,
     GURL url,
     absl::optional<CookiePartitionKey> cookie_partition_key,
-    const bool first_party_sets_enabled,
+    bool same_party_attribute_enabled,
     net::CookieChangeCallback callback)
     : change_dispatcher_(std::move(change_dispatcher)),
       domain_key_(std::move(domain_key)),
@@ -44,7 +45,7 @@ CookieMonsterChangeDispatcher::Subscription::Subscription(
       url_(std::move(url)),
       cookie_partition_key_(std::move(cookie_partition_key)),
       callback_(std::move(callback)),
-      first_party_sets_enabled_(first_party_sets_enabled),
+      same_party_attribute_enabled_(same_party_attribute_enabled),
       task_runner_(base::ThreadTaskRunnerHandle::Get()) {
   DCHECK(url_.is_valid() || url_.is_empty());
   DCHECK_EQ(url_.is_empty(), domain_key_ == kGlobalDomainKey);
@@ -74,7 +75,7 @@ void CookieMonsterChangeDispatcher::Subscription::DispatchChange(
         cookie_access_delegate->ShouldTreatUrlAsTrustworthy(url_);
     CookieOptions options = CookieOptions::MakeAllInclusive();
     CookieSamePartyStatus same_party_status = cookie_util::GetSamePartyStatus(
-        cookie, options, first_party_sets_enabled_);
+        cookie, options, same_party_attribute_enabled_);
     if (!cookie
              .IncludeForRequestURL(
                  url_, options,
@@ -111,9 +112,9 @@ void CookieMonsterChangeDispatcher::Subscription::DoDispatchChange(
 
 CookieMonsterChangeDispatcher::CookieMonsterChangeDispatcher(
     const CookieMonster* cookie_monster,
-    const bool first_party_sets_enabled)
+    bool same_party_attribute_enabled)
     : cookie_monster_(cookie_monster),
-      first_party_sets_enabled_(first_party_sets_enabled) {}
+      same_party_attribute_enabled_(same_party_attribute_enabled) {}
 
 CookieMonsterChangeDispatcher::~CookieMonsterChangeDispatcher() {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
@@ -154,7 +155,7 @@ CookieMonsterChangeDispatcher::AddCallbackForCookie(
 
   std::unique_ptr<Subscription> subscription = std::make_unique<Subscription>(
       weak_ptr_factory_.GetWeakPtr(), DomainKey(url), NameKey(name), url,
-      cookie_partition_key, first_party_sets_enabled_, std::move(callback));
+      cookie_partition_key, same_party_attribute_enabled_, std::move(callback));
 
   LinkSubscription(subscription.get());
   return subscription;
@@ -170,7 +171,7 @@ CookieMonsterChangeDispatcher::AddCallbackForUrl(
   std::unique_ptr<Subscription> subscription = std::make_unique<Subscription>(
       weak_ptr_factory_.GetWeakPtr(), DomainKey(url),
       std::string(kGlobalNameKey), url, cookie_partition_key,
-      first_party_sets_enabled_, std::move(callback));
+      same_party_attribute_enabled_, std::move(callback));
 
   LinkSubscription(subscription.get());
   return subscription;
@@ -184,7 +185,7 @@ CookieMonsterChangeDispatcher::AddCallbackForAllChanges(
   std::unique_ptr<Subscription> subscription = std::make_unique<Subscription>(
       weak_ptr_factory_.GetWeakPtr(), std::string(kGlobalDomainKey),
       std::string(kGlobalNameKey), GURL(""), absl::nullopt,
-      first_party_sets_enabled_, std::move(callback));
+      same_party_attribute_enabled_, std::move(callback));
 
   LinkSubscription(subscription.get());
   return subscription;
diff --git a/chromium/net/cookies/cookie_monster_change_dispatcher.h b/chromium/net/cookies/cookie_monster_change_dispatcher.h
index 5680404070d..c57a141f78b 100644
--- a/chromium/net/cookies/cookie_monster_change_dispatcher.h
+++ b/chromium/net/cookies/cookie_monster_change_dispatcher.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -33,7 +33,7 @@ class CookieMonsterChangeDispatcher : public CookieChangeDispatcher {
 
   // Expects |cookie_monster| to outlive this.
   CookieMonsterChangeDispatcher(const CookieMonster* cookie_monster,
-                                bool first_party_sets_enabled);
+                                bool same_party_attribute_enabled);
 
   CookieMonsterChangeDispatcher(const CookieMonsterChangeDispatcher&) = delete;
   CookieMonsterChangeDispatcher& operator=(
@@ -78,7 +78,7 @@ class CookieMonsterChangeDispatcher : public CookieChangeDispatcher {
                  std::string name_key,
                  GURL url,
                  absl::optional<CookiePartitionKey> cookie_partition_key,
-                 const bool first_party_sets_enabled,
+                 bool same_party_attribute_enabled,
                  net::CookieChangeCallback callback);
 
     Subscription(const Subscription&) = delete;
@@ -107,7 +107,7 @@ class CookieMonsterChangeDispatcher : public CookieChangeDispatcher {
     // nullopt means all Partitioned cookies will be ignored.
     const absl::optional<CookiePartitionKey> cookie_partition_key_;
     const net::CookieChangeCallback callback_;
-    const bool first_party_sets_enabled_;
+    bool same_party_attribute_enabled_;
 
     void DoDispatchChange(const CookieChangeInfo& change) const;
 
@@ -157,7 +157,7 @@ class CookieMonsterChangeDispatcher : public CookieChangeDispatcher {
 
   CookieDomainMap cookie_domain_map_;
 
-  const bool first_party_sets_enabled_;
+  const bool same_party_attribute_enabled_;
 
   THREAD_CHECKER(thread_checker_);
 
diff --git a/chromium/net/cookies/cookie_monster_netlog_params.cc b/chromium/net/cookies/cookie_monster_netlog_params.cc
index 8215b9c0456..93dfe25387c 100644
--- a/chromium/net/cookies/cookie_monster_netlog_params.cc
+++ b/chromium/net/cookies/cookie_monster_netlog_params.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_monster_netlog_params.h b/chromium/net/cookies/cookie_monster_netlog_params.h
index 5abed20447a..f3728da5868 100644
--- a/chromium/net/cookies/cookie_monster_netlog_params.h
+++ b/chromium/net/cookies/cookie_monster_netlog_params.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_monster_perftest.cc b/chromium/net/cookies/cookie_monster_perftest.cc
index 6ad5922a685..04caef1337c 100644
--- a/chromium/net/cookies/cookie_monster_perftest.cc
+++ b/chromium/net/cookies/cookie_monster_perftest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -29,7 +29,6 @@ namespace {
 
 const int kNumCookies = 20000;
 const char kCookieLine[] = "A  = \"b=;\\\"\"  ;secure;;; samesite=none";
-const bool kFirstPartySetsEnabled = false;
 
 static constexpr char kMetricPrefixParsedCookie[] = "ParsedCookie.";
 static constexpr char kMetricPrefixCookieMonster[] = "CookieMonster.";
@@ -177,8 +176,7 @@ TEST(ParsedCookieTest, TestParseBigCookies) {
 }
 
 TEST_F(CookieMonsterTest, TestAddCookiesOnSingleHost) {
-  auto cm =
-      std::make_unique<CookieMonster>(nullptr, nullptr, kFirstPartySetsEnabled);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
   std::vector<std::string> cookies;
   for (int i = 0; i < kNumCookies; i++) {
     cookies.push_back(base::StringPrintf("a%03d=b; SameSite=None; Secure", i));
@@ -215,8 +213,7 @@ TEST_F(CookieMonsterTest, TestAddCookiesOnSingleHost) {
 }
 
 TEST_F(CookieMonsterTest, TestAddCookieOnManyHosts) {
-  auto cm =
-      std::make_unique<CookieMonster>(nullptr, nullptr, kFirstPartySetsEnabled);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
   std::string cookie(kCookieLine);
   std::vector<GURL> gurls;  // just wanna have ffffuunnn
   for (int i = 0; i < kNumCookies; ++i) {
@@ -252,8 +249,7 @@ TEST_F(CookieMonsterTest, TestAddCookieOnManyHosts) {
 }
 
 TEST_F(CookieMonsterTest, TestDomainTree) {
-  auto cm =
-      std::make_unique<CookieMonster>(nullptr, nullptr, kFirstPartySetsEnabled);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
   GetCookieListCallback getCookieListCallback;
   SetCookieCallback setCookieCallback;
   const char domain_cookie_format_tree[] =
@@ -312,8 +308,7 @@ TEST_F(CookieMonsterTest, TestDomainTree) {
 }
 
 TEST_F(CookieMonsterTest, TestDomainLine) {
-  auto cm =
-      std::make_unique<CookieMonster>(nullptr, nullptr, kFirstPartySetsEnabled);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
   SetCookieCallback setCookieCallback;
   GetCookieListCallback getCookieListCallback;
   std::vector<std::string> domain_list;
@@ -377,8 +372,7 @@ TEST_F(CookieMonsterTest, TestImport) {
 
   store->SetLoadExpectation(true, std::move(initial_cookies));
 
-  auto cm = std::make_unique<CookieMonster>(store.get(), nullptr,
-                                            kFirstPartySetsEnabled);
+  auto cm = std::make_unique<CookieMonster>(store.get(), nullptr);
 
   // Import will happen on first access.
   GURL gurl("www.foo.com");
@@ -394,8 +388,7 @@ TEST_F(CookieMonsterTest, TestImport) {
 }
 
 TEST_F(CookieMonsterTest, TestGetKey) {
-  auto cm =
-      std::make_unique<CookieMonster>(nullptr, nullptr, kFirstPartySetsEnabled);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
   auto reporter = SetUpCookieMonsterReporter("baseline_story");
   base::ElapsedTimer get_key_timer;
   for (int i = 0; i < kNumCookies; i++)
diff --git a/chromium/net/cookies/cookie_monster_store_test.cc b/chromium/net/cookies/cookie_monster_store_test.cc
index 38bce0b9b6a..c0f8b25bd7d 100644
--- a/chromium/net/cookies/cookie_monster_store_test.cc
+++ b/chromium/net/cookies/cookie_monster_store_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -239,8 +239,7 @@ std::unique_ptr<CookieMonster> CreateMonsterFromStoreForGC(
     store->AddCookie(*cc);
   }
 
-  return std::make_unique<CookieMonster>(store.get(), /*net_log=*/nullptr,
-                                         /*first_party_sets_enabled=*/false);
+  return std::make_unique<CookieMonster>(store.get(), /*net_log=*/nullptr);
 }
 
 MockSimplePersistentCookieStore::~MockSimplePersistentCookieStore() = default;
diff --git a/chromium/net/cookies/cookie_monster_store_test.h b/chromium/net/cookies/cookie_monster_store_test.h
index 6250ebba5ea..6fdedd84120 100644
--- a/chromium/net/cookies/cookie_monster_store_test.h
+++ b/chromium/net/cookies/cookie_monster_store_test.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_monster_unittest.cc b/chromium/net/cookies/cookie_monster_unittest.cc
index 7150e7399cb..9fd9da337a5 100644
--- a/chromium/net/cookies/cookie_monster_unittest.cc
+++ b/chromium/net/cookies/cookie_monster_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -108,12 +108,11 @@ const char kTopLevelDomainPlus2[] = "http://www.math.harvard.edu";
 const char kTopLevelDomainPlus2Secure[] = "https://www.math.harvard.edu";
 const char kTopLevelDomainPlus3[] = "http://www.bourbaki.math.harvard.edu";
 const char kOtherDomain[] = "http://www.mit.edu";
-const bool kFirstPartySetsDefault = false;
 
 struct CookieMonsterTestTraits {
   static std::unique_ptr<CookieStore> Create() {
-    return std::make_unique<CookieMonster>(
-        nullptr /* store */, nullptr /* netlog */, kFirstPartySetsDefault);
+    return std::make_unique<CookieMonster>(nullptr /* store */,
+                                           nullptr /* netlog */);
   }
 
   static void DeliverChangeNotifications() { base::RunLoop().RunUntilIdle(); }
@@ -393,8 +392,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
     const int more_than_enough_cookies = domain_max_cookies + 10;
     // Add a bunch of cookies on a single host, should purge them.
     {
-      auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                                kFirstPartySetsDefault);
+      auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
       for (int i = 0; i < more_than_enough_cookies; ++i) {
         std::string cookie = base::StringPrintf("a%03d=b", i);
         EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(), cookie));
@@ -415,8 +413,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
     // between them.  We shouldn't go above kDomainMaxCookies for both together.
     GURL url_google_specific(http_www_foo_.Format("http://www.gmail.%D"));
     {
-      auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                                kFirstPartySetsDefault);
+      auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
       for (int i = 0; i < more_than_enough_cookies; ++i) {
         std::string cookie_general = base::StringPrintf("a%03d=b", i);
         EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(), cookie_general));
@@ -452,8 +449,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
     // Test histogram for the number of registrable domains affected by domain
     // purge.
     {
-      auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                                kFirstPartySetsDefault);
+      auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
       GURL url;
       for (int domain_num = 0; domain_num < 3; ++domain_num) {
         url = GURL(base::StringPrintf("http://domain%d.test", domain_num));
@@ -639,8 +635,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
     std::unique_ptr<CookieMonster> cm;
 
     if (alt_host_entries == nullptr) {
-      cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                           kFirstPartySetsDefault);
+      cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
     } else {
       // When generating all of these cookies on alternate hosts, they need to
       // be all older than the max "safe" date for GC, which is currently 30
@@ -685,8 +680,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
     DCHECK_EQ(150U, CookieMonster::kDomainMaxCookies -
                         CookieMonster::kDomainPurgeCookies);
 
-    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                              kFirstPartySetsDefault);
+    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
     // Key:
     // Round 1 => LN; round 2 => LS; round 3 => MN.
     // Round 4 => HN; round 5 => MS; round 6 => HS
@@ -752,8 +746,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
     DCHECK_EQ(150U, CookieMonster::kDomainMaxCookies -
                         CookieMonster::kDomainPurgeCookies);
 
-    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                              kFirstPartySetsDefault);
+    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
     // Key:
     // Round 1 => LN; round 2 => LS; round 3 => MN.
     // Round 4 => HN; round 5 => MS; round 6 => HS
@@ -813,8 +806,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
     DCHECK_EQ(150U, CookieMonster::kDomainMaxCookies -
                         CookieMonster::kDomainPurgeCookies);
 
-    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                              kFirstPartySetsDefault);
+    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
     // Key:
     // Round 1 => LN; round 2 => LS; round 3 => MN.
     // Round 4 => HN; round 5 => MS; round 6 => HS
@@ -935,8 +927,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
   void TestPartitionedCookiesGarbageCollectionHelper() {
     DCHECK_EQ(10u, CookieMonster::kPerPartitionDomainMaxCookies);
     int max_cookies = CookieMonster::kPerPartitionDomainMaxCookies;
-    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                              kFirstPartySetsDefault);
+    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
     auto cookie_partition_key =
         CookiePartitionKey::FromURLForTesting(GURL("https://toplevelsite.com"));
@@ -958,8 +949,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
   // Function for creating a CM with a number of cookies in it,
   // no store (and hence no ability to affect access time).
   std::unique_ptr<CookieMonster> CreateMonsterForGC(int num_cookies) {
-    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                              kFirstPartySetsDefault);
+    auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
     base::Time creation_time = base::Time::Now();
     for (int i = 0; i < num_cookies; i++) {
       std::unique_ptr<CanonicalCookie> cc(
@@ -1028,8 +1018,8 @@ class DeferredCookieTaskTest : public CookieMonsterTest {
   DeferredCookieTaskTest() {
     persistent_store_ = base::MakeRefCounted<MockPersistentCookieStore>();
     persistent_store_->set_store_load_commands(true);
-    cookie_monster_ = std::make_unique<CookieMonster>(
-        persistent_store_.get(), net::NetLog::Get(), kFirstPartySetsDefault);
+    cookie_monster_ = std::make_unique<CookieMonster>(persistent_store_.get(),
+                                                      net::NetLog::Get());
   }
 
   // Defines a cookie to be returned from PersistentCookieStore::Load
@@ -1444,8 +1434,7 @@ TEST_F(DeferredCookieTaskTest, DeferredTaskOrder) {
 
 TEST_F(CookieMonsterTest, TestCookieDeleteAll) {
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   CookieOptions options = CookieOptions::MakeAllInclusive();
 
   EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(), kValidCookieLine));
@@ -1487,8 +1476,7 @@ TEST_F(CookieMonsterTest, TestCookieDeleteAll) {
 }
 
 TEST_F(CookieMonsterTest, TestCookieDeleteAllCreatedInTimeRangeTimestamps) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   Time now = Time::Now();
 
@@ -1576,8 +1564,7 @@ TEST_F(CookieMonsterTest, TestCookieDeleteAllCreatedInTimeRangeTimestamps) {
 
 TEST_F(CookieMonsterTest,
        TestCookieDeleteAllCreatedInTimeRangeTimestampsWithInfo) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   Time now = Time::Now();
 
@@ -1665,8 +1652,7 @@ TEST_F(CookieMonsterTest,
 }
 
 TEST_F(CookieMonsterTest, TestCookieDeleteMatchingCookies) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
   Time now = Time::Now();
 
   // Nothing has been added so nothing should be deleted.
@@ -1741,8 +1727,7 @@ static const base::TimeDelta kAccessDelay =
 
 TEST_F(CookieMonsterTest, TestLastAccess) {
   auto cm = std::make_unique<CookieMonster>(nullptr, kLastAccessThreshold,
-                                            net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+                                            net::NetLog::Get());
 
   EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(), "A=B"));
   const Time last_access_date(GetFirstCookieAccessDate(cm.get()));
@@ -1800,11 +1785,9 @@ TEST_F(CookieMonsterTest, TestPartitionedCookiesGarbageCollection) {
 }
 
 TEST_F(CookieMonsterTest, SetCookieableSchemes) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
-  auto cm_foo = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                                kFirstPartySetsDefault);
+  auto cm_foo = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   // Only cm_foo should allow foo:// cookies.
   std::vector<std::string> schemes;
@@ -1866,8 +1849,7 @@ TEST_F(CookieMonsterTest, SetCookieableSchemes) {
 
 TEST_F(CookieMonsterTest, GetAllCookiesForURL) {
   auto cm = std::make_unique<CookieMonster>(nullptr, kLastAccessThreshold,
-                                            net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+                                            net::NetLog::Get());
 
   // Create an httponly cookie.
   CookieOptions options = CookieOptions::MakeAllInclusive();
@@ -1984,8 +1966,7 @@ TEST_F(CookieMonsterTest, GetAllCookiesForURL) {
 
 TEST_F(CookieMonsterTest, GetExcludedCookiesForURL) {
   auto cm = std::make_unique<CookieMonster>(nullptr, kLastAccessThreshold,
-                                            net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+                                            net::NetLog::Get());
 
   // Create an httponly cookie.
   CookieOptions options = CookieOptions::MakeAllInclusive();
@@ -2060,8 +2041,7 @@ TEST_F(CookieMonsterTest, GetExcludedCookiesForURL) {
 }
 
 TEST_F(CookieMonsterTest, GetAllCookiesForURLPathMatching) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   CookieOptions options = CookieOptions::MakeAllInclusive();
 
@@ -2100,8 +2080,7 @@ TEST_F(CookieMonsterTest, GetAllCookiesForURLPathMatching) {
 }
 
 TEST_F(CookieMonsterTest, GetExcludedCookiesForURLPathMatching) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   CookieOptions options = CookieOptions::MakeAllInclusive();
 
@@ -2138,8 +2117,7 @@ TEST_F(CookieMonsterTest, GetExcludedCookiesForURLPathMatching) {
 }
 
 TEST_F(CookieMonsterTest, CookieSorting) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   base::Time system_time = base::Time::Now();
   for (const char* cookie_line :
@@ -2166,8 +2144,7 @@ TEST_F(CookieMonsterTest, CookieSorting) {
 }
 
 TEST_F(CookieMonsterTest, InheritCreationDate) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   base::Time the_not_so_distant_past(base::Time::Now() - base::Seconds(1000));
   EXPECT_TRUE(SetCookieWithCreationTime(cm.get(), http_www_foo_.url(),
@@ -2204,8 +2181,7 @@ TEST_F(CookieMonsterTest, InheritCreationDate) {
 // Check that GetAllCookiesForURL() does not return expired cookies and deletes
 // them.
 TEST_F(CookieMonsterTest, DeleteExpiredCookiesOnGet) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(), "A=B;"));
 
@@ -2252,7 +2228,7 @@ TEST_F(CookieMonsterTest, DeleteExpiredCookiesOnGet) {
 // expiration happens without SetCookie.
 TEST_F(CookieMonsterTest, DeleteExpiredPartitionedCookiesOnlyOnGet) {
   auto cm = std::make_unique<CookieMonster>(
-      /*store=*/nullptr, net::NetLog::Get(), kFirstPartySetsDefault);
+      /*store=*/nullptr, net::NetLog::Get());
   auto cookie_partition_key =
       CookiePartitionKey::FromURLForTesting(GURL("https://toplevelsite.com"));
 
@@ -2335,8 +2311,7 @@ TEST_F(CookieMonsterTest, DontImportDuplicateCookies) {
   // Inject our initial cookies into the mock PersistentCookieStore.
   store->SetLoadExpectation(true, std::move(initial_cookies));
 
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   // Verify that duplicates were not imported for path "/".
   // (If this had failed, GetCookies() would have also returned X=1, X=2, X=4).
@@ -2381,8 +2356,7 @@ TEST_F(CookieMonsterTest, DontImportDuplicateCookies_PartitionedCookies) {
   initial_cookies.push_back(std::move(cc));
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   store->SetLoadExpectation(true, std::move(initial_cookies));
 
@@ -2434,8 +2408,7 @@ TEST_F(CookieMonsterTest, ImportDuplicateCreationTimes) {
   // Inject our initial cookies into the mock PersistentCookieStore.
   store->SetLoadExpectation(true, std::move(initial_cookies));
 
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   CookieList list(GetAllCookies(cm.get()));
   EXPECT_EQ(2U, list.size());
@@ -2492,8 +2465,7 @@ TEST_F(CookieMonsterTest, ImportDuplicateCreationTimes_PartitionedCookies) {
   // Inject our initial cookies into the mock PersistentCookieStore.
   store->SetLoadExpectation(true, std::move(initial_cookies));
 
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   CookieList list(GetAllCookies(cm.get()));
   EXPECT_EQ(2U, list.size());
@@ -2506,8 +2478,7 @@ TEST_F(CookieMonsterTest, ImportDuplicateCreationTimes_PartitionedCookies) {
 }
 
 TEST_F(CookieMonsterTest, PredicateSeesAllCookies) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   const base::Time now = PopulateCmForPredicateCheck(cm.get());
   // We test that we can see all cookies with |delete_info|. This includes
@@ -2535,8 +2506,7 @@ TEST_F(CookieMonsterTest, PredicateSeesAllCookies) {
 // Mainly a test of GetEffectiveDomain, or more specifically, of the
 // expected behavior of GetEffectiveDomain within the CookieMonster.
 TEST_F(CookieMonsterTest, GetKey) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   // This test is really only interesting if GetKey() actually does something.
   EXPECT_EQ("foo.com", cm->GetKey("www.foo.com"));
@@ -2581,8 +2551,8 @@ TEST_F(CookieMonsterTest, BackingStoreCommunication) {
 
   // Create new cookies and flush them to the store.
   {
-    auto cmout = std::make_unique<CookieMonster>(
-        store.get(), net::NetLog::Get(), kFirstPartySetsDefault);
+    auto cmout =
+        std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
     for (const auto& cookie : input_info) {
       EXPECT_TRUE(SetCanonicalCookie(
           cmout.get(),
@@ -2601,8 +2571,8 @@ TEST_F(CookieMonsterTest, BackingStoreCommunication) {
 
   // Create a new cookie monster and make sure that everything is correct
   {
-    auto cmin = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                                kFirstPartySetsDefault);
+    auto cmin =
+        std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
     CookieList cookies(GetAllCookies(cmin.get()));
     ASSERT_EQ(2u, cookies.size());
     // Ordering is path length, then creation time.  So second cookie
@@ -2636,8 +2606,7 @@ TEST_F(CookieMonsterTest, RestoreDifferentCookieSameCreationTime) {
       base::MakeRefCounted<MockPersistentCookieStore>();
 
   {
-    CookieMonster cmout(store.get(), net::NetLog::Get(),
-                        kFirstPartySetsDefault);
+    CookieMonster cmout(store.get(), net::NetLog::Get());
     GURL url("http://www.example.com/");
     EXPECT_TRUE(
         SetCookieWithCreationTime(&cmout, url, "A=1; max-age=600", current));
@@ -2659,8 +2628,7 @@ TEST_F(CookieMonsterTest, RestoreDifferentCookieSameCreationTime) {
 
   // Now read them in. Should get two cookies, not one.
   {
-    CookieMonster cmin(store2.get(), net::NetLog::Get(),
-                       kFirstPartySetsDefault);
+    CookieMonster cmin(store2.get(), net::NetLog::Get());
     CookieList cookies(GetAllCookies(&cmin));
     ASSERT_EQ(2u, cookies.size());
   }
@@ -2669,8 +2637,7 @@ TEST_F(CookieMonsterTest, RestoreDifferentCookieSameCreationTime) {
 TEST_F(CookieMonsterTest, CookieListOrdering) {
   // Put a random set of cookies into a monster and make sure
   // they're returned in the right order.
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   EXPECT_TRUE(
       SetCookie(cm.get(), GURL("http://d.c.b.a.foo.com/aa/x.html"), "c=1"));
@@ -2809,8 +2776,7 @@ TEST_F(CookieMonsterTest, WhileLoadingLoadCompletesBeforeKeyLoadCompletes) {
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
   store->set_store_load_commands(true);
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   auto cookie = CanonicalCookie::Create(
       kUrl, "a=b", base::Time::Now(), absl::nullopt /* server_time */,
@@ -2859,8 +2825,7 @@ TEST_F(CookieMonsterTest, WhileLoadingDeleteAllGetForURL) {
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
   store->set_store_load_commands(true);
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   ResultSavingCookieCallback<uint32_t> delete_callback;
   cm->DeleteAllAsync(delete_callback.MakeCallback());
@@ -2899,8 +2864,7 @@ TEST_F(CookieMonsterTest, WhileLoadingGetAllSetGetAll) {
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
   store->set_store_load_commands(true);
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   GetAllCookiesCallback get_cookies_callback1;
   cm->GetAllCookiesAsync(get_cookies_callback1.MakeCallback());
@@ -2950,8 +2914,7 @@ TEST_F(CookieMonsterTest, CheckOrderOfCookieTaskQueueWhenLoadingCompletes) {
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
   store->set_store_load_commands(true);
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   // Get all cookies task that queues a task to set a cookie when executed.
   auto cookie = CanonicalCookie::Create(
@@ -2995,8 +2958,7 @@ TEST_F(CookieMonsterTest, CheckOrderOfCookieTaskQueueWhenLoadingCompletes) {
 TEST_F(CookieMonsterTest, FlushStore) {
   auto counter = base::MakeRefCounted<CallbackCounter>();
   auto store = base::MakeRefCounted<FlushablePersistentStore>();
-  auto cm = std::make_unique<CookieMonster>(store, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store, net::NetLog::Get());
 
   ASSERT_EQ(0, store->flush_count());
   ASSERT_EQ(0, counter->callback_count());
@@ -3031,8 +2993,7 @@ TEST_F(CookieMonsterTest, FlushStore) {
   ASSERT_EQ(2, counter->callback_count());
 
   // If there's no backing store, FlushStore() is always a safe no-op.
-  cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                       kFirstPartySetsDefault);
+  cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
   GetAllCookies(cm.get());  // Force init.
   cm->FlushStore(base::DoNothing());
   base::RunLoop().RunUntilIdle();
@@ -3047,8 +3008,7 @@ TEST_F(CookieMonsterTest, FlushStore) {
 
 TEST_F(CookieMonsterTest, SetAllCookies) {
   auto store = base::MakeRefCounted<FlushablePersistentStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   cm->SetPersistSessionCookies(true);
 
   EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(), "U=V; path=/"));
@@ -3119,8 +3079,7 @@ TEST_F(CookieMonsterTest, SetAllCookies) {
 // Check that DeleteAll does flush (as a quick check that flush_count() works).
 TEST_F(CookieMonsterTest, DeleteAll) {
   auto store = base::MakeRefCounted<FlushablePersistentStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   cm->SetPersistSessionCookies(true);
 
   EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(), "X=Y; path=/"));
@@ -3147,8 +3106,7 @@ TEST_F(CookieMonsterTest, DeleteAll) {
 }
 
 TEST_F(CookieMonsterTest, HistogramCheck) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   // Should match call in InitializeHistograms, but doesn't really matter
   // since the histogram should have been initialized by the CM construction
@@ -3193,8 +3151,7 @@ TEST_F(CookieMonsterTest, InvalidExpiryTime) {
 // CookieStore if the "persist session cookies" option is on.
 TEST_F(CookieMonsterTest, PersistSessionCookies) {
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   cm->SetPersistSessionCookies(true);
 
   // All cookies set with SetCookie are session cookies.
@@ -3231,8 +3188,7 @@ TEST_F(CookieMonsterTest, PersistSessionCookies) {
 // Test the commands sent to the persistent cookie store.
 TEST_F(CookieMonsterTest, PersisentCookieStorageTest) {
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   // Add a cookie.
   EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(),
@@ -3330,8 +3286,7 @@ TEST_F(CookieMonsterTest, ControlCharacterPurge) {
   // Inject our initial cookies into the mock PersistentCookieStore.
   store->SetLoadExpectation(true, std::move(initial_cookies));
 
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   EXPECT_EQ("foo=bar; hello=world",
             GetCookies(cm.get(), url,
@@ -3344,8 +3299,7 @@ TEST_F(CookieMonsterTest, CookieSourceHistogram) {
   const std::string cookie_source_histogram = "Cookie.CookieSourceScheme";
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   histograms.ExpectTotalCount(cookie_source_histogram, 0);
 
@@ -3431,8 +3385,7 @@ TEST_F(CookieMonsterTest, NumKeysHistogram) {
       absl::nullopt /* cookie_partition_key */));
   store->SetLoadExpectation(true /* return_value */,
                             std::move(initial_cookies));
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   {
     base::HistogramTester histogram_tester;
     // Access the cookies to trigger loading from the persistent store.
@@ -3504,8 +3457,7 @@ TEST_F(CookieMonsterTest, MaxSameSiteNoneCookiesPerKey) {
   const char kHistogramName[] = "Cookie.MaxSameSiteNoneCookiesPerKey";
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   ASSERT_EQ(0u, GetAllCookies(cm.get()).size());
 
   {  // Only SameSite cookies should not log a sample.
@@ -3554,8 +3506,7 @@ TEST_F(CookieMonsterTest, MaxSameSiteNoneCookiesPerKey) {
 // Test that localhost URLs can set and get secure cookies, even if
 // non-cryptographic.
 TEST_F(CookieMonsterTest, SecureCookieLocalhost) {
-  auto cm =
-      std::make_unique<CookieMonster>(nullptr, nullptr, kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
 
   GURL insecure_localhost("http://localhost");
   GURL secure_localhost("https://localhost");
@@ -3629,8 +3580,7 @@ TEST_F(CookieMonsterTest, SecureCookieLocalhost) {
 
 TEST_F(CookieMonsterTest, MaybeDeleteEquivalentCookieAndUpdateStatus) {
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   // Set a secure, httponly cookie from a secure origin
   auto preexisting_cookie = CanonicalCookie::Create(
@@ -3736,8 +3686,7 @@ TEST_F(CookieMonsterTest, MaybeDeleteEquivalentCookieAndUpdateStatus) {
 TEST_F(CookieMonsterTest,
        MaybeDeleteEquivalentCookieAndUpdateStatus_PartitionedCookies) {
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   // Test adding two cookies with the same name, domain, and path but different
   // partition keys.
@@ -3780,8 +3729,7 @@ TEST_F(CookieMonsterTest,
 // multiple reasons (Secure and HttpOnly).
 TEST_F(CookieMonsterTest, SkipDontOverwriteForMultipleReasons) {
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   // Set a secure, httponly cookie from a secure origin
   auto preexisting_cookie = CanonicalCookie::Create(
@@ -3819,8 +3767,7 @@ TEST_F(CookieMonsterTest, SkipDontOverwriteForMultipleReasons) {
 // cookie should not be set.
 TEST_F(CookieMonsterTest, DontDeleteEquivalentCookieIfSetIsRejected) {
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   auto preexisting_cookie = CanonicalCookie::Create(
       http_www_foo_.url(), "cookie=foo", base::Time::Now(),
@@ -3846,8 +3793,7 @@ TEST_F(CookieMonsterTest, DontDeleteEquivalentCookieIfSetIsRejected) {
 }
 
 TEST_F(CookieMonsterTest, SetSecureCookies) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   GURL http_url("http://www.foo.com");
   GURL http_superdomain_url("http://foo.com");
@@ -4014,7 +3960,7 @@ TEST_F(CookieMonsterTest, SetSecureCookies) {
 }
 
 TEST_F(CookieMonsterTest, SetSamePartyCookies) {
-  CookieMonster cm(nullptr, net::NetLog::Get(), kFirstPartySetsDefault);
+  CookieMonster cm(nullptr, net::NetLog::Get());
   GURL http_url("http://www.foo.com");
   GURL http_superdomain_url("http://foo.com");
   GURL https_url("https://www.foo.com");
@@ -4071,8 +4017,7 @@ TEST_F(CookieMonsterTest, SetSamePartyCookies) {
 // Check domain-match criterion: If either cookie domain matches the other,
 // don't set the insecure cookie.
 TEST_F(CookieMonsterTest, LeaveSecureCookiesAlone_DomainMatch) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   // These domains will domain-match each other.
   const char* kRegistrableDomain = "foo.com";
@@ -4243,8 +4188,7 @@ TEST_F(CookieMonsterTest, LeaveSecureCookiesAlone_DomainMatch) {
 // Check path-match criterion: If the new cookie is for the same path or a
 // subdirectory of the preexisting cookie's path, don't set the new cookie.
 TEST_F(CookieMonsterTest, LeaveSecureCookiesAlone_PathMatch) {
-  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, net::NetLog::Get());
 
   // A path that is later in this list will path-match all the paths before it.
   const char* kPaths[] = {"/", "/1", "/1/2", "/1/2/3"};
@@ -4468,8 +4412,7 @@ TEST_F(CookieMonsterTest, EvictSecureCookies) {
 // Tests that strict secure cookies doesn't trip equivalent cookie checks
 // accidentally. Regression test for https://crbug.com/569943.
 TEST_F(CookieMonsterTest, EquivalentCookies) {
-  auto cm =
-      std::make_unique<CookieMonster>(nullptr, nullptr, kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
   GURL http_url("http://www.foo.com");
   GURL http_superdomain_url("http://foo.com");
   GURL https_url("https://www.foo.com");
@@ -4498,7 +4441,7 @@ TEST_F(CookieMonsterTest, SetCanonicalCookieDoesNotBlockForLoadAll) {
       base::MakeRefCounted<MockPersistentCookieStore>();
   // Collect load commands so we have control over their execution.
   persistent_store->set_store_load_commands(true);
-  CookieMonster cm(persistent_store.get(), nullptr, kFirstPartySetsDefault);
+  CookieMonster cm(persistent_store.get(), nullptr);
 
   // Start of a canonical cookie set.
   ResultSavingCookieCallback<CookieAccessResult> callback_set;
@@ -4545,7 +4488,7 @@ TEST_F(CookieMonsterTest, DeleteDuplicateCTime) {
   // that the implementation doesn't just happen to pick the right one because
   // of implementation details.
   for (const auto* name : kNames) {
-    CookieMonster cm(nullptr, nullptr, kFirstPartySetsDefault);
+    CookieMonster cm(nullptr, nullptr);
     Time now = Time::Now();
     GURL url("http://www.example.com");
 
@@ -4585,7 +4528,7 @@ TEST_F(CookieMonsterTest, DeleteCookieWithInheritedTimestamps) {
   CookieOptions options = CookieOptions::MakeAllInclusive();
   absl::optional<base::Time> server_time = absl::nullopt;
   absl::optional<CookiePartitionKey> partition_key = absl::nullopt;
-  CookieMonster cm(nullptr, nullptr, kFirstPartySetsDefault);
+  CookieMonster cm(nullptr, nullptr);
 
   // Write a cookie created at |t1|.
   auto cookie =
@@ -4617,7 +4560,7 @@ TEST_F(CookieMonsterTest, RejectCreatedSameSiteCookieOnSet) {
   GURL url("http://www.example.com");
   std::string cookie_line = "foo=bar; SameSite=Lax";
 
-  CookieMonster cm(nullptr, nullptr, kFirstPartySetsDefault);
+  CookieMonster cm(nullptr, nullptr);
   CookieOptions env_cross_site;
   env_cross_site.set_same_site_cookie_context(
       CookieOptions::SameSiteCookieContext(
@@ -4644,7 +4587,7 @@ TEST_F(CookieMonsterTest, RejectCreatedSecureCookieOnSet) {
   GURL http_url("http://www.example.com");
   std::string cookie_line = "foo=bar; Secure";
 
-  CookieMonster cm(nullptr, nullptr, kFirstPartySetsDefault);
+  CookieMonster cm(nullptr, nullptr);
   CookieInclusionStatus status;
   // Cookie can be created successfully from an any url. Secure is not checked
   // on Create.
@@ -4669,7 +4612,7 @@ TEST_F(CookieMonsterTest, RejectCreatedHttpOnlyCookieOnSet) {
   GURL url("http://www.example.com");
   std::string cookie_line = "foo=bar; HttpOnly";
 
-  CookieMonster cm(nullptr, nullptr, kFirstPartySetsDefault);
+  CookieMonster cm(nullptr, nullptr);
   CookieInclusionStatus status;
   // Cookie can be created successfully; HttpOnly is not checked on Create.
   auto cookie = CanonicalCookie::Create(
@@ -4743,8 +4686,7 @@ TEST_F(CookieMonsterTest, CookiesWithoutSameSiteMustBeSecure) {
        CookieInclusionStatus(), CookieEffectiveSameSite::LAX_MODE, kLongAge},
   };
 
-  auto cm =
-      std::make_unique<CookieMonster>(nullptr, nullptr, kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
   GURL secure_url("https://www.example1.test");
   GURL insecure_url("http://www.example2.test");
 
@@ -4779,9 +4721,7 @@ class CookieMonsterNotificationTest : public CookieMonsterTest {
   CookieMonsterNotificationTest()
       : test_url_("http://www.foo.com/foo"),
         store_(base::MakeRefCounted<MockPersistentCookieStore>()),
-        monster_(std::make_unique<CookieMonster>(store_.get(),
-                                                 nullptr,
-                                                 kFirstPartySetsDefault)) {}
+        monster_(std::make_unique<CookieMonster>(store_.get(), nullptr)) {}
 
   ~CookieMonsterNotificationTest() override = default;
 
@@ -4813,8 +4753,7 @@ TEST_F(CookieMonsterNotificationTest, NoNotificationOnLoad) {
   store->set_store_load_commands(true);
 
   // Bind it to a CookieMonster
-  auto monster = std::make_unique<CookieMonster>(store.get(), nullptr,
-                                                 kFirstPartySetsDefault);
+  auto monster = std::make_unique<CookieMonster>(store.get(), nullptr);
 
   // Trigger load dispatch and confirm it.
   monster->GetAllCookiesAsync(CookieStore::GetAllCookiesCallback());
@@ -4878,8 +4817,8 @@ class CookieMonsterLegacyCookieAccessTest : public CookieMonsterTest {
  public:
   CookieMonsterLegacyCookieAccessTest()
       : cm_(std::make_unique<CookieMonster>(nullptr /* store */,
-                                            nullptr /* netlog */,
-                                            kFirstPartySetsDefault)) {
+                                            nullptr /* netlog */
+                                            )) {
     // Need to reset first because there cannot be two TaskEnvironments at the
     // same time.
     task_environment_.reset();
@@ -5064,8 +5003,7 @@ TEST_F(CookieMonsterTest, CookieDomainSetHistogram) {
   const char kHistogramName[] = "Cookie.DomainSet";
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   histograms.ExpectTotalCount(kHistogramName, 0);
 
@@ -5093,8 +5031,7 @@ TEST_F(CookieMonsterTest, CookiePortReadHistogram) {
   const char kHistogramNameLocal[] = "Cookie.Port.Read.Localhost";
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   histograms.ExpectTotalCount(kHistogramName, 0);
 
@@ -5147,8 +5084,7 @@ TEST_F(CookieMonsterTest, CookiePortSetHistogram) {
   const char kHistogramNameLocal[] = "Cookie.Port.Set.Localhost";
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   histograms.ExpectTotalCount(kHistogramName, 0);
 
@@ -5202,8 +5138,7 @@ TEST_F(CookieMonsterTest, CookiePortReadDiffersFromSetHistogram) {
       "Cookie.Port.ReadDiffersFromSet.DomainSet";
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   histograms.ExpectTotalCount(kHistogramName, 0);
 
@@ -5302,8 +5237,7 @@ TEST_F(CookieMonsterTest, CookieSourceSchemeNameHistogram) {
   const char kHistogramName[] = "Cookie.CookieSourceSchemeName";
 
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
 
   histograms.ExpectTotalCount(kHistogramName, 0);
 
@@ -5363,9 +5297,8 @@ TEST_F(CookieMonsterTest, CookieSourceSchemeNameHistogram) {
 class FirstPartySetEnabledCookieMonsterTest : public CookieMonsterTest {
  public:
   FirstPartySetEnabledCookieMonsterTest()
-      : cm_(nullptr /* store */,
-            nullptr /* netlog */,
-            true /* first_party_sets_enabled */) {
+      : cm_(nullptr /* store */, nullptr /* netlog */
+        ) {
     std::unique_ptr<TestCookieAccessDelegate> access_delegate =
         std::make_unique<TestCookieAccessDelegate>();
     access_delegate_ = access_delegate.get();
@@ -5425,8 +5358,7 @@ TEST_F(FirstPartySetEnabledCookieMonsterTest, RecordsPeriodicFPSSizes) {
 
 TEST_F(CookieMonsterTest, GetAllCookiesForURLNonce) {
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   CookieOptions options = CookieOptions::MakeAllInclusive();
 
   auto anonymous_iframe_key = CookiePartitionKey::FromURLForTesting(
@@ -5466,8 +5398,7 @@ TEST_F(CookieMonsterTest, GetAllCookiesForURLNonce) {
 // Trial ends.
 TEST_F(CookieMonsterTest, ConvertPartitionedCookiesToUnpartitioned) {
   auto store = base::MakeRefCounted<MockPersistentCookieStore>();
-  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get(),
-                                            kFirstPartySetsDefault);
+  auto cm = std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   CookieOptions options = CookieOptions::MakeAllInclusive();
 
   // Set unpartitioned cookie
@@ -5682,8 +5613,8 @@ INSTANTIATE_TEST_SUITE_P(/* no label */,
 TEST_P(CookieMonsterWithClampingTest,
        FromStorageCookieCreated300DaysAgoThenUpdatedNow) {
   auto store = base::MakeRefCounted<FlushablePersistentStore>();
-  auto cookie_monster = std::make_unique<CookieMonster>(
-      store.get(), net::NetLog::Get(), kFirstPartySetsDefault);
+  auto cookie_monster =
+      std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   cookie_monster->SetPersistSessionCookies(true);
   EXPECT_TRUE(GetAllCookies(cookie_monster.get()).empty());
 
@@ -5737,8 +5668,8 @@ TEST_P(CookieMonsterWithClampingTest,
 TEST_P(CookieMonsterWithClampingTest,
        FromStorageCookieCreated500DaysAgoThenUpdatedNow) {
   auto store = base::MakeRefCounted<FlushablePersistentStore>();
-  auto cookie_monster = std::make_unique<CookieMonster>(
-      store.get(), net::NetLog::Get(), kFirstPartySetsDefault);
+  auto cookie_monster =
+      std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   cookie_monster->SetPersistSessionCookies(true);
   EXPECT_TRUE(GetAllCookies(cookie_monster.get()).empty());
 
@@ -5792,8 +5723,8 @@ TEST_P(CookieMonsterWithClampingTest,
 TEST_P(CookieMonsterWithClampingTest,
        SanitizedCookieCreated300DaysAgoThenUpdatedNow) {
   auto store = base::MakeRefCounted<FlushablePersistentStore>();
-  auto cookie_monster = std::make_unique<CookieMonster>(
-      store.get(), net::NetLog::Get(), kFirstPartySetsDefault);
+  auto cookie_monster =
+      std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   cookie_monster->SetPersistSessionCookies(true);
   EXPECT_TRUE(GetAllCookies(cookie_monster.get()).empty());
 
@@ -5857,8 +5788,8 @@ TEST_P(CookieMonsterWithClampingTest,
 TEST_P(CookieMonsterWithClampingTest,
        SanitizedCookieCreated500DaysAgoThenUpdatedNow) {
   auto store = base::MakeRefCounted<FlushablePersistentStore>();
-  auto cookie_monster = std::make_unique<CookieMonster>(
-      store.get(), net::NetLog::Get(), kFirstPartySetsDefault);
+  auto cookie_monster =
+      std::make_unique<CookieMonster>(store.get(), net::NetLog::Get());
   cookie_monster->SetPersistSessionCookies(true);
   EXPECT_TRUE(GetAllCookies(cookie_monster.get()).empty());
 
diff --git a/chromium/net/cookies/cookie_options.cc b/chromium/net/cookies/cookie_options.cc
index 05f30cd9463..42eb151094e 100644
--- a/chromium/net/cookies/cookie_options.cc
+++ b/chromium/net/cookies/cookie_options.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,7 @@
 
 #include "base/metrics/histogram_functions.h"
 #include "net/cookies/cookie_util.h"
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/same_party_context.h"
 
 namespace net {
 
diff --git a/chromium/net/cookies/cookie_options.h b/chromium/net/cookies/cookie_options.h
index b658ba3efa4..3cd66df8a3d 100644
--- a/chromium/net/cookies/cookie_options.h
+++ b/chromium/net/cookies/cookie_options.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -12,7 +12,7 @@
 #include "net/base/net_export.h"
 #include "net/cookies/cookie_constants.h"
 #include "net/cookies/cookie_inclusion_status.h"
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "url/gurl.h"
 
 namespace net {
diff --git a/chromium/net/cookies/cookie_options_unittest.cc b/chromium/net/cookies/cookie_options_unittest.cc
index 603c073f7fc..d40eaeba0db 100644
--- a/chromium/net/cookies/cookie_options_unittest.cc
+++ b/chromium/net/cookies/cookie_options_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_partition_key.cc b/chromium/net/cookies/cookie_partition_key.cc
index ec9872e7ae9..685e838dd20 100644
--- a/chromium/net/cookies/cookie_partition_key.cc
+++ b/chromium/net/cookies/cookie_partition_key.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,10 +9,22 @@
 
 #include "base/feature_list.h"
 #include "base/logging.h"
-#include "base/stl_util.h"
+#include "base/types/optional_util.h"
 #include "net/base/features.h"
 #include "net/cookies/cookie_constants.h"
 
+namespace {
+
+bool PartitionedCookiesEnabled(
+    const absl::optional<base::UnguessableToken>& nonce) {
+  return base::FeatureList::IsEnabled(net::features::kPartitionedCookies) ||
+         (base::FeatureList::IsEnabled(
+              net::features::kNoncedPartitionedCookies) &&
+          nonce);
+}
+
+}  // namespace
+
 namespace net {
 
 CookiePartitionKey::CookiePartitionKey() = default;
@@ -100,9 +112,7 @@ absl::optional<CookiePartitionKey> CookiePartitionKey::FromNetworkIsolationKey(
   // If PartitionedCookies is enabled, all partitioned cookies are allowed.
   // If NoncedPartitionedCookies is enabled, only partitioned cookies whose
   // partition key has a nonce are allowed.
-  if (!base::FeatureList::IsEnabled(features::kPartitionedCookies) &&
-      (!base::FeatureList::IsEnabled(features::kNoncedPartitionedCookies) ||
-       !nonce)) {
+  if (!PartitionedCookiesEnabled(nonce)) {
     return absl::nullopt;
   }
 
@@ -111,7 +121,7 @@ absl::optional<CookiePartitionKey> CookiePartitionKey::FromNetworkIsolationKey(
   const SchemefulSite* partition_key_site =
       first_party_set_owner_site
           ? first_party_set_owner_site
-          : base::OptionalOrNullptr(network_isolation_key.GetTopFrameSite());
+          : base::OptionalToPtr(network_isolation_key.GetTopFrameSite());
   if (!partition_key_site)
     return absl::nullopt;
 
@@ -119,6 +129,16 @@ absl::optional<CookiePartitionKey> CookiePartitionKey::FromNetworkIsolationKey(
       net::CookiePartitionKey(*partition_key_site, nonce));
 }
 
+// static
+absl::optional<net::CookiePartitionKey>
+CookiePartitionKey::FromStorageKeyComponents(
+    const SchemefulSite& top_level_site,
+    const absl::optional<base::UnguessableToken>& nonce) {
+  if (!PartitionedCookiesEnabled(nonce))
+    return absl::nullopt;
+  return CookiePartitionKey::FromWire(top_level_site, nonce);
+}
+
 bool CookiePartitionKey::IsSerializeable() const {
   if (!base::FeatureList::IsEnabled(features::kPartitionedCookies)) {
     DLOG(WARNING) << "Attempting to serialize CookiePartitionKey when "
@@ -132,6 +152,9 @@ bool CookiePartitionKey::IsSerializeable() const {
 
 std::ostream& operator<<(std::ostream& os, const CookiePartitionKey& cpk) {
   os << cpk.site();
+  if (cpk.nonce().has_value()) {
+    os << ",nonced";
+  }
   return os;
 }
 
diff --git a/chromium/net/cookies/cookie_partition_key.h b/chromium/net/cookies/cookie_partition_key.h
index 4b920323ae2..1474691bc9d 100644
--- a/chromium/net/cookies/cookie_partition_key.h
+++ b/chromium/net/cookies/cookie_partition_key.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -92,6 +92,14 @@ class NET_EXPORT CookiePartitionKey {
     return absl::make_optional(CookiePartitionKey(true));
   }
 
+  // Create a new CookiePartitionKey from the components of a StorageKey.
+  // Forwards to FromWire, but unlike that method in this one the optional nonce
+  // argument has no default. It also checks that cookie partitioning is enabled
+  // before returning a valid key, which FromWire does not check.
+  static absl::optional<CookiePartitionKey> FromStorageKeyComponents(
+      const SchemefulSite& top_level_site,
+      const absl::optional<base::UnguessableToken>& nonce);
+
   const SchemefulSite& site() const { return site_; }
 
   bool from_script() const { return from_script_; }
diff --git a/chromium/net/cookies/cookie_partition_key_collection.cc b/chromium/net/cookies/cookie_partition_key_collection.cc
index 9a336885d0b..feebe03d81d 100644
--- a/chromium/net/cookies/cookie_partition_key_collection.cc
+++ b/chromium/net/cookies/cookie_partition_key_collection.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,27 +14,10 @@
 #include "net/base/schemeful_site.h"
 #include "net/cookies/cookie_access_delegate.h"
 #include "net/cookies/cookie_partition_key.h"
-#include "net/cookies/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_set_entry.h"
 
 namespace net {
 
-namespace {
-CookiePartitionKeyCollection TransformWithFirstPartySetEntries(
-    const base::flat_set<CookiePartitionKey>& keys,
-    base::flat_map<SchemefulSite, FirstPartySetEntry> sites_to_entries) {
-  std::vector<CookiePartitionKey> canonicalized_keys;
-  canonicalized_keys.reserve(keys.size());
-  for (const CookiePartitionKey& key : keys) {
-    const auto it = sites_to_entries.find(key.site());
-    canonicalized_keys.push_back(
-        !key.nonce() && it != sites_to_entries.end()
-            ? CookiePartitionKey::FromWire(it->second.primary())
-            : key);
-  }
-  return CookiePartitionKeyCollection(canonicalized_keys);
-}
-}  // namespace
-
 CookiePartitionKeyCollection::CookiePartitionKeyCollection() = default;
 
 CookiePartitionKeyCollection::CookiePartitionKeyCollection(
@@ -63,37 +46,6 @@ CookiePartitionKeyCollection& CookiePartitionKeyCollection::operator=(
 
 CookiePartitionKeyCollection::~CookiePartitionKeyCollection() = default;
 
-absl::optional<CookiePartitionKeyCollection>
-CookiePartitionKeyCollection::FirstPartySetify(
-    const CookieAccessDelegate* cookie_access_delegate,
-    base::OnceCallback<void(CookiePartitionKeyCollection)> callback) const {
-  if (!cookie_access_delegate || IsEmpty() || ContainsAllKeys())
-    return *this;
-
-  std::vector<SchemefulSite> sites;
-  sites.reserve(PartitionKeys().size());
-  for (const CookiePartitionKey& key : PartitionKeys()) {
-    // Partition keys that have a nonce are not available across top-level sites
-    // in the same First-Party Set.
-    if (key.nonce())
-      continue;
-    sites.push_back(key.site());
-  }
-  if (sites.empty())
-    return *this;
-  absl::optional<base::flat_map<SchemefulSite, FirstPartySetEntry>>
-      maybe_sites_to_entries = cookie_access_delegate->FindFirstPartySetOwners(
-          sites,
-          base::BindOnce(&TransformWithFirstPartySetEntries, PartitionKeys())
-              .Then(std::move(callback)));
-
-  if (maybe_sites_to_entries.has_value())
-    return TransformWithFirstPartySetEntries(PartitionKeys(),
-                                             maybe_sites_to_entries.value());
-
-  return absl::nullopt;
-}
-
 bool CookiePartitionKeyCollection::Contains(
     const CookiePartitionKey& key) const {
   return contains_all_keys_ || base::Contains(keys_, key);
diff --git a/chromium/net/cookies/cookie_partition_key_collection.h b/chromium/net/cookies/cookie_partition_key_collection.h
index c7ea51e347e..1396b8c5fe9 100644
--- a/chromium/net/cookies/cookie_partition_key_collection.h
+++ b/chromium/net/cookies/cookie_partition_key_collection.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -12,8 +12,6 @@
 
 namespace net {
 
-class CookieAccessDelegate;
-
 // A data structure used to represent a collection of cookie partition keys.
 //
 // It can represent all possible cookie partition keys when
@@ -48,20 +46,6 @@ class NET_EXPORT CookiePartitionKeyCollection {
                    : CookiePartitionKeyCollection();
   }
 
-  // Takes a CookiePartitionKeyCollection which was created in a context that
-  // does not have access to sites' First-Party Set owners and converts it to
-  // the correct First-Party-Sets-aware CookiePartitionKeyCollection, replacing
-  // any CookiePartitionKeys whose sites which are members of a set with a new
-  // partition key containing the set's owner site.
-  //
-  // This may return a result synchronously, or asynchronously invoke `callback`
-  // with the result. The callback will be invoked iff the return value is
-  // nullopt; i.e. a result will be provided via return value or callback, but
-  // not both, and not neither.
-  [[nodiscard]] absl::optional<CookiePartitionKeyCollection> FirstPartySetify(
-      const CookieAccessDelegate* cookie_access_delegate,
-      base::OnceCallback<void(CookiePartitionKeyCollection)> callback) const;
-
   // Temporary method used to record where we need to decide how to build the
   // CookiePartitionKeyCollection.
   //
diff --git a/chromium/net/cookies/cookie_partition_key_collection_unittest.cc b/chromium/net/cookies/cookie_partition_key_collection_unittest.cc
index 01a9bad3d59..29e00470d5e 100644
--- a/chromium/net/cookies/cookie_partition_key_collection_unittest.cc
+++ b/chromium/net/cookies/cookie_partition_key_collection_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,30 +14,6 @@ namespace net {
 
 using testing::UnorderedElementsAre;
 
-namespace {
-
-// Synchronous wrapper around CookiePartitionKeyCollection::FirstPartySetify.
-// Spins the event loop.
-CookiePartitionKeyCollection FirstPartySetifyAndWait(
-    const CookiePartitionKeyCollection& collection,
-    const CookieAccessDelegate* cookie_access_delegate) {
-  base::RunLoop run_loop;
-  CookiePartitionKeyCollection canonicalized_collection;
-  absl::optional<CookiePartitionKeyCollection> maybe_collection =
-      collection.FirstPartySetify(
-          cookie_access_delegate,
-          base::BindLambdaForTesting([&](CookiePartitionKeyCollection result) {
-            canonicalized_collection = result;
-            run_loop.Quit();
-          }));
-  if (maybe_collection.has_value())
-    return maybe_collection.value();
-  run_loop.Run();
-  return canonicalized_collection;
-}
-
-}  // namespace
-
 TEST(CookiePartitionKeyCollectionTest, EmptySet) {
   CookiePartitionKeyCollection key_collection;
 
@@ -95,94 +71,6 @@ TEST(CookiePartitionKeyCollectionTest, FromOptional) {
                   GURL("https://www.foo.com"))));
 }
 
-TEST(CookiePartitionKeyCollectionTest, FirstPartySetify) {
-  base::test::TaskEnvironment env;
-  const GURL kOwnerURL("https://owner.com");
-  const SchemefulSite kOwnerSite(kOwnerURL);
-  const CookiePartitionKey kOwnerPartitionKey =
-      CookiePartitionKey::FromURLForTesting(kOwnerURL);
-
-  const GURL kMemberURL("https://member.com");
-  const SchemefulSite kMemberSite(kMemberURL);
-  const CookiePartitionKey kMemberPartitionKey =
-      CookiePartitionKey::FromURLForTesting(kMemberURL);
-
-  const GURL kNonMemberURL("https://nonmember.com");
-  const CookiePartitionKey kNonMemberPartitionKey =
-      CookiePartitionKey::FromURLForTesting(kNonMemberURL);
-
-  TestCookieAccessDelegate delegate;
-  delegate.SetFirstPartySets({
-      {kOwnerSite, net::FirstPartySetEntry(kOwnerSite, net::SiteType::kPrimary,
-                                           absl::nullopt)},
-      {kMemberSite,
-       net::FirstPartySetEntry(kOwnerSite, net::SiteType::kAssociated, 0)},
-  });
-
-  CookiePartitionKeyCollection empty_key_collection;
-  EXPECT_TRUE(
-      FirstPartySetifyAndWait(empty_key_collection, &delegate).IsEmpty());
-  EXPECT_TRUE(FirstPartySetifyAndWait(empty_key_collection, nullptr).IsEmpty());
-
-  CookiePartitionKeyCollection contains_all_keys =
-      CookiePartitionKeyCollection::ContainsAll();
-  EXPECT_TRUE(
-      FirstPartySetifyAndWait(contains_all_keys, &delegate).ContainsAllKeys());
-  EXPECT_TRUE(
-      FirstPartySetifyAndWait(contains_all_keys, nullptr).ContainsAllKeys());
-
-  // An owner site of an FPS should not have its partition key changed.
-  EXPECT_THAT(FirstPartySetifyAndWait(
-                  CookiePartitionKeyCollection(kOwnerPartitionKey), &delegate)
-                  .PartitionKeys(),
-              UnorderedElementsAre(kOwnerPartitionKey));
-
-  // A member site should have its partition key changed to the owner site.
-  EXPECT_THAT(FirstPartySetifyAndWait(
-                  CookiePartitionKeyCollection(kMemberPartitionKey), &delegate)
-                  .PartitionKeys(),
-              UnorderedElementsAre(kOwnerPartitionKey));
-
-  // A member site's partition key should not change if the CookieAccessDelegate
-  // is null.
-  EXPECT_THAT(FirstPartySetifyAndWait(
-                  CookiePartitionKeyCollection(kMemberPartitionKey), nullptr)
-                  .PartitionKeys(),
-              UnorderedElementsAre(kMemberPartitionKey));
-
-  // A non-member site should not have its partition key changed.
-  EXPECT_THAT(
-      FirstPartySetifyAndWait(
-          CookiePartitionKeyCollection(kNonMemberPartitionKey), &delegate)
-          .PartitionKeys(),
-      UnorderedElementsAre(kNonMemberPartitionKey));
-
-  // A key collection that contains a member site and non-member site should be
-  // changed to include the owner site and the unmodified non-member site.
-  EXPECT_THAT(FirstPartySetifyAndWait(
-                  CookiePartitionKeyCollection(
-                      {kMemberPartitionKey, kNonMemberPartitionKey}),
-                  &delegate)
-                  .PartitionKeys(),
-              UnorderedElementsAre(kOwnerPartitionKey, kNonMemberPartitionKey));
-
-  // Test that FirstPartySetify does not modify partition keys with nonces.
-  const CookiePartitionKey kNoncedPartitionKey =
-      CookiePartitionKey::FromURLForTesting(kMemberURL,
-                                            base::UnguessableToken::Create());
-  EXPECT_THAT(
-      FirstPartySetifyAndWait(
-          CookiePartitionKeyCollection({kNoncedPartitionKey}), &delegate)
-          .PartitionKeys(),
-      UnorderedElementsAre(kNoncedPartitionKey));
-  EXPECT_THAT(
-      FirstPartySetifyAndWait(CookiePartitionKeyCollection(
-                                  {kNoncedPartitionKey, kMemberPartitionKey}),
-                              &delegate)
-          .PartitionKeys(),
-      UnorderedElementsAre(kNoncedPartitionKey, kOwnerPartitionKey));
-}
-
 TEST(CookiePartitionKeyCollectionTest, Contains) {
   const CookiePartitionKey kPartitionKey =
       CookiePartitionKey::FromURLForTesting(GURL("https://www.foo.com"));
diff --git a/chromium/net/cookies/cookie_partition_key_fuzzer.cc b/chromium/net/cookies/cookie_partition_key_fuzzer.cc
index 6ed80060ead..8aef48e2b6c 100644
--- a/chromium/net/cookies/cookie_partition_key_fuzzer.cc
+++ b/chromium/net/cookies/cookie_partition_key_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_partition_key_unittest.cc b/chromium/net/cookies/cookie_partition_key_unittest.cc
index 4bbb7cfdc17..02712c6e450 100644
--- a/chromium/net/cookies/cookie_partition_key_unittest.cc
+++ b/chromium/net/cookies/cookie_partition_key_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -188,8 +188,8 @@ TEST_P(CookiePartitionKeyTest, FromNetworkIsolationKey) {
     SCOPED_TRACE(test_case.desc);
 
     base::test::ScopedFeatureList feature_list;
-    std::vector<base::Feature> enabled_features;
-    std::vector<base::Feature> disabled_features;
+    std::vector<base::test::FeatureRef> enabled_features;
+    std::vector<base::test::FeatureRef> disabled_features;
     if (PartitionedCookiesEnabled()) {
       enabled_features.push_back(features::kPartitionedCookies);
     } else {
diff --git a/chromium/net/cookies/cookie_store.cc b/chromium/net/cookies/cookie_store.cc
index 89e2761b5d3..706484ee4d5 100644
--- a/chromium/net/cookies/cookie_store.cc
+++ b/chromium/net/cookies/cookie_store.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_store.h b/chromium/net/cookies/cookie_store.h
index c143a7381df..cf3aac9f854 100644
--- a/chromium/net/cookies/cookie_store.h
+++ b/chromium/net/cookies/cookie_store.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_store_change_unittest.h b/chromium/net/cookies/cookie_store_change_unittest.h
index 3106ab5b054..0adbdad5bb3 100644
--- a/chromium/net/cookies/cookie_store_change_unittest.h
+++ b/chromium/net/cookies/cookie_store_change_unittest.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_store_test_callbacks.cc b/chromium/net/cookies/cookie_store_test_callbacks.cc
index 1a8465a2980..b740f818e0f 100644
--- a/chromium/net/cookies/cookie_store_test_callbacks.cc
+++ b/chromium/net/cookies/cookie_store_test_callbacks.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_store_test_callbacks.h b/chromium/net/cookies/cookie_store_test_callbacks.h
index 2387a94bbcb..3b3b685be67 100644
--- a/chromium/net/cookies/cookie_store_test_callbacks.h
+++ b/chromium/net/cookies/cookie_store_test_callbacks.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_store_test_helpers.cc b/chromium/net/cookies/cookie_store_test_helpers.cc
index 3e7e5c4fb45..050cb6a7e5c 100644
--- a/chromium/net/cookies/cookie_store_test_helpers.cc
+++ b/chromium/net/cookies/cookie_store_test_helpers.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -72,10 +72,8 @@ DelayedCookieMonsterChangeDispatcher::AddCallbackForAllChanges(
 }
 
 DelayedCookieMonster::DelayedCookieMonster()
-    : cookie_monster_(std::make_unique<CookieMonster>(
-          nullptr /* store */,
-          nullptr /* netlog */,
-          false /* first_party_sets_enabled */)),
+    : cookie_monster_(std::make_unique<CookieMonster>(nullptr /* store */,
+                                                      nullptr /* netlog */)),
       result_(CookieAccessResult(CookieInclusionStatus(
           CookieInclusionStatus::EXCLUDE_FAILURE_TO_STORE))) {}
 
diff --git a/chromium/net/cookies/cookie_store_test_helpers.h b/chromium/net/cookies/cookie_store_test_helpers.h
index 03ecacf626c..5b0da7f670c 100644
--- a/chromium/net/cookies/cookie_store_test_helpers.h
+++ b/chromium/net/cookies/cookie_store_test_helpers.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_store_unittest.h b/chromium/net/cookies/cookie_store_unittest.h
index f131f4f10cd..ee89777f343 100644
--- a/chromium/net/cookies/cookie_store_unittest.h
+++ b/chromium/net/cookies/cookie_store_unittest.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/cookie_util.cc b/chromium/net/cookies/cookie_util.cc
index 13c70c26a33..3f1a9a91ed7 100644
--- a/chromium/net/cookies/cookie_util.cc
+++ b/chromium/net/cookies/cookie_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,11 +15,11 @@
 #include "base/metrics/histogram_functions.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/notreached.h"
-#include "base/stl_util.h"
 #include "base/strings/strcat.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_tokenizer.h"
 #include "base/strings/string_util.h"
+#include "base/types/optional_util.h"
 #include "build/build_config.h"
 #include "net/base/features.h"
 #include "net/base/isolation_info.h"
@@ -30,8 +30,8 @@
 #include "net/cookies/cookie_inclusion_status.h"
 #include "net/cookies/cookie_monster.h"
 #include "net/cookies/cookie_options.h"
-#include "net/cookies/first_party_set_metadata.h"
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "net/http/http_util.h"
 #include "url/gurl.h"
 #include "url/url_constants.h"
@@ -817,7 +817,7 @@ absl::optional<FirstPartySetMetadata> ComputeFirstPartySetMetadataMaybeAsync(
         request_site,
         force_ignore_top_frame_party
             ? nullptr
-            : base::OptionalOrNullptr(
+            : base::OptionalToPtr(
                   isolation_info.network_isolation_key().GetTopFrameSite()),
         isolation_info.party_context().value(), std::move(callback));
   }
@@ -825,10 +825,11 @@ absl::optional<FirstPartySetMetadata> ComputeFirstPartySetMetadataMaybeAsync(
   return FirstPartySetMetadata();
 }
 
-CookieSamePartyStatus GetSamePartyStatus(const CanonicalCookie& cookie,
-                                         const CookieOptions& options,
-                                         const bool first_party_sets_enabled) {
-  if (!first_party_sets_enabled || !cookie.IsSameParty() ||
+CookieSamePartyStatus GetSamePartyStatus(
+    const CanonicalCookie& cookie,
+    const CookieOptions& options,
+    const bool same_party_attribute_enabled) {
+  if (!same_party_attribute_enabled || !cookie.IsSameParty() ||
       !options.is_in_nontrivial_first_party_set()) {
     return CookieSamePartyStatus::kNoSamePartyEnforcement;
   }
diff --git a/chromium/net/cookies/cookie_util.h b/chromium/net/cookies/cookie_util.h
index 27dd1705652..112bb34665d 100644
--- a/chromium/net/cookies/cookie_util.h
+++ b/chromium/net/cookies/cookie_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,8 +15,8 @@
 #include "net/cookies/cookie_access_result.h"
 #include "net/cookies/cookie_constants.h"
 #include "net/cookies/cookie_options.h"
-#include "net/cookies/first_party_set_metadata.h"
 #include "net/cookies/site_for_cookies.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/origin.h"
 
@@ -265,7 +265,7 @@ ComputeFirstPartySetMetadataMaybeAsync(
 NET_EXPORT CookieSamePartyStatus
 GetSamePartyStatus(const CanonicalCookie& cookie,
                    const CookieOptions& options,
-                   bool first_party_sets_enabled);
+                   bool same_party_attribute_enabled);
 
 // Takes a callback accepting a CookieAccessResult and returns a callback
 // that accepts a bool, setting the bool to true if the CookieInclusionStatus
diff --git a/chromium/net/cookies/cookie_util_unittest.cc b/chromium/net/cookies/cookie_util_unittest.cc
index bd028aa709f..801a9b6ee77 100644
--- a/chromium/net/cookies/cookie_util_unittest.cc
+++ b/chromium/net/cookies/cookie_util_unittest.cc
@@ -1,8 +1,7 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include <algorithm>
 #include <memory>
 #include <string>
 #include <tuple>
@@ -20,7 +19,7 @@
 #include "net/cookies/cookie_constants.h"
 #include "net/cookies/cookie_options.h"
 #include "net/cookies/cookie_util.h"
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
@@ -505,11 +504,8 @@ class CookieUtilComputeSameSiteContextTest
     std::vector<SiteForCookies> cross_site_sfc;
     std::vector<SiteForCookies> same_site_sfc = GetSameSiteSitesForCookies();
     for (const SiteForCookies& sfc : GetAllSitesForCookies()) {
-      if (std::none_of(same_site_sfc.begin(), same_site_sfc.end(),
-                       [&sfc](const SiteForCookies& s) {
-                         return sfc.RepresentativeUrl() ==
-                                s.RepresentativeUrl();
-                       })) {
+      if (!base::Contains(same_site_sfc, sfc.RepresentativeUrl(),
+                          &SiteForCookies::RepresentativeUrl)) {
         cross_site_sfc.push_back(sfc);
       }
     }
@@ -1518,7 +1514,7 @@ TEST(CookieUtilTest, AdaptCookieAccessResultToBool) {
 }
 
 TEST(CookieUtilTest, GetSamePartyStatus_NotInSet) {
-  const bool first_party_sets_enabled = true;
+  const bool same_party_attribute_enabled = true;
   CookieOptions options;
   options.set_is_in_nontrivial_first_party_set(false);
 
@@ -1546,7 +1542,7 @@ TEST(CookieUtilTest, GetSamePartyStatus_NotInSet) {
                 SamePartyContext(party_context_type));
             EXPECT_EQ(CookieSamePartyStatus::kNoSamePartyEnforcement,
                       cookie_util::GetSamePartyStatus(
-                          *cookie, options, first_party_sets_enabled));
+                          *cookie, options, same_party_attribute_enabled));
           }
         }
       }
@@ -1555,7 +1551,7 @@ TEST(CookieUtilTest, GetSamePartyStatus_NotInSet) {
 }
 
 TEST(CookieUtilTest, GetSamePartyStatus_FeatureDisabled) {
-  const bool first_party_sets_enabled = false;
+  const bool same_party_attribute_enabled = false;
   CookieOptions options;
   options.set_is_in_nontrivial_first_party_set(true);
 
@@ -1583,7 +1579,7 @@ TEST(CookieUtilTest, GetSamePartyStatus_FeatureDisabled) {
                 SamePartyContext(party_context_type));
             EXPECT_EQ(CookieSamePartyStatus::kNoSamePartyEnforcement,
                       cookie_util::GetSamePartyStatus(
-                          *cookie, options, first_party_sets_enabled));
+                          *cookie, options, same_party_attribute_enabled));
           }
         }
       }
@@ -1592,7 +1588,6 @@ TEST(CookieUtilTest, GetSamePartyStatus_FeatureDisabled) {
 }
 
 TEST(CookieUtilTest, GetSamePartyStatus_NotSameParty) {
-  const bool first_party_sets_enabled = true;
   CookieOptions options;
   options.set_is_in_nontrivial_first_party_set(true);
 
@@ -1618,8 +1613,9 @@ TEST(CookieUtilTest, GetSamePartyStatus_NotSameParty) {
 
           options.set_same_party_context(SamePartyContext(party_context_type));
           EXPECT_EQ(CookieSamePartyStatus::kNoSamePartyEnforcement,
-                    cookie_util::GetSamePartyStatus(*cookie, options,
-                                                    first_party_sets_enabled));
+                    cookie_util::GetSamePartyStatus(
+                        *cookie, options,
+                        /*same_party_attribute_enabled=*/true));
         }
       }
     }
@@ -1627,7 +1623,6 @@ TEST(CookieUtilTest, GetSamePartyStatus_NotSameParty) {
 }
 
 TEST(CookieUtilTest, GetSamePartyStatus_SamePartySemantics) {
-  const bool first_party_sets_enabled = true;
   CookieOptions options;
   options.set_is_in_nontrivial_first_party_set(true);
 
@@ -1676,14 +1671,16 @@ TEST(CookieUtilTest, GetSamePartyStatus_SamePartySemantics) {
           options.set_same_party_context(
               SamePartyContext(SamePartyContext::Type::kCrossParty));
           EXPECT_EQ(CookieSamePartyStatus::kEnforceSamePartyExclude,
-                    cookie_util::GetSamePartyStatus(*cookie, options,
-                                                    first_party_sets_enabled));
+                    cookie_util::GetSamePartyStatus(
+                        *cookie, options,
+                        /*same_party_attribute_enabled=*/true));
 
           options.set_same_party_context(
               SamePartyContext(SamePartyContext::Type::kSameParty));
           EXPECT_EQ(CookieSamePartyStatus::kEnforceSamePartyInclude,
-                    cookie_util::GetSamePartyStatus(*cookie, options,
-                                                    first_party_sets_enabled));
+                    cookie_util::GetSamePartyStatus(
+                        *cookie, options,
+                        /*same_party_attribute_enabled=*/true));
         }
       }
     }
diff --git a/chromium/net/cookies/first_party_sets_context_config.cc b/chromium/net/cookies/first_party_sets_context_config.cc
deleted file mode 100644
index e075437e0d3..00000000000
--- a/chromium/net/cookies/first_party_sets_context_config.cc
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/cookies/first_party_sets_context_config.h"
-
-namespace net {
-
-FirstPartySetsContextConfig::FirstPartySetsContextConfig(bool enabled)
-    : enabled_(enabled) {}
-
-FirstPartySetsContextConfig::FirstPartySetsContextConfig(
-    const FirstPartySetsContextConfig& other) = default;
-
-FirstPartySetsContextConfig::~FirstPartySetsContextConfig() = default;
-
-void FirstPartySetsContextConfig::SetCustomizations(
-    OverrideSets customizations) {
-  DCHECK(customizations_.empty());
-  if (enabled_)
-    customizations_ = std::move(customizations);
-}
-
-}  // namespace net
diff --git a/chromium/net/cookies/first_party_sets_context_config.h b/chromium/net/cookies/first_party_sets_context_config.h
deleted file mode 100644
index eb7ee732549..00000000000
--- a/chromium/net/cookies/first_party_sets_context_config.h
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_COOKIES_FIRST_PARTY_SETS_CONTEXT_CONFIG_H_
-#define NET_COOKIES_FIRST_PARTY_SETS_CONTEXT_CONFIG_H_
-
-#include "base/containers/flat_map.h"
-#include "net/base/schemeful_site.h"
-#include "net/cookies/first_party_set_entry.h"
-#include "third_party/abseil-cpp/absl/types/optional.h"
-
-namespace net {
-
-// This struct bundles together the customized settings to First-Party Sets
-// info in the given network context.
-class NET_EXPORT FirstPartySetsContextConfig {
- public:
-  using OverrideSets =
-      base::flat_map<SchemefulSite, absl::optional<FirstPartySetEntry>>;
-
-  explicit FirstPartySetsContextConfig(bool enabled);
-
-  FirstPartySetsContextConfig(const FirstPartySetsContextConfig& other);
-
-  ~FirstPartySetsContextConfig();
-
-  bool is_enabled() const { return enabled_; }
-
-  void SetCustomizations(OverrideSets customizations);
-
-  const OverrideSets& customizations() const { return customizations_; }
-
- private:
-  bool enabled_ = true;
-
-  OverrideSets customizations_;
-};
-
-}  // namespace net
-
-#endif  // NET_COOKIES_FIRST_PARTY_SETS_CONTEXT_CONFIG_H_
\ No newline at end of file
diff --git a/chromium/net/cookies/parse_cookie_line_fuzzer.cc b/chromium/net/cookies/parse_cookie_line_fuzzer.cc
index 50420ecb863..736311afbe8 100644
--- a/chromium/net/cookies/parse_cookie_line_fuzzer.cc
+++ b/chromium/net/cookies/parse_cookie_line_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/parsed_cookie.cc b/chromium/net/cookies/parsed_cookie.cc
index ebec5b77828..282a51e2d69 100644
--- a/chromium/net/cookies/parsed_cookie.cc
+++ b/chromium/net/cookies/parsed_cookie.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/parsed_cookie.h b/chromium/net/cookies/parsed_cookie.h
index ad1cd8404c4..c81a298aa43 100644
--- a/chromium/net/cookies/parsed_cookie.h
+++ b/chromium/net/cookies/parsed_cookie.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/parsed_cookie_unittest.cc b/chromium/net/cookies/parsed_cookie_unittest.cc
index 2d6c4bf119a..4eb686217b5 100644
--- a/chromium/net/cookies/parsed_cookie_unittest.cc
+++ b/chromium/net/cookies/parsed_cookie_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/site_for_cookies.cc b/chromium/net/cookies/site_for_cookies.cc
index 357867b5b5c..d518ddc72f8 100644
--- a/chromium/net/cookies/site_for_cookies.cc
+++ b/chromium/net/cookies/site_for_cookies.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/site_for_cookies.h b/chromium/net/cookies/site_for_cookies.h
index 9db7b5cda80..76fb5a8c393 100644
--- a/chromium/net/cookies/site_for_cookies.h
+++ b/chromium/net/cookies/site_for_cookies.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/site_for_cookies_unittest.cc b/chromium/net/cookies/site_for_cookies_unittest.cc
index 33312b639ae..47d21225aea 100644
--- a/chromium/net/cookies/site_for_cookies_unittest.cc
+++ b/chromium/net/cookies/site_for_cookies_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/static_cookie_policy.cc b/chromium/net/cookies/static_cookie_policy.cc
index 96a45759a5f..360509877f8 100644
--- a/chromium/net/cookies/static_cookie_policy.cc
+++ b/chromium/net/cookies/static_cookie_policy.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/static_cookie_policy.h b/chromium/net/cookies/static_cookie_policy.h
index 3acfe9b9ef0..e85a64e7057 100644
--- a/chromium/net/cookies/static_cookie_policy.h
+++ b/chromium/net/cookies/static_cookie_policy.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/static_cookie_policy_unittest.cc b/chromium/net/cookies/static_cookie_policy_unittest.cc
index 3c57a57cc92..c13a71bc682 100644
--- a/chromium/net/cookies/static_cookie_policy_unittest.cc
+++ b/chromium/net/cookies/static_cookie_policy_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/cookies/test_cookie_access_delegate.cc b/chromium/net/cookies/test_cookie_access_delegate.cc
index 31451884f97..7f68d2bc4c1 100644
--- a/chromium/net/cookies/test_cookie_access_delegate.cc
+++ b/chromium/net/cookies/test_cookie_access_delegate.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -13,15 +13,15 @@
 #include "base/containers/flat_map.h"
 #include "base/containers/flat_set.h"
 #include "base/ranges/algorithm.h"
-#include "base/stl_util.h"
 #include "base/task/thread_pool.h"
 #include "base/threading/sequenced_task_runner_handle.h"
+#include "base/types/optional_util.h"
 #include "net/base/schemeful_site.h"
 #include "net/cookies/cookie_constants.h"
 #include "net/cookies/cookie_util.h"
-#include "net/cookies/first_party_set_entry.h"
-#include "net/cookies/first_party_set_metadata.h"
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/same_party_context.h"
 
 namespace net {
 
@@ -56,18 +56,16 @@ TestCookieAccessDelegate::ComputeFirstPartySetMetadataMaybeAsync(
     const std::set<SchemefulSite>& party_context,
     base::OnceCallback<void(FirstPartySetMetadata)> callback) const {
   absl::optional<FirstPartySetEntry> top_frame_owner =
-      top_frame_site ? FindFirstPartySetOwnerSync(*top_frame_site)
-                     : absl::nullopt;
+      top_frame_site ? FindFirstPartySetEntry(*top_frame_site) : absl::nullopt;
   return RunMaybeAsync(
-      FirstPartySetMetadata(
-          SamePartyContext(),
-          base::OptionalOrNullptr(FindFirstPartySetOwnerSync(site)),
-          base::OptionalOrNullptr(top_frame_owner)),
+      FirstPartySetMetadata(SamePartyContext(),
+                            base::OptionalToPtr(FindFirstPartySetEntry(site)),
+                            base::OptionalToPtr(top_frame_owner)),
       std::move(callback));
 }
 
 absl::optional<FirstPartySetEntry>
-TestCookieAccessDelegate::FindFirstPartySetOwnerSync(
+TestCookieAccessDelegate::FindFirstPartySetEntry(
     const SchemefulSite& site) const {
   auto entry = first_party_sets_.find(site);
 
@@ -76,13 +74,13 @@ TestCookieAccessDelegate::FindFirstPartySetOwnerSync(
 }
 
 absl::optional<base::flat_map<SchemefulSite, FirstPartySetEntry>>
-TestCookieAccessDelegate::FindFirstPartySetOwners(
+TestCookieAccessDelegate::FindFirstPartySetEntries(
     const base::flat_set<SchemefulSite>& sites,
     base::OnceCallback<void(base::flat_map<SchemefulSite, FirstPartySetEntry>)>
         callback) const {
   std::vector<std::pair<SchemefulSite, FirstPartySetEntry>> mapping;
   for (const SchemefulSite& site : sites) {
-    absl::optional<FirstPartySetEntry> entry = FindFirstPartySetOwnerSync(site);
+    absl::optional<FirstPartySetEntry> entry = FindFirstPartySetEntry(site);
     if (entry)
       mapping.emplace_back(site, *entry);
   }
diff --git a/chromium/net/cookies/test_cookie_access_delegate.h b/chromium/net/cookies/test_cookie_access_delegate.h
index c07c887a415..ba78192ec92 100644
--- a/chromium/net/cookies/test_cookie_access_delegate.h
+++ b/chromium/net/cookies/test_cookie_access_delegate.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,8 +15,8 @@
 #include "net/base/schemeful_site.h"
 #include "net/cookies/cookie_access_delegate.h"
 #include "net/cookies/cookie_constants.h"
-#include "net/cookies/first_party_set_entry.h"
-#include "net/cookies/first_party_set_metadata.h"
+#include "net/first_party_sets/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace net {
@@ -47,7 +47,7 @@ class TestCookieAccessDelegate : public CookieAccessDelegate {
       const std::set<SchemefulSite>& party_context,
       base::OnceCallback<void(FirstPartySetMetadata)> callback) const override;
   absl::optional<base::flat_map<SchemefulSite, FirstPartySetEntry>>
-  FindFirstPartySetOwners(
+  FindFirstPartySetEntries(
       const base::flat_set<SchemefulSite>& sites,
       base::OnceCallback<
           void(base::flat_map<SchemefulSite, FirstPartySetEntry>)> callback)
@@ -67,7 +67,7 @@ class TestCookieAccessDelegate : public CookieAccessDelegate {
       bool require_secure_origin);
 
   // Set the test delegate's First-Party Sets. The map's keys are the sites in
-  // the sets. Owner sites must be included among the keys for a given set.
+  // the sets. Primary sites must be included among the keys for a given set.
   void SetFirstPartySets(
       const base::flat_map<SchemefulSite, FirstPartySetEntry>& sets);
 
@@ -76,8 +76,8 @@ class TestCookieAccessDelegate : public CookieAccessDelegate {
   }
 
  private:
-  // Synchronous version of FindFirstPartySetOwner, for convenience.
-  absl::optional<FirstPartySetEntry> FindFirstPartySetOwnerSync(
+  // Finds a FirstPartySetEntry for the given site, if one exists.
+  absl::optional<FirstPartySetEntry> FindFirstPartySetEntry(
       const SchemefulSite& site) const;
 
   // Discard any leading dot in the domain string.
diff --git a/chromium/net/data/dns/dns.dict b/chromium/net/data/dns/dns.dict
index 42729ea7420..2c0a8d35a49 100644
--- a/chromium/net/data/dns/dns.dict
+++ b/chromium/net/data/dns/dns.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/http_chunked_decoder_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/http_chunked_decoder_fuzzer.dict
index f8552c9cff6..bcd1bd99ce1 100644
--- a/chromium/net/data/fuzzer_dictionaries/http_chunked_decoder_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/http_chunked_decoder_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_cookies_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_cookies_fuzzer.dict
index 04903d80a75..df258371102 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_cookies_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_cookies_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2021 The Chromium Authors. All rights reserved.
+# Copyright 2021 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_data_url_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_data_url_fuzzer.dict
index 7f40fd3633a..355e1832ee3 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_data_url_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_data_url_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2019 The Chromium Authors. All rights reserved.
+# Copyright 2019 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_dns_hosts_parse_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_dns_hosts_parse_fuzzer.dict
index ebda2939525..2d8c7b3d8d1 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_dns_hosts_parse_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_dns_hosts_parse_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_dns_nsswitch_reader_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_dns_nsswitch_reader_fuzzer.dict
index 2c60e057780..d439b9e59de 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_dns_nsswitch_reader_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_dns_nsswitch_reader_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2021 The Chromium Authors. All rights reserved.
+# Copyright 2021 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_dns_record_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_dns_record_fuzzer.dict
index 39286570185..4e5905f87ee 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_dns_record_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_dns_record_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -115,6 +115,24 @@
 "\xff\x9f\x00\x01\x00\x00\x00\xFF\xff\x03\x00\x01\x00\x33\xff\x00\x24\x00\x1d\x00\x20\xed\xed\xc8\x68\xc1\x71\xd6\x9e\xa9\xf0\xa2\xc9\xf5\xa9\xdc\xcf\xf9\xb8\xed\x15\x5c\xc4\x5a\xec\x6f\xb2\x86\x14\xb7\x71\x1b\x7c\x00\x02"
 "\xff\x9f\x00\x01\x00\x00\x00\xFF\xff\x03\x00\x01\x00\x33\xff\x00\x24\x00\x1d\x00\x20\xed\xed\xc8\x68\xc1\x71\xd6\x9e\xa9\xf0\xa2\xc9\xf5\xa9\xdc\xcf\xf9\xb8\xed\x15\x5c\xc4\x5a\xec\x6f\xb2\x86\x14\xb7\x71\x1b\x7c\x00\x02\x13\x01\x01\x04\x00\x00"
 
+# OptRecordRdata containing an EDE opt.
+"\x00\x0f\x00\x0b\x00\x0eWORCESTER"
+"\x00\x0f\x00\x09\x00\x15CONCORD"
+# OptRecordRdata containing an EDE opt with a non-existent opt code.
+"\x00\x0f\x00\x08\x00\x44BOSTON"
+# OptRecordRdata containing an EDE opt with specified length
+# shorter than provided data.
+"\x00\x0f\x00\x04\x00\x12WACHUSETT"
+# OptRecordRdata containing a Padding opt.
+"\x00\x0c\x00\x09LEXINGTON"
+"\x00\x0c\x00\x02\x00\x00"
+# OptRecordRdata containing an EDE opt with Non-UTF-8 extra text.
+"\x00\x0f\x00\x06\x00\x44\xb1\x05\xf0\x0d"
+# OptRecordRdata containing an EDE opt with insufficient data size.
+"\x00\x0f\x00\x01\x00"
+# OptRecordRdata containing an EDE opt with data length longer than data.
+"\x00\x0f\x00\x06\x00\x03AB"
+
 # This part has been generated with testing/libfuzzer/dictionary_generator.py
 # using net_dns_record_fuzzer binary, RFC 1034 and RFC 1035.
 "all"
@@ -888,4 +906,3 @@
 "(EXPERIMENTAL)"
 "RDLENGTH"
 "NIC.ARPA"
-
diff --git a/chromium/net/data/fuzzer_dictionaries/net_get_domain_and_registry_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_get_domain_and_registry_fuzzer.dict
index b5c58a5d953..e4ad626786b 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_get_domain_and_registry_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_get_domain_and_registry_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_host_resolver_manager_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_host_resolver_manager_fuzzer.dict
index f9364dd9804..99e162ab3a5 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_host_resolver_manager_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_host_resolver_manager_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_basic_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_basic_fuzzer.dict
index 25b4ab624e5..f0a8870dde5 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_basic_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_basic_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2019 The Chromium Authors. All rights reserved.
+# Copyright 2019 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_digest_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_digest_fuzzer.dict
index 12601cfad49..81816fea52c 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_digest_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_digest_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2019 The Chromium Authors. All rights reserved.
+# Copyright 2019 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_content_disposition_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_content_disposition_fuzzer.dict
index 34aed071211..69dbdfae376 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_http_content_disposition_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_content_disposition_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright (c) 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_proxy_client_socket_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_proxy_client_socket_fuzzer.dict
index 120e056b822..32e7fe2d8f4 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_http_proxy_client_socket_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_proxy_client_socket_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_security_headers_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_security_headers_fuzzer.dict
index ed58b067984..22845e8bb37 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_http_security_headers_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_security_headers_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_server_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_server_fuzzer.dict
index d28bae85214..f9353acc123 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_http_server_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_server_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_stream_parser_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_stream_parser_fuzzer.dict
index 4e12bb60d29..152df453511 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_http_stream_parser_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_stream_parser_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_transport_security_state_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_transport_security_state_fuzzer.dict
index 8c0f09ebd3e..0746f84c469 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_http_transport_security_state_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_transport_security_state_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_mime_sniffer_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_mime_sniffer_fuzzer.dict
index 6aaeed78d43..170c06683d9 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_mime_sniffer_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_mime_sniffer_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_ntlm_ntlm_client_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_ntlm_ntlm_client_fuzzer.dict
index 418d256f5a0..04256a5ad69 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_ntlm_ntlm_client_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_ntlm_ntlm_client_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_spdy_session_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_spdy_session_fuzzer.dict
index d636c0a6fad..ebc067cb000 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_spdy_session_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_spdy_session_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_uri_template_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_uri_template_fuzzer.dict
index 55a33576b90..f7d6daf5d82 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_uri_template_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_uri_template_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2018 The Chromium Authors. All rights reserved.
+# Copyright 2018 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_url_request_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_url_request_fuzzer.dict
index 46b42e06e50..4614d09fad0 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_url_request_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_url_request_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_websocket_extension_parser_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_websocket_extension_parser_fuzzer.dict
index a25f4819576..411079577a0 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_websocket_extension_parser_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_websocket_extension_parser_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/fuzzer_dictionaries/net_websocket_frame_parser_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_websocket_frame_parser_fuzzer.dict
index afba1606166..feb7af8a826 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_websocket_frame_parser_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_websocket_frame_parser_fuzzer.dict
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/gencerts/__init__.py b/chromium/net/data/gencerts/__init__.py
index 1231e37cc88..7d2e459014a 100755
--- a/chromium/net/data/gencerts/__init__.py
+++ b/chromium/net/data/gencerts/__init__.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright (c) 2015 The Chromium Authors. All rights reserved.
+# Copyright 2015 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -40,12 +40,12 @@ SEPTEMBER_1_2015_UTC = '150901120000Z'
 # January 1st, 2016 12:00 UTC
 JANUARY_1_2016_UTC = '160101120000Z'
 
+# October 5th, 2021 12:00 UTC
+OCTOBER_5_2021_UTC = '211005120000Z'
+
 # October 5th, 2022 12:00 UTC
 OCTOBER_5_2022_UTC = '221005120000Z'
 
-# October 5th, 2023 12:00 UTC
-OCTOBER_5_2023_UTC = '231005120000Z'
-
 KEY_PURPOSE_ANY = 'anyExtendedKeyUsage'
 KEY_PURPOSE_SERVER_AUTH = 'serverAuth'
 KEY_PURPOSE_CLIENT_AUTH = 'clientAuth'
@@ -64,10 +64,11 @@ g_tmp_dir = None
 g_invoking_script_path = None
 
 # The default validity range of generated certificates. Can be modified with
-# set_default_validity_range(). Chosen to end on a Wednesday, since these
-# will have to be manually re-generated.
-g_default_start_date = OCTOBER_5_2022_UTC
-g_default_end_date = OCTOBER_5_2023_UTC
+# set_default_validity_range(). This range is intentionally already expired to
+# avoid tests being added which depend on the certs being valid at the current
+# time rather than specifying the time as an input of the test.
+g_default_start_date = OCTOBER_5_2021_UTC
+g_default_end_date = OCTOBER_5_2022_UTC
 
 
 def set_default_validity_range(start_date, end_date):
@@ -318,20 +319,20 @@ class Certificate(object):
     # "verify_certificate_chain_unittest/my_test/generate_chains.py"
     script_path = os.path.realpath(g_invoking_script_path)
     script_path = "/".join(script_path.split(os.sep)[-3:])
-    m.update(script_path)
+    m.update(script_path.encode('utf-8'))
 
     # Mix in the path_id, which corresponds to a unique path for the
     # certificate under out/ (and accounts for non-unique certificate names).
-    m.update(self.path_id)
+    m.update(self.path_id.encode('utf-8'))
 
-    serial_bytes = m.digest()
+    serial_bytes = bytearray(m.digest())
 
     # SHA1 digest is 20 bytes long, which is appropriate for a serial number.
     # However, need to also make sure the most significant bit is 0 so it is
     # not a "negative" number.
-    serial_bytes = chr(ord(serial_bytes[0]) & 0x7F) + serial_bytes[1:]
+    serial_bytes[0] = serial_bytes[0] & 0x7F
 
-    return serial_bytes.encode("hex")
+    return serial_bytes.hex()
 
 
   def get_csr_path(self):
diff --git a/chromium/net/data/gencerts/openssl_conf.py b/chromium/net/data/gencerts/openssl_conf.py
index 75db467bc5a..ca8afcda004 100755
--- a/chromium/net/data/gencerts/openssl_conf.py
+++ b/chromium/net/data/gencerts/openssl_conf.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright (c) 2015 The Chromium Authors. All rights reserved.
+# Copyright 2015 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ov_name_constraints/generate-certs.py b/chromium/net/data/ov_name_constraints/generate-certs.py
index a015cedf466..a6fe8a667eb 100755
--- a/chromium/net/data/ov_name_constraints/generate-certs.py
+++ b/chromium/net/data/ov_name_constraints/generate-certs.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright 2018 The Chromium Authors. All rights reserved.
+# Copyright 2018 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/certificates/10_year_validity.pem b/chromium/net/data/ssl/certificates/10_year_validity.pem
index 3a3576a0ff4..c69664d6bd4 100644
--- a/chromium/net/data/ssl/certificates/10_year_validity.pem
+++ b/chromium/net/data/ssl/certificates/10_year_validity.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:ab
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:6f
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:e0:96:62:30:dc:5b:dc:c1:0a:c4:d8:b8:42:ed:
-                    42:12:f4:36:5d:45:51:3b:82:b7:f8:51:d8:ea:19:
-                    a0:a6:1c:94:37:70:fa:04:b7:58:43:05:c3:80:3d:
-                    29:2d:57:88:d3:c5:d9:e5:aa:0c:4d:f9:ba:ae:33:
-                    8e:b8:86:ef:10:0f:96:88:b5:55:af:c3:f8:10:cd:
-                    42:c9:15:30:47:7e:f5:dd:8f:60:31:de:ba:2b:19:
-                    40:3b:38:a6:fd:cb:32:77:fe:fb:66:6e:66:f0:94:
-                    9b:f5:26:36:8a:10:0a:61:22:5c:4d:67:c9:ac:17:
-                    5f:4b:68:e2:ef:47:01:99:ba:5c:6e:dd:45:78:d2:
-                    24:e9:4c:71:54:32:88:bf:50:9c:b1:ff:43:1e:45:
-                    35:36:7c:80:72:9d:47:67:02:af:4c:2c:a1:88:00:
-                    79:1f:85:e5:0b:71:7e:cc:4e:ff:ca:5b:dd:f5:0d:
-                    67:d6:b3:b0:3a:d1:1a:a0:ba:15:70:37:fc:73:0c:
-                    a5:8f:fe:a7:01:2c:7f:1d:1c:c2:fb:ec:7d:9a:04:
-                    b4:50:52:b3:5f:a1:a2:4a:02:82:28:ed:c8:82:0f:
-                    eb:9a:9b:d1:36:ee:ae:81:dd:09:25:e6:26:a7:52:
-                    6c:ad:f5:f9:bc:e1:a4:d8:f9:9e:74:10:76:e7:59:
-                    19:47
+                    00:c1:ea:65:cb:12:00:be:84:08:b3:8e:d0:cc:b0:
+                    6c:cb:d7:22:2b:f8:f6:7c:e2:17:c9:fd:75:7b:52:
+                    ce:57:24:36:2f:04:37:11:4a:9e:a0:f3:93:a9:5d:
+                    5e:40:23:97:c1:d0:50:10:c7:7d:c6:3d:9e:e2:96:
+                    fb:63:ee:66:91:f1:df:6c:5e:ec:9d:22:5c:76:34:
+                    83:ed:ff:cc:f0:96:19:78:07:d2:e0:91:50:97:1e:
+                    e7:af:94:19:3b:d8:00:d7:22:31:46:37:b2:56:19:
+                    6e:31:48:ef:f8:d7:ae:d2:0c:50:22:6f:7d:ea:a7:
+                    cc:a1:ff:40:6e:60:91:1f:88:c8:a3:b3:a3:a1:08:
+                    67:7e:7e:c4:77:75:46:90:e9:d1:3b:2c:ed:cd:a9:
+                    da:ff:8a:1e:ca:e4:ae:62:f2:a3:6b:e3:d8:50:4d:
+                    45:d7:fa:d0:93:9d:21:3d:7f:ea:c8:ef:ab:d8:2a:
+                    77:f1:84:98:2b:39:41:6c:72:4e:4f:0d:92:99:81:
+                    fc:80:4b:94:79:61:69:7c:cf:96:fc:e6:fa:53:d5:
+                    9e:60:3f:51:d4:2b:52:1c:02:19:80:ae:a5:fb:2f:
+                    02:06:f2:70:95:d8:c6:4a:38:c8:78:4a:6e:a0:07:
+                    cd:31:3b:8d:e0:1f:60:aa:c9:70:57:93:d2:4b:d4:
+                    e8:3b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                1D:47:C8:D6:D7:00:19:26:2B:07:15:39:57:22:36:5D:3D:ED:A7:55
+                9E:E1:B0:0F:6C:05:2E:6C:E6:37:0E:C9:A4:40:73:64:D5:E5:F6:13
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         ac:1e:82:3a:6f:37:2a:fd:6e:a0:80:40:e8:ce:f1:5d:61:de:
-         fe:36:d1:6d:f5:16:ed:e9:26:40:49:92:24:eb:17:f0:d8:6a:
-         a1:96:76:68:dd:42:15:cc:c6:ea:c1:79:46:a5:17:1b:28:96:
-         8e:ec:09:63:c1:96:d2:35:7c:92:1d:d0:d5:bd:22:15:16:19:
-         c5:a4:68:63:89:46:24:2f:45:16:30:4e:ee:6b:e6:12:56:00:
-         89:86:dd:2c:df:0f:d1:d9:37:f0:10:12:a3:e7:6b:8e:2d:34:
-         d0:43:fa:44:b2:de:f7:c5:a8:1e:62:15:db:c0:94:05:9e:f9:
-         fd:dd:41:79:09:89:83:bf:44:81:93:ea:41:f6:64:39:0d:cf:
-         9d:0f:6a:1a:9c:15:ea:bf:5b:03:3e:d0:7d:e6:fc:02:18:8c:
-         47:1c:4f:ca:08:e5:e1:c9:cb:e7:ce:46:49:d0:ab:8e:36:76:
-         b0:32:12:61:55:56:3a:1e:f2:8d:7e:3a:fb:b9:a5:d6:14:61:
-         29:26:a9:9d:6a:6e:0e:7f:03:57:0e:d0:4c:47:33:38:49:cd:
-         71:c2:e4:96:37:ee:1e:c6:bd:b1:ed:cd:78:00:67:29:a0:cc:
-         9c:22:61:15:5d:58:b2:08:c4:e5:0c:5a:dc:35:8f:17:ae:ef:
-         d7:44:8c:eb
+    Signature Value:
+        ad:41:57:17:1a:be:16:cd:fd:74:01:b2:f1:f6:8c:5f:ee:7f:
+        e8:a0:fc:33:d5:9e:c0:40:5d:56:79:90:1f:a4:3f:56:2c:79:
+        16:b8:9f:9a:17:77:9e:02:06:8c:d3:3e:fc:2e:0e:8c:13:f9:
+        6c:d4:cc:1a:24:dc:04:b5:1a:45:57:c3:cf:13:04:97:51:fc:
+        9b:ae:54:76:e6:24:c9:52:17:e9:24:36:ca:5f:7e:4d:13:f4:
+        14:f3:09:6b:ef:59:2f:9d:94:43:50:64:81:b0:ab:52:60:f5:
+        22:a9:2e:cf:a1:07:9b:52:e9:79:61:04:0d:2a:3f:5b:cb:32:
+        32:b9:ce:00:74:b1:8a:85:b2:2d:99:42:45:d8:e5:2a:e3:d9:
+        21:ff:26:5d:74:7d:f2:af:ae:28:02:0e:7a:36:70:5d:57:12:
+        71:1c:12:b7:5f:27:ce:df:0a:db:51:fb:ce:fb:1c:41:8f:52:
+        6d:e1:b9:69:a1:b9:7e:69:2a:85:1a:68:85:99:58:ec:ee:fd:
+        2a:55:62:2a:38:06:fa:20:3c:e5:28:9c:b9:d6:93:fd:48:b2:
+        15:24:e7:3e:84:7e:08:eb:1c:e8:47:cb:f7:e8:cc:7a:ed:79:
+        0a:9c:6c:14:43:7f:92:56:bf:ed:b7:bd:89:bc:85:be:db:89:
+        ca:38:91:7b
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzqzANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTA4MTAzMDAwMDAwMFoXDTE4MTAyOTAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAOCWYjDcW9zBCsTYuELtQhL0Nl1FUTuCt/hR
-2OoZoKYclDdw+gS3WEMFw4A9KS1XiNPF2eWqDE35uq4zjriG7xAPloi1Va/D+BDN
-QskVMEd+9d2PYDHeuisZQDs4pv3LMnf++2ZuZvCUm/UmNooQCmEiXE1nyawXX0to
-4u9HAZm6XG7dRXjSJOlMcVQyiL9QnLH/Qx5FNTZ8gHKdR2cCr0wsoYgAeR+F5Qtx
-fsxO/8pb3fUNZ9azsDrRGqC6FXA3/HMMpY/+pwEsfx0cwvvsfZoEtFBSs1+hokoC
-gijtyIIP65qb0TburoHdCSXmJqdSbK31+bzhpNj5nnQQdudZGUcCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFB1HyNbXABkmKwcVOVciNl097adVMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQCsHoI6bzcq/W6ggEDozvFdYd7+NtFt9Rbt6SZASZIk6xfw2GqhlnZo3UIVzMbq
-wXlGpRcbKJaO7AljwZbSNXySHdDVvSIVFhnFpGhjiUYkL0UWME7ua+YSVgCJht0s
-3w/R2TfwEBKj52uOLTTQQ/pEst73xageYhXbwJQFnvn93UF5CYmDv0SBk+pB9mQ5
-Dc+dD2oanBXqv1sDPtB95vwCGIxHHE/KCOXhycvnzkZJ0KuONnawMhJhVVY6HvKN
-fjr7uaXWFGEpJqmdam4OfwNXDtBMRzM4Sc1xwuSWN+4exr2x7c14AGcpoMycImEV
-XViyCMTlDFrcNY8Xru/XRIzr
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwm8wDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0wODEwMzAwMDAwMDBaFw0xODEwMjkwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB6mXLEgC+hAizjtDMsGzL1yIr+PZ84hfJ
+/XV7Us5XJDYvBDcRSp6g85OpXV5AI5fB0FAQx33GPZ7ilvtj7maR8d9sXuydIlx2
+NIPt/8zwlhl4B9LgkVCXHuevlBk72ADXIjFGN7JWGW4xSO/4167SDFAib33qp8yh
+/0BuYJEfiMijs6OhCGd+fsR3dUaQ6dE7LO3Nqdr/ih7K5K5i8qNr49hQTUXX+tCT
+nSE9f+rI76vYKnfxhJgrOUFsck5PDZKZgfyAS5R5YWl8z5b85vpT1Z5gP1HUK1Ic
+AhmArqX7LwIG8nCV2MZKOMh4Sm6gB80xO43gH2CqyXBXk9JL1Og7AgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSe4bAPbAUubOY3DsmkQHNk1eX2EzAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEArUFXFxq+Fs39dAGy8faMX+5/6KD8M9WewEBdVnmQH6Q/Vix5Frifmhd3ngIG
+jNM+/C4OjBP5bNTMGiTcBLUaRVfDzxMEl1H8m65UduYkyVIX6SQ2yl9+TRP0FPMJ
+a+9ZL52UQ1BkgbCrUmD1Iqkuz6EHm1LpeWEEDSo/W8syMrnOAHSxioWyLZlCRdjl
+KuPZIf8mXXR98q+uKAIOejZwXVcScRwSt18nzt8K21H7zvscQY9SbeG5aaG5fmkq
+hRpohZlY7O79KlViKjgG+iA85SicudaT/UiyFSTnPoR+COsc6EfL9+jMeu15Cpxs
+FEN/kla/7be9ibyFvtuJyjiRew==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/11_year_validity.pem b/chromium/net/data/ssl/certificates/11_year_validity.pem
index fc6e0254992..837af75874f 100644
--- a/chromium/net/data/ssl/certificates/11_year_validity.pem
+++ b/chromium/net/data/ssl/certificates/11_year_validity.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:ac
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:70
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:a1:bd:9d:bd:4d:2c:4a:2f:b4:d6:62:a8:3f:3c:
-                    7c:4b:de:57:a6:08:21:3d:98:9c:9e:89:e8:92:33:
-                    3b:9d:28:58:2c:9e:e8:47:33:b7:d3:28:c3:4d:de:
-                    35:1b:9e:a7:fa:1f:ef:63:69:4c:a7:43:ce:f8:ef:
-                    7d:f6:af:c0:17:9a:72:1c:7f:d2:9b:bd:f2:31:15:
-                    9b:d3:7a:28:14:41:52:7f:5c:3f:6f:ab:57:87:ab:
-                    aa:7a:3f:aa:04:a4:4b:48:d6:9f:65:d0:8b:be:db:
-                    03:e3:a0:b1:d1:41:11:8c:e5:17:e6:df:b3:e2:74:
-                    be:d8:3f:d1:34:b7:04:9e:a1:33:f2:f1:69:b9:2a:
-                    d2:b8:48:9d:34:c4:d5:cb:e6:db:50:8f:00:70:e9:
-                    13:57:5b:ae:97:cc:f4:e5:da:ad:ad:5d:5a:37:95:
-                    59:5d:af:ea:ee:3e:7d:07:a8:d0:6c:fe:66:db:06:
-                    f3:c4:3e:16:46:be:8f:58:a8:8e:fc:d8:eb:93:ca:
-                    83:dc:7c:68:b8:d8:70:29:6d:1b:9c:6b:be:d7:5e:
-                    b3:0f:7c:99:16:4d:6a:80:dc:50:24:33:21:7c:1e:
-                    d1:2d:28:e7:44:22:8d:79:d9:18:3c:1e:1c:fb:b7:
-                    8d:3a:61:06:67:fc:f3:6d:10:c1:f5:c8:5d:58:4d:
-                    29:27
+                    00:9f:1f:36:a1:2e:5f:5a:92:b2:a7:41:8e:72:0f:
+                    e5:c3:aa:1c:80:cf:b9:81:fc:e5:be:d5:80:9b:ee:
+                    ae:c5:dc:69:d4:e4:e9:89:0a:1d:7a:f1:88:05:94:
+                    56:f6:03:b7:8a:5d:6b:77:0b:23:53:0d:a0:0f:ba:
+                    22:ee:70:9e:7e:f7:fb:76:27:94:9f:e6:13:c1:49:
+                    bf:08:f1:5c:78:39:d0:22:33:00:f7:9c:55:58:d3:
+                    e6:4d:8f:2b:90:26:f6:24:3f:40:8e:ee:04:01:64:
+                    36:8b:63:3e:51:99:f2:bd:6e:8a:cb:77:9f:e5:e8:
+                    25:46:ea:13:9c:3e:da:57:79:c1:fe:14:19:68:d2:
+                    20:72:56:30:1b:f7:11:be:5f:0c:ce:5f:25:e3:28:
+                    1d:bd:1d:50:5a:87:5f:f2:6d:e9:d6:76:0a:51:1c:
+                    ed:29:c0:a3:39:42:fa:cb:77:f0:f2:03:07:d1:a6:
+                    52:fe:63:42:d4:a5:b5:53:fa:e2:88:85:9a:3f:58:
+                    5b:cf:5e:09:be:c4:08:72:5c:01:0c:ef:57:9f:a6:
+                    b1:46:a0:52:43:ec:3c:4d:30:2c:64:37:07:4d:2b:
+                    4e:d0:0c:d8:30:e4:88:cf:11:63:9e:3b:17:3b:67:
+                    be:22:99:36:d6:8e:96:84:ed:1d:8c:45:40:8f:63:
+                    91:15
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                F7:E5:3C:2B:73:F5:A9:23:AE:D6:84:45:CE:D3:E5:E8:72:09:C8:4D
+                1C:D3:60:F9:10:20:E7:CD:03:D7:36:7B:EC:A5:7B:4D:CB:C4:F2:1A
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         31:04:5d:69:2b:48:c3:6e:c4:ec:0d:2a:af:d2:64:e0:f3:c3:
-         19:94:0b:ca:53:f9:b5:22:18:41:7a:47:b3:53:93:d1:85:c5:
-         64:93:b5:13:eb:f9:ba:28:e6:42:3e:10:a3:a5:a7:94:1d:7d:
-         5e:58:cd:2d:62:a5:97:52:9c:c6:ae:f1:23:4e:74:48:f2:68:
-         b6:e9:63:34:47:d6:34:eb:ed:50:ab:b5:85:95:10:b1:c8:b8:
-         eb:08:1e:a5:6c:dc:fa:b8:99:f0:60:0f:47:51:b5:28:57:af:
-         50:fb:06:0e:0c:db:cd:fb:2d:70:57:82:5a:10:ce:07:79:cd:
-         4c:33:ed:e3:cb:50:78:a2:ce:13:b8:47:1b:c5:b8:83:50:ec:
-         8b:6a:57:ca:ca:40:11:2f:c0:aa:ab:77:d6:2d:e3:48:9c:b6:
-         99:21:2f:23:16:8d:7d:6b:8d:ed:07:60:63:00:02:3b:b1:1e:
-         6f:36:3f:47:5f:45:f3:5e:69:a2:41:50:a8:09:91:32:a3:a1:
-         02:f1:14:11:24:cc:0b:69:82:57:23:fb:21:b6:7f:fe:eb:0e:
-         63:9c:da:7b:8f:22:12:77:c9:20:4d:c2:89:55:11:b1:5e:b9:
-         07:7a:a5:a4:c6:12:5c:2c:6e:27:e0:8e:35:2d:45:c6:5c:e2:
-         8d:1f:a8:1c
+    Signature Value:
+        7c:16:35:6d:b3:80:02:dc:0f:c8:28:bb:44:52:8c:0b:9b:5c:
+        c6:36:8b:ce:f9:de:ab:99:ca:f6:b1:d6:f5:b6:ef:af:b9:40:
+        9c:ee:fb:98:d4:17:e2:18:15:5f:39:8f:e9:02:d5:5d:f6:c4:
+        cb:bd:03:cb:54:3f:77:64:d8:fb:d4:60:b1:b9:9a:7d:b9:a0:
+        1b:22:5f:2d:46:fa:f7:93:96:7e:13:ae:89:b1:68:c2:a5:e6:
+        82:1f:af:08:67:36:d9:38:46:ef:33:3f:78:11:43:3b:04:9e:
+        9a:68:97:a3:dd:29:73:6c:60:28:9d:d5:1a:ca:e3:20:39:b3:
+        eb:aa:ff:09:9d:7b:bc:18:a9:97:e1:58:7f:6b:1c:3b:50:8e:
+        4d:9c:25:8b:b0:26:34:5f:69:8b:04:56:7c:4d:d9:53:31:ea:
+        c3:a2:30:20:4c:2a:8c:2f:f8:5b:b6:c2:3a:4f:b6:54:d7:6d:
+        e5:21:f6:81:59:1b:f4:4d:82:30:c9:a4:ce:fe:c8:97:d0:fe:
+        48:c1:2d:89:96:96:23:e5:37:83:01:40:24:6d:7c:ab:29:9e:
+        75:e8:ba:c0:c6:4b:1d:85:06:87:83:cd:3b:ae:c8:c3:b3:a6:
+        a8:77:54:b4:fb:32:42:22:b0:1d:08:ae:ba:a0:82:6a:56:db:
+        4c:fd:05:ba
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzrDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE0MTAzMDAwMDAwMFoXDTI1MTAzMDAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAKG9nb1NLEovtNZiqD88fEveV6YIIT2YnJ6J
-6JIzO50oWCye6Eczt9Mow03eNRuep/of72NpTKdDzvjvffavwBeachx/0pu98jEV
-m9N6KBRBUn9cP2+rV4erqno/qgSkS0jWn2XQi77bA+OgsdFBEYzlF+bfs+J0vtg/
-0TS3BJ6hM/Lxabkq0rhInTTE1cvm21CPAHDpE1dbrpfM9OXara1dWjeVWV2v6u4+
-fQeo0Gz+ZtsG88Q+Fka+j1iojvzY65PKg9x8aLjYcCltG5xrvtdesw98mRZNaoDc
-UCQzIXwe0S0o50QijXnZGDweHPu3jTphBmf8820QwfXIXVhNKScCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPflPCtz9akjrtaERc7T5ehyCchNMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQAxBF1pK0jDbsTsDSqv0mTg88MZlAvKU/m1IhhBekezU5PRhcVkk7UT6/m6KOZC
-PhCjpaeUHX1eWM0tYqWXUpzGrvEjTnRI8mi26WM0R9Y06+1Qq7WFlRCxyLjrCB6l
-bNz6uJnwYA9HUbUoV69Q+wYODNvN+y1wV4JaEM4Hec1MM+3jy1B4os4TuEcbxbiD
-UOyLalfKykARL8Cqq3fWLeNInLaZIS8jFo19a43tB2BjAAI7sR5vNj9HX0XzXmmi
-QVCoCZEyo6EC8RQRJMwLaYJXI/shtn/+6w5jnNp7jyISd8kgTcKJVRGxXrkHeqWk
-xhJcLG4n4I41LUXGXOKNH6gc
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnAwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNDEwMzAwMDAwMDBaFw0yNTEwMzAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCfHzahLl9akrKnQY5yD+XDqhyAz7mB/OW+
+1YCb7q7F3GnU5OmJCh168YgFlFb2A7eKXWt3CyNTDaAPuiLucJ5+9/t2J5Sf5hPB
+Sb8I8Vx4OdAiMwD3nFVY0+ZNjyuQJvYkP0CO7gQBZDaLYz5RmfK9borLd5/l6CVG
+6hOcPtpXecH+FBlo0iByVjAb9xG+XwzOXyXjKB29HVBah1/ybenWdgpRHO0pwKM5
+QvrLd/DyAwfRplL+Y0LUpbVT+uKIhZo/WFvPXgm+xAhyXAEM71efprFGoFJD7DxN
+MCxkNwdNK07QDNgw5IjPEWOeOxc7Z74imTbWjpaE7R2MRUCPY5EVAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQc02D5ECDnzQPXNnvspXtNy8TyGjAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAfBY1bbOAAtwPyCi7RFKMC5tcxjaLzvneq5nK9rHW9bbvr7lAnO77mNQX4hgV
+XzmP6QLVXfbEy70Dy1Q/d2TY+9RgsbmafbmgGyJfLUb695OWfhOuibFowqXmgh+v
+CGc22ThG7zM/eBFDOwSemmiXo90pc2xgKJ3VGsrjIDmz66r/CZ17vBipl+FYf2sc
+O1COTZwli7AmNF9piwRWfE3ZUzHqw6IwIEwqjC/4W7bCOk+2VNdt5SH2gVkb9E2C
+MMmkzv7Il9D+SMEtiZaWI+U3gwFAJG18qymedei6wMZLHYUGh4PNO67Iw7OmqHdU
+tPsyQiKwHQiuuqCCalbbTP0Fug==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/398_days_1_second_after_2020_09_01.pem b/chromium/net/data/ssl/certificates/398_days_1_second_after_2020_09_01.pem
index 4a6804193ea..3fa2461017e 100644
--- a/chromium/net/data/ssl/certificates/398_days_1_second_after_2020_09_01.pem
+++ b/chromium/net/data/ssl/certificates/398_days_1_second_after_2020_09_01.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:bc
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:80
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:a8:ef:99:e4:60:c1:e4:56:c0:40:b8:51:9f:02:
-                    b5:80:97:d8:86:70:44:a7:67:55:4e:90:7f:fa:12:
-                    a7:af:bf:58:b5:8a:8b:30:2a:c7:84:9f:40:a3:e8:
-                    97:01:93:f2:8e:8b:94:9d:28:1a:e2:aa:e1:c6:7f:
-                    d7:82:46:0e:41:3c:16:aa:a0:dc:bd:6c:1f:17:b9:
-                    21:d8:80:f2:30:58:2f:b5:0c:20:3b:25:92:27:1d:
-                    ad:1c:a6:af:a4:9c:c2:d3:52:57:66:8e:22:2a:f9:
-                    29:e9:29:ed:c7:04:2d:8e:71:c8:26:a3:23:07:1b:
-                    d9:ac:ed:cc:4d:d1:25:37:18:ee:ac:6f:8f:75:de:
-                    da:b3:a1:1e:70:76:ea:fe:5e:4f:2e:b4:19:5b:29:
-                    9f:2d:53:e3:47:af:b3:ba:49:41:1b:99:62:db:02:
-                    e2:e7:80:d7:f0:6c:f6:77:4d:74:41:5d:76:c2:ee:
-                    5c:4c:24:4c:c2:b4:fb:11:6f:3c:d6:e0:68:8d:76:
-                    26:3e:f0:31:94:05:e6:11:5e:aa:c8:4d:0c:db:83:
-                    8a:76:b6:76:78:32:9f:dc:48:9e:c1:38:3f:14:7c:
-                    3f:ed:40:46:bb:5c:c9:fc:41:37:a9:e3:59:1e:f7:
-                    43:cd:7a:45:5f:67:4b:ac:85:2b:1d:36:7d:8d:63:
-                    52:3d
+                    00:b3:2b:e0:a9:cb:53:7c:f1:9e:96:4e:70:a3:8d:
+                    32:7b:bc:e0:2f:71:83:08:9f:e3:56:5c:dd:38:65:
+                    2f:53:c0:0f:41:ef:cd:93:a9:bb:13:20:89:15:90:
+                    3a:38:68:d3:2f:c7:15:b4:7c:ba:77:76:ac:f8:da:
+                    a9:bd:04:1b:5a:f6:b1:6c:36:71:fe:08:93:88:b3:
+                    47:35:39:2b:19:be:e4:f4:1a:bb:30:ea:95:12:1c:
+                    cc:9f:17:be:6d:ab:0a:4e:91:61:78:46:da:3d:0a:
+                    47:fb:64:a8:74:de:e4:71:f8:e9:da:80:66:d2:8b:
+                    54:c4:39:2f:18:b2:03:a7:21:77:d0:a6:1f:c6:0c:
+                    12:13:58:fb:ed:7b:b3:d8:8e:bc:79:b4:ff:7a:c7:
+                    28:88:a0:c5:fb:35:05:29:54:9f:ed:a2:9d:d1:1b:
+                    35:74:67:28:17:ba:2c:63:42:2e:ce:5e:0a:07:13:
+                    a6:d4:65:99:6b:b5:32:5f:05:74:ba:9c:f4:ef:b6:
+                    00:79:db:0d:e4:06:a3:a4:c6:45:b8:46:26:aa:2e:
+                    0a:42:53:e7:e6:23:7f:65:07:97:bc:c5:5c:df:b3:
+                    b1:9f:f9:a3:35:93:7e:68:20:74:89:5f:bb:b7:ed:
+                    af:b5:49:a7:fb:93:19:aa:e7:cc:39:5a:a9:4f:31:
+                    3b:b7
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                E2:DB:BE:53:11:5B:82:7A:18:F5:68:EE:FA:C1:8B:38:7B:2D:F9:4F
+                DC:18:E7:85:9D:70:27:B8:2C:64:7D:A1:29:D9:F0:7C:BF:13:AA:A1
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         6b:15:75:b0:d6:f4:29:c1:da:0b:ef:fc:d1:37:63:ca:f7:8a:
-         3f:5c:66:06:79:ba:8c:3c:b3:e5:41:1d:4d:c9:63:ea:18:24:
-         26:49:df:b1:3b:bd:db:b6:f0:b7:56:0d:17:28:bf:9f:7b:10:
-         1c:20:bf:10:41:98:29:5f:bd:19:ca:65:9c:d8:31:1a:85:2a:
-         53:4b:6d:d4:6c:b8:d8:4a:7f:4c:ed:98:8f:20:3b:1c:b9:e1:
-         6d:48:7f:9f:7e:6b:02:45:05:ae:cd:6a:32:41:a2:99:7b:7b:
-         23:f8:26:3f:70:f5:cc:5a:19:af:62:0f:e2:9b:0b:71:1f:55:
-         a6:06:f1:22:27:cb:55:74:2f:25:8e:9c:07:0f:64:ab:3a:9a:
-         5a:38:76:6c:5a:48:b2:54:bf:8e:e8:83:c8:9c:68:2b:3e:43:
-         2f:99:1a:70:28:84:8d:5b:70:c3:6b:aa:34:fe:51:c7:1a:3c:
-         ee:6a:41:86:51:4b:32:90:4b:b8:5b:4e:91:c2:55:3a:f0:1d:
-         a7:27:35:47:79:58:4b:89:09:39:4a:e7:49:25:46:ad:17:61:
-         51:fa:a3:a8:21:f4:a3:25:87:3f:97:8a:1b:39:ea:f7:97:06:
-         84:f9:c9:f9:63:cf:cd:a3:5f:70:da:eb:44:d4:89:96:93:5f:
-         89:3b:2e:bf
+    Signature Value:
+        4b:d2:23:be:c9:f4:62:68:87:bf:f1:bd:1d:0f:05:ea:5f:95:
+        f0:34:85:1b:8f:4e:fd:86:34:f9:96:d7:5a:9c:5e:01:53:2a:
+        47:d1:30:c5:1b:b7:29:f2:66:48:70:07:ac:75:77:ab:e7:b3:
+        84:62:9e:35:7d:8b:37:b2:20:d2:7f:82:88:ee:f9:71:e4:ea:
+        bc:1d:4a:e7:22:a3:1c:c2:1a:33:e1:9b:fe:6e:0d:81:15:ef:
+        2f:9d:75:75:0c:cd:00:b3:e6:47:52:32:bd:a0:5c:66:95:1c:
+        c6:5d:12:dd:f7:24:6e:fb:e9:2f:22:56:6d:3e:7d:41:9b:85:
+        63:94:f7:0d:0d:1b:f9:18:8a:f4:e1:fa:f0:d3:b7:a7:38:ca:
+        e8:fc:09:c5:89:26:7d:95:db:66:23:38:3e:84:1b:23:08:8a:
+        af:4d:0e:89:12:6a:d3:d6:9f:7c:2c:ce:da:c3:c8:67:ff:d7:
+        49:15:2f:26:0b:85:86:48:dc:2a:77:99:6f:47:86:3b:cb:30:
+        36:95:ea:58:b4:c2:cd:b2:86:10:5f:03:a3:3d:de:ad:3e:7b:
+        5f:7e:32:ae:67:fc:b8:23:10:ff:05:73:93:c5:a7:62:47:fa:
+        a0:a1:80:04:13:94:0c:29:ca:97:71:87:9f:78:2e:88:29:c8:
+        3c:d6:a3:66
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzvDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIwMDkwMjAwMDAwMFoXDTIxMTAwNTAwMDAwMVowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAKjvmeRgweRWwEC4UZ8CtYCX2IZwRKdnVU6Q
-f/oSp6+/WLWKizAqx4SfQKPolwGT8o6LlJ0oGuKq4cZ/14JGDkE8Fqqg3L1sHxe5
-IdiA8jBYL7UMIDslkicdrRymr6ScwtNSV2aOIir5Kekp7ccELY5xyCajIwcb2azt
-zE3RJTcY7qxvj3Xe2rOhHnB26v5eTy60GVspny1T40evs7pJQRuZYtsC4ueA1/Bs
-9ndNdEFddsLuXEwkTMK0+xFvPNbgaI12Jj7wMZQF5hFeqshNDNuDina2dngyn9xI
-nsE4PxR8P+1ARrtcyfxBN6njWR73Q816RV9nS6yFKx02fY1jUj0CAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOLbvlMRW4J6GPVo7vrBizh7LflPMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQBrFXWw1vQpwdoL7/zRN2PK94o/XGYGebqMPLPlQR1NyWPqGCQmSd+xO73btvC3
-Vg0XKL+fexAcIL8QQZgpX70ZymWc2DEahSpTS23UbLjYSn9M7ZiPIDscueFtSH+f
-fmsCRQWuzWoyQaKZe3sj+CY/cPXMWhmvYg/imwtxH1WmBvEiJ8tVdC8ljpwHD2Sr
-OppaOHZsWkiyVL+O6IPInGgrPkMvmRpwKISNW3DDa6o0/lHHGjzuakGGUUsykEu4
-W06RwlU68B2nJzVHeVhLiQk5SudJJUatF2FR+qOoIfSjJYc/l4obOer3lwaE+cn5
-Y8/No19w2utE1ImWk1+JOy6/
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwoAwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMDA5MDIwMDAwMDBaFw0yMTEwMDUwMDAwMDFaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzK+Cpy1N88Z6WTnCjjTJ7vOAvcYMIn+NW
+XN04ZS9TwA9B782TqbsTIIkVkDo4aNMvxxW0fLp3dqz42qm9BBta9rFsNnH+CJOI
+s0c1OSsZvuT0Grsw6pUSHMyfF75tqwpOkWF4Rto9Ckf7ZKh03uRx+OnagGbSi1TE
+OS8YsgOnIXfQph/GDBITWPvte7PYjrx5tP96xyiIoMX7NQUpVJ/top3RGzV0ZygX
+uixjQi7OXgoHE6bUZZlrtTJfBXS6nPTvtgB52w3kBqOkxkW4RiaqLgpCU+fmI39l
+B5e8xVzfs7Gf+aM1k35oIHSJX7u37a+1Saf7kxmq58w5WqlPMTu3AgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTcGOeFnXAnuCxkfaEp2fB8vxOqoTAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAS9Ijvsn0YmiHv/G9HQ8F6l+V8DSFG49O/YY0+ZbXWpxeAVMqR9EwxRu3KfJm
+SHAHrHV3q+ezhGKeNX2LN7Ig0n+CiO75ceTqvB1K5yKjHMIaM+Gb/m4NgRXvL511
+dQzNALPmR1IyvaBcZpUcxl0S3fckbvvpLyJWbT59QZuFY5T3DQ0b+RiK9OH68NO3
+pzjK6PwJxYkmfZXbZiM4PoQbIwiKr00OiRJq09affCzO2sPIZ//XSRUvJguFhkjc
+KneZb0eGO8swNpXqWLTCzbKGEF8Doz3erT57X34yrmf8uCMQ/wVzk8WnYkf6oKGA
+BBOUDCnKl3GHn3guiCnIPNajZg==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/398_days_after_2020_09_01.pem b/chromium/net/data/ssl/certificates/398_days_after_2020_09_01.pem
index c4e4fce27e2..dd0eb1dc1f3 100644
--- a/chromium/net/data/ssl/certificates/398_days_after_2020_09_01.pem
+++ b/chromium/net/data/ssl/certificates/398_days_after_2020_09_01.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:bb
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:7f
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:d8:23:51:58:0e:d2:e2:7d:5a:f5:38:25:d3:c0:
-                    67:00:27:2a:0e:f9:29:0c:5c:a1:10:a9:da:71:8f:
-                    bd:70:2f:6b:e6:9a:0f:2a:bd:ec:2d:fe:87:0a:e2:
-                    c9:86:e7:f7:0c:91:75:29:ac:19:52:40:e6:27:24:
-                    33:ef:43:3c:d7:cb:88:29:b2:9a:3b:ac:ec:a7:71:
-                    35:e9:01:43:ae:e6:dd:bb:06:26:55:fb:0f:43:c9:
-                    1a:5a:9e:c3:41:55:ea:87:eb:4b:9f:d2:a1:bd:ac:
-                    85:52:68:76:fe:94:dd:ae:34:e0:17:b7:dd:45:a8:
-                    c5:e4:86:6c:08:c8:12:da:97:bf:43:66:fc:19:11:
-                    d2:88:75:cc:ce:d2:d3:26:0c:0c:e0:e1:fc:91:da:
-                    96:cd:d0:c2:a8:6c:ca:c9:2d:6b:1b:c8:21:9e:99:
-                    41:33:2b:e1:50:0a:c6:9c:a8:14:3d:0c:1f:d3:75:
-                    ac:77:2e:57:56:ba:ca:d4:a0:e7:e9:39:f3:5f:37:
-                    bd:ba:88:74:d9:38:0f:2a:1a:2c:68:f0:b1:d3:a1:
-                    9f:d3:cb:d7:a6:cf:70:d3:35:23:24:de:34:09:2e:
-                    5c:4a:4d:da:cc:f5:48:76:08:2e:cc:4b:fa:a1:20:
-                    ac:c7:57:fa:a7:af:5d:ef:7e:26:eb:f6:8d:89:ab:
-                    8f:ff
+                    00:eb:66:84:1c:5d:7d:8a:59:9e:47:64:b9:09:e4:
+                    1a:6b:6b:e6:4f:ba:59:2e:a4:3c:57:cb:1a:11:85:
+                    bd:38:08:e0:95:30:c9:02:64:16:35:f0:57:b5:6d:
+                    2a:7e:54:0c:74:cf:0d:ae:19:ec:f5:01:47:57:0d:
+                    ef:70:f7:a2:35:49:65:e5:95:78:ad:18:00:7f:ec:
+                    94:94:95:c8:b2:86:7c:ec:b4:d3:b2:dd:c2:91:03:
+                    31:ee:46:d7:d8:ee:fd:ce:6f:cc:33:fa:ba:bb:2d:
+                    a2:a2:0c:1b:1b:84:2e:3c:8d:a1:5b:24:25:72:5b:
+                    d9:b4:67:98:0e:42:6b:39:f7:5a:da:c8:8f:6d:96:
+                    a2:1a:ce:35:a8:d5:e8:1b:14:97:f2:5b:12:eb:94:
+                    53:a1:7a:8e:3e:67:2f:d7:91:72:8b:12:cf:ba:d5:
+                    54:9e:64:92:4c:f2:fc:00:ee:86:4e:df:55:71:25:
+                    c0:88:9d:86:9e:9a:46:b8:f1:31:da:dc:78:fd:46:
+                    27:1c:ec:6b:84:14:25:8a:b2:c0:ce:75:8f:e9:84:
+                    27:97:75:f4:91:96:e7:c0:c9:8d:de:f2:f4:fb:fd:
+                    69:5e:6b:59:50:63:bb:d5:91:cc:7c:1b:0f:c2:b2:
+                    d3:56:b4:e8:77:c6:57:fb:af:7a:af:16:f9:5b:32:
+                    42:ff
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                5C:38:D4:8A:4F:B0:75:B4:5A:B2:9D:0F:A4:02:C5:CF:0B:25:09:37
+                4A:78:19:FB:FB:DF:5F:98:EC:91:7A:31:C5:98:4C:B6:8D:50:DE:AD
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         7a:0b:02:69:10:db:20:cc:b9:ee:95:57:24:42:a9:f0:07:7c:
-         47:a9:9d:85:88:19:9b:c9:79:5b:1f:e6:93:6d:b1:ad:f2:bd:
-         9a:77:b0:4c:04:04:72:b4:bb:a2:f8:da:e7:09:af:ae:86:7a:
-         e5:7e:dd:64:64:1a:92:f4:ca:9f:3b:2b:ab:4a:02:17:63:6d:
-         eb:d5:74:e6:2d:1d:c1:04:de:49:16:e0:1a:7c:ce:b3:a7:b8:
-         82:cd:9d:9a:b0:0f:c8:d9:38:5c:49:25:3e:6f:41:60:5d:9f:
-         37:c6:28:7d:ec:7b:ff:89:59:d7:bc:bd:e9:8a:1b:3a:68:8e:
-         1e:3f:e8:0e:00:6b:0b:0d:22:c2:e8:c5:bb:50:3d:fb:a4:25:
-         96:c2:f5:9e:68:0c:33:05:3b:dd:70:92:3c:ac:58:52:b6:39:
-         9d:a5:5e:b8:bc:71:4c:ac:db:8b:72:12:eb:a6:0c:86:e4:d9:
-         88:03:f2:13:f4:b6:74:7c:fb:65:12:13:f8:59:fb:bf:59:bd:
-         e6:8f:db:db:96:b3:4b:6f:b6:43:8c:20:1d:17:2d:bd:4c:40:
-         26:a1:f5:fc:b0:9d:90:00:22:c2:99:37:ce:b2:db:7b:61:a6:
-         d6:99:b7:f3:d6:56:50:15:2c:b7:9c:33:03:a4:5e:27:0d:ab:
-         64:b8:c3:15
+    Signature Value:
+        3f:f0:e3:6b:61:f7:d4:c3:61:1f:94:8a:b9:bc:a0:1a:0c:26:
+        2b:df:86:c5:39:93:a0:d0:77:9f:61:a8:ab:c1:1d:10:29:4b:
+        2e:33:e2:97:46:00:c6:27:69:4c:fc:29:b6:4d:72:ab:4c:9a:
+        96:e9:07:d2:d1:29:8e:39:ab:7c:00:c2:fb:7d:d7:04:f4:3e:
+        00:f7:cd:16:38:21:82:79:ac:ce:f1:4c:56:fd:cc:64:8c:88:
+        32:45:cb:3f:40:bb:86:0e:a3:9e:c1:f8:9a:16:57:ec:27:0e:
+        ee:cc:01:6f:d7:1d:2d:54:a9:99:6d:83:b0:b3:41:e6:57:31:
+        e1:65:a9:d2:a9:ea:ed:6f:e7:05:73:f1:27:ee:4b:da:56:c6:
+        af:ef:83:53:4e:7a:f9:54:00:58:11:c2:b2:bb:d8:7a:6c:1d:
+        3a:0c:92:cf:23:12:ee:41:d3:32:24:36:0e:0e:e4:5a:d2:1b:
+        6d:dc:85:93:ae:78:40:b3:11:81:d7:c9:e4:56:42:de:94:79:
+        da:6a:a6:fa:e3:71:96:17:51:f3:80:b2:d1:50:3a:98:9c:89:
+        20:cc:4e:0a:69:ac:34:5c:53:aa:f7:4c:c3:cb:4b:fc:f7:bd:
+        7c:82:53:9f:0c:3e:b8:ff:cb:72:44:2d:7e:19:24:a1:39:d0:
+        6c:ab:db:38
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzuzANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIwMDkwMjAwMDAwMFoXDTIxMTAwNTAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBANgjUVgO0uJ9WvU4JdPAZwAnKg75KQxcoRCp
-2nGPvXAva+aaDyq97C3+hwriyYbn9wyRdSmsGVJA5ickM+9DPNfLiCmymjus7Kdx
-NekBQ67m3bsGJlX7D0PJGlqew0FV6ofrS5/Sob2shVJodv6U3a404Be33UWoxeSG
-bAjIEtqXv0Nm/BkR0oh1zM7S0yYMDODh/JHals3QwqhsysktaxvIIZ6ZQTMr4VAK
-xpyoFD0MH9N1rHcuV1a6ytSg5+k58183vbqIdNk4DyoaLGjwsdOhn9PL16bPcNM1
-IyTeNAkuXEpN2sz1SHYILsxL+qEgrMdX+qevXe9+Juv2jYmrj/8CAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFw41IpPsHW0WrKdD6QCxc8LJQk3MB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQB6CwJpENsgzLnulVckQqnwB3xHqZ2FiBmbyXlbH+aTbbGt8r2ad7BMBARytLui
-+NrnCa+uhnrlft1kZBqS9MqfOyurSgIXY23r1XTmLR3BBN5JFuAafM6zp7iCzZ2a
-sA/I2ThcSSU+b0FgXZ83xih97Hv/iVnXvL3pihs6aI4eP+gOAGsLDSLC6MW7UD37
-pCWWwvWeaAwzBTvdcJI8rFhStjmdpV64vHFMrNuLchLrpgyG5NmIA/IT9LZ0fPtl
-EhP4Wfu/Wb3mj9vblrNLb7ZDjCAdFy29TEAmofX8sJ2QACLCmTfOstt7YabWmbfz
-1lZQFSy3nDMDpF4nDatkuMMV
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwn8wDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMDA5MDIwMDAwMDBaFw0yMTEwMDUwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrZoQcXX2KWZ5HZLkJ5Bpra+ZPulkupDxX
+yxoRhb04COCVMMkCZBY18Fe1bSp+VAx0zw2uGez1AUdXDe9w96I1SWXllXitGAB/
+7JSUlciyhnzstNOy3cKRAzHuRtfY7v3Ob8wz+rq7LaKiDBsbhC48jaFbJCVyW9m0
+Z5gOQms591rayI9tlqIazjWo1egbFJfyWxLrlFOheo4+Zy/XkXKLEs+61VSeZJJM
+8vwA7oZO31VxJcCInYaemka48THa3Hj9Ricc7GuEFCWKssDOdY/phCeXdfSRlufA
+yY3e8vT7/Wlea1lQY7vVkcx8Gw/CstNWtOh3xlf7r3qvFvlbMkL/AgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRKeBn7+99fmOyRejHFmEy2jVDerTAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAP/Dja2H31MNhH5SKubygGgwmK9+GxTmToNB3n2Goq8EdEClLLjPil0YAxidp
+TPwptk1yq0yalukH0tEpjjmrfADC+33XBPQ+APfNFjghgnmszvFMVv3MZIyIMkXL
+P0C7hg6jnsH4mhZX7CcO7swBb9cdLVSpmW2DsLNB5lcx4WWp0qnq7W/nBXPxJ+5L
+2lbGr++DU056+VQAWBHCsrvYemwdOgySzyMS7kHTMiQ2Dg7kWtIbbdyFk654QLMR
+gdfJ5FZC3pR52mqm+uNxlhdR84Cy0VA6mJyJIMxOCmmsNFxTqvdMw8tL/Pe9fIJT
+nww+uP/LckQtfhkkoTnQbKvbOA==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/399_days_after_2020_09_01.pem b/chromium/net/data/ssl/certificates/399_days_after_2020_09_01.pem
index c163818c238..2f6b7e18370 100644
--- a/chromium/net/data/ssl/certificates/399_days_after_2020_09_01.pem
+++ b/chromium/net/data/ssl/certificates/399_days_after_2020_09_01.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:ba
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:7e
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:b7:11:fa:c9:48:1a:c4:0a:c7:70:4e:37:51:2f:
-                    27:ac:72:15:be:68:85:b0:dd:23:fc:69:f4:b1:02:
-                    10:9c:49:d1:db:81:93:33:9b:d6:80:75:99:84:bd:
-                    6a:e3:b1:b1:57:89:40:a7:25:ff:34:d5:6a:a8:9a:
-                    97:c0:ef:f3:44:c4:15:89:bb:12:f8:9d:96:bc:4f:
-                    93:2e:3b:3e:e4:41:76:17:d8:bb:22:f4:84:b6:a0:
-                    80:41:f8:6b:42:ba:a1:27:17:ce:c4:ee:cf:8a:47:
-                    92:c4:4c:97:4f:72:32:a4:0e:65:96:5e:72:f6:39:
-                    9c:b1:cc:d9:6a:70:24:de:8c:c3:c9:23:76:47:10:
-                    73:02:86:4b:55:fd:fa:cf:f8:70:27:a8:f0:24:dc:
-                    f2:cd:a7:d0:d6:32:11:45:7c:81:3f:de:06:bb:4b:
-                    98:95:9c:6c:6b:a3:bb:13:19:e0:04:ed:64:bd:de:
-                    f3:b6:d1:05:1b:c3:77:69:d6:f9:f9:7a:f6:ed:51:
-                    ce:43:6b:d9:1e:6b:97:8f:f8:b7:d6:e9:45:66:5d:
-                    77:c7:58:55:05:c2:4a:68:de:e0:5d:cf:2b:4f:f2:
-                    8b:3e:4e:30:76:45:ea:5b:c9:06:5f:b7:5c:39:37:
-                    fc:2c:52:bd:2a:65:64:c2:73:45:96:76:ec:c2:a1:
-                    c4:c7
+                    00:b3:19:fd:7b:2a:81:6b:16:2b:d8:73:ac:db:4e:
+                    bb:d0:06:76:4f:f7:fc:73:62:d9:28:03:00:f2:75:
+                    28:56:b1:fe:d1:3f:08:11:f3:d8:77:62:38:85:89:
+                    72:4a:e1:7d:4b:72:c6:5f:01:49:ae:c3:b9:55:47:
+                    2e:45:78:43:20:ae:ed:b6:5d:7a:66:33:f1:98:3e:
+                    fe:6b:a9:08:35:3c:54:a2:03:73:58:87:06:58:72:
+                    fc:26:65:26:fe:78:fe:69:2e:26:55:63:e3:db:74:
+                    52:e0:6e:a4:b6:64:ab:76:54:77:88:c5:62:47:ff:
+                    44:0c:84:43:07:9b:86:de:3b:cc:2e:fb:46:f7:33:
+                    ab:bd:00:b0:2e:1b:e3:55:15:ea:e6:c8:f5:3b:1a:
+                    e2:79:12:38:32:4a:17:73:71:b9:dc:ea:43:57:98:
+                    9a:87:c0:fb:2d:b4:16:26:b4:a9:83:5e:b4:7e:73:
+                    21:93:6d:f2:35:b2:29:9d:eb:6f:90:54:45:1a:97:
+                    59:b5:6f:33:bb:17:79:b0:52:80:6a:2a:b9:6a:32:
+                    90:24:cf:9b:f1:32:82:cf:c8:fb:20:f2:a6:52:31:
+                    dc:43:3a:ef:18:7f:3a:3c:65:b5:d5:9a:27:3c:10:
+                    2b:95:8a:d4:ec:e6:24:f0:29:bb:4c:d2:f3:a7:c7:
+                    d1:33
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                E7:22:97:64:A1:4B:34:FA:62:0E:EC:A5:8F:9F:93:E9:2C:F3:4D:DB
+                CE:66:88:69:91:5E:F1:19:19:04:4B:56:72:0D:A7:79:68:0A:FB:B5
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         93:f2:8c:e6:44:0b:a8:e8:95:66:a0:be:0b:3c:60:0f:3b:28:
-         91:e3:8d:33:6b:65:4c:3f:43:37:2f:1f:b1:1f:e3:59:98:55:
-         64:0c:5d:63:b5:1c:3b:ac:af:68:42:a7:5c:3e:b9:97:6b:54:
-         16:14:a5:18:a8:ec:7f:a2:f1:a0:60:c1:68:ca:26:9e:03:d1:
-         04:30:3e:65:91:c5:0c:3b:0d:50:8a:20:07:49:30:f0:cf:91:
-         67:f0:23:21:24:b1:ef:56:bb:02:0f:38:19:05:64:b0:c4:70:
-         c0:6d:30:65:36:60:e2:e3:80:52:dc:3c:30:97:6b:4f:ae:5a:
-         e3:54:fb:0e:28:41:62:f9:97:c7:d5:27:e5:79:8c:b4:1e:cd:
-         d5:4f:4f:b7:96:fe:c9:7c:fe:9c:94:d2:dd:78:06:b4:d5:c7:
-         f7:97:ce:a5:7c:c3:ba:ca:79:43:98:89:90:82:2e:14:e4:e4:
-         3a:6b:36:97:8f:bc:1c:74:df:78:10:68:f6:0f:14:d4:54:06:
-         5e:10:6b:56:13:a7:c7:ea:16:b4:3d:90:cf:a8:70:30:70:28:
-         47:0c:c9:08:f0:c7:f3:07:9f:0b:bb:ad:46:d0:a8:dd:70:27:
-         e2:95:7d:ce:be:2a:30:0f:3a:e3:c8:20:d5:c0:1e:29:19:01:
-         25:c9:b6:6f
+    Signature Value:
+        a9:34:16:bb:1e:64:c5:e7:34:0a:cd:73:cc:e5:2f:82:4d:ab:
+        d5:3e:e5:c5:ca:f3:7f:93:6a:bb:1e:1c:99:b8:6d:20:e8:2b:
+        49:98:f5:1a:ae:09:fa:cf:fc:ed:ed:b9:4e:84:4d:44:01:ce:
+        66:bb:cc:e8:26:04:94:ed:67:d9:fc:d9:68:41:09:ab:86:4d:
+        6f:81:0f:75:6a:c9:b4:26:8d:01:32:4b:2c:03:1b:bd:40:75:
+        1c:93:b3:cc:e8:66:28:e2:c9:a9:55:14:29:88:54:a3:b4:70:
+        89:0a:a0:75:a4:36:b0:b2:7b:30:cd:74:9f:d5:83:32:f7:85:
+        95:c0:c1:e4:da:e2:84:fe:52:ce:2d:6d:31:16:a9:d3:90:c4:
+        a5:3c:cc:ba:94:6b:b1:c2:02:d5:b7:c3:b1:3e:2c:05:ab:f6:
+        6e:58:bb:e3:43:5f:f1:06:e6:44:d8:d7:48:2b:c5:b2:5f:6d:
+        ea:81:51:2f:15:6f:8a:15:4c:84:70:71:0b:db:8b:a8:72:49:
+        4a:c2:d5:87:7f:98:c8:b4:ef:3c:34:c9:f4:8d:04:9f:1a:22:
+        31:7f:e4:70:15:04:e2:ee:6b:38:cf:75:c3:a8:e8:66:87:0a:
+        a5:31:a0:4c:ea:d0:04:b3:0b:12:fe:25:53:b9:83:f7:13:55:
+        00:03:17:84
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzujANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIwMDkwMjAwMDAwMFoXDTIxMTAwNjAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBALcR+slIGsQKx3BON1EvJ6xyFb5ohbDdI/xp
-9LECEJxJ0duBkzOb1oB1mYS9auOxsVeJQKcl/zTVaqial8Dv80TEFYm7EvidlrxP
-ky47PuRBdhfYuyL0hLaggEH4a0K6oScXzsTuz4pHksRMl09yMqQOZZZecvY5nLHM
-2WpwJN6Mw8kjdkcQcwKGS1X9+s/4cCeo8CTc8s2n0NYyEUV8gT/eBrtLmJWcbGuj
-uxMZ4ATtZL3e87bRBRvDd2nW+fl69u1RzkNr2R5rl4/4t9bpRWZdd8dYVQXCSmje
-4F3PK0/yiz5OMHZF6lvJBl+3XDk3/CxSvSplZMJzRZZ27MKhxMcCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOcil2ShSzT6Yg7spY+fk+ks803bMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQCT8ozmRAuo6JVmoL4LPGAPOyiR440za2VMP0M3Lx+xH+NZmFVkDF1jtRw7rK9o
-QqdcPrmXa1QWFKUYqOx/ovGgYMFoyiaeA9EEMD5lkcUMOw1QiiAHSTDwz5Fn8CMh
-JLHvVrsCDzgZBWSwxHDAbTBlNmDi44BS3Dwwl2tPrlrjVPsOKEFi+ZfH1SfleYy0
-Hs3VT0+3lv7JfP6clNLdeAa01cf3l86lfMO6ynlDmImQgi4U5OQ6azaXj7wcdN94
-EGj2DxTUVAZeEGtWE6fH6ha0PZDPqHAwcChHDMkI8MfzB58Lu61G0KjdcCfilX3O
-viowDzrjyCDVwB4pGQElybZv
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwn4wDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMDA5MDIwMDAwMDBaFw0yMTEwMDYwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzGf17KoFrFivYc6zbTrvQBnZP9/xzYtko
+AwDydShWsf7RPwgR89h3YjiFiXJK4X1LcsZfAUmuw7lVRy5FeEMgru22XXpmM/GY
+Pv5rqQg1PFSiA3NYhwZYcvwmZSb+eP5pLiZVY+PbdFLgbqS2ZKt2VHeIxWJH/0QM
+hEMHm4beO8wu+0b3M6u9ALAuG+NVFermyPU7GuJ5EjgyShdzcbnc6kNXmJqHwPst
+tBYmtKmDXrR+cyGTbfI1simd62+QVEUal1m1bzO7F3mwUoBqKrlqMpAkz5vxMoLP
+yPsg8qZSMdxDOu8Yfzo8ZbXVmic8ECuVitTs5iTwKbtM0vOnx9EzAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTOZohpkV7xGRkES1ZyDad5aAr7tTAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAqTQWux5kxec0Cs1zzOUvgk2r1T7lxcrzf5Nqux4cmbhtIOgrSZj1Gq4J+s/8
+7e25ToRNRAHOZrvM6CYElO1n2fzZaEEJq4ZNb4EPdWrJtCaNATJLLAMbvUB1HJOz
+zOhmKOLJqVUUKYhUo7RwiQqgdaQ2sLJ7MM10n9WDMveFlcDB5NrihP5Szi1tMRap
+05DEpTzMupRrscIC1bfDsT4sBav2bli740Nf8QbmRNjXSCvFsl9t6oFRLxVvihVM
+hHBxC9uLqHJJSsLVh3+YyLTvPDTJ9I0EnxoiMX/kcBUE4u5rOM91w6joZocKpTGg
+TOrQBLMLEv4lU7mD9xNVAAMXhA==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/39_months_after_2015_04.pem b/chromium/net/data/ssl/certificates/39_months_after_2015_04.pem
index 81bdbe90904..d138fef4485 100644
--- a/chromium/net/data/ssl/certificates/39_months_after_2015_04.pem
+++ b/chromium/net/data/ssl/certificates/39_months_after_2015_04.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:ad
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:71
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:ad:83:78:e0:29:58:58:d1:87:fe:b9:2f:d8:1c:
-                    ec:08:51:ea:41:6e:2a:91:2d:e7:3f:a1:9f:c7:c5:
-                    0a:0b:0b:9d:98:be:3e:d9:dd:75:9f:be:03:3f:c7:
-                    37:f1:56:ee:7a:0c:ba:ab:99:f3:40:ef:2b:98:53:
-                    ed:d9:da:b9:38:06:12:21:58:42:7c:b3:00:cb:85:
-                    c7:53:c8:25:59:04:6f:79:70:1a:fa:50:29:97:e1:
-                    e1:e7:42:5e:b6:0e:d4:14:a4:22:38:42:45:25:02:
-                    78:7a:d6:9f:e4:58:b1:24:a5:37:89:c6:93:9b:01:
-                    b2:bd:5c:2b:77:c1:1f:88:7c:65:7d:0c:4a:dd:d4:
-                    37:b0:df:01:df:60:db:d5:94:9a:00:6b:02:58:72:
-                    83:95:07:d2:aa:3d:35:be:6b:8a:3a:de:c7:c3:fc:
-                    05:35:d2:f3:d4:7b:9d:ef:76:90:c7:49:15:c2:d4:
-                    f2:1a:9e:85:2f:0b:26:0a:45:3e:f2:51:97:92:96:
-                    43:67:f3:15:dc:4a:af:d4:0b:5e:aa:78:5d:f6:8e:
-                    a9:de:22:f4:62:f8:4e:7e:4a:e1:7c:0c:f8:50:79:
-                    a4:85:23:f2:7d:78:98:02:04:17:9e:3f:e0:47:51:
-                    7a:12:d7:84:aa:06:17:4d:4b:77:91:5c:d0:b9:88:
-                    32:15
+                    00:b1:08:9f:8e:29:52:ed:20:71:ae:d9:44:93:65:
+                    c3:11:58:97:29:dc:e2:4a:54:65:ec:d9:0d:e3:75:
+                    9c:52:7d:2e:35:2a:cb:88:70:de:8f:ce:f4:23:13:
+                    16:1d:de:7d:e4:fb:7b:8a:1e:ba:a4:6a:38:bb:c5:
+                    89:69:49:17:9b:74:88:a8:c5:ee:65:4c:f1:96:82:
+                    8e:30:42:e7:9a:9b:9b:e1:e6:5e:b0:c5:3f:46:09:
+                    fe:26:3a:02:b7:f9:a6:4b:43:0e:ed:80:d8:76:12:
+                    e3:34:38:ad:b6:a8:cb:58:9f:0e:77:67:ff:91:77:
+                    d5:63:0f:4c:2b:d4:35:22:68:08:8e:9b:5c:a6:77:
+                    51:ef:e7:3e:e0:8f:53:8f:13:c7:21:fa:c5:98:15:
+                    26:89:08:c0:c8:57:05:56:f5:52:b5:d3:6c:a6:a3:
+                    5f:3c:3c:b1:91:98:ec:0d:85:8c:d5:ad:18:30:9d:
+                    2e:91:f3:92:62:ae:9e:6d:64:4e:9d:ac:c8:88:30:
+                    64:d7:2f:d2:c3:46:fb:fd:f3:a2:69:9f:f0:ee:ef:
+                    6a:eb:e4:58:a2:37:16:46:e2:d0:53:ed:33:1e:ad:
+                    6a:5f:b2:7e:c8:e9:1d:c8:12:ed:ac:35:9d:ba:26:
+                    82:ea:04:be:e1:a5:34:fc:ee:ed:25:a6:6d:cb:fa:
+                    e5:3f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                4E:79:FF:B3:8B:AC:B6:F9:03:36:37:80:74:98:64:CE:82:40:35:AB
+                1C:10:69:49:A1:B6:07:E4:28:8A:C2:C9:80:88:80:93:91:5C:71:2E
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         90:b2:ae:c8:66:49:27:94:9f:2c:9d:b1:3d:5b:30:a4:c0:43:
-         b3:23:63:22:69:18:85:d3:1d:de:65:25:14:fd:ce:d3:dc:29:
-         6b:da:26:d2:eb:4c:16:55:3e:cc:ba:40:1d:65:ee:db:33:9e:
-         e4:d2:91:43:ce:c9:04:cf:42:91:71:10:cd:f4:5a:00:1e:67:
-         9b:16:8d:2c:b2:d2:93:48:44:a5:c2:ff:fc:35:af:c0:f5:21:
-         ab:08:cc:b4:3c:e4:5d:11:6e:8e:1a:5c:04:f7:e0:4f:dc:8a:
-         67:1f:9a:47:46:46:37:3a:e6:5f:47:1d:2b:e0:36:57:d0:9d:
-         f8:54:c8:18:38:87:56:87:80:0d:3c:f9:a9:03:78:87:ac:7f:
-         d1:18:26:28:76:85:37:de:9c:37:8e:6b:e9:91:03:cf:6a:62:
-         87:1b:18:85:0a:93:44:ef:37:65:b9:e5:e7:fa:12:54:34:38:
-         64:f1:9b:fd:8f:77:3c:42:3a:23:8f:96:96:41:91:e0:a4:61:
-         da:b9:2a:d2:9d:20:32:15:3e:7f:6d:f7:b9:58:7f:da:ea:b1:
-         c8:c7:82:9f:82:9c:8a:07:b6:c5:0e:82:73:1d:20:66:95:dc:
-         ce:bc:aa:09:f2:d9:f7:2b:cf:26:e7:b8:b9:6c:12:ce:9c:8a:
-         99:07:85:3a
+    Signature Value:
+        36:a1:f7:1b:af:3c:49:fd:af:13:19:74:79:cf:77:20:92:bb:
+        e7:76:5e:ca:12:be:e2:8d:15:6c:45:5d:70:2a:84:05:c8:b8:
+        f8:3d:34:76:0b:e7:25:5e:f0:dd:fd:08:00:b9:31:b5:72:9b:
+        18:e2:da:7a:bc:da:1a:b8:aa:80:37:ad:51:03:9f:c6:fb:e5:
+        06:13:3e:41:d5:e2:9b:dd:16:43:ad:35:3a:c3:7a:7f:2c:35:
+        6a:cb:bd:74:b9:57:93:1f:24:57:78:3c:9a:5c:f1:51:bd:5d:
+        cf:ae:f2:a9:cb:81:b4:20:93:b4:fd:bf:a3:68:68:ff:15:12:
+        2f:05:1e:54:02:ce:4b:ee:38:c7:5b:fa:01:75:f7:bc:2f:08:
+        ae:6e:d1:ba:20:5b:03:74:80:89:75:80:9f:b5:50:3d:14:b6:
+        94:73:84:2d:38:68:0b:d8:89:8f:42:bc:9b:e1:ed:e6:df:2f:
+        15:ba:ec:41:c9:1e:dc:94:cc:4a:af:68:34:76:92:50:d8:45:
+        47:57:6a:9e:c5:6f:20:59:9e:e6:f1:d8:56:bd:ee:9a:71:7e:
+        4f:08:3c:dc:9b:51:cd:62:a8:c7:7f:df:21:76:6a:90:0c:15:
+        de:6f:b0:04:3b:16:4f:cc:19:7c:06:d0:55:0a:dd:cb:0d:08:
+        59:d6:ac:a3
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzrTANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE1MDQwMjAwMDAwMFoXDTE4MDcwMjAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAK2DeOApWFjRh/65L9gc7AhR6kFuKpEt5z+h
-n8fFCgsLnZi+PtnddZ++Az/HN/FW7noMuquZ80DvK5hT7dnauTgGEiFYQnyzAMuF
-x1PIJVkEb3lwGvpQKZfh4edCXrYO1BSkIjhCRSUCeHrWn+RYsSSlN4nGk5sBsr1c
-K3fBH4h8ZX0MSt3UN7DfAd9g29WUmgBrAlhyg5UH0qo9Nb5rijrex8P8BTXS89R7
-ne92kMdJFcLU8hqehS8LJgpFPvJRl5KWQ2fzFdxKr9QLXqp4XfaOqd4i9GL4Tn5K
-4XwM+FB5pIUj8n14mAIEF54/4EdRehLXhKoGF01Ld5Fc0LmIMhUCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFE55/7OLrLb5AzY3gHSYZM6CQDWrMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQCQsq7IZkknlJ8snbE9WzCkwEOzI2MiaRiF0x3eZSUU/c7T3Clr2ibS60wWVT7M
-ukAdZe7bM57k0pFDzskEz0KRcRDN9FoAHmebFo0sstKTSESlwv/8Na/A9SGrCMy0
-PORdEW6OGlwE9+BP3IpnH5pHRkY3OuZfRx0r4DZX0J34VMgYOIdWh4ANPPmpA3iH
-rH/RGCYodoU33pw3jmvpkQPPamKHGxiFCpNE7zdlueXn+hJUNDhk8Zv9j3c8Qjoj
-j5aWQZHgpGHauSrSnSAyFT5/bfe5WH/a6rHIx4KfgpyKB7bFDoJzHSBmldzOvKoJ
-8tn3K88m57i5bBLOnIqZB4U6
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnEwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNTA0MDIwMDAwMDBaFw0xODA3MDIwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxCJ+OKVLtIHGu2USTZcMRWJcp3OJKVGXs
+2Q3jdZxSfS41KsuIcN6PzvQjExYd3n3k+3uKHrqkaji7xYlpSRebdIioxe5lTPGW
+go4wQueam5vh5l6wxT9GCf4mOgK3+aZLQw7tgNh2EuM0OK22qMtYnw53Z/+Rd9Vj
+D0wr1DUiaAiOm1ymd1Hv5z7gj1OPE8ch+sWYFSaJCMDIVwVW9VK102ymo188PLGR
+mOwNhYzVrRgwnS6R85Jirp5tZE6drMiIMGTXL9LDRvv986Jpn/Du72rr5FiiNxZG
+4tBT7TMerWpfsn7I6R3IEu2sNZ26JoLqBL7hpTT87u0lpm3L+uU/AgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQcEGlJobYH5CiKwsmAiICTkVxxLjAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEANqH3G688Sf2vExl0ec93IJK753ZeyhK+4o0VbEVdcCqEBci4+D00dgvnJV7w
+3f0IALkxtXKbGOLaerzaGriqgDetUQOfxvvlBhM+QdXim90WQ601OsN6fyw1asu9
+dLlXkx8kV3g8mlzxUb1dz67yqcuBtCCTtP2/o2ho/xUSLwUeVALOS+44x1v6AXX3
+vC8Irm7RuiBbA3SAiXWAn7VQPRS2lHOELThoC9iJj0K8m+Ht5t8vFbrsQcke3JTM
+Sq9oNHaSUNhFR1dqnsVvIFme5vHYVr3umnF+Twg83JtRzWKox3/fIXZqkAwV3m+w
+BDsWT8wZfAbQVQrdyw0IWdasow==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/39_months_based_on_last_day.pem b/chromium/net/data/ssl/certificates/39_months_based_on_last_day.pem
index 316b826d20c..84b9ce12966 100644
--- a/chromium/net/data/ssl/certificates/39_months_based_on_last_day.pem
+++ b/chromium/net/data/ssl/certificates/39_months_based_on_last_day.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b1
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:75
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:d1:69:f8:d8:06:fd:7e:b2:c8:c9:e4:20:35:e9:
-                    94:26:00:b2:79:dd:ee:ee:da:88:3e:45:48:23:9b:
-                    dd:ff:27:4f:3c:9f:31:84:cb:d0:dc:55:ed:67:5e:
-                    29:31:3e:62:b6:8a:d6:3d:89:66:74:a7:be:bc:53:
-                    f3:7b:a7:73:6b:22:bd:ab:0f:b9:53:43:d6:85:4d:
-                    ce:7f:7c:74:13:fe:b5:7e:e4:cf:f5:d1:3d:08:2c:
-                    69:7b:0e:26:c8:9c:42:c9:b9:1c:cf:18:f9:9c:b1:
-                    57:a0:bf:23:5e:ae:a3:ad:ca:4e:99:94:76:1c:b9:
-                    4e:98:85:c7:d8:34:6f:1e:0b:8d:1f:3b:3a:0b:4a:
-                    08:8a:aa:00:9e:ad:43:7f:ce:c8:26:63:64:06:d8:
-                    25:68:2a:22:13:15:71:e2:f1:fb:a2:67:15:65:13:
-                    8b:f5:0e:42:64:38:67:ac:60:26:08:0c:26:ab:06:
-                    6c:04:14:84:99:62:24:65:b8:0b:f2:aa:49:1b:54:
-                    c9:cb:f6:0c:ee:35:07:76:96:20:20:5a:94:c2:ec:
-                    8d:85:22:10:54:03:ba:6a:c5:d8:9f:24:cd:61:b8:
-                    5b:59:b4:aa:50:3f:00:a4:ca:3e:ad:bc:60:b6:a1:
-                    14:85:9f:1f:fa:f5:12:12:e0:4a:f4:0a:1f:9b:53:
-                    78:43
+                    00:a6:fd:ce:a0:e7:68:1f:ec:48:5a:cd:9f:73:ee:
+                    17:d1:c5:ba:eb:d4:56:72:9a:d4:1d:94:fc:36:3c:
+                    cb:05:d2:e8:7d:93:3a:49:34:03:3c:d2:72:98:3f:
+                    95:45:78:1a:0f:c9:be:70:f7:ab:91:9a:24:83:e8:
+                    46:10:80:52:af:06:a8:3c:8a:f5:f7:ea:4c:25:81:
+                    f1:7a:62:ff:91:14:34:e7:ae:26:2d:c3:55:a8:46:
+                    34:33:1f:ee:87:4d:93:ae:7d:9b:8a:4c:85:02:c0:
+                    7e:b0:4c:a1:eb:cb:71:a3:9d:e2:0e:2b:b9:cb:80:
+                    76:3d:58:4c:1d:5f:0a:de:cc:14:f8:69:2f:ce:b5:
+                    43:55:f4:c6:8b:24:d6:55:4d:0d:74:62:d1:7f:e1:
+                    95:4c:c8:fc:99:ae:9a:1b:e7:07:d8:48:7c:f7:3c:
+                    1d:8a:8c:f0:20:99:88:ed:ca:aa:cc:c1:44:1e:10:
+                    e8:95:05:ca:a2:0d:93:c0:40:bf:1f:bc:5b:b5:da:
+                    19:63:96:04:57:32:99:0f:f3:f7:f1:a3:ed:df:6c:
+                    32:df:94:71:41:fe:e7:9a:d8:c5:ab:24:6d:26:82:
+                    eb:aa:2b:aa:6d:67:90:d4:cf:d9:11:e6:87:e1:b6:
+                    e7:24:c0:47:7a:ee:55:ba:87:a9:2f:b0:93:79:a4:
+                    08:09
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                89:7E:84:3E:C3:70:4C:88:08:95:76:5B:8E:C7:F2:6E:BD:A2:D0:56
+                E7:91:F7:13:99:EC:1E:9C:81:43:8A:DA:A5:63:5B:93:3C:79:07:B6
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         06:ec:c1:c0:db:75:19:05:bf:1f:df:ab:54:7e:b9:61:76:f3:
-         f7:d8:2f:91:27:d8:46:68:0e:fc:3e:d8:be:55:c4:e8:15:60:
-         76:a0:e8:98:cd:95:71:97:3a:5b:c6:0e:d7:d1:0e:72:97:fd:
-         f6:aa:f1:b4:22:cd:1d:9a:b0:91:d4:f0:18:c0:7b:cf:d7:4c:
-         7e:d7:3a:28:9a:67:fc:41:c3:81:84:73:b5:50:a2:96:52:77:
-         7a:e9:d2:7d:0c:34:4d:0d:cb:d3:8c:42:56:8a:66:af:cb:7a:
-         6e:34:cf:19:f2:d8:08:a2:61:b4:eb:db:f5:96:08:18:fb:d5:
-         a7:a3:c9:0f:7b:3d:db:72:c8:d2:da:25:2c:4d:b7:5a:c8:26:
-         e5:18:94:04:53:ee:ab:30:17:d8:7d:3e:df:9e:ac:37:32:05:
-         f6:3e:10:b4:8b:09:1b:6c:4f:37:b5:c2:81:06:eb:98:87:1d:
-         24:5d:f9:c8:52:30:70:ca:a5:68:6c:58:60:51:d3:bf:d6:56:
-         7a:95:93:26:40:64:c9:93:23:3d:d3:7d:fa:34:9b:94:45:d5:
-         5a:76:df:b7:83:76:3f:a6:9f:ce:97:50:7d:80:10:64:d6:31:
-         20:f2:bf:bc:68:3e:63:6c:90:47:26:1d:bb:0b:b3:f8:61:5e:
-         9e:23:7c:2b
+    Signature Value:
+        7e:4c:5b:7e:32:78:be:ee:68:bc:8c:de:1d:0e:d1:86:44:8d:
+        40:d5:42:2e:79:89:18:88:b7:9c:b5:f8:b4:89:ef:f7:8a:dc:
+        32:3d:6c:a9:b7:ef:2a:86:1f:72:fb:aa:7d:86:10:4f:b0:3e:
+        7b:39:6f:ab:2b:f2:20:d9:dc:44:82:8b:d7:54:9c:a4:6f:9f:
+        bd:12:35:5d:29:56:53:b1:83:92:aa:bd:ea:3c:89:16:76:e9:
+        15:64:5d:c5:cb:60:b2:ba:7c:88:c6:66:b3:8a:13:1a:f1:a8:
+        03:c4:7b:8c:eb:11:86:e6:2f:28:87:55:6f:7d:94:e5:e7:a6:
+        8f:1d:3a:b7:fa:de:da:53:54:27:8f:0f:14:f6:34:91:11:8a:
+        29:18:a7:01:3c:b3:a0:94:57:6b:d2:c3:b7:e8:51:60:43:c3:
+        40:20:5c:ee:be:04:27:4f:b9:0f:16:84:5d:91:43:ae:03:6d:
+        cd:81:f9:e4:ad:ff:ed:09:86:6f:4c:bb:3b:5f:6a:ef:2e:e9:
+        2f:fc:ae:d8:b7:cd:f2:0e:49:ef:46:ef:7e:42:33:3b:c2:00:
+        a1:59:8e:07:6b:17:51:c2:62:1b:3e:92:70:58:7d:c9:22:4a:
+        2d:f6:b9:49:87:93:b5:10:61:34:1c:65:ef:6b:de:30:7d:3f:
+        68:45:cf:7a
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzsTANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE3MDIyODAwMDAwMFoXDTIwMDUzMDAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBANFp+NgG/X6yyMnkIDXplCYAsnnd7u7aiD5F
-SCOb3f8nTzyfMYTL0NxV7WdeKTE+YraK1j2JZnSnvrxT83unc2sivasPuVND1oVN
-zn98dBP+tX7kz/XRPQgsaXsOJsicQsm5HM8Y+ZyxV6C/I16uo63KTpmUdhy5TpiF
-x9g0bx4LjR87OgtKCIqqAJ6tQ3/OyCZjZAbYJWgqIhMVceLx+6JnFWUTi/UOQmQ4
-Z6xgJggMJqsGbAQUhJliJGW4C/KqSRtUycv2DO41B3aWICBalMLsjYUiEFQDumrF
-2J8kzWG4W1m0qlA/AKTKPq28YLahFIWfH/r1EhLgSvQKH5tTeEMCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFIl+hD7DcEyICJV2W47H8m69otBWMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQAG7MHA23UZBb8f36tUfrlhdvP32C+RJ9hGaA78Pti+VcToFWB2oOiYzZVxlzpb
-xg7X0Q5yl/32qvG0Is0dmrCR1PAYwHvP10x+1zoommf8QcOBhHO1UKKWUnd66dJ9
-DDRNDcvTjEJWimavy3puNM8Z8tgIomG069v1lggY+9Wno8kPez3bcsjS2iUsTbda
-yCblGJQEU+6rMBfYfT7fnqw3MgX2PhC0iwkbbE83tcKBBuuYhx0kXfnIUjBwyqVo
-bFhgUdO/1lZ6lZMmQGTJkyM90336NJuURdVadt+3g3Y/pp/Ol1B9gBBk1jEg8r+8
-aD5jbJBHJh27C7P4YV6eI3wr
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnUwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNzAyMjgwMDAwMDBaFw0yMDA1MzAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCm/c6g52gf7EhazZ9z7hfRxbrr1FZymtQd
+lPw2PMsF0uh9kzpJNAM80nKYP5VFeBoPyb5w96uRmiSD6EYQgFKvBqg8ivX36kwl
+gfF6Yv+RFDTnriYtw1WoRjQzH+6HTZOufZuKTIUCwH6wTKHry3GjneIOK7nLgHY9
+WEwdXwrezBT4aS/OtUNV9MaLJNZVTQ10YtF/4ZVMyPyZrpob5wfYSHz3PB2KjPAg
+mYjtyqrMwUQeEOiVBcqiDZPAQL8fvFu12hljlgRXMpkP8/fxo+3fbDLflHFB/uea
+2MWrJG0mguuqK6ptZ5DUz9kR5ofhtuckwEd67lW6h6kvsJN5pAgJAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTnkfcTmewenIFDitqlY1uTPHkHtjAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAfkxbfjJ4vu5ovIzeHQ7RhkSNQNVCLnmJGIi3nLX4tInv94rcMj1sqbfvKoYf
+cvuqfYYQT7A+ezlvqyvyINncRIKL11ScpG+fvRI1XSlWU7GDkqq96jyJFnbpFWRd
+xctgsrp8iMZms4oTGvGoA8R7jOsRhuYvKIdVb32U5eemjx06t/re2lNUJ48PFPY0
+kRGKKRinATyzoJRXa9LDt+hRYEPDQCBc7r4EJ0+5DxaEXZFDrgNtzYH55K3/7QmG
+b0y7O19q7y7pL/yu2LfN8g5J70bvfkIzO8IAoVmOB2sXUcJiGz6ScFh9ySJKLfa5
+SYeTtRBhNBxl72veMH0/aEXPeg==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/40_months_after_2015_04.pem b/chromium/net/data/ssl/certificates/40_months_after_2015_04.pem
index 9384f5fb940..c07d1217f73 100644
--- a/chromium/net/data/ssl/certificates/40_months_after_2015_04.pem
+++ b/chromium/net/data/ssl/certificates/40_months_after_2015_04.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:ae
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:72
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:b9:b8:df:f4:94:68:b3:71:59:fb:f9:01:62:0e:
-                    c3:63:db:0d:8f:87:3f:58:77:e9:71:a2:48:f6:d2:
-                    19:d4:a1:b7:08:2e:6a:68:22:1c:9c:d5:48:86:cf:
-                    e5:af:5a:05:2e:2d:f9:de:b3:3a:d2:cf:40:86:75:
-                    8b:a1:fb:38:e0:ac:5b:ea:14:4a:31:0f:ec:fb:2d:
-                    36:53:ed:39:a4:fb:3f:f8:0f:92:9b:cf:f0:82:21:
-                    ac:de:08:35:89:ed:a1:a2:b9:19:19:f3:0d:09:e4:
-                    56:93:5e:83:c9:55:8f:c4:63:bc:48:53:52:f7:6c:
-                    7e:1a:f8:63:2b:af:c5:e6:ec:f9:93:42:80:ff:20:
-                    1c:e6:55:c9:97:74:67:38:2f:59:c9:fa:6e:f0:2d:
-                    a3:12:bf:e8:28:05:62:a6:64:48:3f:3a:28:2f:08:
-                    87:8d:66:b6:a1:c6:00:2f:52:69:9b:e3:96:fa:f1:
-                    f2:3b:b8:34:3c:ef:cb:b5:2b:8c:d9:38:49:32:09:
-                    ef:c9:26:ab:c6:f0:90:32:2c:4e:f9:63:0b:c0:bf:
-                    fd:a3:8b:c9:de:9a:13:69:fd:08:f9:51:4a:b0:7d:
-                    85:de:4e:b7:57:a3:04:8f:41:6a:2f:5b:53:0a:d8:
-                    d0:dc:b3:88:b1:57:59:4a:7c:23:65:29:54:b0:11:
-                    57:eb
+                    00:a5:0f:16:e1:16:18:40:db:ce:15:87:a1:aa:d3:
+                    1f:49:59:b6:38:e8:5d:f3:ed:f3:b0:29:04:c3:57:
+                    ea:5a:7c:22:6b:ce:77:db:de:4d:d9:04:51:5c:f8:
+                    06:74:fb:ec:d2:87:b2:96:fe:b4:b3:34:81:ae:9f:
+                    a1:a1:c0:49:4b:d7:e8:bf:68:91:d4:57:f2:8d:1d:
+                    0d:f5:92:c5:b5:fd:0b:bb:5f:51:8a:94:26:11:36:
+                    3c:56:5e:c4:86:2b:1a:f5:df:1e:02:f5:e4:50:da:
+                    76:b2:66:89:10:42:45:76:4a:32:09:fc:f7:13:2e:
+                    cb:ff:e3:94:3e:80:64:0e:c7:84:b2:a1:8e:01:a0:
+                    30:4f:c0:bd:f3:20:36:7b:f6:b1:26:d7:c5:4f:17:
+                    c9:be:fc:2a:aa:e7:bc:0c:57:71:82:a0:3e:39:15:
+                    0d:c5:95:79:44:1a:dd:ec:d3:e0:cc:ae:32:c8:00:
+                    26:ed:da:f3:74:6e:5e:02:7e:02:bb:c1:a7:9c:d9:
+                    3d:03:dc:b9:97:99:24:f3:72:58:8b:1d:0f:87:c2:
+                    b2:15:2f:f9:27:77:6b:4d:d4:7d:1d:12:56:07:b9:
+                    ad:bf:e8:93:af:92:fb:b3:83:76:f8:a8:7f:e3:d4:
+                    28:a8:20:55:3c:66:39:8a:e9:0e:71:a1:78:9a:3b:
+                    da:e5
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                05:F2:4B:B7:C9:31:11:E1:F3:37:96:A5:FE:41:86:0C:FC:A9:47:E3
+                0C:63:B5:F8:FD:66:75:20:B7:40:9F:23:75:69:F4:49:D2:0E:BE:10
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         64:8b:0d:b4:b6:a5:78:82:28:1c:01:9b:ff:1a:1a:c8:e5:12:
-         34:91:ba:dc:ba:5b:8c:27:3e:e1:2d:9c:8d:84:04:14:aa:32:
-         4a:7d:a2:43:8d:08:f6:c9:48:6b:13:8a:81:0a:8f:6b:5a:c9:
-         fb:2a:95:cb:b0:66:35:45:01:04:a6:ed:31:15:a3:1d:f8:24:
-         16:95:d1:9e:93:3f:6a:fd:d6:8e:19:da:89:62:df:09:11:47:
-         5d:b8:83:d8:59:07:91:1e:c1:3c:03:b6:2f:ad:f3:ed:8c:09:
-         3a:06:73:12:93:a2:31:66:55:1d:32:40:a8:e5:7d:0a:88:4d:
-         67:53:ba:dd:d9:43:57:36:81:e3:ef:cf:a4:56:10:f7:28:9a:
-         00:d2:0e:45:c1:31:e1:89:48:db:4e:8c:df:22:02:04:a0:4e:
-         85:2f:7b:3b:9f:84:79:c0:10:90:18:43:d6:2d:2e:15:bf:2b:
-         8d:62:0d:c3:ce:54:9e:8c:09:f3:fa:f6:24:78:2d:c1:81:a7:
-         ec:65:1d:5a:a6:29:6c:fe:a0:8e:0a:df:45:55:55:73:24:99:
-         ac:62:82:ed:56:ef:5a:5a:d0:55:67:27:df:01:5d:9d:ec:04:
-         c1:bd:46:58:5c:20:23:b5:d8:02:7f:50:43:ec:e8:e3:fb:79:
-         7f:87:7a:5c
+    Signature Value:
+        38:26:c3:05:63:87:a9:a0:3f:de:4a:c5:05:59:9a:3c:fe:7a:
+        b4:9b:83:a3:97:7a:55:9f:c1:41:8a:e6:dc:ee:5f:38:73:c6:
+        ab:23:ce:20:1b:a0:02:b4:1f:d3:02:41:d4:7d:0f:c5:ee:ad:
+        c2:e0:ba:3a:1a:1e:55:c6:24:6a:ac:f7:6a:fd:01:92:f6:fe:
+        7e:e2:d1:d8:0a:8c:4e:fe:50:54:66:00:6f:fa:c7:fb:4d:29:
+        f7:8c:ac:37:0b:a4:24:94:ce:e4:65:6b:85:0f:c2:df:92:bb:
+        7f:39:62:c3:49:30:c9:59:e4:6b:8b:97:9c:71:17:58:c0:fd:
+        b9:3b:cc:f5:d0:d9:cd:e7:6d:ac:7a:b4:5e:df:45:23:e9:77:
+        4a:f5:dc:79:7f:a4:89:e9:26:bc:49:81:f1:52:76:b0:f5:2e:
+        64:3f:ab:cc:e7:8b:92:6e:3d:d5:05:90:13:fc:8f:1f:26:4e:
+        2f:2b:e9:a2:3f:39:88:98:36:b0:62:7c:65:3c:58:5c:c0:0f:
+        98:97:fa:ac:6d:f2:27:94:20:1c:d8:5b:e2:17:95:8b:5b:c1:
+        c4:74:b2:90:b3:98:6e:be:79:bf:b1:c6:94:4a:7c:56:de:f3:
+        99:04:cf:5c:5b:2a:79:8a:87:6e:68:17:4c:b4:19:42:8b:b6:
+        cd:2f:ea:cf
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzrjANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE1MDQwMjAwMDAwMFoXDTE4MDgwMTAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBALm43/SUaLNxWfv5AWIOw2PbDY+HP1h36XGi
-SPbSGdShtwguamgiHJzVSIbP5a9aBS4t+d6zOtLPQIZ1i6H7OOCsW+oUSjEP7Pst
-NlPtOaT7P/gPkpvP8IIhrN4INYntoaK5GRnzDQnkVpNeg8lVj8RjvEhTUvdsfhr4
-Yyuvxebs+ZNCgP8gHOZVyZd0ZzgvWcn6bvAtoxK/6CgFYqZkSD86KC8Ih41mtqHG
-AC9SaZvjlvrx8ju4NDzvy7UrjNk4STIJ78kmq8bwkDIsTvljC8C//aOLyd6aE2n9
-CPlRSrB9hd5Ot1ejBI9Bai9bUwrY0NyziLFXWUp8I2UpVLARV+sCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAXyS7fJMRHh8zeWpf5Bhgz8qUfjMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQBkiw20tqV4gigcAZv/GhrI5RI0kbrculuMJz7hLZyNhAQUqjJKfaJDjQj2yUhr
-E4qBCo9rWsn7KpXLsGY1RQEEpu0xFaMd+CQWldGekz9q/daOGdqJYt8JEUdduIPY
-WQeRHsE8A7YvrfPtjAk6BnMSk6IxZlUdMkCo5X0KiE1nU7rd2UNXNoHj78+kVhD3
-KJoA0g5FwTHhiUjbTozfIgIEoE6FL3s7n4R5wBCQGEPWLS4VvyuNYg3DzlSejAnz
-+vYkeC3BgafsZR1apils/qCOCt9FVVVzJJmsYoLtVu9aWtBVZyffAV2d7ATBvUZY
-XCAjtdgCf1BD7Ojj+3l/h3pc
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnIwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNTA0MDIwMDAwMDBaFw0xODA4MDEwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQClDxbhFhhA284Vh6Gq0x9JWbY46F3z7fOw
+KQTDV+pafCJrznfb3k3ZBFFc+AZ0++zSh7KW/rSzNIGun6GhwElL1+i/aJHUV/KN
+HQ31ksW1/Qu7X1GKlCYRNjxWXsSGKxr13x4C9eRQ2nayZokQQkV2SjIJ/PcTLsv/
+45Q+gGQOx4SyoY4BoDBPwL3zIDZ79rEm18VPF8m+/Cqq57wMV3GCoD45FQ3FlXlE
+Gt3s0+DMrjLIACbt2vN0bl4CfgK7waec2T0D3LmXmSTzcliLHQ+HwrIVL/knd2tN
+1H0dElYHua2/6JOvkvuzg3b4qH/j1CioIFU8ZjmK6Q5xoXiaO9rlAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQMY7X4/WZ1ILdAnyN1afRJ0g6+EDAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAOCbDBWOHqaA/3krFBVmaPP56tJuDo5d6VZ/BQYrm3O5fOHPGqyPOIBugArQf
+0wJB1H0Pxe6twuC6OhoeVcYkaqz3av0Bkvb+fuLR2AqMTv5QVGYAb/rH+00p94ys
+NwukJJTO5GVrhQ/C35K7fzliw0kwyVnka4uXnHEXWMD9uTvM9dDZzedtrHq0Xt9F
+I+l3SvXceX+kiekmvEmB8VJ2sPUuZD+rzOeLkm491QWQE/yPHyZOLyvpoj85iJg2
+sGJ8ZTxYXMAPmJf6rG3yJ5QgHNhb4heVi1vBxHSykLOYbr55v7HGlEp8Vt7zmQTP
+XFsqeYqHbmgXTLQZQou2zS/qzw==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/60_months_after_2012_07.pem b/chromium/net/data/ssl/certificates/60_months_after_2012_07.pem
index f1791507687..4ca5f5234ea 100644
--- a/chromium/net/data/ssl/certificates/60_months_after_2012_07.pem
+++ b/chromium/net/data/ssl/certificates/60_months_after_2012_07.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:af
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:73
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:e6:28:2a:da:c6:a6:1a:e6:ff:0b:8b:b8:07:7d:
-                    71:62:32:70:79:a6:e9:b5:5f:d6:e5:6e:c0:2b:16:
-                    b0:b1:88:cd:b6:99:00:9d:dd:fd:8d:0b:b7:fd:04:
-                    10:4c:ce:7c:fd:85:f8:54:df:f4:90:ea:52:d1:34:
-                    ba:49:c7:0d:91:35:a6:66:c5:10:77:92:6a:c2:40:
-                    f1:9a:25:07:18:a9:44:36:76:51:6b:75:7e:34:3d:
-                    41:69:31:99:6f:19:2b:ee:fd:03:3e:ad:46:cc:3c:
-                    2c:5c:6a:7b:5a:23:b5:2c:fd:06:a6:73:d9:2f:b5:
-                    bf:3c:a1:12:91:e6:87:c6:b4:f1:f1:f2:db:84:a1:
-                    05:22:79:94:47:85:69:80:93:7c:b3:da:52:34:a9:
-                    ed:af:7f:f4:6b:24:15:78:e1:c2:e4:6e:50:1c:08:
-                    5f:e9:c3:a3:df:ef:7d:c5:03:c5:1a:8f:fa:e5:89:
-                    d6:d2:66:fb:bb:d3:e3:85:c3:69:5d:91:fe:62:d0:
-                    c2:29:7c:55:2a:e7:53:4c:6c:af:de:0e:35:4e:e5:
-                    5b:ca:97:6e:63:cf:11:1a:f8:78:f2:7b:82:78:1c:
-                    e4:da:d4:69:a5:e2:ac:f3:ae:d8:ab:7e:01:02:9c:
-                    1e:b6:02:cb:8a:d3:a4:90:c8:d7:40:ad:04:34:c4:
-                    b7:d9
+                    00:d4:fa:d1:99:fe:2d:7a:82:e4:72:af:58:76:bb:
+                    bb:bc:04:03:a2:57:54:75:1b:f3:48:11:aa:eb:97:
+                    05:02:8c:71:49:ec:b5:5f:a6:d0:18:c5:60:e1:04:
+                    59:3f:64:a2:96:ca:45:8b:37:82:14:7f:d9:07:fb:
+                    97:0d:64:9d:7f:ce:19:56:0e:dc:2c:e0:40:7f:86:
+                    a0:ad:9b:bf:f9:84:1e:7f:23:22:e8:35:0a:fb:ee:
+                    9a:ce:2b:00:48:53:71:86:b2:31:3e:b2:30:0d:79:
+                    d7:05:56:72:e3:95:98:c3:1e:bf:cc:cf:90:54:8e:
+                    2d:39:c8:2f:bb:3c:05:41:36:4a:2c:b7:c1:0d:4a:
+                    f6:44:02:da:d4:bf:84:9f:66:d7:30:bd:82:b1:92:
+                    f1:73:4f:53:4d:c8:d3:74:73:42:69:bc:0b:18:e0:
+                    03:51:b7:85:ca:71:74:a1:17:5d:37:22:43:86:c0:
+                    92:25:98:a9:83:49:b9:d2:97:f8:15:eb:58:d2:13:
+                    bd:4a:39:33:07:50:db:cb:fc:49:8b:ae:ab:df:42:
+                    14:c1:92:dd:93:da:c4:7a:c9:f8:4d:c2:d8:87:b6:
+                    e4:f5:0e:92:09:4a:6d:f5:30:53:14:07:ea:c5:7c:
+                    ef:93:84:09:25:e0:c7:8a:17:84:a6:76:91:1d:64:
+                    24:73
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                09:D0:DD:8E:5B:59:24:C0:DF:1F:44:F1:2C:FC:53:21:6A:FE:59:5C
+                29:81:75:1D:D1:AE:EE:50:EB:91:E2:57:31:51:5D:3A:0E:99:10:1C
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         5d:ca:fd:89:fe:ca:59:e6:7a:db:d0:49:3d:7d:55:a5:0e:b4:
-         fe:13:49:f5:01:3d:c8:b0:43:27:82:5d:35:ff:21:d6:f2:47:
-         09:ca:2e:9a:9f:1d:dd:e7:7a:70:5c:7b:f4:d8:d0:a4:bf:3e:
-         cb:24:20:e9:5c:ed:66:da:f9:04:07:7c:b1:32:ed:dc:7d:c6:
-         5a:0b:6e:7a:a1:d6:52:6f:09:d3:ed:6b:2b:0b:86:ef:4b:3f:
-         84:75:a9:03:ba:4e:cc:d2:25:4d:a1:67:e7:a3:89:87:a8:96:
-         63:56:1f:e9:08:76:f5:f5:2e:98:66:e0:c0:43:68:54:b5:1f:
-         4d:51:8c:a7:62:1e:5c:7b:59:50:92:e1:0a:4a:e5:03:db:99:
-         41:d7:ec:6f:33:69:b9:aa:59:68:cb:92:9b:61:f7:b4:47:a2:
-         5f:f2:25:05:6a:c2:b7:91:e9:26:2e:26:47:d6:e7:30:7a:41:
-         97:21:91:ce:a6:ec:72:db:d7:46:11:8f:aa:76:e1:3f:fb:71:
-         47:f9:ac:b4:3d:8a:ab:60:3d:01:89:3e:85:c6:81:a7:c1:ed:
-         60:f2:a5:a0:9e:72:10:de:5e:11:78:bf:45:58:ce:2b:43:ff:
-         a4:2e:3d:36:4b:68:76:ba:6a:38:7a:fe:53:7a:bc:3f:ad:af:
-         b9:6f:f8:a5
+    Signature Value:
+        8d:b4:56:2d:06:e1:b6:68:00:d4:02:56:5f:a2:6e:b1:1a:58:
+        b7:66:98:05:9b:9a:56:20:db:17:f1:7a:5e:32:e5:7a:88:ef:
+        dd:ec:92:b3:41:02:f9:d6:ae:17:85:49:8d:e9:df:e4:69:ee:
+        c5:74:40:d4:3a:63:4d:99:cb:65:3c:f3:cc:83:82:c0:fe:3c:
+        bf:80:df:bf:7b:33:f1:b5:2e:04:b0:9f:31:9f:40:23:1c:5b:
+        8f:dd:b1:7a:e9:4e:2c:81:ff:77:00:e8:04:f4:99:54:0d:be:
+        0d:a8:44:71:9f:b7:62:ce:99:b3:10:c3:47:34:e1:42:e4:d6:
+        07:e1:66:91:ae:0a:62:f8:b5:35:0b:ab:08:c8:da:be:5b:74:
+        03:5c:ad:1e:2c:82:bf:9a:b1:3e:88:ed:47:26:18:ba:07:31:
+        93:aa:ed:00:3f:89:c3:61:a6:7d:23:49:f3:47:4b:c5:72:cc:
+        ff:64:21:c7:5e:81:65:f7:6b:8f:03:a2:e9:b9:b7:b6:be:ed:
+        bf:51:4b:64:96:98:37:15:06:5f:17:33:85:46:15:e1:d7:04:
+        65:e4:65:f1:ef:60:01:ca:82:70:7f:69:71:2f:fc:ca:8e:64:
+        b3:a4:0e:74:31:e7:61:28:89:48:b3:29:b6:66:52:69:f7:e1:
+        1e:51:8d:09
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzrzANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE0MTAzMDAwMDAwMFoXDTE5MDkzMDAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAOYoKtrGphrm/wuLuAd9cWIycHmm6bVf1uVu
-wCsWsLGIzbaZAJ3d/Y0Lt/0EEEzOfP2F+FTf9JDqUtE0uknHDZE1pmbFEHeSasJA
-8ZolBxipRDZ2UWt1fjQ9QWkxmW8ZK+79Az6tRsw8LFxqe1ojtSz9BqZz2S+1vzyh
-EpHmh8a08fHy24ShBSJ5lEeFaYCTfLPaUjSp7a9/9GskFXjhwuRuUBwIX+nDo9/v
-fcUDxRqP+uWJ1tJm+7vT44XDaV2R/mLQwil8VSrnU0xsr94ONU7lW8qXbmPPERr4
-ePJ7gngc5NrUaaXirPOu2Kt+AQKcHrYCy4rTpJDI10CtBDTEt9kCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAnQ3Y5bWSTA3x9E8Sz8UyFq/llcMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQBdyv2J/spZ5nrb0Ek9fVWlDrT+E0n1AT3IsEMngl01/yHW8kcJyi6anx3d53pw
-XHv02NCkvz7LJCDpXO1m2vkEB3yxMu3cfcZaC256odZSbwnT7WsrC4bvSz+EdakD
-uk7M0iVNoWfno4mHqJZjVh/pCHb19S6YZuDAQ2hUtR9NUYynYh5ce1lQkuEKSuUD
-25lB1+xvM2m5qlloy5KbYfe0R6Jf8iUFasK3kekmLiZH1ucwekGXIZHOpuxy29dG
-EY+qduE/+3FH+ay0PYqrYD0BiT6FxoGnwe1g8qWgnnIQ3l4ReL9FWM4rQ/+kLj02
-S2h2umo4ev5Terw/ra+5b/il
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnMwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNDEwMzAwMDAwMDBaFw0xOTA5MzAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDU+tGZ/i16guRyr1h2u7u8BAOiV1R1G/NI
+EarrlwUCjHFJ7LVfptAYxWDhBFk/ZKKWykWLN4IUf9kH+5cNZJ1/zhlWDtws4EB/
+hqCtm7/5hB5/IyLoNQr77prOKwBIU3GGsjE+sjANedcFVnLjlZjDHr/Mz5BUji05
+yC+7PAVBNkost8ENSvZEAtrUv4SfZtcwvYKxkvFzT1NNyNN0c0JpvAsY4ANRt4XK
+cXShF103IkOGwJIlmKmDSbnSl/gV61jSE71KOTMHUNvL/EmLrqvfQhTBkt2T2sR6
+yfhNwtiHtuT1DpIJSm31MFMUB+rFfO+ThAkl4MeKF4SmdpEdZCRzAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQpgXUd0a7uUOuR4lcxUV06DpkQHDAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAjbRWLQbhtmgA1AJWX6JusRpYt2aYBZuaViDbF/F6XjLleojv3eySs0EC+dau
+F4VJjenf5GnuxXRA1DpjTZnLZTzzzIOCwP48v4Dfv3sz8bUuBLCfMZ9AIxxbj92x
+eulOLIH/dwDoBPSZVA2+DahEcZ+3Ys6ZsxDDRzThQuTWB+Fmka4KYvi1NQurCMja
+vlt0A1ytHiyCv5qxPojtRyYYugcxk6rtAD+Jw2GmfSNJ80dLxXLM/2Qhx16BZfdr
+jwOi6bm3tr7tv1FLZJaYNxUGXxczhUYV4dcEZeRl8e9gAcqCcH9pcS/8yo5ks6QO
+dDHnYSiJSLMptmZSaffhHlGNCQ==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/61_months_after_2012_07.pem b/chromium/net/data/ssl/certificates/61_months_after_2012_07.pem
index 92d288ab04e..8f9d360a9b1 100644
--- a/chromium/net/data/ssl/certificates/61_months_after_2012_07.pem
+++ b/chromium/net/data/ssl/certificates/61_months_after_2012_07.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b0
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:74
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:af:c9:e5:18:11:50:55:be:1d:36:25:c5:f8:6a:
-                    03:08:11:d8:60:a5:e8:ea:29:56:29:4b:8b:01:71:
-                    c7:5a:c3:67:fc:29:12:32:f7:92:e6:9f:82:01:25:
-                    5a:3f:aa:64:ef:3c:0c:ec:83:f8:94:a0:cd:d6:ec:
-                    9c:32:4e:8d:59:58:be:94:4a:ad:a7:ed:1e:48:32:
-                    22:43:8f:13:3b:ee:a7:70:8b:65:90:92:5a:06:f5:
-                    f6:39:ff:e7:e2:b7:28:d5:d7:19:d8:a8:1f:47:4a:
-                    8c:18:12:b9:41:83:63:61:5b:22:4a:93:01:5c:92:
-                    ad:5c:1c:5e:c9:45:45:fc:0a:46:bf:31:cf:d5:a6:
-                    01:b3:07:c4:70:66:b6:a3:a7:62:7c:9b:0e:f0:0e:
-                    84:ad:a8:24:81:7c:8a:9d:8d:4b:ef:46:ec:6e:e7:
-                    ad:8f:d3:a8:86:8a:bd:f7:38:32:e2:92:0a:03:c1:
-                    bb:b5:fc:c1:32:5a:4e:a6:e1:ea:6e:51:f9:bd:5c:
-                    b1:ed:6e:06:c6:ad:83:8d:0c:18:b6:3a:a1:e3:4f:
-                    91:4f:e4:48:fc:de:fc:df:b5:e4:dc:15:01:17:05:
-                    cb:09:8d:aa:01:6d:a1:8b:b8:ca:5f:93:9a:22:9c:
-                    c4:9b:2f:cc:97:7f:a0:54:4e:a6:6b:32:e0:b4:44:
-                    0a:f9
+                    00:a0:11:b9:0c:12:b6:cc:db:8a:b7:7f:a4:c9:26:
+                    b9:44:ef:2f:8f:9a:57:00:d2:21:c0:a3:6d:0d:88:
+                    59:12:62:19:ba:71:6c:c6:98:cc:44:d3:de:aa:88:
+                    bc:64:38:cc:78:13:a5:5d:76:7a:4b:c8:d2:8e:67:
+                    64:61:81:61:4f:1e:69:11:ca:ec:c1:80:d0:ea:21:
+                    a4:ab:56:8b:e5:74:e8:0d:05:f8:6a:dd:3b:c6:73:
+                    c4:3f:b7:f1:ab:c1:55:f7:df:3f:7f:ba:36:d9:c1:
+                    6b:2d:6e:d7:93:96:87:9e:ee:00:57:d5:59:50:6d:
+                    82:9b:ab:2a:52:7e:c0:b8:be:34:8f:08:6b:ad:c6:
+                    b5:90:0c:80:ff:3f:68:05:c9:a5:5c:9a:ba:8c:49:
+                    4a:d4:b9:87:42:1d:47:42:ff:17:8f:df:55:e1:b9:
+                    f9:14:6b:08:8f:4f:de:65:59:71:1c:51:1a:58:56:
+                    96:de:ca:d1:09:0d:c1:0a:b0:19:74:45:46:38:16:
+                    7b:1a:0a:32:e0:35:34:60:83:c4:63:cb:53:34:2d:
+                    4b:f7:c8:8e:88:75:13:95:70:9f:ff:cf:f0:10:64:
+                    b3:6c:22:ca:13:3e:65:fb:a2:fb:0c:01:80:b7:64:
+                    d8:ee:0b:4c:18:fc:02:9d:fd:6c:ba:ba:46:cb:f8:
+                    05:d5
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                F0:77:4A:12:74:66:41:8F:37:1D:B9:A2:05:9A:A3:51:4F:73:7F:36
+                60:ED:A6:AB:09:02:D8:2C:54:39:D5:78:E5:E1:A1:09:44:B0:55:21
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         2a:e2:82:7e:67:53:06:70:28:29:27:66:13:76:5c:7a:f2:8b:
-         d2:ac:d7:24:eb:b2:c0:16:c9:ab:e4:20:45:d5:4c:fa:22:04:
-         48:49:2e:3f:3f:23:43:bf:6b:ec:9d:e7:e3:5a:6b:ef:47:ee:
-         b3:8c:db:91:a5:0c:fa:51:c6:32:99:5f:3d:ba:2b:ab:fc:66:
-         09:7f:33:4e:b4:19:24:ba:21:95:9d:90:a7:8c:d6:55:9a:c1:
-         d3:34:0f:8c:a1:27:8d:8a:1e:36:af:88:66:40:89:b0:9c:af:
-         23:92:0c:77:6a:96:07:17:68:90:97:56:d0:b6:3d:33:39:8a:
-         79:73:54:66:04:76:73:b6:1a:04:d3:ee:e3:2b:b2:56:ee:5e:
-         c3:61:56:1a:2d:f0:f1:cb:22:a0:58:b6:80:ca:11:1d:7d:42:
-         0f:5d:23:04:c0:ab:7c:3a:3f:99:0c:54:85:55:99:4a:43:24:
-         e1:77:42:66:25:98:05:a8:ab:65:de:05:30:54:20:ee:e9:25:
-         0a:87:e8:ed:71:62:b7:00:82:63:0a:3d:88:1b:f4:5a:24:f9:
-         90:45:5b:e7:e7:dc:f1:0e:b2:58:fc:52:0c:32:8b:7b:0e:70:
-         02:d0:78:ec:8c:61:c7:14:50:5f:8f:ce:4b:12:ac:9a:9f:fb:
-         f7:c4:af:05
+    Signature Value:
+        bc:7e:07:ce:f1:cf:0a:be:b5:27:bf:42:34:cf:8e:c4:19:e0:
+        60:c2:f9:e2:a8:e8:73:b9:75:30:5b:34:6a:3d:5a:95:b8:e7:
+        58:88:5e:48:62:70:06:7c:51:d8:17:d2:fb:4d:2c:48:4f:23:
+        2a:c3:b9:ca:0c:6a:f6:a9:d8:8c:b1:78:a6:45:9d:d3:d7:03:
+        1a:b5:64:c9:fc:92:05:ea:ea:da:e7:97:b8:67:53:d0:3b:46:
+        d8:00:28:16:ff:15:84:18:ac:c2:96:cf:df:f8:c6:bb:39:d2:
+        79:9a:69:26:1e:c5:99:4b:ca:b4:bc:ca:a0:53:e0:11:43:e9:
+        b7:b6:8c:d8:8b:88:cd:4d:10:9b:12:18:0e:80:d1:ab:b3:24:
+        a4:f3:3b:ea:21:14:79:4b:64:17:49:0a:cd:1c:e4:fd:1b:11:
+        79:46:ac:fe:c6:aa:73:12:95:fd:61:0d:b0:64:53:5c:6f:ce:
+        0a:fe:07:2d:4d:42:5b:9e:dc:4a:19:dd:19:28:ee:bf:05:e2:
+        62:61:6f:8b:83:50:17:6e:3f:31:5c:f2:d2:7d:fa:60:c3:03:
+        b9:ca:b5:16:d8:de:bb:00:09:9c:50:88:f4:00:f1:2b:00:f8:
+        1b:34:40:94:94:2c:25:63:b1:84:96:00:3d:76:48:2d:f4:77:
+        34:36:37:87
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzsDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE0MTAzMDAwMDAwMFoXDTE5MTEwMzAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAK/J5RgRUFW+HTYlxfhqAwgR2GCl6OopVilL
-iwFxx1rDZ/wpEjL3kuafggElWj+qZO88DOyD+JSgzdbsnDJOjVlYvpRKraftHkgy
-IkOPEzvup3CLZZCSWgb19jn/5+K3KNXXGdioH0dKjBgSuUGDY2FbIkqTAVySrVwc
-XslFRfwKRr8xz9WmAbMHxHBmtqOnYnybDvAOhK2oJIF8ip2NS+9G7G7nrY/TqIaK
-vfc4MuKSCgPBu7X8wTJaTqbh6m5R+b1cse1uBsatg40MGLY6oeNPkU/kSPze/N+1
-5NwVARcFywmNqgFtoYu4yl+TmiKcxJsvzJd/oFROpmsy4LRECvkCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPB3ShJ0ZkGPNx25ogWao1FPc382MB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQAq4oJ+Z1MGcCgpJ2YTdlx68ovSrNck67LAFsmr5CBF1Uz6IgRISS4/PyNDv2vs
-nefjWmvvR+6zjNuRpQz6UcYymV89uiur/GYJfzNOtBkkuiGVnZCnjNZVmsHTNA+M
-oSeNih42r4hmQImwnK8jkgx3apYHF2iQl1bQtj0zOYp5c1RmBHZzthoE0+7jK7JW
-7l7DYVYaLfDxyyKgWLaAyhEdfUIPXSMEwKt8Oj+ZDFSFVZlKQyThd0JmJZgFqKtl
-3gUwVCDu6SUKh+jtcWK3AIJjCj2IG/RaJPmQRVvn59zxDrJY/FIMMot7DnAC0Hjs
-jGHHFFBfj85LEqyan/v3xK8F
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnQwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNDEwMzAwMDAwMDBaFw0xOTExMDMwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgEbkMErbM24q3f6TJJrlE7y+PmlcA0iHA
+o20NiFkSYhm6cWzGmMxE096qiLxkOMx4E6VddnpLyNKOZ2RhgWFPHmkRyuzBgNDq
+IaSrVovldOgNBfhq3TvGc8Q/t/GrwVX33z9/ujbZwWstbteTloee7gBX1VlQbYKb
+qypSfsC4vjSPCGutxrWQDID/P2gFyaVcmrqMSUrUuYdCHUdC/xeP31XhufkUawiP
+T95lWXEcURpYVpbeytEJDcEKsBl0RUY4FnsaCjLgNTRgg8Rjy1M0LUv3yI6IdROV
+cJ//z/AQZLNsIsoTPmX7ovsMAYC3ZNjuC0wY/AKd/Wy6ukbL+AXVAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRg7aarCQLYLFQ51Xjl4aEJRLBVITAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAvH4HzvHPCr61J79CNM+OxBngYML54qjoc7l1MFs0aj1albjnWIheSGJwBnxR
+2BfS+00sSE8jKsO5ygxq9qnYjLF4pkWd09cDGrVkyfySBerq2ueXuGdT0DtG2AAo
+Fv8VhBiswpbP3/jGuznSeZppJh7FmUvKtLzKoFPgEUPpt7aM2IuIzU0QmxIYDoDR
+q7MkpPM76iEUeUtkF0kKzRzk/RsReUas/saqcxKV/WENsGRTXG/OCv4HLU1CW57c
+ShndGSjuvwXiYmFvi4NQF24/MVzy0n36YMMDucq1FtjeuwAJnFCI9ADxKwD4GzRA
+lJQsJWOxhJYAPXZILfR3NDY3hw==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/825_days_1_second_after_2018_03_01.pem b/chromium/net/data/ssl/certificates/825_days_1_second_after_2018_03_01.pem
index 9bb5013e331..11d7cd7b3c8 100644
--- a/chromium/net/data/ssl/certificates/825_days_1_second_after_2018_03_01.pem
+++ b/chromium/net/data/ssl/certificates/825_days_1_second_after_2018_03_01.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b8
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:7c
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:b2:cf:a6:1f:53:61:90:3f:5b:b6:b6:76:23:27:
-                    c8:dc:5e:c3:cc:d3:48:ed:e2:9e:e2:ea:56:00:b7:
-                    34:e7:40:3c:c9:b6:e4:62:9f:8a:51:2d:78:38:37:
-                    46:2c:2f:41:60:a8:14:54:31:e8:07:88:86:dd:40:
-                    f4:16:7b:75:30:06:75:d8:f9:21:f3:e5:4b:a3:22:
-                    a7:03:a4:da:ce:e2:99:19:be:64:07:38:3f:85:ea:
-                    27:6b:f1:da:bf:cd:03:d5:fb:5e:c9:ff:aa:60:05:
-                    db:68:91:1f:78:27:c3:19:52:8b:af:93:47:2b:46:
-                    69:02:e5:c3:d1:63:7b:0c:9d:af:89:ef:c6:9c:82:
-                    95:aa:a6:85:4f:38:10:db:d4:25:a6:5b:7e:01:2d:
-                    c2:f6:ce:14:5f:df:ee:6b:3e:6b:f4:92:cb:3f:9e:
-                    ea:fb:1b:a2:f9:08:46:e0:16:3a:0e:f6:9d:93:18:
-                    a4:6d:c0:49:5c:c7:02:28:26:e9:d4:d9:c3:92:04:
-                    f4:d0:8e:c1:4a:23:e9:99:81:5e:ff:3f:c3:05:1c:
-                    8c:f2:8c:a9:24:6d:04:1b:68:69:06:11:c5:8c:7f:
-                    3c:29:f8:ec:dc:9e:93:f7:70:0b:88:ec:0e:e3:9b:
-                    ab:89:cd:8f:54:4b:06:55:99:9e:52:b5:73:43:16:
-                    5d:3f
+                    00:a1:4f:d4:c4:81:eb:6b:72:1f:2c:7c:77:49:e6:
+                    c8:29:76:f1:2a:36:d6:0c:dd:80:ed:07:83:bd:ff:
+                    76:de:d6:79:9b:ff:0f:6d:24:e3:cd:17:4d:ba:82:
+                    e9:2d:37:bf:ec:78:b4:7d:b4:6d:d1:af:84:40:ea:
+                    50:a6:87:c3:4c:1c:11:f3:c9:54:f1:d9:d7:8a:4b:
+                    a4:82:28:55:e4:b5:8a:fb:cb:c7:fa:da:07:d4:fd:
+                    f9:3a:94:ab:89:cc:e1:22:ba:12:93:78:a3:dc:6d:
+                    be:06:f7:b1:25:29:fe:0e:9f:37:08:35:5a:09:9f:
+                    4f:3e:27:b4:b9:d7:ec:10:74:c8:fe:a3:b3:97:1d:
+                    29:c2:33:eb:90:de:55:2e:77:ee:9f:60:c9:c9:1d:
+                    2a:eb:71:24:8c:fe:75:f6:88:d9:8a:00:4f:b6:9c:
+                    65:c1:8e:36:39:a4:c4:37:f3:fa:b3:5b:db:50:39:
+                    0d:8f:0b:c9:33:e2:bb:10:5c:11:3a:8a:aa:aa:16:
+                    22:f4:fe:ba:6d:ee:da:66:d9:6a:e3:b0:0b:79:78:
+                    06:5d:b7:60:9c:30:07:94:3d:45:d5:9e:95:14:49:
+                    d0:b6:c1:4c:e6:5e:81:48:3e:eb:22:9d:e8:86:d1:
+                    5e:69:7b:43:8a:e7:05:93:f5:ad:c0:3d:63:c4:70:
+                    d0:19
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                0E:C5:3C:95:6D:2C:2E:67:58:28:FB:85:8D:11:F1:EA:16:19:53:84
+                A6:14:80:2C:A5:12:49:3A:D8:66:20:1C:05:B8:44:46:E2:C0:80:12
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         40:a1:e5:d1:32:55:5c:35:13:b4:fc:80:2d:93:1f:1a:8d:54:
-         a0:99:6a:e5:3c:c1:d5:e2:07:5b:7d:79:96:ae:3c:a9:d1:70:
-         24:06:16:cc:96:b5:27:8e:36:98:e3:3b:42:b5:9a:fc:94:93:
-         d6:fb:f2:e3:b0:75:ca:84:11:40:aa:3a:2a:3b:be:78:fe:15:
-         ae:98:78:6d:85:17:b5:de:87:17:4f:5e:49:4b:79:98:38:9d:
-         d2:87:ea:61:36:54:99:0b:c0:c4:b2:55:f8:a4:8b:9b:9e:3e:
-         b6:b5:d2:56:b2:86:2d:21:bc:8c:1a:64:40:1e:fd:1d:eb:d0:
-         41:6e:48:4c:86:96:f6:f3:9b:21:d6:aa:96:19:4a:49:d9:cc:
-         8f:5e:b3:11:91:f7:59:a6:46:dd:91:08:01:bc:35:99:6c:2c:
-         9d:b2:e2:5f:fb:76:71:de:f7:ea:89:a9:08:c2:d6:fd:8a:72:
-         f3:c9:7e:57:b9:8b:fc:38:30:2b:b5:aa:2e:20:be:bb:bd:8f:
-         47:77:c8:24:af:0e:ec:be:40:26:61:8e:2e:81:a9:f1:dd:f0:
-         9c:45:fd:c7:87:b5:ae:52:90:fa:55:21:e2:50:bc:93:f4:08:
-         b8:8a:2b:40:2c:75:ff:70:a6:2e:b7:47:e3:64:e3:51:b0:ca:
-         37:13:35:b3
+    Signature Value:
+        18:c9:d9:fd:1f:2c:5c:c8:1d:d7:02:7f:b7:a9:52:3c:b4:46:
+        e6:80:aa:0c:95:3c:1e:8c:84:63:f9:37:3d:5e:c1:f3:f5:78:
+        01:16:3e:fe:ef:6f:bc:38:a4:5b:28:b1:62:5d:8b:fc:68:e4:
+        00:c2:b3:cc:4f:e0:6e:3e:6e:01:ee:47:5d:ec:04:a0:cf:ac:
+        00:13:72:d1:5e:8c:a1:d8:14:9f:0a:9d:fd:91:76:40:0c:b5:
+        fb:a5:ad:d1:17:a8:cc:5a:79:dc:0d:65:4d:61:8d:1f:c1:99:
+        08:db:23:d1:6d:48:21:19:15:56:91:32:eb:a9:11:3e:91:46:
+        2d:1e:9a:af:f5:49:ae:d0:2a:19:55:51:3f:4a:a7:06:e2:d3:
+        b7:41:61:88:22:69:0a:1e:1e:d4:95:d7:53:5b:72:66:d0:08:
+        48:26:bd:12:0f:29:34:57:9b:3a:0e:75:87:74:1d:f4:71:36:
+        6c:cf:ae:2d:34:bc:a5:25:d3:07:d1:0f:60:85:e8:9c:23:fd:
+        3c:6f:8a:b3:44:71:af:e8:5f:8c:a7:3c:bf:69:e8:7e:bf:0b:
+        30:17:b7:78:55:e8:b0:a8:0a:6c:7b:f6:e4:95:b9:9d:d3:0e:
+        6f:c6:18:da:d9:3b:67:ab:7b:dc:31:6f:96:ee:23:94:e0:87:
+        40:73:c0:51
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzuDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE4MDMwMjAwMDAwMFoXDTIwMDYwNDAwMDAwMVowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBALLPph9TYZA/W7a2diMnyNxew8zTSO3inuLq
-VgC3NOdAPMm25GKfilEteDg3RiwvQWCoFFQx6AeIht1A9BZ7dTAGddj5IfPlS6Mi
-pwOk2s7imRm+ZAc4P4XqJ2vx2r/NA9X7Xsn/qmAF22iRH3gnwxlSi6+TRytGaQLl
-w9Fjewydr4nvxpyClaqmhU84ENvUJaZbfgEtwvbOFF/f7ms+a/SSyz+e6vsbovkI
-RuAWOg72nZMYpG3ASVzHAigm6dTZw5IE9NCOwUoj6ZmBXv8/wwUcjPKMqSRtBBto
-aQYRxYx/PCn47Nyek/dwC4jsDuObq4nNj1RLBlWZnlK1c0MWXT8CAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFA7FPJVtLC5nWCj7hY0R8eoWGVOEMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQBAoeXRMlVcNRO0/IAtkx8ajVSgmWrlPMHV4gdbfXmWrjyp0XAkBhbMlrUnjjaY
-4ztCtZr8lJPW+/LjsHXKhBFAqjoqO754/hWumHhthRe13ocXT15JS3mYOJ3Sh+ph
-NlSZC8DEslX4pIubnj62tdJWsoYtIbyMGmRAHv0d69BBbkhMhpb285sh1qqWGUpJ
-2cyPXrMRkfdZpkbdkQgBvDWZbCydsuJf+3Zx3vfqiakIwtb9inLzyX5XuYv8ODAr
-taouIL67vY9Hd8gkrw7svkAmYY4uganx3fCcRf3Hh7WuUpD6VSHiULyT9Ai4iitA
-LHX/cKYut0fjZONRsMo3EzWz
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnwwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xODAzMDIwMDAwMDBaFw0yMDA2MDQwMDAwMDFaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQChT9TEgetrch8sfHdJ5sgpdvEqNtYM3YDt
+B4O9/3be1nmb/w9tJOPNF026guktN7/seLR9tG3Rr4RA6lCmh8NMHBHzyVTx2deK
+S6SCKFXktYr7y8f62gfU/fk6lKuJzOEiuhKTeKPcbb4G97ElKf4OnzcINVoJn08+
+J7S51+wQdMj+o7OXHSnCM+uQ3lUud+6fYMnJHSrrcSSM/nX2iNmKAE+2nGXBjjY5
+pMQ38/qzW9tQOQ2PC8kz4rsQXBE6iqqqFiL0/rpt7tpm2WrjsAt5eAZdt2CcMAeU
+PUXVnpUUSdC2wUzmXoFIPusineiG0V5pe0OK5wWT9a3APWPEcNAZAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSmFIAspRJJOthmIBwFuERG4sCAEjAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAGMnZ/R8sXMgd1wJ/t6lSPLRG5oCqDJU8HoyEY/k3PV7B8/V4ARY+/u9vvDik
+WyixYl2L/GjkAMKzzE/gbj5uAe5HXewEoM+sABNy0V6ModgUnwqd/ZF2QAy1+6Wt
+0ReozFp53A1lTWGNH8GZCNsj0W1IIRkVVpEy66kRPpFGLR6ar/VJrtAqGVVRP0qn
+BuLTt0FhiCJpCh4e1JXXU1tyZtAISCa9Eg8pNFebOg51h3Qd9HE2bM+uLTS8pSXT
+B9EPYIXonCP9PG+Ks0Rxr+hfjKc8v2nofr8LMBe3eFXosKgKbHv25JW5ndMOb8YY
+2tk7Z6t73DFvlu4jlOCHQHPAUQ==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/825_days_after_2018_03_01.pem b/chromium/net/data/ssl/certificates/825_days_after_2018_03_01.pem
index e4abeda155e..3d15cfc060e 100644
--- a/chromium/net/data/ssl/certificates/825_days_after_2018_03_01.pem
+++ b/chromium/net/data/ssl/certificates/825_days_after_2018_03_01.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b7
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:7b
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:cf:3a:7a:4b:9c:1c:a7:21:9f:e3:d0:9d:ff:4b:
-                    09:9e:00:85:53:c1:0e:f4:e5:2c:c8:75:37:2a:a8:
-                    1b:41:33:5b:97:21:80:6b:f1:e4:0b:f5:40:d4:8c:
-                    cd:a2:55:3a:07:c9:15:9f:f2:9b:23:e1:7f:3e:e5:
-                    fe:b0:8d:c9:7b:f8:25:77:9d:17:c3:85:85:e4:50:
-                    a8:90:cf:ae:9f:c5:98:c7:19:46:b4:50:c1:58:fa:
-                    4d:1e:b1:cc:3e:39:27:7b:ce:0b:a8:1d:1d:5a:1f:
-                    68:9c:66:eb:38:59:52:e9:cc:8d:1d:cf:0f:13:eb:
-                    ca:b2:4c:eb:b4:15:7c:9f:fb:a2:d5:8a:cb:ff:8a:
-                    a3:7c:95:20:d2:a2:57:7d:62:55:1c:51:f8:6e:4b:
-                    62:bc:ed:bc:35:cc:d5:d6:a6:15:02:9b:bb:1f:57:
-                    5b:7a:e2:c3:5f:df:3d:c1:56:9f:e1:b0:ec:43:d5:
-                    c4:f0:87:90:c3:e1:0f:76:d0:e7:79:61:93:0a:ed:
-                    d9:4e:d5:94:41:f7:1b:74:6e:b6:81:18:a4:67:8b:
-                    74:99:af:c6:ed:15:41:ac:97:9d:9b:f6:ce:6f:60:
-                    55:65:b5:9c:7d:60:d3:da:ec:13:aa:3a:96:9e:e9:
-                    a5:0a:ae:2d:33:ae:e3:84:60:91:d0:9d:d3:c9:e4:
-                    d3:13
+                    00:9a:39:94:e3:67:d8:e3:a9:27:4d:88:89:70:99:
+                    fd:9d:b8:a3:d5:6a:ff:f4:f0:6b:76:4f:d5:b1:a3:
+                    6c:9d:10:c1:e6:6c:ac:2e:71:86:b2:e3:91:25:d7:
+                    7e:f0:32:55:a4:b5:e2:f8:ac:d2:69:cb:c9:6e:25:
+                    12:32:f8:82:5a:8e:2d:46:30:c2:6c:d9:8e:cb:4c:
+                    69:1e:e8:c2:1e:8f:94:76:76:6a:c6:8c:a5:e7:b8:
+                    8e:79:e5:4b:6a:b1:98:cc:2f:2b:ba:35:6f:63:65:
+                    23:1c:6e:c3:9a:65:7f:fa:1e:6e:fe:a0:7d:8f:10:
+                    40:b7:30:1e:2e:41:0e:be:3b:8e:1f:ed:da:29:c0:
+                    44:63:10:e7:0f:b1:ed:7b:e9:0e:b7:2d:a0:ec:83:
+                    19:8e:a4:de:e5:2e:24:f8:4b:b8:92:63:37:ab:67:
+                    d7:69:1c:8a:de:1c:d5:e4:59:42:b7:d8:ea:54:64:
+                    cc:28:14:47:f6:a4:84:f1:7a:a4:9c:26:a1:95:4f:
+                    29:6e:c4:06:6c:b2:4e:9a:c5:ca:c7:ff:e9:6a:d9:
+                    bb:95:0c:9b:5e:d1:cf:d2:0c:fc:1c:6a:f5:bb:46:
+                    f5:e5:67:4f:2b:f8:a3:3e:3c:74:3c:cf:a8:a1:2d:
+                    53:ba:82:e3:f6:67:4c:44:71:1a:79:ff:91:40:41:
+                    c7:43
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                AE:E9:7B:D9:8C:7F:3D:56:2A:A2:18:90:A0:85:DF:43:DF:C1:32:DB
+                21:4C:BB:C1:C9:E7:EC:9E:70:89:0F:F4:C5:25:86:86:B0:C8:31:B7
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         b0:bf:ab:85:fd:ab:14:9d:a7:5f:13:f5:76:19:31:2c:3a:ed:
-         22:65:1f:4d:a8:f0:17:a4:3e:61:fb:43:b9:77:9f:a8:5d:3d:
-         65:75:5a:0a:db:80:25:1f:79:10:d2:3f:6d:0e:b0:6f:86:b3:
-         46:f6:ae:bd:05:f6:49:74:72:0d:eb:b5:ec:9f:56:32:97:0b:
-         0f:58:ff:13:21:25:97:89:25:fa:3e:ee:65:2b:ac:ae:4e:98:
-         ef:c8:08:82:8d:92:44:0c:ad:8c:ba:e5:79:d9:1b:c2:e3:c0:
-         1e:2c:c8:f7:af:cd:2e:a3:0b:30:30:22:da:6f:b2:05:de:06:
-         8c:da:9e:e0:bc:0c:27:0c:d4:af:ba:c3:70:99:10:e6:15:ac:
-         57:75:94:a2:fc:d0:5f:c0:f3:77:81:8f:c2:81:21:2f:d3:bd:
-         c8:23:b4:3f:33:3c:c0:e7:fe:06:9f:d5:33:4f:bb:b8:88:da:
-         78:84:c1:6c:23:fe:1c:63:48:d0:1f:a3:87:2c:2c:31:f5:50:
-         35:df:16:5d:40:1d:2b:3d:f5:4d:39:fb:8c:45:66:ae:76:90:
-         fc:a7:e1:94:51:e6:e7:f2:2d:29:74:e4:5d:38:b4:dc:04:00:
-         b8:a8:5f:cd:f0:af:92:dd:24:fc:54:c9:df:26:81:b4:a2:ba:
-         34:b2:7b:f3
+    Signature Value:
+        68:f9:e3:09:b5:35:6d:e8:fe:00:c8:92:6a:9c:16:c8:99:d4:
+        ba:bc:14:89:6c:a9:40:33:0e:33:f8:15:73:62:19:03:37:a1:
+        e0:af:ba:d2:9b:06:f9:33:16:c0:38:a8:40:2f:1d:8e:04:55:
+        2d:3b:ae:7b:a2:91:9b:50:eb:fa:83:42:ec:ba:9a:7e:54:28:
+        4b:95:5e:9d:64:c5:79:59:34:77:c7:d4:e4:c5:65:07:f0:63:
+        36:c7:7a:2c:ee:00:75:63:e0:eb:5f:af:5c:41:f3:11:80:63:
+        81:85:53:df:72:22:fc:4c:b8:c8:99:dc:86:e3:1e:b6:a9:37:
+        de:c9:df:23:30:2b:f3:d8:48:50:ae:40:3f:5a:92:83:64:03:
+        41:b9:f7:43:ad:2e:2f:be:7f:60:98:af:92:65:7c:7a:05:6a:
+        bd:0a:7d:c4:83:1c:a5:8b:6a:18:c5:17:8c:2d:41:d7:97:29:
+        e3:5c:79:07:9d:11:43:c5:09:a5:fa:48:9b:be:39:41:7b:34:
+        97:40:e3:84:8b:c7:bb:24:b5:9a:38:47:ca:43:56:ad:52:25:
+        22:a8:aa:2e:64:26:a1:71:cf:0b:f0:47:d9:07:f4:cc:16:99:
+        b8:17:23:ea:d3:ad:e6:6e:08:e5:85:04:0c:c3:46:66:80:ec:
+        28:cf:e1:db
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYztzANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE4MDMwMjAwMDAwMFoXDTIwMDYwNDAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAM86ekucHKchn+PQnf9LCZ4AhVPBDvTlLMh1
-NyqoG0EzW5chgGvx5Av1QNSMzaJVOgfJFZ/ymyPhfz7l/rCNyXv4JXedF8OFheRQ
-qJDPrp/FmMcZRrRQwVj6TR6xzD45J3vOC6gdHVofaJxm6zhZUunMjR3PDxPryrJM
-67QVfJ/7otWKy/+Ko3yVINKiV31iVRxR+G5LYrztvDXM1damFQKbux9XW3riw1/f
-PcFWn+Gw7EPVxPCHkMPhD3bQ53lhkwrt2U7VlEH3G3RutoEYpGeLdJmvxu0VQayX
-nZv2zm9gVWW1nH1g09rsE6o6lp7ppQquLTOu44RgkdCd08nk0xMCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFK7pe9mMfz1WKqIYkKCF30PfwTLbMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQCwv6uF/asUnadfE/V2GTEsOu0iZR9NqPAXpD5h+0O5d5+oXT1ldVoK24AlH3kQ
-0j9tDrBvhrNG9q69BfZJdHIN67Xsn1YylwsPWP8TISWXiSX6Pu5lK6yuTpjvyAiC
-jZJEDK2MuuV52RvC48AeLMj3r80uowswMCLab7IF3gaM2p7gvAwnDNSvusNwmRDm
-FaxXdZSi/NBfwPN3gY/CgSEv073II7Q/MzzA5/4Gn9UzT7u4iNp4hMFsI/4cY0jQ
-H6OHLCwx9VA13xZdQB0rPfVNOfuMRWaudpD8p+GUUebn8i0pdORdOLTcBAC4qF/N
-8K+S3ST8VMnfJoG0oro0snvz
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnswDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xODAzMDIwMDAwMDBaFw0yMDA2MDQwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaOZTjZ9jjqSdNiIlwmf2duKPVav/08Gt2
+T9Wxo2ydEMHmbKwucYay45El137wMlWkteL4rNJpy8luJRIy+IJaji1GMMJs2Y7L
+TGke6MIej5R2dmrGjKXnuI555UtqsZjMLyu6NW9jZSMcbsOaZX/6Hm7+oH2PEEC3
+MB4uQQ6+O44f7dopwERjEOcPse176Q63LaDsgxmOpN7lLiT4S7iSYzerZ9dpHIre
+HNXkWUK32OpUZMwoFEf2pITxeqScJqGVTyluxAZssk6axcrH/+lq2buVDJte0c/S
+DPwcavW7RvXlZ08r+KM+PHQ8z6ihLVO6guP2Z0xEcRp5/5FAQcdDAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQhTLvByefsnnCJD/TFJYaGsMgxtzAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAaPnjCbU1bej+AMiSapwWyJnUurwUiWypQDMOM/gVc2IZAzeh4K+60psG+TMW
+wDioQC8djgRVLTuue6KRm1Dr+oNC7LqaflQoS5VenWTFeVk0d8fU5MVlB/BjNsd6
+LO4AdWPg61+vXEHzEYBjgYVT33Ii/Ey4yJnchuMetqk33snfIzAr89hIUK5AP1qS
+g2QDQbn3Q60uL75/YJivkmV8egVqvQp9xIMcpYtqGMUXjC1B15cp41x5B50RQ8UJ
+pfpIm745QXs0l0DjhIvHuyS1mjhHykNWrVIlIqiqLmQmoXHPC/BH2Qf0zBaZuBcj
+6tOt5m4I5YUEDMNGZoDsKM/h2w==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/826_days_after_2018_03_01.pem b/chromium/net/data/ssl/certificates/826_days_after_2018_03_01.pem
index 8b6574e5b77..1fb6bbdf0ec 100644
--- a/chromium/net/data/ssl/certificates/826_days_after_2018_03_01.pem
+++ b/chromium/net/data/ssl/certificates/826_days_after_2018_03_01.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b6
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:7a
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:d8:c8:15:7a:a1:22:bf:45:1f:53:e9:21:a9:98:
-                    c4:a4:dd:be:a9:a6:6c:0c:f1:f1:be:2e:f7:dc:7f:
-                    0e:bc:02:51:d8:61:08:8a:c1:94:a8:d9:5d:b0:ba:
-                    f2:9b:d8:ec:e5:7d:4e:67:4a:d0:f3:20:00:ce:33:
-                    1c:88:f7:c5:2b:9b:56:fb:6c:4b:c4:27:43:8a:ee:
-                    e6:04:e2:50:81:52:34:29:b0:13:54:d6:73:1c:22:
-                    ca:d5:c1:8e:83:c5:c7:32:14:ad:af:fa:42:96:1c:
-                    ac:58:48:33:7a:eb:35:b4:7b:e8:f3:b5:a9:26:5d:
-                    b8:7a:da:0a:62:56:f8:5c:99:26:a3:52:d7:1d:7e:
-                    bc:4c:46:67:e9:bd:d7:07:15:0c:3a:51:fe:4c:0c:
-                    7f:cd:fb:57:b9:07:ee:08:00:44:6f:be:ce:b7:1a:
-                    86:5f:58:56:1c:73:ff:1a:05:be:80:f2:e4:a7:ae:
-                    11:51:2b:6e:2b:25:70:76:06:da:9b:42:a7:77:98:
-                    f3:62:ea:22:5f:8d:3e:03:28:66:18:57:b2:b2:84:
-                    32:44:98:ed:f0:cd:2c:ea:b8:05:11:68:8c:70:30:
-                    12:b6:67:92:99:d1:98:7c:fb:40:02:60:28:f7:94:
-                    aa:55:f8:54:20:51:03:8a:13:89:64:2d:3d:35:d4:
-                    46:51
+                    00:c6:48:5e:83:86:48:ec:31:7d:cc:2c:20:88:c3:
+                    5e:36:b5:bd:ba:4a:ed:1b:08:4c:30:4f:7c:f0:db:
+                    7f:c8:8a:31:ee:b5:58:18:8f:05:f5:85:fd:e0:e0:
+                    9c:3a:40:de:45:31:5f:94:1a:f7:67:26:9d:21:94:
+                    1f:73:96:30:0e:91:0c:96:2e:3f:40:9c:40:76:8e:
+                    27:de:23:24:a9:9f:6e:69:30:22:a7:62:ee:0f:72:
+                    5a:bb:1a:08:c8:49:f0:5b:53:e2:6a:e6:3e:5a:88:
+                    73:6d:03:c2:ec:43:8f:f2:dd:30:5f:b3:69:e6:7d:
+                    21:0c:a4:50:0a:78:3d:ba:2f:9f:dc:eb:a9:74:40:
+                    54:46:ef:c7:49:fc:24:25:ee:e9:18:3a:0d:37:86:
+                    90:5c:19:2b:17:4c:93:d2:11:45:78:20:c5:2b:ac:
+                    8c:23:d9:fe:2a:a5:3d:72:f0:a8:0d:29:76:23:73:
+                    a8:a7:c8:ed:e1:52:4c:b9:ba:0a:ce:e5:07:e2:30:
+                    26:d2:07:8d:27:02:08:bd:41:6a:0f:bf:3f:43:11:
+                    fa:17:01:0e:b1:b0:7b:df:8a:63:3d:59:41:6e:0f:
+                    f5:53:cb:f9:be:ac:c4:a6:c3:6a:19:0b:36:38:ce:
+                    34:e3:9f:36:de:ed:bd:4a:d7:75:34:2a:b6:ed:53:
+                    7b:5d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                FC:51:FB:45:0A:88:70:94:39:91:00:3E:A8:75:A4:40:11:2A:B6:47
+                56:75:5B:1E:72:EB:8C:14:EE:D6:78:E4:67:7B:7D:2D:D0:8F:6D:A1
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         50:59:7a:a8:e0:68:e0:33:c1:0a:44:fa:28:e0:3d:a7:0b:de:
-         3f:45:fc:ba:b7:f2:e5:20:13:74:ec:53:56:6e:6f:c4:e5:f1:
-         c0:84:74:91:07:32:9e:12:73:d3:6a:0f:e7:42:47:36:57:3d:
-         10:19:2e:2c:18:a4:12:07:1d:40:4f:f6:3c:d7:8e:2f:d6:d2:
-         94:90:d0:c0:52:86:41:ef:b3:11:d3:a8:46:1f:3b:ed:04:2a:
-         bc:aa:14:c2:5c:c3:f2:78:b0:65:ff:c1:e6:07:4c:d6:07:96:
-         69:ec:20:44:2a:ee:5e:9d:94:fc:af:eb:60:5d:37:1d:25:fb:
-         d5:ae:5f:b4:cf:e7:a5:50:fd:fc:72:4d:6d:eb:93:e5:bc:30:
-         eb:5b:3a:c8:d6:9e:98:db:80:d1:46:63:d9:f8:ac:47:2d:bb:
-         d7:f3:36:5b:1b:cb:a7:0b:2e:59:90:10:b1:77:44:32:0e:55:
-         78:1b:9d:11:57:9f:6c:28:96:55:5d:f7:81:6e:ff:74:3b:36:
-         6e:3a:42:e3:af:51:b2:e0:29:63:07:39:e1:43:e3:65:a8:da:
-         0a:ca:70:9a:c5:52:bf:e8:ec:5e:da:57:16:8f:1b:0e:54:b1:
-         0a:a1:cf:23:9a:48:ea:78:1e:ee:08:27:c7:83:6d:80:fa:26:
-         f6:85:0c:37
+    Signature Value:
+        3c:6f:26:8e:d6:8c:6b:01:bf:b0:8c:fc:06:9f:8c:b7:03:50:
+        6d:45:42:de:e7:d0:a0:75:f2:b8:7e:12:13:96:9c:27:c1:ee:
+        6e:b3:48:23:5b:1b:51:45:e7:89:71:62:de:4c:df:66:d3:81:
+        87:64:72:55:d3:ec:da:3d:bb:5c:92:8a:1f:73:fa:5b:bb:b8:
+        83:a9:52:b2:ce:4a:f7:19:68:f5:df:2b:cd:47:07:b7:75:4f:
+        68:15:63:db:25:d3:6a:80:48:92:f2:e2:d4:9f:ae:73:86:c6:
+        85:c9:35:66:65:8e:c4:b2:79:ea:64:ca:d2:d3:73:09:b9:22:
+        d5:b7:2a:28:d9:82:e4:85:cb:c8:82:1b:6c:95:80:62:18:21:
+        a7:2d:ae:8f:06:09:80:10:24:48:e0:2a:d5:4d:62:00:3e:ed:
+        2c:7c:1e:9d:80:84:b1:de:3a:ab:95:78:b3:65:3a:1d:16:4f:
+        82:b1:63:96:4c:75:3e:2a:0c:26:fc:60:fd:4c:b0:06:36:9a:
+        1d:47:4a:51:47:b0:19:3c:79:f5:93:97:24:61:79:91:fe:7e:
+        72:c6:cb:0a:74:00:a5:d2:ad:b8:bd:b3:45:0d:80:65:53:e5:
+        90:98:14:d2:4b:b3:70:e1:96:c2:bf:7a:1b:66:ce:d4:e7:ae:
+        8c:51:bc:c6
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYztjANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE4MDMwMjAwMDAwMFoXDTIwMDYwNTAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBANjIFXqhIr9FH1PpIamYxKTdvqmmbAzx8b4u
-99x/DrwCUdhhCIrBlKjZXbC68pvY7OV9TmdK0PMgAM4zHIj3xSubVvtsS8QnQ4ru
-5gTiUIFSNCmwE1TWcxwiytXBjoPFxzIUra/6QpYcrFhIM3rrNbR76PO1qSZduHra
-CmJW+FyZJqNS1x1+vExGZ+m91wcVDDpR/kwMf837V7kH7ggARG++zrcahl9YVhxz
-/xoFvoDy5KeuEVErbislcHYG2ptCp3eY82LqIl+NPgMoZhhXsrKEMkSY7fDNLOq4
-BRFojHAwErZnkpnRmHz7QAJgKPeUqlX4VCBRA4oTiWQtPTXURlECAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPxR+0UKiHCUOZEAPqh1pEARKrZHMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQBQWXqo4GjgM8EKRPoo4D2nC94/Rfy6t/LlIBN07FNWbm/E5fHAhHSRBzKeEnPT
-ag/nQkc2Vz0QGS4sGKQSBx1AT/Y8144v1tKUkNDAUoZB77MR06hGHzvtBCq8qhTC
-XMPyeLBl/8HmB0zWB5Zp7CBEKu5enZT8r+tgXTcdJfvVrl+0z+elUP38ck1t65Pl
-vDDrWzrI1p6Y24DRRmPZ+KxHLbvX8zZbG8unCy5ZkBCxd0QyDlV4G50RV59sKJZV
-XfeBbv90OzZuOkLjr1Gy4CljBznhQ+NlqNoKynCaxVK/6Oxe2lcWjxsOVLEKoc8j
-mkjqeB7uCCfHg22A+ib2hQw3
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnowDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xODAzMDIwMDAwMDBaFw0yMDA2MDUwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGSF6DhkjsMX3MLCCIw142tb26Su0bCEww
+T3zw23/IijHutVgYjwX1hf3g4Jw6QN5FMV+UGvdnJp0hlB9zljAOkQyWLj9AnEB2
+jifeIySpn25pMCKnYu4Pclq7GgjISfBbU+Jq5j5aiHNtA8LsQ4/y3TBfs2nmfSEM
+pFAKeD26L5/c66l0QFRG78dJ/CQl7ukYOg03hpBcGSsXTJPSEUV4IMUrrIwj2f4q
+pT1y8KgNKXYjc6inyO3hUky5ugrO5QfiMCbSB40nAgi9QWoPvz9DEfoXAQ6xsHvf
+imM9WUFuD/VTy/m+rMSmw2oZCzY4zjTjnzbe7b1K13U0KrbtU3tdAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRWdVsecuuMFO7WeORne30t0I9toTAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAPG8mjtaMawG/sIz8Bp+MtwNQbUVC3ufQoHXyuH4SE5acJ8HubrNII1sbUUXn
+iXFi3kzfZtOBh2RyVdPs2j27XJKKH3P6W7u4g6lSss5K9xlo9d8rzUcHt3VPaBVj
+2yXTaoBIkvLi1J+uc4bGhck1ZmWOxLJ56mTK0tNzCbki1bcqKNmC5IXLyIIbbJWA
+Yhghpy2ujwYJgBAkSOAq1U1iAD7tLHwenYCEsd46q5V4s2U6HRZPgrFjlkx1PioM
+Jvxg/UywBjaaHUdKUUewGTx59ZOXJGF5kf5+csbLCnQApdKtuL2zRQ2AZVPlkJgU
+0kuzcOGWwr96G2bO1OeujFG8xg==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/900_days_after_2019_07_01.pem b/chromium/net/data/ssl/certificates/900_days_after_2019_07_01.pem
index a70bcbd18bf..b2ab8c6775a 100644
--- a/chromium/net/data/ssl/certificates/900_days_after_2019_07_01.pem
+++ b/chromium/net/data/ssl/certificates/900_days_after_2019_07_01.pem
@@ -2,84 +2,84 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            97:a2:ec:ef:8c:1f:34:bb:02:1d:83:75:90:67:0b:26
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:86
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
-            Not Before: Dec  2 02:29:26 2021 GMT
-            Not After : May 20 02:29:26 2024 GMT
+            Not Before: Oct  3 17:20:31 2022 GMT
+            Not After : Mar 21 17:20:31 2025 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:9c:80:4b:13:19:37:bf:ef:3f:08:23:f2:49:29:
-                    19:ee:17:ae:f0:c5:38:6c:44:a8:5b:8d:6b:64:c3:
-                    35:a3:68:3f:86:32:f3:91:f9:0c:04:05:af:7f:56:
-                    58:47:99:cb:2e:1d:dd:52:29:83:11:55:ed:17:e3:
-                    49:02:b8:fd:aa:9a:db:76:ba:62:c8:df:fb:d7:05:
-                    23:3d:3b:07:4c:19:b7:01:8e:5b:30:49:4f:fa:43:
-                    82:f5:17:06:47:52:da:c2:93:80:3e:dc:8c:a6:fd:
-                    26:70:e1:c3:12:83:9b:c3:2e:ac:af:49:e8:ce:31:
-                    df:4d:64:23:5c:7c:cd:1e:d3:6e:f9:4b:b1:ab:d1:
-                    6c:45:32:b0:48:31:60:57:57:dd:f5:d5:af:02:7f:
-                    d7:ec:cf:92:16:7e:d8:7e:a6:3a:d6:94:7d:6b:ab:
-                    02:a9:81:83:68:b7:56:24:41:e8:5e:39:5c:1e:e6:
-                    7e:c4:58:04:19:e0:b0:03:67:12:81:1c:17:ac:08:
-                    d9:49:b6:b7:5b:d2:0d:fd:46:fd:8c:b4:d1:b5:4d:
-                    c7:9a:fb:5d:ab:b0:a5:9b:c6:d2:62:39:56:d0:d6:
-                    a6:ef:6f:07:35:d4:08:6f:aa:0a:6d:8c:9e:83:8a:
-                    8f:5f:31:b4:1c:78:7e:d8:71:0a:c2:aa:74:17:b8:
-                    4b:97
+                    00:c5:28:61:1e:94:d2:ed:5e:b3:fb:6c:35:e1:c5:
+                    1c:bb:78:67:d7:11:55:1c:38:db:67:4d:84:fa:39:
+                    73:81:ff:73:e4:10:a5:df:f4:21:43:14:c8:9f:4e:
+                    f0:a7:45:82:2b:2c:79:34:df:db:3c:d0:07:fd:33:
+                    eb:8a:be:49:dd:cf:22:7f:11:37:3f:3c:e3:be:fb:
+                    ba:a0:b1:45:b4:bd:7c:d9:5b:7b:58:75:3e:fc:b8:
+                    9f:44:4f:cf:97:bf:70:1c:42:8b:1c:77:07:1e:5f:
+                    47:a8:78:5b:9f:0b:60:db:9b:58:63:81:db:1a:f1:
+                    37:bb:de:91:09:05:b0:3b:f2:e4:d9:a6:62:4b:ac:
+                    29:91:6e:04:c9:3d:85:8f:57:d6:d9:b6:be:fe:7a:
+                    c8:e6:40:89:99:a4:c7:58:94:75:59:03:d8:bc:b1:
+                    8e:f0:d2:34:d7:c0:15:63:5c:bd:00:68:c1:2b:f4:
+                    a6:c4:0d:94:df:38:cb:22:75:0c:2a:82:23:0e:13:
+                    82:76:bb:ff:73:66:c8:9c:b7:55:92:68:a4:04:73:
+                    92:ac:69:9c:3c:69:29:19:ad:57:e4:a9:59:c5:5d:
+                    eb:ca:ba:6c:e2:86:01:6b:5c:ae:dc:35:c7:37:67:
+                    19:67:ee:37:f1:41:98:bd:02:54:87:f6:0a:c0:fd:
+                    82:9b
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                B9:33:59:57:E2:07:76:38:A7:D6:4A:43:19:79:AF:54:65:E9:7B:E2
+                84:86:46:35:36:B9:69:FE:CE:F1:0D:AF:A7:AE:1B:7E:07:F4:D5:38
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         a6:e1:c0:06:0f:64:8c:50:54:38:9a:2a:19:38:6e:ce:12:bb:
-         a1:4b:2e:62:39:a6:dd:e3:7e:3a:c2:f6:93:40:d1:b4:22:c8:
-         f2:53:82:48:46:77:66:20:31:65:fd:03:9c:38:92:a9:38:4a:
-         df:65:fb:c1:ec:c6:33:ce:94:53:eb:20:1c:5e:66:22:8a:c4:
-         b6:ce:f2:91:e6:58:21:dc:5a:f3:c1:69:37:1a:ad:03:e9:28:
-         dc:cb:ee:29:8d:73:6f:c3:a3:7c:f6:66:99:d1:c0:5a:2c:3e:
-         79:9d:3c:df:f4:de:83:a2:aa:63:7c:e6:d3:ae:23:2a:47:61:
-         15:54:d3:da:fb:c5:c3:a2:db:69:45:76:f0:f9:e0:9c:06:ab:
-         e7:20:96:a4:b5:8d:08:54:c1:37:da:27:84:d2:8e:b2:60:a9:
-         e6:d6:42:31:20:58:70:22:3e:66:2a:33:da:5f:09:64:f2:dc:
-         c6:a3:e2:b0:56:7b:a1:31:aa:cc:82:e8:a7:a7:8d:85:ad:01:
-         ac:d3:1d:ec:27:63:44:ea:ce:c2:fe:e9:6e:4d:43:11:57:dd:
-         a5:27:b3:0d:88:ad:eb:e1:60:09:0d:c9:c5:62:be:8c:ff:24:
-         eb:c7:42:b4:45:5f:23:20:0b:63:4b:81:e8:cc:57:bc:a9:88:
-         15:b6:af:20
+    Signature Value:
+        4c:83:4a:91:36:3f:73:ff:1d:38:3e:9e:fb:44:87:42:80:82:
+        2c:d9:3a:d7:4f:d9:a6:21:19:24:b5:b7:b8:42:71:23:2a:c8:
+        81:17:28:95:95:c3:9f:72:b4:5d:c8:6e:6c:91:73:1a:88:68:
+        bd:d3:67:6c:72:97:fd:48:0f:2a:8c:06:8a:ed:ac:e2:a6:b2:
+        d4:e9:73:65:4f:71:f6:d8:62:a5:68:2d:2e:86:8e:ff:da:df:
+        ee:4b:bb:0e:50:89:a4:9d:27:62:fd:90:16:89:e9:12:7b:df:
+        a2:71:87:6e:99:28:3c:07:b7:81:86:73:7d:93:a0:3c:f0:a5:
+        e3:60:55:e0:0f:9f:c0:08:ad:ef:02:9a:ec:b5:ed:2b:e7:cd:
+        ec:c3:59:2b:20:24:05:da:f8:fd:97:67:27:bd:7d:58:ac:e4:
+        dd:1a:c0:28:9e:1a:4d:57:88:f2:39:bc:92:6a:43:75:4d:fd:
+        59:9a:d9:f5:1c:49:57:ec:07:66:b2:06:e0:97:dc:44:fa:19:
+        6f:3a:84:f7:ff:7a:c7:e7:2e:37:60:4a:23:fc:ef:00:98:4c:
+        2b:d2:a1:8c:35:d3:d8:5a:2f:6e:f6:69:5c:f7:55:f1:49:f1:
+        e7:d4:9c:db:7c:6f:48:0d:5b:7a:1a:0d:6f:83:de:fd:29:d1:
+        d5:79:fc:c7
 -----BEGIN CERTIFICATE-----
-MIIDzzCCAregAwIBAgIRAJei7O+MHzS7Ah2DdZBnCyYwDQYJKoZIhvcNAQELBQAw
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwoYwDQYJKoZIhvcNAQELBQAw
 YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
 dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
-dCBDQTAeFw0yMTEyMDIwMjI5MjZaFw0yNDA1MjAwMjI5MjZaMGAxCzAJBgNVBAYT
+dCBDQTAeFw0yMjEwMDMxNzIwMzFaFw0yNTAzMjExNzIwMzFaMGAxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
 MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcgEsTGTe/7z8II/JJKRnuF67wxThsRKhb
-jWtkwzWjaD+GMvOR+QwEBa9/VlhHmcsuHd1SKYMRVe0X40kCuP2qmtt2umLI3/vX
-BSM9OwdMGbcBjlswSU/6Q4L1FwZHUtrCk4A+3Iym/SZw4cMSg5vDLqyvSejOMd9N
-ZCNcfM0e0275S7Gr0WxFMrBIMWBXV9311a8Cf9fsz5IWfth+pjrWlH1rqwKpgYNo
-t1YkQeheOVwe5n7EWAQZ4LADZxKBHBesCNlJtrdb0g39Rv2MtNG1Tcea+12rsKWb
-xtJiOVbQ1qbvbwc11AhvqgptjJ6Dio9fMbQceH7YcQrCqnQXuEuXAgMBAAGjgYAw
-fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS5M1lX4gd2OKfWSkMZea9UZel74jAf
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFKGEelNLtXrP7bDXhxRy7eGfXEVUcONtn
+TYT6OXOB/3PkEKXf9CFDFMifTvCnRYIrLHk039s80Af9M+uKvkndzyJ/ETc/POO+
++7qgsUW0vXzZW3tYdT78uJ9ET8+Xv3AcQoscdwceX0eoeFufC2Dbm1hjgdsa8Te7
+3pEJBbA78uTZpmJLrCmRbgTJPYWPV9bZtr7+esjmQImZpMdYlHVZA9i8sY7w0jTX
+wBVjXL0AaMEr9KbEDZTfOMsidQwqgiMOE4J2u/9zZsict1WSaKQEc5KsaZw8aSkZ
+rVfkqVnFXevKumzihgFrXK7cNcc3Zxln7jfxQZi9AlSH9grA/YKbAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSEhkY1Nrlp/s7xDa+nrht+B/TVODAf
 BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
 BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
-AQEApuHABg9kjFBUOJoqGThuzhK7oUsuYjmm3eN+OsL2k0DRtCLI8lOCSEZ3ZiAx
-Zf0DnDiSqThK32X7wezGM86UU+sgHF5mIorEts7ykeZYIdxa88FpNxqtA+ko3Mvu
-KY1zb8OjfPZmmdHAWiw+eZ083/Teg6KqY3zm064jKkdhFVTT2vvFw6LbaUV28Png
-nAar5yCWpLWNCFTBN9onhNKOsmCp5tZCMSBYcCI+Zioz2l8JZPLcxqPisFZ7oTGq
-zILop6eNha0BrNMd7CdjROrOwv7pbk1DEVfdpSezDYit6+FgCQ3JxWK+jP8k68dC
-tEVfIyALY0uB6MxXvKmIFbavIA==
+AQEATINKkTY/c/8dOD6e+0SHQoCCLNk610/ZpiEZJLW3uEJxIyrIgRcolZXDn3K0
+XchubJFzGohovdNnbHKX/UgPKowGiu2s4qay1OlzZU9x9thipWgtLoaO/9rf7ku7
+DlCJpJ0nYv2QFonpEnvfonGHbpkoPAe3gYZzfZOgPPCl42BV4A+fwAit7wKa7LXt
+K+fN7MNZKyAkBdr4/ZdnJ719WKzk3RrAKJ4aTVeI8jm8kmpDdU39WZrZ9RxJV+wH
+ZrIG4JfcRPoZbzqE9/96x+cuN2BKI/zvAJhMK9KhjDXT2FovbvZpXPdV8Unx59Sc
+23xvSA1behoNb4Pe/SnR1Xn8xw==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/BUILD.gn b/chromium/net/data/ssl/certificates/BUILD.gn
index b4ea35d2503..c0855965f34 100644
--- a/chromium/net/data/ssl/certificates/BUILD.gn
+++ b/chromium/net/data/ssl/certificates/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/certificates/README b/chromium/net/data/ssl/certificates/README
index e4d58b421a2..ac6c4d8b506 100644
--- a/chromium/net/data/ssl/certificates/README
+++ b/chromium/net/data/ssl/certificates/README
@@ -41,8 +41,8 @@ unit tests.
      All files are from the src/test/testdada directory in
      https://code.google.com/p/certificate-transparency/
 
-- thepaverbros.com.pem : A certificate issued by a public trust anchor valid
-    for the domain thepaverbros.com, which expires on 2022-03-26.
+- caninesonduty.com.pem : A certificate issued by a public trust anchor valid
+    for the domain caninesonduty.com, which expires on 2023-11-06.
 
 - gms.hongleong.com.my-verisign-chain.pem: A certificate chain for
   gms.hongleong.com.my issued by VeriSign Class 3 Public Primary Certification
@@ -95,9 +95,6 @@ unit tests.
      characters such as '=' and '"' that would normally be escaped when
      converting a subject/issuer name to their stringized form.
 
-- ocsp-test-root.pem : A root certificate for the code in
-      net/data/ssl/scripts/minica.py and net::EmbeddedTestServer.
-
 - websocket_cacert.pem : The testing root CA for testing WebSocket client
      certificate authentication.
      This file is used in SSLUITest.TestWSSClientCert.
@@ -115,6 +112,10 @@ unit tests.
   tests and otherwise kept fixed. The signature, etc., are intentionally
   invalid.
 
+- name_constrained_key.pem
+  The private key matching the public_key_hash of the kDomainsTest constraint
+  in CertVerifyProc::HasNameConstraintsViolation.
+
 ===== From net/data/ssl/scripts/generate-quic-chain.sh
 - quic-chain.pem
 - quic-leaf-cert.key
@@ -147,11 +148,6 @@ unit tests.
     A certificate and private key valid for a number of test names. See
     [test_names] in ee.cnf. Other names may be added as needed.
 
-- name_constraint_bad.pem
-- name_constraint_good.pem
-    Two certificates used to test the built-in ability to restrict a root to
-    a particular namespace.
-
 - bad_validity.pem
     A certificate and private key only valid on 0001-01-01. Windows refuses to
     parse this certificate.
@@ -183,10 +179,6 @@ unit tests.
     Certs to test that the maximum validity durations set by the CA/Browser
     Forum Baseline Requirements are enforced.
 
-- reject_intranet_hosts.pem
-   A certificate with a non-IANA delegated domain, which is rejected since a CA
-   cannot validate the applicant controls that domain.
-
 - pre_june_2016.pem
 - post_june_2016.pem
 - dec_2017.pem
@@ -210,9 +202,6 @@ unit tests.
      Certificates for testing EV display (including regression test for
      https://crbug.com/1069113).
 
-- ev-multi-oid.pem :
-     Certificate for testing EV with multiple OIDs. Regression test for crbug.com/705285
-
 ===== From net/data/ssl/scripts/generate-weak-test-chains.sh
 - 2048-rsa-root.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
@@ -239,12 +228,6 @@ unit tests.
      26 Feb 2022 and are generated by
      net/data/ssl/scripts/generate-redundant-test-chains.sh.
 
-===== From net/data/ssl/scripts/generate-policy-certs.sh
-- explicit-policy-chain.pem
-     A test certificate chain with requireExplicitPolicy field set on the
-     intermediate, with SkipCerts=0. This is used for regression testing
-     http://crbug.com/31497.
-
 ===== From net/data/ssl/scripts/generate-client-certificates.sh
 - client_1.pem
 - client_1.key
@@ -351,13 +334,3 @@ unit tests.
 - key_usage_p256_both.pem
      Self-signed P-256 certificates with various combinations of keyUsage
      flags. Their private key is key_usage_p256.key.
-
-===== From net/data/ssl/scripts/generate-name-normalization-certs.py
-- name-normalization-printable-utf8.pem
-     Leaf's issuer CN is PrintableString, intermediate's subject CN is
-     UTF8String.
-- name-normalization-case-folding.pem
-     Leaf's issuer CN and intermediate's subject CN are both PrintableString
-     but have differing case on the first character.
-- name-normalization-byteequal.pem
-     Names are byte-equal.
diff --git a/chromium/net/data/ssl/certificates/bad_validity.pem b/chromium/net/data/ssl/certificates/bad_validity.pem
index 192039a613d..4b17a76d2f5 100644
--- a/chromium/net/data/ssl/certificates/bad_validity.pem
+++ b/chromium/net/data/ssl/certificates/bad_validity.pem
@@ -30,7 +30,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a7
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:6b
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -39,7 +39,7 @@ Certificate:
         Subject: CN=Leaf Certificate
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:e0:53:f4:f3:98:c1:14:33:02:c8:a4:6d:fe:aa:
                     2a:f7:94:3d:a6:6f:00:df:3b:de:4c:9f:a3:ea:07:
@@ -66,47 +66,47 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 E2:E0:A4:73:95:9B:E9:6E:FD:CE:29:C4:6F:07:81:0B:96:BD:47:BA
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         bd:75:cd:e4:f6:af:96:34:3f:cd:dc:9a:96:bf:61:69:cd:da:
-         8f:31:37:b8:65:2f:bc:f4:b2:93:0d:df:0c:12:57:b8:2a:3e:
-         1c:1c:ee:40:a6:82:8f:0b:9c:57:ca:51:76:b7:48:64:8c:23:
-         65:4a:59:33:b6:66:87:c5:90:7d:f2:f7:56:f7:e6:69:21:03:
-         95:36:39:2d:4b:84:2b:c7:c5:22:54:fc:f2:3a:4a:73:1e:59:
-         67:9f:a0:9c:77:53:54:ff:6f:8f:b1:88:b3:51:9d:e0:1a:61:
-         cf:90:37:3a:7f:a0:36:94:ab:11:73:0f:82:f6:1d:38:08:d2:
-         e4:ef:0d:62:5b:94:ca:d6:11:e0:27:d4:85:29:c6:62:16:c0:
-         2a:e5:ce:ec:35:81:3f:75:04:ba:11:b1:ee:a7:69:f8:44:1a:
-         cd:7c:56:d3:2d:f7:bf:07:39:d1:88:77:8d:44:7d:ea:04:27:
-         1e:32:e6:1a:39:40:50:56:4e:80:ff:4d:91:d3:c7:13:d8:7f:
-         9f:aa:bf:34:6b:ec:15:d0:e2:f9:85:36:c0:e6:53:dd:f2:c7:
-         32:87:80:40:2a:44:85:60:1a:55:fb:79:76:54:0b:2a:07:1b:
-         30:39:5e:74:60:93:97:ee:9d:1a:68:0d:d8:91:4e:c3:97:14:
-         9c:da:ef:80
+    Signature Value:
+        bf:da:fe:8f:5a:ca:5d:f5:9a:90:19:34:84:15:ab:46:80:62:
+        ed:95:c4:2e:04:ae:7b:0d:b7:a9:be:f6:28:8e:eb:a2:84:3e:
+        04:a6:b5:d4:61:a3:69:5c:ce:02:1e:4b:9a:40:58:19:c9:5f:
+        86:c2:a4:39:d9:c9:8e:ab:3a:b7:97:86:4e:96:73:dd:7c:84:
+        05:e8:2b:0c:83:a4:d0:69:1a:bf:c0:c1:a9:ed:c6:71:ec:bd:
+        94:56:4c:d4:0a:72:f2:62:69:57:67:b9:93:03:c5:43:a2:1b:
+        c2:20:36:6f:f1:ae:47:5d:7f:4f:65:a9:ad:30:60:93:50:34:
+        fe:8d:38:2a:b8:b3:a6:19:0c:de:30:e7:bd:61:cd:ff:b9:5e:
+        5d:06:85:52:95:d5:a0:76:14:02:58:43:e6:83:72:31:b1:41:
+        7d:20:7b:a8:db:7f:b2:36:ea:35:c0:70:c0:c1:c5:6f:fd:48:
+        41:bf:ff:67:c9:16:c4:a4:77:99:94:0b:ec:55:bc:91:b9:3d:
+        dc:68:52:b0:ad:a4:e3:c7:55:e5:67:37:52:c0:ce:1f:3d:19:
+        bb:00:91:4a:44:bb:40:eb:f5:7e:a7:7c:49:fd:26:16:a7:cd:
+        69:3d:d4:4b:37:5e:d9:cf:30:8a:8d:83:84:d5:5b:f7:4d:4d:
+        85:11:26:78
 -----BEGIN CERTIFICATE-----
-MIIDjTCCAnWgAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzpzANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMCIYDzAwMDEwMTAxMDAwMDAwWhgPMDAwMTAxMDEwMDAwMDBaMBsxGTAXBgNV
-BAMMEExlYWYgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQDgU/TzmMEUMwLIpG3+qir3lD2mbwDfO95Mn6PqB9Ss5VsN0azg7fnFmB01
-LeWzSZcUhUQP3EzSZwiIAaXYp+uT0Wqh91HnhH5SKn28bw7Y27amPt7c9aRolkQR
-hQLtRxLfuGBxlXtih2h6RFYJ1bTI8fbJRpKLaOiD1dWGcSPDgB6/bAHH0qS8QG3g
-48AuMHi9rd0lZtP1BwdW187icsUlfQzhp28AqNqrS1RDCWSktlI4L7fMAd0cAycD
-R7/f5jew7RjcUQvUdSLfUHs86zc5HJtvCHunBayMQ/fx2lEGs4JFPsiBc56wpc92
-lq+BLKwBKkpYSx2+/x+Fwife8XgLAgMBAAGjgYAwfjAMBgNVHRMBAf8EAjAAMB0G
-A1UdDgQWBBTi4KRzlZvpbv3OKcRvB4ELlr1HujAfBgNVHSMEGDAWgBSbJguKmKm7
-HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYD
-VR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAvXXN5PavljQ/zdyalr9h
-ac3ajzE3uGUvvPSykw3fDBJXuCo+HBzuQKaCjwucV8pRdrdIZIwjZUpZM7Zmh8WQ
-ffL3VvfmaSEDlTY5LUuEK8fFIlT88jpKcx5ZZ5+gnHdTVP9vj7GIs1Gd4Bphz5A3
-On+gNpSrEXMPgvYdOAjS5O8NYluUytYR4CfUhSnGYhbAKuXO7DWBP3UEuhGx7qdp
-+EQazXxW0y33vwc50Yh3jUR96gQnHjLmGjlAUFZOgP9NkdPHE9h/n6q/NGvsFdDi
-+YU2wOZT3fLHMoeAQCpEhWAaVft5dlQLKgcbMDledGCTl+6dGmgN2JFOw5cUnNrv
-gA==
+MIIDjjCCAnagAwIBAgIRALBrk5LjXI1+7Z3IllnFwmswDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAiGA8wMDAxMDEwMTAwMDAwMFoYDzAwMDEwMTAxMDAwMDAwWjAbMRkwFwYD
+VQQDDBBMZWFmIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA4FP085jBFDMCyKRt/qoq95Q9pm8A3zveTJ+j6gfUrOVbDdGs4O35xZgd
+NS3ls0mXFIVED9xM0mcIiAGl2Kfrk9FqofdR54R+Uip9vG8O2Nu2pj7e3PWkaJZE
+EYUC7UcS37hgcZV7YodoekRWCdW0yPH2yUaSi2jog9XVhnEjw4Aev2wBx9KkvEBt
+4OPALjB4va3dJWbT9QcHVtfO4nLFJX0M4advAKjaq0tUQwlkpLZSOC+3zAHdHAMn
+A0e/3+Y3sO0Y3FEL1HUi31B7POs3ORybbwh7pwWsjEP38dpRBrOCRT7IgXOesKXP
+dpavgSysASpKWEsdvv8fhcIn3vF4CwIDAQABo4GAMH4wDAYDVR0TAQH/BAIwADAd
+BgNVHQ4EFgQU4uCkc5Wb6W79zinEbweBC5a9R7owHwYDVR0jBBgwFoAUmyYLipip
+ux25HxzjGkAz7Y4XiKswHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8G
+A1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAL/a/o9ayl31mpAZNIQV
+q0aAYu2VxC4ErnsNt6m+9iiO66KEPgSmtdRho2lczgIeS5pAWBnJX4bCpDnZyY6r
+OreXhk6Wc918hAXoKwyDpNBpGr/AwantxnHsvZRWTNQKcvJiaVdnuZMDxUOiG8Ig
+Nm/xrkddf09lqa0wYJNQNP6NOCq4s6YZDN4w571hzf+5Xl0GhVKV1aB2FAJYQ+aD
+cjGxQX0ge6jbf7I26jXAcMDBxW/9SEG//2fJFsSkd5mUC+xVvJG5PdxoUrCtpOPH
+VeVnN1LAzh89GbsAkUpEu0Dr9X6nfEn9JhanzWk91Es3XtnPMIqNg4TVW/dNTYUR
+Jng=
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension.pem b/chromium/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension.pem
index 2650e60c55e..0bf4751f151 100644
--- a/chromium/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension.pem
+++ b/chromium/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension.pem
@@ -1,21 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDczCCAlugAwIBAgIUAIatnYlw5ZyRVI9AdnW4Yx0RgiYwDQYJKoZIhvcNAQEL
+MIIDkjCCAnqgAwIBAgIUZCoefl8RYqHLu2ziqedCbSAfH/4wDQYJKoZIhvcNAQEL
 BQAwYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4w
-LjAuMTAeFw0yMTEyMDExNTQyMjlaFw0yMjEyMDExNTQyMjlaMGAxCzAJBgNVBAYT
+LjAuMTAeFw0yMjEwMDMxNzIwMzBaFw0yMzEwMDMxNzIwMzBaMGAxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
 MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC754E3+obiba3pJy5MDJdf0ODNYXJuL7KN
-m4tdygGeBc3zzgin5Xc7v8dDrQ4h6SW6+q8ztZnetQ5xhQo2lkJScOiWgVYYvI+2
-M2r8447waHdlrsjY9X0YGChj3Rh4tLnrqCMHnZqO2T/NMbo10Nb0s6T3U6w+aDq8
-jzThogDpXoXgdQenkand1ZRNOzmumx25noJ9ra9qt/jrhFWGtJrPO0OI/I+QhDby
-aZmc7/17bTUrl0f4T5N3k31KJY5nsQk03d4wHLvhVaslK2qhqAEGG2ec4/3PP8Qn
-93CXu4Ti+kgfUc8megd4D9aN+5vaK7HDvkMuHYgw6R8Rdz46kU77AgMBAAGjJTAj
-MA8GA1UdEQQIMAaHBH8AAAEwEAYKKwYBBAHWeQIBFgQCBQAwDQYJKoZIhvcNAQEL
-BQADggEBAIT0kNtkR5UZk2O1WNxpntmXjCv8KIi8nwt16JLSyfv/PktrvLE3m4c4
-7WRVCOhov4NVeqBuMp8PiK2mKlicvF26eaR+YYM6rl+ltQ0bHkDcneGGc5bMERw7
-iTpGwcMQBy9IOS21p6GFxAzm/+iSWEd7sToZ1ZvqDE5ENhaOw4+TMAZn9WGpmO77
-4egLxjcs4hPzOnCvQaTbMw6No6lYyhL4m4zrqz4I5l9wzSCLkn8HACuFL8vh9t33
-UU/isQTPqER9X2AV13BB24AT5TjAGVBiaoM2VPWeuUIoYxV4sssCL6vsHijwulbZ
-mEXaG4DTPH6hz5P2aTEoZ4OVV0wCBrM=
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHxaeis59fd/yaGhvGCkW7F+eUhXvZqOgc
+SVvcudUmtxV5JAbLwXiQwKL820Wmm9VJ5gXoPtFdTNZYhbJkd324bSu/H71QDtgm
+7ngGeipmAIYEvHpscBhRStIyBtcWrYNvdOXqmAQLJirtyxaAX5NkVrURkoaoJzv9
+yYKOfbZR9hPtLIL6mfT2NiLlLtUN6icLmJX6z4t2Eu55sAnJjCwKnvg9E976yoOn
+wDXJDY3OnC3V/eYZZO9bBdlalXZ16l8xUXXhL8+xSrOgnleD2QHFLoSXecx5FEeZ
+7gGdiWi8oXzkD6MiY1xOTwFlvgNNegjnWOlqpT0OJhYD2atYMH51AgMBAAGjRDBC
+MA8GA1UdEQQIMAaHBH8AAAEwEAYKKwYBBAHWeQIBFgQCBQAwHQYDVR0OBBYEFJ4m
+W3kENeZsH6FrlzETjZb0qj98MA0GCSqGSIb3DQEBCwUAA4IBAQDFl5sdC5X3jc3h
+gFvu9w/Gg/8B4y2wyVQYk7FOWvFwQXOJ6fKo0gP01RtQ1BCUTTa4UC6yGxZSmI7D
+Vubi8wLv9ut9Trjz0ZN/s+18OKWWPpknm6RPrtgz3lcSJUPijQBDj62ocWLr51uj
+JS7k7OsvAQQ2BBh2auZDZQ6RmEJvce7Pl0wG3e7lrHo5sRU46bERvpiMctHy/x9M
+IBryGjz58SvWECsFQC49nb1jLkYbPqDsU/GlemVPffiSUVjERZMLx8FmpKnZRy2a
+tT7RY3/C0G9pNrp6ymYlhkSMOiXcjRJwPCOsXlczwQo1ACtmxXSifjSaC/3Rx/0Q
+0jufLLMb
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension_invalid.pem b/chromium/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension_invalid.pem
index 52462ec7be0..dd49c6d66c2 100644
--- a/chromium/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension_invalid.pem
+++ b/chromium/net/data/ssl/certificates/can_sign_http_exchanges_draft_extension_invalid.pem
@@ -1,21 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDczCCAlugAwIBAgIUM8LLl36AC9VOB8VwIC79Zb086jQwDQYJKoZIhvcNAQEL
+MIIDkjCCAnqgAwIBAgIUKI4gpE2u/33EvFq/n6Lu6en7OtEwDQYJKoZIhvcNAQEL
 BQAwYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4w
-LjAuMTAeFw0yMTEyMDExNTQyMjlaFw0yMjEyMDExNTQyMjlaMGAxCzAJBgNVBAYT
+LjAuMTAeFw0yMjEwMDMxNzIwMzBaFw0yMzEwMDMxNzIwMzBaMGAxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
 MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAhHeR/5qvF2tNp33pLCij4b8DZCaEHBYn
-5mMkDiSJsrbPXM/WnMMO219WzoocXXU5RBAl9cFM7cPdUAIctutZ2ISF2fCF+XMe
-G31m2+ybeARxHp8JE0w6b8BYN6UVWyIIJKeXXOU+F0uOscH9o9ALAD5uQKIBvUHr
-glK2PZp420kgABgb7LeQHbvdUc2j24SlJNMqLKfSpRIx6EK5lQXoc9d5BGYg3qNw
-ie8n4NCPdmDxX4gC0KP73yHNpwQ/1Has7Ib7onSVWSI0dZpjSG0LpTaOe51uKmFJ
-WCBlj1rvBwLVV4KCIuigaIbtLcJN8uW/NAqki1Nv2TaIyyNn33rpAgMBAAGjJTAj
-MA8GA1UdEQQIMAaHBH8AAAEwEAYKKwYBBAHWeQIBFgQCMAAwDQYJKoZIhvcNAQEL
-BQADggEBAHpTtRbKGWw6NW5VP0xyqbdZlLYA6lAr5/aVAFuh+9Jf5yQQngrHhtfL
-7Ocxs/qKxtK0Cn5XVBka0uprvGp3ArLf5l2nrY658WbFNIGo3ZnbuCoMOlq+xKRx
-0m29QO+XjEaFLGnUx5raHdFTOYkCPLBiAXeRA9NvOoOI7xz3d++VinBrhu3dFlnW
-cxj+PkZPu26GSpqubH3tqVZQiRDiBfsHuofaxmppkEhr6CrcPfgc4ZUwdiu/JeAX
-DA6Ed1BGHfZLrZnAChe9rxig23Dl3xzqgI9pmYKCo2Nw9wPzKno3pCuU23/wSP9q
-2/GiwY+JOZoTepxiebN32teJBHCeoUs=
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYzHvl9+jL2fcnXxtL+Co0+pBwhi/JvBkl
+XF9S5SNEualXFq4ajs1Mp6QEevTqSQYArAxHGtoVGBMSVeGsxQuD9mw5gizO/FTR
+dcm6fpWhp6l8W66v49Gc9zm/vte51n27iqa3LATIUzW/P6eDbLR3adQCB2n36miE
+kCvAbzwddPC6VkSeV+u/SOhccFvY5aluRuKWCOyfNi6lu4q5NCqNMF1+OplVTutW
+aGo8xMRcNqnQ9u/rwPV9NzVnhlW6Rn1eQrSMnWTnlBytyZGkHvF0ZuJ7sk3/sF7M
++KRQQ32SIeZV3n6Ctw/GOtQz/yw1g+2Sp2cBZB+fNXb4EaOojLvLAgMBAAGjRDBC
+MA8GA1UdEQQIMAaHBH8AAAEwEAYKKwYBBAHWeQIBFgQCMAAwHQYDVR0OBBYEFPPi
+QMbqtGksJRPMpYH2NFpHtVnlMA0GCSqGSIb3DQEBCwUAA4IBAQBkJakWGDFVcOkh
+MXRQBikBmnxalzrmB8ayHK6q4v65nyhi912e3wJ7RGih00ESsJtuSTZDaxhz/STI
+jo88gWHKG2EUdwh4S9c9HpPcFvGmbVZx1x2gkvIfbQMPMYEyiSsD8FYUWOrc3NGS
+gRj7/4t/IL+oeOjnKgzm2uVCIQHgGPMQWQUtsVszVcaBvegpR7SKA9ew3RdXi+WY
+ObEXIonrWg6STiVENMpLFX6flNIXJxw2IwSjerf25FxGloNLjW2zJLPh9UeiCud6
+f3+EBU7p52j5jkEjcYTZt+L/350riO+lMDHKd+u8p9qXxnS9Q52oWZSx8KTcd1oh
+24PS0WnY
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/caninesonduty.com.pem b/chromium/net/data/ssl/certificates/caninesonduty.com.pem
new file mode 100644
index 00000000000..5e99135a801
--- /dev/null
+++ b/chromium/net/data/ssl/certificates/caninesonduty.com.pem
@@ -0,0 +1,253 @@
+===========================================
+Certificate0: e93069159b9d545ee967debdccc1de1efcfa2cd0638266ffe61c8df39c30cdc0
+===========================================
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            bb:69:27:75:22:ac:ac:f0
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
+        Validity
+            Not Before: Oct  5 00:04:07 2022 GMT
+            Not After : Nov  6 00:04:07 2023 GMT
+        Subject: CN = caninesonduty.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:eb:c7:ea:a2:0f:ed:92:7a:f4:5c:59:7a:f1:ce:
+                    c9:5a:ef:57:a7:89:d0:b8:0d:ad:29:af:00:68:0a:
+                    98:b5:4b:7c:f7:cb:71:6d:c0:da:ea:8c:09:9d:9b:
+                    00:c4:9e:24:99:da:07:7b:fa:19:b3:e2:9a:70:e3:
+                    89:27:5f:d9:b3:4d:aa:6f:50:67:cb:1f:2f:0e:82:
+                    c6:b7:e3:75:c9:62:55:a9:5f:e3:aa:d0:fc:27:7e:
+                    f0:9c:b7:63:a9:db:fd:8c:17:9c:9d:e7:e1:83:d8:
+                    2c:e7:80:ae:b3:7c:b8:66:0f:44:90:93:f6:72:f3:
+                    cd:81:c5:88:fa:f5:5d:51:25:9a:c0:65:95:86:68:
+                    52:8e:34:44:55:d3:ec:17:b7:20:1f:7d:21:4a:d3:
+                    95:99:05:e3:ca:5c:f1:5f:78:cb:ca:d1:9a:63:63:
+                    ef:fe:cc:cc:e2:67:d5:3d:e2:f9:52:1f:75:a6:8f:
+                    67:70:3f:bf:6b:54:43:14:72:3c:05:40:79:85:14:
+                    4a:90:1c:0b:a8:f9:b5:59:03:0a:30:9b:12:ba:24:
+                    4c:41:28:c3:6a:8a:87:c2:88:bb:57:59:fc:4a:18:
+                    a8:da:f3:a6:9c:e6:7a:20:1a:20:44:37:be:26:ad:
+                    62:d2:02:cd:bb:12:a8:1f:23:f4:fa:f3:94:90:d7:
+                    97:8d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://crl.godaddy.com/gdig2s1-4574.crl
+            X509v3 Certificate Policies: 
+                Policy: 2.16.840.1.114413.1.7.23.1
+                  CPS: http://certificates.godaddy.com/repository/
+                Policy: 2.23.140.1.2.1
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.godaddy.com/
+                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
+            X509v3 Authority Key Identifier: 
+                40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
+            X509v3 Subject Alternative Name: 
+                DNS:caninesonduty.com, DNS:www.caninesonduty.com
+            X509v3 Subject Key Identifier: 
+                CD:0F:6D:86:BE:BC:E7:67:E3:35:89:4D:9C:14:37:7F:99:48:BB:CA
+            CT Precertificate SCTs: 
+                Signed Certificate Timestamp:
+                    Version   : v1 (0x0)
+                    Log ID    : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
+                                03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
+                    Timestamp : Oct  5 00:04:07.608 2022 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+                                30:45:02:21:00:99:37:25:11:EA:1F:77:28:5A:EB:1C:
+                                AE:E4:0B:48:D1:81:CD:27:16:2C:9B:39:72:2B:7C:2F:
+                                1A:E4:0E:73:A3:02:20:37:6B:FA:22:7F:F4:9E:FE:32:
+                                7B:99:67:38:DF:6B:69:49:11:65:72:07:03:9D:32:8D:
+                                0E:CF:93:5B:69:D8:4B
+                Signed Certificate Timestamp:
+                    Version   : v1 (0x0)
+                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
+                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
+                    Timestamp : Oct  5 00:04:08.086 2022 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+                                30:46:02:21:00:B5:13:CC:AF:81:11:BB:A2:50:C5:68:
+                                66:E1:2F:43:09:32:AD:79:15:69:49:CA:4F:9B:BA:D7:
+                                B0:30:26:02:D7:02:21:00:C4:A9:46:56:38:7E:0D:32:
+                                1E:4C:B3:82:28:22:F5:26:9E:60:9E:3C:5B:61:17:EC:
+                                CE:2F:44:16:29:23:BF:54
+                Signed Certificate Timestamp:
+                    Version   : v1 (0x0)
+                    Log ID    : 55:81:D4:C2:16:90:36:01:4A:EA:0B:9B:57:3C:53:F0:
+                                C0:E4:38:78:70:25:08:17:2F:A3:AA:1D:07:13:D3:0C
+                    Timestamp : Oct  5 00:04:08.476 2022 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+                                30:44:02:20:4A:A2:EF:86:58:95:7E:0F:7A:52:47:CF:
+                                0A:8B:B7:40:FB:09:55:15:40:3A:D0:DB:80:C1:EE:2F:
+                                CE:81:4F:E9:02:20:56:55:07:09:5A:1C:CE:A6:B9:5E:
+                                9C:E7:9B:F8:5B:86:98:05:A1:3D:89:2F:3B:D2:AE:6B:
+                                40:D1:05:59:E2:28
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        8a:39:d0:8b:47:f4:72:f8:ca:79:84:eb:5e:fa:89:91:e8:eb:
+        6d:85:db:df:b0:39:a0:87:a0:83:b5:16:9b:24:31:30:c3:cd:
+        63:52:03:44:6a:9b:a2:3f:4c:94:53:92:ab:b1:75:36:08:26:
+        92:a4:36:71:12:2f:fe:a7:df:50:a4:6c:3c:0e:d7:3b:47:46:
+        13:7a:7c:08:ec:b0:b5:28:1c:a4:bc:fc:86:49:6d:bc:5c:c5:
+        aa:70:50:51:8e:e2:06:c9:7c:41:2d:50:e6:c9:aa:b3:9c:dc:
+        fc:b0:80:82:5b:76:8e:78:7d:10:d7:e8:06:8d:9f:7f:b0:5c:
+        4d:75:a8:06:17:a0:42:cb:06:5c:27:c4:a5:35:e5:71:13:88:
+        e2:fa:ef:19:16:8d:59:23:a2:40:66:7a:99:a0:dd:a0:3e:16:
+        56:91:b2:a8:4f:a9:44:8b:46:71:52:74:75:40:0e:a3:61:ac:
+        89:ac:32:d3:3e:43:80:7a:2d:c7:76:d6:9b:5f:57:b5:a4:87:
+        fa:de:a6:1e:86:93:87:11:8b:87:b0:39:c2:29:4a:76:f3:13:
+        4f:fb:a8:3e:9f:f1:b9:d5:43:cc:87:82:ab:22:b0:98:a8:29:
+        df:83:ed:6f:d7:88:4a:ce:e2:9c:66:3c:fa:dc:07:96:c0:1a:
+        ec:17:bb:c7
+
+-----BEGIN CERTIFICATE-----
+MIIGnzCCBYegAwIBAgIJALtpJ3UirKzwMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
+VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
+MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
+cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
+dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIyMTAwNTAwMDQwN1oX
+DTIzMTEwNjAwMDQwN1owHDEaMBgGA1UEAxMRY2FuaW5lc29uZHV0eS5jb20wggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrx+qiD+2SevRcWXrxzsla71en
+idC4Da0prwBoCpi1S3z3y3FtwNrqjAmdmwDEniSZ2gd7+hmz4ppw44knX9mzTapv
+UGfLHy8Ogsa343XJYlWpX+Oq0PwnfvCct2Op2/2MF5yd5+GD2CzngK6zfLhmD0SQ
+k/Zy882BxYj69V1RJZrAZZWGaFKONERV0+wXtyAffSFK05WZBePKXPFfeMvK0Zpj
+Y+/+zMziZ9U94vlSH3Wmj2dwP79rVEMUcjwFQHmFFEqQHAuo+bVZAwowmxK6JExB
+KMNqiofCiLtXWfxKGKja86ac5nogGiBEN74mrWLSAs27EqgfI/T685SQ15eNAgMB
+AAGjggNJMIIDRTAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
+BgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYnaHR0cDov
+L2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTQ1NzQuY3JsMF0GA1UdIARWMFQwSAYL
+YIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5n
+b2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUHAQEEajBo
+MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUH
+MAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9n
+ZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wMwYDVR0R
+BCwwKoIRY2FuaW5lc29uZHV0eS5jb22CFXd3dy5jYW5pbmVzb25kdXR5LmNvbTAd
+BgNVHQ4EFgQUzQ9thr6852fjNYlNnBQ3f5lIu8owggF+BgorBgEEAdZ5AgQCBIIB
+bgSCAWoBaAB2AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABg6V0
+7zgAAAQDAEcwRQIhAJk3JRHqH3coWuscruQLSNGBzScWLJs5cit8LxrkDnOjAiA3
+a/oif/Se/jJ7mWc432tpSRFlcgcDnTKNDs+TW2nYSwB3AHoyjFTYty22IOo44FIe
+6YQWcDIThU070ivBOlejUutSAAABg6V08RYAAAQDAEgwRgIhALUTzK+BEbuiUMVo
+ZuEvQwkyrXkVaUnKT5u617AwJgLXAiEAxKlGVjh+DTIeTLOCKCL1Jp5gnjxbYRfs
+zi9EFikjv1QAdQBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAYOl
+dPKcAAAEAwBGMEQCIEqi74ZYlX4PelJHzwqLt0D7CVUVQDrQ24DB7i/OgU/pAiBW
+VQcJWhzOprlenOeb+FuGmAWhPYkvO9Kua0DRBVniKDANBgkqhkiG9w0BAQsFAAOC
+AQEAijnQi0f0cvjKeYTrXvqJkejrbYXb37A5oIegg7UWmyQxMMPNY1IDRGqboj9M
+lFOSq7F1NggmkqQ2cRIv/qffUKRsPA7XO0dGE3p8COywtSgcpLz8hkltvFzFqnBQ
+UY7iBsl8QS1Q5smqs5zc/LCAglt2jnh9ENfoBo2ff7BcTXWoBhegQssGXCfEpTXl
+cROI4vrvGRaNWSOiQGZ6maDdoD4WVpGyqE+pRItGcVJ0dUAOo2Gsiawy0z5DgHot
+x3bWm19XtaSH+t6mHoaThxGLh7A5wilKdvMTT/uoPp/xudVDzIeCqyKwmKgp34Pt
+b9eISs7inGY8+twHlsAa7Be7xw==
+-----END CERTIFICATE-----
+
+===========================================
+Certificate1: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
+===========================================
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 7 (0x7)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
+        Validity
+            Not Before: May  3 07:00:00 2011 GMT
+            Not After : May  3 07:00:00 2031 GMT
+        Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b9:e0:cb:10:d4:af:76:bd:d4:93:62:eb:30:64:
+                    b8:81:08:6c:c3:04:d9:62:17:8e:2f:ff:3e:65:cf:
+                    8f:ce:62:e6:3c:52:1c:da:16:45:4b:55:ab:78:6b:
+                    63:83:62:90:ce:0f:69:6c:99:c8:1a:14:8b:4c:cc:
+                    45:33:ea:88:dc:9e:a3:af:2b:fe:80:61:9d:79:57:
+                    c4:cf:2e:f4:3f:30:3c:5d:47:fc:9a:16:bc:c3:37:
+                    96:41:51:8e:11:4b:54:f8:28:be:d0:8c:be:f0:30:
+                    38:1e:f3:b0:26:f8:66:47:63:6d:de:71:26:47:8f:
+                    38:47:53:d1:46:1d:b4:e3:dc:00:ea:45:ac:bd:bc:
+                    71:d9:aa:6f:00:db:db:cd:30:3a:79:4f:5f:4c:47:
+                    f8:1d:ef:5b:c2:c4:9d:60:3b:b1:b2:43:91:d8:a4:
+                    33:4e:ea:b3:d6:27:4f:ad:25:8a:a5:c6:f4:d5:d0:
+                    a6:ae:74:05:64:57:88:b5:44:55:d4:2d:2a:3a:3e:
+                    f8:b8:bd:e9:32:0a:02:94:64:c4:16:3a:50:f1:4a:
+                    ae:e7:79:33:af:0c:20:07:7f:e8:df:04:39:c2:69:
+                    02:6c:63:52:fa:77:c1:1b:c8:74:87:c8:b9:93:18:
+                    50:54:35:4b:69:4e:bc:3b:d3:49:2e:1f:dc:c1:d2:
+                    52:fb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
+            X509v3 Authority Key Identifier: 
+                3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.godaddy.com/
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://crl.godaddy.com/gdroot-g2.crl
+            X509v3 Certificate Policies: 
+                Policy: X509v3 Any Policy
+                  CPS: https://certs.godaddy.com/repository/
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        08:7e:6c:93:10:c8:38:b8:96:a9:90:4b:ff:a1:5f:4f:04:ef:
+        6c:3e:9c:88:06:c9:50:8f:a6:73:f7:57:31:1b:be:bc:e4:2f:
+        db:f8:ba:d3:5b:e0:b4:e7:e6:79:62:0e:0c:a2:d7:6a:63:73:
+        31:b5:f5:a8:48:a4:3b:08:2d:a2:5d:90:d7:b4:7c:25:4f:11:
+        56:30:c4:b6:44:9d:7b:2c:9d:e5:5e:e6:ef:0c:61:aa:bf:e4:
+        2a:1b:ee:84:9e:b8:83:7d:c1:43:ce:44:a7:13:70:0d:91:1f:
+        f4:c8:13:ad:83:60:d9:d8:72:a8:73:24:1e:b5:ac:22:0e:ca:
+        17:89:62:58:44:1b:ab:89:25:01:00:0f:cd:c4:1b:62:db:51:
+        b4:d3:0f:51:2a:9b:f4:bc:73:fc:76:ce:36:a4:cd:d9:d8:2c:
+        ea:ae:9b:f5:2a:b2:90:d1:4d:75:18:8a:3f:8a:41:90:23:7d:
+        5b:4b:fe:a4:03:58:9b:46:b2:c3:60:60:83:f8:7d:50:41:ce:
+        c2:a1:90:c3:bb:ef:02:2f:d2:15:54:ee:44:15:d9:0a:ae:a7:
+        8a:33:ed:b1:2d:76:36:26:dc:04:eb:9f:f7:61:1f:15:dc:87:
+        6f:ee:46:96:28:ad:a1:26:7d:0a:09:a7:2e:04:a3:8d:bc:f8:
+        bc:04:30:01
+
+-----BEGIN CERTIFICATE-----
+MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
+EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
+ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
+MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
+EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
+CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
+EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
+BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
+K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
+cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
+pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
+eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
+AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
+HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
+9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
+b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
+b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
+CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
+MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
+91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
+RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
+DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
+GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
+LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
+-----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/common_name_only.pem b/chromium/net/data/ssl/certificates/common_name_only.pem
index 97be770c62c..01d325848cb 100644
--- a/chromium/net/data/ssl/certificates/common_name_only.pem
+++ b/chromium/net/data/ssl/certificates/common_name_only.pem
@@ -30,7 +30,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:bf
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:83
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -39,7 +39,7 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:c9:00:11:be:a3:9d:35:0e:56:27:a4:87:99:19:
                     d6:ed:c6:e5:f4:85:4b:ee:85:30:8e:ff:eb:be:65:
@@ -66,45 +66,46 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 ED:8D:2E:41:6F:59:A4:A8:A8:08:80:22:DA:52:E2:83:F8:05:A4:BE
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
     Signature Algorithm: sha256WithRSAEncryption
-         9c:a7:64:3a:82:8b:1c:35:f4:3e:14:56:83:72:01:3f:73:cd:
-         40:9a:95:1c:72:f1:9d:6f:9e:90:fc:aa:23:82:4d:a3:af:0b:
-         a4:14:50:40:a5:86:53:7d:85:10:9d:dc:eb:5a:fa:80:10:ae:
-         42:16:5d:31:f7:6d:11:3e:c2:1e:52:4e:45:53:3c:e7:6a:29:
-         20:5a:c9:df:e4:f8:7a:a4:92:2b:56:c6:ff:94:c3:a6:18:9e:
-         a0:5b:02:3b:c2:e9:bc:ca:c6:33:36:a0:00:a4:ac:9b:1e:21:
-         0d:34:11:09:12:d0:26:82:ab:84:b5:ba:d3:2a:4a:2a:cf:6f:
-         e2:cb:1c:6e:a7:39:f2:26:10:ef:79:2a:57:7a:e5:d4:16:df:
-         fa:fe:0f:8c:4b:d2:97:9e:88:44:dd:fd:13:47:d4:c0:ac:b7:
-         2e:a7:fb:30:a7:23:00:32:33:c3:2a:a0:c0:41:6b:fa:05:da:
-         8d:29:c0:69:0c:40:fc:3c:18:28:9a:d3:02:2a:e5:75:34:24:
-         13:5d:fc:08:eb:02:6c:fd:68:ed:d9:29:e1:5b:25:cd:3c:77:
-         a5:83:c0:84:fd:a2:5d:02:6c:ec:b1:22:ff:58:6f:3e:b4:96:
-         29:43:72:7d:c0:cb:93:a2:04:08:27:8c:2a:20:24:86:ac:67:
-         f0:14:33:5d
+    Signature Value:
+        86:c1:24:8e:a7:4d:26:27:8a:f6:12:62:6d:7f:de:aa:69:07:
+        97:e4:3a:78:a6:37:73:fc:63:cb:68:1d:ab:90:32:7c:b2:bd:
+        b5:7c:c6:ba:a9:bf:55:22:4e:a2:ca:1e:25:a4:4b:3e:78:f7:
+        5b:46:b7:04:83:99:57:82:82:fc:2f:c5:96:96:a3:da:8d:db:
+        df:26:e9:62:1a:24:22:9b:95:4c:cc:79:54:c9:bb:e3:1c:bc:
+        87:bb:26:74:8f:89:c2:64:57:12:ca:7e:e9:e7:cb:aa:38:9f:
+        b0:96:4c:63:64:41:cc:03:e8:5e:13:2e:9c:79:73:bc:e7:b1:
+        5b:54:80:51:48:eb:71:68:c7:21:fd:f9:2c:ee:a0:3f:52:06:
+        ae:96:1e:62:13:46:37:0e:a4:58:b2:45:1e:7d:ea:7f:7d:70:
+        47:92:7c:7b:7c:90:a8:87:7c:1a:12:51:75:75:59:92:1c:4d:
+        a2:7f:7e:ad:fa:89:de:8f:ae:2f:d6:ca:c5:3b:55:a0:fb:f5:
+        e0:3e:0b:60:c5:2d:d1:7e:e9:c1:cb:3c:24:77:56:8f:af:4e:
+        cb:99:39:b7:53:99:07:8c:71:59:20:9c:bd:db:38:bb:cc:b8:
+        5c:9a:51:66:18:46:39:96:c4:1a:ce:89:39:d3:6e:5f:79:17:
+        84:92:74:16
 -----BEGIN CERTIFICATE-----
-MIIDvDCCAqSgAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzvzANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE3MTIyMDAwMDAwMFoXDTIwMTIyMDAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMkAEb6jnTUOViekh5kZ1u3G5fSFS+6FMI7/
-675lqMAEkCx6Mny2bmpFRFc6C5Iba7ecqpH1wDev/jtpAe+SRh8ukXiWcvlfuVGa
-Q6ry9Y5u/BpS6/BywDerDFZJ3m7ixU6X95KPTLMkOrQtvpBU9aVtaCtnIR0O4DGD
-uCVVNZ4lqArkgwjxvbKKKzujEtcW53O1SDYTdRWQgzMbDnm6eyRZ06dWJDQ3eQXJ
-d9sVyeiNY2baIl9C0fGN8c37J0Zof/PhKliH/RIeqcKuPjonZ+iPIf8sWCfYyeyR
-4reQ4tKGkRwBudGJutus0xwNSLm8A2rezb5uGiKdLRR+za/nf+cCAwEAAaNvMG0w
-DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU7Y0uQW9ZpKioCIAi2lLig/gFpL4wHwYD
-VR0jBBgwFoAUmyYLipipux25HxzjGkAz7Y4XiKswHQYDVR0lBBYwFAYIKwYBBQUH
-AwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQCcp2Q6goscNfQ+FFaDcgE/
-c81AmpUccvGdb56Q/Kojgk2jrwukFFBApYZTfYUQndzrWvqAEK5CFl0x920RPsIe
-Uk5FUzznaikgWsnf5Ph6pJIrVsb/lMOmGJ6gWwI7wum8ysYzNqAApKybHiENNBEJ
-EtAmgquEtbrTKkoqz2/iyxxupznyJhDveSpXeuXUFt/6/g+MS9KXnohE3f0TR9TA
-rLcup/swpyMAMjPDKqDAQWv6BdqNKcBpDED8PBgomtMCKuV1NCQTXfwI6wJs/Wjt
-2SnhWyXNPHelg8CE/aJdAmzssSL/WG8+tJYpQ3J9wMuTogQIJ4wqICSGrGfwFDNd
+MIIDvTCCAqWgAwIBAgIRALBrk5LjXI1+7Z3IllnFwoMwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNzEyMjAwMDAwMDBaFw0yMDEyMjAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJABG+o501DlYnpIeZGdbtxuX0hUvuhTCO
+/+u+ZajABJAsejJ8tm5qRURXOguSG2u3nKqR9cA3r/47aQHvkkYfLpF4lnL5X7lR
+mkOq8vWObvwaUuvwcsA3qwxWSd5u4sVOl/eSj0yzJDq0Lb6QVPWlbWgrZyEdDuAx
+g7glVTWeJagK5IMI8b2yiis7oxLXFudztUg2E3UVkIMzGw55unskWdOnViQ0N3kF
+yXfbFcnojWNm2iJfQtHxjfHN+ydGaH/z4SpYh/0SHqnCrj46J2fojyH/LFgn2Mns
+keK3kOLShpEcAbnRibrbrNMcDUi5vANq3s2+bhoinS0Ufs2v53/nAgMBAAGjbzBt
+MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFO2NLkFvWaSoqAiAItpS4oP4BaS+MB8G
+A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAhsEkjqdNJieK9hJibX/e
+qmkHl+Q6eKY3c/xjy2gdq5AyfLK9tXzGuqm/VSJOosoeJaRLPnj3W0a3BIOZV4KC
+/C/Flpaj2o3b3ybpYhokIpuVTMx5VMm74xy8h7smdI+JwmRXEsp+6efLqjifsJZM
+Y2RBzAPoXhMunHlzvOexW1SAUUjrcWjHIf35LO6gP1IGrpYeYhNGNw6kWLJFHn3q
+f31wR5J8e3yQqId8GhJRdXVZkhxNon9+rfqJ3o+uL9bKxTtVoPv14D4LYMUt0X7p
+wcs8JHdWj69Oy5k5t1OZB4xxWSCcvds4u8y4XJpRZhhGOZbEGs6JOdNuX3kXhJJ0
+Fg==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/crlset_by_intermediate_serial.raw b/chromium/net/data/ssl/certificates/crlset_by_intermediate_serial.raw
index 3507c3d1b87..6afcf602a0d 100644
--- a/chromium/net/data/ssl/certificates/crlset_by_intermediate_serial.raw
+++ b/chromium/net/data/ssl/certificates/crlset_by_intermediate_serial.raw
diff --git a/chromium/net/data/ssl/certificates/crlset_by_root_serial.raw b/chromium/net/data/ssl/certificates/crlset_by_root_serial.raw
index 4e405fdb03b..3195847cf64 100644
--- a/chromium/net/data/ssl/certificates/crlset_by_root_serial.raw
+++ b/chromium/net/data/ssl/certificates/crlset_by_root_serial.raw
diff --git a/chromium/net/data/ssl/certificates/dec_2017.pem b/chromium/net/data/ssl/certificates/dec_2017.pem
index 6d30d160ffb..b033f8d4565 100644
--- a/chromium/net/data/ssl/certificates/dec_2017.pem
+++ b/chromium/net/data/ssl/certificates/dec_2017.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:c0
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:84
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:dd:52:02:31:4d:6a:0c:aa:08:74:8c:ca:b1:83:
-                    73:07:d0:c0:52:2f:40:b7:e6:c4:6e:36:01:19:17:
-                    a9:9b:67:75:17:fb:3b:4e:7d:40:71:f2:0f:8a:cb:
-                    a5:ca:eb:73:45:62:33:b2:b7:e2:10:e9:2a:3d:20:
-                    eb:bd:3a:35:0c:a3:43:e3:2e:b3:6d:15:48:a6:ab:
-                    de:eb:8b:97:f2:fd:55:eb:ef:d6:66:22:b4:6f:7a:
-                    f4:7f:1b:47:f9:b7:d9:54:69:de:e2:48:18:95:5a:
-                    19:b5:49:f2:f0:01:5d:72:dd:28:c6:53:fb:b6:01:
-                    e6:94:21:5f:c0:c6:e3:94:2b:77:bd:b3:43:b8:23:
-                    d3:7e:17:95:14:e0:ea:f2:a4:90:a5:7a:d5:a7:3a:
-                    f0:0d:01:05:bc:2d:e8:1a:5c:63:74:16:39:ea:96:
-                    6c:bb:1a:72:ad:c3:12:f9:2d:12:d3:34:91:fb:50:
-                    db:74:bd:f8:e4:18:62:15:41:c9:3b:73:31:1b:70:
-                    6c:3a:0e:d0:9e:d3:60:13:d9:59:04:24:09:b9:fc:
-                    38:d4:6a:ad:99:28:2f:2b:bf:2a:d3:6c:23:c9:74:
-                    d1:21:95:61:6f:2e:66:dd:b7:a0:b7:9a:7b:94:60:
-                    2a:fd:35:c2:f5:f6:bb:71:ca:09:5e:ed:fe:54:61:
-                    1f:d7
+                    00:bb:d6:9f:20:ad:98:2d:32:9a:c8:58:d2:8f:c0:
+                    e0:b0:1b:ff:5f:f9:20:93:f3:83:39:a6:5f:bd:cc:
+                    3f:84:de:cc:66:92:aa:ae:c3:6d:9e:c5:88:54:ca:
+                    a5:3f:7f:4c:42:bc:42:fe:93:f5:d2:96:e3:d7:fa:
+                    5d:d5:bd:eb:4f:ec:a5:c2:86:95:86:de:08:c2:a9:
+                    df:f8:ca:89:df:be:43:33:e6:4f:94:9e:a1:f2:57:
+                    85:f2:e5:58:bc:40:24:8e:86:4b:4a:c9:37:65:ee:
+                    b9:7b:2d:a0:7a:89:03:62:de:b6:93:52:63:3a:16:
+                    b2:81:17:3e:40:a9:1d:88:86:25:33:75:fa:75:c3:
+                    1b:d0:19:34:7f:20:ac:a3:cb:3b:30:14:d3:2a:f9:
+                    78:fa:33:f2:1d:4f:57:7b:c7:d6:67:f1:38:ff:97:
+                    a1:7d:6a:42:25:15:b2:5b:d0:46:6f:6d:b7:86:e0:
+                    2f:70:dc:0c:f9:bd:75:08:2f:a3:28:3f:ee:4e:3b:
+                    c8:00:92:96:e2:92:5b:91:56:ba:5a:11:be:f9:4f:
+                    30:64:e2:ab:52:26:b1:68:1e:34:d9:bb:6b:18:50:
+                    8a:b8:d4:1f:ee:2d:9f:55:ec:b0:88:93:db:3b:5a:
+                    f6:f9:38:17:fe:59:dc:66:87:ef:2d:97:8d:db:7a:
+                    0f:bb
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                E2:A4:9A:6D:56:D2:38:7D:3F:74:52:15:D5:EC:C3:18:E4:EA:B1:7A
+                4F:93:BD:50:76:80:83:8F:B4:15:05:76:1D:40:1D:55:A4:4C:2C:53
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         96:54:7e:70:93:50:ce:d6:29:4f:1b:4b:20:81:a8:3e:a6:33:
-         22:f1:a5:df:8d:ec:7d:3b:e0:70:07:a7:ac:89:bd:c0:18:2c:
-         23:cb:77:af:ef:62:34:4d:c8:7f:ce:12:a9:cd:3b:18:90:32:
-         76:bc:2c:21:8b:84:4d:85:1b:33:83:ac:70:84:d6:7d:94:f6:
-         48:2f:b0:90:31:a3:0e:06:05:a9:8c:5d:d3:ee:6f:45:44:57:
-         33:75:4c:53:da:2c:76:bd:68:97:f2:71:e1:b4:fd:fc:90:b6:
-         c2:93:3f:c6:0b:8e:25:a3:2f:6f:32:cb:93:72:2e:b9:90:74:
-         b2:53:30:76:94:61:e1:9c:32:c4:5e:c8:ec:38:ce:29:9f:8d:
-         86:2e:75:18:f5:e6:f6:7d:8f:76:94:dc:bd:59:85:b2:3d:ea:
-         f8:d5:6c:0a:96:2c:ef:e3:79:ff:39:34:25:d4:4f:7c:53:34:
-         8e:3a:4a:da:24:cc:53:66:58:9f:47:6e:13:e7:15:43:2a:66:
-         d3:50:ca:77:5a:01:5c:44:a8:ed:29:e6:0d:0a:33:4b:e6:58:
-         9f:ec:1a:51:51:96:58:c4:13:78:e5:d0:34:da:e6:f8:3a:97:
-         45:a7:61:89:47:e7:2f:0a:39:c9:7a:fa:f6:63:12:3f:ac:dc:
-         b6:1c:bd:81
+    Signature Value:
+        4a:73:ad:73:ac:c9:a6:45:53:69:ea:d9:6b:30:9c:36:9a:6d:
+        ad:b4:ab:44:fe:8a:43:ad:df:df:95:28:8e:f3:73:f3:0c:4a:
+        8c:d7:a0:48:3e:ed:d5:eb:79:74:60:cf:4b:2d:57:e8:f5:f3:
+        f0:8c:e1:45:8b:05:cf:2d:18:97:4d:ea:22:3c:a1:4b:01:89:
+        a3:d9:4f:c5:6d:86:0a:83:d3:4e:c2:d4:b7:0e:47:98:fa:81:
+        13:fe:a9:5f:a5:79:73:34:4f:28:29:c6:a9:81:25:6d:db:18:
+        d8:f6:44:39:11:83:a9:d3:11:b5:b3:8d:85:b7:0b:a5:88:9a:
+        3f:21:41:df:93:b8:73:b2:49:f1:c3:bd:94:57:df:bc:08:3d:
+        a2:e9:20:ed:13:ee:1f:62:f7:84:e5:0e:7f:79:2f:a0:d6:72:
+        79:83:1c:5f:d4:6a:5d:c8:eb:a2:7b:b1:c2:6d:e2:cc:b2:fd:
+        90:d0:5c:c1:e8:74:dc:20:e6:55:f7:6c:72:dc:05:a0:83:17:
+        96:f9:85:c2:71:55:4c:4c:71:91:7d:a8:90:dd:88:eb:78:03:
+        39:4e:24:e4:d4:66:ba:e4:50:5c:4d:f3:0b:aa:3a:1b:b3:e8:
+        53:be:b5:10:76:ae:a2:e4:a0:d5:30:62:5b:9d:2c:1e:1e:2d:
+        7c:2b:1d:d6
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzwDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE3MTIyMDAwMDAwMFoXDTIwMTIyMDAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAN1SAjFNagyqCHSMyrGDcwfQwFIvQLfmxG42
-ARkXqZtndRf7O059QHHyD4rLpcrrc0ViM7K34hDpKj0g6706NQyjQ+Mus20VSKar
-3uuLl/L9Vevv1mYitG969H8bR/m32VRp3uJIGJVaGbVJ8vABXXLdKMZT+7YB5pQh
-X8DG45Qrd72zQ7gj034XlRTg6vKkkKV61ac68A0BBbwt6BpcY3QWOeqWbLsacq3D
-EvktEtM0kftQ23S9+OQYYhVByTtzMRtwbDoO0J7TYBPZWQQkCbn8ONRqrZkoLyu/
-KtNsI8l00SGVYW8uZt23oLeae5RgKv01wvX2u3HKCV7t/lRhH9cCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOKkmm1W0jh9P3RSFdXswxjk6rF6MB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQCWVH5wk1DO1ilPG0sggag+pjMi8aXfjex9O+BwB6esib3AGCwjy3ev72I0Tch/
-zhKpzTsYkDJ2vCwhi4RNhRszg6xwhNZ9lPZIL7CQMaMOBgWpjF3T7m9FRFczdUxT
-2ix2vWiX8nHhtP38kLbCkz/GC44loy9vMsuTci65kHSyUzB2lGHhnDLEXsjsOM4p
-n42GLnUY9eb2fY92lNy9WYWyPer41WwKlizv43n/OTQl1E98UzSOOkraJMxTZlif
-R24T5xVDKmbTUMp3WgFcRKjtKeYNCjNL5lif7BpRUZZYxBN45dA02ub4OpdFp2GJ
-R+cvCjnJevr2YxI/rNy2HL2B
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwoQwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNzEyMjAwMDAwMDBaFw0yMDEyMjAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC71p8grZgtMprIWNKPwOCwG/9f+SCT84M5
+pl+9zD+E3sxmkqquw22exYhUyqU/f0xCvEL+k/XSluPX+l3VvetP7KXChpWG3gjC
+qd/4yonfvkMz5k+UnqHyV4Xy5Vi8QCSOhktKyTdl7rl7LaB6iQNi3raTUmM6FrKB
+Fz5AqR2IhiUzdfp1wxvQGTR/IKyjyzswFNMq+Xj6M/IdT1d7x9Zn8Tj/l6F9akIl
+FbJb0EZvbbeG4C9w3Az5vXUIL6MoP+5OO8gAkpbikluRVrpaEb75TzBk4qtSJrFo
+HjTZu2sYUIq41B/uLZ9V7LCIk9s7Wvb5OBf+Wdxmh+8tl43beg+7AgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRPk71QdoCDj7QVBXYdQB1VpEwsUzAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEASnOtc6zJpkVTaerZazCcNpptrbSrRP6KQ63f35UojvNz8wxKjNegSD7t1et5
+dGDPSy1X6PXz8IzhRYsFzy0Yl03qIjyhSwGJo9lPxW2GCoPTTsLUtw5HmPqBE/6p
+X6V5czRPKCnGqYElbdsY2PZEORGDqdMRtbONhbcLpYiaPyFB35O4c7JJ8cO9lFff
+vAg9oukg7RPuH2L3hOUOf3kvoNZyeYMcX9RqXcjronuxwm3izLL9kNBcweh03CDm
+VfdsctwFoIMXlvmFwnFVTExxkX2okN2I63gDOU4k5NRmuuRQXE3zC6o6G7PoU761
+EHauouSg1TBiW50sHh4tfCsd1g==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/ev-multi-oid.pem b/chromium/net/data/ssl/certificates/ev-multi-oid.pem
deleted file mode 100644
index 3feb7bab94c..00000000000
--- a/chromium/net/data/ssl/certificates/ev-multi-oid.pem
+++ /dev/null
@@ -1,83 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a9
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
-        Validity
-            Not Before: Dec  1 15:42:07 2021 GMT
-            Not After : Dec  1 15:42:07 2023 GMT
-        Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:e8:17:44:02:59:26:ba:6c:74:3f:7f:d5:af:49:
-                    6e:09:e5:75:5f:6a:eb:cf:83:20:54:68:d2:1b:36:
-                    28:ed:df:61:f2:70:65:e6:da:9f:96:b8:ed:63:fb:
-                    bc:44:66:d4:06:b9:0c:83:6a:a5:4d:0e:97:14:54:
-                    3c:6d:06:2d:6e:cc:84:81:f0:e8:69:59:08:7d:2e:
-                    c6:2c:95:f6:77:20:35:a4:25:39:97:c6:71:d8:5a:
-                    be:18:b5:04:6f:fb:67:cc:00:b8:94:89:36:7d:94:
-                    e1:ef:41:91:ae:74:f5:bd:16:20:bd:1a:84:0a:f4:
-                    a3:87:b2:3a:09:2d:8d:01:ee:a1:39:2b:3d:6c:87:
-                    2e:90:40:4f:40:b0:57:ea:7f:34:d5:8a:4a:d9:45:
-                    15:5a:6c:b7:90:5a:be:b5:77:9c:df:f0:09:01:09:
-                    03:53:0b:d4:ad:eb:93:d1:88:ee:73:82:ca:9c:47:
-                    23:56:8d:41:38:8e:52:8b:14:c5:2f:7f:82:19:84:
-                    a4:9d:f1:bd:be:98:de:6e:4f:9d:3a:fc:7d:60:19:
-                    34:c4:36:cd:71:17:38:e8:a8:d2:81:64:01:64:25:
-                    36:47:00:c1:6f:bc:95:a4:8e:2f:90:ab:b6:d0:9f:
-                    29:0d:2d:28:d3:c4:07:cb:bc:6a:d4:17:22:47:cf:
-                    55:61
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Certificate Policies: 
-                Policy: 2.23.140.1.1
-                Policy: 1.2.3.4
-
-            X509v3 Subject Alternative Name: 
-                IP Address:127.0.0.1
-    Signature Algorithm: sha256WithRSAEncryption
-         a4:4e:29:f0:35:65:b6:5a:bc:2a:5a:c3:7f:e7:c2:e8:ee:8a:
-         d0:b6:b4:1b:69:67:b5:42:79:55:b5:0b:e7:b5:1b:65:a4:7a:
-         dd:b4:03:dc:9f:91:0b:9b:04:a3:44:9a:81:d1:b3:b8:12:88:
-         04:9b:99:5f:e5:24:91:9f:36:6c:f4:1b:88:16:9e:c2:8f:29:
-         7b:40:ba:68:5b:61:fd:ea:d0:3e:cf:e5:2f:e2:e3:7a:73:35:
-         e4:da:fd:0e:56:d6:45:c4:2f:af:a6:0b:1b:aa:9e:bb:fc:48:
-         bd:c3:1a:b1:ae:7f:fe:d3:1a:73:03:27:33:a8:44:c9:ed:d9:
-         79:c6:df:a1:ae:1e:8e:c5:82:49:ca:4a:74:84:b3:6a:2d:b0:
-         01:3e:ed:12:e6:cc:7b:db:f3:09:82:3b:93:8d:a6:4d:8a:69:
-         2c:b4:1d:bb:8d:3d:9f:43:30:0c:b8:8b:ac:7b:bd:3b:44:11:
-         cd:37:55:12:ec:db:7d:2f:36:e5:69:b2:dc:08:9c:4c:09:b8:
-         c4:5f:03:64:80:74:6d:af:a0:fe:6d:18:59:f6:d7:6c:99:b8:
-         6d:1b:3a:ee:f7:12:0c:02:c7:81:09:19:1c:84:5f:3c:f9:85:
-         54:b1:aa:84:50:f6:82:1d:7e:ce:ce:ae:5e:4c:74:de:44:f8:
-         12:ca:31:74
------BEGIN CERTIFICATE-----
-MIIDqDCCApCgAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzqTANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIxMTIwMTE1NDIwN1oXDTIzMTIwMTE1NDIwN1owYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAOgXRAJZJrpsdD9/1a9JbgnldV9q68+DIFRo
-0hs2KO3fYfJwZeban5a47WP7vERm1Aa5DINqpU0OlxRUPG0GLW7MhIHw6GlZCH0u
-xiyV9ncgNaQlOZfGcdhavhi1BG/7Z8wAuJSJNn2U4e9Bka509b0WIL0ahAr0o4ey
-OgktjQHuoTkrPWyHLpBAT0CwV+p/NNWKStlFFVpst5BavrV3nN/wCQEJA1ML1K3r
-k9GI7nOCypxHI1aNQTiOUosUxS9/ghmEpJ3xvb6Y3m5PnTr8fWAZNMQ2zXEXOOio
-0oFkAWQlNkcAwW+8laSOL5CrttCfKQ0tKNPEB8u8atQXIkfPVWECAwEAAaNbMFkw
-DAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYD
-VR0gBBIwEDAHBgVngQwBATAFBgMqAwQwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG
-9w0BAQsFAAOCAQEApE4p8DVltlq8KlrDf+fC6O6K0La0G2lntUJ5VbUL57UbZaR6
-3bQD3J+RC5sEo0SagdGzuBKIBJuZX+UkkZ82bPQbiBaewo8pe0C6aFth/erQPs/l
-L+LjenM15Nr9DlbWRcQvr6YLG6qeu/xIvcMasa5//tMacwMnM6hEye3Zecbfoa4e
-jsWCScpKdISzai2wAT7tEubMe9vzCYI7k42mTYppLLQdu409n0MwDLiLrHu9O0QR
-zTdVEuzbfS825Wmy3AicTAm4xF8DZIB0ba+g/m0YWfbXbJm4bRs67vcSDALHgQkZ
-HIRfPPmFVLGqhFD2gh1+zs6uXkx03kT4EsoxdA==
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/ev_test.pem b/chromium/net/data/ssl/certificates/ev_test.pem
index fa135c1b153..36fc814ce23 100644
--- a/chromium/net/data/ssl/certificates/ev_test.pem
+++ b/chromium/net/data/ssl/certificates/ev_test.pem
@@ -2,68 +2,69 @@ Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number:
-            67:7c:da:93:dd:1e:fa:5d:6b:34:fc:48:d2:10:59:da:8c:4e:65:92
+            05:1a:d9:14:e2:4e:b8:9f:be:d0:25:9e:80:e4:f8:22:bc:71:9d:be
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, L = Mountain View, O = Test Org
         Validity
-            Not Before: Dec  1 15:42:30 2021 GMT
-            Not After : Dec  1 15:42:30 2023 GMT
+            Not Before: Oct  3 17:20:32 2022 GMT
+            Not After : Oct  2 17:20:32 2024 GMT
         Subject: C = US, ST = California, L = Mountain View, O = Test Org
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:d7:f6:76:ec:2b:92:4e:c7:3e:6e:c5:f2:de:12:
-                    e4:58:f8:a7:07:97:98:3a:ea:da:f7:36:b9:bf:ed:
-                    f1:e6:67:cc:38:f6:73:70:48:da:ef:88:44:78:eb:
-                    15:db:9b:83:d8:60:ae:ac:f9:83:e8:a0:5a:c8:48:
-                    0e:96:6b:c8:a5:05:a0:11:45:ce:22:30:7e:cc:ef:
-                    0f:13:dc:f4:93:a8:db:13:85:db:7f:3c:6e:ce:9e:
-                    cb:0e:bb:ee:de:3e:df:30:f1:6f:50:44:1e:67:84:
-                    36:e2:fb:9d:6d:30:2d:0d:34:13:c1:26:e6:18:07:
-                    19:c6:68:dc:3e:3c:33:f0:7e:8e:77:78:36:15:b4:
-                    2c:fe:9a:16:79:2c:e0:2e:ce:a0:7d:e7:60:15:be:
-                    e4:e6:7b:67:b4:a5:8b:10:9c:4e:bc:b8:f7:bc:49:
-                    46:4f:49:22:77:27:ca:42:ec:9c:6f:7b:b3:83:73:
-                    73:1f:87:19:f9:95:14:80:60:08:f9:0a:0c:e8:45:
-                    2b:82:ea:44:0a:2c:13:77:2e:15:ce:a4:49:05:1f:
-                    57:92:09:47:31:ce:39:61:26:bb:1b:89:b7:71:f2:
-                    b9:07:67:79:2c:fe:e3:fd:b1:17:2b:d4:d8:bb:2a:
-                    b8:6c:ae:88:c5:84:28:40:e8:c5:1a:2b:ee:75:35:
-                    e2:71
+                    00:9f:e4:ed:a7:ff:2d:7e:3b:26:5a:d2:5f:5e:81:
+                    5d:b7:b0:c7:b6:7c:dc:0b:5c:b2:f5:0f:f6:ee:7b:
+                    34:cc:4b:91:c4:bf:36:ea:0c:4c:c2:b6:d8:8f:5d:
+                    35:cc:1e:63:43:a8:3f:e6:36:47:1a:fa:c7:30:89:
+                    8d:5f:cd:74:66:69:1c:50:69:6d:b6:ac:25:95:ef:
+                    49:fb:1b:7f:13:45:1b:8a:2d:88:06:4c:b4:36:20:
+                    a2:6e:44:e5:f9:fe:e4:84:de:93:64:7f:22:22:46:
+                    3e:5c:f6:c3:6b:a2:66:05:27:a6:29:91:3d:70:8b:
+                    b9:f3:07:85:01:e7:79:25:aa:8f:88:b4:8f:6a:17:
+                    a7:5f:23:5a:50:5e:f0:ce:52:f5:1c:a5:b0:d2:76:
+                    8a:f7:75:7f:0e:57:e9:c3:74:2c:f1:ad:25:9a:4c:
+                    4b:ad:f9:91:a7:e2:18:db:19:79:7c:6f:1d:8f:c0:
+                    ad:f7:39:ae:6b:1c:75:9e:30:70:04:81:f9:33:25:
+                    38:aa:df:0d:ad:73:2e:b1:5c:03:99:a0:7f:01:db:
+                    62:c9:77:ed:da:9b:e6:92:0c:a8:f9:51:f0:66:0b:
+                    8c:0f:00:a5:fa:5d:9b:14:e0:5f:57:0a:75:a5:cc:
+                    a2:ba:f9:06:9b:bd:6b:d9:d7:c1:e0:02:b4:d0:c2:
+                    b9:1f
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha256WithRSAEncryption
-         15:d0:f9:e2:be:d5:27:94:cb:fe:7b:ee:21:0f:2d:24:c3:f8:
-         14:a0:02:a7:79:1d:11:31:fe:2b:9e:8c:b1:b4:70:20:1c:c0:
-         47:1d:ac:61:f7:25:11:fa:3a:b4:35:90:f5:8f:a9:14:33:5e:
-         63:fa:7d:30:dc:b6:fd:ce:71:a5:38:7e:b9:fb:84:cd:53:b9:
-         2a:77:79:10:e6:3f:6f:0e:5f:9c:33:e4:5e:d7:16:b4:33:aa:
-         65:4a:44:6e:e5:4e:21:a4:c9:02:15:03:60:02:c5:44:c9:78:
-         21:72:63:92:6e:a4:8c:2c:6a:14:7a:0a:a9:a4:2d:dd:2e:a8:
-         39:1e:bc:82:9e:db:86:a3:1e:4e:6c:b1:3f:33:ae:12:f3:ae:
-         93:f3:b3:88:c8:2b:c4:46:77:dd:b0:fd:3e:cb:e9:e9:ab:d2:
-         8f:d7:2c:96:cd:36:79:7c:9b:76:ea:c2:d5:7c:dd:af:ee:86:
-         86:ac:65:ed:95:47:2c:bc:6e:40:f9:72:e7:46:91:1f:39:7b:
-         bc:11:21:d2:13:0e:32:aa:07:0a:5a:e3:48:05:78:c1:02:0b:
-         69:03:76:b7:fa:9a:cf:06:0c:7d:3b:db:97:98:67:7a:ff:24:
-         45:f5:61:26:72:cd:61:b7:ac:b8:4a:04:51:95:44:1d:d7:96:
-         bc:96:20:79
+    Signature Value:
+        42:f5:17:0a:da:d7:5c:2c:1f:af:04:99:e9:d9:d6:4c:0c:d6:
+        cb:ac:6d:0d:4c:0f:b0:3a:18:36:ab:68:d2:5f:8e:d9:e0:13:
+        a2:64:bf:72:33:7f:86:c2:26:d8:40:5c:af:38:0b:5b:22:30:
+        dc:88:4f:5f:73:b0:0b:60:b9:30:be:8d:b9:54:9e:f9:2d:c8:
+        fb:d1:07:49:56:16:7a:8f:f2:7e:c4:c0:9b:be:f4:2d:a7:4c:
+        de:eb:cc:d5:fe:6f:ab:cf:65:15:f6:ab:1f:ed:1f:5d:09:4a:
+        65:aa:3e:5c:55:af:21:d9:ea:2c:4e:d4:f9:37:70:84:12:f5:
+        99:fb:89:d0:eb:9d:d2:62:b6:03:43:0f:e7:72:22:16:58:58:
+        a3:7c:b8:ee:f1:fd:76:73:5d:31:08:82:68:78:9b:9c:88:3e:
+        53:b8:76:0e:a4:9e:36:95:7f:f5:18:d5:32:fb:08:54:1c:89:
+        8e:73:80:13:99:39:32:79:ba:c1:00:aa:d3:ab:05:a6:d1:27:
+        fb:22:95:68:2f:c1:7a:5a:92:73:6a:de:0e:b4:c5:c8:9f:e6:
+        4e:8b:68:d2:23:5d:3c:16:54:02:dd:90:12:4e:fb:2c:a5:3b:
+        42:46:bb:67:e6:bb:1b:f6:94:75:30:91:28:cd:a1:db:6e:1d:
+        be:db:be:f8
 -----BEGIN CERTIFICATE-----
-MIIDITCCAgkCFGd82pPdHvpdazT8SNIQWdqMTmWSMA0GCSqGSIb3DQEBCwUAME0x
+MIIDITCCAgkCFAUa2RTiTrifvtAlnoDk+CK8cZ2+MA0GCSqGSIb3DQEBCwUAME0x
 CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3Vu
-dGFpbiBWaWV3MREwDwYDVQQKDAhUZXN0IE9yZzAeFw0yMTEyMDExNTQyMzBaFw0y
-MzEyMDExNTQyMzBaME0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
+dGFpbiBWaWV3MREwDwYDVQQKDAhUZXN0IE9yZzAeFw0yMjEwMDMxNzIwMzJaFw0y
+NDEwMDIxNzIwMzJaME0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
 MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MREwDwYDVQQKDAhUZXN0IE9yZzCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANf2duwrkk7HPm7F8t4S5Fj4pweX
-mDrq2vc2ub/t8eZnzDj2c3BI2u+IRHjrFdubg9hgrqz5g+igWshIDpZryKUFoBFF
-ziIwfszvDxPc9JOo2xOF2388bs6eyw677t4+3zDxb1BEHmeENuL7nW0wLQ00E8Em
-5hgHGcZo3D48M/B+jnd4NhW0LP6aFnks4C7OoH3nYBW+5OZ7Z7SlixCcTry497xJ
-Rk9JIncnykLsnG97s4Nzcx+HGfmVFIBgCPkKDOhFK4LqRAosE3cuFc6kSQUfV5IJ
-RzHOOWEmuxuJt3HyuQdneSz+4/2xFyvU2LsquGyuiMWEKEDoxRor7nU14nECAwEA
-ATANBgkqhkiG9w0BAQsFAAOCAQEAFdD54r7VJ5TL/nvuIQ8tJMP4FKACp3kdETH+
-K56MsbRwIBzARx2sYfclEfo6tDWQ9Y+pFDNeY/p9MNy2/c5xpTh+ufuEzVO5Knd5
-EOY/bw5fnDPkXtcWtDOqZUpEbuVOIaTJAhUDYALFRMl4IXJjkm6kjCxqFHoKqaQt
-3S6oOR68gp7bhqMeTmyxPzOuEvOuk/OziMgrxEZ33bD9Psvp6avSj9csls02eXyb
-durC1Xzdr+6Ghqxl7ZVHLLxuQPly50aRHzl7vBEh0hMOMqoHClrjSAV4wQILaQN2
-t/qazwYMfTvbl5hnev8kRfVhJnLNYbesuEoEUZVEHdeWvJYgeQ==
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ/k7af/LX47JlrSX16BXbewx7Z8
+3AtcsvUP9u57NMxLkcS/NuoMTMK22I9dNcweY0OoP+Y2Rxr6xzCJjV/NdGZpHFBp
+bbasJZXvSfsbfxNFG4otiAZMtDYgom5E5fn+5ITek2R/IiJGPlz2w2uiZgUnpimR
+PXCLufMHhQHneSWqj4i0j2oXp18jWlBe8M5S9RylsNJ2ivd1fw5X6cN0LPGtJZpM
+S635kafiGNsZeXxvHY/Arfc5rmscdZ4wcASB+TMlOKrfDa1zLrFcA5mgfwHbYsl3
+7dqb5pIMqPlR8GYLjA8ApfpdmxTgX1cKdaXMorr5Bpu9a9nXweACtNDCuR8CAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEAQvUXCtrXXCwfrwSZ6dnWTAzWy6xtDUwPsDoY
+Nqto0l+O2eATomS/cjN/hsIm2EBcrzgLWyIw3IhPX3OwC2C5ML6NuVSe+S3I+9EH
+SVYWeo/yfsTAm770LadM3uvM1f5vq89lFfarH+0fXQlKZao+XFWvIdnqLE7U+Tdw
+hBL1mfuJ0Oud0mK2A0MP53IiFlhYo3y47vH9dnNdMQiCaHibnIg+U7h2DqSeNpV/
+9RjVMvsIVByJjnOAE5k5Mnm6wQCq06sFptEn+yKVaC/BelqSc2reDrTFyJ/mToto
+0iNdPBZUAt2QEk77LKU7Qka7Z+a7G/aUdTCRKM2h224dvtu++A==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/ev_test_state_only.pem b/chromium/net/data/ssl/certificates/ev_test_state_only.pem
index 705a6264a3e..48f154b6f6a 100644
--- a/chromium/net/data/ssl/certificates/ev_test_state_only.pem
+++ b/chromium/net/data/ssl/certificates/ev_test_state_only.pem
@@ -2,67 +2,68 @@ Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number:
-            5e:7e:30:79:54:01:67:46:bc:d8:77:ca:76:08:4b:12:38:ab:c6:68
+            08:e7:72:d8:3b:cb:68:18:0b:32:f6:09:9f:39:d9:79:bd:af:c7:e0
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, O = Test Org
         Validity
-            Not Before: Dec  1 15:42:30 2021 GMT
-            Not After : Dec  1 15:42:30 2023 GMT
+            Not Before: Oct  3 17:20:32 2022 GMT
+            Not After : Oct  2 17:20:32 2024 GMT
         Subject: C = US, ST = California, O = Test Org
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:e8:35:3f:06:9a:e2:a6:0f:2d:93:78:3e:0f:74:
-                    1f:8d:49:7e:40:48:72:20:59:6b:72:5c:ac:e9:5d:
-                    cb:83:7a:d7:29:73:f9:ea:4a:5f:f1:3a:58:07:ad:
-                    ae:24:70:89:99:9e:c4:90:b0:d3:87:6c:f8:64:25:
-                    a2:92:0a:c1:54:42:eb:e3:dd:09:be:8b:3a:77:5c:
-                    fb:40:e5:3f:ab:7b:29:8b:59:a8:fd:b9:1d:10:52:
-                    d8:41:70:f3:f7:96:1e:0c:a9:64:ed:33:ba:0f:2c:
-                    83:f1:4a:f9:68:38:83:f5:a9:b5:54:10:ea:55:4f:
-                    01:17:f7:48:69:6d:89:05:eb:e3:40:66:af:47:e2:
-                    8a:27:c3:3a:1f:2b:b8:2e:95:f7:28:23:ec:33:4e:
-                    25:e4:a6:b2:0c:4c:c9:5b:29:5a:bc:0a:b8:dd:69:
-                    4c:28:19:50:c0:54:46:7a:cb:26:f5:a7:41:02:e4:
-                    a3:a0:6e:42:26:48:56:87:99:f9:6b:b9:f7:79:8e:
-                    7b:e0:da:9b:c1:14:cd:12:8b:56:d2:b0:0b:01:b9:
-                    3d:0b:dd:19:72:83:96:ea:14:d6:cc:bf:33:ee:79:
-                    f1:e7:cd:34:17:50:1c:f2:0c:ee:53:70:99:61:75:
-                    f6:0c:20:61:29:84:69:7d:f7:62:e6:cf:a6:6c:c6:
-                    6e:b7
+                    00:a4:1f:f6:07:e1:9b:b1:eb:c6:5a:45:70:e2:80:
+                    c0:71:48:d3:2e:d8:1e:38:a0:4a:5e:d0:28:d0:81:
+                    e8:3d:ec:bf:c9:94:c2:e8:1d:7c:c2:fd:30:e6:d3:
+                    72:f3:e5:83:95:df:ba:94:82:db:7b:c7:af:2e:c4:
+                    6e:96:fa:8b:75:7c:78:33:3b:69:8f:89:aa:68:14:
+                    e5:d8:a8:22:51:85:90:65:9b:98:27:8d:f0:a7:ad:
+                    3f:b0:46:47:67:8c:a0:6f:65:de:c4:5c:f0:e3:4c:
+                    ed:d4:63:21:dc:d4:77:f6:98:40:95:f3:38:c7:12:
+                    fe:5a:b0:0e:78:3d:c4:ea:c6:b8:56:51:55:9f:64:
+                    08:22:63:a1:52:01:7c:a5:95:b4:17:61:27:a0:e0:
+                    aa:28:df:21:22:c5:22:66:e9:a8:0e:7a:81:d1:c0:
+                    b8:8d:95:17:9a:71:2c:67:2d:ef:51:cf:31:3b:19:
+                    e2:b0:5f:3f:05:41:ac:7c:ee:4b:64:db:0e:56:97:
+                    93:f5:ce:9a:62:28:ef:e9:a2:15:91:10:0a:a6:67:
+                    08:ad:e3:e2:b4:9e:50:d7:c2:52:76:0d:ca:a4:36:
+                    8b:0b:41:f9:0d:c6:13:cb:6b:97:52:f3:02:19:aa:
+                    4f:96:83:9f:c6:ff:60:ef:ca:4e:59:ba:cd:c1:56:
+                    1e:55
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha256WithRSAEncryption
-         e5:17:02:f9:2f:c7:95:9c:44:2d:6f:4d:81:86:46:5c:70:cd:
-         a7:30:aa:74:23:42:1e:a5:bb:cb:c0:2c:66:52:de:43:29:9c:
-         42:16:88:60:f2:cf:4f:3f:e0:aa:bb:cd:7a:f6:62:99:c5:bc:
-         22:ea:25:b2:e5:18:1e:a6:fc:cd:37:b7:08:30:fd:cd:b6:57:
-         94:59:6e:3a:7c:ee:7c:48:82:8b:84:73:af:d1:5c:f3:b7:8e:
-         53:c0:4a:7e:47:53:60:00:6e:a7:60:fa:17:ca:a0:63:bd:c0:
-         8d:b0:d2:44:50:80:b7:73:e9:30:57:81:c1:b8:01:1d:00:41:
-         31:18:07:74:83:69:ab:8c:c5:94:0a:7b:e6:f3:cd:87:76:20:
-         2d:da:01:81:10:8b:ea:f7:9a:be:af:08:81:d2:da:9e:64:81:
-         99:a7:ff:d1:fe:98:8b:cb:3c:58:fa:99:f3:5f:e6:26:88:e1:
-         70:d6:8c:7e:22:94:77:c6:fd:6b:5c:0e:32:68:f6:22:69:35:
-         6b:c2:1b:b8:e6:54:c8:6f:0d:c6:cd:3c:5b:64:1e:e9:88:03:
-         28:e9:53:7c:97:26:d5:ff:fc:a6:97:75:fa:2e:74:34:d2:a1:
-         ec:8c:13:57:0b:94:e7:df:27:83:db:31:df:03:8f:15:6e:8d:
-         97:58:3c:5f
+    Signature Value:
+        7a:50:d2:45:b9:8c:3c:1d:90:a4:fb:cf:15:fd:88:76:39:ed:
+        9d:70:d5:81:58:1f:eb:ad:2f:dd:5d:cd:3b:be:bb:90:0f:5b:
+        c9:89:8d:d4:43:60:a9:2e:c1:38:f0:11:44:ab:c6:89:21:d3:
+        46:75:1a:d9:bd:95:15:09:a0:82:b3:e2:86:e9:30:c1:41:4f:
+        56:6c:3f:2d:b7:f8:15:7c:2e:67:b1:91:41:2b:63:77:2c:8e:
+        ee:66:00:c6:1f:5f:d2:38:49:2a:f3:38:6c:42:c6:26:b7:36:
+        a8:63:ac:89:ef:46:0a:c3:79:fd:b9:94:d9:37:7a:c2:2d:33:
+        61:2b:6d:58:33:cb:bd:98:3c:70:37:e5:12:b9:b5:7a:8f:85:
+        73:f5:fc:6a:7e:06:8c:91:2d:97:db:84:f6:ba:9f:39:5f:84:
+        f8:37:73:0f:29:35:bb:0c:bd:49:6e:b3:67:4c:f2:e2:c7:7b:
+        27:45:78:19:fa:2b:ba:f8:fc:ce:31:9e:b5:91:61:27:b7:01:
+        5f:ac:7a:41:c0:5b:da:f3:cc:72:21:3a:11:dd:08:8b:c3:d2:
+        d3:1e:6d:0e:e0:e9:3d:8b:aa:67:a2:6f:c6:02:ac:e8:b2:7e:
+        69:60:e2:7e:40:56:32:d6:76:42:ed:e5:56:db:07:e6:4f:39:
+        74:3f:de:8b
 -----BEGIN CERTIFICATE-----
-MIIC8TCCAdkCFF5+MHlUAWdGvNh3ynYISxI4q8ZoMA0GCSqGSIb3DQEBCwUAMDUx
+MIIC8TCCAdkCFAjnctg7y2gYCzL2CZ852Xm9r8fgMA0GCSqGSIb3DQEBCwUAMDUx
 CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQKDAhUZXN0
-IE9yZzAeFw0yMTEyMDExNTQyMzBaFw0yMzEyMDExNTQyMzBaMDUxCzAJBgNVBAYT
+IE9yZzAeFw0yMjEwMDMxNzIwMzJaFw0yNDEwMDIxNzIwMzJaMDUxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMREwDwYDVQQKDAhUZXN0IE9yZzCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOg1Pwaa4qYPLZN4Pg90H41JfkBI
-ciBZa3JcrOldy4N61ylz+epKX/E6WAetriRwiZmexJCw04ds+GQlopIKwVRC6+Pd
-Cb6LOndc+0DlP6t7KYtZqP25HRBS2EFw8/eWHgypZO0zug8sg/FK+Wg4g/WptVQQ
-6lVPARf3SGltiQXr40Bmr0fiiifDOh8ruC6V9ygj7DNOJeSmsgxMyVspWrwKuN1p
-TCgZUMBURnrLJvWnQQLko6BuQiZIVoeZ+Wu593mOe+Dam8EUzRKLVtKwCwG5PQvd
-GXKDluoU1sy/M+558efNNBdQHPIM7lNwmWF19gwgYSmEaX33YubPpmzGbrcCAwEA
-ATANBgkqhkiG9w0BAQsFAAOCAQEA5RcC+S/HlZxELW9NgYZGXHDNpzCqdCNCHqW7
-y8AsZlLeQymcQhaIYPLPTz/gqrvNevZimcW8IuolsuUYHqb8zTe3CDD9zbZXlFlu
-OnzufEiCi4Rzr9Fc87eOU8BKfkdTYABup2D6F8qgY73AjbDSRFCAt3PpMFeBwbgB
-HQBBMRgHdINpq4zFlAp75vPNh3YgLdoBgRCL6veavq8IgdLanmSBmaf/0f6Yi8s8
-WPqZ81/mJojhcNaMfiKUd8b9a1wOMmj2Imk1a8IbuOZUyG8Nxs08W2Qe6YgDKOlT
-fJcm1f/8ppd1+i50NNKh7IwTVwuU598ng9sx3wOPFW6Nl1g8Xw==
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQf9gfhm7HrxlpFcOKAwHFI0y7Y
+HjigSl7QKNCB6D3sv8mUwugdfML9MObTcvPlg5XfupSC23vHry7Ebpb6i3V8eDM7
+aY+JqmgU5dioIlGFkGWbmCeN8KetP7BGR2eMoG9l3sRc8ONM7dRjIdzUd/aYQJXz
+OMcS/lqwDng9xOrGuFZRVZ9kCCJjoVIBfKWVtBdhJ6DgqijfISLFImbpqA56gdHA
+uI2VF5pxLGct71HPMTsZ4rBfPwVBrHzuS2TbDlaXk/XOmmIo7+miFZEQCqZnCK3j
+4rSeUNfCUnYNyqQ2iwtB+Q3GE8trl1LzAhmqT5aDn8b/YO/KTlm6zcFWHlUCAwEA
+ATANBgkqhkiG9w0BAQsFAAOCAQEAelDSRbmMPB2QpPvPFf2IdjntnXDVgVgf660v
+3V3NO767kA9byYmN1ENgqS7BOPARRKvGiSHTRnUa2b2VFQmggrPihukwwUFPVmw/
+Lbf4FXwuZ7GRQStjdyyO7mYAxh9f0jhJKvM4bELGJrc2qGOsie9GCsN5/bmU2Td6
+wi0zYSttWDPLvZg8cDflErm1eo+Fc/X8an4GjJEtl9uE9rqfOV+E+DdzDyk1uwy9
+SW6zZ0zy4sd7J0V4Gforuvj8zjGetZFhJ7cBX6x6QcBb2vPMciE6Ed0Ii8PS0x5t
+DuDpPYuqZ6JvxgKs6LJ+aWDifkBWMtZ2Qu3lVtsH5k85dD/eiw==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/expired_cert.pem b/chromium/net/data/ssl/certificates/expired_cert.pem
index 41573b9a7ea..0918e4675e1 100644
--- a/chromium/net/data/ssl/certificates/expired_cert.pem
+++ b/chromium/net/data/ssl/certificates/expired_cert.pem
@@ -30,7 +30,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a1
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:65
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -39,7 +39,7 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:c3:46:ae:f0:79:48:86:4f:b5:cc:95:90:28:b0:
                     02:8a:d2:6f:0f:79:87:c3:c2:ba:f3:eb:0a:93:4a:
@@ -66,48 +66,48 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 F3:9E:DE:55:DE:AD:DA:14:A3:B8:AA:E5:3A:D3:84:E6:88:B1:7E:C6
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         18:24:12:01:0b:0d:e4:5e:93:22:32:dc:86:80:47:b4:79:02:
-         b0:f8:f7:c7:81:cc:08:70:5c:02:c4:f2:f1:62:d6:19:92:fb:
-         d4:d7:f3:b0:4c:73:43:0e:7d:2c:f9:a5:34:55:90:2c:97:e7:
-         61:93:c8:6c:13:1a:b1:c2:58:86:1c:70:1d:12:17:1e:d2:92:
-         5d:8d:94:37:29:52:29:7d:e1:c6:de:8f:dd:91:c7:a4:ce:8c:
-         5e:e5:56:a2:ba:ef:e6:f0:02:89:1a:f9:94:19:43:51:e7:7e:
-         d4:7a:15:49:89:a1:15:56:72:8a:41:e2:2d:8a:11:46:70:04:
-         aa:6c:25:aa:65:d0:59:96:c2:6a:5d:dd:97:6c:7f:79:3c:23:
-         de:ca:36:d8:e1:56:f4:eb:94:ef:50:14:dd:e9:79:f4:5a:09:
-         82:2d:d9:31:49:1d:57:6a:03:ec:07:c9:87:af:8f:a7:64:2e:
-         06:26:65:49:6c:ad:42:4d:d9:25:6a:56:0b:ed:38:09:94:53:
-         fc:e5:80:11:c3:fb:5b:eb:77:54:49:6c:3c:88:87:af:24:69:
-         6a:35:9d:db:8b:f5:97:ea:c8:42:59:5c:ca:5a:0c:e5:fc:38:
-         52:5f:ac:da:b7:5c:ef:37:80:04:b5:a7:d2:04:9c:bd:ba:70:
-         0b:c6:55:f3
+    Signature Value:
+        36:3c:43:bc:10:33:eb:68:3a:c5:9c:24:4c:b4:ce:59:6f:88:
+        13:02:e4:a4:31:e4:f2:8d:cb:b3:f1:bb:56:a3:c5:bb:f9:e9:
+        28:3b:88:97:c4:4a:fa:79:df:23:60:8b:7f:32:14:21:43:de:
+        60:87:21:e9:de:9a:b6:42:8c:e5:fc:c5:bd:f2:08:f8:3a:82:
+        00:b7:ed:14:3a:76:c1:4b:ca:6d:17:32:27:e3:4e:32:d7:08:
+        17:03:79:77:3f:81:a1:39:c9:d3:4e:32:83:65:18:ca:f7:fb:
+        1a:6c:54:27:2c:e2:1e:82:dd:c1:ef:a9:cf:01:d7:4e:e2:ca:
+        e1:2e:3f:64:7d:ce:4a:45:22:60:c3:cf:bd:96:91:54:99:9b:
+        99:12:d7:1c:7d:3e:54:8a:00:f7:00:c4:e9:6b:61:2b:87:f0:
+        6a:51:c0:62:ce:24:58:6a:af:bb:76:34:cd:6a:25:84:94:2b:
+        c2:66:9f:e2:50:f6:d0:6a:1b:6a:be:de:ed:db:ce:69:1b:17:
+        87:91:36:46:8d:cf:6a:82:38:06:b2:99:c4:da:10:17:77:90:
+        15:e1:c0:78:76:72:fd:12:65:06:1e:b6:26:eb:bb:99:a4:42:
+        b3:ef:14:73:2d:5d:03:ee:f7:b4:17:9d:c6:18:dd:71:d3:81:
+        88:11:ba:7e
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzoTANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTA2MDEwMTAwMDAwMFoXDTA3MDEwMTAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMNGrvB5SIZPtcyVkCiwAorSbw95h8PCuvPr
-CpNKZeklLwHMg3PIgFrrOggRMq+FwbzhB4N0CgIB+32dXq48vHPOa5GFbCIBqtgi
-5KDuqKI2AProiMDTmxY8wcG5ZIPsRvZTLEsIwT2TEf4sVzEMYE6tN/w1IqmvuExp
-mSGljwzIqpYptoXWhdQfsKpD73kcOBzZrTl337FXZzIRVNMbxUC9/yPSdVLEJxKs
-5+of36/jzx2K4Z0mrG3vIfeO9f0F+rMqVQS/snYYiIEXfPO05lSPxEvNsvLXx4ox
-4J+PGPPGfFiZ9PpyFBp3NoBTDEeU9IqyQoi4WPxP8WUbgQF9pusCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPOe3lXerdoUo7iq5TrThOaIsX7GMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQAYJBIBCw3kXpMiMtyGgEe0eQKw+PfHgcwIcFwCxPLxYtYZkvvU1/OwTHNDDn0s
-+aU0VZAsl+dhk8hsExqxwliGHHAdEhce0pJdjZQ3KVIpfeHG3o/dkcekzoxe5Vai
-uu/m8AKJGvmUGUNR537UehVJiaEVVnKKQeItihFGcASqbCWqZdBZlsJqXd2XbH95
-PCPeyjbY4Vb065TvUBTd6Xn0WgmCLdkxSR1XagPsB8mHr4+nZC4GJmVJbK1CTdkl
-alYL7TgJlFP85YARw/tb63dUSWw8iIevJGlqNZ3bi/WX6shCWVzKWgzl/DhSX6za
-t1zvN4AEtafSBJy9unALxlXz
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwmUwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0wNjAxMDEwMDAwMDBaFw0wNzAxMDEwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDRq7weUiGT7XMlZAosAKK0m8PeYfDwrrz
+6wqTSmXpJS8BzINzyIBa6zoIETKvhcG84QeDdAoCAft9nV6uPLxzzmuRhWwiAarY
+IuSg7qiiNgD66IjA05sWPMHBuWSD7Eb2UyxLCME9kxH+LFcxDGBOrTf8NSKpr7hM
+aZkhpY8MyKqWKbaF1oXUH7CqQ+95HDgc2a05d9+xV2cyEVTTG8VAvf8j0nVSxCcS
+rOfqH9+v488diuGdJqxt7yH3jvX9BfqzKlUEv7J2GIiBF3zztOZUj8RLzbLy18eK
+MeCfjxjzxnxYmfT6chQadzaAUwxHlPSKskKIuFj8T/FlG4EBfabrAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTznt5V3q3aFKO4quU604TmiLF+xjAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEANjxDvBAz62g6xZwkTLTOWW+IEwLkpDHk8o3Ls/G7VqPFu/npKDuIl8RK+nnf
+I2CLfzIUIUPeYIch6d6atkKM5fzFvfII+DqCALftFDp2wUvKbRcyJ+NOMtcIFwN5
+dz+BoTnJ004yg2UYyvf7GmxUJyziHoLdwe+pzwHXTuLK4S4/ZH3OSkUiYMPPvZaR
+VJmbmRLXHH0+VIoA9wDE6WthK4fwalHAYs4kWGqvu3Y0zWolhJQrwmaf4lD20Gob
+ar7e7dvOaRsXh5E2Ro3PaoI4BrKZxNoQF3eQFeHAeHZy/RJlBh62Juu7maRCs+8U
+cy1dA+73tBedxhjdcdOBiBG6fg==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/explicit-policy-chain.pem b/chromium/net/data/ssl/certificates/explicit-policy-chain.pem
deleted file mode 100644
index 5f6c143e2e1..00000000000
--- a/chromium/net/data/ssl/certificates/explicit-policy-chain.pem
+++ /dev/null
@@ -1,230 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Policy Test Intermediate CA
-        Validity
-            Not Before: Feb 28 23:52:34 2017 GMT
-            Not After : Feb 26 23:52:34 2027 GMT
-        Subject: CN=policy_test.example
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b3:2a:fe:85:4f:88:af:bb:62:62:b7:03:a7:c4:
-                    d7:29:37:d6:73:31:22:93:d1:5f:33:f6:8f:bf:33:
-                    00:a6:ae:72:da:cb:3d:86:3b:f8:22:29:32:a7:4f:
-                    aa:21:fd:43:47:83:18:96:c2:5c:76:f2:9a:6a:e1:
-                    49:84:22:1f:a7:d6:d6:a9:ce:d5:06:17:e3:67:65:
-                    1b:9a:05:38:2b:ee:e5:7b:ed:4e:69:b8:13:78:bc:
-                    41:b5:19:30:6a:13:d7:94:a9:d6:63:96:54:fb:61:
-                    a6:64:3a:ec:2a:83:27:c7:85:6d:57:1b:0a:67:aa:
-                    a2:ac:56:ef:24:24:62:df:46:4d:cc:75:25:db:19:
-                    7c:75:29:41:cc:88:c1:4d:a8:cc:ec:d5:23:a0:34:
-                    e7:96:57:6a:92:f8:34:ce:26:0c:41:29:99:be:54:
-                    db:d9:6f:45:5d:f7:f2:6d:c2:8b:fe:e6:4a:29:4f:
-                    74:8b:70:d5:8f:7f:64:b7:70:c6:2c:5a:01:d5:1d:
-                    6b:bb:ad:9f:3f:44:33:fe:dc:60:9a:79:a6:dc:ac:
-                    fb:79:f9:b5:f0:7f:e0:ea:96:e5:1a:bf:24:3c:e4:
-                    4f:55:3c:64:c0:d2:28:ee:b3:8d:c4:9b:a4:63:60:
-                    eb:ca:28:54:7e:d1:61:e9:cb:f6:14:d1:77:f5:f3:
-                    aa:89
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Certificate Policies: 
-                Policy: 1.2.3.4
-
-            X509v3 Subject Alternative Name: 
-                DNS:policy_test.example
-    Signature Algorithm: sha256WithRSAEncryption
-         c4:94:39:60:06:55:5d:2e:af:55:e2:ab:e5:b5:fc:96:fd:24:
-         c2:08:80:fd:55:e4:d1:5c:c8:44:d2:9f:0c:0f:1a:47:2f:da:
-         33:f9:1b:11:aa:27:1c:81:e0:ba:0e:77:26:97:08:6b:80:2e:
-         81:d6:e2:37:22:33:75:31:33:41:0e:40:1a:bd:b7:8a:3e:95:
-         b6:d4:1f:bf:30:ae:75:e5:45:32:85:67:33:56:c1:42:30:7f:
-         bf:9c:ad:bc:69:91:a9:71:f9:96:1e:85:b9:7b:ea:45:ee:85:
-         1a:50:8e:05:04:69:fc:86:2b:52:54:9b:5e:f6:a0:8f:49:0d:
-         f9:d0:63:94:4e:04:e3:eb:fb:47:17:79:76:00:0c:d1:da:2c:
-         1e:8c:11:04:92:9b:01:a5:38:fb:3f:8b:7f:27:04:07:af:40:
-         8b:f3:62:e0:7e:d2:37:e5:ea:ef:98:ef:92:d7:06:59:ee:e5:
-         83:e0:f5:4a:9a:9e:cf:38:11:e1:f8:f3:9d:3d:21:4c:ea:6b:
-         34:44:e1:2c:5e:eb:0e:cd:77:8a:5a:a8:40:f9:03:ff:f4:47:
-         a7:f8:1d:d0:43:38:b6:06:c2:67:2a:42:92:44:ad:6d:c9:e7:
-         d0:60:89:82:21:fc:c5:ea:e6:21:94:26:a3:76:02:05:c5:4c:
-         34:d3:5f:2d
------BEGIN CERTIFICATE-----
-MIIDIDCCAgigAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtQb2xp
-Y3kgVGVzdCBJbnRlcm1lZGlhdGUgQ0EwHhcNMTcwMjI4MjM1MjM0WhcNMjcwMjI2
-MjM1MjM0WjAeMRwwGgYDVQQDDBNwb2xpY3lfdGVzdC5leGFtcGxlMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyr+hU+Ir7tiYrcDp8TXKTfWczEik9Ff
-M/aPvzMApq5y2ss9hjv4Iikyp0+qIf1DR4MYlsJcdvKaauFJhCIfp9bWqc7VBhfj
-Z2UbmgU4K+7le+1OabgTeLxBtRkwahPXlKnWY5ZU+2GmZDrsKoMnx4VtVxsKZ6qi
-rFbvJCRi30ZNzHUl2xl8dSlBzIjBTajM7NUjoDTnlldqkvg0ziYMQSmZvlTb2W9F
-XffybcKL/uZKKU90i3DVj39kt3DGLFoB1R1ru62fP0Qz/txgmnmm3Kz7efm18H/g
-6pblGr8kPORPVTxkwNIo7rONxJukY2DryihUftFh6cv2FNF39fOqiQIDAQABo2Ew
-XzAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAQ
-BgNVHSAECTAHMAUGAyoDBDAeBgNVHREEFzAVghNwb2xpY3lfdGVzdC5leGFtcGxl
-MA0GCSqGSIb3DQEBCwUAA4IBAQDElDlgBlVdLq9V4qvltfyW/STCCID9VeTRXMhE
-0p8MDxpHL9oz+RsRqiccgeC6DncmlwhrgC6B1uI3IjN1MTNBDkAavbeKPpW21B+/
-MK515UUyhWczVsFCMH+/nK28aZGpcfmWHoW5e+pF7oUaUI4FBGn8hitSVJte9qCP
-SQ350GOUTgTj6/tHF3l2AAzR2iwejBEEkpsBpTj7P4t/JwQHr0CL82LgftI35erv
-mO+S1wZZ7uWD4PVKmp7POBHh+POdPSFM6ms0ROEsXusOzXeKWqhA+QP/9Een+B3Q
-Qzi2BsJnKkKSRK1tyefQYImCIfzF6uYhlCajdgIFxUw0018t
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Policy Test Root CA
-        Validity
-            Not Before: Feb 28 23:52:34 2017 GMT
-            Not After : Feb 26 23:52:34 2027 GMT
-        Subject: CN=Policy Test Intermediate CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:c9:2b:9e:41:e1:bd:db:2c:15:20:25:6b:02:2f:
-                    9d:f5:10:12:22:2e:c4:93:ee:99:1c:92:50:02:d4:
-                    70:49:cc:bf:92:54:e0:04:5a:52:d8:c9:5e:74:1a:
-                    74:57:22:20:7a:8e:d8:bc:d2:02:bb:85:ec:9b:6b:
-                    80:51:d2:a4:47:6e:f6:fb:16:e2:d8:7b:58:5e:e5:
-                    22:62:68:e9:c9:f6:ff:0a:f9:ca:65:da:12:da:24:
-                    55:de:43:ef:51:54:d2:ac:db:ec:d6:13:5b:29:e1:
-                    6e:66:a1:71:f0:88:9b:23:d6:e1:79:aa:b6:76:7d:
-                    63:f6:19:63:14:5e:db:9f:28:1d:07:92:db:69:8f:
-                    fb:d5:4c:de:eb:3a:8b:df:5c:77:26:5e:f4:3f:a2:
-                    ed:19:ad:76:f0:8c:71:9c:cd:d7:c6:0c:95:6a:9b:
-                    ec:4a:e0:50:68:61:19:17:44:09:6c:93:22:03:4a:
-                    f6:e9:4c:ca:88:4d:cd:e1:a6:20:8c:a6:dc:43:f7:
-                    c3:4c:61:89:2d:db:12:74:57:00:8a:a6:e2:0e:1a:
-                    1b:93:12:f9:63:b5:01:12:07:a1:b4:4a:2a:7f:8d:
-                    c8:ab:25:fb:0a:cd:ed:18:ba:32:94:50:b9:6d:3c:
-                    f2:67:45:61:73:84:25:0d:43:86:78:b9:11:e9:51:
-                    e7:95
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Policy Constraints: 
-                Require Explicit Policy:0
-            X509v3 Certificate Policies: 
-                Policy: 1.2.3.4
-                Policy: 1.2.3.4.5
-                Policy: 1.2.3.5
-
-    Signature Algorithm: sha256WithRSAEncryption
-         67:fd:e1:e8:91:20:ed:e6:f6:b3:41:27:07:b8:cc:55:ea:90:
-         7e:cc:11:6a:e9:02:24:95:86:8d:68:72:50:a3:d5:9c:bd:34:
-         78:3b:65:73:78:5c:9a:b6:da:5f:78:01:65:ed:da:5d:fe:fb:
-         cb:ef:a4:22:75:c0:cb:3b:c8:e0:ca:91:08:4d:f4:d9:cf:73:
-         16:09:e9:cc:09:96:6f:97:a6:4f:cb:72:c9:5d:ea:3b:21:bf:
-         e2:0e:18:ac:97:51:b1:81:02:1f:f5:a6:26:25:76:2b:8c:c7:
-         2c:66:be:03:b2:de:5a:6f:c6:bb:44:9f:b2:1a:75:76:4f:bb:
-         d0:2a:67:e3:51:69:9d:1d:6f:0a:8c:f1:d9:1d:16:aa:c3:7d:
-         b8:38:fa:a1:90:2b:15:dc:81:b2:80:66:6e:b6:69:83:03:88:
-         c6:2e:03:2a:ea:9c:5e:ea:98:9c:b3:93:21:d8:f9:6d:2e:ec:
-         40:d3:bf:f5:53:69:b0:0f:4d:d9:6b:6c:ac:bc:f8:e8:12:13:
-         d1:58:16:0a:7f:13:14:31:72:69:90:d3:2f:d1:2e:d0:b2:f7:
-         14:c9:4f:0c:d8:95:21:9f:9d:b8:4d:ae:80:75:3c:92:f9:a7:
-         5a:4a:1c:6c:b2:19:a5:e6:1a:7b:a6:5d:c3:e9:a9:ae:c9:2e:
-         7a:8b:a3:6c
------BEGIN CERTIFICATE-----
-MIIDETCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDDBNQb2xp
-Y3kgVGVzdCBSb290IENBMB4XDTE3MDIyODIzNTIzNFoXDTI3MDIyNjIzNTIzNFow
-JjEkMCIGA1UEAwwbUG9saWN5IFRlc3QgSW50ZXJtZWRpYXRlIENBMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAySueQeG92ywVICVrAi+d9RASIi7Ek+6Z
-HJJQAtRwScy/klTgBFpS2MledBp0VyIgeo7YvNICu4Xsm2uAUdKkR272+xbi2HtY
-XuUiYmjpyfb/CvnKZdoS2iRV3kPvUVTSrNvs1hNbKeFuZqFx8IibI9bheaq2dn1j
-9hljFF7bnygdB5LbaY/71Uze6zqL31x3Jl70P6LtGa128IxxnM3XxgyVapvsSuBQ
-aGEZF0QJbJMiA0r26UzKiE3N4aYgjKbcQ/fDTGGJLdsSdFcAiqbiDhobkxL5Y7UB
-EgehtEoqf43IqyX7Cs3tGLoylFC5bTzyZ0Vhc4QlDUOGeLkR6VHnlQIDAQABo1Iw
-UDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAMBgNVHSQEBTADgAEA
-MB8GA1UdIAQYMBYwBQYDKgMEMAYGBCoDBAUwBQYDKgMFMA0GCSqGSIb3DQEBCwUA
-A4IBAQBn/eHokSDt5vazQScHuMxV6pB+zBFq6QIklYaNaHJQo9WcvTR4O2VzeFya
-ttpfeAFl7dpd/vvL76QidcDLO8jgypEITfTZz3MWCenMCZZvl6ZPy3LJXeo7Ib/i
-Dhisl1GxgQIf9aYmJXYrjMcsZr4Dst5ab8a7RJ+yGnV2T7vQKmfjUWmdHW8KjPHZ
-HRaqw324OPqhkCsV3IGygGZutmmDA4jGLgMq6pxe6pics5Mh2PltLuxA07/1U2mw
-D03Za2ysvPjoEhPRWBYKfxMUMXJpkNMv0S7QsvcUyU8M2JUhn524Ta6AdTyS+ada
-Shxsshml5hp7pl3D6amuyS56i6Ns
------END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 14437560522667520790 (0xc85c84cd48ccf316)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Policy Test Root CA
-        Validity
-            Not Before: Feb 28 23:52:34 2017 GMT
-            Not After : Feb 26 23:52:34 2027 GMT
-        Subject: CN=Policy Test Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:a0:e3:a7:af:b8:fa:3b:ee:47:d2:5a:ad:21:a2:
-                    71:42:4e:a6:a3:c7:82:94:b9:32:3c:6d:14:39:67:
-                    19:65:64:1f:8b:b5:c4:6d:88:12:2c:85:e2:ef:97:
-                    04:f5:9f:ee:13:65:a7:f5:86:c7:5b:20:1d:fe:47:
-                    71:a7:ab:04:69:52:0f:ea:6c:42:58:7b:89:32:49:
-                    54:14:da:d3:ad:ef:b8:7a:cc:8c:7f:16:0e:2a:b6:
-                    0e:7b:df:a5:ee:26:ff:b0:c9:6b:65:6e:15:02:b5:
-                    f4:4f:e5:6a:e1:b8:45:63:55:f9:61:0d:f6:27:cf:
-                    f3:10:ae:4a:0a:57:25:5c:de:b1:c5:8e:b2:bc:f1:
-                    b9:f2:99:c4:27:1d:53:0b:2b:7c:2a:fd:fc:73:7e:
-                    f4:ad:44:bc:8b:47:23:bd:c1:54:f3:ed:0b:ee:53:
-                    a7:9c:50:bd:32:0a:67:e2:b6:04:3e:c8:5e:da:fb:
-                    ab:7c:5c:c9:68:3c:5a:f2:c6:5e:b9:22:38:f3:10:
-                    b4:2d:e2:87:12:3a:4a:53:54:6b:92:e6:f1:eb:ba:
-                    47:b8:f1:80:3e:2c:2f:87:13:1e:dc:09:bc:a4:0c:
-                    4f:e2:df:db:53:e0:af:5d:34:b1:39:06:7f:8a:7b:
-                    12:e8:6c:01:e7:ce:d7:b7:a6:ac:3d:b7:ba:af:3f:
-                    46:93
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         6c:7f:d4:57:18:85:22:1d:87:15:45:3a:16:0d:df:06:3e:9c:
-         ed:1d:99:7b:78:75:90:5c:8f:d2:38:58:46:3e:2b:d2:69:bc:
-         ba:dd:13:7a:96:15:1f:af:3f:e0:a7:b1:3f:5c:f5:ab:af:ac:
-         65:a0:c3:e3:6b:70:25:53:57:46:3d:f6:c0:78:dc:1f:4c:d2:
-         03:42:d4:32:d0:cd:16:38:06:d1:89:1a:c4:37:2c:15:d9:6b:
-         c2:0e:8d:55:3a:a1:57:99:c7:57:18:d4:c5:13:ca:f7:25:92:
-         85:bc:5d:bb:20:8f:ee:52:8c:6e:61:aa:22:3e:37:a1:71:d9:
-         59:e3:e6:5c:de:71:f8:2a:e8:05:f5:b0:ca:40:9d:6a:24:87:
-         9f:48:69:26:65:ef:ad:6a:fd:2f:b2:38:36:f5:1a:5b:f1:5a:
-         ec:35:7a:a5:08:f7:c8:b7:78:90:e2:b9:32:24:6c:e8:cc:b0:
-         57:9e:ab:a7:06:22:c5:0e:cf:22:73:2f:dc:c7:30:eb:83:5d:
-         81:a4:00:ab:a0:01:3b:ce:7f:d9:c3:cc:28:fc:6b:74:cc:be:
-         62:d2:25:b8:a8:3b:c4:15:c4:bb:71:79:4f:df:7d:73:45:e6:
-         16:a4:41:1a:b5:3c:27:61:62:cf:86:1c:6e:d1:4b:f6:49:0a:
-         bd:3f:15:d0
------BEGIN CERTIFICATE-----
-MIIC4jCCAcqgAwIBAgIJAMhchM1IzPMWMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV
-BAMME1BvbGljeSBUZXN0IFJvb3QgQ0EwHhcNMTcwMjI4MjM1MjM0WhcNMjcwMjI2
-MjM1MjM0WjAeMRwwGgYDVQQDDBNQb2xpY3kgVGVzdCBSb290IENBMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoOOnr7j6O+5H0lqtIaJxQk6mo8eClLky
-PG0UOWcZZWQfi7XEbYgSLIXi75cE9Z/uE2Wn9YbHWyAd/kdxp6sEaVIP6mxCWHuJ
-MklUFNrTre+4esyMfxYOKrYOe9+l7ib/sMlrZW4VArX0T+Vq4bhFY1X5YQ32J8/z
-EK5KClclXN6xxY6yvPG58pnEJx1TCyt8Kv38c370rUS8i0cjvcFU8+0L7lOnnFC9
-Mgpn4rYEPshe2vurfFzJaDxa8sZeuSI48xC0LeKHEjpKU1Rrkubx67pHuPGAPiwv
-hxMe3Am8pAxP4t/bU+CvXTSxOQZ/insS6GwB587Xt6asPbe6rz9GkwIDAQABoyMw
-ITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
-AAOCAQEAbH/UVxiFIh2HFUU6Fg3fBj6c7R2Ze3h1kFyP0jhYRj4r0mm8ut0TepYV
-H68/4KexP1z1q6+sZaDD42twJVNXRj32wHjcH0zSA0LUMtDNFjgG0YkaxDcsFdlr
-wg6NVTqhV5nHVxjUxRPK9yWShbxduyCP7lKMbmGqIj43oXHZWePmXN5x+CroBfWw
-ykCdaiSHn0hpJmXvrWr9L7I4NvUaW/Fa7DV6pQj3yLd4kOK5MiRs6MywV56rpwYi
-xQ7PInMv3Mcw64NdgaQAq6ABO85/2cPMKPxrdMy+YtIluKg7xBXEu3F5T999c0Xm
-FqRBGrU8J2Fiz4YcbtFL9kkKvT8V0A==
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/intermediate_ca_cert.pem b/chromium/net/data/ssl/certificates/intermediate_ca_cert.pem
index 2c74eba1e54..911d564c67e 100644
--- a/chromium/net/data/ssl/certificates/intermediate_ca_cert.pem
+++ b/chromium/net/data/ssl/certificates/intermediate_ca_cert.pem
@@ -30,16 +30,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a0
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:64
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
-            Not Before: Dec  1 15:42:06 2021 GMT
-            Not After : Nov 29 15:42:06 2031 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Sep 30 17:20:08 2032 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Intermediate CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:9d:e9:bd:e4:3d:4a:2f:fb:c2:f9:e6:22:2a:42:
                     15:46:1c:8c:8f:47:4c:e9:c5:57:95:1f:66:70:93:
@@ -67,41 +67,44 @@ Certificate:
                 17:5C:45:F3:D0:AC:1C:10:4C:8B:43:44:20:C4:DD:93:C5:C5:19:3B
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
+            X509v3 Authority Key Identifier: 
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
     Signature Algorithm: sha256WithRSAEncryption
-         9c:b1:c1:f7:c5:82:aa:43:3e:04:32:9c:32:18:de:ec:e4:d8:
-         60:d8:83:a3:b0:9b:76:b8:e8:4e:e5:e2:45:d6:71:76:cc:f9:
-         4d:5a:18:cb:06:4f:fb:a6:22:56:f3:d2:1b:c2:64:ff:c6:1e:
-         21:da:34:a5:e3:eb:e6:98:cf:6e:2d:77:bb:e6:ac:37:24:b1:
-         12:21:8b:88:11:ef:59:cf:b0:e0:a3:b5:6d:8c:ec:f8:de:ea:
-         5e:e4:e0:ed:2f:7c:91:a1:d0:ba:69:d6:bc:24:b7:fe:7d:11:
-         9e:65:ba:25:a5:22:55:53:fd:6b:18:30:17:ec:d3:d8:69:5a:
-         51:4c:e4:27:47:13:a9:b1:8b:1b:b4:9a:f0:8f:a9:a2:91:56:
-         b4:b9:e1:ed:c0:7e:58:34:e9:a5:2d:fd:02:b3:3b:47:02:42:
-         6c:ce:c2:98:b1:45:11:06:68:3a:48:be:cc:bf:66:b0:8e:c6:
-         02:ff:b8:68:64:d8:4b:44:25:b6:c5:78:63:17:53:e6:1b:8d:
-         8d:5d:0c:54:c7:fa:01:25:e5:5d:d6:dc:52:e0:25:9d:12:0d:
-         56:01:a9:c7:d9:3e:86:74:e1:d6:de:f9:0e:60:e2:6a:0f:a9:
-         fa:4d:3a:1d:5b:b1:26:1c:a7:5f:9e:71:62:f0:2c:ad:1e:e8:
-         ec:87:20:cf
+    Signature Value:
+        25:54:8b:68:3b:3c:92:ed:1b:c7:a1:62:b3:7c:ff:7e:8c:57:
+        7c:67:5c:ea:74:9f:e8:f1:b5:c8:e4:88:0e:c9:a3:f3:28:c4:
+        05:af:8f:ad:51:32:66:ae:5d:7a:b1:77:7e:99:06:c8:30:26:
+        5a:9f:1e:34:ea:aa:3e:0a:73:a2:40:e3:8f:1a:01:96:a2:6d:
+        2f:6c:d9:36:65:98:c8:86:41:0e:ee:0d:aa:da:62:54:62:23:
+        c6:23:b0:f1:ca:35:7b:e5:4b:d1:ab:80:80:d6:00:2b:19:85:
+        9d:e0:3c:3f:13:1e:90:d2:df:c3:31:90:0f:a8:40:08:33:4e:
+        f7:a4:d0:ed:3e:a4:41:cf:e8:37:49:d1:58:e8:07:3d:4b:a1:
+        c9:fe:12:07:9a:de:e0:c8:f3:68:d6:31:5d:03:77:2f:fa:b0:
+        e6:2c:f3:80:59:d0:9b:1b:59:22:cd:7e:58:c6:cf:82:92:c3:
+        76:95:78:b2:75:c8:fa:59:9f:0e:c0:e3:6d:70:f9:82:ba:db:
+        89:89:81:b7:b9:e1:41:63:51:56:8a:5a:d2:52:c2:19:2f:d9:
+        c0:9d:19:82:59:79:f9:56:1c:25:81:4d:0a:cd:77:1b:de:85:
+        6e:51:04:08:0b:0c:33:65:52:f6:90:a8:82:25:77:a0:fa:5e:
+        9c:2a:91:66
 -----BEGIN CERTIFICATE-----
-MIIDmjCCAoKgAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzoDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIxMTIwMTE1NDIwNloXDTMxMTEyOTE1NDIwNlowazELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExHTAbBgNVBAMMFFRlc3QgSW50ZXJtZWRpYXRlIENB
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnem95D1KL/vC+eYiKkIV
-RhyMj0dM6cVXlR9mcJMi8JTDu7Vb76RvyMeJlXW6DDa/TmupNUcIQ54pauLD+wO3
-H7bhUWvtexnH+c473GXpZseDlMTRTu7tZEuB8RrqWmQYG2pOk9ATbJBgytJOtyQW
-+LIIWJ2NpzNFFTSBrS0tnGDv+SuY/nnTjSxI2xKR9C76v/UmwYIFgN1MqHC/p7wQ
-NHc520cED+1EsmVGIiCIWSgPxwyitJGloqrKBZ+Km26jy9Sk6CR1nSCBIltfdz7J
-8R6u64ozjCdbHr5tIRtCcpXjnhMDdadY1L5oEv5jjksRejTno2vdc64+GZrskYtz
-rwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQXXEXz0KwcEEyL
-Q0QgxN2TxcUZOzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAJyx
-wffFgqpDPgQynDIY3uzk2GDYg6Owm3a46E7l4kXWcXbM+U1aGMsGT/umIlbz0hvC
-ZP/GHiHaNKXj6+aYz24td7vmrDcksRIhi4gR71nPsOCjtW2M7Pje6l7k4O0vfJGh
-0Lpp1rwkt/59EZ5luiWlIlVT/WsYMBfs09hpWlFM5CdHE6mxixu0mvCPqaKRVrS5
-4e3Aflg06aUt/QKzO0cCQmzOwpixRREGaDpIvsy/ZrCOxgL/uGhk2EtEJbbFeGMX
-U+YbjY1dDFTH+gEl5V3W3FLgJZ0SDVYBqcfZPoZ04dbe+Q5g4moPqfpNOh1bsSYc
-p1+ecWLwLK0e6OyHIM8=
+MIIDvDCCAqSgAwIBAgIRALBrk5LjXI1+7Z3IllnFwmQwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMjEwMDMxNzIwMDhaFw0zMjA5MzAxNzIwMDhaMGsxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMR0wGwYDVQQDDBRUZXN0IEludGVybWVkaWF0ZSBD
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ3pveQ9Si/7wvnmIipC
+FUYcjI9HTOnFV5UfZnCTIvCUw7u1W++kb8jHiZV1ugw2v05rqTVHCEOeKWriw/sD
+tx+24VFr7XsZx/nOO9xl6WbHg5TE0U7u7WRLgfEa6lpkGBtqTpPQE2yQYMrSTrck
+FviyCFidjaczRRU0ga0tLZxg7/krmP55040sSNsSkfQu+r/1JsGCBYDdTKhwv6e8
+EDR3OdtHBA/tRLJlRiIgiFkoD8cMorSRpaKqygWfiptuo8vUpOgkdZ0ggSJbX3c+
+yfEeruuKM4wnWx6+bSEbQnKV454TA3WnWNS+aBL+Y45LEXo056Nr3XOuPhma7JGL
+c68CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUF1xF89CsHBBM
+i0NEIMTdk8XFGTswDgYDVR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFJsmC4qYqbsd
+uR8c4xpAM+2OF4irMA0GCSqGSIb3DQEBCwUAA4IBAQAlVItoOzyS7RvHoWKzfP9+
+jFd8Z1zqdJ/o8bXI5IgOyaPzKMQFr4+tUTJmrl16sXd+mQbIMCZanx406qo+CnOi
+QOOPGgGWom0vbNk2ZZjIhkEO7g2q2mJUYiPGI7DxyjV75UvRq4CA1gArGYWd4Dw/
+Ex6Q0t/DMZAPqEAIM073pNDtPqRBz+g3SdFY6Ac9S6HJ/hIHmt7gyPNo1jFdA3cv
++rDmLPOAWdCbG1kizX5Yxs+CksN2lXiydcj6WZ8OwONtcPmCutuJiYG3ueFBY1FW
+ilrSUsIZL9nAnRmCWXn5VhwlgU0KzXcb3oVuUQQICwwzZVL2kKiCJXeg+l6cKpFm
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/large_key.pem b/chromium/net/data/ssl/certificates/large_key.pem
index 422b2f32575..a5d367cb287 100644
--- a/chromium/net/data/ssl/certificates/large_key.pem
+++ b/chromium/net/data/ssl/certificates/large_key.pem
@@ -2,194 +2,195 @@ Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number:
-            50:f6:7c:d7:a6:76:ef:a7:43:4b:9c:c9:6f:45:92:e0:e9:98:8c:04
+            72:5e:0f:a7:45:eb:e6:7a:d2:0a:7d:88:4a:cb:be:44:34:11:3a:d2
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Validity
-            Not Before: Dec  1 15:42:26 2021 GMT
-            Not After : Nov 29 15:42:26 2031 GMT
+            Not Before: Oct  3 17:20:25 2022 GMT
+            Not After : Sep 30 17:20:25 2032 GMT
         Subject: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (8200 bit)
+                Public-Key: (8200 bit)
                 Modulus:
-                    00:cf:61:0f:1b:13:bb:80:dc:6d:0e:e1:fa:85:b1:
-                    ae:a2:d7:2c:bb:f0:4e:9e:03:18:3d:a9:29:80:2a:
-                    2f:eb:96:c4:1c:81:32:c8:68:d3:ef:5a:85:09:49:
-                    4d:d5:ac:ee:ba:1b:61:57:c4:d8:96:ae:a3:cd:d8:
-                    83:8e:02:2e:50:8c:64:51:67:6a:bf:df:02:9e:b8:
-                    9e:f0:e6:84:7e:12:b6:2b:89:79:9d:11:0f:fc:7d:
-                    9e:cc:36:2a:20:f8:07:62:55:9c:e9:f1:e8:7d:9f:
-                    6a:41:c6:47:6c:87:73:ea:1f:f4:e4:3b:fb:17:77:
-                    3d:3a:a4:d2:94:ff:30:54:39:95:43:63:9c:f7:cc:
-                    c9:ea:c2:61:a8:09:7d:4b:28:1e:ba:4a:9c:c9:8e:
-                    84:9e:87:37:cb:9d:f2:ba:da:fa:65:81:fa:17:ea:
-                    ca:bc:98:75:59:53:ad:87:c2:fc:76:0c:8c:50:e8:
-                    4c:9a:4e:fc:ed:2f:97:e0:5e:b8:1c:13:88:66:68:
-                    bd:b7:66:b6:2e:2e:d8:69:20:b2:0a:45:0b:9d:e0:
-                    f1:cb:b4:97:c4:4b:df:ee:dc:be:20:92:97:6c:66:
-                    30:a5:54:57:27:ab:fe:cd:60:38:16:70:3f:a5:5c:
-                    01:00:6f:e7:b4:d5:08:85:3d:b5:55:8b:a5:d2:83:
-                    15:9a:ad:5d:af:d3:43:ec:bd:78:d1:18:f8:c9:48:
-                    4b:7b:e3:ae:9c:b8:7f:b4:eb:a0:ea:a0:6a:fc:c1:
-                    11:ed:17:03:81:95:05:12:c7:f1:2c:58:45:a4:96:
-                    8d:e8:a9:5e:84:35:e6:8c:fe:82:e0:e5:a8:fc:3c:
-                    73:83:46:09:d3:0d:92:16:35:b4:0c:3f:ad:7a:cb:
-                    71:95:36:0e:22:3e:09:cc:1e:5e:e1:48:6c:4b:7f:
-                    b4:8b:84:bb:7d:8b:7d:d7:81:fe:6f:66:83:c4:ba:
-                    11:c3:59:79:91:7c:a8:af:4d:c1:f7:50:8a:3b:28:
-                    74:a7:60:e3:a0:03:9c:00:93:56:0f:3f:d5:94:eb:
-                    05:7c:d4:65:f2:ea:c7:25:b8:bc:ba:25:d8:32:96:
-                    14:a8:fc:93:fc:8c:da:9e:da:2d:5d:c4:1c:9f:84:
-                    cc:cb:d8:09:11:a0:fe:25:e4:29:2c:e6:d3:7a:ff:
-                    6b:26:1b:ac:da:86:53:49:98:ea:40:cd:e6:11:bc:
-                    94:b9:09:c0:f0:69:fb:61:11:a5:6d:b5:87:96:45:
-                    9a:41:63:97:1a:75:1e:ef:68:c4:2d:2e:b8:15:19:
-                    eb:eb:e3:a3:78:3a:6e:59:fb:07:21:49:fb:70:47:
-                    4b:0f:83:a7:4b:8c:94:d2:96:c0:97:7f:82:b9:82:
-                    ab:8c:ba:fa:c4:2e:ee:da:5f:92:c7:be:66:6d:11:
-                    78:95:e3:df:aa:0b:94:68:f8:e9:eb:1c:15:1d:a5:
-                    18:ee:55:2d:0b:0f:dd:ff:5b:c0:b9:a3:cc:8b:41:
-                    a9:a6:83:3d:a3:ed:ca:5c:67:d3:96:e9:f0:53:77:
-                    89:3c:24:03:d7:7c:93:f9:e1:f1:be:c7:34:58:79:
-                    f2:76:36:83:f4:12:1c:30:59:ac:fa:69:ca:e9:5d:
-                    f6:5c:b2:c8:93:3a:69:e4:5d:0a:a2:2b:26:c1:e2:
-                    43:cd:87:76:13:8a:c2:6e:97:d0:87:f1:f2:e0:2b:
-                    a8:75:d2:48:18:59:22:c8:b3:55:63:ce:1c:1a:21:
-                    82:70:1d:bb:26:c0:92:13:5f:1f:b4:50:8f:2c:db:
-                    c5:72:2a:52:ee:c2:be:45:81:02:6d:c2:58:e6:1d:
-                    ca:be:c3:21:2b:a5:a0:34:53:88:35:76:12:7c:5e:
-                    a8:c7:41:ba:ae:b2:d2:06:e7:22:48:04:bd:d1:9e:
-                    47:1e:fe:d3:b5:90:b6:3c:05:5f:77:e4:c8:ca:e5:
-                    31:91:93:49:3d:3e:c6:ea:8b:c4:7e:bc:d9:49:3a:
-                    84:c1:cf:cf:56:ec:c5:a2:3a:36:56:61:f7:29:be:
-                    83:16:2d:5f:c9:05:94:57:2b:71:3c:f0:2f:d5:53:
-                    bf:5f:ec:76:df:ac:12:73:5e:a8:46:8f:1c:a2:e9:
-                    d2:be:a4:02:8a:97:ea:03:f3:15:41:49:4c:04:87:
-                    5d:e7:b0:bb:11:40:8a:25:9b:d4:0c:62:51:7c:6b:
-                    73:97:e4:cb:83:b3:db:ca:ad:8e:27:ec:d8:92:2f:
-                    92:97:89:8e:c7:6a:c5:fa:fa:a1:0b:7c:03:0a:8a:
-                    17:52:6e:2c:7c:07:91:e2:28:c0:92:cd:7a:0a:c4:
-                    c9:a3:fc:b4:68:e3:fb:a5:dd:9c:a6:32:3d:b3:29:
-                    25:de:a7:03:85:06:83:dd:01:98:df:5d:9c:fc:f4:
-                    db:f9:aa:b8:c9:52:53:bf:f5:91:c2:22:64:7e:e6:
-                    b1:a3:34:ee:9d:5a:54:a7:a9:eb:ab:6d:5c:25:62:
-                    7a:72:62:9f:3a:ac:6d:4d:27:32:f6:34:57:40:dd:
-                    04:8f:0c:26:d0:c8:b3:30:51:56:d5:1e:60:c6:16:
-                    e5:85:c2:2a:ad:8b:30:f9:e1:ab:1c:4d:99:2d:80:
-                    74:d0:8a:01:7c:07:9a:cb:a0:44:00:4f:9a:ff:a7:
-                    f6:45:55:c5:b9:41:3f:f2:2c:88:ed:d2:34:a6:5e:
-                    a5:e0:4d:7d:ff:69:ec:d1:58:df:3d:27:07:66:b4:
-                    84:ba:8b:10:a3:1b:83:19:8c:7a:8c:4c:58:13:0c:
-                    9a:de:a9:12:bb:f5
+                    00:a8:42:16:8f:ad:e3:47:23:3c:83:29:5c:42:44:
+                    06:fc:2a:99:48:d5:58:0f:98:49:cf:8b:2b:9f:04:
+                    24:77:2d:7c:a9:f8:47:4a:6c:74:ce:42:5c:c5:4a:
+                    31:13:2a:a9:83:53:28:83:a7:dc:4b:f0:7b:36:31:
+                    5b:20:48:9d:33:d6:dd:af:99:da:56:d1:fe:b7:d9:
+                    84:0f:40:87:a2:c4:57:bb:24:26:43:83:df:ed:47:
+                    f6:78:e8:c9:6a:cd:e6:de:d4:e2:2d:b0:89:d4:ad:
+                    31:13:65:e2:c1:1e:e5:f2:2e:89:66:e6:37:25:24:
+                    e2:51:27:31:72:1e:5d:b8:98:7a:a3:ab:94:f7:36:
+                    fa:76:f1:fc:24:5e:04:9d:3b:6b:43:cc:71:75:20:
+                    f6:09:4e:54:2b:33:2e:c2:ce:a2:64:af:cb:c0:e6:
+                    05:4d:76:1a:31:7a:f1:4d:d4:c4:b0:ea:ca:c5:a4:
+                    3c:ff:10:4e:79:eb:bd:b2:ec:57:6d:83:57:84:30:
+                    10:87:4f:ea:29:a7:73:73:61:d9:f2:54:14:37:00:
+                    da:f6:4a:5e:06:d2:d6:6d:a5:61:9d:59:45:82:6e:
+                    0a:da:bf:91:c9:c1:af:4b:75:2a:bf:3d:af:7d:51:
+                    4d:d0:f5:2d:e7:b0:57:d1:37:0d:40:94:5a:76:7a:
+                    a9:5d:84:83:9d:34:9f:54:86:f5:4c:f3:b7:ec:69:
+                    07:d0:27:80:7a:2e:c7:af:64:37:96:6d:40:31:53:
+                    48:cd:9e:5f:cc:8e:39:42:32:29:0b:72:22:58:25:
+                    56:a9:e9:81:1c:ee:18:77:d3:d9:bc:4f:c6:4b:a9:
+                    9a:9f:20:40:07:17:71:34:a1:f1:8c:ff:ad:bd:8d:
+                    60:fc:00:7e:b4:53:b4:ac:58:5f:99:9b:e1:46:05:
+                    7a:28:b0:09:f2:58:26:88:2c:67:91:19:d5:7e:9e:
+                    c8:f0:a8:75:d5:e8:ff:23:9d:cd:0f:23:99:8f:1c:
+                    35:5e:dc:56:09:1f:71:a0:e0:32:77:e9:3b:db:99:
+                    3e:e2:05:97:38:7d:21:ad:9b:5c:40:0a:b1:36:12:
+                    d9:cc:bc:a8:03:76:ad:26:04:97:3b:7c:27:09:c4:
+                    86:93:28:c0:a8:15:ca:4b:54:10:2b:50:4d:58:5f:
+                    e1:4b:4a:04:66:4a:11:f3:ad:09:4a:07:df:7d:36:
+                    ff:0e:5d:1c:b9:6b:8d:ea:1f:b9:83:32:33:ee:1e:
+                    5c:e7:5b:1c:7e:ae:b6:cf:08:83:4b:fe:5f:1f:70:
+                    ba:56:24:b8:76:12:c5:2e:f5:d6:ef:9b:83:77:17:
+                    4c:90:63:bc:94:55:83:56:d3:94:14:5f:78:2a:37:
+                    cf:e1:8d:c1:f2:e8:fd:70:e1:75:da:8f:f9:2a:ee:
+                    6a:5f:ef:b2:2e:6f:d7:fc:a0:8e:da:59:86:74:2e:
+                    21:31:bd:dd:f2:90:c1:82:6b:1e:1c:5f:b0:13:94:
+                    da:4f:de:2e:30:75:a1:37:89:6b:52:8d:05:a1:24:
+                    65:5d:29:74:56:2e:95:98:ce:5a:cd:d8:ea:67:2f:
+                    e3:b6:fd:0e:28:5d:65:3a:ff:f7:c6:ea:67:e4:8d:
+                    5a:84:d1:01:ad:58:19:8d:63:5f:c9:03:5a:b8:c3:
+                    36:73:ab:d7:54:fc:9f:82:7c:aa:ad:0f:78:b6:1a:
+                    f2:87:6a:f8:ec:9e:84:bf:52:37:ef:d2:9f:d1:79:
+                    7f:dd:73:ad:06:28:6b:88:81:52:a6:e4:91:3e:36:
+                    39:77:be:75:32:3d:c9:c1:0d:05:b2:b2:59:73:f9:
+                    92:87:2f:29:98:57:cc:7d:bb:eb:ad:f3:50:b1:d6:
+                    82:73:54:cd:5d:a1:fa:45:73:7d:1e:59:ff:3e:a2:
+                    de:93:f9:98:db:d4:d0:68:12:1b:27:11:85:01:8e:
+                    85:bb:ef:a9:33:9d:d1:6b:4f:08:38:b3:db:39:0e:
+                    10:c1:83:d9:1b:ca:43:57:81:81:fc:c0:cb:73:5b:
+                    12:73:f7:a8:57:cb:bf:bf:f0:39:7c:21:a2:a3:47:
+                    ca:42:9e:a3:27:56:3f:7d:01:18:da:35:31:d3:9b:
+                    ca:b6:79:24:1e:6e:67:47:7c:f1:06:78:f3:ff:f6:
+                    f9:a2:18:9f:f1:ec:ac:f9:20:b7:10:f3:62:72:f7:
+                    5b:db:f4:b0:89:6b:33:e6:dd:5f:a3:1e:59:ed:fb:
+                    f9:e2:d0:4d:8f:4c:9c:99:f0:4d:d6:3c:4a:9f:a0:
+                    06:c7:31:51:b8:60:58:38:1f:a6:74:f7:b4:59:f2:
+                    89:74:42:55:d8:d9:01:f1:22:b9:e9:11:45:93:c3:
+                    5d:22:cc:a0:a0:26:a8:38:d7:fd:8d:af:4c:1d:b2:
+                    46:6d:b7:ae:c9:b4:be:77:22:28:bc:4c:e0:76:de:
+                    fe:69:9c:51:28:06:53:67:33:f0:52:64:ee:4a:b7:
+                    37:25:ce:f5:35:86:06:58:42:80:5e:65:87:78:db:
+                    ec:fb:41:40:2c:d1:c0:1f:87:5e:83:59:5d:91:fe:
+                    40:e9:1e:e5:fc:23:62:fa:cc:5c:1b:f6:85:30:e8:
+                    c6:28:0e:b8:4d:2c:c4:84:55:f8:fb:40:4d:89:46:
+                    2c:95:b6:84:c7:61:b7:a7:3b:ea:01:dd:33:cd:bc:
+                    9f:2c:3e:13:3d:b6:12:05:b2:de:bb:aa:d2:91:c4:
+                    ad:c4:69:9c:0e:34:e1:77:6a:46:d5:d1:43:3d:aa:
+                    24:07:d8:5c:57:e7
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha256WithRSAEncryption
-         43:a5:dd:87:d3:69:a9:26:dc:9b:0a:a0:9b:51:1e:eb:46:80:
-         26:7d:8a:40:9b:50:88:07:63:24:69:b1:9d:8f:ea:70:48:be:
-         03:82:7e:d8:64:c3:bc:f4:c1:49:1e:c6:a1:9e:09:9c:72:be:
-         e1:29:3c:9f:23:8f:3b:41:16:cf:4c:2c:bd:a1:12:15:76:70:
-         60:82:05:38:d7:ba:94:d1:f7:32:ed:db:4e:e7:25:43:d4:e1:
-         c9:ec:30:18:24:fc:c5:5f:1b:ae:ad:e2:87:4b:7a:6c:1b:48:
-         b6:67:a0:19:87:9c:8d:1d:c8:6f:7a:fd:c3:c7:c9:e7:2a:9f:
-         63:ea:ef:09:4b:85:ca:39:59:d9:44:6f:16:7c:f1:ed:cf:74:
-         ca:0a:90:c2:14:a3:83:f0:3b:b9:60:63:55:be:60:27:bf:40:
-         87:76:cf:23:be:3d:72:94:2d:fd:b3:d3:dd:09:c4:1c:45:83:
-         c9:93:f1:a3:35:db:b6:e3:39:5d:90:91:ec:4d:52:39:a6:b7:
-         1a:eb:cc:6a:58:c3:5b:cc:9f:b6:56:5a:df:2b:38:8d:5a:c4:
-         24:53:af:ac:5d:46:4b:1f:23:70:7c:d7:be:ee:f4:07:cf:99:
-         0d:fd:c4:cf:06:2b:3c:98:f9:72:b6:92:a6:82:b3:90:54:c1:
-         af:c3:8d:91:b9:ce:d7:c3:56:eb:a1:58:33:f0:b3:a8:38:16:
-         b2:14:5f:4b:4f:a6:64:6c:27:ea:e4:c9:20:37:3e:e7:a6:ac:
-         2d:6b:4c:9c:d7:43:d1:35:7b:fb:b6:c3:e7:7b:4b:59:e0:55:
-         eb:53:41:1d:2f:34:32:fb:41:90:52:45:30:83:02:81:c3:a2:
-         9c:78:b7:a9:8d:a8:72:1f:69:a4:a8:af:53:cf:72:e1:58:61:
-         f4:6e:b6:c9:c1:70:72:4e:e5:90:bd:fd:8b:7a:4c:be:7b:94:
-         03:5f:4b:7c:d8:1e:bd:9b:53:ba:5a:97:d2:1e:58:2e:4d:7d:
-         87:c4:fe:e4:6a:35:20:8f:fa:22:4b:6a:45:90:a2:dd:79:0c:
-         f6:86:f2:37:bc:1b:dd:4b:18:1e:3d:92:fe:56:f8:5a:8f:29:
-         5d:8a:09:a3:d9:ab:1a:01:5b:3c:61:70:0f:63:33:d7:33:7b:
-         b2:ce:5c:9c:39:98:94:8c:c2:80:90:a9:6f:91:57:b8:b2:f0:
-         6a:8a:ad:44:18:90:4d:ae:b8:3f:99:fb:c0:ca:bd:a0:36:f1:
-         3b:6d:27:bd:18:a0:f7:f0:08:20:e0:c1:f3:2d:53:07:b8:d7:
-         03:d8:29:56:c8:45:78:67:f9:d0:ed:d5:6f:97:99:c7:a7:3f:
-         98:49:62:5d:96:7f:ce:e8:f5:1d:b1:fc:41:66:12:65:b8:e4:
-         5e:3e:03:96:1b:7c:c6:47:5c:ab:e7:76:05:ab:61:e5:c3:aa:
-         28:48:f8:69:1a:d7:11:23:75:70:07:ca:c5:13:0d:a0:9e:38:
-         4a:7e:38:c9:ef:06:36:5a:cf:39:2f:b1:53:69:84:2a:b4:a8:
-         57:f1:36:54:1a:e2:e8:16:3f:3c:a3:1a:c1:70:31:5e:1d:32:
-         0e:21:44:a6:a1:4b:72:6d:d3:e8:7b:25:0f:37:7a:c5:44:32:
-         40:7c:74:84:45:7b:05:78:96:e4:ff:27:76:78:86:c7:41:11:
-         25:c4:00:75:97:be:7f:fe:a5:01:c1:cf:96:fe:f3:9c:1d:2d:
-         e4:f4:48:9b:2c:8a:95:fa:04:a2:ec:07:19:05:84:62:6d:f3:
-         ed:a7:d9:e4:e7:d4:8c:29:05:85:2e:b2:96:ab:c1:0e:ec:65:
-         bb:78:cc:06:ce:76:27:67:2c:c3:46:f3:45:98:6c:24:99:b3:
-         3b:b6:91:e4:0a:fd:78:6a:e7:6c:6d:e0:46:0e:5a:15:b6:69:
-         5c:01:cd:f7:1d:57:00:7d:68:a8:78:21:b7:4a:0c:d5:5a:07:
-         5f:cc:bb:d0:8a:7b:f4:4c:bc:4d:ed:6a:ea:1b:9e:1f:6b:3c:
-         e0:85:8b:c2:f0:7f:41:68:7c:a2:1c:59:62:72:b4:18:8a:6e:
-         1e:73:a6:a0:77:36:81:ac:f6:25:48:91:60:9c:47:ab:91:c1:
-         89:1d:a0:90:ab:79:b6:0a:c1:b0:38:76:04:7e:65:3f:47:e0:
-         45:32:55:a1:25:04:f9:e7:08:42:5c:ba:e1:60:4d:b0:4e:77:
-         98:ed:6d:34:cf:4e:d1:49:6b:e4:2d:c4:a7:7d:b6:79:8b:01:
-         35:13:1f:ae:30:29:0d:47:07:9c:b0:94:f3:22:62:86:eb:95:
-         e0:72:05:cf:7c:61:58:a2:ce:fd:75:48:db:7c:91:ed:12:01:
-         c2:ee:96:74:d0:30:2c:da:6f:ef:6f:4e:2d:7b:77:7d:b9:d3:
-         d6:39:f0:74:58:b8:45:a4:0c:56:f5:d0:4a:42:89:1f:d3:fb:
-         42:ff:5f:b2:2d:fa:74:dd:c2:4e:d7:d2:d2:b0:22:51:ec:04:
-         35:1c:1d:43:dd:1d:7c:13:19:9d:be:b3:4d:e2:97:fb:c7:a1:
-         78:ab:9a:f6:21:fd:38:89:ba:be:d3:59:ee:d9:7c:96:a8:a5:
-         49:ed:ed:f7:a4:6a:13:bb:95:04:53:31:85:95:3e:e0:23:56:
-         de:3f:73:9b:3b:5a:c0:f3:d3:60:32:b0:c1:54:23:65:a7:ab:
-         09:61:9e:52:67:cf:45:ce:4b:a6:a0:b5:b9:a2:70:4e:da
+    Signature Value:
+        a3:87:11:43:6d:15:9d:52:66:13:06:87:28:ca:53:75:8e:53:
+        2d:1d:1f:d7:95:a7:46:30:fe:e8:33:b4:72:4a:60:19:90:6b:
+        26:77:f5:11:9e:fb:1a:53:24:96:fd:93:de:ef:ec:68:5a:7a:
+        10:36:8d:5c:2d:35:5a:ea:69:30:bc:4d:3d:b2:9d:ec:c8:9c:
+        a0:c2:b5:60:b9:bc:12:aa:90:89:48:13:3e:b6:f9:7d:58:a4:
+        38:bf:21:ab:7c:ad:97:4f:27:8c:40:c9:4a:86:31:28:6c:d2:
+        f7:da:79:ee:d9:7e:34:df:54:ad:71:44:a8:35:39:94:b8:69:
+        1f:d3:30:ec:e6:96:21:76:ce:bb:1d:4c:d8:d1:f7:c8:94:89:
+        8a:cf:86:de:9e:4a:ea:22:37:91:73:ee:67:63:35:f6:23:5b:
+        3f:22:e7:43:06:9b:ce:b0:42:76:b0:fb:a4:30:ed:67:42:b3:
+        66:dd:37:4d:cd:9b:5b:22:f6:39:cd:f2:f3:c6:d9:a0:60:00:
+        b8:66:2f:bf:d6:b9:7d:d2:1e:45:06:48:cc:d4:24:7b:2d:87:
+        79:1a:a4:53:ba:6b:e2:c5:9a:d5:2a:57:58:ec:fe:a8:0c:df:
+        85:79:d7:07:f2:6e:09:f7:f5:40:92:71:b3:73:f4:ea:78:c0:
+        46:a0:e8:d2:c6:5e:d7:8a:ab:39:21:21:25:0d:fd:ea:72:cc:
+        b3:75:83:3c:cc:15:e0:7b:f9:25:77:62:ee:97:bc:a4:50:3d:
+        f3:29:8e:c4:8d:49:51:b2:e2:42:ac:a6:a9:7b:ba:f7:f8:8d:
+        c6:b1:15:9b:7f:61:50:f9:8d:61:66:25:6b:88:e5:2e:91:b3:
+        b2:2b:a7:f3:45:c5:3b:4f:65:95:f5:c2:15:a8:d2:3e:36:bb:
+        d6:70:0e:db:54:c4:d9:df:1c:03:81:79:49:b6:bd:50:00:85:
+        c3:12:4f:21:97:c9:77:25:93:bc:08:fb:98:54:60:b3:69:09:
+        8e:a9:e3:8f:3b:06:f7:65:06:24:43:98:12:ad:b6:32:5a:4b:
+        66:8a:47:c8:15:8c:ba:82:17:35:e0:99:cc:69:88:f5:42:59:
+        e0:84:e6:ac:80:96:a8:4d:2a:e6:35:62:3e:d0:b5:34:9a:68:
+        83:29:31:47:a6:53:c0:b6:db:07:d8:b2:46:a2:bd:28:79:fa:
+        a3:49:17:30:77:91:0e:9c:36:b5:44:17:6c:e9:84:9b:a8:e8:
+        19:65:94:3f:7b:dd:e1:2b:5c:2f:51:af:57:14:1f:cd:45:96:
+        0e:86:bd:07:a3:4c:d8:bc:d2:cb:68:de:6b:6d:e5:dc:15:e7:
+        47:64:11:74:27:c5:d1:41:7c:01:03:6f:bd:53:ba:57:32:ba:
+        42:85:be:a4:c6:3a:c7:37:59:ed:af:ce:ae:29:09:47:16:95:
+        12:38:ed:26:31:18:55:db:ac:ea:c9:85:10:e0:ea:d9:d7:8d:
+        31:71:bb:8c:82:4d:a9:b4:96:ba:72:42:ad:98:5d:27:7d:da:
+        9a:4d:27:69:49:26:26:55:48:fd:d5:01:39:e1:ac:31:92:b8:
+        ff:86:ed:ca:ec:57:cf:10:4b:10:c6:54:4f:6d:3f:e4:68:f1:
+        e7:94:d7:6f:cd:34:1c:55:bb:3a:b0:54:72:fc:39:41:6f:cf:
+        0f:e9:80:a7:1a:6d:51:74:33:99:f5:71:87:ff:5a:79:59:79:
+        72:fc:96:07:9c:f2:91:2e:95:8d:88:01:2c:b0:91:06:92:70:
+        05:e8:56:dd:eb:7c:80:9d:e5:ac:40:56:2b:bf:ca:88:20:76:
+        41:78:0c:27:1d:43:0f:c1:b5:53:6b:22:92:d6:73:5d:35:11:
+        1a:d3:fe:19:dc:2c:c3:ba:ae:7e:23:ae:d7:e5:43:35:fd:1b:
+        cc:02:52:aa:da:33:97:5b:e0:26:33:d9:4b:39:5d:7e:2b:c6:
+        5d:6d:af:64:90:bf:02:54:e0:bc:ff:41:c0:65:d7:7b:33:fc:
+        b5:71:8c:db:59:08:73:68:78:50:1f:85:a0:b2:01:91:6b:00:
+        e3:c1:f7:8c:df:3e:93:a6:fe:c9:4f:f5:70:22:f8:c9:03:30:
+        e1:b8:bd:42:d7:a5:bc:ca:af:09:80:ba:9a:c8:1a:9c:95:b1:
+        68:60:5c:46:76:9b:4f:c2:51:81:15:b4:a4:dd:d5:c0:4c:66:
+        40:94:d3:cd:77:10:64:a5:41:99:72:69:41:a7:e7:cd:ec:4d:
+        c9:38:24:4f:da:88:48:8c:57:b7:2c:65:e3:52:91:da:6c:34:
+        00:8e:99:91:de:e2:67:03:9a:cb:55:08:f4:2d:58:81:08:e2:
+        e8:02:9c:75:da:93:29:0b:db:82:ca:b3:20:90:06:59:e9:23:
+        fb:28:aa:ef:c0:66:4d:9e:ba:c6:76:30:b5:e1:7c:aa:79:12:
+        c4:45:a4:c7:d0:5a:5f:9f:3b:13:13:90:73:bf:10:95:d8:6f:
+        fd:7f:74:f8:c9:90:e1:20:90:96:1d:b7:be:a4:70:c3:20:8e:
+        cd:78:1d:e4:58:b8:20:4f:bc:19:7b:71:91:09:95:2a:4c:66:
+        ee:5d:b4:ae:39:66:ac:e8:ba:12:76:43:9d:a5:92:c4:f9:70:
+        20:2f:91:d7:11:d6:e3:50:e6:66:6a:20:5b:b6:7e:48:22:00:
+        52:74:0c:44:2a:e8:57:85:89:63:3b:2f:b8:29:68:e6:0f
 -----BEGIN CERTIFICATE-----
-MIIJSTCCBTACFFD2fNemdu+nQ0ucyW9FkuDpmIwEMA0GCSqGSIb3DQEBCwUAMGAx
+MIIJSTCCBTACFHJeD6dF6+Z60gp9iErLvkQ0ETrSMA0GCSqGSIb3DQEBCwUAMGAx
 CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3Vu
 dGFpbiBWaWV3MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEw
-HhcNMjExMjAxMTU0MjI2WhcNMzExMTI5MTU0MjI2WjBgMQswCQYDVQQGEwJVUzET
+HhcNMjIxMDAzMTcyMDI1WhcNMzIwOTMwMTcyMDI1WjBgMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
 A1UECgwHVGVzdCBDQTESMBAGA1UEAwwJMTI3LjAuMC4xMIIEIzANBgkqhkiG9w0B
-AQEFAAOCBBAAMIIECwKCBAIAz2EPGxO7gNxtDuH6hbGuotcsu/BOngMYPakpgCov
-65bEHIEyyGjT71qFCUlN1azuuhthV8TYlq6jzdiDjgIuUIxkUWdqv98Cnrie8OaE
-fhK2K4l5nREP/H2ezDYqIPgHYlWc6fHofZ9qQcZHbIdz6h/05Dv7F3c9OqTSlP8w
-VDmVQ2Oc98zJ6sJhqAl9SygeukqcyY6Enoc3y53yutr6ZYH6F+rKvJh1WVOth8L8
-dgyMUOhMmk787S+X4F64HBOIZmi9t2a2Li7YaSCyCkULneDxy7SXxEvf7ty+IJKX
-bGYwpVRXJ6v+zWA4FnA/pVwBAG/ntNUIhT21VYul0oMVmq1dr9ND7L140Rj4yUhL
-e+OunLh/tOug6qBq/MER7RcDgZUFEsfxLFhFpJaN6KlehDXmjP6C4OWo/Dxzg0YJ
-0w2SFjW0DD+testxlTYOIj4JzB5e4UhsS3+0i4S7fYt914H+b2aDxLoRw1l5kXyo
-r03B91CKOyh0p2DjoAOcAJNWDz/VlOsFfNRl8urHJbi8uiXYMpYUqPyT/Izantot
-XcQcn4TMy9gJEaD+JeQpLObTev9rJhus2oZTSZjqQM3mEbyUuQnA8Gn7YRGlbbWH
-lkWaQWOXGnUe72jELS64FRnr6+OjeDpuWfsHIUn7cEdLD4OnS4yU0pbAl3+CuYKr
-jLr6xC7u2l+Sx75mbRF4lePfqguUaPjp6xwVHaUY7lUtCw/d/1vAuaPMi0GppoM9
-o+3KXGfTlunwU3eJPCQD13yT+eHxvsc0WHnydjaD9BIcMFms+mnK6V32XLLIkzpp
-5F0KoismweJDzYd2E4rCbpfQh/Hy4CuoddJIGFkiyLNVY84cGiGCcB27JsCSE18f
-tFCPLNvFcipS7sK+RYECbcJY5h3KvsMhK6WgNFOINXYSfF6ox0G6rrLSBuciSAS9
-0Z5HHv7TtZC2PAVfd+TIyuUxkZNJPT7G6ovEfrzZSTqEwc/PVuzFojo2VmH3Kb6D
-Fi1fyQWUVytxPPAv1VO/X+x236wSc16oRo8counSvqQCipfqA/MVQUlMBIdd57C7
-EUCKJZvUDGJRfGtzl+TLg7Pbyq2OJ+zYki+Sl4mOx2rF+vqhC3wDCooXUm4sfAeR
-4ijAks16CsTJo/y0aOP7pd2cpjI9sykl3qcDhQaD3QGY312c/PTb+aq4yVJTv/WR
-wiJkfuaxozTunVpUp6nrq21cJWJ6cmKfOqxtTScy9jRXQN0Ejwwm0MizMFFW1R5g
-xhblhcIqrYsw+eGrHE2ZLYB00IoBfAeay6BEAE+a/6f2RVXFuUE/8iyI7dI0pl6l
-4E19/2ns0VjfPScHZrSEuosQoxuDGYx6jExYEwya3qkSu/UCAwEAATANBgkqhkiG
-9w0BAQsFAAOCBAIAQ6Xdh9NpqSbcmwqgm1Ee60aAJn2KQJtQiAdjJGmxnY/qcEi+
-A4J+2GTDvPTBSR7GoZ4JnHK+4Sk8nyOPO0EWz0wsvaESFXZwYIIFONe6lNH3Mu3b
-TuclQ9ThyewwGCT8xV8brq3ih0t6bBtItmegGYecjR3Ib3r9w8fJ5yqfY+rvCUuF
-yjlZ2URvFnzx7c90ygqQwhSjg/A7uWBjVb5gJ79Ah3bPI749cpQt/bPT3QnEHEWD
-yZPxozXbtuM5XZCR7E1SOaa3GuvMaljDW8yftlZa3ys4jVrEJFOvrF1GSx8jcHzX
-vu70B8+ZDf3EzwYrPJj5craSpoKzkFTBr8ONkbnO18NW66FYM/CzqDgWshRfS0+m
-ZGwn6uTJIDc+56asLWtMnNdD0TV7+7bD53tLWeBV61NBHS80MvtBkFJFMIMCgcOi
-nHi3qY2och9ppKivU89y4Vhh9G62ycFwck7lkL39i3pMvnuUA19LfNgevZtTulqX
-0h5YLk19h8T+5Go1II/6IktqRZCi3XkM9obyN7wb3UsYHj2S/lb4Wo8pXYoJo9mr
-GgFbPGFwD2Mz1zN7ss5cnDmYlIzCgJCpb5FXuLLwaoqtRBiQTa64P5n7wMq9oDbx
-O20nvRig9/AIIODB8y1TB7jXA9gpVshFeGf50O3Vb5eZx6c/mEliXZZ/zuj1HbH8
-QWYSZbjkXj4Dlht8xkdcq+d2Bath5cOqKEj4aRrXESN1cAfKxRMNoJ44Sn44ye8G
-NlrPOS+xU2mEKrSoV/E2VBri6BY/PKMawXAxXh0yDiFEpqFLcm3T6HslDzd6xUQy
-QHx0hEV7BXiW5P8ndniGx0ERJcQAdZe+f/6lAcHPlv7znB0t5PRImyyKlfoEouwH
-GQWEYm3z7afZ5OfUjCkFhS6ylqvBDuxlu3jMBs52J2csw0bzRZhsJJmzO7aR5Ar9
-eGrnbG3gRg5aFbZpXAHN9x1XAH1oqHght0oM1VoHX8y70Ip79Ey8Te1q6hueH2s8
-4IWLwvB/QWh8ohxZYnK0GIpuHnOmoHc2gaz2JUiRYJxHq5HBiR2gkKt5tgrBsDh2
-BH5lP0fgRTJVoSUE+ecIQly64WBNsE53mO1tNM9O0Ulr5C3Ep322eYsBNRMfrjAp
-DUcHnLCU8yJihuuV4HIFz3xhWKLO/XVI23yR7RIBwu6WdNAwLNpv729OLXt3fbnT
-1jnwdFi4RaQMVvXQSkKJH9P7Qv9fsi36dN3CTtfS0rAiUewENRwdQ90dfBMZnb6z
-TeKX+8eheKua9iH9OIm6vtNZ7tl8lqilSe3t96RqE7uVBFMxhZU+4CNW3j9zmzta
-wPPTYDKwwVQjZaerCWGeUmfPRc5LpqC1uaJwTto=
+AQEFAAOCBBAAMIIECwKCBAIAqEIWj63jRyM8gylcQkQG/CqZSNVYD5hJz4srnwQk
+dy18qfhHSmx0zkJcxUoxEyqpg1Mog6fcS/B7NjFbIEidM9bdr5naVtH+t9mED0CH
+osRXuyQmQ4Pf7Uf2eOjJas3m3tTiLbCJ1K0xE2XiwR7l8i6JZuY3JSTiUScxch5d
+uJh6o6uU9zb6dvH8JF4EnTtrQ8xxdSD2CU5UKzMuws6iZK/LwOYFTXYaMXrxTdTE
+sOrKxaQ8/xBOeeu9suxXbYNXhDAQh0/qKadzc2HZ8lQUNwDa9kpeBtLWbaVhnVlF
+gm4K2r+RycGvS3Uqvz2vfVFN0PUt57BX0TcNQJRadnqpXYSDnTSfVIb1TPO37GkH
+0CeAei7Hr2Q3lm1AMVNIzZ5fzI45QjIpC3IiWCVWqemBHO4Yd9PZvE/GS6manyBA
+BxdxNKHxjP+tvY1g/AB+tFO0rFhfmZvhRgV6KLAJ8lgmiCxnkRnVfp7I8Kh11ej/
+I53NDyOZjxw1XtxWCR9xoOAyd+k725k+4gWXOH0hrZtcQAqxNhLZzLyoA3atJgSX
+O3wnCcSGkyjAqBXKS1QQK1BNWF/hS0oEZkoR860JSgfffTb/Dl0cuWuN6h+5gzIz
+7h5c51scfq62zwiDS/5fH3C6ViS4dhLFLvXW75uDdxdMkGO8lFWDVtOUFF94KjfP
+4Y3B8uj9cOF12o/5Ku5qX++yLm/X/KCO2lmGdC4hMb3d8pDBgmseHF+wE5TaT94u
+MHWhN4lrUo0FoSRlXSl0Vi6VmM5azdjqZy/jtv0OKF1lOv/3xupn5I1ahNEBrVgZ
+jWNfyQNauMM2c6vXVPyfgnyqrQ94thryh2r47J6Ev1I379Kf0Xl/3XOtBihriIFS
+puSRPjY5d751Mj3JwQ0FsrJZc/mShy8pmFfMfbvrrfNQsdaCc1TNXaH6RXN9Hln/
+PqLek/mY29TQaBIbJxGFAY6Fu++pM53Ra08IOLPbOQ4QwYPZG8pDV4GB/MDLc1sS
+c/eoV8u/v/A5fCGio0fKQp6jJ1Y/fQEY2jUx05vKtnkkHm5nR3zxBnjz//b5ohif
+8eys+SC3EPNicvdb2/SwiWsz5t1fox5Z7fv54tBNj0ycmfBN1jxKn6AGxzFRuGBY
+OB+mdPe0WfKJdEJV2NkB8SK56RFFk8NdIsygoCaoONf9ja9MHbJGbbeuybS+dyIo
+vEzgdt7+aZxRKAZTZzPwUmTuSrc3Jc71NYYGWEKAXmWHeNvs+0FALNHAH4deg1ld
+kf5A6R7l/CNi+sxcG/aFMOjGKA64TSzEhFX4+0BNiUYslbaEx2G3pzvqAd0zzbyf
+LD4TPbYSBbLeu6rSkcStxGmcDjThd2pG1dFDPaokB9hcV+cCAwEAATANBgkqhkiG
+9w0BAQsFAAOCBAIAo4cRQ20VnVJmEwaHKMpTdY5TLR0f15WnRjD+6DO0ckpgGZBr
+Jnf1EZ77GlMklv2T3u/saFp6EDaNXC01WuppMLxNPbKd7MicoMK1YLm8EqqQiUgT
+Prb5fVikOL8hq3ytl08njEDJSoYxKGzS99p57tl+NN9UrXFEqDU5lLhpH9Mw7OaW
+IXbOux1M2NH3yJSJis+G3p5K6iI3kXPuZ2M19iNbPyLnQwabzrBCdrD7pDDtZ0Kz
+Zt03Tc2bWyL2Oc3y88bZoGAAuGYvv9a5fdIeRQZIzNQkey2HeRqkU7pr4sWa1SpX
+WOz+qAzfhXnXB/JuCff1QJJxs3P06njARqDo0sZe14qrOSEhJQ396nLMs3WDPMwV
+4Hv5JXdi7pe8pFA98ymOxI1JUbLiQqymqXu69/iNxrEVm39hUPmNYWYla4jlLpGz
+siun80XFO09llfXCFajSPja71nAO21TE2d8cA4F5Sba9UACFwxJPIZfJdyWTvAj7
+mFRgs2kJjqnjjzsG92UGJEOYEq22MlpLZopHyBWMuoIXNeCZzGmI9UJZ4ITmrICW
+qE0q5jViPtC1NJpogykxR6ZTwLbbB9iyRqK9KHn6o0kXMHeRDpw2tUQXbOmEm6jo
+GWWUP3vd4StcL1GvVxQfzUWWDoa9B6NM2LzSy2jea23l3BXnR2QRdCfF0UF8AQNv
+vVO6VzK6QoW+pMY6xzdZ7a/OrikJRxaVEjjtJjEYVdus6smFEODq2deNMXG7jIJN
+qbSWunJCrZhdJ33amk0naUkmJlVI/dUBOeGsMZK4/4btyuxXzxBLEMZUT20/5Gjx
+55TXb800HFW7OrBUcvw5QW/PD+mApxptUXQzmfVxh/9aeVl5cvyWB5zykS6VjYgB
+LLCRBpJwBehW3et8gJ3lrEBWK7/KiCB2QXgMJx1DD8G1U2siktZzXTURGtP+Gdws
+w7qufiOu1+VDNf0bzAJSqtozl1vgJjPZSzldfivGXW2vZJC/AlTgvP9BwGXXezP8
+tXGM21kIc2h4UB+FoLIBkWsA48H3jN8+k6b+yU/1cCL4yQMw4bi9QtelvMqvCYC6
+msganJWxaGBcRnabT8JRgRW0pN3VwExmQJTTzXcQZKVBmXJpQafnzexNyTgkT9qI
+SIxXtyxl41KR2mw0AI6Zkd7iZwOay1UI9C1YgQji6AKcddqTKQvbgsqzIJAGWekj
++yiq78BmTZ66xnYwteF8qnkSxEWkx9BaX587ExOQc78Qldhv/X90+MmQ4SCQlh23
+vqRwwyCOzXgd5Fi4IE+8GXtxkQmVKkxm7l20rjlmrOi6EnZDnaWSxPlwIC+R1xHW
+41DmZmogW7Z+SCIAUnQMRCroV4WJYzsvuClo5g8=
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/localhost_cert.pem b/chromium/net/data/ssl/certificates/localhost_cert.pem
index f78653ff2f0..f8d3703f939 100644
--- a/chromium/net/data/ssl/certificates/localhost_cert.pem
+++ b/chromium/net/data/ssl/certificates/localhost_cert.pem
@@ -30,16 +30,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a6
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:6a
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
-            Not Before: Dec  1 15:42:07 2021 GMT
-            Not After : Dec  1 15:42:07 2023 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Oct  2 17:20:08 2024 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=localhost
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:dd:30:d4:ed:15:ea:fb:55:27:6d:97:ac:cf:55:
                     b4:ed:97:df:9a:9f:61:bb:c8:82:49:33:f4:b1:3a:
@@ -66,48 +66,48 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 82:64:D7:FB:A9:83:29:D9:3D:A4:7B:9E:A5:2F:1C:FB:C4:34:4D:CB
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 DNS:localhost
     Signature Algorithm: sha256WithRSAEncryption
-         41:f1:a7:30:bc:d6:ed:8f:95:28:cb:73:fe:5c:b5:48:80:6a:
-         00:5c:aa:58:9a:c4:f6:b1:37:1c:3f:e5:f4:89:6a:33:53:7f:
-         4d:fd:c8:40:11:b2:f9:39:86:e1:9a:9b:ec:9c:3f:50:01:07:
-         6c:3a:9e:77:fb:ef:4f:29:b0:08:fd:4b:e5:b8:c1:ce:65:31:
-         a7:af:07:c4:2a:a3:b9:92:a9:55:4a:d5:c2:5c:01:ad:d7:aa:
-         10:09:db:d5:fe:15:28:c1:12:79:8d:ac:9e:ff:da:43:45:c1:
-         e0:2c:db:7f:0a:76:e1:de:40:2a:28:3e:d3:6e:8e:1e:a3:e0:
-         84:ca:be:44:ab:59:3a:d7:90:8b:74:2f:b5:7f:02:28:a1:d6:
-         ed:ac:d0:46:f6:16:e5:88:9e:d8:d8:8a:55:da:4d:d9:dc:7a:
-         53:c6:0c:4b:32:ed:39:2a:1b:aa:5d:1f:33:a6:11:60:00:7c:
-         4c:c1:e7:a7:bc:c3:84:70:eb:25:f7:38:3e:41:56:66:37:3c:
-         31:93:6d:79:43:07:05:ff:75:0f:84:ec:a6:e4:18:13:bc:fc:
-         ee:69:30:14:32:92:5f:c4:73:5f:56:8c:b5:1a:a7:6a:5b:e3:
-         82:30:e6:c7:04:da:cb:27:e5:33:de:c2:e2:27:58:62:00:05:
-         3d:4d:cc:84
+    Signature Value:
+        7c:c0:17:74:a4:4c:c8:0e:40:ca:d8:ae:3f:f3:f5:fb:e7:cb:
+        40:59:46:48:5f:13:a3:c7:3a:13:d9:28:77:11:14:1b:66:c0:
+        76:78:86:84:bb:ad:48:ad:ec:2f:fe:42:0e:37:0b:c9:90:16:
+        cd:23:72:e7:65:14:62:bb:04:06:a2:da:68:25:a4:47:a9:1c:
+        c3:a5:c2:2f:a5:7e:6a:8c:74:fd:34:5e:e2:ea:a3:89:48:12:
+        c0:09:96:1b:aa:0e:c1:d3:1c:a2:34:8b:74:52:00:be:e4:ee:
+        8b:d4:2d:c0:80:fe:c4:fd:57:d7:19:a8:97:6d:2b:c0:a7:51:
+        42:4f:9a:ee:81:4c:49:76:db:2b:20:fd:f0:11:96:6a:d7:f7:
+        1c:42:b8:17:a8:d4:e1:73:1e:1c:65:e5:32:5f:86:36:dd:51:
+        6e:92:53:1a:62:4a:bc:4d:92:bb:71:63:c7:00:1d:e2:72:98:
+        2d:9c:52:6d:72:16:46:8b:c6:1f:86:80:23:44:e7:cc:45:08:
+        ee:f5:d5:a2:f7:a4:91:9e:2e:3f:07:2c:87:80:db:db:8e:43:
+        00:24:d9:ad:23:ef:a1:23:33:e2:21:82:5f:db:3c:2c:64:02:
+        b6:2b:af:ad:6f:bc:2b:0d:4f:19:3c:5a:2a:96:dc:41:44:57:
+        dc:d0:5b:2c
 -----BEGIN CERTIFICATE-----
-MIID1DCCArygAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzpjANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIxMTIwMTE1NDIwN1oXDTIzMTIwMTE1NDIwN1owYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAN0w1O0V6vtVJ22XrM9VtO2X35qfYbvIgkkz
-9LE6YN+jGSBgqe459HwPjl1yNVMPPJFBPFRB8hd9FbFmrNKNUDVrHYlzv6cBBXny
-rtoilcbV1STFLbe5gpd6eRktF2vuz3sXX7GJMnFi6oEogiojmrof1NYeSBuxVvLB
-zmEiVOEfUMM+zt6ikycp+re0rdAZ6Zq+IiFxU8Wi6Hk5b3u50FfN5EH2eIsvIdsf
-22XF1SYGb541m76Rm0VUbP5r1uV5EU+dF569Kiaot8MNhu64JI7JcqIY6O1qIn4x
-lGQdkX5qsegari7hsSXJB/vBonJ+jGcmfyoTcST2OjsN3L+D4I8CAwEAAaOBhjCB
-gzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSCZNf7qYMp2T2ke56lLxz7xDRNyzAf
-BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
-BQcDAQYIKwYBBQUHAwIwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEB
-CwUAA4IBAQBB8acwvNbtj5Uoy3P+XLVIgGoAXKpYmsT2sTccP+X0iWozU39N/chA
-EbL5OYbhmpvsnD9QAQdsOp53++9PKbAI/UvluMHOZTGnrwfEKqO5kqlVStXCXAGt
-16oQCdvV/hUowRJ5jaye/9pDRcHgLNt/Cnbh3kAqKD7Tbo4eo+CEyr5Eq1k615CL
-dC+1fwIoodbtrNBG9hbliJ7Y2IpV2k3Z3HpTxgxLMu05KhuqXR8zphFgAHxMween
-vMOEcOsl9zg+QVZmNzwxk215QwcF/3UPhOym5BgTvPzuaTAUMpJfxHNfVoy1Gqdq
-W+OCMObHBNrLJ+Uz3sLiJ1hiAAU9TcyE
+MIID1TCCAr2gAwIBAgIRALBrk5LjXI1+7Z3IllnFwmowDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMjEwMDMxNzIwMDhaFw0yNDEwMDIxNzIwMDhaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdMNTtFer7VSdtl6zPVbTtl9+an2G7yIJJ
+M/SxOmDfoxkgYKnuOfR8D45dcjVTDzyRQTxUQfIXfRWxZqzSjVA1ax2Jc7+nAQV5
+8q7aIpXG1dUkxS23uYKXenkZLRdr7s97F1+xiTJxYuqBKIIqI5q6H9TWHkgbsVby
+wc5hIlThH1DDPs7eopMnKfq3tK3QGemaviIhcVPFouh5OW97udBXzeRB9niLLyHb
+H9tlxdUmBm+eNZu+kZtFVGz+a9bleRFPnReevSomqLfDDYbuuCSOyXKiGOjtaiJ+
+MZRkHZF+arHoGq4u4bElyQf7waJyfoxnJn8qE3Ek9jo7Ddy/g+CPAgMBAAGjgYYw
+gYMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUgmTX+6mDKdk9pHuepS8c+8Q0Tcsw
+HwYDVR0jBBgwFoAUmyYLipipux25HxzjGkAz7Y4XiKswHQYDVR0lBBYwFAYIKwYB
+BQUHAwEGCCsGAQUFBwMCMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0B
+AQsFAAOCAQEAfMAXdKRMyA5AytiuP/P1++fLQFlGSF8To8c6E9kodxEUG2bAdniG
+hLutSK3sL/5CDjcLyZAWzSNy52UUYrsEBqLaaCWkR6kcw6XCL6V+aox0/TRe4uqj
+iUgSwAmWG6oOwdMcojSLdFIAvuTui9QtwID+xP1X1xmol20rwKdRQk+a7oFMSXbb
+KyD98BGWatf3HEK4F6jU4XMeHGXlMl+GNt1RbpJTGmJKvE2Su3FjxwAd4nKYLZxS
+bXIWRovGH4aAI0TnzEUI7vXVovekkZ4uPwcsh4Db245DACTZrSPvoSMz4iGCX9s8
+LGQCtiuvrW+8Kw1PGTxaKpbcQURX3NBbLA==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/may_2018.pem b/chromium/net/data/ssl/certificates/may_2018.pem
index babc0cf8f46..037e004a8a6 100644
--- a/chromium/net/data/ssl/certificates/may_2018.pem
+++ b/chromium/net/data/ssl/certificates/may_2018.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:c1
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:85
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:c7:db:d4:ed:51:ec:ba:52:12:a1:ce:4b:44:c2:
-                    3d:10:09:ae:63:8d:3e:61:53:51:04:bf:df:9d:90:
-                    bc:dc:74:44:4c:30:cd:1f:83:5a:63:5b:1f:dc:c5:
-                    7e:80:86:1e:0e:f5:94:36:54:90:65:36:a4:5a:97:
-                    cb:c1:47:16:24:9c:be:01:d3:4e:11:8f:d4:97:1a:
-                    c0:93:16:80:43:00:04:f4:d0:0b:9d:58:7f:a7:c0:
-                    8c:1f:85:b2:cf:19:de:3f:80:8c:37:52:68:db:e4:
-                    67:84:0d:94:d7:cc:a1:62:16:87:7e:6e:5b:ad:c0:
-                    bf:32:b3:ac:9c:1c:0c:27:00:c1:49:c3:05:93:06:
-                    16:05:1d:dd:d8:a6:b2:33:c1:4f:73:1d:d1:43:75:
-                    1d:05:05:e1:aa:ea:3b:b0:4f:8c:d0:94:63:ef:08:
-                    da:21:bd:03:73:51:4c:53:94:0f:34:a6:dc:9b:b6:
-                    b2:87:a8:e3:3e:e9:e6:bb:59:ba:df:31:8e:49:db:
-                    cf:ea:21:37:bb:7a:c4:02:d1:40:3a:ed:90:49:9c:
-                    7b:6f:1d:bd:ab:e5:7d:93:41:1d:c7:fb:34:c2:7e:
-                    9c:92:8f:a6:cb:e1:c4:16:1f:8e:4e:c7:7e:cc:65:
-                    5b:de:78:4a:5a:80:b2:0e:21:6d:9b:35:60:e4:59:
-                    23:ab
+                    00:ea:e1:1f:7d:6f:ea:1e:9b:48:0b:ef:50:23:47:
+                    bf:7d:b7:1e:bf:0f:21:96:f7:71:50:9c:8c:85:3e:
+                    d8:c1:04:1e:77:bf:22:a1:86:98:c1:77:ce:b0:26:
+                    43:64:a5:0c:38:b5:a7:47:12:b1:15:d1:9e:c1:99:
+                    5c:bf:49:af:74:89:6f:6d:72:73:db:75:78:d6:59:
+                    26:de:56:f5:e7:bc:99:4f:3e:9e:56:57:37:fc:c8:
+                    47:19:ab:82:19:64:a8:20:50:2d:a9:1c:d3:0b:e1:
+                    0a:b9:ac:71:92:26:3a:cd:cc:e9:24:28:9c:0f:5a:
+                    3b:55:1f:4d:56:2d:70:c0:7c:f5:d2:22:42:a5:d5:
+                    2b:1c:69:a7:58:a2:13:ea:31:ef:0a:c7:83:22:19:
+                    63:bb:8a:69:0b:14:47:02:48:b1:e5:bf:86:53:57:
+                    b8:66:8a:e5:96:99:4e:c5:aa:0b:a3:13:f5:a0:d5:
+                    46:92:d4:30:ea:04:59:d2:0d:88:05:83:d4:7f:ea:
+                    2a:6c:05:3d:c7:1f:ec:d4:e8:8e:cc:6c:65:e0:53:
+                    a3:ce:60:85:ac:02:a8:e5:0d:93:22:33:f7:dc:fa:
+                    d9:56:a5:cc:3b:6d:58:ad:6d:7b:82:ff:e9:78:2b:
+                    59:37:ff:01:a2:e0:3b:0f:71:86:b6:fa:0d:b4:0b:
+                    21:2f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                9E:32:85:AA:3A:EF:9C:98:42:FF:C1:31:9A:66:80:F5:FC:A5:58:1F
+                44:18:DF:A8:01:30:8C:D7:AE:44:06:6E:FA:98:D9:7D:43:35:92:07
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         16:ec:81:71:d3:db:7b:d5:77:88:2a:34:fa:4b:b6:ea:d1:7a:
-         e9:b3:83:0d:99:9c:08:13:ff:da:f9:db:c1:5a:30:d2:9c:f1:
-         db:f6:af:9e:99:0b:fd:45:f1:ae:03:3a:6f:41:0d:c9:8b:f3:
-         cb:b0:46:15:65:73:06:6a:da:ed:b4:55:b9:aa:b0:fb:e2:03:
-         8c:09:f6:c4:76:90:43:8d:cd:d0:1b:03:50:95:b9:88:67:76:
-         26:dd:24:24:cf:1d:66:a3:5a:eb:38:2d:f3:19:42:1f:2b:66:
-         a4:75:49:94:da:92:84:91:77:aa:0a:57:66:f0:8b:3f:a9:c3:
-         aa:8e:12:25:23:52:17:27:7d:7f:39:1f:a1:db:8a:33:82:a9:
-         10:6b:d2:d3:ad:7c:e4:18:3e:d6:5b:99:76:e9:4c:35:cd:11:
-         74:0a:27:1b:f1:24:3b:46:de:de:67:3f:53:4c:cc:0e:d1:9e:
-         66:e5:97:68:92:e4:8c:7d:38:2b:c2:c0:fa:13:51:5d:69:63:
-         7f:7f:94:77:c3:7a:20:fa:97:1a:96:b9:c4:87:85:e7:95:30:
-         9b:d4:fd:30:dc:13:8a:99:fc:60:9d:f2:29:13:76:de:2c:de:
-         83:cb:40:b2:9b:7f:f6:ff:6c:c3:2f:0d:0f:30:74:a2:43:ca:
-         65:b8:c6:bf
+    Signature Value:
+        35:bd:31:e9:2f:8f:24:03:63:ac:0f:eb:42:8c:79:3e:9a:2b:
+        a0:67:c3:a2:87:11:74:61:8a:f5:d4:5f:43:b4:9d:47:ff:86:
+        f8:52:66:b0:1f:f5:55:d2:e6:ba:11:cc:ca:2d:57:9a:90:e1:
+        60:b4:3d:38:78:cf:9d:31:e2:8f:b0:b5:96:cc:2e:a4:bd:68:
+        5a:dc:48:41:f8:d7:71:9f:bc:52:84:15:d9:5c:46:70:20:d0:
+        57:d9:67:47:dd:b4:17:12:7f:0b:20:94:4b:6d:3d:66:fc:02:
+        6b:43:a4:b5:db:a7:88:6e:91:c3:66:c1:1a:e5:ec:bb:c2:13:
+        29:f1:3f:81:11:99:1a:58:88:de:b5:fc:d6:0e:c0:a6:31:df:
+        ba:e0:c0:3a:a3:1b:60:7a:c6:9c:e0:46:e4:98:a5:08:48:a8:
+        c6:83:c6:8a:3b:b9:8b:e1:2e:21:91:58:ad:8c:fc:e3:99:bb:
+        68:70:15:19:13:38:89:0b:c9:b3:03:52:65:52:68:37:64:c5:
+        fd:50:99:90:74:d4:b3:29:8a:49:a6:65:e1:fb:df:14:5b:6f:
+        eb:ac:59:f8:91:68:07:c1:ea:e3:63:31:ec:66:d5:57:bd:82:
+        34:b3:8a:75:80:f8:75:28:9e:92:33:84:d8:d8:7b:f1:85:14:
+        be:60:e6:33
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzwTANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE4MDUwMTAwMDAwMFoXDTIwMDgwMzAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMfb1O1R7LpSEqHOS0TCPRAJrmONPmFTUQS/
-352QvNx0REwwzR+DWmNbH9zFfoCGHg71lDZUkGU2pFqXy8FHFiScvgHTThGP1Jca
-wJMWgEMABPTQC51Yf6fAjB+Fss8Z3j+AjDdSaNvkZ4QNlNfMoWIWh35uW63AvzKz
-rJwcDCcAwUnDBZMGFgUd3dimsjPBT3Md0UN1HQUF4arqO7BPjNCUY+8I2iG9A3NR
-TFOUDzSm3Ju2soeo4z7p5rtZut8xjknbz+ohN7t6xALRQDrtkEmce28dvavlfZNB
-Hcf7NMJ+nJKPpsvhxBYfjk7HfsxlW954SlqAsg4hbZs1YORZI6sCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJ4yhao675yYQv/BMZpmgPX8pVgfMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQAW7IFx09t71XeIKjT6S7bq0Xrps4MNmZwIE//a+dvBWjDSnPHb9q+emQv9RfGu
-AzpvQQ3Ji/PLsEYVZXMGatrttFW5qrD74gOMCfbEdpBDjc3QGwNQlbmIZ3Ym3SQk
-zx1mo1rrOC3zGUIfK2akdUmU2pKEkXeqCldm8Is/qcOqjhIlI1IXJ31/OR+h24oz
-gqkQa9LTrXzkGD7WW5l26Uw1zRF0Cicb8SQ7Rt7eZz9TTMwO0Z5m5ZdokuSMfTgr
-wsD6E1FdaWN/f5R3w3og+pcalrnEh4XnlTCb1P0w3BOKmfxgnfIpE3beLN6Dy0Cy
-m3/2/2zDLw0PMHSiQ8pluMa/
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwoUwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xODA1MDEwMDAwMDBaFw0yMDA4MDMwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDq4R99b+oem0gL71AjR799tx6/DyGW93FQ
+nIyFPtjBBB53vyKhhpjBd86wJkNkpQw4tadHErEV0Z7BmVy/Sa90iW9tcnPbdXjW
+WSbeVvXnvJlPPp5WVzf8yEcZq4IZZKggUC2pHNML4Qq5rHGSJjrNzOkkKJwPWjtV
+H01WLXDAfPXSIkKl1SscaadYohPqMe8Kx4MiGWO7imkLFEcCSLHlv4ZTV7hmiuWW
+mU7FqgujE/Wg1UaS1DDqBFnSDYgFg9R/6ipsBT3HH+zU6I7MbGXgU6POYIWsAqjl
+DZMiM/fc+tlWpcw7bVitbXuC/+l4K1k3/wGi4DsPcYa2+g20CyEvAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBREGN+oATCM165EBm76mNl9QzWSBzAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEANb0x6S+PJANjrA/rQox5PporoGfDoocRdGGK9dRfQ7SdR/+G+FJmsB/1VdLm
+uhHMyi1XmpDhYLQ9OHjPnTHij7C1lswupL1oWtxIQfjXcZ+8UoQV2VxGcCDQV9ln
+R920FxJ/CyCUS209ZvwCa0OktduniG6Rw2bBGuXsu8ITKfE/gRGZGliI3rX81g7A
+pjHfuuDAOqMbYHrGnOBG5JilCEioxoPGiju5i+EuIZFYrYz845m7aHAVGRM4iQvJ
+swNSZVJoN2TF/VCZkHTUsymKSaZl4fvfFFtv66xZ+JFoB8Hq42Mx7GbVV72CNLOK
+dYD4dSiekjOE2Nh78YUUvmDmMw==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/name-normalization-byteequal.pem b/chromium/net/data/ssl/certificates/name-normalization-byteequal.pem
deleted file mode 100644
index 93a98b87712..00000000000
--- a/chromium/net/data/ssl/certificates/name-normalization-byteequal.pem
+++ /dev/null
@@ -1,151 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            28:f2:45:80:4b:f4:4e:7a:86:2b:0f:99:0f:c0:53:47
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN = Intermediate for byte equality comparison
-        Validity
-            Not Before: Jan  1 06:00:00 2010 GMT
-            Not After : Dec  1 06:00:00 2032 GMT
-        Subject: CN = Leaf for byte equality comparison
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:cd:12:d3:17:b3:9c:fb:b1:60:fb:1d:c9:c9:f0:
-                    dc:8f:ef:36:04:dd:a4:d8:c5:57:39:2c:e1:d6:16:
-                    48:37:13:f7:82:16:ca:db:ef:d1:c7:6e:a0:f3:bb:
-                    be:41:0e:24:b2:33:b1:b7:35:83:92:2b:09:31:4e:
-                    24:9b:2c:fd:e1:be:09:95:e1:3f:16:0f:b6:30:c1:
-                    0d:44:77:50:da:20:ff:aa:48:80:00:67:17:fe:aa:
-                    3e:4d:b6:02:e4:f5:11:b5:cc:31:2f:77:0f:44:b0:
-                    37:78:4e:ff:ec:62:64:0f:94:8a:a1:89:c3:76:9f:
-                    03:bd:d0:e2:2a:36:ec:fa:59:51:f5:57:7d:e1:95:
-                    a4:fb:a3:3c:87:9b:65:79:68:b7:91:38:fd:7a:b3:
-                    89:a9:96:85:22:f7:38:9c:60:52:be:1f:f7:8b:c1:
-                    68:d3:ea:96:1e:13:2a:04:4e:ba:33:ac:07:ea:d9:
-                    53:67:c7:b8:15:e9:1e:ca:92:4d:91:4f:d0:d8:11:
-                    34:9b:8b:f5:00:70:7b:a7:1a:43:a2:90:1a:54:5f:
-                    34:e1:79:2e:72:65:4f:66:49:fa:b9:71:6f:4b:a1:
-                    73:79:ee:80:42:18:6b:bb:a9:b9:ba:c4:16:a6:04:
-                    74:cc:60:68:6f:0e:6e:4b:01:25:9c:c3:cb:58:73:
-                    ed:f9
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Alternative Name: 
-                DNS:example.test, IP Address:127.0.0.1
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.11129.2.4.1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         99:6d:97:e3:4f:cd:01:4e:b6:f2:a1:a7:66:f8:78:1b:70:49:
-         1e:9f:72:7c:02:fa:35:b4:88:14:e1:b8:f1:71:9b:d9:3a:d9:
-         b1:ec:6a:c8:84:22:b6:9f:80:97:70:3c:08:0b:72:c8:4d:33:
-         fe:18:80:94:4b:6a:9c:9e:c8:74:d1:85:74:bf:e2:f5:fb:f6:
-         4c:50:31:9f:1a:0a:b9:16:dc:53:87:33:1e:36:c0:b1:1f:c0:
-         ec:cd:23:f6:68:87:e8:51:bd:3a:25:35:f6:5f:62:a6:de:ad:
-         fe:e6:5c:58:2e:d9:31:e4:16:58:61:5f:40:43:12:45:8d:5e:
-         17:66:e2:c6:d0:2e:ff:8b:bd:2b:12:fe:fa:2d:20:7f:12:6e:
-         cf:62:c0:f9:b4:83:34:a4:a4:9b:20:43:fc:f2:5f:57:e8:f0:
-         ba:27:6c:46:76:24:99:a8:ad:f4:44:96:f9:b3:b4:8f:69:be:
-         e9:72:4f:e4:b3:23:2a:72:32:34:8d:42:3a:85:94:9c:4d:58:
-         65:29:51:82:c9:12:d1:0a:fc:05:1d:92:89:14:3f:75:70:0f:
-         c6:74:1f:2c:0b:ea:a5:c7:54:30:20:3c:cd:6b:48:b4:c5:64:
-         70:0d:a4:4b:69:b0:50:60:2b:38:15:0e:d9:f7:d4:8a:ee:9a:
-         2d:82:84:15
------BEGIN CERTIFICATE-----
-MIIDJDCCAgygAwIBAgIQKPJFgEv0TnqGKw+ZD8BTRzANBgkqhkiG9w0BAQsFADA0
-MTIwMAYDVQQDEylJbnRlcm1lZGlhdGUgZm9yIGJ5dGUgZXF1YWxpdHkgY29tcGFy
-aXNvbjAeFw0xMDAxMDEwNjAwMDBaFw0zMjEyMDEwNjAwMDBaMCwxKjAoBgNVBAMT
-IUxlYWYgZm9yIGJ5dGUgZXF1YWxpdHkgY29tcGFyaXNvbjCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAM0S0xeznPuxYPsdycnw3I/vNgTdpNjFVzks4dYW
-SDcT94IWytvv0cduoPO7vkEOJLIzsbc1g5IrCTFOJJss/eG+CZXhPxYPtjDBDUR3
-UNog/6pIgABnF/6qPk22AuT1EbXMMS93D0SwN3hO/+xiZA+UiqGJw3afA73Q4io2
-7PpZUfVXfeGVpPujPIebZXlot5E4/XqziamWhSL3OJxgUr4f94vBaNPqlh4TKgRO
-ujOsB+rZU2fHuBXpHsqSTZFP0NgRNJuL9QBwe6caQ6KQGlRfNOF5LnJlT2ZJ+rlx
-b0uhc3nugEIYa7upubrEFqYEdMxgaG8ObksBJZzDy1hz7fkCAwEAAaM6MDgwHQYD
-VR0RBBYwFIIMZXhhbXBsZS50ZXN0hwR/AAABMBcGA1UdIAQQMA4wDAYKKwYBBAHW
-eQIEATANBgkqhkiG9w0BAQsFAAOCAQEAmW2X40/NAU628qGnZvh4G3BJHp9yfAL6
-NbSIFOG48XGb2TrZsexqyIQitp+Al3A8CAtyyE0z/hiAlEtqnJ7IdNGFdL/i9fv2
-TFAxnxoKuRbcU4czHjbAsR/A7M0j9miH6FG9OiU19l9ipt6t/uZcWC7ZMeQWWGFf
-QEMSRY1eF2bixtAu/4u9KxL++i0gfxJuz2LA+bSDNKSkmyBD/PJfV+jwuidsRnYk
-mait9ESW+bO0j2m+6XJP5LMjKnIyNI1COoWUnE1YZSlRgskS0Qr8BR2SiRQ/dXAP
-xnQfLAvqpcdUMCA8zWtItMVkcA2kS2mwUGArOBUO2ffUiu6aLYKEFQ==
------END CERTIFICATE-----
-
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            20:38:99:aa:24:b2:c2:d9:0e:15:b8:08:bf:3b:51:b8
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN = Testing CA
-        Validity
-            Not Before: Jan  1 06:00:00 2010 GMT
-            Not After : Dec  1 06:00:00 2032 GMT
-        Subject: CN = Intermediate for byte equality comparison
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:c6:61:af:cc:65:9f:88:85:5a:83:ad:e8:fb:79:
-                    2d:c1:3d:0c:f3:88:b1:7b:ec:e9:14:9c:f0:b8:55:
-                    6d:27:b1:91:01:d0:81:fb:2a:84:2d:13:a2:ac:95:
-                    d8:30:8d:dd:66:78:38:43:ec:c5:80:65:13:95:9e:
-                    b6:b3:0d:d6:9b:28:45:d9:7e:10:d0:bb:bf:65:3d:
-                    68:6d:c8:82:89:35:02:2c:c9:6f:9e:03:0b:56:71:
-                    57:25:7d:3d:65:26:73:40:80:bb:97:27:ce:e0:d3:
-                    0f:42:09:d5:82:0e:1d:66:2f:35:8f:c7:89:c0:e9:
-                    36:6d:84:f8:9a:df:1b:eb:8d:84:3f:74:e6:f3:25:
-                    87:6a:c3:5d:5c:11:69:1f:cb:29:69:67:c0:6e:df:
-                    69:45:0c:16:bb:23:14:c1:45:99:fe:90:72:5d:5e:
-                    c9:0f:2d:b6:69:8a:fa:e7:2b:ba:0c:fb:f7:79:67:
-                    c7:e8:b4:9f:21:72:f9:38:18:27:c2:7a:b7:f9:47:
-                    1c:62:bd:8d:a4:a6:c6:57:96:6e:c1:38:5c:f4:1d:
-                    73:94:49:83:58:88:f3:0d:64:97:16:19:dc:d3:80:
-                    40:8c:d7:4f:25:c3:be:19:83:3a:92:62:0c:9c:f7:
-                    10:da:67:e1:5a:c8:ce:f6:9b:c7:e4:e5:e7:f8:13:
-                    c1:ed
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.11129.2.4.1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         65:46:09:d5:20:b9:07:e7:b9:90:9e:ed:b0:15:a4:52:20:b2:
-         6d:77:7d:37:d9:01:53:70:65:d3:3a:9f:5f:14:77:46:cd:bb:
-         4d:6d:66:9f:2c:4e:84:72:1d:7d:7d:a8:c9:8c:cb:65:f5:41:
-         a7:d8:f5:1d:b8:47:f1:87:a0:2b:6d:c6:c1:b3:a2:b4:dc:fc:
-         21:1c:2d:22:39:85:23:e3:90:26:24:b2:9b:14:8b:ab:7c:5b:
-         b7:a4:78:88:13:a2:a0:dd:c6:8e:3f:3e:3f:e4:14:2a:57:1d:
-         02:5c:c0:62:a6:8a:99:b0:13:4b:28:73:db:10:93:de:af:4d:
-         9a:e3:2e:3a:c0:5a:42:7a:21:8d:96:a0:4f:ab:c5:e5:93:8f:
-         0b:9f:bf:58:b6:02:2c:84:d6:18:af:67:d0:c0:f8:d8:68:a6:
-         d3:f0:fc:5e:68:39:92:c8:54:96:ad:00:14:17:f4:ed:0c:d2:
-         a7:60:5d:c0:00:52:85:7e:3d:e3:16:34:ca:07:d3:0f:0e:5d:
-         ff:71:d5:19:1d:95:3a:0a:c0:11:5c:a2:01:6f:7a:73:89:ca:
-         a0:8b:a2:38:f5:29:34:05:88:36:e0:8b:fd:63:a5:db:42:9d:
-         f1:ae:e3:73:74:cc:39:ec:aa:8d:37:2b:bc:76:45:b4:3e:83:
-         ae:bf:d6:ce
------BEGIN CERTIFICATE-----
-MIIC/zCCAeegAwIBAgIQIDiZqiSywtkOFbgIvztRuDANBgkqhkiG9w0BAQsFADAV
-MRMwEQYDVQQDEwpUZXN0aW5nIENBMB4XDTEwMDEwMTA2MDAwMFoXDTMyMTIwMTA2
-MDAwMFowNDEyMDAGA1UEAxMpSW50ZXJtZWRpYXRlIGZvciBieXRlIGVxdWFsaXR5
-IGNvbXBhcmlzb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGYa/M
-ZZ+IhVqDrej7eS3BPQzziLF77OkUnPC4VW0nsZEB0IH7KoQtE6Ksldgwjd1meDhD
-7MWAZROVnrazDdabKEXZfhDQu79lPWhtyIKJNQIsyW+eAwtWcVclfT1lJnNAgLuX
-J87g0w9CCdWCDh1mLzWPx4nA6TZthPia3xvrjYQ/dObzJYdqw11cEWkfyylpZ8Bu
-32lFDBa7IxTBRZn+kHJdXskPLbZpivrnK7oM+/d5Z8fotJ8hcvk4GCfCerf5Rxxi
-vY2kpsZXlm7BOFz0HXOUSYNYiPMNZJcWGdzTgECM108lw74ZgzqSYgyc9xDaZ+Fa
-yM72m8fk5ef4E8HtAgMBAAGjLDAqMA8GA1UdEwEB/wQFMAMBAf8wFwYDVR0gBBAw
-DjAMBgorBgEEAdZ5AgQBMA0GCSqGSIb3DQEBCwUAA4IBAQBlRgnVILkH57mQnu2w
-FaRSILJtd3032QFTcGXTOp9fFHdGzbtNbWafLE6Ech19fajJjMtl9UGn2PUduEfx
-h6ArbcbBs6K03PwhHC0iOYUj45AmJLKbFIurfFu3pHiIE6Kg3caOPz4/5BQqVx0C
-XMBipoqZsBNLKHPbEJPer02a4y46wFpCeiGNlqBPq8Xlk48Ln79YtgIshNYYr2fQ
-wPjYaKbT8PxeaDmSyFSWrQAUF/TtDNKnYF3AAFKFfj3jFjTKB9MPDl3/cdUZHZU6
-CsARXKIBb3pzicqgi6I49Sk0BYg24Iv9Y6XbQp3xruNzdMw57KqNNyu8dkW0PoOu
-v9bO
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/name-normalization-case-folding.pem b/chromium/net/data/ssl/certificates/name-normalization-case-folding.pem
deleted file mode 100644
index 1638d25f5a3..00000000000
--- a/chromium/net/data/ssl/certificates/name-normalization-case-folding.pem
+++ /dev/null
@@ -1,151 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            dc:2e:0e:78:8f:e0:63:b8:7e:ae:78:55:50:65:99:6b
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN = intermediate for case folding comparison
-        Validity
-            Not Before: Jan  1 06:00:00 2010 GMT
-            Not After : Dec  1 06:00:00 2032 GMT
-        Subject: CN = Leaf for case folding comparison
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:cd:12:d3:17:b3:9c:fb:b1:60:fb:1d:c9:c9:f0:
-                    dc:8f:ef:36:04:dd:a4:d8:c5:57:39:2c:e1:d6:16:
-                    48:37:13:f7:82:16:ca:db:ef:d1:c7:6e:a0:f3:bb:
-                    be:41:0e:24:b2:33:b1:b7:35:83:92:2b:09:31:4e:
-                    24:9b:2c:fd:e1:be:09:95:e1:3f:16:0f:b6:30:c1:
-                    0d:44:77:50:da:20:ff:aa:48:80:00:67:17:fe:aa:
-                    3e:4d:b6:02:e4:f5:11:b5:cc:31:2f:77:0f:44:b0:
-                    37:78:4e:ff:ec:62:64:0f:94:8a:a1:89:c3:76:9f:
-                    03:bd:d0:e2:2a:36:ec:fa:59:51:f5:57:7d:e1:95:
-                    a4:fb:a3:3c:87:9b:65:79:68:b7:91:38:fd:7a:b3:
-                    89:a9:96:85:22:f7:38:9c:60:52:be:1f:f7:8b:c1:
-                    68:d3:ea:96:1e:13:2a:04:4e:ba:33:ac:07:ea:d9:
-                    53:67:c7:b8:15:e9:1e:ca:92:4d:91:4f:d0:d8:11:
-                    34:9b:8b:f5:00:70:7b:a7:1a:43:a2:90:1a:54:5f:
-                    34:e1:79:2e:72:65:4f:66:49:fa:b9:71:6f:4b:a1:
-                    73:79:ee:80:42:18:6b:bb:a9:b9:ba:c4:16:a6:04:
-                    74:cc:60:68:6f:0e:6e:4b:01:25:9c:c3:cb:58:73:
-                    ed:f9
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Alternative Name: 
-                DNS:example.test, IP Address:127.0.0.1
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.11129.2.4.1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         b1:8f:87:7d:46:ee:fa:94:ff:48:e1:25:50:a8:19:f5:bc:4d:
-         99:b3:d6:e3:b6:63:17:70:f3:b0:37:18:bb:ff:c4:2c:85:32:
-         26:b8:12:45:6e:d8:4d:a9:1b:64:ca:dc:98:8a:0a:a3:5f:a6:
-         46:18:98:a1:c1:b1:35:14:56:ff:c5:bf:0d:6d:1f:2d:15:d1:
-         d9:c4:93:fe:ee:86:e6:f3:6e:96:68:e3:25:11:b7:7d:c4:a0:
-         f3:61:4e:df:fe:e7:21:02:a4:1e:9b:4c:45:42:50:d8:52:f7:
-         56:8c:f8:3b:c7:be:33:29:23:fd:1d:1c:ea:52:87:fb:da:70:
-         9e:bc:ba:99:ca:a1:ff:59:a8:96:8b:32:f9:4c:1c:df:45:9b:
-         d2:82:d0:45:e6:08:ef:c2:ed:5b:6f:a6:c7:fe:d5:0f:12:da:
-         d3:70:60:1b:8e:08:a9:d6:09:60:bf:fe:d3:5b:f4:99:ae:d7:
-         a2:fe:6a:da:a1:e5:1d:c5:ff:63:12:cb:55:6d:cb:c8:9c:d4:
-         dc:9a:4a:49:37:df:f8:41:9c:8c:26:17:a6:02:5e:3d:10:bb:
-         0e:16:11:b0:5b:3d:81:25:1f:86:62:1d:7f:14:45:0f:23:b5:
-         ce:a1:ea:ea:83:7a:42:2b:4e:75:e8:92:54:fc:ea:3b:ce:72:
-         43:35:78:0e
------BEGIN CERTIFICATE-----
-MIIDIzCCAgugAwIBAgIRANwuDniP4GO4fq54VVBlmWswDQYJKoZIhvcNAQELBQAw
-MzExMC8GA1UEAxMoaW50ZXJtZWRpYXRlIGZvciBjYXNlIGZvbGRpbmcgY29tcGFy
-aXNvbjAeFw0xMDAxMDEwNjAwMDBaFw0zMjEyMDEwNjAwMDBaMCsxKTAnBgNVBAMT
-IExlYWYgZm9yIGNhc2UgZm9sZGluZyBjb21wYXJpc29uMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAzRLTF7Oc+7Fg+x3JyfDcj+82BN2k2MVXOSzh1hZI
-NxP3ghbK2+/Rx26g87u+QQ4ksjOxtzWDkisJMU4kmyz94b4JleE/Fg+2MMENRHdQ
-2iD/qkiAAGcX/qo+TbYC5PURtcwxL3cPRLA3eE7/7GJkD5SKoYnDdp8DvdDiKjbs
-+llR9Vd94ZWk+6M8h5tleWi3kTj9erOJqZaFIvc4nGBSvh/3i8Fo0+qWHhMqBE66
-M6wH6tlTZ8e4FekeypJNkU/Q2BE0m4v1AHB7pxpDopAaVF804XkucmVPZkn6uXFv
-S6Fzee6AQhhru6m5usQWpgR0zGBobw5uSwElnMPLWHPt+QIDAQABozowODAdBgNV
-HREEFjAUggxleGFtcGxlLnRlc3SHBH8AAAEwFwYDVR0gBBAwDjAMBgorBgEEAdZ5
-AgQBMA0GCSqGSIb3DQEBCwUAA4IBAQCxj4d9Ru76lP9I4SVQqBn1vE2Zs9bjtmMX
-cPOwNxi7/8QshTImuBJFbthNqRtkytyYigqjX6ZGGJihwbE1FFb/xb8NbR8tFdHZ
-xJP+7obm826WaOMlEbd9xKDzYU7f/uchAqQem0xFQlDYUvdWjPg7x74zKSP9HRzq
-Uof72nCevLqZyqH/WaiWizL5TBzfRZvSgtBF5gjvwu1bb6bH/tUPEtrTcGAbjgip
-1glgv/7TW/SZrtei/mraoeUdxf9jEstVbcvInNTcmkpJN9/4QZyMJhemAl49ELsO
-FhGwWz2BJR+GYh1/FEUPI7XOoerqg3pCK0516JJU/Oo7znJDNXgO
------END CERTIFICATE-----
-
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            f1:97:b5:26:2d:7a:3c:74:c4:62:c9:99:2c:53:bb:e8
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN = Testing CA
-        Validity
-            Not Before: Jan  1 06:00:00 2010 GMT
-            Not After : Dec  1 06:00:00 2032 GMT
-        Subject: CN = Intermediate for case folding comparison
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:c6:61:af:cc:65:9f:88:85:5a:83:ad:e8:fb:79:
-                    2d:c1:3d:0c:f3:88:b1:7b:ec:e9:14:9c:f0:b8:55:
-                    6d:27:b1:91:01:d0:81:fb:2a:84:2d:13:a2:ac:95:
-                    d8:30:8d:dd:66:78:38:43:ec:c5:80:65:13:95:9e:
-                    b6:b3:0d:d6:9b:28:45:d9:7e:10:d0:bb:bf:65:3d:
-                    68:6d:c8:82:89:35:02:2c:c9:6f:9e:03:0b:56:71:
-                    57:25:7d:3d:65:26:73:40:80:bb:97:27:ce:e0:d3:
-                    0f:42:09:d5:82:0e:1d:66:2f:35:8f:c7:89:c0:e9:
-                    36:6d:84:f8:9a:df:1b:eb:8d:84:3f:74:e6:f3:25:
-                    87:6a:c3:5d:5c:11:69:1f:cb:29:69:67:c0:6e:df:
-                    69:45:0c:16:bb:23:14:c1:45:99:fe:90:72:5d:5e:
-                    c9:0f:2d:b6:69:8a:fa:e7:2b:ba:0c:fb:f7:79:67:
-                    c7:e8:b4:9f:21:72:f9:38:18:27:c2:7a:b7:f9:47:
-                    1c:62:bd:8d:a4:a6:c6:57:96:6e:c1:38:5c:f4:1d:
-                    73:94:49:83:58:88:f3:0d:64:97:16:19:dc:d3:80:
-                    40:8c:d7:4f:25:c3:be:19:83:3a:92:62:0c:9c:f7:
-                    10:da:67:e1:5a:c8:ce:f6:9b:c7:e4:e5:e7:f8:13:
-                    c1:ed
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.11129.2.4.1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         af:e8:07:b9:bd:c8:3d:77:f1:be:c3:6a:03:58:8d:a7:91:6a:
-         61:79:d6:0a:dc:a0:90:7a:b5:97:77:ab:27:34:22:07:f9:1e:
-         19:dc:71:e4:6a:e3:ef:d6:e4:f3:8f:40:ef:ba:3e:81:92:7b:
-         78:03:8d:3b:59:96:f0:a7:84:46:e3:52:b8:7e:bd:8e:e8:30:
-         5a:c5:ea:22:b4:e6:25:88:f3:27:90:71:16:a9:24:d2:6f:64:
-         79:29:63:d4:aa:95:71:7b:f4:29:b0:1c:50:75:75:e1:52:fe:
-         3b:a0:54:9d:f8:cc:84:c8:46:46:e1:c4:9b:ef:c8:1e:0a:01:
-         79:99:ed:85:a4:1c:81:66:5d:db:a8:65:fa:93:9d:8d:1b:cf:
-         cf:4b:ce:d8:6e:47:84:9b:33:4f:7e:69:7c:1e:fb:38:de:cd:
-         40:1c:22:de:07:dd:06:1f:cb:3a:3c:5d:9d:f1:55:9b:a2:9c:
-         c4:3e:9f:a1:a4:06:17:dd:2c:5c:5a:93:3d:34:77:55:25:ac:
-         e6:5f:72:4f:ed:40:34:13:8c:77:a3:a1:7d:86:70:7d:ef:a0:
-         12:d3:21:0f:94:f0:1b:3e:38:8f:f4:45:4a:d7:ee:38:71:08:
-         27:1b:96:7c:da:62:c4:42:d9:a3:b4:58:79:9e:c3:0a:53:e1:
-         d6:46:30:4d
------BEGIN CERTIFICATE-----
-MIIC/zCCAeegAwIBAgIRAPGXtSYtejx0xGLJmSxTu+gwDQYJKoZIhvcNAQELBQAw
-FTETMBEGA1UEAxMKVGVzdGluZyBDQTAeFw0xMDAxMDEwNjAwMDBaFw0zMjEyMDEw
-NjAwMDBaMDMxMTAvBgNVBAMTKEludGVybWVkaWF0ZSBmb3IgY2FzZSBmb2xkaW5n
-IGNvbXBhcmlzb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGYa/M
-ZZ+IhVqDrej7eS3BPQzziLF77OkUnPC4VW0nsZEB0IH7KoQtE6Ksldgwjd1meDhD
-7MWAZROVnrazDdabKEXZfhDQu79lPWhtyIKJNQIsyW+eAwtWcVclfT1lJnNAgLuX
-J87g0w9CCdWCDh1mLzWPx4nA6TZthPia3xvrjYQ/dObzJYdqw11cEWkfyylpZ8Bu
-32lFDBa7IxTBRZn+kHJdXskPLbZpivrnK7oM+/d5Z8fotJ8hcvk4GCfCerf5Rxxi
-vY2kpsZXlm7BOFz0HXOUSYNYiPMNZJcWGdzTgECM108lw74ZgzqSYgyc9xDaZ+Fa
-yM72m8fk5ef4E8HtAgMBAAGjLDAqMA8GA1UdEwEB/wQFMAMBAf8wFwYDVR0gBBAw
-DjAMBgorBgEEAdZ5AgQBMA0GCSqGSIb3DQEBCwUAA4IBAQCv6Ae5vcg9d/G+w2oD
-WI2nkWphedYK3KCQerWXd6snNCIH+R4Z3HHkauPv1uTzj0Dvuj6Bknt4A407WZbw
-p4RG41K4fr2O6DBaxeoitOYliPMnkHEWqSTSb2R5KWPUqpVxe/QpsBxQdXXhUv47
-oFSd+MyEyEZG4cSb78geCgF5me2FpByBZl3bqGX6k52NG8/PS87YbkeEmzNPfml8
-Hvs43s1AHCLeB90GH8s6PF2d8VWbopzEPp+hpAYX3SxcWpM9NHdVJazmX3JP7UA0
-E4x3o6F9hnB976AS0yEPlPAbPjiP9EVK1+44cQgnG5Z82mLEQtmjtFh5nsMKU+HW
-RjBN
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/name-normalization-printable-utf8.pem b/chromium/net/data/ssl/certificates/name-normalization-printable-utf8.pem
deleted file mode 100644
index 8494eeec5e6..00000000000
--- a/chromium/net/data/ssl/certificates/name-normalization-printable-utf8.pem
+++ /dev/null
@@ -1,152 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            14:ea:30:c4:68:27:1a:72:5f:81:4b:9b:ef:44:e1:22
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN = Intermediate for PrintableString / Utf8String comparison
-        Validity
-            Not Before: Jan  1 06:00:00 2010 GMT
-            Not After : Dec  1 06:00:00 2032 GMT
-        Subject: CN = Leaf for PrintableString / Utf8String comparison
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:cd:12:d3:17:b3:9c:fb:b1:60:fb:1d:c9:c9:f0:
-                    dc:8f:ef:36:04:dd:a4:d8:c5:57:39:2c:e1:d6:16:
-                    48:37:13:f7:82:16:ca:db:ef:d1:c7:6e:a0:f3:bb:
-                    be:41:0e:24:b2:33:b1:b7:35:83:92:2b:09:31:4e:
-                    24:9b:2c:fd:e1:be:09:95:e1:3f:16:0f:b6:30:c1:
-                    0d:44:77:50:da:20:ff:aa:48:80:00:67:17:fe:aa:
-                    3e:4d:b6:02:e4:f5:11:b5:cc:31:2f:77:0f:44:b0:
-                    37:78:4e:ff:ec:62:64:0f:94:8a:a1:89:c3:76:9f:
-                    03:bd:d0:e2:2a:36:ec:fa:59:51:f5:57:7d:e1:95:
-                    a4:fb:a3:3c:87:9b:65:79:68:b7:91:38:fd:7a:b3:
-                    89:a9:96:85:22:f7:38:9c:60:52:be:1f:f7:8b:c1:
-                    68:d3:ea:96:1e:13:2a:04:4e:ba:33:ac:07:ea:d9:
-                    53:67:c7:b8:15:e9:1e:ca:92:4d:91:4f:d0:d8:11:
-                    34:9b:8b:f5:00:70:7b:a7:1a:43:a2:90:1a:54:5f:
-                    34:e1:79:2e:72:65:4f:66:49:fa:b9:71:6f:4b:a1:
-                    73:79:ee:80:42:18:6b:bb:a9:b9:ba:c4:16:a6:04:
-                    74:cc:60:68:6f:0e:6e:4b:01:25:9c:c3:cb:58:73:
-                    ed:f9
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Alternative Name: 
-                DNS:example.test, IP Address:127.0.0.1
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.11129.2.4.1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         41:4e:99:ea:e1:45:69:9b:59:d3:b2:5e:e3:53:51:15:76:ca:
-         ea:51:32:a8:78:ef:37:9f:8b:52:a8:1a:24:39:cf:61:ca:d3:
-         f8:5e:9c:60:77:00:94:73:90:83:ea:aa:f2:de:b8:87:2b:3f:
-         81:ad:b9:63:ab:7f:96:a1:36:d0:a6:30:f2:67:fe:b0:a6:79:
-         25:82:58:d0:0a:b4:86:0e:53:ea:8a:9f:a5:65:fd:5c:06:21:
-         30:6e:91:92:93:34:af:e1:c8:34:d2:1a:57:47:14:11:eb:ff:
-         1a:87:98:be:cd:e2:83:73:9d:54:ed:37:c6:78:e4:85:2b:5a:
-         80:3a:ba:da:a8:81:05:c1:ac:13:3a:a4:a6:aa:05:c8:af:a5:
-         ce:66:24:30:49:bb:dd:8d:d0:1e:85:53:8f:63:57:f1:2d:8b:
-         54:a8:8a:05:02:d5:17:27:9d:1e:66:5c:03:40:a9:7c:ce:85:
-         e8:28:78:63:3b:d5:ee:33:67:84:b3:d7:d3:4d:4d:99:30:7d:
-         6d:48:fb:5a:63:8f:6f:ea:e0:78:08:05:75:e2:6f:c9:86:fb:
-         05:a1:eb:a7:b0:4b:c7:7c:19:2a:27:d1:b3:30:6b:ac:3f:6e:
-         64:9c:ca:3f:dd:2e:f8:c5:f4:2c:d5:54:4a:d5:de:79:d5:86:
-         cd:29:a9:0d
------BEGIN CERTIFICATE-----
-MIIDQjCCAiqgAwIBAgIQFOowxGgnGnJfgUub70ThIjANBgkqhkiG9w0BAQsFADBD
-MUEwPwYDVQQDEzhJbnRlcm1lZGlhdGUgZm9yIFByaW50YWJsZVN0cmluZyAvIFV0
-ZjhTdHJpbmcgY29tcGFyaXNvbjAeFw0xMDAxMDEwNjAwMDBaFw0zMjEyMDEwNjAw
-MDBaMDsxOTA3BgNVBAMTMExlYWYgZm9yIFByaW50YWJsZVN0cmluZyAvIFV0ZjhT
-dHJpbmcgY29tcGFyaXNvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AM0S0xeznPuxYPsdycnw3I/vNgTdpNjFVzks4dYWSDcT94IWytvv0cduoPO7vkEO
-JLIzsbc1g5IrCTFOJJss/eG+CZXhPxYPtjDBDUR3UNog/6pIgABnF/6qPk22AuT1
-EbXMMS93D0SwN3hO/+xiZA+UiqGJw3afA73Q4io27PpZUfVXfeGVpPujPIebZXlo
-t5E4/XqziamWhSL3OJxgUr4f94vBaNPqlh4TKgROujOsB+rZU2fHuBXpHsqSTZFP
-0NgRNJuL9QBwe6caQ6KQGlRfNOF5LnJlT2ZJ+rlxb0uhc3nugEIYa7upubrEFqYE
-dMxgaG8ObksBJZzDy1hz7fkCAwEAAaM6MDgwHQYDVR0RBBYwFIIMZXhhbXBsZS50
-ZXN0hwR/AAABMBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIEATANBgkqhkiG9w0BAQsF
-AAOCAQEAQU6Z6uFFaZtZ07Je41NRFXbK6lEyqHjvN5+LUqgaJDnPYcrT+F6cYHcA
-lHOQg+qq8t64hys/ga25Y6t/lqE20KYw8mf+sKZ5JYJY0Aq0hg5T6oqfpWX9XAYh
-MG6RkpM0r+HINNIaV0cUEev/GoeYvs3ig3OdVO03xnjkhStagDq62qiBBcGsEzqk
-pqoFyK+lzmYkMEm73Y3QHoVTj2NX8S2LVKiKBQLVFyedHmZcA0CpfM6F6Ch4YzvV
-7jNnhLPX001NmTB9bUj7WmOPb+rgeAgFdeJvyYb7BaHrp7BLx3wZKifRszBrrD9u
-ZJzKP90u+MX0LNVUStXeedWGzSmpDQ==
------END CERTIFICATE-----
-
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            66:4c:a2:29:81:ef:e6:b2:63:cc:5a:c9:28:53:d4:f9
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN = Testing CA
-        Validity
-            Not Before: Jan  1 06:00:00 2010 GMT
-            Not After : Dec  1 06:00:00 2032 GMT
-        Subject: CN = Intermediate for PrintableString / Utf8String comparison
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:c6:61:af:cc:65:9f:88:85:5a:83:ad:e8:fb:79:
-                    2d:c1:3d:0c:f3:88:b1:7b:ec:e9:14:9c:f0:b8:55:
-                    6d:27:b1:91:01:d0:81:fb:2a:84:2d:13:a2:ac:95:
-                    d8:30:8d:dd:66:78:38:43:ec:c5:80:65:13:95:9e:
-                    b6:b3:0d:d6:9b:28:45:d9:7e:10:d0:bb:bf:65:3d:
-                    68:6d:c8:82:89:35:02:2c:c9:6f:9e:03:0b:56:71:
-                    57:25:7d:3d:65:26:73:40:80:bb:97:27:ce:e0:d3:
-                    0f:42:09:d5:82:0e:1d:66:2f:35:8f:c7:89:c0:e9:
-                    36:6d:84:f8:9a:df:1b:eb:8d:84:3f:74:e6:f3:25:
-                    87:6a:c3:5d:5c:11:69:1f:cb:29:69:67:c0:6e:df:
-                    69:45:0c:16:bb:23:14:c1:45:99:fe:90:72:5d:5e:
-                    c9:0f:2d:b6:69:8a:fa:e7:2b:ba:0c:fb:f7:79:67:
-                    c7:e8:b4:9f:21:72:f9:38:18:27:c2:7a:b7:f9:47:
-                    1c:62:bd:8d:a4:a6:c6:57:96:6e:c1:38:5c:f4:1d:
-                    73:94:49:83:58:88:f3:0d:64:97:16:19:dc:d3:80:
-                    40:8c:d7:4f:25:c3:be:19:83:3a:92:62:0c:9c:f7:
-                    10:da:67:e1:5a:c8:ce:f6:9b:c7:e4:e5:e7:f8:13:
-                    c1:ed
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.11129.2.4.1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         53:2a:74:9d:c5:68:71:0f:25:8c:11:4e:e6:b1:cd:74:54:9f:
-         c5:36:f0:e8:42:a6:8d:29:51:21:8f:cd:8b:52:bf:57:ba:44:
-         73:d9:36:32:33:3b:6a:35:c7:14:81:00:c1:79:27:4e:31:eb:
-         88:cc:fa:50:43:80:ca:09:4e:60:ea:e5:2c:e3:60:d5:c6:ad:
-         09:9c:0f:e1:30:7c:ce:41:3d:1d:40:69:4e:37:0d:80:d7:f3:
-         2c:8f:c6:fb:3d:2e:40:c2:6e:f4:e3:62:f2:cc:82:69:c5:20:
-         5a:fa:ef:25:ea:e9:7e:5f:d9:37:2b:b5:16:14:b9:66:10:37:
-         df:40:1d:76:ed:9a:ea:ad:4d:b0:ac:d3:5c:6d:44:72:40:62:
-         f1:aa:e6:04:89:f2:b9:fc:c1:94:5a:16:dd:26:a6:1f:dd:5e:
-         a7:3c:db:b0:4d:6d:8d:35:34:c5:16:35:60:65:b9:74:22:32:
-         fb:ba:e7:78:32:62:82:78:66:15:3d:6b:d4:99:e2:a6:52:b7:
-         c6:8a:2f:94:b9:27:ee:6e:46:b9:45:ec:09:81:9e:f8:c4:fb:
-         21:77:3a:a2:4b:38:33:3d:4f:cc:f7:2b:50:b3:fd:58:0e:80:
-         e3:8d:9d:4a:f8:0d:c0:0d:b4:98:00:26:41:94:12:12:60:75:
-         e3:8a:1e:0a
------BEGIN CERTIFICATE-----
-MIIDDjCCAfagAwIBAgIQZkyiKYHv5rJjzFrJKFPU+TANBgkqhkiG9w0BAQsFADAV
-MRMwEQYDVQQDEwpUZXN0aW5nIENBMB4XDTEwMDEwMTA2MDAwMFoXDTMyMTIwMTA2
-MDAwMFowQzFBMD8GA1UEAww4SW50ZXJtZWRpYXRlIGZvciBQcmludGFibGVTdHJp
-bmcgLyBVdGY4U3RyaW5nIGNvbXBhcmlzb24wggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQDGYa/MZZ+IhVqDrej7eS3BPQzziLF77OkUnPC4VW0nsZEB0IH7
-KoQtE6Ksldgwjd1meDhD7MWAZROVnrazDdabKEXZfhDQu79lPWhtyIKJNQIsyW+e
-AwtWcVclfT1lJnNAgLuXJ87g0w9CCdWCDh1mLzWPx4nA6TZthPia3xvrjYQ/dObz
-JYdqw11cEWkfyylpZ8Bu32lFDBa7IxTBRZn+kHJdXskPLbZpivrnK7oM+/d5Z8fo
-tJ8hcvk4GCfCerf5RxxivY2kpsZXlm7BOFz0HXOUSYNYiPMNZJcWGdzTgECM108l
-w74ZgzqSYgyc9xDaZ+FayM72m8fk5ef4E8HtAgMBAAGjLDAqMA8GA1UdEwEB/wQF
-MAMBAf8wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgQBMA0GCSqGSIb3DQEBCwUAA4IB
-AQBTKnSdxWhxDyWMEU7msc10VJ/FNvDoQqaNKVEhj82LUr9XukRz2TYyMztqNccU
-gQDBeSdOMeuIzPpQQ4DKCU5g6uUs42DVxq0JnA/hMHzOQT0dQGlONw2A1/Msj8b7
-PS5Awm7042LyzIJpxSBa+u8l6ul+X9k3K7UWFLlmEDffQB127ZrqrU2wrNNcbURy
-QGLxquYEifK5/MGUWhbdJqYf3V6nPNuwTW2NNTTFFjVgZbl0IjL7uud4MmKCeGYV
-PWvUmeKmUrfGii+UuSfubka5RewJgZ74xPshdzqiSzgzPU/M9ytQs/1YDoDjjZ1K
-+A3ADbSYACZBlBISYHXjih4K
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/name_constrained_key.pem b/chromium/net/data/ssl/certificates/name_constrained_key.pem
new file mode 100644
index 00000000000..f7a9d3732b4
--- /dev/null
+++ b/chromium/net/data/ssl/certificates/name_constrained_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCwOdQrS3Jk6jJb
+Na2O4BadbxtUobCnikBNFFHn+Lof7YXQmy0DMiHL0iOhzt9ZcuRTLFzoYUvJk3Tm
+S8h7Vdj4sIvF1k8E0MCWwY2rsFbgZilV276UQr+hzMncbzU5cfgMcOlHfpycBg8U
+i4ygVUgttEWzilGA6NH9Vi7e4cb9DJyAI4AZXJI+B7d2n9HYxAuF1V417dpADz5g
+CznwFQI+i9uzITlAwWaIsZJ6GvvpSfnOFFFppbRLCLr8MTRLYv8efWYh9HcG0LFe
+vxuhtzYIIi40tzXTEYYnFhrx+HpuAR/pza/ewtvX2sVkXhr4n1B2m4+XfWHoVE4Y
+D725dY55AgMBAAECggEAVcLu5FsFQuNOumC3JC8eEmP98wP1SrPXcyuOaMv9GIip
+dMnv7/w3wk90E8zvmUJ2p5uRY23mSiU+4MzEtnEi9HRGsXMIZZmKAFQVtBZPUUmm
+mCgm6VRKml1lZ6efSWOTicpxXN/bK3svX5pCR8z5IXT37tZDr+6eMyH8EW/jPUZU
+wA/LVpmfRkcLg8VF6J70yj60peU3234b5Z9QLkR80g9U9Sj1QQhuDRAO97zireru
+QwFixeazgXzWPTk3iol6GiDbus9T0WGeUAWYZ8XyJ1voNHRNg9dfvpLAc0UBQ5Ho
+7Au6fYWQ8cEmYFIC5X46k/fZhZNgludUlQLfMsI1AQKBgQDin873bebHXpoFGXR3
+Sn8obsieSWwHCDU2gp+K8JwPtip1PrVfA1KW/wBo938zqpBZDAOOFGGl4x08wLmm
+WnlrPOsrcehDbiGTPheBPvOS11/v6IxoOVLLUnDaQIX9j8eOGG/WM0pan8wNG9Vz
+WHQduZcBQlKoyXjjJ84avorh8QKBgQDHEaAJab8sK//lCYrCpTfbS2tYCfc9b7Nx
+m/6GCJnxqVYfal9ocGd7U7RO7okDQAMyvwSpI9ejTDF8tO4BNHCgvi6rKK3Fj/CJ
+bgw8rCP1BOKLvDK/7A7/v1KqvYHtODnCH0iTVK/R/Oq2Jws0m88uSkANm1w2t+SG
+JVk/ymBtCQKBgC0L/RTbyKrKmCz5UVhA+6Oq2b/08j83l3Q9ZL82cp8A49GoZF79
+hxYym/9Bawx3E/hPVgmQ7ZQO4AnqeTyi8U2qr0hUfQmiQ5REHGH5hGsk2pISlI5H
+DrkRqxMHDltHkDAjlV9rlJUM/H+Cj9w8seASuvxqFYotehUVHXfddjfRAoGAYUXj
+hbX+jH8Tk7+N5n8FREseMO7tuT+T17f6L1SUpNmyE7fO1yHV7xV/zfIRUV0+MtXU
+WTICdPEOXXmrszsErgdAlrJR92/WgdEcealECL5SVSWpRs76pU2//16K1nfbAVh4
+BkYjg+CqcEez2gkou93cXsnDzZkeOc6WRe2GIMECgYEApyMBng9jXOD1Qw2CpWeC
+kO/GL98UXAvQAnQB1YepWDmbW2OxpXZ5TI5wQkJxE7z7EJkIm6Vq0fcHtDNwGWBq
+2zLyUW+QdR53eGEkhHNzq0hFWVMCaDbO6UNa1OFZqN/WSBFB3z4F0XAZ1ZX+PaFm
+NqcJRJ7sL5XqgAdRqcTTFcA=
+-----END PRIVATE KEY-----
diff --git a/chromium/net/data/ssl/certificates/name_constraint_bad.pem b/chromium/net/data/ssl/certificates/name_constraint_bad.pem
deleted file mode 100644
index 0863be689c8..00000000000
--- a/chromium/net/data/ssl/certificates/name_constraint_bad.pem
+++ /dev/null
@@ -1,112 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCwOdQrS3Jk6jJb
-Na2O4BadbxtUobCnikBNFFHn+Lof7YXQmy0DMiHL0iOhzt9ZcuRTLFzoYUvJk3Tm
-S8h7Vdj4sIvF1k8E0MCWwY2rsFbgZilV276UQr+hzMncbzU5cfgMcOlHfpycBg8U
-i4ygVUgttEWzilGA6NH9Vi7e4cb9DJyAI4AZXJI+B7d2n9HYxAuF1V417dpADz5g
-CznwFQI+i9uzITlAwWaIsZJ6GvvpSfnOFFFppbRLCLr8MTRLYv8efWYh9HcG0LFe
-vxuhtzYIIi40tzXTEYYnFhrx+HpuAR/pza/ewtvX2sVkXhr4n1B2m4+XfWHoVE4Y
-D725dY55AgMBAAECggEAVcLu5FsFQuNOumC3JC8eEmP98wP1SrPXcyuOaMv9GIip
-dMnv7/w3wk90E8zvmUJ2p5uRY23mSiU+4MzEtnEi9HRGsXMIZZmKAFQVtBZPUUmm
-mCgm6VRKml1lZ6efSWOTicpxXN/bK3svX5pCR8z5IXT37tZDr+6eMyH8EW/jPUZU
-wA/LVpmfRkcLg8VF6J70yj60peU3234b5Z9QLkR80g9U9Sj1QQhuDRAO97zireru
-QwFixeazgXzWPTk3iol6GiDbus9T0WGeUAWYZ8XyJ1voNHRNg9dfvpLAc0UBQ5Ho
-7Au6fYWQ8cEmYFIC5X46k/fZhZNgludUlQLfMsI1AQKBgQDin873bebHXpoFGXR3
-Sn8obsieSWwHCDU2gp+K8JwPtip1PrVfA1KW/wBo938zqpBZDAOOFGGl4x08wLmm
-WnlrPOsrcehDbiGTPheBPvOS11/v6IxoOVLLUnDaQIX9j8eOGG/WM0pan8wNG9Vz
-WHQduZcBQlKoyXjjJ84avorh8QKBgQDHEaAJab8sK//lCYrCpTfbS2tYCfc9b7Nx
-m/6GCJnxqVYfal9ocGd7U7RO7okDQAMyvwSpI9ejTDF8tO4BNHCgvi6rKK3Fj/CJ
-bgw8rCP1BOKLvDK/7A7/v1KqvYHtODnCH0iTVK/R/Oq2Jws0m88uSkANm1w2t+SG
-JVk/ymBtCQKBgC0L/RTbyKrKmCz5UVhA+6Oq2b/08j83l3Q9ZL82cp8A49GoZF79
-hxYym/9Bawx3E/hPVgmQ7ZQO4AnqeTyi8U2qr0hUfQmiQ5REHGH5hGsk2pISlI5H
-DrkRqxMHDltHkDAjlV9rlJUM/H+Cj9w8seASuvxqFYotehUVHXfddjfRAoGAYUXj
-hbX+jH8Tk7+N5n8FREseMO7tuT+T17f6L1SUpNmyE7fO1yHV7xV/zfIRUV0+MtXU
-WTICdPEOXXmrszsErgdAlrJR92/WgdEcealECL5SVSWpRs76pU2//16K1nfbAVh4
-BkYjg+CqcEez2gkou93cXsnDzZkeOc6WRe2GIMECgYEApyMBng9jXOD1Qw2CpWeC
-kO/GL98UXAvQAnQB1YepWDmbW2OxpXZ5TI5wQkJxE7z7EJkIm6Vq0fcHtDNwGWBq
-2zLyUW+QdR53eGEkhHNzq0hFWVMCaDbO6UNa1OFZqN/WSBFB3z4F0XAZ1ZX+PaFm
-NqcJRJ7sL5XqgAdRqcTTFcA=
------END PRIVATE KEY-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            bb:38:42:57:48:dd:2b:24:78:13:e0:59:b9:a3:d7:77
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
-        Validity
-            Not Before: Jan 11 02:36:21 2022 GMT
-            Not After : Jan 11 02:36:21 2024 GMT
-        Subject: CN=Leaf certificate
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:b0:39:d4:2b:4b:72:64:ea:32:5b:35:ad:8e:e0:
-                    16:9d:6f:1b:54:a1:b0:a7:8a:40:4d:14:51:e7:f8:
-                    ba:1f:ed:85:d0:9b:2d:03:32:21:cb:d2:23:a1:ce:
-                    df:59:72:e4:53:2c:5c:e8:61:4b:c9:93:74:e6:4b:
-                    c8:7b:55:d8:f8:b0:8b:c5:d6:4f:04:d0:c0:96:c1:
-                    8d:ab:b0:56:e0:66:29:55:db:be:94:42:bf:a1:cc:
-                    c9:dc:6f:35:39:71:f8:0c:70:e9:47:7e:9c:9c:06:
-                    0f:14:8b:8c:a0:55:48:2d:b4:45:b3:8a:51:80:e8:
-                    d1:fd:56:2e:de:e1:c6:fd:0c:9c:80:23:80:19:5c:
-                    92:3e:07:b7:76:9f:d1:d8:c4:0b:85:d5:5e:35:ed:
-                    da:40:0f:3e:60:0b:39:f0:15:02:3e:8b:db:b3:21:
-                    39:40:c1:66:88:b1:92:7a:1a:fb:e9:49:f9:ce:14:
-                    51:69:a5:b4:4b:08:ba:fc:31:34:4b:62:ff:1e:7d:
-                    66:21:f4:77:06:d0:b1:5e:bf:1b:a1:b7:36:08:22:
-                    2e:34:b7:35:d3:11:86:27:16:1a:f1:f8:7a:6e:01:
-                    1f:e9:cd:af:de:c2:db:d7:da:c5:64:5e:1a:f8:9f:
-                    50:76:9b:8f:97:7d:61:e8:54:4e:18:0f:bd:b9:75:
-                    8e:79
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Subject Key Identifier: 
-                E4:C5:B8:15:7B:F4:26:F0:4D:EB:27:D8:97:34:01:10:F5:96:D2:BE
-            X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Subject Alternative Name: 
-                DNS:test.ExAmPlE.CoM, DNS:test.ExAmPlE.OrG
-    Signature Algorithm: sha256WithRSAEncryption
-         b6:d8:92:56:dd:62:58:be:cf:7f:a6:e5:b0:5e:a5:0f:15:cf:
-         44:55:be:b8:3e:43:ef:1b:0d:e4:11:1a:f6:38:5c:0d:14:a4:
-         23:0e:d6:e4:a2:f4:ef:44:7f:0b:b2:4f:f9:5f:b4:d8:a9:58:
-         20:e8:de:7a:8d:1b:74:5c:73:9b:0e:e5:fa:1c:d2:5f:99:b3:
-         e9:52:23:d3:cf:ae:49:53:d2:53:19:2f:8c:02:e8:98:4e:41:
-         f2:c4:c7:fb:c5:57:76:72:8e:db:fc:41:fe:2f:84:73:3a:da:
-         d3:83:c3:35:8a:00:a3:dd:b7:58:60:82:25:0d:fb:01:ee:e2:
-         7d:fd:e5:6a:74:31:77:24:77:9e:97:7d:ba:44:bf:6c:b4:06:
-         f7:c7:9e:d0:e1:cc:1f:5d:5a:e9:38:57:f3:a9:e3:07:b2:54:
-         9b:cd:68:eb:5c:b0:af:1a:09:25:72:da:9a:1d:03:0e:8e:c7:
-         3f:fa:c7:fe:45:55:cc:cd:5b:0c:7b:5c:7a:48:07:44:bb:e1:
-         d8:bd:6c:7a:d0:3c:af:53:0d:9d:6d:af:26:ef:3b:17:61:af:
-         2c:ff:c2:2a:95:1e:4b:5f:a1:85:7e:cc:2e:24:42:90:ad:d5:
-         a0:34:1a:cd:4f:06:09:e3:94:9c:6b:98:04:1a:54:79:c8:cf:
-         72:62:34:af
------BEGIN CERTIFICATE-----
-MIIDqTCCApGgAwIBAgIRALs4QldI3SskeBPgWbmj13cwDQYJKoZIhvcNAQELBQAw
-YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
-dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
-dCBDQTAeFw0yMjAxMTEwMjM2MjFaFw0yNDAxMTEwMjM2MjFaMBsxGTAXBgNVBAMM
-EExlYWYgY2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQCwOdQrS3Jk6jJbNa2O4BadbxtUobCnikBNFFHn+Lof7YXQmy0DMiHL0iOhzt9Z
-cuRTLFzoYUvJk3TmS8h7Vdj4sIvF1k8E0MCWwY2rsFbgZilV276UQr+hzMncbzU5
-cfgMcOlHfpycBg8Ui4ygVUgttEWzilGA6NH9Vi7e4cb9DJyAI4AZXJI+B7d2n9HY
-xAuF1V417dpADz5gCznwFQI+i9uzITlAwWaIsZJ6GvvpSfnOFFFppbRLCLr8MTRL
-Yv8efWYh9HcG0LFevxuhtzYIIi40tzXTEYYnFhrx+HpuAR/pza/ewtvX2sVkXhr4
-n1B2m4+XfWHoVE4YD725dY55AgMBAAGjgZ8wgZwwDAYDVR0TAQH/BAIwADAdBgNV
-HQ4EFgQU5MW4FXv0JvBN6yfYlzQBEPWW0r4wHwYDVR0jBBgwFoAUmyYLipipux25
-HxzjGkAz7Y4XiKswHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMC0GA1Ud
-EQQmMCSCEHRlc3QuRXhBbVBsRS5Db02CEHRlc3QuRXhBbVBsRS5PckcwDQYJKoZI
-hvcNAQELBQADggEBALbYklbdYli+z3+m5bBepQ8Vz0RVvrg+Q+8bDeQRGvY4XA0U
-pCMO1uSi9O9EfwuyT/lftNipWCDo3nqNG3Rcc5sO5foc0l+Zs+lSI9PPrklT0lMZ
-L4wC6JhOQfLEx/vFV3Zyjtv8Qf4vhHM62tODwzWKAKPdt1hggiUN+wHu4n395Wp0
-MXckd56XfbpEv2y0BvfHntDhzB9dWuk4V/Op4weyVJvNaOtcsK8aCSVy2podAw6O
-xz/6x/5FVczNWwx7XHpIB0S74di9bHrQPK9TDZ1trybvOxdhryz/wiqVHktfoYV+
-zC4kQpCt1aA0Gs1PBgnjlJxrmAQaVHnIz3JiNK8=
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/name_constraint_good.pem b/chromium/net/data/ssl/certificates/name_constraint_good.pem
deleted file mode 100644
index 9f963cb75fa..00000000000
--- a/chromium/net/data/ssl/certificates/name_constraint_good.pem
+++ /dev/null
@@ -1,113 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCwOdQrS3Jk6jJb
-Na2O4BadbxtUobCnikBNFFHn+Lof7YXQmy0DMiHL0iOhzt9ZcuRTLFzoYUvJk3Tm
-S8h7Vdj4sIvF1k8E0MCWwY2rsFbgZilV276UQr+hzMncbzU5cfgMcOlHfpycBg8U
-i4ygVUgttEWzilGA6NH9Vi7e4cb9DJyAI4AZXJI+B7d2n9HYxAuF1V417dpADz5g
-CznwFQI+i9uzITlAwWaIsZJ6GvvpSfnOFFFppbRLCLr8MTRLYv8efWYh9HcG0LFe
-vxuhtzYIIi40tzXTEYYnFhrx+HpuAR/pza/ewtvX2sVkXhr4n1B2m4+XfWHoVE4Y
-D725dY55AgMBAAECggEAVcLu5FsFQuNOumC3JC8eEmP98wP1SrPXcyuOaMv9GIip
-dMnv7/w3wk90E8zvmUJ2p5uRY23mSiU+4MzEtnEi9HRGsXMIZZmKAFQVtBZPUUmm
-mCgm6VRKml1lZ6efSWOTicpxXN/bK3svX5pCR8z5IXT37tZDr+6eMyH8EW/jPUZU
-wA/LVpmfRkcLg8VF6J70yj60peU3234b5Z9QLkR80g9U9Sj1QQhuDRAO97zireru
-QwFixeazgXzWPTk3iol6GiDbus9T0WGeUAWYZ8XyJ1voNHRNg9dfvpLAc0UBQ5Ho
-7Au6fYWQ8cEmYFIC5X46k/fZhZNgludUlQLfMsI1AQKBgQDin873bebHXpoFGXR3
-Sn8obsieSWwHCDU2gp+K8JwPtip1PrVfA1KW/wBo938zqpBZDAOOFGGl4x08wLmm
-WnlrPOsrcehDbiGTPheBPvOS11/v6IxoOVLLUnDaQIX9j8eOGG/WM0pan8wNG9Vz
-WHQduZcBQlKoyXjjJ84avorh8QKBgQDHEaAJab8sK//lCYrCpTfbS2tYCfc9b7Nx
-m/6GCJnxqVYfal9ocGd7U7RO7okDQAMyvwSpI9ejTDF8tO4BNHCgvi6rKK3Fj/CJ
-bgw8rCP1BOKLvDK/7A7/v1KqvYHtODnCH0iTVK/R/Oq2Jws0m88uSkANm1w2t+SG
-JVk/ymBtCQKBgC0L/RTbyKrKmCz5UVhA+6Oq2b/08j83l3Q9ZL82cp8A49GoZF79
-hxYym/9Bawx3E/hPVgmQ7ZQO4AnqeTyi8U2qr0hUfQmiQ5REHGH5hGsk2pISlI5H
-DrkRqxMHDltHkDAjlV9rlJUM/H+Cj9w8seASuvxqFYotehUVHXfddjfRAoGAYUXj
-hbX+jH8Tk7+N5n8FREseMO7tuT+T17f6L1SUpNmyE7fO1yHV7xV/zfIRUV0+MtXU
-WTICdPEOXXmrszsErgdAlrJR92/WgdEcealECL5SVSWpRs76pU2//16K1nfbAVh4
-BkYjg+CqcEez2gkou93cXsnDzZkeOc6WRe2GIMECgYEApyMBng9jXOD1Qw2CpWeC
-kO/GL98UXAvQAnQB1YepWDmbW2OxpXZ5TI5wQkJxE7z7EJkIm6Vq0fcHtDNwGWBq
-2zLyUW+QdR53eGEkhHNzq0hFWVMCaDbO6UNa1OFZqN/WSBFB3z4F0XAZ1ZX+PaFm
-NqcJRJ7sL5XqgAdRqcTTFcA=
------END PRIVATE KEY-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            bb:38:42:57:48:dd:2b:24:78:13:e0:59:b9:a3:d7:78
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
-        Validity
-            Not Before: Jan 11 02:36:21 2022 GMT
-            Not After : Jan 11 02:36:21 2024 GMT
-        Subject: CN=Leaf Certificate
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:b0:39:d4:2b:4b:72:64:ea:32:5b:35:ad:8e:e0:
-                    16:9d:6f:1b:54:a1:b0:a7:8a:40:4d:14:51:e7:f8:
-                    ba:1f:ed:85:d0:9b:2d:03:32:21:cb:d2:23:a1:ce:
-                    df:59:72:e4:53:2c:5c:e8:61:4b:c9:93:74:e6:4b:
-                    c8:7b:55:d8:f8:b0:8b:c5:d6:4f:04:d0:c0:96:c1:
-                    8d:ab:b0:56:e0:66:29:55:db:be:94:42:bf:a1:cc:
-                    c9:dc:6f:35:39:71:f8:0c:70:e9:47:7e:9c:9c:06:
-                    0f:14:8b:8c:a0:55:48:2d:b4:45:b3:8a:51:80:e8:
-                    d1:fd:56:2e:de:e1:c6:fd:0c:9c:80:23:80:19:5c:
-                    92:3e:07:b7:76:9f:d1:d8:c4:0b:85:d5:5e:35:ed:
-                    da:40:0f:3e:60:0b:39:f0:15:02:3e:8b:db:b3:21:
-                    39:40:c1:66:88:b1:92:7a:1a:fb:e9:49:f9:ce:14:
-                    51:69:a5:b4:4b:08:ba:fc:31:34:4b:62:ff:1e:7d:
-                    66:21:f4:77:06:d0:b1:5e:bf:1b:a1:b7:36:08:22:
-                    2e:34:b7:35:d3:11:86:27:16:1a:f1:f8:7a:6e:01:
-                    1f:e9:cd:af:de:c2:db:d7:da:c5:64:5e:1a:f8:9f:
-                    50:76:9b:8f:97:7d:61:e8:54:4e:18:0f:bd:b9:75:
-                    8e:79
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Subject Key Identifier: 
-                E4:C5:B8:15:7B:F4:26:F0:4D:EB:27:D8:97:34:01:10:F5:96:D2:BE
-            X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Subject Alternative Name: 
-                DNS:test.ExAmPlE.CoM, DNS:example.notarealtld, DNS:*.test2.ExAmPlE.CoM, DNS:*.example2.notarealtld
-    Signature Algorithm: sha256WithRSAEncryption
-         c1:2d:db:8c:4d:f6:94:83:a3:e8:a8:93:df:20:52:95:3b:0b:
-         92:7a:f7:fd:c3:5c:ff:5e:27:3b:80:a8:cb:04:b3:40:46:3a:
-         94:24:1c:40:83:2e:ba:22:02:e8:d0:8f:46:51:e1:75:14:2a:
-         5b:82:70:f0:09:03:87:34:57:6f:14:60:df:f7:78:6c:d9:a2:
-         e2:42:d7:4d:b2:03:c7:ce:ad:b2:b2:d9:da:80:13:b1:66:35:
-         11:67:11:cc:ef:da:64:50:7b:ea:8c:88:a9:9d:c4:7d:09:63:
-         25:0f:d7:1c:b6:85:70:58:70:6c:38:62:b9:63:1f:a9:10:98:
-         bc:83:a1:63:98:79:c0:51:8e:bb:fe:97:1e:3e:51:af:27:9f:
-         73:40:9c:2e:a9:3d:2f:58:10:ca:3c:0b:ce:64:b1:0e:69:5e:
-         f8:21:3e:88:cb:00:fa:89:ef:ed:64:3b:82:4e:bd:56:56:cc:
-         a2:fa:98:b1:0e:ac:c7:61:84:32:a2:c8:98:a3:a4:c4:07:60:
-         b9:54:d4:04:3c:08:a4:27:53:6e:12:c4:67:cd:2f:ef:3a:59:
-         30:d6:e1:60:43:f8:7b:d4:3c:f1:85:f2:2e:c1:ac:a5:86:69:
-         16:70:60:92:fb:d7:5d:de:84:fe:e6:51:84:86:23:4c:d0:0f:
-         13:12:5b:e9
------BEGIN CERTIFICATE-----
-MIID2TCCAsGgAwIBAgIRALs4QldI3SskeBPgWbmj13gwDQYJKoZIhvcNAQELBQAw
-YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
-dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
-dCBDQTAeFw0yMjAxMTEwMjM2MjFaFw0yNDAxMTEwMjM2MjFaMBsxGTAXBgNVBAMM
-EExlYWYgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQCwOdQrS3Jk6jJbNa2O4BadbxtUobCnikBNFFHn+Lof7YXQmy0DMiHL0iOhzt9Z
-cuRTLFzoYUvJk3TmS8h7Vdj4sIvF1k8E0MCWwY2rsFbgZilV276UQr+hzMncbzU5
-cfgMcOlHfpycBg8Ui4ygVUgttEWzilGA6NH9Vi7e4cb9DJyAI4AZXJI+B7d2n9HY
-xAuF1V417dpADz5gCznwFQI+i9uzITlAwWaIsZJ6GvvpSfnOFFFppbRLCLr8MTRL
-Yv8efWYh9HcG0LFevxuhtzYIIi40tzXTEYYnFhrx+HpuAR/pza/ewtvX2sVkXhr4
-n1B2m4+XfWHoVE4YD725dY55AgMBAAGjgc8wgcwwDAYDVR0TAQH/BAIwADAdBgNV
-HQ4EFgQU5MW4FXv0JvBN6yfYlzQBEPWW0r4wHwYDVR0jBBgwFoAUmyYLipipux25
-HxzjGkAz7Y4XiKswHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMF0GA1Ud
-EQRWMFSCEHRlc3QuRXhBbVBsRS5Db02CE2V4YW1wbGUubm90YXJlYWx0bGSCEyou
-dGVzdDIuRXhBbVBsRS5Db02CFiouZXhhbXBsZTIubm90YXJlYWx0bGQwDQYJKoZI
-hvcNAQELBQADggEBAMEt24xN9pSDo+iok98gUpU7C5J69/3DXP9eJzuAqMsEs0BG
-OpQkHECDLroiAujQj0ZR4XUUKluCcPAJA4c0V28UYN/3eGzZouJC102yA8fOrbKy
-2dqAE7FmNRFnEczv2mRQe+qMiKmdxH0JYyUP1xy2hXBYcGw4YrljH6kQmLyDoWOY
-ecBRjrv+lx4+Ua8nn3NAnC6pPS9YEMo8C85ksQ5pXvghPojLAPqJ7+1kO4JOvVZW
-zKL6mLEOrMdhhDKiyJijpMQHYLlU1AQ8CKQnU24SxGfNL+86WTDW4WBD+HvUPPGF
-8i7BrKWGaRZwYJL7113ehP7mUYSGI0zQDxMSW+k=
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/ocsp-test-root.pem b/chromium/net/data/ssl/certificates/ocsp-test-root.pem
deleted file mode 100644
index ba84f41e083..00000000000
--- a/chromium/net/data/ssl/certificates/ocsp-test-root.pem
+++ /dev/null
@@ -1,73 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Testing CA
-        Validity
-            Not Before: Jan  1 06:00:00 2010 GMT
-            Not After : Dec  1 06:00:00 2032 GMT
-        Subject: CN=Testing CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:c1:54:1f:ac:63:d3:b9:69:aa:23:1a:02:cb:2e:
-                    0d:9e:e7:b2:67:24:f1:36:c1:21:b2:c2:8b:da:e5:
-                    ca:a8:77:33:cc:40:7a:d8:38:42:ef:20:ec:67:d9:
-                    41:b4:48:a1:ce:35:57:cf:5d:de:bf:3c:9b:de:8f:
-                    36:f2:53:ee:73:e6:70:d1:c4:c6:63:1d:1d:dc:0e:
-                    39:cb:de:09:b8:33:f6:63:47:ea:37:9c:3f:a8:91:
-                    d6:1a:0c:a0:05:b3:8b:0b:2c:ad:10:58:e3:58:9c:
-                    9f:30:60:0b:e8:1e:4f:f4:ac:22:09:72:c1:7b:74:
-                    f9:2f:03:d7:2b:49:6f:64:35:43:d0:b2:7a:52:27:
-                    f1:ef:ee:13:c1:38:88:8b:23:cb:10:18:77:b3:b4:
-                    dc:09:1f:0b:3b:b6:fc:3c:79:21:87:b0:5a:b3:8e:
-                    97:86:2f:8a:f6:15:6b:cb:fb:b8:24:38:51:32:c6:
-                    74:1e:6c:65:cf:cd:5f:13:14:24:21:a2:10:b9:51:
-                    85:88:4c:48:66:f3:ea:64:4d:fb:80:06:13:3d:14:
-                    e7:2a:47:04:f3:e7:00:cf:82:7c:a5:ff:d2:ef:74:
-                    c2:ab:6a:52:59:ff:ff:40:f0:f7:f6:07:89:13:88:
-                    f9:17:fc:9f:c9:e6:57:42:df:1b:fa:0b:32:21:40:
-                    bb:65
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:1
-            X509v3 Certificate Policies: 
-                Policy: 1.3.6.1.4.1.11129.2.4.1
-
-    Signature Algorithm: sha256WithRSAEncryption
-         33:6b:be:80:32:a8:05:66:6f:27:4f:04:17:cb:46:ac:87:e0:
-         35:ed:da:fb:8c:56:69:d2:76:75:a7:3b:16:22:11:ec:c6:98:
-         d4:8d:88:ed:64:d5:91:41:c1:54:ac:77:e2:47:ad:3d:b8:95:
-         ac:7d:92:f5:35:c9:00:d6:ff:f3:c1:bb:78:a3:7d:93:82:68:
-         85:25:79:08:86:5c:73:06:7d:5e:0c:8f:38:18:6f:1a:6f:1c:
-         eb:c4:50:2e:88:5e:66:02:b0:81:30:71:98:0a:96:bc:27:7c:
-         94:37:31:55:38:84:e8:06:4e:53:93:59:83:ed:0b:0b:d3:b0:
-         13:9b:35:12:dd:22:cf:a2:7c:c4:22:5a:6c:cf:06:53:3c:5d:
-         e5:f8:7b:96:9c:0e:34:db:7a:67:0d:e2:cc:d4:dc:47:20:98:
-         20:34:2e:f0:48:44:8e:05:e8:d5:a9:68:82:65:d9:69:cb:c8:
-         c5:03:c8:aa:b8:be:3a:51:24:e6:64:37:00:02:fb:9d:b9:76:
-         e0:eb:24:51:38:3c:a4:76:2e:1e:77:9c:94:08:26:fe:a6:71:
-         36:50:91:7d:66:9b:0d:32:ce:a5:b1:70:60:a8:1c:00:a6:6b:
-         74:e0:4b:03:87:af:2b:d2:a2:92:fe:b7:6e:be:66:54:2f:3f:
-         6c:a0:c2:a6
------BEGIN CERTIFICATE-----
-MIIC1DCCAbygAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwpUZXN0
-aW5nIENBMB4XDTEwMDEwMTA2MDAwMFoXDTMyMTIwMTA2MDAwMFowFTETMBEGA1UE
-AxMKVGVzdGluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFU
-H6xj07lpqiMaAssuDZ7nsmck8TbBIbLCi9rlyqh3M8xAetg4Qu8g7GfZQbRIoc41
-V89d3r88m96PNvJT7nPmcNHExmMdHdwOOcveCbgz9mNH6jecP6iR1hoMoAWziwss
-rRBY41icnzBgC+geT/SsIglywXt0+S8D1ytJb2Q1Q9CyelIn8e/uE8E4iIsjyxAY
-d7O03AkfCzu2/Dx5IYewWrOOl4YvivYVa8v7uCQ4UTLGdB5sZc/NXxMUJCGiELlR
-hYhMSGbz6mRN+4AGEz0U5ypHBPPnAM+CfKX/0u90wqtqUln//0Dw9/YHiROI+Rf8
-n8nmV0LfG/oLMiFAu2UCAwEAAaMvMC0wEgYDVR0TAQH/BAgwBgEB/wIBATAXBgNV
-HSAEEDAOMAwGCisGAQQB1nkCBAEwDQYJKoZIhvcNAQELBQADggEBADNrvoAyqAVm
-bydPBBfLRqyH4DXt2vuMVmnSdnWnOxYiEezGmNSNiO1k1ZFBwVSsd+JHrT24lax9
-kvU1yQDW//PBu3ijfZOCaIUleQiGXHMGfV4MjzgYbxpvHOvEUC6IXmYCsIEwcZgK
-lrwnfJQ3MVU4hOgGTlOTWYPtCwvTsBObNRLdIs+ifMQiWmzPBlM8XeX4e5acDjTb
-emcN4szU3EcgmCA0LvBIRI4F6NWpaIJl2WnLyMUDyKq4vjpRJOZkNwAC+525duDr
-JFE4PKR2Lh53nJQIJv6mcTZQkX1mmw0yzqWxcGCoHACma3TgSwOHryvSopL+t26+
-ZlQvP2ygwqY=
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/ok_cert.pem b/chromium/net/data/ssl/certificates/ok_cert.pem
index 957c21529ff..15a299a0f53 100644
--- a/chromium/net/data/ssl/certificates/ok_cert.pem
+++ b/chromium/net/data/ssl/certificates/ok_cert.pem
@@ -30,16 +30,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a2
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:66
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
-            Not Before: Dec  1 15:42:07 2021 GMT
-            Not After : Dec  1 15:42:07 2023 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Oct  2 17:20:08 2024 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:e0:53:f4:f3:98:c1:14:33:02:c8:a4:6d:fe:aa:
                     2a:f7:94:3d:a6:6f:00:df:3b:de:4c:9f:a3:ea:07:
@@ -66,48 +66,48 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 E2:E0:A4:73:95:9B:E9:6E:FD:CE:29:C4:6F:07:81:0B:96:BD:47:BA
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         5c:47:01:d2:67:0a:75:33:06:bf:1b:06:23:52:1f:04:23:bf:
-         ce:41:1f:11:01:23:54:d7:4f:b8:c8:00:8d:30:d6:b6:9e:33:
-         94:9f:eb:3c:e4:33:10:2c:11:21:03:88:7e:1a:58:20:16:75:
-         a2:8b:f9:9b:72:cd:31:ee:15:30:73:1a:0d:7f:a1:e7:b8:51:
-         98:ce:34:c1:fe:0a:69:18:a1:51:58:b6:91:25:b8:81:7c:ff:
-         7b:d7:df:36:b7:40:29:63:fa:a4:12:62:c6:1d:96:93:d8:3f:
-         50:f9:49:ea:fc:90:3f:6f:71:90:a7:44:fb:f8:ca:a6:a1:80:
-         61:15:82:8c:b9:de:10:6f:b7:f7:3a:74:bd:4f:bf:25:14:59:
-         3d:c4:4e:0f:d8:0f:6f:75:2d:86:46:b8:0a:3b:76:79:6b:d8:
-         b1:06:f5:a7:38:26:60:4a:42:21:80:66:ef:97:90:5b:29:ba:
-         e1:90:60:a9:25:b2:5b:0f:06:df:c8:d4:1e:e6:74:0f:6f:cf:
-         b8:53:a1:bc:ef:79:d1:27:54:e7:1b:e8:bb:34:67:a5:a5:42:
-         e1:3c:77:08:66:2f:a4:6c:a2:9a:f0:f6:37:92:b0:c1:86:cc:
-         b8:86:b5:92:7d:16:00:dd:10:1a:a6:59:ce:be:07:85:cc:1b:
-         cf:14:96:da
+    Signature Value:
+        77:ef:82:85:f1:18:e6:5a:a4:fc:19:da:1a:f4:44:fc:83:03:
+        99:0f:76:fa:40:9d:cf:91:9d:08:df:19:20:54:4e:a9:33:a5:
+        49:5e:7f:3a:8f:6d:4a:73:bd:0f:98:83:b4:61:43:63:7c:87:
+        2b:3a:59:f8:2e:22:3b:7b:39:00:83:0d:90:87:ea:06:78:59:
+        73:37:d5:02:fe:94:af:f7:31:13:c6:44:21:72:dd:e8:69:34:
+        ab:83:ee:ac:58:ee:22:fa:aa:64:bc:65:31:e9:d1:4a:ec:e5:
+        7d:6e:b9:1f:0f:5a:50:14:cc:d2:c5:32:fd:ba:74:dc:2d:a6:
+        1a:ac:e7:2e:ce:68:22:c0:16:81:29:3f:4e:a2:84:8f:64:3b:
+        d6:e9:29:00:4a:62:e1:3c:cf:14:20:cd:c5:d5:06:9a:77:3e:
+        27:ba:f3:b5:4c:c0:8c:e5:79:2d:df:8d:89:55:fa:e5:c3:ee:
+        a4:3c:61:1a:b4:68:17:4e:15:d6:be:6f:b6:d0:42:2c:18:69:
+        17:2f:34:2d:0e:87:43:1c:51:e1:ca:b0:c4:ce:3b:c1:a8:89:
+        56:97:fe:30:40:5f:0c:f4:2f:e3:ab:e1:4b:b9:55:71:44:82:
+        c2:d7:ec:58:63:20:55:c2:e5:fa:eb:8f:29:44:8d:65:fa:29:
+        48:75:57:66
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzojANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIxMTIwMTE1NDIwN1oXDTIzMTIwMTE1NDIwN1owYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAOBT9POYwRQzAsikbf6qKveUPaZvAN873kyf
-o+oH1KzlWw3RrODt+cWYHTUt5bNJlxSFRA/cTNJnCIgBpdin65PRaqH3UeeEflIq
-fbxvDtjbtqY+3tz1pGiWRBGFAu1HEt+4YHGVe2KHaHpEVgnVtMjx9slGkoto6IPV
-1YZxI8OAHr9sAcfSpLxAbeDjwC4weL2t3SVm0/UHB1bXzuJyxSV9DOGnbwCo2qtL
-VEMJZKS2Ujgvt8wB3RwDJwNHv9/mN7DtGNxRC9R1It9QezzrNzkcm28Ie6cFrIxD
-9/HaUQazgkU+yIFznrClz3aWr4EsrAEqSlhLHb7/H4XCJ97xeAsCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOLgpHOVm+lu/c4pxG8HgQuWvUe6MB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQBcRwHSZwp1Mwa/GwYjUh8EI7/OQR8RASNU10+4yACNMNa2njOUn+s85DMQLBEh
-A4h+GlggFnWii/mbcs0x7hUwcxoNf6HnuFGYzjTB/gppGKFRWLaRJbiBfP971982
-t0ApY/qkEmLGHZaT2D9Q+Unq/JA/b3GQp0T7+MqmoYBhFYKMud4Qb7f3OnS9T78l
-FFk9xE4P2A9vdS2GRrgKO3Z5a9ixBvWnOCZgSkIhgGbvl5BbKbrhkGCpJbJbDwbf
-yNQe5nQPb8+4U6G873nRJ1TnG+i7NGelpULhPHcIZi+kbKKa8PY3krDBhsy4hrWS
-fRYA3RAaplnOvgeFzBvPFJba
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwmYwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMjEwMDMxNzIwMDhaFw0yNDEwMDIxNzIwMDhaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgU/TzmMEUMwLIpG3+qir3lD2mbwDfO95M
+n6PqB9Ss5VsN0azg7fnFmB01LeWzSZcUhUQP3EzSZwiIAaXYp+uT0Wqh91HnhH5S
+Kn28bw7Y27amPt7c9aRolkQRhQLtRxLfuGBxlXtih2h6RFYJ1bTI8fbJRpKLaOiD
+1dWGcSPDgB6/bAHH0qS8QG3g48AuMHi9rd0lZtP1BwdW187icsUlfQzhp28AqNqr
+S1RDCWSktlI4L7fMAd0cAycDR7/f5jew7RjcUQvUdSLfUHs86zc5HJtvCHunBayM
+Q/fx2lEGs4JFPsiBc56wpc92lq+BLKwBKkpYSx2+/x+Fwife8XgLAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTi4KRzlZvpbv3OKcRvB4ELlr1HujAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAd++ChfEY5lqk/BnaGvRE/IMDmQ92+kCdz5GdCN8ZIFROqTOlSV5/Oo9tSnO9
+D5iDtGFDY3yHKzpZ+C4iO3s5AIMNkIfqBnhZczfVAv6Ur/cxE8ZEIXLd6Gk0q4Pu
+rFjuIvqqZLxlMenRSuzlfW65Hw9aUBTM0sUy/bp03C2mGqznLs5oIsAWgSk/TqKE
+j2Q71ukpAEpi4TzPFCDNxdUGmnc+J7rztUzAjOV5Ld+NiVX65cPupDxhGrRoF04V
+1r5vttBCLBhpFy80LQ6HQxxR4cqwxM47waiJVpf+MEBfDPQv46vhS7lVcUSCwtfs
+WGMgVcLl+uuPKUSNZfopSHVXZg==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/ok_cert_by_intermediate.pem b/chromium/net/data/ssl/certificates/ok_cert_by_intermediate.pem
index 69289624866..25be4eb757f 100644
--- a/chromium/net/data/ssl/certificates/ok_cert_by_intermediate.pem
+++ b/chromium/net/data/ssl/certificates/ok_cert_by_intermediate.pem
@@ -30,16 +30,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            e3:e2:72:2a:fb:6d:e8:f9:5d:db:93:27:30:f9:d8:e5
+            9c:ac:13:39:97:f9:d0:e4:e8:7f:a3:f1:71:92:32:fa
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Intermediate CA
         Validity
-            Not Before: Dec  1 15:42:07 2021 GMT
-            Not After : Dec  1 15:42:07 2023 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Oct  2 17:20:08 2024 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:e0:53:f4:f3:98:c1:14:33:02:c8:a4:6d:fe:aa:
                     2a:f7:94:3d:a6:6f:00:df:3b:de:4c:9f:a3:ea:07:
@@ -66,33 +66,33 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 E2:E0:A4:73:95:9B:E9:6E:FD:CE:29:C4:6F:07:81:0B:96:BD:47:BA
             X509v3 Authority Key Identifier: 
-                keyid:17:5C:45:F3:D0:AC:1C:10:4C:8B:43:44:20:C4:DD:93:C5:C5:19:3B
-
+                17:5C:45:F3:D0:AC:1C:10:4C:8B:43:44:20:C4:DD:93:C5:C5:19:3B
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         92:02:42:eb:93:af:3b:ae:72:a5:0b:d0:fc:05:62:4c:fa:29:
-         cf:0e:bd:32:1b:e7:c2:fc:42:e6:b9:04:32:2d:e1:61:68:43:
-         4f:d7:a3:a7:9a:3d:a0:1b:07:09:13:5d:ce:82:49:cb:20:9e:
-         cd:2a:32:18:cc:61:c2:42:45:31:dc:14:e5:fd:c5:66:00:12:
-         ba:ba:a1:51:71:65:63:d7:22:4c:ec:6d:28:36:0f:e5:70:5c:
-         0d:30:c7:75:8b:7f:99:d7:57:74:c0:63:5b:ee:9f:5f:d6:88:
-         96:d2:12:cf:de:48:64:0a:c2:9c:82:35:61:0c:6c:8c:3d:28:
-         0d:27:c4:db:7b:bf:93:f7:06:7d:3f:76:37:22:62:b5:aa:f9:
-         95:e5:c4:06:dd:af:39:7b:ab:23:d7:29:93:6c:63:2b:0a:d4:
-         08:15:a6:2a:c7:77:d1:c9:e9:4e:35:77:75:e2:38:17:30:f5:
-         b2:b0:f1:5a:04:3d:ac:3c:b4:b1:4c:de:c0:f8:58:ab:ef:a6:
-         56:3b:98:41:72:25:7d:02:60:22:70:0b:98:2b:1a:e0:f5:4d:
-         46:a8:94:e2:cc:0b:5e:fe:89:a9:32:29:b9:20:94:90:8f:2b:
-         24:c6:e6:21:df:00:8e:fb:f7:8f:0b:49:0b:35:7b:14:f8:22:
-         1a:a1:f8:c0
+    Signature Value:
+        93:a1:82:4b:78:ce:18:3a:0a:ae:c8:3b:04:4a:1e:2a:e0:e8:
+        c3:dd:15:cb:ed:4f:23:09:b8:d4:49:4f:3b:2c:98:bf:bd:7a:
+        4e:de:6b:48:93:0c:17:50:d5:df:b0:8a:95:3a:f4:d2:3c:c4:
+        71:cd:fc:d3:72:b1:99:dd:5c:82:74:df:42:d9:51:85:26:92:
+        2b:c8:0d:1b:aa:e5:98:9f:9d:25:cd:82:f1:a5:42:20:9c:7f:
+        e9:b3:b8:1e:75:70:2a:07:ee:33:db:6d:b6:6a:cb:e0:80:e9:
+        fe:12:15:0f:4e:e6:78:99:a3:22:68:1a:bc:ce:77:45:f0:9f:
+        ce:23:25:bd:32:b6:8d:f4:1a:3a:8e:e9:a7:bd:da:e7:d5:ba:
+        84:38:4f:db:bb:29:7f:ec:4f:56:1a:c4:43:1a:0e:a5:c9:db:
+        b1:69:9d:00:82:b6:b2:4b:67:e7:58:45:37:dc:30:81:93:5a:
+        56:de:5e:0f:9c:d6:1a:73:9c:9e:f4:f1:8e:20:11:fc:f3:3f:
+        77:7f:9a:f1:93:42:31:2b:5a:e2:70:f2:7a:f0:07:7e:28:c3:
+        21:6a:c5:b3:fe:08:76:4b:a3:58:70:f6:44:22:a5:e1:b9:17:
+        ce:a4:90:35:5c:c7:9a:e0:12:b7:5f:24:d5:60:0c:bd:9d:b6:
+        1b:78:17:16
 -----BEGIN CERTIFICATE-----
-MIID1zCCAr+gAwIBAgIRAOPicir7bej5XduTJzD52OUwDQYJKoZIhvcNAQELBQAw
+MIID1zCCAr+gAwIBAgIRAJysEzmX+dDk6H+j8XGSMvowDQYJKoZIhvcNAQELBQAw
 azELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
 dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExHTAbBgNVBAMMFFRlc3QgSW50
-ZXJtZWRpYXRlIENBMB4XDTIxMTIwMTE1NDIwN1oXDTIzMTIwMTE1NDIwN1owYDEL
+ZXJtZWRpYXRlIENBMB4XDTIyMTAwMzE3MjAwOFoXDTI0MTAwMjE3MjAwOFowYDEL
 MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50
 YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCC
 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOBT9POYwRQzAsikbf6qKveU
@@ -104,27 +104,27 @@ m28Ie6cFrIxD9/HaUQazgkU+yIFznrClz3aWr4EsrAEqSlhLHb7/H4XCJ97xeAsC
 AwEAAaOBgDB+MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOLgpHOVm+lu/c4pxG8H
 gQuWvUe6MB8GA1UdIwQYMBaAFBdcRfPQrBwQTItDRCDE3ZPFxRk7MB0GA1UdJQQW
 MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3
-DQEBCwUAA4IBAQCSAkLrk687rnKlC9D8BWJM+inPDr0yG+fC/ELmuQQyLeFhaENP
-16Onmj2gGwcJE13OgknLIJ7NKjIYzGHCQkUx3BTl/cVmABK6uqFRcWVj1yJM7G0o
-Ng/lcFwNMMd1i3+Z11d0wGNb7p9f1oiW0hLP3khkCsKcgjVhDGyMPSgNJ8Tbe7+T
-9wZ9P3Y3ImK1qvmV5cQG3a85e6sj1ymTbGMrCtQIFaYqx3fRyelONXd14jgXMPWy
-sPFaBD2sPLSxTN7A+Fir76ZWO5hBciV9AmAicAuYKxrg9U1GqJTizAte/ompMim5
-IJSQjyskxuYh3wCO+/ePC0kLNXsU+CIaofjA
+DQEBCwUAA4IBAQCToYJLeM4YOgquyDsESh4q4OjD3RXL7U8jCbjUSU87LJi/vXpO
+3mtIkwwXUNXfsIqVOvTSPMRxzfzTcrGZ3VyCdN9C2VGFJpIryA0bquWYn50lzYLx
+pUIgnH/ps7gedXAqB+4z2222asvggOn+EhUPTuZ4maMiaBq8zndF8J/OIyW9MraN
+9Bo6jumnvdrn1bqEOE/buyl/7E9WGsRDGg6lyduxaZ0AgrayS2fnWEU33DCBk1pW
+3l4PnNYac5ye9PGOIBH88z93f5rxk0IxK1ricPJ68Ad+KMMhasWz/gh2S6NYcPZE
+IqXhuRfOpJA1XMea4BK3XyTVYAy9nbYbeBcW
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a0
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:64
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
-            Not Before: Dec  1 15:42:06 2021 GMT
-            Not After : Nov 29 15:42:06 2031 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Sep 30 17:20:08 2032 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Intermediate CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:9d:e9:bd:e4:3d:4a:2f:fb:c2:f9:e6:22:2a:42:
                     15:46:1c:8c:8f:47:4c:e9:c5:57:95:1f:66:70:93:
@@ -152,41 +152,44 @@ Certificate:
                 17:5C:45:F3:D0:AC:1C:10:4C:8B:43:44:20:C4:DD:93:C5:C5:19:3B
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
+            X509v3 Authority Key Identifier: 
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
     Signature Algorithm: sha256WithRSAEncryption
-         9c:b1:c1:f7:c5:82:aa:43:3e:04:32:9c:32:18:de:ec:e4:d8:
-         60:d8:83:a3:b0:9b:76:b8:e8:4e:e5:e2:45:d6:71:76:cc:f9:
-         4d:5a:18:cb:06:4f:fb:a6:22:56:f3:d2:1b:c2:64:ff:c6:1e:
-         21:da:34:a5:e3:eb:e6:98:cf:6e:2d:77:bb:e6:ac:37:24:b1:
-         12:21:8b:88:11:ef:59:cf:b0:e0:a3:b5:6d:8c:ec:f8:de:ea:
-         5e:e4:e0:ed:2f:7c:91:a1:d0:ba:69:d6:bc:24:b7:fe:7d:11:
-         9e:65:ba:25:a5:22:55:53:fd:6b:18:30:17:ec:d3:d8:69:5a:
-         51:4c:e4:27:47:13:a9:b1:8b:1b:b4:9a:f0:8f:a9:a2:91:56:
-         b4:b9:e1:ed:c0:7e:58:34:e9:a5:2d:fd:02:b3:3b:47:02:42:
-         6c:ce:c2:98:b1:45:11:06:68:3a:48:be:cc:bf:66:b0:8e:c6:
-         02:ff:b8:68:64:d8:4b:44:25:b6:c5:78:63:17:53:e6:1b:8d:
-         8d:5d:0c:54:c7:fa:01:25:e5:5d:d6:dc:52:e0:25:9d:12:0d:
-         56:01:a9:c7:d9:3e:86:74:e1:d6:de:f9:0e:60:e2:6a:0f:a9:
-         fa:4d:3a:1d:5b:b1:26:1c:a7:5f:9e:71:62:f0:2c:ad:1e:e8:
-         ec:87:20:cf
+    Signature Value:
+        25:54:8b:68:3b:3c:92:ed:1b:c7:a1:62:b3:7c:ff:7e:8c:57:
+        7c:67:5c:ea:74:9f:e8:f1:b5:c8:e4:88:0e:c9:a3:f3:28:c4:
+        05:af:8f:ad:51:32:66:ae:5d:7a:b1:77:7e:99:06:c8:30:26:
+        5a:9f:1e:34:ea:aa:3e:0a:73:a2:40:e3:8f:1a:01:96:a2:6d:
+        2f:6c:d9:36:65:98:c8:86:41:0e:ee:0d:aa:da:62:54:62:23:
+        c6:23:b0:f1:ca:35:7b:e5:4b:d1:ab:80:80:d6:00:2b:19:85:
+        9d:e0:3c:3f:13:1e:90:d2:df:c3:31:90:0f:a8:40:08:33:4e:
+        f7:a4:d0:ed:3e:a4:41:cf:e8:37:49:d1:58:e8:07:3d:4b:a1:
+        c9:fe:12:07:9a:de:e0:c8:f3:68:d6:31:5d:03:77:2f:fa:b0:
+        e6:2c:f3:80:59:d0:9b:1b:59:22:cd:7e:58:c6:cf:82:92:c3:
+        76:95:78:b2:75:c8:fa:59:9f:0e:c0:e3:6d:70:f9:82:ba:db:
+        89:89:81:b7:b9:e1:41:63:51:56:8a:5a:d2:52:c2:19:2f:d9:
+        c0:9d:19:82:59:79:f9:56:1c:25:81:4d:0a:cd:77:1b:de:85:
+        6e:51:04:08:0b:0c:33:65:52:f6:90:a8:82:25:77:a0:fa:5e:
+        9c:2a:91:66
 -----BEGIN CERTIFICATE-----
-MIIDmjCCAoKgAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzoDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIxMTIwMTE1NDIwNloXDTMxMTEyOTE1NDIwNlowazELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExHTAbBgNVBAMMFFRlc3QgSW50ZXJtZWRpYXRlIENB
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnem95D1KL/vC+eYiKkIV
-RhyMj0dM6cVXlR9mcJMi8JTDu7Vb76RvyMeJlXW6DDa/TmupNUcIQ54pauLD+wO3
-H7bhUWvtexnH+c473GXpZseDlMTRTu7tZEuB8RrqWmQYG2pOk9ATbJBgytJOtyQW
-+LIIWJ2NpzNFFTSBrS0tnGDv+SuY/nnTjSxI2xKR9C76v/UmwYIFgN1MqHC/p7wQ
-NHc520cED+1EsmVGIiCIWSgPxwyitJGloqrKBZ+Km26jy9Sk6CR1nSCBIltfdz7J
-8R6u64ozjCdbHr5tIRtCcpXjnhMDdadY1L5oEv5jjksRejTno2vdc64+GZrskYtz
-rwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQXXEXz0KwcEEyL
-Q0QgxN2TxcUZOzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAJyx
-wffFgqpDPgQynDIY3uzk2GDYg6Owm3a46E7l4kXWcXbM+U1aGMsGT/umIlbz0hvC
-ZP/GHiHaNKXj6+aYz24td7vmrDcksRIhi4gR71nPsOCjtW2M7Pje6l7k4O0vfJGh
-0Lpp1rwkt/59EZ5luiWlIlVT/WsYMBfs09hpWlFM5CdHE6mxixu0mvCPqaKRVrS5
-4e3Aflg06aUt/QKzO0cCQmzOwpixRREGaDpIvsy/ZrCOxgL/uGhk2EtEJbbFeGMX
-U+YbjY1dDFTH+gEl5V3W3FLgJZ0SDVYBqcfZPoZ04dbe+Q5g4moPqfpNOh1bsSYc
-p1+ecWLwLK0e6OyHIM8=
+MIIDvDCCAqSgAwIBAgIRALBrk5LjXI1+7Z3IllnFwmQwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMjEwMDMxNzIwMDhaFw0zMjA5MzAxNzIwMDhaMGsxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMR0wGwYDVQQDDBRUZXN0IEludGVybWVkaWF0ZSBD
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ3pveQ9Si/7wvnmIipC
+FUYcjI9HTOnFV5UfZnCTIvCUw7u1W++kb8jHiZV1ugw2v05rqTVHCEOeKWriw/sD
+tx+24VFr7XsZx/nOO9xl6WbHg5TE0U7u7WRLgfEa6lpkGBtqTpPQE2yQYMrSTrck
+FviyCFidjaczRRU0ga0tLZxg7/krmP55040sSNsSkfQu+r/1JsGCBYDdTKhwv6e8
+EDR3OdtHBA/tRLJlRiIgiFkoD8cMorSRpaKqygWfiptuo8vUpOgkdZ0ggSJbX3c+
+yfEeruuKM4wnWx6+bSEbQnKV454TA3WnWNS+aBL+Y45LEXo056Nr3XOuPhma7JGL
+c68CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUF1xF89CsHBBM
+i0NEIMTdk8XFGTswDgYDVR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFJsmC4qYqbsd
+uR8c4xpAM+2OF4irMA0GCSqGSIb3DQEBCwUAA4IBAQAlVItoOzyS7RvHoWKzfP9+
+jFd8Z1zqdJ/o8bXI5IgOyaPzKMQFr4+tUTJmrl16sXd+mQbIMCZanx406qo+CnOi
+QOOPGgGWom0vbNk2ZZjIhkEO7g2q2mJUYiPGI7DxyjV75UvRq4CA1gArGYWd4Dw/
+Ex6Q0t/DMZAPqEAIM073pNDtPqRBz+g3SdFY6Ac9S6HJ/hIHmt7gyPNo1jFdA3cv
++rDmLPOAWdCbG1kizX5Yxs+CksN2lXiydcj6WZ8OwONtcPmCutuJiYG3ueFBY1FW
+ilrSUsIZL9nAnRmCWXn5VhwlgU0KzXcb3oVuUQQICwwzZVL2kKiCJXeg+l6cKpFm
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/policies_sanity_check.pem b/chromium/net/data/ssl/certificates/policies_sanity_check.pem
index c9905e73f8b..0366c54bf9f 100644
--- a/chromium/net/data/ssl/certificates/policies_sanity_check.pem
+++ b/chromium/net/data/ssl/certificates/policies_sanity_check.pem
@@ -2,35 +2,35 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            31:d4:c4:86:16:12:f3:2c:9b:2a:a8:f3:da:a6:58:97:2c:3e:2b:34
+            3f:da:e4:08:b7:6c:7c:c7:71:61:c1:d6:0f:c0:95:bc:69:fb:bb:12
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Validity
-            Not Before: Apr 21 15:48:20 2022 GMT
-            Not After : Apr 18 15:48:20 2032 GMT
+            Not Before: Oct  3 17:20:09 2022 GMT
+            Not After : Sep 30 17:20:09 2032 GMT
         Subject: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:e1:fe:51:9c:3d:3f:9e:5b:92:0d:cd:ed:e7:16:
-                    9a:f0:b5:00:4b:87:90:35:c4:db:88:ee:d2:ec:1f:
-                    d4:3a:a5:a6:34:b2:7d:03:74:85:d0:d2:61:02:ce:
-                    58:af:c3:10:4c:2d:8f:32:dc:e5:f2:83:80:8c:ba:
-                    e2:33:70:5f:83:28:71:a4:45:38:f7:fd:e1:16:9a:
-                    11:c6:4f:c1:f4:5f:dd:27:3e:8b:86:d2:d0:c1:35:
-                    a8:af:ff:52:66:9f:09:ce:3b:48:d2:3a:4b:d0:67:
-                    0a:49:82:0f:db:61:c3:e0:c8:9d:75:79:8b:f4:08:
-                    af:8b:fb:69:61:03:f9:b1:e8:24:33:06:62:c3:7f:
-                    b0:44:fe:dc:62:89:0e:ec:6b:a2:26:d7:06:68:32:
-                    1b:8f:e1:09:23:80:97:37:cf:e3:cb:41:d9:fd:54:
-                    49:6c:b2:8e:97:00:3f:4d:58:af:bc:65:2d:3e:de:
-                    c7:49:45:e6:75:7c:1e:3d:b9:4c:ec:f3:89:7a:31:
-                    5c:28:f8:4a:9b:1b:0b:52:50:c4:43:57:13:90:d2:
-                    e2:c1:7e:e0:c8:81:b0:6a:5a:ea:be:d7:88:7e:7a:
-                    df:eb:9b:0e:9e:cc:53:7e:4f:d9:09:70:3f:7c:fd:
-                    a9:b5:7c:20:81:f5:a4:ff:c7:8b:b4:d6:bf:32:b9:
-                    8d:91
+                    00:a4:cd:2c:e1:f6:f0:26:79:e1:27:a7:a6:45:21:
+                    e1:8f:2a:40:82:18:cf:e0:2b:63:fa:7a:d9:eb:34:
+                    7a:1a:0c:eb:63:b9:73:5d:64:e0:3e:95:c7:6a:08:
+                    ee:c5:85:d1:07:f2:9f:36:0e:79:13:bb:fd:26:80:
+                    b7:1e:fc:63:2b:d8:a0:04:be:38:ac:e9:74:76:32:
+                    13:4d:0d:5b:b1:ba:4a:46:f1:3e:ae:1d:42:36:93:
+                    7f:1b:72:da:be:3b:c8:c6:d9:ac:57:2a:bb:69:60:
+                    d7:45:3d:4d:5b:ee:ef:ce:c8:4a:1c:21:24:69:15:
+                    c5:28:02:ec:48:1d:39:25:3b:09:d7:cb:9f:4c:c2:
+                    7a:c0:db:0b:c8:a3:86:ae:54:8c:1d:8b:a3:34:f8:
+                    4d:49:8b:9c:2b:98:00:9a:08:7b:b8:4c:6a:60:75:
+                    cd:38:ac:f0:d2:b8:67:1b:88:cf:4c:2f:be:1c:e7:
+                    30:55:2e:db:ab:ec:01:f8:12:af:87:ee:16:f9:47:
+                    02:68:c6:2a:cb:a3:89:1d:39:bf:dc:9b:92:5f:60:
+                    6f:5b:8a:60:f7:2f:4c:0c:23:9b:f5:3c:f9:0f:3c:
+                    3c:46:88:35:12:5d:1f:34:52:e6:8b:f1:fc:6d:57:
+                    ac:86:1f:f4:d2:21:eb:68:c3:0f:b4:62:9e:0f:4b:
+                    ad:f7
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Certificate Policies: 
@@ -46,45 +46,48 @@ Certificate:
                   User Notice:
                     Organization: Organization Name Two
                     Number: 42
-
+            X509v3 Subject Key Identifier: 
+                84:A7:AA:E2:63:F0:DF:98:C6:90:F3:67:27:49:0D:A8:F5:E2:EE:DF
     Signature Algorithm: sha256WithRSAEncryption
-         33:0e:69:e6:c7:23:63:e5:08:e2:27:ef:6c:28:19:64:b8:5a:
-         11:16:92:95:69:ae:f6:a8:fd:7f:f1:2f:8f:c1:3e:97:31:19:
-         ae:1f:52:22:02:81:4f:3b:93:26:d6:51:55:29:b7:6f:46:0e:
-         db:35:31:2c:1e:b9:ea:f0:7a:b5:37:bb:06:71:b1:72:3b:8f:
-         a8:03:6c:67:d0:dd:d2:df:22:b3:2c:50:98:49:41:4b:07:26:
-         6f:2f:65:ef:d1:1f:20:75:48:d1:f3:d5:d5:ac:f9:4f:5d:8a:
-         d6:fc:bd:c9:52:94:0f:27:93:28:15:b4:ec:b5:39:5a:46:d5:
-         e9:c8:65:0c:aa:11:9a:61:32:27:da:92:18:ae:ea:fd:c5:c9:
-         43:7a:88:0d:2b:79:67:30:04:0b:ba:85:99:70:5b:56:29:b8:
-         24:28:85:5b:21:ae:3c:63:60:15:b1:99:b5:b3:8c:e5:aa:be:
-         b8:b6:03:18:aa:52:ea:14:da:40:e2:e4:c1:f4:c0:4f:93:c4:
-         e1:2e:57:c0:96:72:e5:c8:28:1d:1b:37:72:9b:f8:17:14:12:
-         30:47:ef:3f:68:62:9f:25:e3:a3:67:7d:93:80:9f:ee:4f:89:
-         45:1d:83:be:70:28:23:46:53:cb:70:30:06:0e:21:25:6c:48:
-         bb:2b:3c:94
+    Signature Value:
+        91:ba:b8:c9:e1:a5:45:bf:dc:3e:30:39:e2:68:25:34:8b:d8:
+        90:5a:30:11:7d:68:ce:8c:97:23:fb:fc:91:a5:37:a9:c1:24:
+        f2:7d:92:da:69:7b:f6:3c:2f:60:ed:b8:9b:cf:93:66:54:62:
+        03:ee:3d:8c:6a:b4:4a:70:9a:ef:b1:9c:a2:a9:bb:79:9a:84:
+        72:da:b3:44:64:8e:97:76:c6:1e:85:fa:10:3f:76:fd:14:17:
+        11:7b:83:cf:82:68:5b:86:81:d8:a6:5d:26:b2:e2:cb:68:fe:
+        96:27:bc:a6:99:71:30:35:df:de:67:ea:14:81:44:42:de:d8:
+        55:17:ae:2e:c5:1a:a5:44:3c:f9:cd:02:55:93:c8:b4:88:80:
+        05:f9:15:93:8e:f3:2a:0d:3d:32:f0:a1:60:d6:f3:02:df:cd:
+        fc:cb:d7:29:34:16:cc:c8:ac:48:2b:a4:03:c0:bb:df:a8:df:
+        b8:54:0f:8e:e9:7f:fa:91:fb:33:14:0f:d6:08:ae:b2:81:fe:
+        f3:63:1f:8b:0b:81:b9:44:70:c0:cd:34:58:a2:4b:d8:0f:8b:
+        6f:15:5a:d2:10:34:c8:1d:18:f8:ba:d9:ea:b9:ce:8d:d4:a9:
+        e4:52:b5:cf:8a:3d:5a:eb:68:f3:db:c2:83:c2:98:d9:bc:d0:
+        80:cf:1e:b8
 -----BEGIN CERTIFICATE-----
-MIIELjCCAxagAwIBAgIUMdTEhhYS8yybKqjz2qZYlyw+KzQwDQYJKoZIhvcNAQEL
+MIIETTCCAzWgAwIBAgIUP9rkCLdsfMdxYcHWD8CVvGn7uxIwDQYJKoZIhvcNAQEL
 BQAwYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4w
-LjAuMTAeFw0yMjA0MjExNTQ4MjBaFw0zMjA0MTgxNTQ4MjBaMGAxCzAJBgNVBAYT
+LjAuMTAeFw0yMjEwMDMxNzIwMDlaFw0zMjA5MzAxNzIwMDlaMGAxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
 MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDh/lGcPT+eW5INze3nFprwtQBLh5A1xNuI
-7tLsH9Q6paY0sn0DdIXQ0mECzlivwxBMLY8y3OXyg4CMuuIzcF+DKHGkRTj3/eEW
-mhHGT8H0X90nPouG0tDBNaiv/1JmnwnOO0jSOkvQZwpJgg/bYcPgyJ11eYv0CK+L
-+2lhA/mx6CQzBmLDf7BE/txiiQ7sa6Im1wZoMhuP4QkjgJc3z+PLQdn9VElsso6X
-AD9NWK+8ZS0+3sdJReZ1fB49uUzs84l6MVwo+EqbGwtSUMRDVxOQ0uLBfuDIgbBq
-Wuq+14h+et/rmw6ezFN+T9kJcD98/am1fCCB9aT/x4u01r8yuY2RAgMBAAGjgd8w
-gdwwgdkGA1UdIASB0TCBzjAGBgQqAwQFMIHDBgQrBQgMMIG6MCYGCCsGAQUFBwIB
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkzSzh9vAmeeEnp6ZFIeGPKkCCGM/gK2P6
+etnrNHoaDOtjuXNdZOA+lcdqCO7FhdEH8p82DnkTu/0mgLce/GMr2KAEvjis6XR2
+MhNNDVuxukpG8T6uHUI2k38bctq+O8jG2axXKrtpYNdFPU1b7u/OyEocISRpFcUo
+AuxIHTklOwnXy59MwnrA2wvIo4auVIwdi6M0+E1Ji5wrmACaCHu4TGpgdc04rPDS
+uGcbiM9ML74c5zBVLtur7AH4Eq+H7hb5RwJoxirLo4kdOb/cm5JfYG9bimD3L0wM
+I5v1PPkPPDxGiDUSXR80UuaL8fxtV6yGH/TSIetoww+0Yp4PS633AgMBAAGjgf4w
+gfswgdkGA1UdIASB0TCBzjAGBgQqAwQFMIHDBgQrBQgMMIG6MCYGCCsGAQUFBwIB
 FhpodHRwOi8vY3BzLmV4YW1wbGUuY29tL2ZvbzBDBggrBgEFBQcCAjA3MCEaEU9y
 Z2FuaXphdGlvbiBOYW1lMAwCAQECAQICAQMCAQQaEkV4cGxpY2l0IFRleHQgSGVy
 ZTAfBggrBgEFBQcCAjATGhFFeHBsaWNpdCBUZXh0IFR3bzAqBggrBgEFBQcCAjAe
-MBwaFU9yZ2FuaXphdGlvbiBOYW1lIFR3bzADAgEqMA0GCSqGSIb3DQEBCwUAA4IB
-AQAzDmnmxyNj5QjiJ+9sKBlkuFoRFpKVaa72qP1/8S+PwT6XMRmuH1IiAoFPO5Mm
-1lFVKbdvRg7bNTEsHrnq8Hq1N7sGcbFyO4+oA2xn0N3S3yKzLFCYSUFLByZvL2Xv
-0R8gdUjR89XVrPlPXYrW/L3JUpQPJ5MoFbTstTlaRtXpyGUMqhGaYTIn2pIYrur9
-xclDeogNK3lnMAQLuoWZcFtWKbgkKIVbIa48Y2AVsZm1s4zlqr64tgMYqlLqFNpA
-4uTB9MBPk8ThLlfAlnLlyCgdGzdym/gXFBIwR+8/aGKfJeOjZ32TgJ/uT4lFHYO+
-cCgjRlPLcDAGDiElbEi7KzyU
+MBwaFU9yZ2FuaXphdGlvbiBOYW1lIFR3bzADAgEqMB0GA1UdDgQWBBSEp6riY/Df
+mMaQ82cnSQ2o9eLu3zANBgkqhkiG9w0BAQsFAAOCAQEAkbq4yeGlRb/cPjA54mgl
+NIvYkFowEX1ozoyXI/v8kaU3qcEk8n2S2ml79jwvYO24m8+TZlRiA+49jGq0SnCa
+77Gcoqm7eZqEctqzRGSOl3bGHoX6ED92/RQXEXuDz4JoW4aB2KZdJrLiy2j+lie8
+pplxMDXf3mfqFIFEQt7YVReuLsUapUQ8+c0CVZPItIiABfkVk47zKg09MvChYNbz
+At/N/MvXKTQWzMisSCukA8C736jfuFQPjul/+pH7MxQP1giusoH+82MfiwuBuURw
+wM00WKJL2A+LbxVa0hA0yB0Y+LrZ6rnOjdSp5FK1z4o9Wuto89vCg8KY2bzQgM8e
+uA==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/post_june_2016.pem b/chromium/net/data/ssl/certificates/post_june_2016.pem
index 30de9fde2e4..0a74d9f7702 100644
--- a/chromium/net/data/ssl/certificates/post_june_2016.pem
+++ b/chromium/net/data/ssl/certificates/post_june_2016.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:bd
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:81
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:c8:cc:66:10:46:e3:c1:e2:8d:ed:98:4f:b3:c5:
-                    61:50:97:e8:ab:53:35:25:8e:11:d9:83:a0:3a:ef:
-                    25:83:15:61:bb:04:6a:2f:b6:7c:15:55:d1:a9:f3:
-                    22:d6:b5:6e:05:6e:54:bd:e1:f3:3d:9b:be:7e:15:
-                    0a:e5:97:ce:45:63:74:68:49:c5:76:25:b4:35:0f:
-                    b0:78:1e:22:0a:69:82:02:ad:5d:3d:47:38:03:31:
-                    9a:f5:98:bf:fd:a6:63:e0:38:34:3c:5a:b7:c2:66:
-                    cf:3e:9d:79:be:59:c1:e9:1c:c9:f5:7b:2d:72:d8:
-                    78:54:25:22:e1:ca:dc:25:39:41:b4:2d:ea:ad:91:
-                    d8:8f:68:bd:ea:3e:05:34:4e:e8:ee:a1:c4:71:45:
-                    8c:7e:2f:09:f3:5c:dc:a5:d5:53:36:a0:03:83:f4:
-                    b0:e2:6f:f1:e8:97:60:ad:c3:fa:a2:ee:b8:85:c3:
-                    50:8b:6e:6c:e8:dc:77:27:31:4b:f2:7a:cd:cf:90:
-                    e0:23:37:33:84:28:f1:26:46:c3:d4:27:99:ad:9c:
-                    ec:de:c0:3b:7e:51:65:80:93:8a:b5:e7:18:b1:5e:
-                    2f:9a:73:45:8f:b9:71:02:15:dd:b5:6e:8b:fc:89:
-                    92:57:f6:a7:c9:1b:ec:f4:1d:d2:fc:59:b9:62:e6:
-                    06:23
+                    00:ac:bd:50:56:9a:11:59:5d:a3:61:c3:5b:0f:7b:
+                    b7:73:68:87:c8:7a:2a:f6:97:e1:09:1f:35:bb:b4:
+                    30:ad:75:ab:6d:ae:ad:5e:81:b8:36:19:68:3b:63:
+                    1e:b8:08:67:b8:bf:fe:49:8c:5e:a6:20:f7:86:d1:
+                    d4:42:db:4a:93:61:28:76:ed:86:2b:51:79:a8:bc:
+                    0e:68:8c:d2:2b:9b:5b:ef:a0:20:85:4c:94:36:6f:
+                    58:41:a5:5c:f3:2e:8d:8f:72:0b:f9:73:14:26:bf:
+                    b7:cd:62:fd:3b:7d:cf:2a:7a:64:47:69:85:c1:97:
+                    08:b6:84:47:92:fc:32:8f:2c:c6:ad:5b:66:d5:d9:
+                    1d:a2:5b:46:08:15:4d:fb:22:e4:97:a2:f9:1a:f1:
+                    98:c2:56:05:f3:90:22:9d:3a:9e:bd:b0:62:b0:92:
+                    48:a5:fe:51:50:00:d2:c0:79:c9:b0:d7:8a:99:16:
+                    7c:e1:cb:03:75:7f:6f:ff:33:1d:55:37:fb:0b:13:
+                    0f:f1:9e:0b:42:06:9d:4e:45:49:5a:17:98:3b:e1:
+                    a0:46:5a:55:8c:d6:f3:fa:4f:f0:e3:d1:52:2f:46:
+                    e2:5e:b1:cc:c7:0e:05:dc:7d:73:66:f7:92:9c:62:
+                    02:87:fe:ca:bf:43:4a:be:a0:0f:41:4d:2d:47:ea:
+                    9a:09
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                74:52:E6:00:CB:F6:2B:D2:6C:7D:64:D8:13:74:26:1C:93:EA:50:92
+                77:54:D3:17:CC:0A:33:63:BC:8C:17:18:29:3D:27:8F:27:44:AC:23
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         74:a8:c0:69:fb:be:a6:26:9b:fa:1a:92:e8:0c:e6:4b:cc:5a:
-         1c:78:92:e2:ee:43:a2:0d:9c:de:eb:08:33:84:d0:3e:5f:13:
-         d5:c7:1c:0e:f6:3b:f2:b8:f8:7d:bf:7d:62:aa:3b:30:cf:b9:
-         62:fb:e2:b6:60:72:80:d8:85:81:25:4b:b5:e5:1d:3e:cf:47:
-         8c:2d:43:74:15:4d:60:b4:c6:77:c3:f0:01:78:89:2f:93:38:
-         22:f8:c0:46:56:8b:d0:80:6a:cd:4f:91:bd:fe:85:5e:0e:a5:
-         8c:65:56:c9:83:52:b4:f2:45:e3:f1:5c:ec:e2:6f:82:39:92:
-         73:66:70:3b:d9:0b:96:79:2c:70:f9:56:33:0a:55:17:e8:c5:
-         ff:38:4f:0c:0d:42:78:fe:74:df:d6:7f:0c:41:92:36:44:33:
-         c4:ef:4b:d4:bd:e2:4f:12:25:57:e4:21:b9:f3:39:bd:8d:2c:
-         d6:00:3f:ff:45:d2:ea:8f:3c:fb:e2:e2:7d:50:ec:86:b9:f4:
-         8b:18:f3:36:b8:96:06:b9:95:43:a9:f1:cd:ca:a7:f0:4d:ad:
-         ff:7c:77:11:c6:38:1a:5f:cf:9b:aa:16:cc:d9:36:38:80:59:
-         2e:bb:86:a9:cf:ac:39:7a:fc:04:bc:16:ed:c7:e7:ac:6e:58:
-         68:24:42:d0
+    Signature Value:
+        51:f6:3a:89:7e:50:32:e0:d6:d3:9a:0a:6a:5d:65:22:97:e6:
+        fd:c6:cd:39:08:e8:ea:6d:68:f5:04:31:ba:70:26:15:9b:25:
+        4c:24:55:33:6e:69:95:2a:22:07:2c:8a:b7:b5:43:f9:73:c5:
+        8f:70:79:de:a9:f6:36:bb:f8:ba:c3:7c:d1:bf:d9:29:da:be:
+        16:46:d6:5d:45:f1:b1:54:db:58:08:72:25:3e:be:15:1f:8b:
+        c7:91:a4:f2:9b:49:11:8b:1f:d0:99:fd:47:60:1b:ec:0e:2a:
+        6b:e0:2b:2f:8d:a8:cd:2e:b1:af:72:fa:7d:15:8c:95:79:be:
+        c2:3e:83:60:84:f2:0e:3f:41:b5:3f:81:a5:04:ec:93:36:40:
+        48:54:fd:8e:d8:ba:7d:6c:bc:e0:25:25:b8:74:d6:3f:e6:03:
+        70:17:dc:ba:b6:48:fb:f0:e3:25:91:94:66:99:d9:4d:ad:c4:
+        0e:bc:0b:03:63:f5:44:0b:cb:47:a4:ad:c3:c7:5e:30:d5:f4:
+        fc:f8:32:39:88:d5:79:65:49:3f:45:2f:1c:9c:b7:4d:08:12:
+        f3:c8:d8:87:fa:44:78:a1:41:ab:54:98:ad:43:48:8e:b3:0a:
+        01:23:21:e3:84:0a:f8:5a:a8:ab:13:fb:f0:c9:54:74:ad:72:
+        61:52:e9:d9
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzvTANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE2MDYwMTAwMDAwMFoXDTE3MDcwMzAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMjMZhBG48Hije2YT7PFYVCX6KtTNSWOEdmD
-oDrvJYMVYbsEai+2fBVV0anzIta1bgVuVL3h8z2bvn4VCuWXzkVjdGhJxXYltDUP
-sHgeIgppggKtXT1HOAMxmvWYv/2mY+A4NDxat8Jmzz6deb5ZwekcyfV7LXLYeFQl
-IuHK3CU5QbQt6q2R2I9oveo+BTRO6O6hxHFFjH4vCfNc3KXVUzagA4P0sOJv8eiX
-YK3D+qLuuIXDUItubOjcdycxS/J6zc+Q4CM3M4Qo8SZGw9Qnma2c7N7AO35RZYCT
-irXnGLFeL5pzRY+5cQIV3bVui/yJklf2p8kb7PQd0vxZuWLmBiMCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHRS5gDL9ivSbH1k2BN0JhyT6lCSMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQB0qMBp+76mJpv6GpLoDOZLzFoceJLi7kOiDZze6wgzhNA+XxPVxxwO9jvyuPh9
-v31iqjswz7li++K2YHKA2IWBJUu15R0+z0eMLUN0FU1gtMZ3w/ABeIkvkzgi+MBG
-VovQgGrNT5G9/oVeDqWMZVbJg1K08kXj8Vzs4m+COZJzZnA72QuWeSxw+VYzClUX
-6MX/OE8MDUJ4/nTf1n8MQZI2RDPE70vUveJPEiVX5CG58zm9jSzWAD//RdLqjzz7
-4uJ9UOyGufSLGPM2uJYGuZVDqfHNyqfwTa3/fHcRxjgaX8+bqhbM2TY4gFkuu4ap
-z6w5evwEvBbtx+esblhoJELQ
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwoEwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNjA2MDEwMDAwMDBaFw0xNzA3MDMwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsvVBWmhFZXaNhw1sPe7dzaIfIeir2l+EJ
+HzW7tDCtdattrq1egbg2GWg7Yx64CGe4v/5JjF6mIPeG0dRC20qTYSh27YYrUXmo
+vA5ojNIrm1vvoCCFTJQ2b1hBpVzzLo2Pcgv5cxQmv7fNYv07fc8qemRHaYXBlwi2
+hEeS/DKPLMatW2bV2R2iW0YIFU37IuSXovka8ZjCVgXzkCKdOp69sGKwkkil/lFQ
+ANLAecmw14qZFnzhywN1f2//Mx1VN/sLEw/xngtCBp1ORUlaF5g74aBGWlWM1vP6
+T/Dj0VIvRuJesczHDgXcfXNm95KcYgKH/sq/Q0q+oA9BTS1H6poJAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR3VNMXzAozY7yMFxgpPSePJ0SsIzAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAUfY6iX5QMuDW05oKal1lIpfm/cbNOQjo6m1o9QQxunAmFZslTCRVM25plSoi
+ByyKt7VD+XPFj3B53qn2Nrv4usN80b/ZKdq+FkbWXUXxsVTbWAhyJT6+FR+Lx5Gk
+8ptJEYsf0Jn9R2Ab7A4qa+ArL42ozS6xr3L6fRWMlXm+wj6DYITyDj9BtT+BpQTs
+kzZASFT9jti6fWy84CUluHTWP+YDcBfcurZI+/DjJZGUZpnZTa3EDrwLA2P1RAvL
+R6Stw8deMNX0/PgyOYjVeWVJP0UvHJy3TQgS88jYh/pEeKFBq1SYrUNIjrMKASMh
+44QK+FqoqxP78MlUdK1yYVLp2Q==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/pre_br_validity_bad_121.pem b/chromium/net/data/ssl/certificates/pre_br_validity_bad_121.pem
index 6a552d841c4..c0ac13425cb 100644
--- a/chromium/net/data/ssl/certificates/pre_br_validity_bad_121.pem
+++ b/chromium/net/data/ssl/certificates/pre_br_validity_bad_121.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b4
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:78
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:cf:4e:e8:53:22:15:6b:29:1c:d5:31:90:0c:6c:
-                    dc:cb:db:80:55:c3:aa:f3:1c:ba:56:c9:c2:7e:53:
-                    2d:fa:c8:48:c3:f1:36:7c:a7:55:b8:c3:73:4b:9a:
-                    4f:f2:ea:dd:a2:9b:69:24:ed:07:73:44:9d:ac:ba:
-                    67:02:f8:8c:3e:47:eb:46:1f:88:0a:1d:73:3a:f3:
-                    22:27:f6:f7:f4:aa:41:47:ab:e4:2c:4c:63:ca:03:
-                    6c:ec:a9:f5:37:39:f2:ca:30:18:09:80:28:c1:a2:
-                    de:90:ff:35:41:0c:5b:78:20:43:40:4c:55:21:2f:
-                    a2:8f:c8:3f:f1:12:59:a1:9b:a6:f3:af:8f:08:59:
-                    4b:0b:e8:a7:02:fc:60:56:ec:41:15:14:aa:90:9a:
-                    ce:b3:88:63:7f:d3:82:01:a2:c2:88:d7:7f:ae:a7:
-                    f3:f7:9f:4a:c7:70:e7:43:14:bb:b6:75:5c:c9:67:
-                    ed:0d:7e:39:0f:34:cf:29:64:ef:f1:68:cd:d3:cb:
-                    b3:f0:13:af:1d:3d:87:cf:95:17:2e:dd:16:d5:de:
-                    72:84:37:14:15:64:50:11:1f:fe:c1:f3:81:90:0d:
-                    db:b4:a5:09:25:35:34:4c:dc:f0:98:23:ce:41:1f:
-                    4f:05:f3:cc:5a:ee:06:23:4e:0b:b9:63:cb:d7:6b:
-                    e1:bf
+                    00:ba:d0:97:d7:72:13:ea:8f:1a:c0:2b:11:e7:a9:
+                    d1:dd:7c:88:d2:a6:68:c0:51:1d:ff:b3:0b:88:de:
+                    f3:95:12:5a:74:7e:21:25:aa:04:cf:e2:9f:8f:9c:
+                    0a:38:e5:df:77:7a:47:73:46:2b:c7:bf:b9:5a:6b:
+                    5a:0d:75:d4:32:59:6d:45:ba:02:10:34:ec:6b:6a:
+                    86:26:67:78:19:e7:a5:87:a4:88:4c:a9:a4:ec:94:
+                    19:d0:ee:b6:49:37:df:eb:63:e8:4d:f2:09:41:56:
+                    be:7c:57:17:66:06:76:e9:35:1b:c2:9e:0e:b7:72:
+                    35:e7:82:6f:85:20:4a:75:6f:ff:84:09:fa:73:47:
+                    e7:40:8c:3f:05:f6:73:8c:f7:56:fb:1e:53:a7:ba:
+                    6c:3f:12:e0:34:21:8e:e0:b4:19:36:6e:73:86:22:
+                    5e:b2:89:17:50:c3:a6:03:d1:e0:8e:d3:bf:4e:e9:
+                    11:08:21:61:f0:f1:42:ef:56:f1:ad:e4:d7:b3:4d:
+                    6a:8a:b2:0c:ea:99:ab:a2:e5:64:f5:d0:ef:7b:1d:
+                    98:f8:8d:20:29:46:91:0b:bc:a8:1b:b7:50:a3:2e:
+                    0f:c9:0a:a1:61:cb:7f:77:9d:a0:96:ee:b1:b1:ca:
+                    2d:cc:f3:f6:16:21:16:2a:ee:e8:10:7a:e9:e2:7d:
+                    4d:21
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                AE:2F:34:B7:FC:B3:9C:38:86:A6:91:4F:42:0E:0D:16:23:94:D4:00
+                41:16:79:6C:BA:A5:55:A1:5B:53:B3:80:E8:62:C8:1B:CF:E9:A5:6C
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         8b:a8:79:8a:0c:90:5c:22:ab:66:cd:32:58:a2:5c:3c:d4:8c:
-         11:7e:d1:ec:23:7b:00:8b:bf:34:b9:d4:a5:d2:fe:41:a9:6d:
-         23:15:ce:ed:17:f4:ea:d1:d2:94:ed:0f:99:67:c1:ec:a8:ce:
-         59:1d:d6:89:b7:b9:25:9a:6e:c4:de:4a:58:ea:15:b9:fc:c9:
-         13:d5:a5:d9:c7:aa:c6:41:33:16:99:03:f5:cd:dd:3c:09:da:
-         bf:b0:06:9a:e2:1e:9b:80:b1:c0:47:37:10:ab:b2:0b:11:c8:
-         fa:c8:1a:30:09:14:e2:50:00:af:1b:17:7f:cc:df:fb:67:0b:
-         43:1b:ae:e6:73:a9:53:db:d3:f2:51:16:6a:b8:7c:36:9c:8a:
-         7b:60:e6:9a:fa:7f:d1:74:80:18:33:d6:9c:d4:f6:ab:f4:90:
-         92:5d:35:f5:c0:fb:77:7a:c8:31:12:ea:d0:6c:1e:fa:96:2f:
-         c1:19:6d:42:e0:e5:24:9b:e4:8a:e1:00:f1:74:5c:b9:d8:85:
-         f3:d1:05:ee:50:83:88:9f:47:b8:b6:95:5a:5a:e9:74:1c:fb:
-         e1:ec:3b:1e:aa:04:a5:08:e8:ce:d9:c4:c7:b8:1e:09:13:45:
-         42:74:ae:d4:95:9a:34:11:88:13:5b:1b:a5:1d:41:45:85:ee:
-         66:be:09:7a
+    Signature Value:
+        7e:9b:7f:2c:42:3f:7e:34:6b:dc:31:35:cd:e6:b4:b0:ac:99:
+        80:fb:90:37:73:b8:fb:50:8d:e5:d5:6f:e4:80:22:3e:89:d3:
+        fd:78:9e:8c:9e:6e:6d:32:3c:b7:97:ef:32:dd:86:a1:ed:44:
+        91:fc:60:55:bd:46:c4:67:f4:00:ce:a7:e5:65:fb:58:b0:75:
+        8e:81:51:b3:46:a5:b0:5f:fe:aa:69:17:5b:ce:da:7b:90:7b:
+        07:4d:f6:eb:0b:3f:b6:bd:81:d5:e5:55:43:1e:de:82:30:5d:
+        ff:1c:49:df:4b:7f:e5:5c:5a:e7:d1:6a:6f:8f:ab:53:fc:18:
+        38:8f:8e:07:ae:24:24:7f:10:73:2b:63:3e:9e:f7:dd:90:de:
+        84:df:70:e2:bb:73:f5:77:04:aa:ab:b5:bb:e6:fa:5c:4a:2b:
+        67:4a:61:2c:bb:58:9d:d3:42:6b:0d:90:b1:14:6a:ee:13:c2:
+        9f:21:45:ba:c7:7c:7b:a0:20:0b:13:b5:81:36:ff:8f:32:2e:
+        f0:2b:4e:e7:6d:cd:28:9a:49:40:69:52:c5:5f:89:eb:04:10:
+        07:3a:17:1e:f6:95:35:13:67:94:fe:65:17:4f:6e:bc:23:96:
+        d8:11:21:ce:70:af:97:ef:f5:c8:fa:e3:e3:01:72:1a:f7:4e:
+        73:8d:10:a6
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYztDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTA4MDEwMTAwMDAwMFoXDTE4MDUwMTAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAM9O6FMiFWspHNUxkAxs3MvbgFXDqvMculbJ
-wn5TLfrISMPxNnynVbjDc0uaT/Lq3aKbaSTtB3NEnay6ZwL4jD5H60YfiAodczrz
-Iif29/SqQUer5CxMY8oDbOyp9Tc58sowGAmAKMGi3pD/NUEMW3ggQ0BMVSEvoo/I
-P/ESWaGbpvOvjwhZSwvopwL8YFbsQRUUqpCazrOIY3/TggGiwojXf66n8/efSsdw
-50MUu7Z1XMln7Q1+OQ80zylk7/FozdPLs/ATrx09h8+VFy7dFtXecoQ3FBVkUBEf
-/sHzgZAN27SlCSU1NEzc8JgjzkEfTwXzzFruBiNOC7ljy9dr4b8CAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFK4vNLf8s5w4hqaRT0IODRYjlNQAMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQCLqHmKDJBcIqtmzTJYolw81IwRftHsI3sAi780udSl0v5BqW0jFc7tF/Tq0dKU
-7Q+ZZ8HsqM5ZHdaJt7klmm7E3kpY6hW5/MkT1aXZx6rGQTMWmQP1zd08Cdq/sAaa
-4h6bgLHARzcQq7ILEcj6yBowCRTiUACvGxd/zN/7ZwtDG67mc6lT29PyURZquHw2
-nIp7YOaa+n/RdIAYM9ac1Par9JCSXTX1wPt3esgxEurQbB76li/BGW1C4OUkm+SK
-4QDxdFy52IXz0QXuUIOIn0e4tpVaWul0HPvh7DseqgSlCOjO2cTHuB4JE0VCdK7U
-lZo0EYgTWxulHUFFhe5mvgl6
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwngwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0wODAxMDEwMDAwMDBaFw0xODA1MDEwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC60JfXchPqjxrAKxHnqdHdfIjSpmjAUR3/
+swuI3vOVElp0fiElqgTP4p+PnAo45d93ekdzRivHv7laa1oNddQyWW1FugIQNOxr
+aoYmZ3gZ56WHpIhMqaTslBnQ7rZJN9/rY+hN8glBVr58VxdmBnbpNRvCng63cjXn
+gm+FIEp1b/+ECfpzR+dAjD8F9nOM91b7HlOnumw/EuA0IY7gtBk2bnOGIl6yiRdQ
+w6YD0eCO079O6REIIWHw8ULvVvGt5NezTWqKsgzqmaui5WT10O97HZj4jSApRpEL
+vKgbt1CjLg/JCqFhy393naCW7rGxyi3M8/YWIRYq7ugQeunifU0hAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRBFnlsuqVVoVtTs4DoYsgbz+mlbDAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAfpt/LEI/fjRr3DE1zea0sKyZgPuQN3O4+1CN5dVv5IAiPonT/XiejJ5ubTI8
+t5fvMt2Goe1EkfxgVb1GxGf0AM6n5WX7WLB1joFRs0alsF/+qmkXW87ae5B7B032
+6ws/tr2B1eVVQx7egjBd/xxJ30t/5Vxa59Fqb4+rU/wYOI+OB64kJH8QcytjPp73
+3ZDehN9w4rtz9XcEqqu1u+b6XEorZ0phLLtYndNCaw2QsRRq7hPCnyFFusd8e6Ag
+CxO1gTb/jzIu8CtO523NKJpJQGlSxV+J6wQQBzoXHvaVNRNnlP5lF09uvCOW2BEh
+znCvl+/1yPrj4wFyGvdOc40Qpg==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/pre_br_validity_bad_2020.pem b/chromium/net/data/ssl/certificates/pre_br_validity_bad_2020.pem
index 658fef66956..54ee3112149 100644
--- a/chromium/net/data/ssl/certificates/pre_br_validity_bad_2020.pem
+++ b/chromium/net/data/ssl/certificates/pre_br_validity_bad_2020.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b5
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:79
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:f2:36:76:b7:2a:76:bb:ad:54:f5:06:a3:9c:68:
-                    58:53:3b:fe:6e:87:2b:d8:49:71:ee:a9:cd:de:55:
-                    d6:a9:70:79:a7:a1:12:71:1b:1f:33:4b:bc:04:c7:
-                    59:41:05:ef:df:a3:41:a5:dc:d3:af:68:d9:ac:69:
-                    a0:0d:1a:60:ae:59:30:95:d7:d3:f7:bc:cd:31:a8:
-                    c8:4b:bc:93:18:9d:ea:b6:26:8b:c8:a6:dd:bc:a7:
-                    7e:57:68:c8:b9:7d:29:53:54:0d:a9:91:eb:0d:df:
-                    76:d2:eb:9b:b9:7e:b2:9c:3f:85:61:c3:ca:27:77:
-                    51:9b:31:43:c0:d7:ae:4a:99:d1:59:e4:1c:05:fe:
-                    6a:8d:d0:17:bd:27:7f:03:7d:5a:9b:38:e2:b2:ff:
-                    d1:57:ba:89:cd:55:c9:86:5c:5e:ac:75:6b:eb:37:
-                    da:08:5e:82:51:5d:8f:bb:e8:9b:6b:41:b4:3e:67:
-                    c9:58:31:62:29:73:fe:df:8d:7d:38:d2:7f:43:d4:
-                    5b:10:ba:bc:c5:d5:e2:0c:7c:2b:89:eb:05:40:ac:
-                    7a:d7:51:e9:2d:30:d7:cc:24:50:10:cf:c6:5c:48:
-                    e8:20:0e:4d:66:54:fa:a5:ad:87:c6:8a:c7:21:c7:
-                    54:f7:36:90:05:eb:3e:1f:e0:1f:60:20:bb:86:da:
-                    94:65
+                    00:e8:01:53:38:ac:8f:22:51:a3:e6:99:dc:5c:61:
+                    81:49:da:e3:d6:19:94:5e:20:32:1e:d9:0d:8a:ad:
+                    d7:f6:76:fc:91:1a:1a:a0:82:77:6b:9c:22:7d:80:
+                    9a:bc:09:06:c6:16:4c:96:47:35:de:4a:63:0a:b2:
+                    f4:b2:9d:c8:8e:9c:ba:de:0b:05:cb:16:53:c6:eb:
+                    b1:97:d2:fd:ce:a9:9b:87:c6:f3:65:83:6f:02:d0:
+                    a2:f6:70:93:0e:e4:b4:5a:ea:83:93:5d:db:16:da:
+                    54:e2:78:40:43:e6:c2:74:33:2a:f2:0f:18:a5:1f:
+                    78:95:36:b4:ab:b0:58:dc:e8:e8:2a:74:ae:45:d3:
+                    55:48:d2:64:39:d0:7d:f9:8f:96:d9:d1:77:a8:bb:
+                    54:1d:d0:01:12:f3:68:48:83:65:6a:22:86:4a:3c:
+                    f2:28:a6:d4:a6:6c:27:1b:44:4e:67:60:36:64:10:
+                    54:e2:ad:f4:fb:b7:9a:a5:93:13:2d:9e:44:22:7b:
+                    84:f6:61:6a:6e:22:ff:cd:06:84:c8:e4:e2:14:fe:
+                    d3:33:1a:f6:94:a3:6d:9d:af:e7:7e:da:02:31:1c:
+                    c6:54:60:72:46:b7:5b:56:e5:31:f5:d8:57:33:d7:
+                    2e:2e:00:ae:2a:c9:be:f0:51:c4:8b:eb:59:43:12:
+                    90:fb
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                5C:E1:78:8E:3D:FD:A8:07:E1:CD:23:0C:2E:AF:87:03:71:80:5C:36
+                55:1A:0A:BD:6F:54:C0:58:F3:8A:C4:A3:2E:4D:39:9B:BB:E4:48:AD
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         02:26:e6:64:17:60:b8:0f:69:2e:ee:47:8f:31:87:78:25:42:
-         26:52:0d:13:13:ea:c4:db:20:79:53:88:cd:f5:19:0e:ba:a5:
-         2a:1e:57:16:6f:b4:b8:4e:08:1e:a5:21:1d:e3:14:01:ed:43:
-         1c:2f:77:54:45:6b:59:94:02:07:e8:50:06:cd:ea:ed:3f:bd:
-         c0:c7:95:7d:43:e2:ee:79:43:23:b3:1a:57:50:22:7a:24:52:
-         b5:9b:9e:7c:a3:ce:53:85:6c:1d:df:60:52:76:0c:4b:be:fb:
-         1f:bd:89:eb:1c:fc:c9:e5:4c:19:6e:05:e9:2c:92:58:c7:42:
-         a5:c5:34:1a:f8:d5:85:26:ec:dc:07:e2:06:82:62:39:b2:7e:
-         30:50:87:e6:e4:66:56:c5:25:22:c0:aa:c7:98:a6:c0:1d:de:
-         ce:3e:e9:84:ce:2f:f8:04:05:4a:99:f5:78:3f:fc:b7:aa:59:
-         5e:fe:5b:8a:1c:d7:88:a4:34:51:9e:a6:11:47:d1:1a:3b:b5:
-         95:28:d3:2c:4a:99:1c:54:2b:6c:31:05:4f:0a:48:83:50:77:
-         4d:c1:6b:5a:80:c8:02:c1:11:00:af:3f:44:e4:1b:e0:f4:59:
-         7d:5e:6c:72:c2:b6:64:d3:20:4c:5f:a5:e1:5e:3f:31:43:0b:
-         e3:7b:7d:06
+    Signature Value:
+        8e:83:f2:8f:31:70:5a:ce:64:82:b3:9e:89:e8:0f:5a:d1:bc:
+        55:c1:0d:40:7b:1b:21:94:ba:5a:e3:fc:16:28:b8:92:2b:aa:
+        85:2b:66:8a:43:2e:05:f1:38:b2:20:f5:8e:e5:7a:ef:62:29:
+        70:c5:03:c9:48:3f:1c:59:83:7d:8b:64:e6:db:0e:4c:c2:18:
+        a0:85:a7:3c:18:db:ac:92:46:96:c0:f2:83:3e:e7:53:ce:5a:
+        13:90:4b:22:86:42:6b:a1:c4:1d:e6:b8:50:aa:51:c1:74:07:
+        16:d8:fe:e2:3a:9a:79:52:4a:a7:40:bb:14:d4:56:ff:01:d5:
+        0e:5c:c5:ec:1b:fa:4e:32:4a:1a:12:6d:d6:3f:0b:1c:e7:86:
+        73:e2:24:97:90:ad:50:4e:c8:af:f6:b5:75:ce:91:91:e5:bd:
+        92:c3:d4:d9:be:c0:82:8c:de:3c:98:eb:12:5b:a6:7b:d5:94:
+        7d:69:2c:c2:fa:52:62:65:a7:67:76:4f:c7:73:6f:5d:47:b9:
+        8d:39:1d:2f:80:bf:ee:5c:48:83:42:a9:09:5b:7d:a1:0a:4f:
+        c2:b6:4c:0d:ba:4a:01:25:95:f8:98:4b:93:be:dc:63:bf:aa:
+        f9:8f:77:11:ea:56:ea:12:d4:6d:57:7e:b1:e8:3b:6a:3f:69:
+        ee:ec:ea:66
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYztTANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTEyMDUwMTAwMDAwMFoXDTE5MDcwMzAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAPI2drcqdrutVPUGo5xoWFM7/m6HK9hJce6p
-zd5V1qlweaehEnEbHzNLvATHWUEF79+jQaXc069o2axpoA0aYK5ZMJXX0/e8zTGo
-yEu8kxid6rYmi8im3bynfldoyLl9KVNUDamR6w3fdtLrm7l+spw/hWHDyid3UZsx
-Q8DXrkqZ0VnkHAX+ao3QF70nfwN9Wps44rL/0Ve6ic1VyYZcXqx1a+s32gheglFd
-j7vom2tBtD5nyVgxYilz/t+NfTjSf0PUWxC6vMXV4gx8K4nrBUCsetdR6S0w18wk
-UBDPxlxI6CAOTWZU+qWth8aKxyHHVPc2kAXrPh/gH2Agu4balGUCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFzheI49/agH4c0jDC6vhwNxgFw2MB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQACJuZkF2C4D2ku7kePMYd4JUImUg0TE+rE2yB5U4jN9RkOuqUqHlcWb7S4Tgge
-pSEd4xQB7UMcL3dURWtZlAIH6FAGzertP73Ax5V9Q+LueUMjsxpXUCJ6JFK1m558
-o85ThWwd32BSdgxLvvsfvYnrHPzJ5UwZbgXpLJJYx0KlxTQa+NWFJuzcB+IGgmI5
-sn4wUIfm5GZWxSUiwKrHmKbAHd7OPumEzi/4BAVKmfV4P/y3qlle/luKHNeIpDRR
-nqYRR9EaO7WVKNMsSpkcVCtsMQVPCkiDUHdNwWtagMgCwREArz9E5Bvg9Fl9Xmxy
-wrZk0yBMX6XhXj8xQwvje30G
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnkwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xMjA1MDEwMDAwMDBaFw0xOTA3MDMwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDoAVM4rI8iUaPmmdxcYYFJ2uPWGZReIDIe
+2Q2Krdf2dvyRGhqggndrnCJ9gJq8CQbGFkyWRzXeSmMKsvSynciOnLreCwXLFlPG
+67GX0v3OqZuHxvNlg28C0KL2cJMO5LRa6oOTXdsW2lTieEBD5sJ0MyryDxilH3iV
+NrSrsFjc6OgqdK5F01VI0mQ50H35j5bZ0Xeou1Qd0AES82hIg2VqIoZKPPIoptSm
+bCcbRE5nYDZkEFTirfT7t5qlkxMtnkQie4T2YWpuIv/NBoTI5OIU/tMzGvaUo22d
+r+d+2gIxHMZUYHJGt1tW5TH12Fcz1y4uAK4qyb7wUcSL61lDEpD7AgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRVGgq9b1TAWPOKxKMuTTmbu+RIrTAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAjoPyjzFwWs5kgrOeiegPWtG8VcENQHsbIZS6WuP8Fii4kiuqhStmikMuBfE4
+siD1juV672IpcMUDyUg/HFmDfYtk5tsOTMIYoIWnPBjbrJJGlsDygz7nU85aE5BL
+IoZCa6HEHea4UKpRwXQHFtj+4jqaeVJKp0C7FNRW/wHVDlzF7Bv6TjJKGhJt1j8L
+HOeGc+Ikl5CtUE7Ir/a1dc6RkeW9ksPU2b7AgozePJjrElume9WUfWkswvpSYmWn
+Z3ZPx3NvXUe5jTkdL4C/7lxIg0KpCVt9oQpPwrZMDbpKASWV+JhLk77cY7+q+Y93
+EepW6hLUbVd+seg7aj9p7uzqZg==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/pre_br_validity_ok.pem b/chromium/net/data/ssl/certificates/pre_br_validity_ok.pem
index b991fb6784b..94a52685b8d 100644
--- a/chromium/net/data/ssl/certificates/pre_br_validity_ok.pem
+++ b/chromium/net/data/ssl/certificates/pre_br_validity_ok.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b3
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:77
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:cc:ab:f1:8f:43:09:9d:ec:b0:94:f4:db:40:f9:
-                    6f:9e:6c:57:c4:08:26:d7:8f:18:03:a2:f4:0e:f8:
-                    99:97:73:cd:91:c9:41:c2:9b:29:41:06:9d:e4:13:
-                    11:6b:86:4d:64:e5:d9:4f:2a:bf:a2:60:b1:14:52:
-                    63:e4:e9:d0:79:73:13:6a:f8:db:c8:ff:ea:b4:e2:
-                    85:91:04:f4:8b:e4:74:0e:7f:84:77:93:23:84:de:
-                    50:c4:c0:cd:d6:1e:be:0f:c5:e9:91:36:7c:8c:b0:
-                    02:9e:49:fa:54:a8:17:f2:20:ab:98:67:8b:aa:64:
-                    29:f9:09:0c:1d:c2:b1:d0:ba:b5:dc:da:34:35:30:
-                    c5:fa:52:f2:52:8e:b2:b3:4d:7d:39:7e:48:22:21:
-                    37:2a:d3:74:d7:ba:45:97:9e:73:31:70:4c:2d:de:
-                    c8:51:09:79:4a:73:6f:cd:9c:a9:3f:07:8a:47:be:
-                    f0:22:bf:1e:88:2e:53:d7:8b:59:19:62:14:1a:d3:
-                    10:3d:f0:33:ba:a5:6d:bb:93:31:22:da:d3:d5:0b:
-                    71:bb:da:94:1a:ce:b7:06:05:1e:d8:03:dc:52:e6:
-                    29:8f:eb:b2:89:f0:b9:68:25:9f:87:21:ad:06:de:
-                    2a:7d:84:96:2f:0b:a2:e0:8a:04:de:8b:1b:6e:66:
-                    25:bf
+                    00:ba:59:8b:7c:51:b9:fa:d1:33:7f:52:6a:0e:e4:
+                    f8:aa:d2:bc:ca:87:8e:ad:c5:23:5e:4f:64:c0:44:
+                    5a:68:c9:e3:b9:10:a0:ce:95:c5:96:14:3f:92:7b:
+                    19:d1:f4:a0:b5:1e:20:ad:10:6b:35:9d:87:06:a2:
+                    d5:52:26:d8:12:9d:e4:9b:11:25:7c:7d:b8:16:b4:
+                    97:35:c8:31:e2:bc:6b:79:5b:d8:58:12:5a:ba:0a:
+                    ab:98:d7:6e:96:56:cd:54:53:ea:49:12:be:7e:ef:
+                    b5:a6:9e:f2:5a:7a:27:2e:71:40:38:94:dd:7a:e3:
+                    a4:0e:ba:54:6d:6a:fd:00:c2:dd:15:81:74:83:56:
+                    5e:27:7e:3f:2e:47:0e:3b:ec:85:4b:f9:7a:f8:7b:
+                    1a:96:4c:d8:c9:ee:bb:20:8a:25:83:38:26:f1:d0:
+                    0c:f0:22:46:4b:9b:87:91:22:eb:a2:e3:84:57:e0:
+                    a3:cc:90:de:3a:43:41:40:a0:8e:bd:c8:2d:24:ea:
+                    2a:92:11:bf:b7:7c:77:e9:9a:d3:22:da:83:d1:6b:
+                    a6:29:f4:3b:cd:d9:6b:25:d7:2f:d4:67:60:65:da:
+                    d5:ba:9e:36:1d:33:b2:e6:e2:b8:84:ea:99:1d:5d:
+                    69:43:99:af:35:63:4c:99:bc:d4:39:80:b4:88:f3:
+                    59:07
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                AB:51:E7:47:56:55:A5:33:A6:75:A4:B4:26:71:1C:7F:61:39:DC:4F
+                7C:9E:00:01:F2:2E:C7:FF:98:BA:C8:E9:DA:7D:77:F8:9D:91:B1:E9
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         73:d0:ad:c3:79:bd:b4:81:1d:82:95:cc:9c:a6:ac:02:c3:77:
-         95:b6:fd:4d:b4:14:b2:36:c8:ca:b4:dd:77:87:bd:7f:8b:1a:
-         fa:66:91:ef:ca:c3:73:d3:75:3f:93:56:7d:32:c5:63:d7:0f:
-         8f:22:11:99:a5:9f:d1:23:c4:af:d8:82:21:5a:21:a5:a2:3f:
-         de:fd:06:87:8a:76:0a:0c:c3:8a:a1:73:fd:87:3e:4d:a7:6d:
-         3d:82:a5:99:96:76:5e:33:da:1f:37:7d:29:8e:e2:f8:90:63:
-         c0:e2:7f:92:9b:6c:52:86:2f:34:39:a3:c6:f5:30:07:76:0e:
-         49:f7:02:ab:fa:ab:d7:20:58:52:e5:27:9e:0a:fd:c0:1c:af:
-         54:ec:e6:4e:eb:2a:b5:1e:4c:33:70:0a:80:1f:9e:a3:b8:bf:
-         1d:4a:0b:e0:b4:ce:1d:50:00:1d:b5:e4:be:81:31:68:9f:40:
-         5f:38:06:4f:39:bb:cf:62:4a:61:fb:fe:ea:c5:96:cb:f2:02:
-         c2:04:87:69:4d:67:03:12:04:96:94:d3:5f:f1:19:fc:ab:4c:
-         15:3d:32:f5:a8:3c:5b:9c:c8:60:38:db:f5:af:10:aa:ab:fb:
-         47:13:0d:0c:ed:14:eb:09:a3:45:70:72:0e:c0:2c:f5:d6:55:
-         54:f6:78:f2
+    Signature Value:
+        c6:7c:e6:21:ca:91:23:8e:0c:28:5c:52:c8:99:9e:4a:0c:f0:
+        f9:53:ad:ce:30:0c:d3:46:f3:0a:03:11:3c:e8:80:38:4c:40:
+        ca:a3:de:21:9c:0f:c9:5d:35:ce:ca:b4:88:15:56:f3:3f:6b:
+        7c:ac:2f:0b:54:69:2f:43:50:56:b9:6c:72:5e:d5:03:77:fe:
+        18:25:bd:9b:5c:6f:70:20:52:aa:66:49:00:12:4c:89:54:eb:
+        da:c4:7e:55:1d:d7:46:db:d3:98:29:eb:56:f0:0b:e8:f8:03:
+        4a:3f:21:25:e6:b9:e4:52:78:20:57:7c:33:2f:e2:24:e7:ae:
+        1a:e9:45:ae:3f:17:d7:0b:38:2f:0e:c3:bf:b6:39:37:e8:f9:
+        ca:fe:d2:12:d4:d2:88:f8:d9:9e:3b:9b:fa:2e:18:3b:8b:ac:
+        ef:2e:2a:35:d5:5e:b8:f9:4f:ec:6f:0c:af:d6:f3:8e:ef:78:
+        b7:d1:29:0f:7f:f8:08:85:a6:56:83:84:a3:df:c4:41:95:84:
+        3a:0d:10:31:36:d3:01:f9:ee:42:87:61:85:06:7f:e2:b6:2c:
+        d1:7b:ba:24:b9:34:a4:b1:ec:2a:6f:06:b3:b0:db:2b:c1:aa:
+        82:a7:ae:9b:09:bb:36:22:76:76:55:0f:e5:2b:25:d8:34:1c:
+        b3:0a:f0:ec
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzszANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTA4MDEwMTAwMDAwMFoXDTE1MDEwMTAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMyr8Y9DCZ3ssJT020D5b55sV8QIJtePGAOi
-9A74mZdzzZHJQcKbKUEGneQTEWuGTWTl2U8qv6JgsRRSY+Tp0HlzE2r428j/6rTi
-hZEE9IvkdA5/hHeTI4TeUMTAzdYevg/F6ZE2fIywAp5J+lSoF/Igq5hni6pkKfkJ
-DB3CsdC6tdzaNDUwxfpS8lKOsrNNfTl+SCIhNyrTdNe6RZeeczFwTC3eyFEJeUpz
-b82cqT8Hike+8CK/HoguU9eLWRliFBrTED3wM7qlbbuTMSLa09ULcbvalBrOtwYF
-HtgD3FLmKY/rsonwuWgln4chrQbeKn2Eli8LouCKBN6LG25mJb8CAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKtR50dWVaUzpnWktCZxHH9hOdxPMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQBz0K3Deb20gR2ClcycpqwCw3eVtv1NtBSyNsjKtN13h71/ixr6ZpHvysNz03U/
-k1Z9MsVj1w+PIhGZpZ/RI8Sv2IIhWiGloj/e/QaHinYKDMOKoXP9hz5Np209gqWZ
-lnZeM9ofN30pjuL4kGPA4n+Sm2xShi80OaPG9TAHdg5J9wKr+qvXIFhS5SeeCv3A
-HK9U7OZO6yq1HkwzcAqAH56juL8dSgvgtM4dUAAdteS+gTFon0BfOAZPObvPYkph
-+/7qxZbL8gLCBIdpTWcDEgSWlNNf8Rn8q0wVPTL1qDxbnMhgONv1rxCqq/tHEw0M
-7RTrCaNFcHIOwCz11lVU9njy
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwncwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0wODAxMDEwMDAwMDBaFw0xNTAxMDEwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6WYt8Ubn60TN/UmoO5Piq0rzKh46txSNe
+T2TARFpoyeO5EKDOlcWWFD+SexnR9KC1HiCtEGs1nYcGotVSJtgSneSbESV8fbgW
+tJc1yDHivGt5W9hYElq6CquY126WVs1UU+pJEr5+77WmnvJaeicucUA4lN1646QO
+ulRtav0Awt0VgXSDVl4nfj8uRw477IVL+Xr4exqWTNjJ7rsgiiWDOCbx0AzwIkZL
+m4eRIuui44RX4KPMkN46Q0FAoI69yC0k6iqSEb+3fHfpmtMi2oPRa6Yp9DvN2Wsl
+1y/UZ2Bl2tW6njYdM7Lm4riE6pkdXWlDma81Y0yZvNQ5gLSI81kHAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR8ngAB8i7H/5i6yOnafXf4nZGx6TAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAxnzmIcqRI44MKFxSyJmeSgzw+VOtzjAM00bzCgMRPOiAOExAyqPeIZwPyV01
+zsq0iBVW8z9rfKwvC1RpL0NQVrlscl7VA3f+GCW9m1xvcCBSqmZJABJMiVTr2sR+
+VR3XRtvTmCnrVvAL6PgDSj8hJea55FJ4IFd8My/iJOeuGulFrj8X1ws4Lw7Dv7Y5
+N+j5yv7SEtTSiPjZnjub+i4YO4us7y4qNdVeuPlP7G8Mr9bzju94t9EpD3/4CIWm
+VoOEo9/EQZWEOg0QMTbTAfnuQodhhQZ/4rYs0Xu6JLk0pLHsKm8Gs7DbK8Gqgqeu
+mwm7NiJ2dlUP5Ssl2DQcswrw7A==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/pre_june_2016.pem b/chromium/net/data/ssl/certificates/pre_june_2016.pem
index f63c489f762..3d16179bf00 100644
--- a/chromium/net/data/ssl/certificates/pre_june_2016.pem
+++ b/chromium/net/data/ssl/certificates/pre_june_2016.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b9
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:7d
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:c8:b6:81:2c:56:00:30:f6:6d:ca:48:30:8b:fe:
-                    10:cc:96:d2:3b:8e:c0:cc:1e:f4:20:32:3e:f9:05:
-                    42:37:bd:44:21:1e:b3:fa:e5:81:5f:f0:52:b5:79:
-                    fb:5f:a9:9e:61:77:f4:2e:1b:d1:6e:f1:a6:ef:60:
-                    a3:08:44:7e:a5:ff:5d:ad:8f:58:b0:49:ea:32:e4:
-                    34:c5:4b:12:77:1a:d6:c7:4d:e1:06:4c:59:72:3e:
-                    c9:6d:ca:92:f6:23:ec:13:d4:90:b6:ac:8f:c3:37:
-                    94:19:03:24:d5:d0:4d:23:b9:cc:2c:d0:4c:16:21:
-                    6b:5e:29:0f:12:65:6b:9d:54:56:5c:9c:30:7f:10:
-                    c5:28:3b:87:00:91:cc:ab:f0:fc:f3:83:8a:b2:cb:
-                    a0:9c:f1:32:4a:9b:f2:df:f9:13:bd:95:e7:62:ec:
-                    ad:2f:7b:0b:3c:b5:07:a6:4e:45:1a:db:1f:14:38:
-                    03:8f:87:86:6b:49:15:41:7a:52:93:fc:9b:a6:52:
-                    fb:0f:8e:37:2a:ba:9a:a3:42:bc:85:40:dd:c3:46:
-                    8d:10:72:f4:4f:cc:f4:43:52:78:a1:90:ab:fc:a7:
-                    be:7d:9e:4f:89:1f:12:66:28:b6:ed:5f:c6:3c:43:
-                    7c:a7:e9:c9:cc:1d:19:e6:53:92:1e:b2:73:64:3b:
-                    2b:05
+                    00:8d:70:9b:0b:12:3d:e5:81:70:33:5f:fd:28:2d:
+                    06:31:54:c4:f3:b4:27:c0:34:e6:d1:04:c3:e3:62:
+                    fc:1e:b1:54:81:07:f7:dd:a6:5d:31:74:6d:2d:a9:
+                    f1:1b:e2:23:49:65:fe:1f:76:ab:5c:19:c2:ec:ae:
+                    f0:98:5d:f6:38:06:79:70:e5:d2:d5:e3:b3:a4:35:
+                    d5:cf:1b:fe:40:14:34:ec:4e:f3:3a:9f:95:de:d9:
+                    a2:fe:b5:ae:55:66:96:6f:a2:e8:5b:8e:77:d6:e4:
+                    6f:58:46:dd:f7:4e:c9:94:fc:2c:68:e9:93:b3:e3:
+                    29:dc:b3:93:43:51:57:55:4d:83:97:46:76:6c:e5:
+                    6c:a8:04:cf:ab:7f:a4:dc:95:6b:53:7a:c4:03:bb:
+                    31:5a:1a:cc:21:94:c9:24:c4:de:7c:f5:97:9b:97:
+                    37:50:33:6c:26:30:f6:90:cb:46:e4:b2:c6:9b:d2:
+                    9c:19:2e:ce:25:78:df:ad:84:6c:d4:04:cf:7f:20:
+                    47:ad:d8:c1:b2:2b:4a:29:71:f0:f6:fa:fb:31:ca:
+                    ca:f4:4c:a8:81:dd:8c:d4:e6:a0:ac:2a:22:9a:01:
+                    32:34:27:e3:8c:61:b1:1c:a9:d3:39:48:4c:13:42:
+                    44:2e:63:a2:f3:cf:54:e5:6b:af:ba:6e:06:49:a1:
+                    94:0f
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                F2:0D:52:DD:5E:BF:57:26:6C:32:61:E0:34:2C:0F:AA:F1:F3:72:E1
+                35:B7:03:06:47:D2:88:52:F9:CD:7F:E1:27:C4:4D:B9:22:04:19:75
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         b6:6f:51:cc:52:ce:19:dc:30:ad:9f:05:15:76:34:18:51:46:
-         04:5f:fd:ca:94:ef:32:a0:6c:f1:0d:0d:d9:99:a1:f6:a6:c2:
-         93:ce:b5:8e:bc:11:4f:12:86:4a:8d:6a:13:56:27:1b:c9:21:
-         04:f3:2e:b0:2d:ea:93:20:3a:45:79:b4:aa:6f:b6:43:bd:d7:
-         a8:ec:8f:8b:6c:96:37:04:5e:3b:db:af:f7:31:0e:82:61:b8:
-         5d:54:a3:8c:89:cb:65:31:60:e2:9c:d7:ca:eb:b8:d0:2c:b1:
-         09:61:a9:f6:e4:1b:ab:06:1e:7b:bd:36:9a:fc:02:d1:4f:a9:
-         d5:2a:50:ab:76:5e:bd:c9:5b:9e:29:98:9c:87:dd:ca:37:f0:
-         58:3b:a6:79:eb:00:52:9d:84:5f:2d:7a:02:51:c9:a6:96:51:
-         3e:e8:1b:42:1d:46:66:d2:c2:50:bf:bf:a9:64:13:62:20:a7:
-         c0:d0:65:4c:09:7c:e6:cd:1d:e7:0b:0c:3d:e7:e6:d4:ca:58:
-         ba:14:00:fc:3f:c5:b2:2a:e7:6f:75:6f:24:48:48:0e:de:8e:
-         ab:6e:46:ca:58:60:88:db:c4:28:f8:05:f7:68:66:e2:5a:11:
-         2a:b2:32:17:2d:e5:fe:5e:8e:c4:64:52:7f:6d:75:b8:21:5d:
-         38:0d:37:94
+    Signature Value:
+        3e:e6:74:d5:4a:48:14:04:4e:4a:c4:a2:40:28:27:87:55:72:
+        e5:e8:76:a7:2a:fa:7e:fe:e0:fc:20:60:97:7a:b5:80:4f:97:
+        6e:bf:a8:21:05:61:6c:7b:ec:6c:b7:09:75:d4:45:ad:00:ae:
+        c8:ab:a9:8a:cd:53:c1:af:5b:61:1f:0d:7f:98:24:1f:28:cf:
+        8f:78:ad:f0:41:02:9e:05:98:d8:2d:dc:c3:43:06:98:10:45:
+        69:b9:fd:7e:f4:7a:19:62:26:b6:b3:be:8f:ef:33:1e:93:cc:
+        e7:3d:85:2c:05:5b:d6:69:e5:44:25:c4:cb:ed:40:14:e1:52:
+        c1:c9:b5:a9:3c:50:76:76:ca:82:b3:97:53:bc:87:3b:3c:1a:
+        07:78:d0:e5:1d:57:1e:4d:a5:77:a9:97:f7:9b:ce:e1:ae:b7:
+        38:3e:13:4c:3b:58:34:cf:7e:86:c1:37:a8:59:4f:09:64:7f:
+        d7:bc:d7:a9:a4:0f:1c:16:19:11:ec:ca:7b:f1:bc:4d:a6:aa:
+        1f:f4:1b:a1:40:3d:bc:d4:35:f1:5b:ce:cd:66:aa:92:57:b4:
+        b1:61:da:3c:2e:9e:5c:68:fc:47:a6:4e:39:63:85:ba:d7:8e:
+        1f:89:ca:7c:6b:a2:92:36:1b:c9:0b:86:aa:2d:1f:b4:79:cf:
+        af:0d:b4:48
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzuTANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE2MDUwMTAwMDAwMFoXDTE3MDcwMzAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMi2gSxWADD2bcpIMIv+EMyW0juOwMwe9CAy
-PvkFQje9RCEes/rlgV/wUrV5+1+pnmF39C4b0W7xpu9gowhEfqX/Xa2PWLBJ6jLk
-NMVLEnca1sdN4QZMWXI+yW3KkvYj7BPUkLasj8M3lBkDJNXQTSO5zCzQTBYha14p
-DxJla51UVlycMH8QxSg7hwCRzKvw/PODirLLoJzxMkqb8t/5E72V52LsrS97Czy1
-B6ZORRrbHxQ4A4+HhmtJFUF6UpP8m6ZS+w+ONyq6mqNCvIVA3cNGjRBy9E/M9ENS
-eKGQq/ynvn2eT4kfEmYotu1fxjxDfKfpycwdGeZTkh6yc2Q7KwUCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPINUt1ev1cmbDJh4DQsD6rx83LhMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQC2b1HMUs4Z3DCtnwUVdjQYUUYEX/3KlO8yoGzxDQ3ZmaH2psKTzrWOvBFPEoZK
-jWoTVicbySEE8y6wLeqTIDpFebSqb7ZDvdeo7I+LbJY3BF4726/3MQ6CYbhdVKOM
-ictlMWDinNfK67jQLLEJYan25BurBh57vTaa/ALRT6nVKlCrdl69yVueKZich93K
-N/BYO6Z56wBSnYRfLXoCUcmmllE+6BtCHUZm0sJQv7+pZBNiIKfA0GVMCXzmzR3n
-Cww95+bUyli6FAD8P8WyKudvdW8kSEgO3o6rbkbKWGCI28Qo+AX3aGbiWhEqsjIX
-LeX+Xo7EZFJ/bXW4IV04DTeU
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwn0wDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xNjA1MDEwMDAwMDBaFw0xNzA3MDMwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCNcJsLEj3lgXAzX/0oLQYxVMTztCfANObR
+BMPjYvwesVSBB/fdpl0xdG0tqfEb4iNJZf4fdqtcGcLsrvCYXfY4Bnlw5dLV47Ok
+NdXPG/5AFDTsTvM6n5Xe2aL+ta5VZpZvouhbjnfW5G9YRt33TsmU/Cxo6ZOz4ync
+s5NDUVdVTYOXRnZs5WyoBM+rf6TclWtTesQDuzFaGswhlMkkxN589ZeblzdQM2wm
+MPaQy0bkssab0pwZLs4leN+thGzUBM9/IEet2MGyK0opcfD2+vsxysr0TKiB3YzU
+5qCsKiKaATI0J+OMYbEcqdM5SEwTQkQuY6Lzz1Tla6+6bgZJoZQPAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ1twMGR9KIUvnNf+EnxE25IgQZdTAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAPuZ01UpIFAROSsSiQCgnh1Vy5eh2pyr6fv7g/CBgl3q1gE+Xbr+oIQVhbHvs
+bLcJddRFrQCuyKupis1Twa9bYR8Nf5gkHyjPj3it8EECngWY2C3cw0MGmBBFabn9
+fvR6GWImtrO+j+8zHpPM5z2FLAVb1mnlRCXEy+1AFOFSwcm1qTxQdnbKgrOXU7yH
+OzwaB3jQ5R1XHk2ld6mX95vO4a63OD4TTDtYNM9+hsE3qFlPCWR/17zXqaQPHBYZ
+EezKe/G8TaaqH/QboUA9vNQ18VvOzWaqkle0sWHaPC6eXGj8R6ZOOWOFuteOH4nK
+fGuikjYbyQuGqi0ftHnPrw20SA==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/punycodetest.pem b/chromium/net/data/ssl/certificates/punycodetest.pem
index 89708473e28..59d3172d184 100644
--- a/chromium/net/data/ssl/certificates/punycodetest.pem
+++ b/chromium/net/data/ssl/certificates/punycodetest.pem
@@ -2,73 +2,77 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            15:e2:59:a5:5d:7f:42:13:c4:8c:e6:02:8d:d6:c7:7e:60:2c:ee:9f
+            44:ff:47:5b:37:71:65:69:6a:02:40:fd:0c:fb:7b:a0:70:f4:8d:5d
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = xn--wgv71a119e.com
         Validity
-            Not Before: Dec  1 15:42:08 2021 GMT
-            Not After : Nov 29 15:42:08 2031 GMT
+            Not Before: Oct  3 17:20:10 2022 GMT
+            Not After : Sep 30 17:20:10 2032 GMT
         Subject: CN = xn--wgv71a119e.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:9a:ed:28:cc:19:6f:15:9e:ee:f3:c4:ed:65:62:
-                    c1:7f:12:e2:28:37:f3:2c:ac:f0:5c:42:2a:78:bf:
-                    06:27:d6:0b:eb:bf:ca:c8:3e:88:9b:81:b8:fd:0f:
-                    9a:b8:1d:9c:ce:91:4e:ec:f0:97:61:a0:73:0c:ed:
-                    9f:52:f7:cf:79:67:b6:00:e6:8e:35:77:45:74:a8:
-                    8b:3e:ec:72:59:58:60:f1:51:be:ac:e2:3b:2a:1d:
-                    7b:dd:9c:24:dd:14:03:8e:f7:3b:48:85:73:ca:17:
-                    e7:ae:1a:bc:2a:45:71:2c:3d:09:a4:19:47:6f:d4:
-                    f9:2a:ee:c3:16:4d:25:d0:7c:36:57:be:69:d0:ac:
-                    67:f8:f2:59:4f:42:ea:cd:9d:86:e6:e2:76:8d:04:
-                    cc:25:1f:5e:7c:0f:db:e6:7b:b9:c3:98:d3:e4:54:
-                    04:c3:a4:84:0c:2f:30:3e:2e:06:8b:ff:fa:2c:a6:
-                    3e:75:e3:d2:cf:49:cd:5b:1f:8c:fa:b8:5b:cd:c4:
-                    e8:79:ca:ad:07:95:01:6d:d7:b1:02:37:31:29:3c:
-                    b0:9d:ad:85:ed:c0:81:9b:de:37:38:01:3e:0a:eb:
-                    7b:ca:01:09:cd:95:49:35:6a:dc:56:bd:55:f1:98:
-                    76:9e:48:d0:1f:f1:34:50:f2:9c:f3:0d:ee:94:cc:
-                    72:b1
+                    00:b1:2e:20:9b:56:83:a2:e8:0e:6a:06:53:ea:8b:
+                    a3:2e:a1:ca:a7:ad:f5:6f:66:3d:13:77:52:66:9d:
+                    ec:63:1d:66:7e:58:90:56:7e:7d:32:a0:ec:43:14:
+                    29:90:9b:00:53:37:a9:bf:bc:bf:86:f0:89:5b:4f:
+                    64:98:4b:71:d8:b3:2d:75:10:28:67:b1:e4:80:f0:
+                    4e:3c:28:79:56:83:ab:a9:65:e7:fa:b8:d6:f6:b9:
+                    21:61:a2:a1:eb:a4:80:43:4e:ab:93:d1:95:00:03:
+                    91:c1:36:b0:66:47:f9:60:0a:70:37:08:cb:a4:cc:
+                    6e:85:1c:4e:c1:98:88:a8:18:5d:75:4e:7b:63:1d:
+                    4b:e9:1c:5f:f4:e0:72:be:c6:b0:cd:02:e8:25:4a:
+                    98:be:bf:9a:0d:93:74:4a:0b:bd:45:71:87:92:4a:
+                    39:d3:a3:96:d8:7f:2e:d4:e9:5a:3b:54:de:0f:87:
+                    dc:d1:c6:cb:f7:73:d7:0f:3d:d1:ce:7c:5a:fc:64:
+                    91:15:ff:37:1b:25:05:83:0c:d3:d2:07:0a:7c:43:
+                    54:47:99:d2:fd:79:1e:35:a4:16:a4:b8:f1:f6:8b:
+                    37:b4:26:9d:07:63:33:d0:c9:18:50:d1:3a:ad:2c:
+                    62:90:d1:b8:36:58:51:77:6b:8a:ff:f1:bd:4e:fc:
+                    74:83
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Alternative Name: 
                 DNS:xn--wgv71a119e.com, DNS:*.xn--wgv71a119e.com, DNS:blahblahblahblah.com
+            X509v3 Subject Key Identifier: 
+                C6:0C:83:61:1D:BC:65:F4:0D:48:28:F5:00:9F:B3:84:0D:A4:B6:86
     Signature Algorithm: sha256WithRSAEncryption
-         8f:c8:9f:b8:a0:4c:9d:76:e8:6e:08:42:87:0e:51:42:1e:8d:
-         47:a8:ec:c5:91:35:ed:b9:10:57:a9:a4:23:e1:d3:55:3f:79:
-         6b:06:e5:0f:0b:66:ef:a1:99:0d:33:63:6f:5f:25:c7:31:7f:
-         76:39:11:cb:3d:3a:81:2b:c0:4e:1d:c6:dc:b4:93:e5:76:74:
-         8d:78:da:49:5a:58:53:eb:a9:0c:f4:6e:46:7e:88:ea:17:1b:
-         08:15:3e:85:6d:9a:98:92:a6:9a:71:2d:86:6b:4a:47:21:7a:
-         e9:ff:ed:4a:d7:c8:24:85:0b:ff:ba:15:43:4a:63:71:6a:6a:
-         2c:29:76:01:91:00:d1:79:f0:ea:db:8b:fa:06:15:08:5d:8d:
-         21:4a:d5:6d:54:c1:60:4b:66:14:9a:fa:8f:dd:81:e7:99:56:
-         17:b3:7e:2f:7a:10:6f:c6:fa:e4:07:a9:fd:0c:79:d8:5a:c2:
-         a0:8d:bd:40:71:00:4b:40:d8:b7:43:7c:b5:f0:7b:f3:9f:17:
-         35:d8:37:63:65:6b:89:4e:ec:b4:43:0c:95:4d:d4:fc:b4:05:
-         f0:ac:17:d4:fd:12:aa:0e:47:29:ef:25:9d:70:49:75:cd:af:
-         65:df:e3:59:80:00:8e:db:5d:f5:ce:8f:2e:4f:a9:7c:66:7b:
-         7e:94:25:98
+    Signature Value:
+        93:15:4f:06:9c:44:ae:f9:ce:f4:02:aa:81:94:7e:4e:38:4c:
+        5d:cb:98:c2:e6:92:9f:bd:74:2a:43:af:d7:b6:68:cb:ff:49:
+        d5:ec:6f:4c:3b:1a:92:1f:8d:42:d0:98:2e:20:33:be:bb:06:
+        9a:62:fa:6f:d5:de:a4:f6:d7:ad:64:c0:ef:c2:e6:7b:f9:59:
+        c3:97:be:95:ee:c8:ab:84:f0:a4:f5:99:aa:63:4b:bd:a6:0b:
+        13:87:c8:17:5e:99:51:93:ec:88:38:4b:c3:91:92:af:5d:5d:
+        05:5b:70:0c:de:fd:1a:89:ed:53:14:b3:05:04:bf:2c:5a:12:
+        c6:20:7e:c0:31:42:b2:98:84:3f:71:89:85:ba:8c:8f:8e:40:
+        c7:00:e6:b4:63:90:1e:0a:a1:e8:72:96:8a:ca:6b:a0:92:ec:
+        a6:b9:4f:ca:24:27:74:84:f6:f4:ac:e6:f1:12:6e:36:3c:1a:
+        a0:79:aa:ab:48:b3:db:a4:56:86:d8:30:14:e9:bc:2c:99:37:
+        a4:60:ea:2f:6d:5b:66:13:a3:20:f4:84:07:de:24:20:61:5c:
+        51:b8:bf:28:89:a8:0d:c7:10:34:52:8e:53:49:af:92:b0:e0:
+        bf:31:9a:40:7d:dd:af:03:72:12:84:82:27:75:cf:0d:d7:bf:
+        84:b9:b2:7c
 -----BEGIN CERTIFICATE-----
-MIIDJjCCAg6gAwIBAgIUFeJZpV1/QhPEjOYCjdbHfmAs7p8wDQYJKoZIhvcNAQEL
-BQAwHTEbMBkGA1UEAwwSeG4tLXdndjcxYTExOWUuY29tMB4XDTIxMTIwMTE1NDIw
-OFoXDTMxMTEyOTE1NDIwOFowHTEbMBkGA1UEAwwSeG4tLXdndjcxYTExOWUuY29t
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmu0ozBlvFZ7u88TtZWLB
-fxLiKDfzLKzwXEIqeL8GJ9YL67/KyD6Im4G4/Q+auB2czpFO7PCXYaBzDO2fUvfP
-eWe2AOaONXdFdKiLPuxyWVhg8VG+rOI7Kh173Zwk3RQDjvc7SIVzyhfnrhq8KkVx
-LD0JpBlHb9T5Ku7DFk0l0Hw2V75p0Kxn+PJZT0LqzZ2G5uJ2jQTMJR9efA/b5nu5
-w5jT5FQEw6SEDC8wPi4Gi//6LKY+dePSz0nNWx+M+rhbzcToecqtB5UBbdexAjcx
-KTywna2F7cCBm943OAE+Cut7ygEJzZVJNWrcVr1V8Zh2nkjQH/E0UPKc8w3ulMxy
-sQIDAQABo14wXDAPBgNVHRMBAf8EBTADAQH/MEkGA1UdEQRCMECCEnhuLS13Z3Y3
+MIIDRTCCAi2gAwIBAgIURP9HWzdxZWlqAkD9DPt7oHD0jV0wDQYJKoZIhvcNAQEL
+BQAwHTEbMBkGA1UEAwwSeG4tLXdndjcxYTExOWUuY29tMB4XDTIyMTAwMzE3MjAx
+MFoXDTMyMDkzMDE3MjAxMFowHTEbMBkGA1UEAwwSeG4tLXdndjcxYTExOWUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsS4gm1aDougOagZT6ouj
+LqHKp631b2Y9E3dSZp3sYx1mfliQVn59MqDsQxQpkJsAUzepv7y/hvCJW09kmEtx
+2LMtdRAoZ7HkgPBOPCh5VoOrqWXn+rjW9rkhYaKh66SAQ06rk9GVAAORwTawZkf5
+YApwNwjLpMxuhRxOwZiIqBhddU57Yx1L6Rxf9OByvsawzQLoJUqYvr+aDZN0Sgu9
+RXGHkko506OW2H8u1OlaO1TeD4fc0cbL93PXDz3Rznxa/GSRFf83GyUFgwzT0gcK
+fENUR5nS/XkeNaQWpLjx9os3tCadB2Mz0MkYUNE6rSxikNG4NlhRd2uK//G9Tvx0
+gwIDAQABo30wezAPBgNVHRMBAf8EBTADAQH/MEkGA1UdEQRCMECCEnhuLS13Z3Y3
 MWExMTllLmNvbYIUKi54bi0td2d2NzFhMTE5ZS5jb22CFGJsYWhibGFoYmxhaGJs
-YWguY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCPyJ+4oEydduhuCEKHDlFCHo1HqOzF
-kTXtuRBXqaQj4dNVP3lrBuUPC2bvoZkNM2NvXyXHMX92ORHLPTqBK8BOHcbctJPl
-dnSNeNpJWlhT66kM9G5GfojqFxsIFT6FbZqYkqaacS2Ga0pHIXrp/+1K18gkhQv/
-uhVDSmNxamosKXYBkQDRefDq24v6BhUIXY0hStVtVMFgS2YUmvqP3YHnmVYXs34v
-ehBvxvrkB6n9DHnYWsKgjb1AcQBLQNi3Q3y18Hvznxc12DdjZWuJTuy0QwyVTdT8
-tAXwrBfU/RKqDkcp7yWdcEl1za9l3+NZgACO2131zo8uT6l8Znt+lCWY
+YWguY29tMB0GA1UdDgQWBBTGDINhHbxl9A1IKPUAn7OEDaS2hjANBgkqhkiG9w0B
+AQsFAAOCAQEAkxVPBpxErvnO9AKqgZR+TjhMXcuYwuaSn710KkOv17Zoy/9J1exv
+TDsakh+NQtCYLiAzvrsGmmL6b9XepPbXrWTA78Lme/lZw5e+le7Iq4TwpPWZqmNL
+vaYLE4fIF16ZUZPsiDhLw5GSr11dBVtwDN79GontUxSzBQS/LFoSxiB+wDFCspiE
+P3GJhbqMj45AxwDmtGOQHgqh6HKWisproJLsprlPyiQndIT29Kzm8RJuNjwaoHmq
+q0iz26RWhtgwFOm8LJk3pGDqL21bZhOjIPSEB94kIGFcUbi/KImoDccQNFKOU0mv
+krDgvzGaQH3drwNyEoSCJ3XPDde/hLmyfA==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/reject_intranet_hosts.pem b/chromium/net/data/ssl/certificates/reject_intranet_hosts.pem
deleted file mode 100644
index 59173a0f1c5..00000000000
--- a/chromium/net/data/ssl/certificates/reject_intranet_hosts.pem
+++ /dev/null
@@ -1,70 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            34:cd:8e:3d:73:67:62:16:db:4f:d0:6e:14:bf:6e:43:b8:d6:67:e2
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN = webmail
-        Validity
-            Not Before: Dec  1 17:03:42 2021 GMT
-            Not After : Jan  2 17:03:42 2023 GMT
-        Subject: CN = webmail
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:9d:57:b5:53:f8:59:0b:78:e7:e2:32:17:cb:95:
-                    f1:a6:96:9e:34:fa:8d:cf:3a:73:1d:c4:04:2a:a4:
-                    c0:03:d3:ad:f2:8d:81:a0:57:53:88:65:32:a8:fb:
-                    fb:de:62:cd:59:e0:cf:d0:2b:0a:0b:2b:0f:fd:a9:
-                    bf:55:cb:7e:9c:c2:d3:1b:a0:f4:4e:20:96:ae:54:
-                    d3:cc:95:56:40:02:f6:47:ae:eb:23:4a:17:46:da:
-                    a1:3c:14:76:4a:69:39:23:93:c9:c4:b8:93:7e:4c:
-                    ab:fe:94:62:63:ef:f1:c6:81:5a:b7:76:40:6b:d8:
-                    a3:5e:8d:f7:3d:e3:01:6f:cb:5a:5e:70:b0:63:2b:
-                    06:6b:3b:55:8f:ec:8c:03:fc:6d:9a:85:2e:30:ef:
-                    b7:1b:4c:cc:76:78:99:51:83:2b:6b:4b:52:81:90:
-                    59:33:90:0d:83:82:3a:d4:bb:37:94:17:7b:e7:8f:
-                    8d:22:79:69:22:80:22:21:a4:25:1d:62:f7:74:8d:
-                    b1:fb:83:f5:a7:a4:f1:eb:54:d4:04:cd:9d:f1:9d:
-                    50:8d:ba:76:16:63:64:86:0d:23:cb:69:ab:5d:ae:
-                    9c:da:aa:9d:a3:05:6f:32:82:5f:89:da:f1:67:28:
-                    eb:c4:d1:e5:ca:c3:bb:45:2f:b8:4b:21:3c:00:45:
-                    2b:83
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Alternative Name: 
-                DNS:webmail
-    Signature Algorithm: sha256WithRSAEncryption
-         2e:35:65:29:0d:64:5f:47:3a:9a:f0:24:ea:be:fa:2b:d8:d9:
-         d3:70:c4:66:7f:20:a2:65:46:07:8c:30:3a:1c:9e:85:32:18:
-         53:db:4a:9f:02:f7:17:f7:00:fb:93:ad:26:f8:2c:2a:52:ef:
-         19:f3:1b:57:60:70:0c:e3:7d:0f:37:40:b4:f0:4d:fc:61:91:
-         d2:6e:59:35:f0:34:bd:26:59:63:39:24:66:aa:b8:a4:46:e2:
-         84:8f:0c:7c:36:f8:dc:27:6d:fa:a4:d0:24:59:c5:6d:54:27:
-         9b:c9:40:88:a4:60:03:98:58:ed:e0:ce:88:9d:08:37:27:c2:
-         c4:d0:6b:4f:3c:46:f6:2d:9d:ee:e5:06:c9:3f:9c:59:ca:aa:
-         7a:d3:ba:ca:3f:f3:fc:11:37:7d:52:70:35:a6:96:1c:d7:0b:
-         b6:4e:0c:95:2a:f0:08:c2:b4:22:62:99:d0:4d:2d:11:01:0a:
-         0b:18:0e:5c:f0:70:dc:42:6b:7a:68:17:37:3c:ca:75:ee:8d:
-         e5:e8:36:40:05:cd:60:98:21:1d:9f:6b:33:9d:ab:35:53:cd:
-         e8:d2:54:8b:43:49:34:91:cc:6b:45:d3:42:28:76:ed:6d:9c:
-         25:44:0e:de:08:b4:83:65:81:5b:4b:fc:e3:ea:c8:b7:c0:27:
-         3f:03:81:25
------BEGIN CERTIFICATE-----
-MIICyDCCAbCgAwIBAgIUNM2OPXNnYhbbT9BuFL9uQ7jWZ+IwDQYJKoZIhvcNAQEL
-BQAwEjEQMA4GA1UEAwwHd2VibWFpbDAeFw0yMTEyMDExNzAzNDJaFw0yMzAxMDIx
-NzAzNDJaMBIxEDAOBgNVBAMMB3dlYm1haWwwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQCdV7VT+FkLeOfiMhfLlfGmlp40+o3POnMdxAQqpMAD063yjYGg
-V1OIZTKo+/veYs1Z4M/QKwoLKw/9qb9Vy36cwtMboPROIJauVNPMlVZAAvZHrusj
-ShdG2qE8FHZKaTkjk8nEuJN+TKv+lGJj7/HGgVq3dkBr2KNejfc94wFvy1pecLBj
-KwZrO1WP7IwD/G2ahS4w77cbTMx2eJlRgytrS1KBkFkzkA2DgjrUuzeUF3vnj40i
-eWkigCIhpCUdYvd0jbH7g/WnpPHrVNQEzZ3xnVCNunYWY2SGDSPLaatdrpzaqp2j
-BW8ygl+J2vFnKOvE0eXKw7tFL7hLITwARSuDAgMBAAGjFjAUMBIGA1UdEQQLMAmC
-B3dlYm1haWwwDQYJKoZIhvcNAQELBQADggEBAC41ZSkNZF9HOprwJOq++ivY2dNw
-xGZ/IKJlRgeMMDocnoUyGFPbSp8C9xf3APuTrSb4LCpS7xnzG1dgcAzjfQ83QLTw
-TfxhkdJuWTXwNL0mWWM5JGaquKRG4oSPDHw2+Nwnbfqk0CRZxW1UJ5vJQIikYAOY
-WO3gzoidCDcnwsTQa088RvYtne7lBsk/nFnKqnrTuso/8/wRN31ScDWmlhzXC7ZO
-DJUq8AjCtCJimdBNLREBCgsYDlzwcNxCa3poFzc8ynXujeXoNkAFzWCYIR2fazOd
-qzVTzejSVItDSTSRzGtF00Iodu1tnCVEDt4ItINlgVtL/OPqyLfAJz8DgSU=
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/root_ca_cert.pem b/chromium/net/data/ssl/certificates/root_ca_cert.pem
index 326c3cdd32a..de3ce07afbf 100644
--- a/chromium/net/data/ssl/certificates/root_ca_cert.pem
+++ b/chromium/net/data/ssl/certificates/root_ca_cert.pem
@@ -30,16 +30,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            41:19:f1:f8:22:2d:a0:19:4d:d0:24:87:fc:af:13:d6:6b:d7:85:d9
+            0b:cc:00:80:c9:a0:0b:a1:c7:09:7c:9f:71:0d:90:92:cf:ee:c7:f4
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, L = Mountain View, O = Test CA, CN = Test Root CA
         Validity
-            Not Before: Dec  1 15:42:06 2021 GMT
-            Not After : Nov 29 15:42:06 2031 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Sep 30 17:20:08 2032 GMT
         Subject: C = US, ST = California, L = Mountain View, O = Test CA, CN = Test Root CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:c6:81:1f:92:73:b6:58:85:d9:8d:ac:b7:20:fd:
                     c7:bf:40:b2:ea:fa:e5:0b:52:01:8f:9a:c1:eb:7a:
@@ -68,26 +68,27 @@ Certificate:
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         0e:7f:a2:5b:22:6e:92:a3:90:4d:13:89:e1:67:31:4a:db:d2:
-         eb:d7:f9:e4:46:4a:58:3d:6b:10:f9:77:7c:ac:50:61:15:1a:
-         60:f7:ea:47:62:4a:08:1d:8e:73:9d:1a:51:71:7f:31:85:db:
-         03:7b:21:8a:fe:30:e0:3f:82:b0:8f:ce:e9:22:ab:48:ef:bc:
-         5b:2d:38:52:a1:68:82:69:78:05:43:c0:bf:fd:a6:65:f3:b1:
-         38:2a:4d:cc:18:b1:c6:51:cf:3a:09:3c:fe:eb:12:4d:59:a3:
-         56:b0:bc:86:ea:9a:6d:08:e3:43:d9:66:a9:1f:66:bc:b8:a5:
-         25:bf:fb:f9:d5:0d:fc:bc:78:a6:89:44:ad:06:c7:66:87:ae:
-         d4:42:80:8b:7f:e5:e2:63:4a:4b:c3:6e:21:e5:eb:08:c7:08:
-         94:00:6e:98:94:66:f5:c2:e2:51:79:d4:be:0f:51:ce:e0:48:
-         b3:a9:69:54:8b:0f:e3:72:56:40:73:c3:18:d0:9a:ae:61:8e:
-         cc:04:e9:79:3e:68:13:d2:c5:74:aa:1d:31:c8:c0:0e:bc:3e:
-         de:f9:a3:e4:2c:06:e8:f9:36:7d:dc:d6:97:de:9d:89:fa:f1:
-         27:f0:de:c9:64:7c:54:5c:4b:49:00:04:07:d4:77:26:5e:54:
-         93:a1:c0:5d
+    Signature Value:
+        39:9a:f6:0e:eb:08:4d:a0:f0:59:b9:91:fe:b5:d8:2e:4d:6b:
+        69:69:c5:d2:86:fc:a3:c2:a2:6c:ca:8d:98:1b:d2:fc:64:9b:
+        96:b4:47:f9:f4:ed:6f:52:3c:b5:13:f6:1e:71:51:3b:da:54:
+        93:c4:1d:94:17:23:76:9a:98:f5:9b:b8:b1:c5:ab:cd:ab:bd:
+        1a:c9:00:13:e0:e3:c7:5a:a7:21:71:eb:08:2b:ec:85:5c:08:
+        80:33:25:0f:1f:52:41:c4:9b:22:58:01:24:55:ef:9a:a6:ce:
+        e4:85:a3:19:33:4d:7e:3f:04:32:15:d5:fc:63:5f:8b:dc:99:
+        2b:10:63:56:ac:60:6e:f9:db:9f:63:7b:a8:df:ab:72:28:8a:
+        a9:e2:8e:9d:e6:6c:7e:5b:16:ba:94:b2:23:f2:d7:31:5b:de:
+        58:a0:8b:be:f4:6a:d2:d3:b4:e6:40:06:78:7a:2d:20:4c:cd:
+        9d:20:dd:3b:fc:b9:f3:94:13:b0:6b:18:d7:6b:e8:bf:14:cc:
+        87:30:8b:64:3f:ad:59:93:e5:f6:7c:d1:2b:f0:8e:4a:9c:c3:
+        34:18:4d:62:33:bd:a6:3a:b6:3f:1f:49:5b:63:b4:01:a8:5c:
+        f0:98:93:35:53:2e:b2:f2:19:7f:87:0d:db:b1:80:61:38:c8:
+        47:01:85:b0
 -----BEGIN CERTIFICATE-----
-MIIDljCCAn6gAwIBAgIUQRnx+CItoBlN0CSH/K8T1mvXhdkwDQYJKoZIhvcNAQEL
+MIIDljCCAn6gAwIBAgIUC8wAgMmgC6HHCXyfcQ2Qks/ux/QwDQYJKoZIhvcNAQEL
 BQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3Qg
-Um9vdCBDQTAeFw0yMTEyMDExNTQyMDZaFw0zMTExMjkxNTQyMDZaMGMxCzAJBgNV
+Um9vdCBDQTAeFw0yMjEwMDMxNzIwMDhaFw0zMjA5MzAxNzIwMDhaMGMxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
 aWV3MRAwDgYDVQQKDAdUZXN0IENBMRUwEwYDVQQDDAxUZXN0IFJvb3QgQ0EwggEi
 MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGgR+Sc7ZYhdmNrLcg/ce/QLLq
@@ -97,11 +98,11 @@ MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGgR+Sc7ZYhdmNrLcg/ce/QLLq
 RP7HnpWJQ1FetG7HZ4BYQ77MByi9Wf8cTI2QQvTP/VQAT0hyK+FnPIQXaJW/ygd7
 34adVuMy43CHt/g69+NuZRR8u3a3F/FCjG8qNGQQNRSMhfZXv/NcVZ2tAxDzAgMB
 AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJsmC4qYqbsduR8c4xpA
-M+2OF4irMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEADn+iWyJu
-kqOQTROJ4WcxStvS69f55EZKWD1rEPl3fKxQYRUaYPfqR2JKCB2Oc50aUXF/MYXb
-A3shiv4w4D+CsI/O6SKrSO+8Wy04UqFogml4BUPAv/2mZfOxOCpNzBixxlHPOgk8
-/usSTVmjVrC8huqabQjjQ9lmqR9mvLilJb/7+dUN/Lx4polErQbHZoeu1EKAi3/l
-4mNKS8NuIeXrCMcIlABumJRm9cLiUXnUvg9RzuBIs6lpVIsP43JWQHPDGNCarmGO
-zATpeT5oE9LFdKodMcjADrw+3vmj5CwG6Pk2fdzWl96difrxJ/DeyWR8VFxLSQAE
-B9R3Jl5Uk6HAXQ==
+M+2OF4irMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAOZr2DusI
+TaDwWbmR/rXYLk1raWnF0ob8o8KibMqNmBvS/GSblrRH+fTtb1I8tRP2HnFRO9pU
+k8QdlBcjdpqY9Zu4scWrzau9GskAE+Djx1qnIXHrCCvshVwIgDMlDx9SQcSbIlgB
+JFXvmqbO5IWjGTNNfj8EMhXV/GNfi9yZKxBjVqxgbvnbn2N7qN+rciiKqeKOneZs
+flsWupSyI/LXMVveWKCLvvRq0tO05kAGeHotIEzNnSDdO/y585QTsGsY12vovxTM
+hzCLZD+tWZPl9nzRK/COSpzDNBhNYjO9pjq2Px9JW2O0Aahc8JiTNVMusvIZf4cN
+27GAYTjIRwGFsA==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/sha1_2016.pem b/chromium/net/data/ssl/certificates/sha1_2016.pem
index b13ec7533e6..081eba9018f 100644
--- a/chromium/net/data/ssl/certificates/sha1_2016.pem
+++ b/chromium/net/data/ssl/certificates/sha1_2016.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:aa
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:6e
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:c6:8d:7f:c1:d4:77:c7:80:5b:85:b4:bb:96:0f:
-                    4b:2c:9f:53:39:5a:9d:ea:22:59:27:12:71:b2:8d:
-                    88:05:57:40:dd:74:ce:d8:5f:5d:49:46:a7:9e:9a:
-                    f3:ca:eb:45:93:b6:0f:b9:e0:df:6a:c3:88:fa:be:
-                    2a:4c:b9:08:20:1a:75:a0:80:dc:a7:6a:b4:fc:16:
-                    f0:cf:ea:c1:75:fc:3c:c3:38:b9:e0:5e:05:83:23:
-                    50:f9:94:a7:f3:79:5b:59:75:80:5e:4f:34:ce:1d:
-                    bd:82:fb:a9:f5:af:62:09:ab:13:92:0e:11:17:74:
-                    77:60:82:c9:59:8e:cd:4c:1f:53:a0:6f:c4:03:14:
-                    33:6c:e4:c2:3a:6b:c9:26:69:73:8e:0d:7f:30:7e:
-                    6f:92:8f:9b:9f:0b:6e:a9:2b:ed:f2:cd:9c:0d:ca:
-                    7a:c9:c7:2a:27:68:70:eb:c9:ee:d1:3d:bc:81:68:
-                    a4:04:23:78:de:6a:3c:21:9c:cb:50:0d:4c:07:a0:
-                    f5:c3:20:c9:b3:f1:68:29:79:0d:a6:95:2a:59:05:
-                    f5:b9:68:95:61:56:22:1d:d6:a4:93:75:d8:f7:54:
-                    d3:bf:b2:46:11:0c:0c:9f:35:91:11:8a:4b:eb:2e:
-                    8d:b6:88:e0:30:3f:ed:05:a9:c7:b5:7b:a7:59:54:
-                    7e:af
+                    00:c5:5d:b5:e9:b8:f3:a2:a8:01:b7:3b:c0:e3:89:
+                    89:cc:60:04:36:1a:ea:d1:52:9a:4b:6b:6f:5c:80:
+                    09:e9:b9:89:49:53:4f:7c:c9:d3:04:2e:7c:91:4f:
+                    b7:31:de:38:fc:18:37:53:9e:7f:4e:6a:03:68:df:
+                    53:1b:95:06:10:88:5c:12:61:a1:73:4e:c9:a4:e0:
+                    54:66:15:6f:f1:13:a8:ab:82:1d:f5:30:a4:f5:4c:
+                    3d:52:49:4a:8e:d4:65:16:f1:7e:c5:9a:2f:08:de:
+                    95:b5:02:54:24:ce:36:70:6c:48:07:a8:3b:ad:2e:
+                    a0:41:d2:c6:84:06:62:c7:ec:e0:d0:9c:bf:a1:13:
+                    7c:51:df:ab:7c:da:1d:02:f7:70:9e:e6:7b:8a:af:
+                    75:f4:99:27:17:32:9f:b2:95:dc:3c:f8:80:4f:a3:
+                    1e:82:0b:48:79:6a:ba:11:e0:65:2e:07:fe:74:db:
+                    28:c0:99:f6:72:be:03:2a:5e:22:4d:25:43:6d:39:
+                    97:76:ae:d4:58:8d:0a:23:4c:5a:89:48:55:7d:2b:
+                    8e:7d:cc:95:5a:47:30:34:b3:4c:98:00:4f:30:28:
+                    d9:c5:2d:2b:0f:79:b5:1a:19:73:58:fe:74:d2:50:
+                    d8:5e:a0:40:0e:44:c3:ec:6d:5f:6e:ac:86:ab:43:
+                    af:a7
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                F3:1F:B0:87:0B:E4:0C:42:54:A0:F4:50:37:F4:10:BD:B7:0D:C4:57
+                89:46:0C:BD:AB:A9:64:95:21:BF:40:3B:0A:35:60:B7:EA:20:4F:F9
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha1WithRSAEncryption
-         93:ba:ce:1f:a3:2c:f1:39:f4:ee:8f:df:ae:79:c9:11:d8:89:
-         b7:62:b9:9b:85:47:60:a6:98:73:60:b0:6a:51:08:39:b9:62:
-         84:5f:78:b9:c0:59:f2:78:ad:38:29:54:98:e7:48:5d:13:4d:
-         83:b8:5b:45:0b:a3:49:5c:14:51:9a:35:4f:da:af:8b:a2:d0:
-         15:44:21:ec:44:fe:af:5e:9a:93:76:a4:62:50:1a:7a:02:d1:
-         d7:9d:55:1b:ca:cb:8f:2d:c6:3e:2b:9a:18:b7:62:33:06:44:
-         fb:22:e0:ab:d0:af:e2:6a:7c:07:3e:77:71:fe:ce:15:fb:4f:
-         e5:a2:83:82:c4:1f:26:67:3b:ca:c0:73:b6:13:f0:5c:c9:54:
-         ea:dc:7f:60:bb:54:a6:ca:5d:fe:dc:75:93:84:35:47:f2:04:
-         f2:eb:f3:61:44:68:28:c8:54:7f:89:53:b2:f9:69:02:24:35:
-         c4:cf:3d:8f:a7:a8:2e:d5:24:52:62:83:f3:a1:e8:86:0b:b0:
-         d4:a8:a7:85:4c:bc:2a:82:28:95:e1:11:54:cc:3f:d3:e4:85:
-         c1:d3:f6:17:c6:bf:d0:12:37:51:e7:9f:cb:bf:58:58:60:0f:
-         1b:b1:49:db:29:76:24:4a:32:2d:1c:e4:cd:86:0a:1a:75:51:
-         60:35:e1:4b
+    Signature Value:
+        17:78:1c:ee:69:6f:a9:3a:14:f6:48:e8:2f:c9:23:3c:f1:83:
+        c0:99:20:b6:21:cc:10:e1:22:06:cd:de:cc:e3:3c:fc:60:23:
+        47:fa:df:03:7f:6a:1e:3b:6a:8c:fd:66:64:9d:3f:57:89:62:
+        41:23:a7:30:c7:f2:58:40:aa:b9:dc:69:74:3e:b4:cd:fc:54:
+        1e:2a:b5:6a:02:62:11:b6:d7:f9:6a:0f:31:37:45:9d:24:34:
+        a6:40:d5:82:1f:0c:a3:ec:53:32:b6:57:64:9d:49:60:bc:3c:
+        4d:57:b1:f5:a0:3e:c0:50:c5:12:56:70:66:4b:bb:f6:19:3b:
+        a3:23:58:c3:c5:8e:51:5a:71:f6:a8:c6:e9:82:c8:d7:77:13:
+        6d:27:d0:28:67:de:64:c9:df:db:2a:f1:0f:0d:e4:ba:5b:bc:
+        46:5e:bb:a9:7a:50:b3:54:83:e4:fa:b2:3e:18:03:06:d1:d5:
+        5c:50:45:25:47:9b:33:7e:3c:f3:c4:f4:c6:79:ad:e8:63:28:
+        f1:2c:05:08:de:83:db:3e:41:df:5d:eb:6e:53:12:51:f8:fb:
+        c4:e4:c5:dd:b1:72:e2:ae:f7:25:6c:e1:f4:aa:50:b8:b5:7c:
+        cf:78:f3:9b:dc:e3:7d:86:f3:54:79:2e:7e:b9:e4:3b:ce:e3:
+        37:4b:9f:72
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzqjANBgkqhkiG9w0BAQUFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTA4MTAzMDAwMDAwMFoXDTE2MTIzMDAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMaNf8HUd8eAW4W0u5YPSyyfUzlaneoiWScS
-cbKNiAVXQN10zthfXUlGp56a88rrRZO2D7ng32rDiPq+Kky5CCAadaCA3KdqtPwW
-8M/qwXX8PMM4ueBeBYMjUPmUp/N5W1l1gF5PNM4dvYL7qfWvYgmrE5IOERd0d2CC
-yVmOzUwfU6BvxAMUM2zkwjprySZpc44NfzB+b5KPm58Lbqkr7fLNnA3KesnHKido
-cOvJ7tE9vIFopAQjeN5qPCGcy1ANTAeg9cMgybPxaCl5DaaVKlkF9blolWFWIh3W
-pJN12PdU07+yRhEMDJ81kRGKS+sujbaI4DA/7QWpx7V7p1lUfq8CAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFPMfsIcL5AxCVKD0UDf0EL23DcRXMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBBQUAA4IB
-AQCTus4foyzxOfTuj9+ueckR2Im3YrmbhUdgpphzYLBqUQg5uWKEX3i5wFnyeK04
-KVSY50hdE02DuFtFC6NJXBRRmjVP2q+LotAVRCHsRP6vXpqTdqRiUBp6AtHXnVUb
-ysuPLcY+K5oYt2IzBkT7IuCr0K/ianwHPndx/s4V+0/looOCxB8mZzvKwHO2E/Bc
-yVTq3H9gu1Smyl3+3HWThDVH8gTy6/NhRGgoyFR/iVOy+WkCJDXEzz2Pp6gu1SRS
-YoPzoeiGC7DUqKeFTLwqgiiV4RFUzD/T5IXB0/YXxr/QEjdR55/Lv1hYYA8bsUnb
-KXYkSjItHOTNhgoadVFgNeFL
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwm4wDQYJKoZIhvcNAQEFBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0wODEwMzAwMDAwMDBaFw0xNjEyMzAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFXbXpuPOiqAG3O8DjiYnMYAQ2GurRUppL
+a29cgAnpuYlJU098ydMELnyRT7cx3jj8GDdTnn9OagNo31MblQYQiFwSYaFzTsmk
+4FRmFW/xE6irgh31MKT1TD1SSUqO1GUW8X7Fmi8I3pW1AlQkzjZwbEgHqDutLqBB
+0saEBmLH7ODQnL+hE3xR36t82h0C93Ce5nuKr3X0mScXMp+yldw8+IBPox6CC0h5
+aroR4GUuB/502yjAmfZyvgMqXiJNJUNtOZd2rtRYjQojTFqJSFV9K459zJVaRzA0
+s0yYAE8wKNnFLSsPebUaGXNY/nTSUNheoEAORMPsbV9urIarQ6+nAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSJRgy9q6lklSG/QDsKNWC36iBP+TAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQUFAAOC
+AQEAF3gc7mlvqToU9kjoL8kjPPGDwJkgtiHMEOEiBs3ezOM8/GAjR/rfA39qHjtq
+jP1mZJ0/V4liQSOnMMfyWECqudxpdD60zfxUHiq1agJiEbbX+WoPMTdFnSQ0pkDV
+gh8Mo+xTMrZXZJ1JYLw8TVex9aA+wFDFElZwZku79hk7oyNYw8WOUVpx9qjG6YLI
+13cTbSfQKGfeZMnf2yrxDw3kulu8Rl67qXpQs1SD5PqyPhgDBtHVXFBFJUebM348
+88T0xnmt6GMo8SwFCN6D2z5B313rblMSUfj7xOTF3bFy4q73JWzh9KpQuLV8z3jz
+m9zjfYbzVHkufrnkO87jN0ufcg==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/sha1_leaf.pem b/chromium/net/data/ssl/certificates/sha1_leaf.pem
index 290c54aa403..159eacdacd3 100644
--- a/chromium/net/data/ssl/certificates/sha1_leaf.pem
+++ b/chromium/net/data/ssl/certificates/sha1_leaf.pem
@@ -30,16 +30,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:be
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:82
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
-            Not Before: Dec  1 15:42:29 2021 GMT
-            Not After : Dec  1 15:42:29 2023 GMT
+            Not Before: Oct  3 17:20:30 2022 GMT
+            Not After : Oct  2 17:20:30 2024 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:bd:a3:e4:dd:5b:24:36:02:40:5d:e8:c5:c6:e3:
                     63:c8:c8:45:ef:b2:e7:cf:5a:86:46:d9:94:5e:35:
@@ -66,48 +66,48 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 1F:90:87:C1:2E:EE:B4:70:94:B3:39:33:71:D2:37:34:19:46:7C:40
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha1WithRSAEncryption
-         0b:88:e7:bb:84:f6:a2:d7:8e:e6:46:60:d5:f0:22:84:46:19:
-         f6:97:08:8f:d4:c0:ce:c0:02:f7:06:10:01:96:33:14:b0:f4:
-         a2:3f:5b:78:5f:2e:00:1f:be:03:d8:b1:af:89:4c:9d:2d:47:
-         16:d8:d0:77:0d:4e:00:3d:60:41:c8:e1:c9:fc:5f:88:af:da:
-         65:ea:ea:60:af:9d:1b:34:3b:95:25:e0:e4:2d:f0:e0:82:33:
-         74:79:14:f3:59:63:ca:72:eb:a3:eb:83:71:6f:19:e3:d8:1b:
-         89:24:b3:ab:c6:82:db:69:a3:c7:dd:f0:8f:c6:6f:de:44:98:
-         65:d3:66:37:a8:42:b6:20:9c:5b:15:7a:7b:82:e9:2d:4a:07:
-         62:ce:b2:83:17:f9:69:07:a9:e1:24:8f:9a:1c:ac:a4:20:1b:
-         eb:89:a5:f6:6b:6f:4f:c5:de:76:19:01:d2:ef:bf:5f:68:1c:
-         b6:60:6c:b0:af:2c:93:7c:e2:b0:a8:6c:4d:ea:2c:1a:26:17:
-         4d:25:cb:e4:65:ca:d9:89:4c:37:af:65:89:9b:4b:6f:a9:53:
-         b5:3e:08:4f:bd:9c:6c:ea:69:20:7e:1d:eb:50:b9:be:1f:df:
-         a9:2f:38:35:51:22:6b:84:96:01:5b:be:09:8f:d6:62:e8:6e:
-         ae:09:ef:db
+    Signature Value:
+        08:e7:3e:ac:bf:41:a5:98:43:ca:44:41:ad:8f:8c:1b:fe:b7:
+        77:1e:cb:d4:fb:5b:a2:d9:ce:88:07:9e:ef:7b:91:3b:67:a2:
+        e4:3b:a4:11:b3:8a:54:40:42:ef:38:97:2b:ac:a8:8d:d4:0a:
+        7c:e6:d4:a5:3b:d6:48:8d:af:29:e1:fb:e7:72:1b:7b:35:a6:
+        c3:1d:a5:89:9c:2d:e2:31:31:83:4c:eb:ed:8a:c5:42:71:6c:
+        8e:50:4b:76:98:11:4d:48:3d:ad:14:d1:44:05:3d:70:91:83:
+        13:d5:9d:85:fa:de:ea:a0:99:e8:3e:f0:fa:aa:59:93:ef:78:
+        6e:c8:e8:ee:94:3c:8b:35:35:7a:2a:75:3a:53:55:2c:de:68:
+        73:9a:7f:f3:b8:da:e4:4a:13:18:f6:46:53:7f:ad:65:29:13:
+        bb:23:84:56:08:77:f6:b7:84:fe:ca:2c:24:0d:4a:68:81:bf:
+        d2:44:bf:f6:1d:74:5d:dc:77:b1:1c:23:25:62:f0:b9:7a:62:
+        a7:15:4b:18:c4:19:9f:3c:4d:ef:33:49:17:a6:09:66:80:de:
+        7b:50:f5:33:0a:7f:28:23:99:a3:ca:82:a1:a7:ba:f2:44:a9:
+        17:a3:9c:75:86:f2:cd:3b:8c:af:61:28:cd:57:f0:ab:83:c8:
+        12:87:59:f3
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzvjANBgkqhkiG9w0BAQUFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIxMTIwMTE1NDIyOVoXDTIzMTIwMTE1NDIyOVowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAL2j5N1bJDYCQF3oxcbjY8jIRe+y589ahkbZ
-lF41/dqYaiHQKZRd98DuMWIlQOoHL8r8LK5/sgEaB8ZID0ozaRNRu8wxHS5eqvHS
-GU8NplGDQMXAEEWXtatFSMTqK+Ujxdp3AEpNzwQhk6vG2bbY8DbPUcJsTuku+4DS
-ziQnWRuFiRRCd4SGqJqELa2y44yP3SUjRPoKGCMJvWvw52CvQw4feGSHKj42VFIq
-kjRkqXC4ADhR0HHIgjliYJx3dT10di+IR7NngBDBYR0KNRo2St817ANq0N/3stOs
-+j1VjoFOreDvssuWlb3euhOJWERBvxiOspLiOOYhAQ23NOeHsbECAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFB+Qh8Eu7rRwlLM5M3HSNzQZRnxAMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBBQUAA4IB
-AQALiOe7hPai147mRmDV8CKERhn2lwiP1MDOwAL3BhABljMUsPSiP1t4Xy4AH74D
-2LGviUydLUcW2NB3DU4APWBByOHJ/F+Ir9pl6upgr50bNDuVJeDkLfDggjN0eRTz
-WWPKcuuj64Nxbxnj2BuJJLOrxoLbaaPH3fCPxm/eRJhl02Y3qEK2IJxbFXp7gukt
-SgdizrKDF/lpB6nhJI+aHKykIBvriaX2a29Pxd52GQHS779faBy2YGywryyTfOKw
-qGxN6iwaJhdNJcvkZcrZiUw3r2WJm0tvqVO1PghPvZxs6mkgfh3rULm+H9+pLzg1
-USJrhJYBW74Jj9Zi6G6uCe/b
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwoIwDQYJKoZIhvcNAQEFBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMjEwMDMxNzIwMzBaFw0yNDEwMDIxNzIwMzBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9o+TdWyQ2AkBd6MXG42PIyEXvsufPWoZG
+2ZReNf3amGoh0CmUXffA7jFiJUDqBy/K/Cyuf7IBGgfGSA9KM2kTUbvMMR0uXqrx
+0hlPDaZRg0DFwBBFl7WrRUjE6ivlI8XadwBKTc8EIZOrxtm22PA2z1HCbE7pLvuA
+0s4kJ1kbhYkUQneEhqiahC2tsuOMj90lI0T6ChgjCb1r8Odgr0MOH3hkhyo+NlRS
+KpI0ZKlwuAA4UdBxyII5YmCcd3U9dHYviEezZ4AQwWEdCjUaNkrfNewDatDf97LT
+rPo9VY6BTq3g77LLlpW93roTiVhEQb8YjrKS4jjmIQENtzTnh7GxAgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQfkIfBLu60cJSzOTNx0jc0GUZ8QDAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQUFAAOC
+AQEACOc+rL9BpZhDykRBrY+MG/63dx7L1PtbotnOiAee73uRO2ei5DukEbOKVEBC
+7ziXK6yojdQKfObUpTvWSI2vKeH753IbezWmwx2liZwt4jExg0zr7YrFQnFsjlBL
+dpgRTUg9rRTRRAU9cJGDE9Wdhfre6qCZ6D7w+qpZk+94bsjo7pQ8izU1eip1OlNV
+LN5oc5p/87ja5EoTGPZGU3+tZSkTuyOEVgh39reE/sosJA1KaIG/0kS/9h10Xdx3
+sRwjJWLwuXpipxVLGMQZnzxN7zNJF6YJZoDee1D1Mwp/KCOZo8qCoae68kSpF6Oc
+dYbyzTuMr2EozVfwq4PIEodZ8w==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/spdy_pooling.pem b/chromium/net/data/ssl/certificates/spdy_pooling.pem
index be9bec53b00..b5eb2007580 100644
--- a/chromium/net/data/ssl/certificates/spdy_pooling.pem
+++ b/chromium/net/data/ssl/certificates/spdy_pooling.pem
@@ -2,74 +2,78 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:2e:f2:2d:e2:b5:a4:d9:f9:54:a2:fb:77:07:f4:1d:51:f2:3a:7f
+            0a:30:58:00:41:4d:22:20:68:ab:c8:5e:5f:9d:57:82:9c:c3:a2:1e
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Validity
-            Not Before: Dec  1 15:42:07 2021 GMT
-            Not After : Nov 29 15:42:07 2031 GMT
+            Not Before: Oct  3 17:20:09 2022 GMT
+            Not After : Sep 30 17:20:09 2032 GMT
         Subject: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:a7:1e:07:5b:25:e9:5c:f6:b0:3d:31:36:ee:d0:
-                    e3:8d:63:4a:2e:c2:c2:5a:59:fd:b3:55:b8:c9:93:
-                    25:42:66:76:b5:ec:15:1e:f7:9e:73:5f:c6:5f:8a:
-                    64:80:d1:97:1b:37:1a:77:f7:42:a5:c9:70:2a:62:
-                    b1:e2:e9:bf:42:1f:c3:cf:3c:69:8d:42:7b:60:21:
-                    e6:35:79:37:9a:93:10:dd:cc:9c:1f:9a:e9:49:02:
-                    2c:af:50:8b:69:62:a0:32:4e:46:69:f3:73:5c:fc:
-                    94:2a:12:ed:f4:76:a4:32:49:47:38:34:9e:8b:20:
-                    1f:4f:57:57:2f:07:8f:a6:f1:35:68:c7:5f:16:1a:
-                    cd:cf:ee:a4:c8:f9:6a:de:1c:d4:09:13:7d:a3:29:
-                    8d:1c:70:f5:19:e1:66:e1:24:5e:9b:22:11:18:1d:
-                    9d:bf:df:e5:47:d2:18:83:4e:13:a3:45:20:67:9d:
-                    a0:06:17:32:ce:bd:9c:a2:49:5d:ed:5d:39:c7:c6:
-                    eb:73:b2:97:ce:57:42:24:71:77:8d:23:f0:ad:1f:
-                    2e:2b:52:cc:b1:8a:08:ac:78:77:4a:c9:1a:9b:32:
-                    e4:1e:7f:aa:c3:1a:e6:ed:7f:1d:df:03:da:c0:76:
-                    c2:c1:40:a5:20:30:6c:3d:8a:95:0f:1f:b5:b2:f1:
-                    c8:e1
+                    00:ec:e4:cc:ed:ab:60:cd:e3:0f:5c:3c:29:73:cf:
+                    6e:a4:52:c4:dc:49:d6:2f:d5:cd:26:56:3d:3d:aa:
+                    c6:69:d7:ad:7a:47:ea:84:73:aa:85:b8:95:13:85:
+                    ea:9b:01:5c:ef:53:62:4f:92:61:9a:bd:64:7d:fa:
+                    ce:ea:08:06:b5:c0:48:9f:db:a6:90:c1:26:26:bc:
+                    c2:44:47:18:37:16:d8:63:5a:e9:bf:23:f9:46:d6:
+                    65:0c:53:3b:b3:0e:d1:de:f7:d6:81:fe:0e:75:c4:
+                    5d:38:45:28:17:98:c8:99:bf:9a:60:ec:b0:36:38:
+                    9b:9e:36:57:e9:8a:51:d3:ee:1b:23:9b:18:db:31:
+                    dc:3f:1c:02:b6:c5:73:2f:f5:90:71:7f:a1:ab:f3:
+                    24:d6:d5:b4:5c:4f:37:eb:ca:44:55:9a:86:65:24:
+                    78:56:04:b9:3a:63:f9:f7:26:2f:8d:bc:98:9c:19:
+                    68:4d:f8:30:df:6c:30:32:31:75:3b:54:e7:7c:d3:
+                    b0:05:c5:98:66:1c:f9:73:c4:b0:c2:83:67:c3:30:
+                    79:6f:60:1f:0b:0c:67:6b:22:2c:cb:16:3d:73:1b:
+                    8c:a0:a3:30:f1:db:9a:fc:0e:45:bb:7e:b4:03:a2:
+                    33:d2:d3:cb:98:95:ec:66:f6:2e:51:e9:85:14:8d:
+                    13:89
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Alternative Name: 
                 DNS:www.example.org, DNS:mail.example.org, DNS:mail.example.com, DNS:example.test
+            X509v3 Subject Key Identifier: 
+                21:E7:36:0A:62:36:97:A3:5E:52:97:4A:73:AE:2B:1C:3E:25:C7:6C
     Signature Algorithm: sha256WithRSAEncryption
-         80:a7:d2:27:56:cd:c7:fc:3b:a7:78:2c:d7:fd:e3:6f:41:94:
-         d7:c6:1b:02:18:25:1c:31:0a:92:d3:9b:2e:77:32:02:0f:da:
-         6e:df:81:9c:80:1b:1e:b2:82:fd:8e:27:77:0e:a5:0b:3b:82:
-         bb:a0:92:3a:a1:6a:f2:0f:a4:5a:69:da:37:69:94:d6:75:c5:
-         19:05:2b:c1:46:16:35:d9:e2:31:e6:9f:1e:80:0d:bc:7f:a4:
-         01:f3:c8:63:3e:e9:78:7b:3e:c1:b0:a0:69:df:30:b4:a6:0b:
-         15:80:21:43:9f:5a:2d:63:00:7a:22:09:7f:72:4f:64:bc:66:
-         84:9c:e8:e2:d3:60:ec:eb:0e:d6:38:ba:c7:b1:0a:82:c6:3d:
-         0f:e9:57:82:fd:a6:cd:65:98:9a:c5:d7:63:43:5d:77:60:8e:
-         f8:5b:af:60:d2:39:48:3f:4d:77:e9:27:30:dc:43:c9:e0:09:
-         1b:3a:7e:04:95:7f:12:44:57:b2:b8:72:9b:b6:47:09:3b:80:
-         2c:50:7e:fe:9f:c9:2b:2c:cb:77:a1:09:47:83:3c:da:c2:e9:
-         49:17:de:fc:46:4b:45:ae:3f:3c:85:38:6f:1c:d8:95:b5:1b:
-         f1:fd:c2:79:c9:c7:0d:a7:3a:be:fd:92:1c:7a:26:e9:9a:71:
-         f8:43:d8:6e
+    Signature Value:
+        4b:83:37:e0:92:ee:31:5c:ed:d7:4f:c8:10:7c:82:49:82:72:
+        fd:d5:b0:b1:be:fb:a5:62:f8:9b:17:68:82:b9:f1:2a:d5:80:
+        3a:e5:73:2c:f9:bc:86:c0:8c:3a:69:36:63:60:c5:fb:d3:b9:
+        3b:87:8b:05:14:58:88:f5:87:50:e8:7c:c2:21:a7:66:ed:b4:
+        7f:12:86:71:6b:93:cb:a8:68:4b:5b:a6:a9:1b:8a:f0:f2:41:
+        b5:eb:eb:62:a3:f8:b6:e4:97:f2:4b:5b:47:45:3f:a5:50:74:
+        a9:07:1d:2a:d7:7b:d5:57:91:6d:c2:ed:fa:2e:42:6d:19:2b:
+        eb:4b:d6:3c:2b:c9:ac:1d:5e:11:1e:b8:cb:d7:fa:b3:4f:39:
+        b6:1b:9f:b0:e0:27:96:a3:cc:7b:03:f0:0e:dc:34:3f:b6:fb:
+        66:7b:d1:1b:a7:49:ec:f3:d5:fd:60:7c:54:ed:c1:ac:3c:a0:
+        54:6f:62:d4:5b:99:39:09:e5:c2:9b:21:5e:8d:76:59:0f:b5:
+        6d:8d:cb:b6:bb:21:ea:cb:33:9a:2c:14:ca:51:8b:26:3a:ce:
+        9f:2d:5f:d2:ad:9d:8d:c7:2b:30:7e:40:40:43:94:83:c4:09:
+        25:79:c0:fb:43:05:02:a8:93:b3:60:3f:fa:63:21:27:a3:eb:
+        8b:0f:06:33
 -----BEGIN CERTIFICATE-----
-MIIDnjCCAoagAwIBAgIUEi7yLeK1pNn5VKL7dwf0HVHyOn8wDQYJKoZIhvcNAQEL
+MIIDvTCCAqWgAwIBAgIUCjBYAEFNIiBoq8heX51XgpzDoh4wDQYJKoZIhvcNAQEL
 BQAwYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4w
-LjAuMTAeFw0yMTEyMDExNTQyMDdaFw0zMTExMjkxNTQyMDdaMGAxCzAJBgNVBAYT
+LjAuMTAeFw0yMjEwMDMxNzIwMDlaFw0zMjA5MzAxNzIwMDlaMGAxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
 MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnHgdbJelc9rA9MTbu0OONY0ouwsJaWf2z
-VbjJkyVCZna17BUe955zX8ZfimSA0ZcbNxp390KlyXAqYrHi6b9CH8PPPGmNQntg
-IeY1eTeakxDdzJwfmulJAiyvUItpYqAyTkZp83Nc/JQqEu30dqQySUc4NJ6LIB9P
-V1cvB4+m8TVox18WGs3P7qTI+WreHNQJE32jKY0ccPUZ4WbhJF6bIhEYHZ2/3+VH
-0hiDThOjRSBnnaAGFzLOvZyiSV3tXTnHxutzspfOV0IkcXeNI/CtHy4rUsyxigis
-eHdKyRqbMuQef6rDGubtfx3fA9rAdsLBQKUgMGw9ipUPH7Wy8cjhAgMBAAGjUDBO
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDs5Mztq2DN4w9cPClzz26kUsTcSdYv1c0m
+Vj09qsZp1616R+qEc6qFuJUTheqbAVzvU2JPkmGavWR9+s7qCAa1wEif26aQwSYm
+vMJERxg3FthjWum/I/lG1mUMUzuzDtHe99aB/g51xF04RSgXmMiZv5pg7LA2OJue
+NlfpilHT7hsjmxjbMdw/HAK2xXMv9ZBxf6Gr8yTW1bRcTzfrykRVmoZlJHhWBLk6
+Y/n3Ji+NvJicGWhN+DDfbDAyMXU7VOd807AFxZhmHPlzxLDCg2fDMHlvYB8LDGdr
+IizLFj1zG4ygozDx25r8DkW7frQDojPS08uYlexm9i5R6YUUjROJAgMBAAGjbzBt
 MEwGA1UdEQRFMEOCD3d3dy5leGFtcGxlLm9yZ4IQbWFpbC5leGFtcGxlLm9yZ4IQ
-bWFpbC5leGFtcGxlLmNvbYIMZXhhbXBsZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IB
-AQCAp9InVs3H/DuneCzX/eNvQZTXxhsCGCUcMQqS05sudzICD9pu34GcgBsesoL9
-jid3DqULO4K7oJI6oWryD6Raado3aZTWdcUZBSvBRhY12eIx5p8egA28f6QB88hj
-Pul4ez7BsKBp3zC0pgsVgCFDn1otYwB6Igl/ck9kvGaEnOji02Ds6w7WOLrHsQqC
-xj0P6VeC/abNZZiaxddjQ113YI74W69g0jlIP0136Scw3EPJ4AkbOn4ElX8SRFey
-uHKbtkcJO4AsUH7+n8krLMt3oQlHgzzawulJF978RktFrj88hThvHNiVtRvx/cJ5
-yccNpzq+/ZIceibpmnH4Q9hu
+bWFpbC5leGFtcGxlLmNvbYIMZXhhbXBsZS50ZXN0MB0GA1UdDgQWBBQh5zYKYjaX
+o15Sl0pzriscPiXHbDANBgkqhkiG9w0BAQsFAAOCAQEAS4M34JLuMVzt10/IEHyC
+SYJy/dWwsb77pWL4mxdogrnxKtWAOuVzLPm8hsCMOmk2Y2DF+9O5O4eLBRRYiPWH
+UOh8wiGnZu20fxKGcWuTy6hoS1umqRuK8PJBtevrYqP4tuSX8ktbR0U/pVB0qQcd
+Ktd71VeRbcLt+i5CbRkr60vWPCvJrB1eER64y9f6s085thufsOAnlqPMewPwDtw0
+P7b7ZnvRG6dJ7PPV/WB8VO3BrDygVG9i1FuZOQnlwpshXo12WQ+1bY3Ltrsh6ssz
+miwUylGLJjrOny1f0q2djccrMH5AQEOUg8QJJXnA+0MFAqiTs2A/+mMhJ6Priw8G
+Mw==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/start_after_expiry.pem b/chromium/net/data/ssl/certificates/start_after_expiry.pem
index 0d342dc7cfc..bd6eacc0377 100644
--- a/chromium/net/data/ssl/certificates/start_after_expiry.pem
+++ b/chromium/net/data/ssl/certificates/start_after_expiry.pem
@@ -2,7 +2,7 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:b2
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:76
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
@@ -11,75 +11,75 @@ Certificate:
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:c4:01:12:94:35:84:3b:37:2d:1a:7a:70:26:71:
-                    83:71:80:35:fd:20:44:c0:06:50:ec:98:c7:b2:2f:
-                    2e:cb:32:1c:09:48:06:b3:b8:15:11:e2:8e:a7:76:
-                    c8:78:3e:c3:c1:b5:df:2d:f6:74:08:01:ae:87:ce:
-                    df:ae:5c:a6:36:cc:0d:ce:a0:23:bf:b9:be:57:a0:
-                    2d:38:5d:39:9d:dc:02:c4:dc:e9:d6:cd:b4:25:b8:
-                    6b:20:47:ce:b6:f6:21:37:57:54:b7:52:ca:8e:7f:
-                    7b:a9:77:a6:9c:89:20:40:c0:2d:17:16:72:aa:09:
-                    7e:00:96:3e:e8:8b:9d:09:70:22:43:38:9b:98:f7:
-                    9a:b4:cb:44:c2:76:bd:b5:ed:0f:1e:43:98:6c:87:
-                    23:c1:ae:f0:b8:01:62:d4:a3:cd:35:2d:06:bd:c1:
-                    98:26:62:10:fb:a2:18:31:b7:e3:f2:eb:29:c5:73:
-                    50:d5:85:da:95:e6:82:95:3d:52:ba:74:15:33:96:
-                    32:66:c3:a1:c0:0b:f0:b5:e1:bf:35:90:4e:6e:4c:
-                    0b:46:45:6d:e7:28:c4:2c:fe:2b:a0:bf:38:7b:a7:
-                    27:06:d7:13:69:bc:c4:60:ec:58:a5:dd:5d:a3:29:
-                    dd:69:1d:01:22:ae:f7:93:83:dd:6d:4d:de:ef:19:
-                    5b:07
+                    00:e7:1f:c0:bc:e7:c2:07:2d:13:9c:c8:c9:8a:89:
+                    a7:fd:63:87:c5:2a:b0:f5:e4:e0:08:af:e2:c3:f1:
+                    8c:02:f1:20:7a:9d:09:c0:c7:24:ef:61:04:e3:c9:
+                    da:36:60:d5:8e:84:c9:4f:cc:ba:88:eb:00:a7:92:
+                    46:47:69:e2:89:50:90:63:55:49:9e:4c:fb:3a:c6:
+                    92:90:4d:69:b5:d8:85:3b:d6:dd:c5:62:e8:da:51:
+                    62:4e:0f:61:82:e1:72:6b:37:ac:34:f4:92:fb:17:
+                    d9:d4:52:ec:c5:e5:96:f7:e3:8f:f1:c7:a0:f4:de:
+                    bf:5d:d7:74:72:6f:41:60:9f:51:ed:93:08:48:7c:
+                    c8:44:1d:6b:30:d4:1f:67:88:1b:1e:8e:bf:83:18:
+                    d2:cd:46:78:62:e4:1c:ac:be:48:0b:56:db:7c:b9:
+                    b9:4f:97:3a:51:c1:14:37:c9:87:56:c2:19:5e:93:
+                    d6:fc:75:99:88:fd:9b:f5:bc:ab:0c:2f:77:86:bf:
+                    4d:2c:05:84:2e:82:61:f7:7d:0a:c3:fd:80:46:bd:
+                    1b:46:b8:15:6a:91:2f:de:5f:bd:c2:cb:76:77:59:
+                    03:90:c9:6d:e3:19:df:d2:f0:cc:6c:ef:ff:92:e9:
+                    27:39:5a:0f:e2:a6:49:5f:f9:0f:e4:10:d0:76:9b:
+                    5c:ff
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                4F:BF:F3:D7:00:F9:45:45:B6:65:99:23:14:40:F6:95:80:DF:6A:02
+                F1:42:EA:7F:63:33:BE:07:0C:EE:F1:61:42:F0:3F:7D:1E:D5:26:52
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         3f:72:8b:c2:c3:72:9d:fc:de:aa:69:46:7b:c7:b2:0a:12:ef:
-         ba:6d:30:18:c9:8a:5e:10:e2:39:8c:ff:36:71:15:36:cc:0e:
-         06:bd:5b:f6:81:3f:b7:2c:f4:cd:d9:1c:98:3c:b4:61:aa:1e:
-         89:d4:4a:4c:49:8b:b7:54:22:e0:89:db:a0:33:e0:c1:67:ae:
-         a2:25:3e:43:eb:11:2b:b8:7b:4b:e6:c9:ef:10:b7:15:af:2c:
-         17:dd:18:26:6e:38:71:aa:e2:e1:2e:62:13:e3:b6:9e:a8:54:
-         8b:94:7a:a9:b3:bd:3c:b0:b9:27:82:3c:9b:e9:28:e3:af:ca:
-         fa:9f:6f:58:6a:01:40:83:20:7b:03:b3:c5:36:c8:20:3a:55:
-         d3:79:bf:80:e5:95:a9:7d:87:29:0b:21:39:a5:77:0e:62:e8:
-         23:3c:7b:3a:94:d9:c4:30:8c:b1:34:ff:b0:b2:9f:58:01:89:
-         19:7b:21:37:76:df:01:d0:20:93:61:03:84:fa:b2:d2:08:f1:
-         e4:d7:7a:a7:82:39:3c:e5:ca:8a:f6:1a:74:3b:21:7d:28:5b:
-         4f:b3:02:7f:04:f5:f9:a6:c6:6a:aa:9a:5d:ba:6b:d4:07:73:
-         c0:d0:e3:8e:8c:6e:d9:4a:ba:49:e9:4b:05:e9:80:d3:5a:6b:
-         3d:c5:70:8e
+    Signature Value:
+        ac:f3:da:f2:75:15:ff:95:c9:14:47:22:c3:b6:fc:b2:93:3b:
+        33:7a:c0:81:71:f3:95:33:90:55:08:89:c1:1b:b7:06:f5:9c:
+        43:59:90:2a:b0:9c:4b:91:f1:40:c0:c5:71:80:64:1e:f1:b3:
+        1c:45:b9:d3:05:f8:1a:2d:76:a5:47:5c:f9:bc:66:66:0c:11:
+        04:af:f2:3b:ef:ff:50:46:1e:70:45:d3:14:b0:a4:4a:d3:8c:
+        99:e4:e3:a1:c8:7d:83:18:29:b8:3d:ca:ad:5c:b0:cf:ea:47:
+        73:eb:85:c2:85:99:b7:68:c5:c5:bd:f2:c6:75:b7:65:e7:74:
+        da:39:fa:b7:dc:9f:a9:f6:fd:e7:d4:70:91:b3:42:8a:71:38:
+        2e:e3:c3:2a:35:6f:08:56:21:35:81:89:46:ca:e1:05:a7:f6:
+        60:f5:b0:b3:44:3a:23:43:f3:e8:99:a3:7b:f8:42:2e:60:e5:
+        a6:ab:3f:06:20:70:2f:69:d7:bb:95:87:01:5d:16:31:c0:b7:
+        97:09:0c:02:c4:20:b1:ab:15:ef:be:05:98:eb:41:a6:eb:eb:
+        e1:90:43:e6:b1:5f:d6:61:a4:18:bd:8a:6e:00:47:a7:58:a0:
+        67:df:ea:09:a7:81:c3:5a:58:a9:ee:ac:f6:8b:2a:38:57:25:
+        b7:a6:38:36
 -----BEGIN CERTIFICATE-----
-MIIDzjCCAragAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzsjANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTE4MDkwMTAwMDAwMFoXDTE1MDQwMjAwMDAwMFowYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMQBEpQ1hDs3LRp6cCZxg3GANf0gRMAGUOyY
-x7IvLssyHAlIBrO4FRHijqd2yHg+w8G13y32dAgBrofO365cpjbMDc6gI7+5vleg
-LThdOZ3cAsTc6dbNtCW4ayBHzrb2ITdXVLdSyo5/e6l3ppyJIEDALRcWcqoJfgCW
-PuiLnQlwIkM4m5j3mrTLRMJ2vbXtDx5DmGyHI8Gu8LgBYtSjzTUtBr3BmCZiEPui
-GDG34/LrKcVzUNWF2pXmgpU9Urp0FTOWMmbDocAL8LXhvzWQTm5MC0ZFbecoxCz+
-K6C/OHunJwbXE2m8xGDsWKXdXaMp3WkdASKu95OD3W1N3u8ZWwcCAwEAAaOBgDB+
-MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFE+/89cA+UVFtmWZIxRA9pWA32oCMB8G
-A1UdIwQYMBaAFJsmC4qYqbsduR8c4xpAM+2OF4irMB0GA1UdJQQWMBQGCCsGAQUF
-BwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IB
-AQA/covCw3Kd/N6qaUZ7x7IKEu+6bTAYyYpeEOI5jP82cRU2zA4GvVv2gT+3LPTN
-2RyYPLRhqh6J1EpMSYu3VCLgidugM+DBZ66iJT5D6xEruHtL5snvELcVrywX3Rgm
-bjhxquLhLmIT47aeqFSLlHqps708sLkngjyb6Sjjr8r6n29YagFAgyB7A7PFNsgg
-OlXTeb+A5ZWpfYcpCyE5pXcOYugjPHs6lNnEMIyxNP+wsp9YAYkZeyE3dt8B0CCT
-YQOE+rLSCPHk13qngjk85cqK9hp0OyF9KFtPswJ/BPX5psZqqppdumvUB3PA0OOO
-jG7ZSrpJ6UsF6YDTWms9xXCO
+MIIDzzCCAregAwIBAgIRALBrk5LjXI1+7Z3IllnFwnYwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xODA5MDEwMDAwMDBaFw0xNTA0MDIwMDAwMDBaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDnH8C858IHLROcyMmKiaf9Y4fFKrD15OAI
+r+LD8YwC8SB6nQnAxyTvYQTjydo2YNWOhMlPzLqI6wCnkkZHaeKJUJBjVUmeTPs6
+xpKQTWm12IU71t3FYujaUWJOD2GC4XJrN6w09JL7F9nUUuzF5Zb344/xx6D03r9d
+13Ryb0Fgn1HtkwhIfMhEHWsw1B9niBsejr+DGNLNRnhi5BysvkgLVtt8ublPlzpR
+wRQ3yYdWwhlek9b8dZmI/Zv1vKsML3eGv00sBYQugmH3fQrD/YBGvRtGuBVqkS/e
+X73Cy3Z3WQOQyW3jGd/S8Mxs7/+S6Sc5Wg/ipklf+Q/kENB2m1z/AgMBAAGjgYAw
+fjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTxQup/YzO+Bwzu8WFC8D99HtUmUjAf
+BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
+BQcDAQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEArPPa8nUV/5XJFEciw7b8spM7M3rAgXHzlTOQVQiJwRu3BvWcQ1mQKrCcS5Hx
+QMDFcYBkHvGzHEW50wX4Gi12pUdc+bxmZgwRBK/yO+//UEYecEXTFLCkStOMmeTj
+och9gxgpuD3KrVywz+pHc+uFwoWZt2jFxb3yxnW3Zed02jn6t9yfqfb959RwkbNC
+inE4LuPDKjVvCFYhNYGJRsrhBaf2YPWws0Q6I0Pz6Jmje/hCLmDlpqs/BiBwL2nX
+u5WHAV0WMcC3lwkMAsQgsasV774FmOtBpuvr4ZBD5rFf1mGkGL2KbgBHp1igZ9/q
+CaeBw1pYqe6s9osqOFclt6Y4Ng==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/subjectAltName_sanity_check.pem b/chromium/net/data/ssl/certificates/subjectAltName_sanity_check.pem
index 0c30b3e9a03..429273a99c2 100644
--- a/chromium/net/data/ssl/certificates/subjectAltName_sanity_check.pem
+++ b/chromium/net/data/ssl/certificates/subjectAltName_sanity_check.pem
@@ -2,77 +2,81 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            38:5b:f5:c0:6c:fa:b0:29:44:07:3c:43:8b:e0:12:b6:31:f0:64:7c
+            1a:3e:ff:08:8f:68:f4:e8:be:f8:a2:78:86:91:fa:b1:0b:a3:8c:1f
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Validity
-            Not Before: Dec  1 15:42:07 2021 GMT
-            Not After : Nov 29 15:42:07 2031 GMT
+            Not Before: Oct  3 17:20:09 2022 GMT
+            Not After : Sep 30 17:20:09 2032 GMT
         Subject: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:c2:a3:9d:32:46:83:54:a4:44:e2:7c:16:e1:84:
-                    9d:d0:aa:e2:aa:0b:5e:08:82:79:d7:37:19:82:1e:
-                    4b:f5:aa:56:fc:a9:b4:38:65:13:5c:ab:e7:b7:f9:
-                    c7:35:ee:b6:f5:44:fc:8d:67:dd:c4:69:a6:0b:99:
-                    6d:8f:ca:6f:08:2d:13:75:b2:f0:a5:fb:8c:d8:cd:
-                    31:da:f0:aa:8a:ac:c3:0b:e9:51:26:87:75:0c:fb:
-                    20:13:ac:ba:c3:f1:0a:67:d7:b6:b3:f5:b7:3e:f4:
-                    a3:bc:69:98:9b:23:90:db:fd:bd:70:6a:ee:0a:87:
-                    51:00:57:15:b5:cd:fc:5f:73:0d:e1:45:87:d9:55:
-                    b8:c7:0f:35:f2:7d:af:36:54:2e:dd:71:ad:d2:87:
-                    1c:f0:f4:da:45:68:a6:72:84:4b:ab:ad:13:44:b7:
-                    ae:a2:20:7a:e9:1a:dc:70:5a:7a:f4:ae:40:0f:59:
-                    5e:2a:f9:0c:a8:93:86:18:cf:12:5d:4c:c3:2b:df:
-                    10:af:c2:01:ec:94:43:d1:4a:de:ef:ae:1d:94:8d:
-                    09:d2:72:33:b6:99:fb:b9:0c:b2:cd:b4:c7:80:80:
-                    57:5e:05:f0:f3:0b:ca:c6:cb:86:e4:59:00:97:20:
-                    7a:11:ef:25:72:8b:66:51:da:be:03:56:6d:e5:19:
-                    9b:c9
+                    00:e4:41:20:46:ee:74:19:2c:9b:0c:2e:e8:63:1b:
+                    40:7a:76:f9:3b:33:9f:bb:61:3b:dc:a1:71:fb:3d:
+                    e4:df:7b:2f:0f:17:91:88:3f:9d:33:93:bc:12:29:
+                    ab:7e:6f:4b:04:68:3c:33:b4:79:02:d8:3d:df:fb:
+                    9a:ee:29:de:24:7f:6d:49:00:76:5d:12:fe:d4:1b:
+                    f8:3d:e5:08:e3:ea:22:ef:85:7e:5d:55:e1:e3:7b:
+                    a1:84:c8:87:06:7b:08:97:ff:b9:cb:94:b9:c4:34:
+                    fb:77:29:df:23:e3:19:96:8f:5f:5d:cd:95:5e:f0:
+                    a5:ff:cf:91:b6:4d:a6:8a:f3:7d:7f:f8:22:8c:c9:
+                    27:0b:a5:37:37:a2:99:e4:79:ee:6d:73:1d:c9:a8:
+                    78:ba:f8:2a:aa:a0:3e:8b:8d:59:87:39:05:f1:eb:
+                    48:49:47:28:12:30:28:50:80:2a:67:3b:af:68:88:
+                    bd:c0:f1:38:da:4f:d3:7b:15:86:6f:c8:b7:61:5f:
+                    c5:af:ca:34:a2:72:b0:59:03:2c:8d:4d:f2:e7:ad:
+                    d0:d7:1a:cc:8f:2d:5c:d1:41:ea:21:1a:e9:90:2e:
+                    63:99:90:28:1e:86:73:95:7d:7b:d7:eb:e7:af:2a:
+                    16:60:38:d7:b0:34:71:65:a6:d3:bd:53:91:99:20:
+                    e0:39
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Alternative Name: 
-                IP Address:127.0.0.2, IP Address:FE80:0:0:0:0:0:0:1, DNS:test.example, email:test@test.example, othername:<unsupported>, DirName:/CN=127.0.0.3
+                IP Address:127.0.0.2, IP Address:FE80:0:0:0:0:0:0:1, DNS:test.example, email:test@test.example, othername: 1.2.3.4::ignore me, DirName:/CN=127.0.0.3
+            X509v3 Subject Key Identifier: 
+                67:95:3C:20:E0:D7:34:9E:D5:30:BE:B9:73:91:6F:0D:9B:96:3F:05
     Signature Algorithm: sha256WithRSAEncryption
-         31:a7:8f:d7:dc:92:57:9a:0a:c5:7b:ae:da:0d:8d:1d:0b:b7:
-         ab:0a:a0:c6:43:e9:d2:22:00:bc:85:7c:89:21:8f:c2:e7:27:
-         46:66:d9:f2:ed:ec:78:e3:83:0f:63:38:39:af:67:07:92:4a:
-         97:99:79:68:ca:2c:17:b3:1d:40:e9:2f:74:f6:d0:fd:9b:07:
-         5a:b1:14:c5:82:10:91:3e:7f:a7:46:b8:fd:2f:1f:81:c1:81:
-         d5:d4:cb:54:45:3a:a3:0b:9b:2d:ee:dd:61:10:b9:a2:a1:09:
-         49:57:86:34:4b:b8:2b:45:2d:f7:44:b4:3f:58:09:bc:9c:a5:
-         67:41:c1:67:8e:26:85:f3:f9:10:90:8c:12:89:f9:20:0c:52:
-         d4:7e:78:44:72:2a:51:f4:f3:37:83:14:7a:75:be:32:9a:10:
-         de:cf:4e:e8:23:fb:5b:c2:10:d9:0e:a2:d7:4d:c7:68:b7:13:
-         6d:13:f7:33:32:ec:14:73:f5:3a:9b:1d:4c:62:5b:d6:60:e6:
-         8f:b1:e5:2b:08:0a:55:32:11:75:a6:d0:00:79:e7:3e:cd:79:
-         ed:d1:65:5e:6a:da:27:25:bd:ec:c9:cb:07:75:95:85:85:ef:
-         bf:9f:6e:a2:7f:f6:0d:49:cb:ae:1d:68:bb:3d:3a:39:ce:ff:
-         ad:4d:26:fa
+    Signature Value:
+        77:e7:81:56:2c:c2:10:36:0f:45:13:2c:9e:6d:9b:ef:ab:6d:
+        50:e9:5f:3e:5f:93:9e:9a:81:24:76:5f:13:d3:b5:87:d5:c5:
+        d6:e4:55:3b:c1:18:35:a1:27:aa:91:fc:90:dd:8a:c8:2e:1f:
+        1e:17:4b:20:92:6e:fb:13:40:54:02:ea:cb:be:27:cf:c5:c0:
+        a7:29:47:74:07:ff:10:a6:98:00:cd:38:19:b4:14:43:3f:ec:
+        a1:8b:ff:47:6b:2c:ae:4b:08:d5:a0:9b:95:e3:76:56:1e:05:
+        6f:26:3e:00:92:4b:4b:b8:e0:db:71:7a:61:93:72:ed:a2:f6:
+        91:13:59:cf:62:d5:03:a2:09:96:ba:27:3c:82:38:dc:2d:8c:
+        83:f9:ff:df:19:6b:a5:1a:b2:98:74:48:9f:e2:46:c7:70:3f:
+        c9:f0:ef:3b:35:3b:03:bb:f0:a6:84:6c:c1:8b:67:fc:de:c7:
+        ce:1d:2c:15:5f:46:4e:0f:b3:78:51:a1:7c:48:08:2b:c1:63:
+        e8:95:ba:41:23:96:ef:f2:9c:53:be:ed:97:19:bd:f0:2f:bc:
+        d1:16:e8:be:c4:6e:08:8f:a1:3d:95:48:c8:ea:68:4c:82:4b:
+        4c:21:da:07:60:d6:b7:6d:09:35:7d:53:83:cf:e6:49:28:00:
+        16:12:ed:17
 -----BEGIN CERTIFICATE-----
-MIID0zCCArugAwIBAgIUOFv1wGz6sClEBzxDi+AStjHwZHwwDQYJKoZIhvcNAQEL
+MIID8jCCAtqgAwIBAgIUGj7/CI9o9Oi++KJ4hpH6sQujjB8wDQYJKoZIhvcNAQEL
 BQAwYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4w
-LjAuMTAeFw0yMTEyMDExNTQyMDdaFw0zMTExMjkxNTQyMDdaMGAxCzAJBgNVBAYT
+LjAuMTAeFw0yMjEwMDMxNzIwMDlaFw0zMjA5MzAxNzIwMDlaMGAxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
 MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCo50yRoNUpETifBbhhJ3QquKqC14IgnnX
-NxmCHkv1qlb8qbQ4ZRNcq+e3+cc17rb1RPyNZ93EaaYLmW2Pym8ILRN1svCl+4zY
-zTHa8KqKrMML6VEmh3UM+yATrLrD8Qpn17az9bc+9KO8aZibI5Db/b1wau4Kh1EA
-VxW1zfxfcw3hRYfZVbjHDzXyfa82VC7dca3Shxzw9NpFaKZyhEurrRNEt66iIHrp
-GtxwWnr0rkAPWV4q+Qyok4YYzxJdTMMr3xCvwgHslEPRSt7vrh2UjQnScjO2mfu5
-DLLNtMeAgFdeBfDzC8rGy4bkWQCXIHoR7yVyi2ZR2r4DVm3lGZvJAgMBAAGjgYQw
-gYEwDwYDVR0TAQH/BAUwAwEB/zBuBgNVHREEZzBlhwR/AAAChxD+gAAAAAAAAAAA
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkQSBG7nQZLJsMLuhjG0B6dvk7M5+7YTvc
+oXH7PeTfey8PF5GIP50zk7wSKat+b0sEaDwztHkC2D3f+5ruKd4kf21JAHZdEv7U
+G/g95Qjj6iLvhX5dVeHje6GEyIcGewiX/7nLlLnENPt3Kd8j4xmWj19dzZVe8KX/
+z5G2TaaK831/+CKMyScLpTc3opnkee5tcx3JqHi6+CqqoD6LjVmHOQXx60hJRygS
+MChQgCpnO69oiL3A8TjaT9N7FYZvyLdhX8WvyjSicrBZAyyNTfLnrdDXGsyPLVzR
+QeohGumQLmOZkCgehnOVfXvX6+evKhZgONewNHFlptO9U5GZIOA5AgMBAAGjgaMw
+gaAwDwYDVR0TAQH/BAUwAwEB/zBuBgNVHREEZzBlhwR/AAAChxD+gAAAAAAAAAAA
 AAAAAAABggx0ZXN0LmV4YW1wbGWBEXRlc3RAdGVzdC5leGFtcGxloBIGAyoDBKAL
-DAlpZ25vcmUgbWWkFjAUMRIwEAYDVQQDDAkxMjcuMC4wLjMwDQYJKoZIhvcNAQEL
-BQADggEBADGnj9fckleaCsV7rtoNjR0Lt6sKoMZD6dIiALyFfIkhj8LnJ0Zm2fLt
-7Hjjgw9jODmvZweSSpeZeWjKLBezHUDpL3T20P2bB1qxFMWCEJE+f6dGuP0vH4HB
-gdXUy1RFOqMLmy3u3WEQuaKhCUlXhjRLuCtFLfdEtD9YCbycpWdBwWeOJoXz+RCQ
-jBKJ+SAMUtR+eERyKlH08zeDFHp1vjKaEN7PTugj+1vCENkOotdNx2i3E20T9zMy
-7BRz9TqbHUxiW9Zg5o+x5SsIClUyEXWm0AB55z7Nee3RZV5q2iclvezJywd1lYWF
-77+fbqJ/9g1Jy64daLs9OjnO/61NJvo=
+DAlpZ25vcmUgbWWkFjAUMRIwEAYDVQQDDAkxMjcuMC4wLjMwHQYDVR0OBBYEFGeV
+PCDg1zSe1TC+uXORbw2blj8FMA0GCSqGSIb3DQEBCwUAA4IBAQB354FWLMIQNg9F
+EyyebZvvq21Q6V8+X5OemoEkdl8T07WH1cXW5FU7wRg1oSeqkfyQ3YrILh8eF0sg
+km77E0BUAurLvifPxcCnKUd0B/8QppgAzTgZtBRDP+yhi/9HayyuSwjVoJuV43ZW
+HgVvJj4AkktLuODbcXphk3LtovaRE1nPYtUDogmWuic8gjjcLYyD+f/fGWulGrKY
+dEif4kbHcD/J8O87NTsDu/CmhGzBi2f83sfOHSwVX0ZOD7N4UaF8SAgrwWPolbpB
+I5bv8pxTvu2XGb3wL7zRFui+xG4Ij6E9lUjI6mhMgktMIdoHYNa3bQk1fVODz+ZJ
+KAAWEu0X
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/subjectAltName_www_example_com.pem b/chromium/net/data/ssl/certificates/subjectAltName_www_example_com.pem
index 52a54abe066..7ece3517441 100644
--- a/chromium/net/data/ssl/certificates/subjectAltName_www_example_com.pem
+++ b/chromium/net/data/ssl/certificates/subjectAltName_www_example_com.pem
@@ -2,75 +2,79 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            27:e4:4c:b5:76:35:23:a5:16:ed:76:90:53:b3:46:64:62:59:73:e9
+            3c:cb:fb:30:6a:43:63:80:cb:8a:91:20:df:86:df:d9:df:c5:35:d0
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Validity
-            Not Before: Dec  1 15:42:08 2021 GMT
-            Not After : Nov 29 15:42:08 2031 GMT
+            Not Before: Oct  3 17:20:09 2022 GMT
+            Not After : Sep 30 17:20:09 2032 GMT
         Subject: C = US, ST = California, L = Mountain View, O = Test CA, CN = 127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
-                    00:a6:90:88:08:48:22:2f:71:31:48:a6:dc:76:bf:
-                    33:41:89:f4:fb:14:4e:55:da:33:a8:8a:87:a5:af:
-                    56:49:97:f6:8d:5b:f8:c9:a8:c7:46:08:80:e3:dc:
-                    48:fd:13:5d:b8:1d:56:32:ba:f0:f2:69:1b:56:04:
-                    88:b0:13:68:68:8b:2c:fc:55:14:9d:c4:d4:8d:f3:
-                    7d:4d:b0:40:89:d1:2f:2f:1e:19:b8:f8:c2:a5:54:
-                    bf:1a:26:e6:42:dc:ef:de:ce:dc:6d:15:47:e4:db:
-                    5c:6e:76:c1:54:70:f7:b6:1f:eb:a7:10:9e:49:8a:
-                    aa:62:e2:e3:26:01:c8:5a:fe:f8:b8:f8:d6:13:a1:
-                    26:70:22:9f:3c:dd:ea:a0:e5:06:36:0d:7b:53:c4:
-                    73:78:d8:6a:06:eb:81:fc:15:d1:42:19:17:4d:03:
-                    4a:f8:b7:74:91:c9:3a:73:6f:1a:51:58:3c:c7:8a:
-                    ae:0e:b0:bc:c8:77:d0:4f:66:86:78:33:20:de:6a:
-                    b5:f2:d4:44:67:92:fe:d0:51:8f:08:9d:ac:12:e6:
-                    4c:46:52:22:88:d9:33:ed:2d:60:fe:18:91:77:df:
-                    3b:d0:c8:d7:78:ab:54:af:d9:48:a9:4b:0e:90:cf:
-                    ee:41:b0:1e:51:64:ee:11:8a:1a:bc:2d:07:b5:d6:
-                    8e:8f
+                    00:c3:d7:35:26:24:ab:bd:83:85:71:3e:dc:9e:41:
+                    a6:d4:bf:b9:20:c6:ca:37:f5:0e:dc:4a:23:f3:74:
+                    24:c9:7a:e2:68:0c:13:2d:11:95:cd:f9:77:61:39:
+                    db:42:c8:2c:b0:b3:eb:64:09:5c:a4:66:58:08:99:
+                    85:3c:45:a7:75:f3:08:87:90:78:bc:09:e9:29:62:
+                    54:da:15:57:4f:50:f1:6e:14:9e:f3:58:1e:d1:be:
+                    4e:a2:6f:0a:fa:1c:f5:7b:5f:05:28:74:69:6e:2a:
+                    10:fb:9b:aa:e2:30:fa:62:9a:ec:e1:28:ce:d8:38:
+                    79:99:f6:86:09:44:e4:4f:f4:39:26:04:b5:3d:4a:
+                    e4:d0:58:71:e7:24:c7:94:7d:84:68:d8:48:b3:6f:
+                    e6:99:41:e4:d7:b3:9a:d2:41:f6:14:5f:46:33:58:
+                    cb:d4:ce:2c:46:17:2a:9e:17:9c:e4:c1:bd:57:33:
+                    5a:7c:b5:31:09:59:8c:a2:de:5b:ee:9d:1b:6a:b8:
+                    ab:c0:b4:90:65:f9:2d:de:9e:d5:34:37:16:2f:84:
+                    c7:23:1e:46:0b:66:d4:7a:73:80:bc:6c:f8:20:7b:
+                    c3:6e:25:fb:27:4b:1f:82:3f:68:c6:fd:9f:a7:88:
+                    be:3e:4a:e6:53:02:04:b6:dd:5c:3c:75:b2:5b:de:
+                    7f:f3
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Alternative Name: 
                 DNS:www.example.com
+            X509v3 Subject Key Identifier: 
+                BF:A7:72:AF:07:02:68:D6:D1:00:15:E6:D3:03:9A:0E:91:38:27:2F
     Signature Algorithm: sha256WithRSAEncryption
-         a5:cb:13:11:1e:37:f4:49:05:53:95:78:cf:67:0f:11:5e:b9:
-         29:52:3c:fa:94:17:f6:df:4a:0b:52:73:cc:72:0e:f5:6f:17:
-         55:80:76:06:eb:a4:74:d1:98:d3:12:ba:40:25:a6:70:76:69:
-         c7:a3:29:8a:1f:06:41:36:6d:0b:a2:cc:4d:3c:3e:5e:3e:41:
-         24:60:d5:e2:39:27:5d:53:53:98:a7:2c:ae:49:a3:2a:dc:1f:
-         30:a6:79:73:d6:11:96:c1:8b:8e:a0:21:87:5f:d4:26:67:a3:
-         90:90:8f:17:ca:7c:30:ef:8c:eb:54:a5:ca:19:96:3f:51:cc:
-         6a:df:20:b5:98:bf:cf:32:fd:de:7f:3c:af:8f:69:be:6a:49:
-         ea:b7:1e:9d:b1:bb:62:59:3f:58:f7:70:bf:7b:48:a5:3d:04:
-         8b:9a:34:62:a5:92:fc:7e:2d:5b:4b:61:1e:6e:05:78:03:33:
-         a2:00:95:14:ba:d8:ac:01:b2:85:68:09:34:10:06:fb:5e:24:
-         97:da:27:9f:1b:45:c1:f6:1a:78:a5:18:75:d4:df:cc:e7:4d:
-         79:03:d5:8f:a7:dd:f3:f2:09:29:4a:66:03:dd:5a:02:6c:b3:
-         32:ce:43:24:93:e2:34:a0:c5:9f:34:64:bc:4f:57:87:78:bb:
-         0e:47:09:5b
+    Signature Value:
+        24:e4:5a:62:e3:13:50:78:d2:ff:c2:27:51:47:99:62:ac:93:
+        43:b1:51:6f:e5:b6:49:86:50:88:9c:88:8e:a5:00:a9:48:39:
+        b7:c5:99:41:96:83:66:1a:40:6e:06:90:48:33:9a:74:fe:d4:
+        be:29:7e:d9:4d:e3:58:0e:17:47:1b:35:14:12:a9:09:ca:07:
+        38:74:fd:59:e4:7a:b7:d8:70:91:6b:02:c9:01:97:77:59:ac:
+        27:b5:7c:38:6c:59:83:2e:15:eb:25:27:b7:63:28:39:c8:9a:
+        14:5a:4a:c9:35:b4:dd:1c:d8:a1:2d:89:12:94:ad:c2:11:70:
+        2e:cb:3f:3d:c0:ad:66:f1:da:8f:d8:db:98:02:6f:e0:46:c6:
+        c1:cb:f3:86:ed:6f:7a:b6:6d:86:7e:12:8b:74:a5:06:87:3d:
+        d8:c4:08:9d:1b:e9:55:5c:49:80:33:b5:36:ec:3e:87:7b:4e:
+        63:45:a0:28:c7:c8:ce:41:22:2b:d3:f9:3a:a5:20:ff:24:d6:
+        19:41:a6:ee:20:40:12:ad:c9:e0:be:56:0a:b7:8f:60:db:47:
+        80:50:46:f6:cf:d9:39:73:1a:25:e1:4a:62:2f:f5:5b:89:75:
+        85:f6:ea:8a:18:59:8a:9d:1b:cf:5c:d4:9c:f2:9c:cd:1b:d0:
+        e9:d8:62:5f
 -----BEGIN CERTIFICATE-----
-MIIDfTCCAmWgAwIBAgIUJ+RMtXY1I6UW7XaQU7NGZGJZc+kwDQYJKoZIhvcNAQEL
+MIIDnDCCAoSgAwIBAgIUPMv7MGpDY4DLipEg34bf2d/FNdAwDQYJKoZIhvcNAQEL
 BQAwYDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4w
-LjAuMTAeFw0yMTEyMDExNTQyMDhaFw0zMTExMjkxNTQyMDhaMGAxCzAJBgNVBAYT
+LjAuMTAeFw0yMjEwMDMxNzIwMDlaFw0zMjA5MzAxNzIwMDlaMGAxCzAJBgNVBAYT
 AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
 MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCmkIgISCIvcTFIptx2vzNBifT7FE5V2jOo
-ioelr1ZJl/aNW/jJqMdGCIDj3Ej9E124HVYyuvDyaRtWBIiwE2hoiyz8VRSdxNSN
-831NsECJ0S8vHhm4+MKlVL8aJuZC3O/eztxtFUfk21xudsFUcPe2H+unEJ5Jiqpi
-4uMmAcha/vi4+NYToSZwIp883eqg5QY2DXtTxHN42GoG64H8FdFCGRdNA0r4t3SR
-yTpzbxpRWDzHiq4OsLzId9BPZoZ4MyDearXy1ERnkv7QUY8InawS5kxGUiKI2TPt
-LWD+GJF33zvQyNd4q1Sv2UipSw6Qz+5BsB5RZO4Rihq8LQe11o6PAgMBAAGjLzAt
-MA8GA1UdEwEB/wQFMAMBAf8wGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29tMA0G
-CSqGSIb3DQEBCwUAA4IBAQClyxMRHjf0SQVTlXjPZw8RXrkpUjz6lBf230oLUnPM
-cg71bxdVgHYG66R00ZjTErpAJaZwdmnHoymKHwZBNm0LosxNPD5ePkEkYNXiOSdd
-U1OYpyyuSaMq3B8wpnlz1hGWwYuOoCGHX9QmZ6OQkI8Xynww74zrVKXKGZY/Ucxq
-3yC1mL/PMv3efzyvj2m+aknqtx6dsbtiWT9Y93C/e0ilPQSLmjRipZL8fi1bS2Ee
-bgV4AzOiAJUUutisAbKFaAk0EAb7XiSX2iefG0XB9hp4pRh11N/M5015A9WPp93z
-8gkpSmYD3VoCbLMyzkMkk+I0oMWfNGS8T1eHeLsORwlb
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD1zUmJKu9g4VxPtyeQabUv7kgxso39Q7c
+SiPzdCTJeuJoDBMtEZXN+XdhOdtCyCyws+tkCVykZlgImYU8Rad18wiHkHi8Cekp
+YlTaFVdPUPFuFJ7zWB7Rvk6ibwr6HPV7XwUodGluKhD7m6riMPpimuzhKM7YOHmZ
+9oYJRORP9DkmBLU9SuTQWHHnJMeUfYRo2Eizb+aZQeTXs5rSQfYUX0YzWMvUzixG
+FyqeF5zkwb1XM1p8tTEJWYyi3lvunRtquKvAtJBl+S3entU0NxYvhMcjHkYLZtR6
+c4C8bPgge8NuJfsnSx+CP2jG/Z+niL4+SuZTAgS23Vw8dbJb3n/zAgMBAAGjTjBM
+MA8GA1UdEwEB/wQFMAMBAf8wGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29tMB0G
+A1UdDgQWBBS/p3KvBwJo1tEAFebTA5oOkTgnLzANBgkqhkiG9w0BAQsFAAOCAQEA
+JORaYuMTUHjS/8InUUeZYqyTQ7FRb+W2SYZQiJyIjqUAqUg5t8WZQZaDZhpAbgaQ
+SDOadP7Uvil+2U3jWA4XRxs1FBKpCcoHOHT9WeR6t9hwkWsCyQGXd1msJ7V8OGxZ
+gy4V6yUnt2MoOciaFFpKyTW03RzYoS2JEpStwhFwLss/PcCtZvHaj9jbmAJv4EbG
+wcvzhu1verZthn4Si3SlBoc92MQInRvpVVxJgDO1Nuw+h3tOY0WgKMfIzkEiK9P5
+OqUg/yTWGUGm7iBAEq3J4L5WCrePYNtHgFBG9s/ZOXMaJeFKYi/1W4l1hfbqihhZ
+ip0bz1zUnPKczRvQ6dhiXw==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/test_names.pem b/chromium/net/data/ssl/certificates/test_names.pem
index 63c5ee28bab..eb8f77ccf25 100644
--- a/chromium/net/data/ssl/certificates/test_names.pem
+++ b/chromium/net/data/ssl/certificates/test_names.pem
@@ -30,16 +30,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a8
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:6c
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
-            Not Before: Dec  1 15:42:07 2021 GMT
-            Not After : Dec  1 15:42:07 2023 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Oct  2 17:20:08 2024 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:bf:62:12:5c:02:bd:66:d0:00:94:87:70:72:7f:
                     91:b5:cc:31:7e:d4:bb:ab:32:2e:c4:f1:22:db:cd:
@@ -66,49 +66,49 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 45:0D:FA:A4:6B:B9:A7:1C:93:E8:AE:AF:C4:13:39:12:D4:2F:E0:5D
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 DNS:a.test, DNS:*.a.test, DNS:b.test, DNS:*.b.test, DNS:c.test, DNS:*.c.test, DNS:d.test, DNS:*.d.test
     Signature Algorithm: sha256WithRSAEncryption
-         2d:09:f6:cc:ee:c1:5a:6f:44:e3:67:46:1c:fe:73:37:e1:5b:
-         90:62:31:70:73:98:ce:d7:f4:30:07:74:b8:ee:ce:e1:c5:e6:
-         fb:b0:78:d0:7d:95:57:4c:91:19:75:b6:45:6c:29:fd:bf:54:
-         96:d5:c2:2b:02:16:68:3d:c2:06:55:19:5a:d8:7c:b5:67:8a:
-         8c:95:57:9e:63:8f:3d:43:b6:21:65:e3:77:b8:73:3e:47:81:
-         c8:47:b5:cc:55:34:a6:dc:f4:f2:1c:c1:1f:af:ec:9d:67:01:
-         61:5a:68:99:88:b6:de:98:ec:30:38:27:c1:d8:a3:41:00:c0:
-         e1:c9:65:3c:88:e0:24:06:b2:03:f0:05:6e:47:76:3d:a7:06:
-         89:28:9f:02:ac:2f:69:7f:14:7d:2b:f2:f9:06:f3:0f:03:f0:
-         a6:04:85:d7:14:07:ec:19:d4:3c:95:c3:f2:66:74:45:c7:d0:
-         3d:fe:14:ce:9c:52:fc:49:43:f6:70:e9:bb:48:0b:ec:2b:5b:
-         10:27:8e:02:f5:b2:76:a5:d3:99:4c:5e:8d:c5:ac:ad:a3:55:
-         6e:5e:18:94:7e:fe:4a:93:ca:9a:5b:2f:2b:b8:4a:ef:b4:d5:
-         de:f7:a8:19:e7:04:07:d9:8f:9f:39:01:57:74:eb:85:e9:2b:
-         57:98:d8:23
+    Signature Value:
+        1c:4e:4c:06:fc:2a:0a:89:2e:de:21:c3:46:99:51:84:89:c0:
+        4e:66:10:73:a2:b0:cb:6b:12:e4:eb:bb:a4:56:17:2f:73:7c:
+        ea:ae:7a:a7:0a:0b:6c:4a:24:2b:f2:82:51:2d:f8:b6:d7:3c:
+        03:69:43:cd:cc:1b:85:4b:d9:c4:aa:5e:f7:c6:24:56:1a:61:
+        0e:83:89:8f:08:08:93:a9:53:d1:f9:85:e5:d1:2d:05:40:4a:
+        90:e1:36:90:3a:4b:4e:5d:ea:dd:e5:b7:ac:07:f1:62:34:6a:
+        69:0f:f0:68:cc:6a:cf:47:bd:a7:55:fd:7e:8f:bc:d5:5a:a0:
+        1e:b5:0a:e6:4b:53:8a:6f:e9:48:1b:0d:5c:ae:0a:57:07:64:
+        a6:9e:ea:68:49:76:a3:a0:20:cf:f2:cb:b6:19:2b:2f:69:3f:
+        41:50:71:27:db:32:9c:d8:4c:db:bc:c4:c2:c9:12:a4:4a:80:
+        65:71:cc:18:06:eb:3c:64:63:31:b5:d2:dc:34:d6:49:70:b0:
+        bb:98:7a:e3:e2:d4:00:4e:2a:41:7c:d4:70:93:6e:9a:12:26:
+        c8:4f:3a:e6:4a:b2:04:23:0e:c5:f6:10:d7:9b:ec:86:44:4f:
+        c0:9d:8d:d1:95:e6:4a:da:5e:81:d2:45:2f:b3:ae:97:fa:0a:
+        fd:16:c2:2f
 -----BEGIN CERTIFICATE-----
-MIIEETCCAvmgAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzqDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIxMTIwMTE1NDIwN1oXDTIzMTIwMTE1NDIwN1owYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAL9iElwCvWbQAJSHcHJ/kbXMMX7Uu6syLsTx
-ItvNhsHG/meU9VALZ0S2apxjYLzGAdpDnaXFZUfywEljMGmCWloHO31iVtK8Tupd
-daYSsT/Y1vQRxET1zlokx3r1vfmXtN55uk79PFtrbvW59HNuaL0R2yMvTt/5kZvM
-PaH+2GYBNxEge9wNo2WaTyCmJEmVmfUo101hLkxrmzxb110aQsWpG309ttaQErsR
-1hXaD7UK92LYaMK0RfX3ifcB3H5R48ChcB2MaQAhFlKy6l3xFwmSnK34zdYI+GAc
-BmK1/Vq2L+eBxMgf/GF7nctHjDvNQHpapJM3j/exihT1qKSX3JkCAwEAAaOBwzCB
-wDAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRFDfqka7mnHJPorq/EEzkS1C/gXTAf
-BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
-BQcDAQYIKwYBBQUHAwIwUQYDVR0RBEowSIIGYS50ZXN0gggqLmEudGVzdIIGYi50
-ZXN0gggqLmIudGVzdIIGYy50ZXN0gggqLmMudGVzdIIGZC50ZXN0gggqLmQudGVz
-dDANBgkqhkiG9w0BAQsFAAOCAQEALQn2zO7BWm9E42dGHP5zN+FbkGIxcHOYztf0
-MAd0uO7O4cXm+7B40H2VV0yRGXW2RWwp/b9UltXCKwIWaD3CBlUZWth8tWeKjJVX
-nmOPPUO2IWXjd7hzPkeByEe1zFU0ptz08hzBH6/snWcBYVpomYi23pjsMDgnwdij
-QQDA4cllPIjgJAayA/AFbkd2PacGiSifAqwvaX8UfSvy+QbzDwPwpgSF1xQH7BnU
-PJXD8mZ0RcfQPf4UzpxS/ElD9nDpu0gL7CtbECeOAvWydqXTmUxejcWsraNVbl4Y
-lH7+SpPKmlsvK7hK77TV3veoGecEB9mPnzkBV3TrhekrV5jYIw==
+MIIEEjCCAvqgAwIBAgIRALBrk5LjXI1+7Z3IllnFwmwwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMjEwMDMxNzIwMDhaFw0yNDEwMDIxNzIwMDhaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/YhJcAr1m0ACUh3Byf5G1zDF+1LurMi7E
+8SLbzYbBxv5nlPVQC2dEtmqcY2C8xgHaQ52lxWVH8sBJYzBpglpaBzt9YlbSvE7q
+XXWmErE/2Nb0EcRE9c5aJMd69b35l7TeebpO/Txba271ufRzbmi9EdsjL07f+ZGb
+zD2h/thmATcRIHvcDaNlmk8gpiRJlZn1KNdNYS5Ma5s8W9ddGkLFqRt9PbbWkBK7
+EdYV2g+1Cvdi2GjCtEX194n3Adx+UePAoXAdjGkAIRZSsupd8RcJkpyt+M3WCPhg
+HAZitf1ati/ngcTIH/xhe53LR4w7zUB6WqSTN4/3sYoU9aikl9yZAgMBAAGjgcMw
+gcAwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQURQ36pGu5pxyT6K6vxBM5EtQv4F0w
+HwYDVR0jBBgwFoAUmyYLipipux25HxzjGkAz7Y4XiKswHQYDVR0lBBYwFAYIKwYB
+BQUHAwEGCCsGAQUFBwMCMFEGA1UdEQRKMEiCBmEudGVzdIIIKi5hLnRlc3SCBmIu
+dGVzdIIIKi5iLnRlc3SCBmMudGVzdIIIKi5jLnRlc3SCBmQudGVzdIIIKi5kLnRl
+c3QwDQYJKoZIhvcNAQELBQADggEBABxOTAb8KgqJLt4hw0aZUYSJwE5mEHOisMtr
+EuTru6RWFy9zfOqueqcKC2xKJCvyglEt+LbXPANpQ83MG4VL2cSqXvfGJFYaYQ6D
+iY8ICJOpU9H5heXRLQVASpDhNpA6S05d6t3lt6wH8WI0amkP8GjMas9HvadV/X6P
+vNVaoB61CuZLU4pv6UgbDVyuClcHZKae6mhJdqOgIM/yy7YZKy9pP0FQcSfbMpzY
+TNu8xMLJEqRKgGVxzBgG6zxkYzG10tw01klwsLuYeuPi1ABOKkF81HCTbpoSJshP
+OuZKsgQjDsX2ENeb7IZET8CdjdGV5kraXoHSRS+zrpf6Cv0Wwi8=
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/thepaverbros.com.pem b/chromium/net/data/ssl/certificates/thepaverbros.com.pem
deleted file mode 100644
index 77b7b5134ac..00000000000
--- a/chromium/net/data/ssl/certificates/thepaverbros.com.pem
+++ /dev/null
@@ -1,346 +0,0 @@
-===========================================
-Certificate0: b71f915383e7212f48e9565d319d88b36fa41a0d993ee8dbef18bd087fab398e
-===========================================
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            b1:92:b3:6c:b6:9a:ed:66
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-        Validity
-            Not Before: Feb 22 00:03:48 2022 GMT
-            Not After : Mar 26 00:03:48 2023 GMT
-        Subject: CN = thepaverbros.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:ad:ad:8e:e5:27:d1:3a:ab:c6:40:d8:6d:24:19:
-                    89:79:14:9e:5a:9c:9b:4b:45:e2:1e:c5:f5:5f:8d:
-                    ee:ea:c6:1c:d7:43:f3:8b:10:a0:c5:3d:c5:7a:f9:
-                    d4:7c:d1:50:7a:c4:6c:a3:f7:1f:1b:80:1d:3c:af:
-                    da:c7:28:3a:63:a9:c9:c7:33:22:be:4a:67:8e:c0:
-                    bd:48:8d:99:41:0d:da:01:e1:cd:05:92:32:b7:d0:
-                    bf:23:ea:a8:2c:e4:02:99:d5:59:a0:11:7b:62:19:
-                    98:b2:48:cb:49:4b:8f:94:d1:06:af:b2:f7:3e:ba:
-                    a3:17:c4:18:47:87:a5:59:8b:36:f4:b6:a1:f2:e9:
-                    c5:e0:94:8e:3d:fb:e6:c0:90:18:ed:84:2b:ce:fc:
-                    ea:dd:5d:1f:ca:dc:17:21:05:9b:8a:ce:2e:e7:a9:
-                    79:b1:eb:3c:41:7c:6a:00:cb:b6:60:82:dc:3d:96:
-                    cb:30:c1:04:dd:ce:d8:00:fb:0e:8c:4b:3f:ba:be:
-                    c8:4b:42:13:5c:24:9e:8e:73:5b:a0:e3:99:a8:06:
-                    44:8c:4a:c5:aa:d5:5d:32:cc:56:61:3d:9f:3c:20:
-                    1a:5f:17:c8:30:fb:1d:fa:c7:54:3a:c2:bc:d9:6d:
-                    4d:bf:75:4a:b0:3d:55:7d:a2:1e:f4:2b:96:7c:bb:
-                    04:01
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Key Usage: critical
-                Digital Signature, Key Encipherment
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.godaddy.com/gdig2s1-3856.crl
-
-            X509v3 Certificate Policies: 
-                Policy: 2.16.840.1.114413.1.7.23.1
-                  CPS: http://certificates.godaddy.com/repository/
-                Policy: 2.23.140.1.2.1
-
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.godaddy.com/
-                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
-
-            X509v3 Authority Key Identifier: 
-                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
-
-            X509v3 Subject Alternative Name: 
-                DNS:thepaverbros.com, DNS:www.thepaverbros.com
-            X509v3 Subject Key Identifier: 
-                B2:CC:1E:16:DC:9F:4E:C4:86:8B:B2:37:04:A8:74:1F:EE:F1:FB:B0
-            CT Precertificate SCTs: 
-                Signed Certificate Timestamp:
-                    Version   : v1 (0x0)
-                    Log ID    : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
-                                03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
-                    Timestamp : Feb 22 00:03:49.647 2022 GMT
-                    Extensions: none
-                    Signature : ecdsa-with-SHA256
-                                30:44:02:20:11:5D:B2:91:51:83:B4:C0:5D:5B:5C:3A:
-                                C6:47:1A:E2:F9:AF:52:C9:A2:D3:54:EC:97:38:B4:91:
-                                F7:56:5D:CA:02:20:2A:49:08:BE:30:F5:72:1F:3D:C6:
-                                DC:15:C0:3F:14:5D:28:06:8A:46:5D:5E:43:D5:45:1B:
-                                A9:DD:55:D4:52:C7
-                Signed Certificate Timestamp:
-                    Version   : v1 (0x0)
-                    Log ID    : 35:CF:19:1B:BF:B1:6C:57:BF:0F:AD:4C:6D:42:CB:BB:
-                                B6:27:20:26:51:EA:3F:E1:2A:EF:A8:03:C3:3B:D6:4C
-                    Timestamp : Feb 22 00:03:49.984 2022 GMT
-                    Extensions: none
-                    Signature : ecdsa-with-SHA256
-                                30:44:02:20:2F:C2:87:C2:D8:43:19:B6:6B:1C:99:A1:
-                                F3:C9:59:42:4A:B4:03:CB:F7:AC:3A:BB:A2:F2:18:23:
-                                B3:8D:94:D8:02:20:72:5F:56:33:CE:5D:A1:10:8F:23:
-                                B1:6D:18:E1:BC:F4:81:6A:B4:8A:EF:81:C1:2F:72:27:
-                                D2:4C:D1:1A:3C:01
-                Signed Certificate Timestamp:
-                    Version   : v1 (0x0)
-                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
-                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
-                    Timestamp : Feb 22 00:03:50.108 2022 GMT
-                    Extensions: none
-                    Signature : ecdsa-with-SHA256
-                                30:44:02:20:4B:35:3F:6E:2A:B2:E0:53:7B:98:11:E0:
-                                99:3F:62:E4:65:98:6E:55:B9:2D:E4:72:0D:C3:91:2F:
-                                C1:BE:E0:8C:02:20:67:C8:85:18:E1:B4:16:1F:7E:7E:
-                                72:93:08:7D:89:A7:6A:CC:B7:BA:B8:B2:AC:78:3D:EA:
-                                C6:3D:9B:25:A1:BE
-    Signature Algorithm: sha256WithRSAEncryption
-         27:17:ab:39:12:97:02:4c:a1:3b:ff:90:25:d9:50:93:c2:c5:
-         78:f3:18:28:24:76:60:a7:0e:94:12:3f:07:63:67:3d:22:5d:
-         41:dd:e1:61:e0:cc:be:e0:c8:18:d8:06:ff:29:45:05:dd:15:
-         16:c1:a1:4a:92:b9:da:a9:d5:55:e4:e0:67:7c:d5:f2:5f:67:
-         80:f9:77:bd:0c:67:f4:0e:10:da:a4:5a:e6:1f:5f:fa:59:16:
-         71:f6:33:a9:32:93:c9:72:ba:5d:54:04:82:20:5f:f8:0f:52:
-         e4:87:c8:34:3a:68:5d:26:b8:42:d9:ae:e2:5c:9d:50:f2:53:
-         4f:47:23:3f:6f:87:15:80:47:34:94:4d:49:35:78:f9:12:94:
-         50:b9:6b:dc:6e:91:ae:22:ff:0c:da:10:56:e7:47:81:03:f6:
-         de:87:4c:a8:50:a3:dd:97:01:bb:28:4f:13:60:b8:68:fd:1b:
-         ef:55:87:ee:e9:2c:ed:f5:c4:c6:7e:c6:5c:44:92:6e:24:ec:
-         01:41:ea:49:35:0a:23:d7:55:ca:68:18:ca:03:fc:f8:ea:af:
-         52:41:11:db:76:46:9b:31:d1:1b:db:82:db:4e:70:2a:93:aa:
-         22:92:b0:6b:41:fa:08:58:3e:8e:d7:74:92:8a:cc:2f:d6:89:
-         f9:54:2d:b3
-
------BEGIN CERTIFICATE-----
-MIIGmTCCBYGgAwIBAgIJALGSs2y2mu1mMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
-VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
-MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
-cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
-dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIyMDIyMjAwMDM0OFoX
-DTIzMDMyNjAwMDM0OFowGzEZMBcGA1UEAxMQdGhlcGF2ZXJicm9zLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2tjuUn0TqrxkDYbSQZiXkUnlqc
-m0tF4h7F9V+N7urGHNdD84sQoMU9xXr51HzRUHrEbKP3HxuAHTyv2scoOmOpyccz
-Ir5KZ47AvUiNmUEN2gHhzQWSMrfQvyPqqCzkApnVWaARe2IZmLJIy0lLj5TRBq+y
-9z66oxfEGEeHpVmLNvS2ofLpxeCUjj375sCQGO2EK8786t1dH8rcFyEFm4rOLuep
-ebHrPEF8agDLtmCC3D2WyzDBBN3O2AD7DoxLP7q+yEtCE1wkno5zW6DjmagGRIxK
-xarVXTLMVmE9nzwgGl8XyDD7HfrHVDrCvNltTb91SrA9VX2iHvQrlny7BAECAwEA
-AaOCA0QwggNAMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
-AQUFBwMCMA4GA1UdDwEB/wQEAwIFoDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8v
-Y3JsLmdvZGFkZHkuY29tL2dkaWcyczEtMzg1Ni5jcmwwXQYDVR0gBFYwVDBIBgtg
-hkgBhv1tAQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdv
-ZGFkZHkuY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgw
-JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcw
-AoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dk
-aWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjAxBgNVHREE
-KjAoghB0aGVwYXZlcmJyb3MuY29tghR3d3cudGhlcGF2ZXJicm9zLmNvbTAdBgNV
-HQ4EFgQUssweFtyfTsSGi7I3BKh0H+7x+7AwggF7BgorBgEEAdZ5AgQCBIIBawSC
-AWcBZQB1AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABfx69zQ8A
-AAQDAEYwRAIgEV2ykVGDtMBdW1w6xkca4vmvUsmi01Tslzi0kfdWXcoCICpJCL4w
-9XIfPcbcFcA/FF0oBopGXV5D1UUbqd1V1FLHAHUANc8ZG7+xbFe/D61MbULLu7Yn
-ICZR6j/hKu+oA8M71kwAAAF/Hr3OYAAABAMARjBEAiAvwofC2EMZtmscmaHzyVlC
-SrQDy/esOrui8hgjs42U2AIgcl9WM85doRCPI7FtGOG89IFqtIrvgcEvcifSTNEa
-PAEAdQB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAX8evc7cAAAE
-AwBGMEQCIEs1P24qsuBTe5gR4Jk/YuRlmG5VuS3kcg3DkS/BvuCMAiBnyIUY4bQW
-H35+cpMIfYmnasy3uriyrHg96sY9myWhvjANBgkqhkiG9w0BAQsFAAOCAQEAJxer
-ORKXAkyhO/+QJdlQk8LFePMYKCR2YKcOlBI/B2NnPSJdQd3hYeDMvuDIGNgG/ylF
-Bd0VFsGhSpK52qnVVeTgZ3zV8l9ngPl3vQxn9A4Q2qRa5h9f+lkWcfYzqTKTyXK6
-XVQEgiBf+A9S5IfINDpoXSa4Qtmu4lydUPJTT0cjP2+HFYBHNJRNSTV4+RKUULlr
-3G6RriL/DNoQVudHgQP23odMqFCj3ZcBuyhPE2C4aP0b71WH7uks7fXExn7GXESS
-biTsAUHqSTUKI9dVymgYygP8+OqvUkER23ZGmzHRG9uC205wKpOqIpKwa0H6CFg+
-jtd0korML9aJ+VQtsw==
------END CERTIFICATE-----
-
-===========================================
-Certificate1: 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
-===========================================
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 7 (0x7)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-        Validity
-            Not Before: May  3 07:00:00 2011 GMT
-            Not After : May  3 07:00:00 2031 GMT
-        Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:b9:e0:cb:10:d4:af:76:bd:d4:93:62:eb:30:64:
-                    b8:81:08:6c:c3:04:d9:62:17:8e:2f:ff:3e:65:cf:
-                    8f:ce:62:e6:3c:52:1c:da:16:45:4b:55:ab:78:6b:
-                    63:83:62:90:ce:0f:69:6c:99:c8:1a:14:8b:4c:cc:
-                    45:33:ea:88:dc:9e:a3:af:2b:fe:80:61:9d:79:57:
-                    c4:cf:2e:f4:3f:30:3c:5d:47:fc:9a:16:bc:c3:37:
-                    96:41:51:8e:11:4b:54:f8:28:be:d0:8c:be:f0:30:
-                    38:1e:f3:b0:26:f8:66:47:63:6d:de:71:26:47:8f:
-                    38:47:53:d1:46:1d:b4:e3:dc:00:ea:45:ac:bd:bc:
-                    71:d9:aa:6f:00:db:db:cd:30:3a:79:4f:5f:4c:47:
-                    f8:1d:ef:5b:c2:c4:9d:60:3b:b1:b2:43:91:d8:a4:
-                    33:4e:ea:b3:d6:27:4f:ad:25:8a:a5:c6:f4:d5:d0:
-                    a6:ae:74:05:64:57:88:b5:44:55:d4:2d:2a:3a:3e:
-                    f8:b8:bd:e9:32:0a:02:94:64:c4:16:3a:50:f1:4a:
-                    ae:e7:79:33:af:0c:20:07:7f:e8:df:04:39:c2:69:
-                    02:6c:63:52:fa:77:c1:1b:c8:74:87:c8:b9:93:18:
-                    50:54:35:4b:69:4e:bc:3b:d3:49:2e:1f:dc:c1:d2:
-                    52:fb
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
-            X509v3 Authority Key Identifier: 
-                keyid:3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
-
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.godaddy.com/
-
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.godaddy.com/gdroot-g2.crl
-
-            X509v3 Certificate Policies: 
-                Policy: X509v3 Any Policy
-                  CPS: https://certs.godaddy.com/repository/
-
-    Signature Algorithm: sha256WithRSAEncryption
-         08:7e:6c:93:10:c8:38:b8:96:a9:90:4b:ff:a1:5f:4f:04:ef:
-         6c:3e:9c:88:06:c9:50:8f:a6:73:f7:57:31:1b:be:bc:e4:2f:
-         db:f8:ba:d3:5b:e0:b4:e7:e6:79:62:0e:0c:a2:d7:6a:63:73:
-         31:b5:f5:a8:48:a4:3b:08:2d:a2:5d:90:d7:b4:7c:25:4f:11:
-         56:30:c4:b6:44:9d:7b:2c:9d:e5:5e:e6:ef:0c:61:aa:bf:e4:
-         2a:1b:ee:84:9e:b8:83:7d:c1:43:ce:44:a7:13:70:0d:91:1f:
-         f4:c8:13:ad:83:60:d9:d8:72:a8:73:24:1e:b5:ac:22:0e:ca:
-         17:89:62:58:44:1b:ab:89:25:01:00:0f:cd:c4:1b:62:db:51:
-         b4:d3:0f:51:2a:9b:f4:bc:73:fc:76:ce:36:a4:cd:d9:d8:2c:
-         ea:ae:9b:f5:2a:b2:90:d1:4d:75:18:8a:3f:8a:41:90:23:7d:
-         5b:4b:fe:a4:03:58:9b:46:b2:c3:60:60:83:f8:7d:50:41:ce:
-         c2:a1:90:c3:bb:ef:02:2f:d2:15:54:ee:44:15:d9:0a:ae:a7:
-         8a:33:ed:b1:2d:76:36:26:dc:04:eb:9f:f7:61:1f:15:dc:87:
-         6f:ee:46:96:28:ad:a1:26:7d:0a:09:a7:2e:04:a3:8d:bc:f8:
-         bc:04:30:01
-
------BEGIN CERTIFICATE-----
-MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
-MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
-CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
-EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
-BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
-K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
-cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
-pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
-eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
-AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
-HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
-9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
-b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
-b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
-CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
-MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
-91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
-RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
-DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
-GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
-LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
------END CERTIFICATE-----
-
-===========================================
-Certificate2: 45140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda
-===========================================
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-        Validity
-            Not Before: Sep  1 00:00:00 2009 GMT
-            Not After : Dec 31 23:59:59 2037 GMT
-        Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:bf:71:62:08:f1:fa:59:34:f7:1b:c9:18:a3:f7:
-                    80:49:58:e9:22:83:13:a6:c5:20:43:01:3b:84:f1:
-                    e6:85:49:9f:27:ea:f6:84:1b:4e:a0:b4:db:70:98:
-                    c7:32:01:b1:05:3e:07:4e:ee:f4:fa:4f:2f:59:30:
-                    22:e7:ab:19:56:6b:e2:80:07:fc:f3:16:75:80:39:
-                    51:7b:e5:f9:35:b6:74:4e:a9:8d:82:13:e4:b6:3f:
-                    a9:03:83:fa:a2:be:8a:15:6a:7f:de:0b:c3:b6:19:
-                    14:05:ca:ea:c3:a8:04:94:3b:46:7c:32:0d:f3:00:
-                    66:22:c8:8d:69:6d:36:8c:11:18:b7:d3:b2:1c:60:
-                    b4:38:fa:02:8c:ce:d3:dd:46:07:de:0a:3e:eb:5d:
-                    7c:c8:7c:fb:b0:2b:53:a4:92:62:69:51:25:05:61:
-                    1a:44:81:8c:2c:a9:43:96:23:df:ac:3a:81:9a:0e:
-                    29:c5:1c:a9:e9:5d:1e:b6:9e:9e:30:0a:39:ce:f1:
-                    88:80:fb:4b:5d:cc:32:ec:85:62:43:25:34:02:56:
-                    27:01:91:b4:3b:70:2a:3f:6e:b1:e8:9c:88:01:7d:
-                    9f:d4:f9:db:53:6d:60:9d:bf:2c:e7:58:ab:b8:5f:
-                    46:fc:ce:c4:1b:03:3c:09:eb:49:31:5c:69:46:b3:
-                    e0:47
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
-    Signature Algorithm: sha256WithRSAEncryption
-         99:db:5d:79:d5:f9:97:59:67:03:61:f1:7e:3b:06:31:75:2d:
-         a1:20:8e:4f:65:87:b4:f7:a6:9c:bc:d8:e9:2f:d0:db:5a:ee:
-         cf:74:8c:73:b4:38:42:da:05:7b:f8:02:75:b8:fd:a5:b1:d7:
-         ae:f6:d7:de:13:cb:53:10:7e:8a:46:d1:97:fa:b7:2e:2b:11:
-         ab:90:b0:27:80:f9:e8:9f:5a:e9:37:9f:ab:e4:df:6c:b3:85:
-         17:9d:3d:d9:24:4f:79:91:35:d6:5f:04:eb:80:83:ab:9a:02:
-         2d:b5:10:f4:d8:90:c7:04:73:40:ed:72:25:a0:a9:9f:ec:9e:
-         ab:68:12:99:57:c6:8f:12:3a:09:a4:bd:44:fd:06:15:37:c1:
-         9b:e4:32:a3:ed:38:e8:d8:64:f3:2c:7e:14:fc:02:ea:9f:cd:
-         ff:07:68:17:db:22:90:38:2d:7a:8d:d1:54:f1:69:e3:5f:33:
-         ca:7a:3d:7b:0a:e3:ca:7f:5f:39:e5:e2:75:ba:c5:76:18:33:
-         ce:2c:f0:2f:4c:ad:f7:b1:e7:ce:4f:a8:c4:9b:4a:54:06:c5:
-         7f:7d:d5:08:0f:e2:1c:fe:7e:17:b8:ac:5e:f6:d4:16:b2:43:
-         09:0c:4d:f6:a7:6b:b4:99:84:65:ca:7a:88:e2:e2:44:be:5c:
-         f7:ea:1c:f5
-
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
-NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
-AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
-E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
-/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
-DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
-GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
-tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
-AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
-FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
-WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
-9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
-gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
-2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
-LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
-4uJEvlz36hz1
------END CERTIFICATE-----
-
diff --git a/chromium/net/data/ssl/certificates/wildcard.pem b/chromium/net/data/ssl/certificates/wildcard.pem
index a31d1084137..2c3692e299e 100644
--- a/chromium/net/data/ssl/certificates/wildcard.pem
+++ b/chromium/net/data/ssl/certificates/wildcard.pem
@@ -30,16 +30,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a3
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:67
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
-            Not Before: Dec  1 15:42:07 2021 GMT
-            Not After : Nov 29 15:42:07 2031 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Sep 30 17:20:08 2032 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:ad:1d:94:c0:c4:80:25:08:b1:7e:55:46:25:be:
                     65:bd:c2:ff:95:8e:b5:35:c6:e3:c8:46:8f:cd:23:
@@ -66,48 +66,48 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 E7:1B:C5:0D:E7:ED:C7:2B:2E:95:91:40:77:5A:57:DE:1C:F4:D7:FE
             X509v3 Authority Key Identifier: 
-                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
-
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 DNS:*.example.org
     Signature Algorithm: sha256WithRSAEncryption
-         1b:4c:3b:40:2c:3d:60:30:03:17:bd:79:83:3c:d3:0d:10:fe:
-         72:38:61:69:4a:5b:88:f1:cc:23:da:1f:83:02:d6:bd:ac:87:
-         82:95:7f:9d:4f:ae:b0:ca:c4:59:e9:42:29:bb:28:b3:af:d3:
-         30:95:58:3c:c4:38:a0:7c:dc:78:99:97:5b:02:a3:89:e6:58:
-         0d:96:d0:ab:b6:cb:f5:c8:0f:0c:05:7d:27:4e:ef:6f:a7:7b:
-         04:4c:27:05:92:01:1e:21:47:fc:0a:35:64:c8:00:02:72:98:
-         35:1e:b4:15:64:48:fb:0f:af:34:f2:7a:a6:57:2d:2b:16:4d:
-         b8:a0:54:7d:b0:18:19:bc:4e:c3:83:5c:10:fc:74:dc:90:6e:
-         dc:14:36:cf:9c:e9:e2:92:7e:db:a6:d1:0a:78:68:65:8a:1a:
-         b0:fa:0c:6a:41:ca:d4:f4:4b:e2:8a:6b:59:77:3d:15:eb:c1:
-         68:be:f5:c7:75:2d:05:33:4d:e1:af:cb:c1:e8:21:2f:fd:be:
-         49:11:e2:f1:6c:0b:65:51:10:f9:1b:87:f1:c4:7d:bc:53:e1:
-         2f:f4:90:66:fd:ec:c6:6e:a1:68:26:fc:5c:b1:3d:8f:c6:c1:
-         41:54:27:d6:75:47:7a:78:6d:ac:b3:53:ea:60:18:a1:5c:84:
-         58:13:ba:44
+    Signature Value:
+        3b:28:28:79:3c:bf:0e:3f:54:71:1e:0b:cb:1d:96:15:b4:9e:
+        34:1a:ea:ce:ad:4a:63:41:6f:bc:c3:0b:c6:89:db:23:72:88:
+        85:cf:cf:43:c3:ba:49:aa:dd:a9:4b:ed:da:ce:17:e0:c9:ee:
+        c2:f2:38:2e:0a:e5:b6:85:58:2a:89:25:36:da:ba:17:e7:1e:
+        eb:63:ee:be:83:ce:ce:05:f7:2a:96:18:a6:fd:20:50:5b:9a:
+        8d:1c:6e:11:f2:8e:11:c3:ae:86:5f:4d:d0:68:45:be:99:a9:
+        3b:87:eb:a8:e6:99:62:f9:ea:8f:03:12:91:47:df:58:46:11:
+        66:c1:57:9c:a5:a5:d2:75:ce:c8:8c:63:79:19:17:30:03:2e:
+        58:3a:cf:82:63:e9:7f:9a:c2:8d:e2:4a:dc:7f:5d:3b:40:10:
+        38:a4:45:46:3f:95:5c:48:97:7e:4e:85:82:48:e9:aa:89:c0:
+        77:d8:f3:16:b3:7a:4d:bb:82:84:e8:54:59:dc:5b:97:3f:83:
+        b3:bd:f1:84:31:ae:02:17:92:84:e9:db:06:c0:97:0c:02:2b:
+        4b:d7:99:7f:d7:9e:9a:3d:99:06:5e:3d:74:f6:b4:1f:22:f0:
+        27:cb:4c:1f:ae:c4:24:c8:1a:9a:8d:21:7b:db:32:88:5d:a6:
+        72:b4:5e:70
 -----BEGIN CERTIFICATE-----
-MIID2DCCAsCgAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzozANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIxMTIwMTE1NDIwN1oXDTMxMTEyOTE1NDIwN1owYDELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAK0dlMDEgCUIsX5VRiW+Zb3C/5WOtTXG48hG
-j80jPITO7IHvIVWUj7+hoSdk2Vbl/aD6c8SwUoJ2t70Dsrzt6G34HxFgOjBN1Cp+
-A4M4Qg5ZnwxMvVap6db4MqXrE2dVAqiDpN0L36EP8BhhOKf3gO4evZULbO8TOuOy
-mruR/4WVONT4xPzq2hL+35wuEGnAE9suYfXwsSzn331oR1S0VnBwkxNBPWL0+pik
-3CIMpP18iEwMihr0K6bJj6BPu1D60aWiM1AgKzBT31QuJLYoiDUnEVD8omimuhOc
-W7GDBACDuIaYnH861xd26zsd07qYgQX9DiXvkodoNaltFOX3Yb0CAwEAAaOBijCB
-hzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTnG8UN5+3HKy6VkUB3WlfeHPTX/jAf
-BgNVHSMEGDAWgBSbJguKmKm7HbkfHOMaQDPtjheIqzAdBgNVHSUEFjAUBggrBgEF
-BQcDAQYIKwYBBQUHAwIwGAYDVR0RBBEwD4INKi5leGFtcGxlLm9yZzANBgkqhkiG
-9w0BAQsFAAOCAQEAG0w7QCw9YDADF715gzzTDRD+cjhhaUpbiPHMI9ofgwLWvayH
-gpV/nU+usMrEWelCKbsos6/TMJVYPMQ4oHzceJmXWwKjieZYDZbQq7bL9cgPDAV9
-J07vb6d7BEwnBZIBHiFH/Ao1ZMgAAnKYNR60FWRI+w+vNPJ6plctKxZNuKBUfbAY
-GbxOw4NcEPx03JBu3BQ2z5zp4pJ+26bRCnhoZYoasPoMakHK1PRL4oprWXc9FevB
-aL71x3UtBTNN4a/LweghL/2+SRHi8WwLZVEQ+RuH8cR9vFPhL/SQZv3sxm6haCb8
-XLE9j8bBQVQn1nVHenhtrLNT6mAYoVyEWBO6RA==
+MIID2TCCAsGgAwIBAgIRALBrk5LjXI1+7Z3IllnFwmcwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMjEwMDMxNzIwMDhaFw0zMjA5MzAxNzIwMDhaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtHZTAxIAlCLF+VUYlvmW9wv+VjrU1xuPI
+Ro/NIzyEzuyB7yFVlI+/oaEnZNlW5f2g+nPEsFKCdre9A7K87eht+B8RYDowTdQq
+fgODOEIOWZ8MTL1WqenW+DKl6xNnVQKog6TdC9+hD/AYYTin94DuHr2VC2zvEzrj
+spq7kf+FlTjU+MT86toS/t+cLhBpwBPbLmH18LEs5999aEdUtFZwcJMTQT1i9PqY
+pNwiDKT9fIhMDIoa9CumyY+gT7tQ+tGlojNQICswU99ULiS2KIg1JxFQ/KJoproT
+nFuxgwQAg7iGmJx/OtcXdus7HdO6mIEF/Q4l75KHaDWpbRTl92G9AgMBAAGjgYow
+gYcwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU5xvFDeftxysulZFAd1pX3hz01/4w
+HwYDVR0jBBgwFoAUmyYLipipux25HxzjGkAz7Y4XiKswHQYDVR0lBBYwFAYIKwYB
+BQUHAwEGCCsGAQUFBwMCMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5vcmcwDQYJKoZI
+hvcNAQELBQADggEBADsoKHk8vw4/VHEeC8sdlhW0njQa6s6tSmNBb7zDC8aJ2yNy
+iIXPz0PDukmq3alL7drOF+DJ7sLyOC4K5baFWCqJJTbauhfnHutj7r6Dzs4F9yqW
+GKb9IFBbmo0cbhHyjhHDroZfTdBoRb6ZqTuH66jmmWL56o8DEpFH31hGEWbBV5yl
+pdJ1zsiMY3kZFzADLlg6z4Jj6X+awo3iStx/XTtAEDikRUY/lVxIl35OhYJI6aqJ
+wHfY8xazek27goToVFncW5c/g7O98YQxrgIXkoTp2wbAlwwCK0vXmX/Xnpo9mQZe
+PXT2tB8i8CfLTB+uxCTIGpqNIXvbMohdpnK0XnA=
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/x509_verify_results.chain.pem b/chromium/net/data/ssl/certificates/x509_verify_results.chain.pem
index c27a50da992..30c06eed2df 100644
--- a/chromium/net/data/ssl/certificates/x509_verify_results.chain.pem
+++ b/chromium/net/data/ssl/certificates/x509_verify_results.chain.pem
@@ -2,16 +2,16 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            e3:e2:72:2a:fb:6d:e8:f9:5d:db:93:27:30:f9:d8:e5
+            9c:ac:13:39:97:f9:d0:e4:e8:7f:a3:f1:71:92:32:fa
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Intermediate CA
         Validity
-            Not Before: Dec  1 15:42:07 2021 GMT
-            Not After : Dec  1 15:42:07 2023 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Oct  2 17:20:08 2024 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:e0:53:f4:f3:98:c1:14:33:02:c8:a4:6d:fe:aa:
                     2a:f7:94:3d:a6:6f:00:df:3b:de:4c:9f:a3:ea:07:
@@ -38,33 +38,33 @@ Certificate:
             X509v3 Subject Key Identifier: 
                 E2:E0:A4:73:95:9B:E9:6E:FD:CE:29:C4:6F:07:81:0B:96:BD:47:BA
             X509v3 Authority Key Identifier: 
-                keyid:17:5C:45:F3:D0:AC:1C:10:4C:8B:43:44:20:C4:DD:93:C5:C5:19:3B
-
+                17:5C:45:F3:D0:AC:1C:10:4C:8B:43:44:20:C4:DD:93:C5:C5:19:3B
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Alternative Name: 
                 IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         92:02:42:eb:93:af:3b:ae:72:a5:0b:d0:fc:05:62:4c:fa:29:
-         cf:0e:bd:32:1b:e7:c2:fc:42:e6:b9:04:32:2d:e1:61:68:43:
-         4f:d7:a3:a7:9a:3d:a0:1b:07:09:13:5d:ce:82:49:cb:20:9e:
-         cd:2a:32:18:cc:61:c2:42:45:31:dc:14:e5:fd:c5:66:00:12:
-         ba:ba:a1:51:71:65:63:d7:22:4c:ec:6d:28:36:0f:e5:70:5c:
-         0d:30:c7:75:8b:7f:99:d7:57:74:c0:63:5b:ee:9f:5f:d6:88:
-         96:d2:12:cf:de:48:64:0a:c2:9c:82:35:61:0c:6c:8c:3d:28:
-         0d:27:c4:db:7b:bf:93:f7:06:7d:3f:76:37:22:62:b5:aa:f9:
-         95:e5:c4:06:dd:af:39:7b:ab:23:d7:29:93:6c:63:2b:0a:d4:
-         08:15:a6:2a:c7:77:d1:c9:e9:4e:35:77:75:e2:38:17:30:f5:
-         b2:b0:f1:5a:04:3d:ac:3c:b4:b1:4c:de:c0:f8:58:ab:ef:a6:
-         56:3b:98:41:72:25:7d:02:60:22:70:0b:98:2b:1a:e0:f5:4d:
-         46:a8:94:e2:cc:0b:5e:fe:89:a9:32:29:b9:20:94:90:8f:2b:
-         24:c6:e6:21:df:00:8e:fb:f7:8f:0b:49:0b:35:7b:14:f8:22:
-         1a:a1:f8:c0
+    Signature Value:
+        93:a1:82:4b:78:ce:18:3a:0a:ae:c8:3b:04:4a:1e:2a:e0:e8:
+        c3:dd:15:cb:ed:4f:23:09:b8:d4:49:4f:3b:2c:98:bf:bd:7a:
+        4e:de:6b:48:93:0c:17:50:d5:df:b0:8a:95:3a:f4:d2:3c:c4:
+        71:cd:fc:d3:72:b1:99:dd:5c:82:74:df:42:d9:51:85:26:92:
+        2b:c8:0d:1b:aa:e5:98:9f:9d:25:cd:82:f1:a5:42:20:9c:7f:
+        e9:b3:b8:1e:75:70:2a:07:ee:33:db:6d:b6:6a:cb:e0:80:e9:
+        fe:12:15:0f:4e:e6:78:99:a3:22:68:1a:bc:ce:77:45:f0:9f:
+        ce:23:25:bd:32:b6:8d:f4:1a:3a:8e:e9:a7:bd:da:e7:d5:ba:
+        84:38:4f:db:bb:29:7f:ec:4f:56:1a:c4:43:1a:0e:a5:c9:db:
+        b1:69:9d:00:82:b6:b2:4b:67:e7:58:45:37:dc:30:81:93:5a:
+        56:de:5e:0f:9c:d6:1a:73:9c:9e:f4:f1:8e:20:11:fc:f3:3f:
+        77:7f:9a:f1:93:42:31:2b:5a:e2:70:f2:7a:f0:07:7e:28:c3:
+        21:6a:c5:b3:fe:08:76:4b:a3:58:70:f6:44:22:a5:e1:b9:17:
+        ce:a4:90:35:5c:c7:9a:e0:12:b7:5f:24:d5:60:0c:bd:9d:b6:
+        1b:78:17:16
 -----BEGIN CERTIFICATE-----
-MIID1zCCAr+gAwIBAgIRAOPicir7bej5XduTJzD52OUwDQYJKoZIhvcNAQELBQAw
+MIID1zCCAr+gAwIBAgIRAJysEzmX+dDk6H+j8XGSMvowDQYJKoZIhvcNAQELBQAw
 azELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
 dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExHTAbBgNVBAMMFFRlc3QgSW50
-ZXJtZWRpYXRlIENBMB4XDTIxMTIwMTE1NDIwN1oXDTIzMTIwMTE1NDIwN1owYDEL
+ZXJtZWRpYXRlIENBMB4XDTIyMTAwMzE3MjAwOFoXDTI0MTAwMjE3MjAwOFowYDEL
 MAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50
 YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExEjAQBgNVBAMMCTEyNy4wLjAuMTCC
 ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOBT9POYwRQzAsikbf6qKveU
@@ -76,27 +76,27 @@ m28Ie6cFrIxD9/HaUQazgkU+yIFznrClz3aWr4EsrAEqSlhLHb7/H4XCJ97xeAsC
 AwEAAaOBgDB+MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOLgpHOVm+lu/c4pxG8H
 gQuWvUe6MB8GA1UdIwQYMBaAFBdcRfPQrBwQTItDRCDE3ZPFxRk7MB0GA1UdJQQW
 MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3
-DQEBCwUAA4IBAQCSAkLrk687rnKlC9D8BWJM+inPDr0yG+fC/ELmuQQyLeFhaENP
-16Onmj2gGwcJE13OgknLIJ7NKjIYzGHCQkUx3BTl/cVmABK6uqFRcWVj1yJM7G0o
-Ng/lcFwNMMd1i3+Z11d0wGNb7p9f1oiW0hLP3khkCsKcgjVhDGyMPSgNJ8Tbe7+T
-9wZ9P3Y3ImK1qvmV5cQG3a85e6sj1ymTbGMrCtQIFaYqx3fRyelONXd14jgXMPWy
-sPFaBD2sPLSxTN7A+Fir76ZWO5hBciV9AmAicAuYKxrg9U1GqJTizAte/ompMim5
-IJSQjyskxuYh3wCO+/ePC0kLNXsU+CIaofjA
+DQEBCwUAA4IBAQCToYJLeM4YOgquyDsESh4q4OjD3RXL7U8jCbjUSU87LJi/vXpO
+3mtIkwwXUNXfsIqVOvTSPMRxzfzTcrGZ3VyCdN9C2VGFJpIryA0bquWYn50lzYLx
+pUIgnH/ps7gedXAqB+4z2222asvggOn+EhUPTuZ4maMiaBq8zndF8J/OIyW9MraN
+9Bo6jumnvdrn1bqEOE/buyl/7E9WGsRDGg6lyduxaZ0AgrayS2fnWEU33DCBk1pW
+3l4PnNYac5ye9PGOIBH88z93f5rxk0IxK1ricPJ68Ad+KMMhasWz/gh2S6NYcPZE
+IqXhuRfOpJA1XMea4BK3XyTVYAy9nbYbeBcW
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            12:f6:d9:f1:80:1b:50:9f:64:09:c8:ea:2f:16:33:a0
+            b0:6b:93:92:e3:5c:8d:7e:ed:9d:c8:96:59:c5:c2:64
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
         Validity
-            Not Before: Dec  1 15:42:06 2021 GMT
-            Not After : Nov 29 15:42:06 2031 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Sep 30 17:20:08 2032 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Intermediate CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:9d:e9:bd:e4:3d:4a:2f:fb:c2:f9:e6:22:2a:42:
                     15:46:1c:8c:8f:47:4c:e9:c5:57:95:1f:66:70:93:
@@ -124,58 +124,61 @@ Certificate:
                 17:5C:45:F3:D0:AC:1C:10:4C:8B:43:44:20:C4:DD:93:C5:C5:19:3B
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
+            X509v3 Authority Key Identifier: 
+                9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
     Signature Algorithm: sha256WithRSAEncryption
-         9c:b1:c1:f7:c5:82:aa:43:3e:04:32:9c:32:18:de:ec:e4:d8:
-         60:d8:83:a3:b0:9b:76:b8:e8:4e:e5:e2:45:d6:71:76:cc:f9:
-         4d:5a:18:cb:06:4f:fb:a6:22:56:f3:d2:1b:c2:64:ff:c6:1e:
-         21:da:34:a5:e3:eb:e6:98:cf:6e:2d:77:bb:e6:ac:37:24:b1:
-         12:21:8b:88:11:ef:59:cf:b0:e0:a3:b5:6d:8c:ec:f8:de:ea:
-         5e:e4:e0:ed:2f:7c:91:a1:d0:ba:69:d6:bc:24:b7:fe:7d:11:
-         9e:65:ba:25:a5:22:55:53:fd:6b:18:30:17:ec:d3:d8:69:5a:
-         51:4c:e4:27:47:13:a9:b1:8b:1b:b4:9a:f0:8f:a9:a2:91:56:
-         b4:b9:e1:ed:c0:7e:58:34:e9:a5:2d:fd:02:b3:3b:47:02:42:
-         6c:ce:c2:98:b1:45:11:06:68:3a:48:be:cc:bf:66:b0:8e:c6:
-         02:ff:b8:68:64:d8:4b:44:25:b6:c5:78:63:17:53:e6:1b:8d:
-         8d:5d:0c:54:c7:fa:01:25:e5:5d:d6:dc:52:e0:25:9d:12:0d:
-         56:01:a9:c7:d9:3e:86:74:e1:d6:de:f9:0e:60:e2:6a:0f:a9:
-         fa:4d:3a:1d:5b:b1:26:1c:a7:5f:9e:71:62:f0:2c:ad:1e:e8:
-         ec:87:20:cf
+    Signature Value:
+        25:54:8b:68:3b:3c:92:ed:1b:c7:a1:62:b3:7c:ff:7e:8c:57:
+        7c:67:5c:ea:74:9f:e8:f1:b5:c8:e4:88:0e:c9:a3:f3:28:c4:
+        05:af:8f:ad:51:32:66:ae:5d:7a:b1:77:7e:99:06:c8:30:26:
+        5a:9f:1e:34:ea:aa:3e:0a:73:a2:40:e3:8f:1a:01:96:a2:6d:
+        2f:6c:d9:36:65:98:c8:86:41:0e:ee:0d:aa:da:62:54:62:23:
+        c6:23:b0:f1:ca:35:7b:e5:4b:d1:ab:80:80:d6:00:2b:19:85:
+        9d:e0:3c:3f:13:1e:90:d2:df:c3:31:90:0f:a8:40:08:33:4e:
+        f7:a4:d0:ed:3e:a4:41:cf:e8:37:49:d1:58:e8:07:3d:4b:a1:
+        c9:fe:12:07:9a:de:e0:c8:f3:68:d6:31:5d:03:77:2f:fa:b0:
+        e6:2c:f3:80:59:d0:9b:1b:59:22:cd:7e:58:c6:cf:82:92:c3:
+        76:95:78:b2:75:c8:fa:59:9f:0e:c0:e3:6d:70:f9:82:ba:db:
+        89:89:81:b7:b9:e1:41:63:51:56:8a:5a:d2:52:c2:19:2f:d9:
+        c0:9d:19:82:59:79:f9:56:1c:25:81:4d:0a:cd:77:1b:de:85:
+        6e:51:04:08:0b:0c:33:65:52:f6:90:a8:82:25:77:a0:fa:5e:
+        9c:2a:91:66
 -----BEGIN CERTIFICATE-----
-MIIDmjCCAoKgAwIBAgIQEvbZ8YAbUJ9kCcjqLxYzoDANBgkqhkiG9w0BAQsFADBj
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTEVMBMGA1UEAwwMVGVzdCBSb290
-IENBMB4XDTIxMTIwMTE1NDIwNloXDTMxMTEyOTE1NDIwNlowazELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcx
-EDAOBgNVBAoMB1Rlc3QgQ0ExHTAbBgNVBAMMFFRlc3QgSW50ZXJtZWRpYXRlIENB
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnem95D1KL/vC+eYiKkIV
-RhyMj0dM6cVXlR9mcJMi8JTDu7Vb76RvyMeJlXW6DDa/TmupNUcIQ54pauLD+wO3
-H7bhUWvtexnH+c473GXpZseDlMTRTu7tZEuB8RrqWmQYG2pOk9ATbJBgytJOtyQW
-+LIIWJ2NpzNFFTSBrS0tnGDv+SuY/nnTjSxI2xKR9C76v/UmwYIFgN1MqHC/p7wQ
-NHc520cED+1EsmVGIiCIWSgPxwyitJGloqrKBZ+Km26jy9Sk6CR1nSCBIltfdz7J
-8R6u64ozjCdbHr5tIRtCcpXjnhMDdadY1L5oEv5jjksRejTno2vdc64+GZrskYtz
-rwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQXXEXz0KwcEEyL
-Q0QgxN2TxcUZOzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAJyx
-wffFgqpDPgQynDIY3uzk2GDYg6Owm3a46E7l4kXWcXbM+U1aGMsGT/umIlbz0hvC
-ZP/GHiHaNKXj6+aYz24td7vmrDcksRIhi4gR71nPsOCjtW2M7Pje6l7k4O0vfJGh
-0Lpp1rwkt/59EZ5luiWlIlVT/WsYMBfs09hpWlFM5CdHE6mxixu0mvCPqaKRVrS5
-4e3Aflg06aUt/QKzO0cCQmzOwpixRREGaDpIvsy/ZrCOxgL/uGhk2EtEJbbFeGMX
-U+YbjY1dDFTH+gEl5V3W3FLgJZ0SDVYBqcfZPoZ04dbe+Q5g4moPqfpNOh1bsSYc
-p1+ecWLwLK0e6OyHIM8=
+MIIDvDCCAqSgAwIBAgIRALBrk5LjXI1+7Z3IllnFwmQwDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0yMjEwMDMxNzIwMDhaFw0zMjA5MzAxNzIwMDhaMGsxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMR0wGwYDVQQDDBRUZXN0IEludGVybWVkaWF0ZSBD
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ3pveQ9Si/7wvnmIipC
+FUYcjI9HTOnFV5UfZnCTIvCUw7u1W++kb8jHiZV1ugw2v05rqTVHCEOeKWriw/sD
+tx+24VFr7XsZx/nOO9xl6WbHg5TE0U7u7WRLgfEa6lpkGBtqTpPQE2yQYMrSTrck
+FviyCFidjaczRRU0ga0tLZxg7/krmP55040sSNsSkfQu+r/1JsGCBYDdTKhwv6e8
+EDR3OdtHBA/tRLJlRiIgiFkoD8cMorSRpaKqygWfiptuo8vUpOgkdZ0ggSJbX3c+
+yfEeruuKM4wnWx6+bSEbQnKV454TA3WnWNS+aBL+Y45LEXo056Nr3XOuPhma7JGL
+c68CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUF1xF89CsHBBM
+i0NEIMTdk8XFGTswDgYDVR0PAQH/BAQDAgEGMB8GA1UdIwQYMBaAFJsmC4qYqbsd
+uR8c4xpAM+2OF4irMA0GCSqGSIb3DQEBCwUAA4IBAQAlVItoOzyS7RvHoWKzfP9+
+jFd8Z1zqdJ/o8bXI5IgOyaPzKMQFr4+tUTJmrl16sXd+mQbIMCZanx406qo+CnOi
+QOOPGgGWom0vbNk2ZZjIhkEO7g2q2mJUYiPGI7DxyjV75UvRq4CA1gArGYWd4Dw/
+Ex6Q0t/DMZAPqEAIM073pNDtPqRBz+g3SdFY6Ac9S6HJ/hIHmt7gyPNo1jFdA3cv
++rDmLPOAWdCbG1kizX5Yxs+CksN2lXiydcj6WZ8OwONtcPmCutuJiYG3ueFBY1FW
+ilrSUsIZL9nAnRmCWXn5VhwlgU0KzXcb3oVuUQQICwwzZVL2kKiCJXeg+l6cKpFm
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            41:19:f1:f8:22:2d:a0:19:4d:d0:24:87:fc:af:13:d6:6b:d7:85:d9
+            0b:cc:00:80:c9:a0:0b:a1:c7:09:7c:9f:71:0d:90:92:cf:ee:c7:f4
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: C = US, ST = California, L = Mountain View, O = Test CA, CN = Test Root CA
         Validity
-            Not Before: Dec  1 15:42:06 2021 GMT
-            Not After : Nov 29 15:42:06 2031 GMT
+            Not Before: Oct  3 17:20:08 2022 GMT
+            Not After : Sep 30 17:20:08 2032 GMT
         Subject: C = US, ST = California, L = Mountain View, O = Test CA, CN = Test Root CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
+                Public-Key: (2048 bit)
                 Modulus:
                     00:c6:81:1f:92:73:b6:58:85:d9:8d:ac:b7:20:fd:
                     c7:bf:40:b2:ea:fa:e5:0b:52:01:8f:9a:c1:eb:7a:
@@ -204,26 +207,27 @@ Certificate:
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         0e:7f:a2:5b:22:6e:92:a3:90:4d:13:89:e1:67:31:4a:db:d2:
-         eb:d7:f9:e4:46:4a:58:3d:6b:10:f9:77:7c:ac:50:61:15:1a:
-         60:f7:ea:47:62:4a:08:1d:8e:73:9d:1a:51:71:7f:31:85:db:
-         03:7b:21:8a:fe:30:e0:3f:82:b0:8f:ce:e9:22:ab:48:ef:bc:
-         5b:2d:38:52:a1:68:82:69:78:05:43:c0:bf:fd:a6:65:f3:b1:
-         38:2a:4d:cc:18:b1:c6:51:cf:3a:09:3c:fe:eb:12:4d:59:a3:
-         56:b0:bc:86:ea:9a:6d:08:e3:43:d9:66:a9:1f:66:bc:b8:a5:
-         25:bf:fb:f9:d5:0d:fc:bc:78:a6:89:44:ad:06:c7:66:87:ae:
-         d4:42:80:8b:7f:e5:e2:63:4a:4b:c3:6e:21:e5:eb:08:c7:08:
-         94:00:6e:98:94:66:f5:c2:e2:51:79:d4:be:0f:51:ce:e0:48:
-         b3:a9:69:54:8b:0f:e3:72:56:40:73:c3:18:d0:9a:ae:61:8e:
-         cc:04:e9:79:3e:68:13:d2:c5:74:aa:1d:31:c8:c0:0e:bc:3e:
-         de:f9:a3:e4:2c:06:e8:f9:36:7d:dc:d6:97:de:9d:89:fa:f1:
-         27:f0:de:c9:64:7c:54:5c:4b:49:00:04:07:d4:77:26:5e:54:
-         93:a1:c0:5d
+    Signature Value:
+        39:9a:f6:0e:eb:08:4d:a0:f0:59:b9:91:fe:b5:d8:2e:4d:6b:
+        69:69:c5:d2:86:fc:a3:c2:a2:6c:ca:8d:98:1b:d2:fc:64:9b:
+        96:b4:47:f9:f4:ed:6f:52:3c:b5:13:f6:1e:71:51:3b:da:54:
+        93:c4:1d:94:17:23:76:9a:98:f5:9b:b8:b1:c5:ab:cd:ab:bd:
+        1a:c9:00:13:e0:e3:c7:5a:a7:21:71:eb:08:2b:ec:85:5c:08:
+        80:33:25:0f:1f:52:41:c4:9b:22:58:01:24:55:ef:9a:a6:ce:
+        e4:85:a3:19:33:4d:7e:3f:04:32:15:d5:fc:63:5f:8b:dc:99:
+        2b:10:63:56:ac:60:6e:f9:db:9f:63:7b:a8:df:ab:72:28:8a:
+        a9:e2:8e:9d:e6:6c:7e:5b:16:ba:94:b2:23:f2:d7:31:5b:de:
+        58:a0:8b:be:f4:6a:d2:d3:b4:e6:40:06:78:7a:2d:20:4c:cd:
+        9d:20:dd:3b:fc:b9:f3:94:13:b0:6b:18:d7:6b:e8:bf:14:cc:
+        87:30:8b:64:3f:ad:59:93:e5:f6:7c:d1:2b:f0:8e:4a:9c:c3:
+        34:18:4d:62:33:bd:a6:3a:b6:3f:1f:49:5b:63:b4:01:a8:5c:
+        f0:98:93:35:53:2e:b2:f2:19:7f:87:0d:db:b1:80:61:38:c8:
+        47:01:85:b0
 -----BEGIN CERTIFICATE-----
-MIIDljCCAn6gAwIBAgIUQRnx+CItoBlN0CSH/K8T1mvXhdkwDQYJKoZIhvcNAQEL
+MIIDljCCAn6gAwIBAgIUC8wAgMmgC6HHCXyfcQ2Qks/ux/QwDQYJKoZIhvcNAQEL
 BQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DU1vdW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3Qg
-Um9vdCBDQTAeFw0yMTEyMDExNTQyMDZaFw0zMTExMjkxNTQyMDZaMGMxCzAJBgNV
+Um9vdCBDQTAeFw0yMjEwMDMxNzIwMDhaFw0zMjA5MzAxNzIwMDhaMGMxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
 aWV3MRAwDgYDVQQKDAdUZXN0IENBMRUwEwYDVQQDDAxUZXN0IFJvb3QgQ0EwggEi
 MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGgR+Sc7ZYhdmNrLcg/ce/QLLq
@@ -233,11 +237,11 @@ MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGgR+Sc7ZYhdmNrLcg/ce/QLLq
 RP7HnpWJQ1FetG7HZ4BYQ77MByi9Wf8cTI2QQvTP/VQAT0hyK+FnPIQXaJW/ygd7
 34adVuMy43CHt/g69+NuZRR8u3a3F/FCjG8qNGQQNRSMhfZXv/NcVZ2tAxDzAgMB
 AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJsmC4qYqbsduR8c4xpA
-M+2OF4irMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEADn+iWyJu
-kqOQTROJ4WcxStvS69f55EZKWD1rEPl3fKxQYRUaYPfqR2JKCB2Oc50aUXF/MYXb
-A3shiv4w4D+CsI/O6SKrSO+8Wy04UqFogml4BUPAv/2mZfOxOCpNzBixxlHPOgk8
-/usSTVmjVrC8huqabQjjQ9lmqR9mvLilJb/7+dUN/Lx4polErQbHZoeu1EKAi3/l
-4mNKS8NuIeXrCMcIlABumJRm9cLiUXnUvg9RzuBIs6lpVIsP43JWQHPDGNCarmGO
-zATpeT5oE9LFdKodMcjADrw+3vmj5CwG6Pk2fdzWl96difrxJ/DeyWR8VFxLSQAE
-B9R3Jl5Uk6HAXQ==
+M+2OF4irMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAOZr2DusI
+TaDwWbmR/rXYLk1raWnF0ob8o8KibMqNmBvS/GSblrRH+fTtb1I8tRP2HnFRO9pU
+k8QdlBcjdpqY9Zu4scWrzau9GskAE+Djx1qnIXHrCCvshVwIgDMlDx9SQcSbIlgB
+JFXvmqbO5IWjGTNNfj8EMhXV/GNfi9yZKxBjVqxgbvnbn2N7qN+rciiKqeKOneZs
+flsWupSyI/LXMVveWKCLvvRq0tO05kAGeHotIEzNnSDdO/y585QTsGsY12vovxTM
+hzCLZD+tWZPl9nzRK/COSpzDNBhNYjO9pjq2Px9JW2O0Aahc8JiTNVMusvIZf4cN
+27GAYTjIRwGFsA==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/chrome_root_store/BUILD.gn b/chromium/net/data/ssl/chrome_root_store/BUILD.gn
index 38c4898e0a5..985b93a3db1 100644
--- a/chromium/net/data/ssl/chrome_root_store/BUILD.gn
+++ b/chromium/net/data/ssl/chrome_root_store/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2021 The Chromium Authors. All rights reserved.
+# Copyright 2021 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 import("//build/compiled_action.gni")
@@ -11,13 +11,18 @@ compiled_action("gen_root_store_inc") {
     "root_store.certs",
     "root_store.textproto",
   ]
-  outputs = [ "${target_gen_dir}/chrome-root-store-inc.cc" ]
+  outputs = [
+    "${target_gen_dir}/chrome-root-store-inc.cc",
+    "${target_gen_dir}/chrome-ev-roots-inc.cc",
+  ]
   args = [
     "--root-store=" + rebase_path("root_store.textproto", root_build_dir),
     "--certs=" + rebase_path("root_store.certs", root_build_dir),
-    "--write-cpp=" + rebase_path("${target_gen_dir}/chrome-root-store-inc.cc",
-                                 root_build_dir),
-    "--cpp-output-format=root",
+    "--write-cpp-root-store=" +
+        rebase_path("${target_gen_dir}/chrome-root-store-inc.cc",
+                    root_build_dir),
+    "--write-cpp-ev-roots=" +
+        rebase_path("${target_gen_dir}/chrome-ev-roots-inc.cc", root_build_dir),
   ]
 }
 
@@ -32,9 +37,8 @@ compiled_action("gen_root_store_test_inc") {
   args = [
     "--root-store=" + rebase_path("test_store.textproto", root_build_dir),
     "--certs=" + rebase_path("test_store.certs", root_build_dir),
-    "--write-cpp=" +
+    "--write-cpp-root-store=" +
         rebase_path("${target_gen_dir}/chrome-root-store-test-data-inc.cc",
                     root_build_dir),
-    "--cpp-output-format=root",
   ]
 }
diff --git a/chromium/net/data/ssl/chrome_root_store/README.md b/chromium/net/data/ssl/chrome_root_store/README.md
index d3cd6eb402e..81cceb599be 100644
--- a/chromium/net/data/ssl/chrome_root_store/README.md
+++ b/chromium/net/data/ssl/chrome_root_store/README.md
@@ -1,8 +1,7 @@
 # Chrome Root Store
 
-This directory contains the in development definition of the
-[Chrome Root Store](https://www.chromium.org/Home/chromium-security/root-ca-policy).
-It is currently not used for trust decisions in Chrome.
+This directory contains the artifacts related to the
+[Chrome Root Store](https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md).
 
 The root store is defined by two files:
 
@@ -14,26 +13,14 @@ The root store is defined by two files:
   `root_store.textproto`
 
 The [`root_store_tool`](/net/tools/root_store_tool/root_store_tool.cc) uses the
-two files above to generate code that is included in Chrome. This generated code
-will eventually be used for trust decisions in Chrome.
+two files above to generate code that is included in Chrome. The Chrome Root
+Store and Certificate Verifier will begin rolling out on Windows and macOS in
+Chrome 105, with other platforms to follow.
 
-## Testing
+## Additional Information
+Learn more about testing with the Chrome Root Store and Certificate Verifier
+[here](testing.md).
 
-To test the Chrome Root store, do the following:
+Learn more about the Chrome Root Program [here](https://g.co/chrome/root-policy).
 
-* On M102 or higher on Windows, run Chrome with the following flag:
-
-  `--enable-features=ChromeRootStoreUsed`
-
-  As of 2022-06, an example of a web site that is trusted by Windows Root Store
-  but not by Chrome Root Store is https://rootcertificateprograms.edicom.es/.
-  This can be used to test if Chrome Root Store is turned on or not (for best
-  results use a fresh incognito window to avoid any caching issues).
-
-* On 105.0.5122.0 or higher on Mac, run Chrome with the following flag:
-
-  `--enable-features=ChromeRootStoreUsed,CertVerifierBuiltin:impl/4`
-
-If you're running 104.0.5110.0 or higher, the currently used Chrome Root Store
-version can be seen in a [NetLog
-dump](https://www.chromium.org/for-testers/providing-network-details/).
+See "Frequently Asked Questions" [here](faq.md).
\ No newline at end of file
diff --git a/chromium/net/data/ssl/chrome_root_store/faq.md b/chromium/net/data/ssl/chrome_root_store/faq.md
new file mode 100644
index 00000000000..ee650af90d4
--- /dev/null
+++ b/chromium/net/data/ssl/chrome_root_store/faq.md
@@ -0,0 +1,240 @@
+# Frequently Asked Questions
+Last updated: September 1, 2022
+
+- [What is the Chrome Root Store?](#what-is-the-chrome-root-store)
+- [Where is the Chrome Root Store source code located?](#where-is-the-chrome-root-store-source-code-located)
+- [What is the Chrome Certificate Verifier?](#what-is-the-chrome-certificate-verifier)
+- [Where is Chrome Certificate Verifier source code located?](#where-is-chrome-certificate-verifier-source-code)
+- [How do these new features impact me?](#how-do-these-new-features-impact-me)
+- [When are these changes taking place?](#when-are-these-changes-taking-place)
+- [Given the rollout is gradual, how can I tell if these features are in use on my system?](#given-the-rollout-is-gradual_how-can-i-tell-if-these-features-are-in-use-on-my-system)
+- [How can I tell which certificates are trusted by the Chrome Root Store?](#how-can-i-tell-which-certificates-are-trusted-by-the-chrome-root-store)
+- [Can you help? I’m experiencing problems.](#can-you-help_i_m-experiencing-problems)
+- [Can I revert to the platform root store and verifier?](#can-i-revert-to-the-platform-root-store-and-verifier)
+- [What criteria does the Chrome Certificate Verifier use to evaluate certificates?](#what-criteria-does-the-chrome-certificate-verifier-use-to-evaluate-certificates)
+- [What criteria does the Chrome Certificate Verifier use to build certificate paths?](#what-criteria-does-the-chrome-certificate-verifier-use-to-build-certificate-paths)
+- [How is the Chrome Root Store updated?](#how-is-the-chrome-root-store-updated)
+- [Why does the certificate viewer look different?](#why-does-the-certificate-viewer-look-different)
+
+## What is the Chrome Root Store?
+Chrome uses
+[digital certificates](https://en.wikipedia.org/wiki/Public_key_certificate)
+(often referred to as “certificates,” “HTTPS certificates,” or “server
+authentication certificates”) to ensure the connections it makes on behalf of
+its users are secure and private. Certificates are responsible for binding a
+domain name to a public key, which Chrome uses to encrypt data sent to and from
+the corresponding website.
+
+As part of establishing a secure connection to a website, Chrome verifies that a
+recognized system known as a “Certification Authority” (CA) issued its
+certificate. Certificates issued by a CA not recognized by Chrome or a user’s
+local settings can cause users to see warnings and error pages.
+
+Root stores, sometimes called “trust stores,” tell operating systems and
+applications what certificates to trust. The
+[Chrome Root Store](https://g.co/chrome/root-store) contains the set of
+certificates Chrome trusts by default.
+
+## Where is the Chrome Root Store source code located?
+Source locations include
+[//net/data/ssl/chrome_root_store](/net/data/ssl/chrome_root_store),
+[//net/cert](/net/cert), [//services/cert_verifier](/services/cert_verifier),
+and [//chrome/browser/component_updater/](/chrome/browser/component_updater/).
+
+## What is the Chrome Certificate Verifier?
+Historically, Chrome integrated certificate verification processes with the
+platform on which it was running. This resulted in inconsistent user experiences
+across platforms, while also making it difficult for developers to understand
+Chrome's expected behavior. Beginning in Chrome 105, we'll begin rolling out the
+Chrome Certificate Verifier to apply a common certificate verification process
+on Windows and macOS. The rollout of the Chrome Certificate Verifier on Chrome
+OS, Linux, and Android will be announced at a later date. The launch of the
+Chrome Certificate Verifier will ensure users have a consistent experience
+across platforms, that developers have a consistent understanding of Chrome's
+behavior, and that Chrome better protects the security and privacy of users'
+connections to websites.
+
+## Where is Chrome Certificate Verifier source code?
+Source locations include
+[//net/cert](/net/cert), [//net/cert/internal](/net/cert/internal), and
+[//net/cert/pki](/net/cert/pki).
+
+## How do these new features impact me?
+
+### Chrome Users
+We expect the transition to the Chrome Root Store and Chrome Certificate
+Verifier to be seamless for most users.
+
+As the transition occurs, a small population of users may notice that a small
+number of websites that successfully loaded in earlier versions of Chrome now
+present a “Your connection is not private” warning. In instances where the
+website’s certificate does not validate to a certificate included in the Chrome
+Root Store or a user’s local settings, users will see detailed error language
+that includes “ERR_CERT_AUTHORITY_INVALID.”
+
+See troubleshooting steps [here](#can-you-help_i_m-experiencing-problems).
+
+### Website Operators
+We expect the transition to the Chrome Root Store and Chrome Certificate
+Verifier to be seamless for most website operators.
+
+We encourage website operators to configure HTTPS for their site(s) with
+certificates that follow modern best practices, including those found in the
+CA/Browser Forum
+[Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates](https://cabforum.org/baseline-requirements-documents/)
+and the Chrome Root Program [policy](https://g.co/chrome/root-policy).
+
+If your website’s certificate issuer is not included in the
+[Chrome Root Store](https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md),
+consider transitioning to another service provider to avoid compatibility
+issues.
+
+### Enterprise CA Owners
+We expect the transition to the Chrome Root Store and Chrome Certificate
+Verifier to be seamless for Enterprise CA owners.
+
+Enterprise CAs are intended for use cases exclusively internal to an
+organization (e.g., a TLS certificate issued to a corporate intranet site).
+
+The Chrome Certificate Verifier considers locally-managed certificates during
+the certificate verification process. Consequently, if an enterprise distributes
+a root CA certificate as trusted to its users (for example, by a Windows Group
+Policy Object), it will be considered trusted in Chrome.
+
+### Enterprise System Administrators
+The Chrome Certificate Verifier considers locally-managed certificates during
+the certificate verification process. Consequently, if an enterprise distributes
+a root CA certificate as trusted to its users (for example, by a Windows Group
+Policy Object), it will be considered trusted in Chrome.
+
+The Chrome Certificate Verifier evaluates certificate profile conformance
+against [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280), and in some
+cases, is more strict than platform verifiers. As a result, an enterprise policy
+will *temporarily* be available to re-enable the platform root store and
+certificate verifier to provide enterprises time to remediate certificate
+profile conformance errors. See more
+[below](#can-i-revert-to-the-platform-root-store-and-verifier).
+
+### “Publicly-Trusted” CA Owners
+CA Owners who meet the Chrome Root Program
+[policy](https://g.co/chrome/root-policy) requirements may apply for a CA
+certificate’s inclusion in the Chrome Root Store. CAs included in the Chrome
+Root Store are expected to adhere to the Chrome Root Program policy and continue
+to operate in a consistent and trustworthy manner. A CA owner’s failure to
+follow the requirements defined in the Chrome Root Program policy may result in
+a CA certificate’s removal from the Chrome Root Store, limitations on Chrome's
+acceptance of the certificates they issue, or other technical or policy
+restrictions.
+
+## When are these changes taking place?
+A “rollout” is a gradual launch of a new feature. Sometimes, to ensure it goes
+smoothly, we don’t enable a new feature for all of our users at once. Instead,
+we start with a small percentage of users and increase that percentage over time
+to ensure we minimize unanticipated compatibility issues. The Chrome Root Store
+and Certificate Verifier will begin rolling out on Windows and macOS in Chrome
+105, with other platforms to follow.
+
+## Given the rollout is gradual, how can I tell if these features are in use on my system?
+
+**If on Windows:** Navigate to https://rootcertificateprograms.edicom.es/ …
+- **Expected outcome with Chrome Root Store enabled:** Page does not load
+(NET::ERR_CERT_AUTHORITY_INVALID)
+- **Expected outcome with Chrome Root Store disabled:** Page loads
+
+**If on macOS:** Navigate to https://valid-ctrca.certificates.certum.pl/ …
+- **Expected outcome with Chrome Root Store enabled:** Page does not load
+(NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED)
+- **Expected outcome with Chrome Root Store disabled:** Page does not load
+(NET::ERR_CERT_AUTHORITY_INVALID)
+
+## How can I tell which certificates are trusted by the Chrome Root Store?
+The current contents of the Chrome Root Store is available
+[here](https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md).
+
+The Chrome Root Store is updated by Component Updater. To observe the contents
+of the Chrome Root Store in use by your version of Chrome M105.0.5122.0 or
+higher:
+
+1. Navigate to `chrome://system`
+2. Click the `Expand`... button next to `chrome_root_store`
+3. *The contents of the Chrome Root Store will display*
+
+## Can you help? I’m experiencing problems.
+As the transition to the Chrome Root Store and Certificate Verifier occurs, a
+small population of users may notice that a small number of websites that
+successfully loaded in earlier versions of Chrome now present a “Your connection
+is not private” warning that includes a message that reads
+“NET::ERR_CERT_AUTHORITY_INVALID”.
+
+**Troubleshooting (for developers, system administrators, or "power users"):**
+1. [Verify](#given-the-rollout-is-gradual_how-can-i-tell-if-these-features-are-in-use-on-my-system)
+the Chrome Root Store and Certificate Verifier are in use.
+     - If the Chrome Root Store and Certificate Verifier are not enabled, read
+     more about common connection errors
+     [here](https://support.google.com/chrome/answer/6098869?hl=en).
+2. Choose to *either* add the website’s corresponding root CA certificate to
+your platform root store *or* temporarily use these Chrome Enterprise Policies
+to disable the use of the Chrome Root Store and Certificate Verifier.
+
+    * **Adding a CA certificate to the platform root store:** Refer to your
+    operating system instructions for managing certificates. <br><br>*Warning*:
+    You should **never** install a root certificate without careful
+    consideration to the impact this might have on your privacy and security.
+    *Only* install a root certificate after obtaining it from a trusted source
+    and verifying its authenticity (e.g., verifying its SHA-256 thumbprint).
+
+    * **Use Chrome Enterprise Policies:** See
+    [below](#can-you-help_i_m-experiencing-problems).
+
+## Can I revert to the platform root store and verifier?
+The Chrome Certificate Verifier evaluates certificate profile conformance
+against [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280), and in some
+cases, is more strict than platform verifiers. The
+[ChromeRootStoreEnabled](https://chromeenterprise.google/policies/?policy=ChromeRootStoreEnabled)
+enterprise policy will be temporarily available to revert to the platform root
+store and verifier.
+
+This enterprise policy is planned to be removed from Windows and macOS beginning
+in Chrome 111, and should only be used as a temporary solution while
+troubleshooting and remediating instances of certificate profile conformance
+issues.
+
+## What criteria does the Chrome Certificate Verifier use to evaluate certificates?
+The Chrome Certificate Verifier will apply standard processing to include
+checking:
+- the certificate's key usage and extended key usage are consistent with TLS
+use-cases.
+- the certificate validity period is not in the past or future.
+- key sizes and algorithms are of known and acceptable quality.
+- whether mismatched or unknown signature algorithms are included.
+- that the certificate does not chain to or through a blocked CA.
+- conformance with [RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280).
+
+Chrome applies additional processing rules for certificates chaining to roots
+included in the Chrome Root Store, such as:
+- Certificate Transparency enforcement, and
+- maximum certificate validity enforcement as required by the CA/B Forum
+Baseline Requirements (i.e., 398 days or less).
+
+## What criteria does the Chrome Certificate Verifier use to build certificate paths?
+The Chrome Certificate Verifier was designed to follow path-building guidance
+established in [RFC 4158](https://datatracker.ietf.org/doc/html/rfc4158).
+
+## How is the Chrome Root Store updated?
+Chrome uses a "[component updater](https://chromium.googlesource.com/chromium/src/+/lkgr/components/component_updater/README.md)"
+tool to push specific updates to browser components without requiring an update
+to the Chrome browser application itself. As root CA certificates are added or
+removed from the Chrome Root Store, the component updater will be responsible
+for automatically propagating these changes to user end-points with no need for
+user action.
+
+If your enterprise has [disabled](https://chromeenterprise.google/policies/?policy=ComponentUpdatesEnabled)
+component updates, end-points will only receive updated versions of the Chrome
+Root Store during Chrome browser application updates.
+
+## Why does the certificate viewer look different?
+Beginning in Chrome 105, Chrome on Windows and macOS transitioned from using the
+native platform certificate viewer to the Chrome Certificate Viewer. This
+transition is intended to promote a consistent experience across platforms
+as we begin the [rollout](#when-are-these-changes-taking-place) of the Chrome
+Root Store.
\ No newline at end of file
diff --git a/chromium/net/data/ssl/chrome_root_store/test_store.textproto b/chromium/net/data/ssl/chrome_root_store/test_store.textproto
index 281a1f71bac..f2f38047927 100644
--- a/chromium/net/data/ssl/chrome_root_store/test_store.textproto
+++ b/chromium/net/data/ssl/chrome_root_store/test_store.textproto
@@ -1,4 +1,4 @@
-# Copyright 2021 The Chromium Authors. All rights reserved.
+# Copyright 2021 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/chrome_root_store/testing.md b/chromium/net/data/ssl/chrome_root_store/testing.md
new file mode 100644
index 00000000000..895ceabac89
--- /dev/null
+++ b/chromium/net/data/ssl/chrome_root_store/testing.md
@@ -0,0 +1,24 @@
+# Testing the Chrome Root Store and Certificate Verifier
+Last updated: September 1, 2022
+
+To test the Chrome Root Store & Certificate Verifier, do the following:
+
+## On Windows (M102 or higher)
+1. Enable the Chrome Root Store & Certificate Verifier by starting Chrome with
+the following flag: <br>`--enable-features=ChromeRootStoreUsed`
+
+2. Navigate to https://rootcertificateprograms.edicom.es/ (trusted by Windows,
+but not the Chrome Root Store)
+     - **Expected outcome with Chrome Root Store enabled:** Page does not load
+     (NET::ERR_CERT_AUTHORITY_INVALID)
+     - **Expected outcome with Chrome Root Store disabled:** Page loads
+
+## On macOS (M105.0.5122.0 or higher)
+1. Enable the Chrome Root Store & Certificate Verifier by starting Chrome with
+the following flags: <br>`--enable-features=ChromeRootStoreUsed`
+
+2. Navigate to https://valid-ctrca.certificates.certum.pl/ (not trusted by
+macOS, but trusted by the Chrome Root Store)
+     - **Expected outcome with Chrome Root Store enabled:** Page loads
+     - **Expected outcome with Chrome Root Store disabled:** Page does not load
+     (NET::ERR_CERT_AUTHORITY_INVALID)
\ No newline at end of file
diff --git a/chromium/net/data/ssl/ev_roots/BUILD.gn b/chromium/net/data/ssl/ev_roots/BUILD.gn
deleted file mode 100644
index e8695af7535..00000000000
--- a/chromium/net/data/ssl/ev_roots/BUILD.gn
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2021 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-import("//build/compiled_action.gni")
-
-# Generate C++ include file for the Chrome root store.
-compiled_action("gen_ev_root_store_inc") {
-  tool = "//net/tools/root_store_tool:root_store_tool"
-
-  inputs = [
-    "ev_roots.certs",
-    "ev_roots.textproto",
-  ]
-  outputs = [ "${target_gen_dir}/chrome-ev-root-store-inc.cc" ]
-  args = [
-    "--root-store=" + rebase_path("ev_roots.textproto", root_build_dir),
-    "--certs=" + rebase_path("ev_roots.certs", root_build_dir),
-    "--write-cpp=" +
-        rebase_path("${target_gen_dir}/chrome-ev-root-store-inc.cc",
-                    root_build_dir),
-    "--cpp-output-format=ev",
-  ]
-}
diff --git a/chromium/net/data/ssl/ev_roots/ev_roots.certs b/chromium/net/data/ssl/ev_roots/ev_roots.certs
deleted file mode 100644
index 374cefa377e..00000000000
--- a/chromium/net/data/ssl/ev_roots/ev_roots.certs
+++ /dev/null
@@ -1,6826 +0,0 @@
-# This file contains certificates referenced by ev_roots.textproto. Although
-# only the PEM files are processed, to aid maintenance, each entry should be
-# prefixed with its SHA-256 hash and kept in the same order as the textproto
-# file.
-
-# 55926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 6271844772424770508 (0x570a119742c4e3cc)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA
-        Validity
-            Not Before: Sep 22 11:22:02 2011 GMT
-            Not After : Sep 22 11:22:02 2030 GMT
-        Subject: C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:a7:c6:c4:a5:29:a4:2c:ef:e5:18:c5:b0:50:a3:
-                    6f:51:3b:9f:0a:5a:c9:c2:48:38:0a:c2:1c:a0:18:
-                    7f:91:b5:87:b9:40:3f:dd:1d:68:1f:08:83:d5:2d:
-                    1e:88:a0:f8:8f:56:8f:6d:99:02:92:90:16:d5:5f:
-                    08:6c:89:d7:e1:ac:bc:20:c2:b1:e0:83:51:8a:69:
-                    4d:00:96:5a:6f:2f:c0:44:7e:a3:0e:e4:91:cd:58:
-                    ee:dc:fb:c7:1e:45:47:dd:27:b9:08:01:9f:a6:21:
-                    1d:f5:41:2d:2f:4c:fd:28:ad:e0:8a:ad:22:b4:56:
-                    65:8e:86:54:8f:93:43:29:de:39:46:78:a3:30:23:
-                    ba:cd:f0:7d:13:57:c0:5d:d2:83:6b:48:4c:c4:ab:
-                    9f:80:5a:5b:3a:bd:c9:a7:22:3f:80:27:33:5b:0e:
-                    b7:8a:0c:5d:07:37:08:cb:6c:d2:7a:47:22:44:35:
-                    c5:cc:cc:2e:8e:dd:2a:ed:b7:7d:66:0d:5f:61:51:
-                    22:55:1b:e3:46:e3:e3:3d:d0:35:62:9a:db:af:14:
-                    c8:5b:a1:cc:89:1b:e1:30:26:fc:a0:9b:1f:81:a7:
-                    47:1f:04:eb:a3:39:92:06:9f:99:d3:bf:d3:ea:4f:
-                    50:9c:19:fe:96:87:1e:3c:65:f6:a3:18:24:83:86:
-                    10:e7:54:3e:a8:3a:76:24:4f:81:21:c5:e3:0f:02:
-                    f8:93:94:47:20:bb:fe:d4:0e:d3:68:b9:dd:c4:7a:
-                    84:82:e3:53:54:79:dd:db:9c:d2:f2:07:9b:2e:b6:
-                    bc:3e:ed:85:6d:ef:25:11:f2:97:1a:42:61:f7:4a:
-                    97:e8:8b:b1:10:07:fa:65:81:b2:a2:39:cf:f7:3c:
-                    ff:18:fb:c6:f1:5a:8b:59:e2:02:ac:7b:92:d0:4e:
-                    14:4f:59:45:f6:0c:5e:28:5f:b0:e8:3f:45:cf:cf:
-                    af:9b:6f:fb:84:d3:77:5a:95:6f:ac:94:84:9e:ee:
-                    bc:c0:4a:8f:4a:93:f8:44:21:e2:31:45:61:50:4e:
-                    10:d8:e3:35:7c:4c:19:b4:de:05:bf:a3:06:9f:c8:
-                    b5:cd:e4:1f:d7:17:06:0d:7a:95:74:55:0d:68:1a:
-                    fc:10:1b:62:64:9d:6d:e0:95:a0:c3:94:07:57:0d:
-                    14:e6:bd:05:fb:b8:9f:e6:df:8b:e2:c6:e7:7e:96:
-                    f6:53:c5:80:34:50:28:58:f0:12:50:71:17:30:ba:
-                    e6:78:63:bc:f4:b2:ad:9b:2b:b2:fe:e1:39:8c:5e:
-                    ba:0b:20:94:de:7b:83:b8:ff:e3:56:8d:b7:11:e9:
-                    3b:8c:f2:b1:c1:5d:9d:a4:0b:4c:2b:d9:b2:18:f5:
-                    b5:9f:4b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                52:D8:88:3A:C8:9F:78:66:ED:89:F3:7B:38:70:94:C9:02:02:36:D0
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Authority Key Identifier: 
-                keyid:52:D8:88:3A:C8:9F:78:66:ED:89:F3:7B:38:70:94:C9:02:02:36:D0
-
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         0b:7b:72:87:c0:60:a6:49:4c:88:58:e6:1d:88:f7:14:64:48:
-         a6:d8:58:0a:0e:4f:13:35:df:35:1d:d4:ed:06:31:c8:81:3e:
-         6a:d5:dd:3b:1a:32:ee:90:3d:11:d2:2e:f4:8e:c3:63:2e:23:
-         66:b0:67:be:6f:b6:c0:13:39:60:aa:a2:34:25:93:75:52:de:
-         a7:9d:ad:0e:87:89:52:71:6a:16:3c:19:1d:83:f8:9a:29:65:
-         be:f4:3f:9a:d9:f0:f3:5a:87:21:71:80:4d:cb:e0:38:9b:3f:
-         bb:fa:e0:30:4d:cf:86:d3:65:10:19:18:d1:97:02:b1:2b:72:
-         42:68:ac:a0:bd:4e:5a:da:18:bf:6b:98:81:d0:fd:9a:be:5e:
-         15:48:cd:11:15:b9:c0:29:5c:b4:e8:88:f7:3e:36:ae:b7:62:
-         fd:1e:62:de:70:78:10:1c:48:5b:da:bc:a4:38:ba:67:ed:55:
-         3e:5e:57:df:d4:03:40:4c:81:a4:d2:4f:63:a7:09:42:09:14:
-         fc:00:a9:c2:80:73:4f:2e:c0:40:d9:11:7b:48:ea:7a:02:c0:
-         d3:eb:28:01:26:58:74:c1:c0:73:22:6d:93:95:fd:39:7d:bb:
-         2a:e3:f6:82:e3:2c:97:5f:4e:1f:91:94:fa:fe:2c:a3:d8:76:
-         1a:b8:4d:b2:38:4f:9b:fa:1d:48:60:79:26:e2:f3:fd:a9:d0:
-         9a:e8:70:8f:49:7a:d6:e5:bd:0a:0e:db:2d:f3:8d:bf:eb:e3:
-         a4:7d:cb:c7:95:71:e8:da:a3:7c:c5:c2:f8:74:92:04:1b:86:
-         ac:a4:22:53:40:b6:ac:fe:4c:76:cf:fb:94:32:c0:35:9f:76:
-         3f:6e:e5:90:6e:a0:a6:26:a2:b8:2c:be:d1:2b:85:fd:a7:68:
-         c8:ba:01:2b:b1:6c:74:1d:b8:73:95:e7:ee:b7:c7:25:f0:00:
-         4c:00:b2:7e:b6:0b:8b:1c:f3:c0:50:9e:25:b9:e0:08:de:36:
-         66:ff:37:a5:d1:bb:54:64:2c:c9:27:b5:4b:92:7e:65:ff:d3:
-         2d:e1:b9:4e:bc:7f:a4:41:21:90:41:77:a6:39:1f:ea:9e:e3:
-         9f:d0:66:6f:05:ec:aa:76:7e:bf:6b:16:a0:eb:b5:c7:fc:92:
-         54:2f:2b:11:27:25:37:78:4c:51:6a:b0:f3:cc:58:5d:14:f1:
-         6a:48:15:ff:c2:07:b6:b1:8d:0f:8e:5c:50:46:b3:3d:bf:01:
-         98:4f:b2:59:54:47:3e:34:7b:78:6d:56:93:2e:73:ea:66:28:
-         78:cd:1d:14:bf:a0:8f:2f:2e:b8:2e:8e:f2:14:8a:cc:e9:b5:
-         7c:fb:6c:9d:0c:a5:e1:96
------BEGIN CERTIFICATE-----
-MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE
-BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8w
-MzM1ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290
-IENBMB4XDTExMDkyMjExMjIwMloXDTMwMDkyMjExMjIwMlowazELMAkGA1UEBhMC
-SVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1
-ODUyMDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENB
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp8bEpSmkLO/lGMWwUKNv
-UTufClrJwkg4CsIcoBh/kbWHuUA/3R1oHwiD1S0eiKD4j1aPbZkCkpAW1V8IbInX
-4ay8IMKx4INRimlNAJZaby/ARH6jDuSRzVju3PvHHkVH3Se5CAGfpiEd9UEtL0z9
-KK3giq0itFZljoZUj5NDKd45RnijMCO6zfB9E1fAXdKDa0hMxKufgFpbOr3JpyI/
-gCczWw63igxdBzcIy2zSekciRDXFzMwujt0q7bd9Zg1fYVEiVRvjRuPjPdA1Yprb
-rxTIW6HMiRvhMCb8oJsfgadHHwTrozmSBp+Z07/T6k9QnBn+locePGX2oxgkg4YQ
-51Q+qDp2JE+BIcXjDwL4k5RHILv+1A7TaLndxHqEguNTVHnd25zS8gebLra8Pu2F
-be8lEfKXGkJh90qX6IuxEAf6ZYGyojnP9zz/GPvG8VqLWeICrHuS0E4UT1lF9gxe
-KF+w6D9Fz8+vm2/7hNN3WpVvrJSEnu68wEqPSpP4RCHiMUVhUE4Q2OM1fEwZtN4F
-v6MGn8i1zeQf1xcGDXqVdFUNaBr8EBtiZJ1t4JWgw5QHVw0U5r0F+7if5t+L4sbn
-fpb2U8WANFAoWPASUHEXMLrmeGO89LKtmyuy/uE5jF66CyCU3nuDuP/jVo23Eek7
-jPKxwV2dpAtMK9myGPW1n0sCAwEAAaNjMGEwHQYDVR0OBBYEFFLYiDrIn3hm7Ynz
-ezhwlMkCAjbQMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUUtiIOsifeGbt
-ifN7OHCUyQICNtAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAL
-e3KHwGCmSUyIWOYdiPcUZEim2FgKDk8TNd81HdTtBjHIgT5q1d07GjLukD0R0i70
-jsNjLiNmsGe+b7bAEzlgqqI0JZN1Ut6nna0Oh4lScWoWPBkdg/iaKWW+9D+a2fDz
-WochcYBNy+A4mz+7+uAwTc+G02UQGRjRlwKxK3JCaKygvU5a2hi/a5iB0P2avl4V
-SM0RFbnAKVy06Ij3Pjaut2L9HmLecHgQHEhb2rykOLpn7VU+Xlff1ANATIGk0k9j
-pwlCCRT8AKnCgHNPLsBA2RF7SOp6AsDT6ygBJlh0wcBzIm2Tlf05fbsq4/aC4yyX
-X04fkZT6/iyj2HYauE2yOE+b+h1IYHkm4vP9qdCa6HCPSXrW5b0KDtst842/6+Ok
-fcvHlXHo2qN8xcL4dJIEG4aspCJTQLas/kx2z/uUMsA1n3Y/buWQbqCmJqK4LL7R
-K4X9p2jIugErsWx0Hbhzlefut8cl8ABMALJ+tguLHPPAUJ4lueAI3jZm/zel0btU
-ZCzJJ7VLkn5l/9Mt4blOvH+kQSGQQXemOR/qnuOf0GZvBeyqdn6/axag67XH/JJU
-LysRJyU3eExRarDzzFhdFPFqSBX/wge2sY0PjlxQRrM9vwGYT7JZVEc+NHt4bVaT
-LnPqZih4zR0Uv6CPLy64Lo7yFIrM6bV8+2ydDKXhlg==
------END CERTIFICATE-----
-
-# 0376ab1d54c5f9803ce4b2e201a0ee7eef7b57b636e8a93c9b8d4860c96f5fa7
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 8608355977964138876 (0x7777062726a9b17c)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=AffirmTrust, CN=AffirmTrust Commercial
-        Validity
-            Not Before: Jan 29 14:06:06 2010 GMT
-            Not After : Dec 31 14:06:06 2030 GMT
-        Subject: C=US, O=AffirmTrust, CN=AffirmTrust Commercial
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:f6:1b:4f:67:07:2b:a1:15:f5:06:22:cb:1f:01:
-                    b2:e3:73:45:06:44:49:2c:bb:49:25:14:d6:ce:c3:
-                    b7:ab:2c:4f:c6:41:32:94:57:fa:12:a7:5b:0e:e2:
-                    8f:1f:1e:86:19:a7:aa:b5:2d:b9:5f:0d:8a:c2:af:
-                    85:35:79:32:2d:bb:1c:62:37:f2:b1:5b:4a:3d:ca:
-                    cd:71:5f:e9:42:be:94:e8:c8:de:f9:22:48:64:c6:
-                    e5:ab:c6:2b:6d:ad:05:f0:fa:d5:0b:cf:9a:e5:f0:
-                    50:a4:8b:3b:47:a5:23:5b:7a:7a:f8:33:3f:b8:ef:
-                    99:97:e3:20:c1:d6:28:89:cf:94:fb:b9:45:ed:e3:
-                    40:17:11:d4:74:f0:0b:31:e2:2b:26:6a:9b:4c:57:
-                    ae:ac:20:3e:ba:45:7a:05:f3:bd:9b:69:15:ae:7d:
-                    4e:20:63:c4:35:76:3a:07:02:c9:37:fd:c7:47:ee:
-                    e8:f1:76:1d:73:15:f2:97:a4:b5:c8:7a:79:d9:42:
-                    aa:2b:7f:5c:fe:ce:26:4f:a3:66:81:35:af:44:ba:
-                    54:1e:1c:30:32:65:9d:e6:3c:93:5e:50:4e:7a:e3:
-                    3a:d4:6e:cc:1a:fb:f9:d2:37:ae:24:2a:ab:57:03:
-                    22:28:0d:49:75:7f:b7:28:da:75:bf:8e:e3:dc:0e:
-                    79:31
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                9D:93:C6:53:8B:5E:CA:AF:3F:9F:1E:0F:E5:99:95:BC:24:F6:94:8F
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         58:ac:f4:04:0e:cd:c0:0d:ff:0a:fd:d4:ba:16:5f:29:bd:7b:
-         68:99:58:49:d2:b4:1d:37:4d:7f:27:7d:46:06:5d:43:c6:86:
-         2e:3e:73:b2:26:7d:4f:93:a9:b6:c4:2a:9a:ab:21:97:14:b1:
-         de:8c:d3:ab:89:15:d8:6b:24:d4:f1:16:ae:d8:a4:5c:d4:7f:
-         51:8e:ed:18:01:b1:93:63:bd:bc:f8:61:80:9a:9e:b1:ce:42:
-         70:e2:a9:7d:06:25:7d:27:a1:fe:6f:ec:b3:1e:24:da:e3:4b:
-         55:1a:00:3b:35:b4:3b:d9:d7:5d:30:fd:81:13:89:f2:c2:06:
-         2b:ed:67:c4:8e:c9:43:b2:5c:6b:15:89:02:bc:62:fc:4e:f2:
-         b5:33:aa:b2:6f:d3:0a:a2:50:e3:f6:3b:e8:2e:44:c2:db:66:
-         38:a9:33:56:48:f1:6d:1b:33:8d:0d:8c:3f:60:37:9d:d3:ca:
-         6d:7e:34:7e:0d:9f:72:76:8b:1b:9f:72:fd:52:35:41:45:02:
-         96:2f:1c:b2:9a:73:49:21:b1:49:47:45:47:b4:ef:6a:34:11:
-         c9:4d:9a:cc:59:b7:d6:02:9e:5a:4e:65:b5:94:ae:1b:df:29:
-         b0:16:f1:bf:00:9e:07:3a:17:64:b5:04:b5:23:21:99:0a:95:
-         3b:97:7c:ef
------BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBDb21tZXJjaWFsMB4XDTEwMDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6EqdbDuKP
-Hx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yr
-ba0F8PrVC8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPAL
-MeIrJmqbTFeurCA+ukV6BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1
-yHp52UKqK39c/s4mT6NmgTWvRLpUHhwwMmWd5jyTXlBOeuM61G7MGvv50jeuJCqr
-VwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNVHQ4EFgQUnZPGU4teyq8/
-nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYG
-XUPGhi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNj
-vbz4YYCanrHOQnDiqX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivt
-Z8SOyUOyXGsViQK8YvxO8rUzqrJv0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9g
-N53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0khsUlHRUe072o0EclNmsxZt9YC
-nlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8=
------END CERTIFICATE-----
-
-# 0a81ec5a929777f145904af38d5d509f66b5e2c58fcdb531058b0e17f3f0b41b
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 8957382827206547757 (0x7c4f04391cd4992d)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=AffirmTrust, CN=AffirmTrust Networking
-        Validity
-            Not Before: Jan 29 14:08:24 2010 GMT
-            Not After : Dec 31 14:08:24 2030 GMT
-        Subject: C=US, O=AffirmTrust, CN=AffirmTrust Networking
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b4:84:cc:33:17:2e:6b:94:6c:6b:61:52:a0:eb:
-                    a3:cf:79:94:4c:e5:94:80:99:cb:55:64:44:65:8f:
-                    67:64:e2:06:e3:5c:37:49:f6:2f:9b:84:84:1e:2d:
-                    f2:60:9d:30:4e:cc:84:85:e2:2c:cf:1e:9e:fe:36:
-                    ab:33:77:35:44:d8:35:96:1a:3d:36:e8:7a:0e:d8:
-                    d5:47:a1:6a:69:8b:d9:fc:bb:3a:ae:79:5a:d5:f4:
-                    d6:71:bb:9a:90:23:6b:9a:b7:88:74:87:0c:1e:5f:
-                    b9:9e:2d:fa:ab:53:2b:dc:bb:76:3e:93:4c:08:08:
-                    8c:1e:a2:23:1c:d4:6a:ad:22:ba:99:01:2e:6d:65:
-                    cb:be:24:66:55:24:4b:40:44:b1:1b:d7:e1:c2:85:
-                    c0:de:10:3f:3d:ed:b8:fc:f1:f1:23:53:dc:bf:65:
-                    97:6f:d9:f9:40:71:8d:7d:bd:95:d4:ce:be:a0:5e:
-                    27:23:de:fd:a6:d0:26:0e:00:29:eb:3c:46:f0:3d:
-                    60:bf:3f:50:d2:dc:26:41:51:9e:14:37:42:04:a3:
-                    70:57:a8:1b:87:ed:2d:fa:7b:ee:8c:0a:e3:a9:66:
-                    89:19:cb:41:f9:dd:44:36:61:cf:e2:77:46:c8:7d:
-                    f6:f4:92:81:36:fd:db:34:f1:72:7e:f3:0c:16:bd:
-                    b4:15
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                07:1F:D2:E7:9C:DA:C2:6E:A2:40:B4:B0:7A:50:10:50:74:C4:C8:BD
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-         89:57:b2:16:7a:a8:c2:fd:d6:d9:9b:9b:34:c2:9c:b4:32:14:
-         4d:a7:a4:df:ec:be:a7:be:f8:43:db:91:37:ce:b4:32:2e:50:
-         55:1a:35:4e:76:43:71:20:ef:93:77:4e:15:70:2e:87:c3:c1:
-         1d:6d:dc:cb:b5:27:d4:2c:56:d1:52:53:3a:44:d2:73:c8:c4:
-         1b:05:65:5a:62:92:9c:ee:41:8d:31:db:e7:34:ea:59:21:d5:
-         01:7a:d7:64:b8:64:39:cd:c9:ed:af:ed:4b:03:48:a7:a0:99:
-         01:80:dc:65:a3:36:ae:65:59:48:4f:82:4b:c8:65:f1:57:1d:
-         e5:59:2e:0a:3f:6c:d8:d1:f5:e5:09:b4:6c:54:00:0a:e0:15:
-         4d:87:75:6d:b7:58:96:5a:dd:6d:d2:00:a0:f4:9b:48:be:c3:
-         37:a4:ba:36:e0:7c:87:85:97:1a:15:a2:de:2e:a2:5b:bd:af:
-         18:f9:90:50:cd:70:59:f8:27:67:47:cb:c7:a0:07:3a:7d:d1:
-         2c:5d:6c:19:3a:66:b5:7d:fd:91:6f:82:b1:be:08:93:db:14:
-         47:f1:a2:37:c7:45:9e:3c:c7:77:af:64:a8:93:df:f6:69:83:
-         82:60:f2:49:42:34:ed:5a:00:54:85:1c:16:36:92:0c:5c:fa:
-         a6:ad:bf:db
------BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBOZXR3b3JraW5nMB4XDTEwMDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SEHi3y
-YJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbua
-kCNrmreIdIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRL
-QESxG9fhwoXA3hA/Pe24/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp
-6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gbh+0t+nvujArjqWaJGctB+d1ENmHP4ndG
-yH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNVHQ4EFgQUBx/S55zawm6i
-QLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfO
-tDIuUFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzu
-QY0x2+c06lkh1QF612S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZ
-Lgo/bNjR9eUJtGxUAArgFU2HdW23WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4u
-olu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9/ZFvgrG+CJPbFEfxojfHRZ48
-x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s=
------END CERTIFICATE-----
-
-# 70a73f7f376b60074248904534b11482d5bf0e698ecc498df52577ebf2e93b9a
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 7893706540734352110 (0x6d8c1446b1a60aee)
-    Signature Algorithm: sha384WithRSAEncryption
-        Issuer: C=US, O=AffirmTrust, CN=AffirmTrust Premium
-        Validity
-            Not Before: Jan 29 14:10:36 2010 GMT
-            Not After : Dec 31 14:10:36 2040 GMT
-        Subject: C=US, O=AffirmTrust, CN=AffirmTrust Premium
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:c4:12:df:a9:5f:fe:41:dd:dd:f5:9f:8a:e3:f6:
-                    ac:e1:3c:78:9a:bc:d8:f0:7f:7a:a0:33:2a:dc:8d:
-                    20:5b:ae:2d:6f:e7:93:d9:36:70:6a:68:cf:8e:51:
-                    a3:85:5b:67:04:a0:10:24:6f:5d:28:82:c1:97:57:
-                    d8:48:29:13:b6:e1:be:91:4d:df:85:0c:53:18:9a:
-                    1e:24:a2:4f:8f:f0:a2:85:0b:cb:f4:29:7f:d2:a4:
-                    58:ee:26:4d:c9:aa:a8:7b:9a:d9:fa:38:de:44:57:
-                    15:e5:f8:8c:c8:d9:48:e2:0d:16:27:1d:1e:c8:83:
-                    85:25:b7:ba:aa:55:41:cc:03:22:4b:2d:91:8d:8b:
-                    e6:89:af:66:c7:e9:ff:2b:e9:3c:ac:da:d2:b3:c3:
-                    e1:68:9c:89:f8:7a:00:56:de:f4:55:95:6c:fb:ba:
-                    64:dd:62:8b:df:0b:77:32:eb:62:cc:26:9a:9b:bb:
-                    aa:62:83:4c:b4:06:7a:30:c8:29:bf:ed:06:4d:97:
-                    b9:1c:c4:31:2b:d5:5f:bc:53:12:17:9c:99:57:29:
-                    66:77:61:21:31:07:2e:25:49:9d:18:f2:ee:f3:2b:
-                    71:8c:b5:ba:39:07:49:77:fc:ef:2e:92:90:05:8d:
-                    2d:2f:77:7b:ef:43:bf:35:bb:9a:d8:f9:73:a7:2c:
-                    f2:d0:57:ee:28:4e:26:5f:8f:90:68:09:2f:b8:f8:
-                    dc:06:e9:2e:9a:3e:51:a7:d1:22:c4:0a:a7:38:48:
-                    6c:b3:f9:ff:7d:ab:86:57:e3:ba:d6:85:78:77:ba:
-                    43:ea:48:7f:f6:d8:be:23:6d:1e:bf:d1:36:6c:58:
-                    5c:f1:ee:a4:19:54:1a:f5:03:d2:76:e6:e1:8c:bd:
-                    3c:b3:d3:48:4b:e2:c8:f8:7f:92:a8:76:46:9c:42:
-                    65:3e:a4:1e:c1:07:03:5a:46:2d:b8:97:f3:b7:d5:
-                    b2:55:21:ef:ba:dc:4c:00:97:fb:14:95:27:33:bf:
-                    e8:43:47:46:d2:08:99:16:60:3b:9a:7e:d2:e6:ed:
-                    38:ea:ec:01:1e:3c:48:56:49:09:c7:4c:37:00:9e:
-                    88:0e:c0:73:e1:6f:66:e9:72:47:30:3e:10:e5:0b:
-                    03:c9:9a:42:00:6c:c5:94:7e:61:c4:8a:df:7f:82:
-                    1a:0b:59:c4:59:32:77:b3:bc:60:69:56:39:fd:b4:
-                    06:7b:2c:d6:64:36:d9:bd:48:ed:84:1f:7e:a5:22:
-                    8f:2a:b8:42:f4:82:b7:d4:53:90:78:4e:2d:1a:fd:
-                    81:6f:44:d7:3b:01:74:96:42:e0:00:e2:2e:6b:ea:
-                    c5:ee:72:ac:bb:bf:fe:ea:aa:a8:f8:dc:f6:b2:79:
-                    8a:b6:67
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                9D:C0:67:A6:0C:22:D9:26:F5:45:AB:A6:65:52:11:27:D8:45:AC:63
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha384WithRSAEncryption
-         b3:57:4d:10:62:4e:3a:e4:ac:ea:b8:1c:af:32:23:c8:b3:49:
-         5a:51:9c:76:28:8d:79:aa:57:46:17:d5:f5:52:f6:b7:44:e8:
-         08:44:bf:18:84:d2:0b:80:cd:c5:12:fd:00:55:05:61:87:41:
-         dc:b5:24:9e:3c:c4:d8:c8:fb:70:9e:2f:78:96:83:20:36:de:
-         7c:0f:69:13:88:a5:75:36:98:08:a6:c6:df:ac:ce:e3:58:d6:
-         b7:3e:de:ba:f3:eb:34:40:d8:a2:81:f5:78:3f:2f:d5:a5:fc:
-         d9:a2:d4:5e:04:0e:17:ad:fe:41:f0:e5:b2:72:fa:44:82:33:
-         42:e8:2d:58:f7:56:8c:62:3f:ba:42:b0:9c:0c:5c:7e:2e:65:
-         26:5c:53:4f:00:b2:78:7e:a1:0d:99:2d:8d:b8:1d:8e:a2:c4:
-         b0:fd:60:d0:30:a4:8e:c8:04:62:a9:c4:ed:35:de:7a:97:ed:
-         0e:38:5e:92:2f:93:70:a5:a9:9c:6f:a7:7d:13:1d:7e:c6:08:
-         48:b1:5e:67:eb:51:08:25:e9:e6:25:6b:52:29:91:9c:d2:39:
-         73:08:57:de:99:06:b4:5b:9d:10:06:e1:c2:00:a8:b8:1c:4a:
-         02:0a:14:d0:c1:41:ca:fb:8c:35:21:7d:82:38:f2:a9:54:91:
-         19:35:93:94:6d:6a:3a:c5:b2:d0:bb:89:86:93:e8:9b:c9:0f:
-         3a:a7:7a:b8:a1:f0:78:46:fa:fc:37:2f:e5:8a:84:f3:df:fe:
-         04:d9:a1:68:a0:2f:24:e2:09:95:06:d5:95:ca:e1:24:96:eb:
-         7c:f6:93:05:bb:ed:73:e9:2d:d1:75:39:d7:e7:24:db:d8:4e:
-         5f:43:8f:9e:d0:14:39:bf:55:70:48:99:57:31:b4:9c:ee:4a:
-         98:03:96:30:1f:60:06:ee:1b:23:fe:81:60:23:1a:47:62:85:
-         a5:cc:19:34:80:6f:b3:ac:1a:e3:9f:f0:7b:48:ad:d5:01:d9:
-         67:b6:a9:72:93:ea:2d:66:b5:b2:b8:e4:3d:3c:b2:ef:4c:8c:
-         ea:eb:07:bf:ab:35:9a:55:86:bc:18:a6:b5:a8:5e:b4:83:6c:
-         6b:69:40:d3:9f:dc:f1:c3:69:6b:b9:e1:6d:09:f4:f1:aa:50:
-         76:0a:7a:7d:7a:17:a1:55:96:42:99:31:09:dd:60:11:8d:05:
-         30:7e:e6:8e:46:d1:9d:14:da:c7:17:e4:05:96:8c:c4:24:b5:
-         1b:cf:14:07:b2:40:f8:a3:9e:41:86:bc:04:d0:6b:96:c8:2a:
-         80:34:fd:bf:ef:06:a3:dd:58:c5:85:3d:3e:8f:fe:9e:29:e0:
-         b6:b8:09:68:19:1c:18:43
------BEGIN CERTIFICATE-----
-MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVz
-dCBQcmVtaXVtMB4XDTEwMDEyOTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkG
-A1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1U
-cnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxBLf
-qV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtnBKAQ
-JG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ
-+jjeRFcV5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrS
-s8PhaJyJ+HoAVt70VZVs+7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5
-HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmdGPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d7
-70O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5Rp9EixAqnOEhss/n/fauG
-V+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NIS+LI+H+S
-qHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S
-5u046uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4Ia
-C1nEWTJ3s7xgaVY5/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TX
-OwF0lkLgAOIua+rF7nKsu7/+6qqo+Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYE
-FJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2
-KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg
-Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B
-8OWycvpEgjNC6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQ
-MKSOyARiqcTtNd56l+0OOF6SL5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc
-0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK+4w1IX2COPKpVJEZNZOUbWo6xbLQ
-u4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmVBtWVyuEklut89pMF
-u+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFgIxpH
-YoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8
-GKa1qF60g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaO
-RtGdFNrHF+QFlozEJLUbzxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6e
-KeC2uAloGRwYQw==
------END CERTIFICATE-----
-
-# bd71fdf6da97e4cf62d1647add2581b07d79adf8397eb4ecba9c5e8488821423
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 8401224907861490260 (0x7497258ac73f7a54)
-    Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC
-        Validity
-            Not Before: Jan 29 14:20:24 2010 GMT
-            Not After : Dec 31 14:20:24 2040 GMT
-        Subject: C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub: 
-                    04:0d:30:5e:1b:15:9d:03:d0:a1:79:35:b7:3a:3c:
-                    92:7a:ca:15:1c:cd:62:f3:9c:26:5c:07:3d:e5:54:
-                    fa:a3:d6:cc:12:ea:f4:14:5f:e8:8e:19:ab:2f:2e:
-                    48:e6:ac:18:43:78:ac:d0:37:c3:bd:b2:cd:2c:e6:
-                    47:e2:1a:e6:63:b8:3d:2e:2f:78:c4:4f:db:f4:0f:
-                    a4:68:4c:55:72:6b:95:1d:4e:18:42:95:78:cc:37:
-                    3c:91:e2:9b:65:2b:29
-                ASN1 OID: secp384r1
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                9A:AF:29:7A:C0:11:35:35:26:51:30:00:C3:6A:FE:40:D5:AE:D6:3C
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: ecdsa-with-SHA384
-         30:64:02:30:17:09:f3:87:88:50:5a:af:c8:c0:42:bf:47:5f:
-         f5:6c:6a:86:e0:c4:27:74:e4:38:53:d7:05:7f:1b:34:e3:c6:
-         2f:b3:ca:09:3c:37:9d:d7:e7:b8:46:f1:fd:a1:e2:71:02:30:
-         42:59:87:43:d4:51:df:ba:d3:09:32:5a:ce:88:7e:57:3d:9c:
-         5f:42:6b:f5:07:2d:b5:f0:82:93:f9:59:6f:ae:64:fa:58:e5:
-         8b:1e:e3:63:be:b5:81:cd:6f:02:8c:79
------BEGIN CERTIFICATE-----
-MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMC
-VVMxFDASBgNVBAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQ
-cmVtaXVtIEVDQzAeFw0xMDAxMjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJ
-BgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJt
-VHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNMF4bFZ0D
-0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQN8O9
-ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0G
-A1UdDgQWBBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4G
-A1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/Vs
-aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I
-flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ==
------END CERTIFICATE-----
-
-# 8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=Amazon, CN=Amazon Root CA 1
-        Validity
-            Not Before: May 26 00:00:00 2015 GMT
-            Not After : Jan 17 00:00:00 2038 GMT
-        Subject: C=US, O=Amazon, CN=Amazon Root CA 1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b2:78:80:71:ca:78:d5:e3:71:af:47:80:50:74:
-                    7d:6e:d8:d7:88:76:f4:99:68:f7:58:21:60:f9:74:
-                    84:01:2f:ac:02:2d:86:d3:a0:43:7a:4e:b2:a4:d0:
-                    36:ba:01:be:8d:db:48:c8:07:17:36:4c:f4:ee:88:
-                    23:c7:3e:eb:37:f5:b5:19:f8:49:68:b0:de:d7:b9:
-                    76:38:1d:61:9e:a4:fe:82:36:a5:e5:4a:56:e4:45:
-                    e1:f9:fd:b4:16:fa:74:da:9c:9b:35:39:2f:fa:b0:
-                    20:50:06:6c:7a:d0:80:b2:a6:f9:af:ec:47:19:8f:
-                    50:38:07:dc:a2:87:39:58:f8:ba:d5:a9:f9:48:67:
-                    30:96:ee:94:78:5e:6f:89:a3:51:c0:30:86:66:a1:
-                    45:66:ba:54:eb:a3:c3:91:f9:48:dc:ff:d1:e8:30:
-                    2d:7d:2d:74:70:35:d7:88:24:f7:9e:c4:59:6e:bb:
-                    73:87:17:f2:32:46:28:b8:43:fa:b7:1d:aa:ca:b4:
-                    f2:9f:24:0e:2d:4b:f7:71:5c:5e:69:ff:ea:95:02:
-                    cb:38:8a:ae:50:38:6f:db:fb:2d:62:1b:c5:c7:1e:
-                    54:e1:77:e0:67:c8:0f:9c:87:23:d6:3f:40:20:7f:
-                    20:80:c4:80:4c:3e:3b:24:26:8e:04:ae:6c:9a:c8:
-                    aa:0d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                84:18:CC:85:34:EC:BC:0C:94:94:2E:08:59:9C:C7:B2:10:4E:0A:08
-    Signature Algorithm: sha256WithRSAEncryption
-         98:f2:37:5a:41:90:a1:1a:c5:76:51:28:20:36:23:0e:ae:e6:
-         28:bb:aa:f8:94:ae:48:a4:30:7f:1b:fc:24:8d:4b:b4:c8:a1:
-         97:f6:b6:f1:7a:70:c8:53:93:cc:08:28:e3:98:25:cf:23:a4:
-         f9:de:21:d3:7c:85:09:ad:4e:9a:75:3a:c2:0b:6a:89:78:76:
-         44:47:18:65:6c:8d:41:8e:3b:7f:9a:cb:f4:b5:a7:50:d7:05:
-         2c:37:e8:03:4b:ad:e9:61:a0:02:6e:f5:f2:f0:c5:b2:ed:5b:
-         b7:dc:fa:94:5c:77:9e:13:a5:7f:52:ad:95:f2:f8:93:3b:de:
-         8b:5c:5b:ca:5a:52:5b:60:af:14:f7:4b:ef:a3:fb:9f:40:95:
-         6d:31:54:fc:42:d3:c7:46:1f:23:ad:d9:0f:48:70:9a:d9:75:
-         78:71:d1:72:43:34:75:6e:57:59:c2:02:5c:26:60:29:cf:23:
-         19:16:8e:88:43:a5:d4:e4:cb:08:fb:23:11:43:e8:43:29:72:
-         62:a1:a9:5d:5e:08:d4:90:ae:b8:d8:ce:14:c2:d0:55:f2:86:
-         f6:c4:93:43:77:66:61:c0:b9:e8:41:d7:97:78:60:03:6e:4a:
-         72:ae:a5:d1:7d:ba:10:9e:86:6c:1b:8a:b9:59:33:f8:eb:c4:
-         90:be:f1:b9
------BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
-ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
-b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
-MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
-b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
-ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
-9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
-IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
-VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
-93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
-jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
-A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
-U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
-N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
-o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
-5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
-rqXRfboQnoZsG4q5WTP468SQvvG5
------END CERTIFICATE-----
-
-# 1ba5b2aa8c65401a82960118f80bec4f62304d83cec4713a19c39c011ea46db4
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            06:6c:9f:d2:96:35:86:9f:0a:0f:e5:86:78:f8:5b:26:bb:8a:37
-    Signature Algorithm: sha384WithRSAEncryption
-        Issuer: C=US, O=Amazon, CN=Amazon Root CA 2
-        Validity
-            Not Before: May 26 00:00:00 2015 GMT
-            Not After : May 26 00:00:00 2040 GMT
-        Subject: C=US, O=Amazon, CN=Amazon Root CA 2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:ad:96:9f:2d:9c:4a:4c:4a:81:79:51:99:ec:8a:
-                    cb:6b:60:51:13:bc:4d:6d:06:fc:b0:08:8d:dd:19:
-                    10:6a:c7:26:0c:35:d8:c0:6f:20:84:e9:94:b1:9b:
-                    85:03:c3:5b:db:4a:e8:c8:f8:90:76:d9:5b:4f:e3:
-                    4c:e8:06:36:4d:cc:9a:ac:3d:0c:90:2b:92:d4:06:
-                    19:60:ac:37:44:79:85:81:82:ad:5a:37:e0:0d:cc:
-                    9d:a6:4c:52:76:ea:43:9d:b7:04:d1:50:f6:55:e0:
-                    d5:d2:a6:49:85:e9:37:e9:ca:7e:ae:5c:95:4d:48:
-                    9a:3f:ae:20:5a:6d:88:95:d9:34:b8:52:1a:43:90:
-                    b0:bf:6c:05:b9:b6:78:b7:ea:d0:e4:3a:3c:12:53:
-                    62:ff:4a:f2:7b:be:35:05:a9:12:34:e3:f3:64:74:
-                    62:2c:3d:00:49:5a:28:fe:32:44:bb:87:dd:65:27:
-                    02:71:3b:da:4a:f7:1f:da:cd:f7:21:55:90:4f:0f:
-                    ec:ae:82:e1:9f:6b:d9:45:d3:bb:f0:5f:87:ed:3c:
-                    2c:39:86:da:3f:de:ec:72:55:eb:79:a3:ad:db:dd:
-                    7c:b0:ba:1c:ce:fc:de:4f:35:76:cf:0f:f8:78:1f:
-                    6a:36:51:46:27:61:5b:e9:9e:cf:f0:a2:55:7d:7c:
-                    25:8a:6f:2f:b4:c5:cf:84:2e:2b:fd:0d:51:10:6c:
-                    fb:5f:1b:bc:1b:7e:c5:ae:3b:98:01:31:92:ff:0b:
-                    57:f4:9a:b2:b9:57:e9:ab:ef:0d:76:d1:f0:ee:f4:
-                    ce:86:a7:e0:6e:e9:b4:69:a1:df:69:f6:33:c6:69:
-                    2e:97:13:9e:a5:87:b0:57:10:81:37:c9:53:b3:bb:
-                    7f:f6:92:d1:9c:d0:18:f4:92:6e:da:83:4f:a6:63:
-                    99:4c:a5:fb:5e:ef:21:64:7a:20:5f:6c:64:85:15:
-                    cb:37:e9:62:0c:0b:2a:16:dc:01:2e:32:da:3e:4b:
-                    f5:9e:3a:f6:17:40:94:ef:9e:91:08:86:fa:be:63:
-                    a8:5a:33:ec:cb:74:43:95:f9:6c:69:52:36:c7:29:
-                    6f:fc:55:03:5c:1f:fb:9f:bd:47:eb:e7:49:47:95:
-                    0b:4e:89:22:09:49:e0:f5:61:1e:f1:bf:2e:8a:72:
-                    6e:80:59:ff:57:3a:f9:75:32:a3:4e:5f:ec:ed:28:
-                    62:d9:4d:73:f2:cc:81:17:60:ed:cd:eb:dc:db:a7:
-                    ca:c5:7e:02:bd:f2:54:08:54:fd:b4:2d:09:2c:17:
-                    54:4a:98:d1:54:e1:51:67:08:d2:ed:6e:7e:6f:3f:
-                    d2:2d:81:59:29:66:cb:90:39:95:11:1e:74:27:fe:
-                    dd:eb:af
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                B0:0C:F0:4C:30:F4:05:58:02:48:FD:33:E5:52:AF:4B:84:E3:66:52
-    Signature Algorithm: sha384WithRSAEncryption
-         aa:a8:80:8f:0e:78:a3:e0:a2:d4:cd:e6:f5:98:7a:3b:ea:00:
-         03:b0:97:0e:93:bc:5a:a8:f6:2c:8c:72:87:a9:b1:fc:7f:73:
-         fd:63:71:78:a5:87:59:cf:30:e1:0d:10:b2:13:5a:6d:82:f5:
-         6a:e6:80:9f:a0:05:0b:68:e4:47:6b:c7:6a:df:b6:fd:77:32:
-         72:e5:18:fa:09:f4:a0:93:2c:5d:d2:8c:75:85:76:65:90:0c:
-         03:79:b7:31:23:63:ad:78:83:09:86:68:84:ca:ff:f9:cf:26:
-         9a:92:79:e7:cd:4b:c5:e7:61:a7:17:cb:f3:a9:12:93:93:6b:
-         a7:e8:2f:53:92:c4:60:58:b0:cc:02:51:18:5b:85:8d:62:59:
-         63:b6:ad:b4:de:9a:fb:26:f7:00:27:c0:5d:55:37:74:99:c9:
-         50:7f:e3:59:2e:44:e3:2c:25:ee:ec:4c:32:77:b4:9f:1a:e9:
-         4b:5d:20:c5:da:fd:1c:87:16:c6:43:e8:d4:bb:26:9a:45:70:
-         5e:a9:0b:37:53:e2:46:7b:27:fd:e0:46:f2:89:b7:cc:42:b6:
-         cb:28:26:6e:d9:a5:c9:3a:c8:41:13:60:f7:50:8c:15:ae:b2:
-         6d:1a:15:1a:57:78:e6:92:2a:d9:65:90:82:3f:6c:02:af:ae:
-         12:3a:27:96:36:04:d7:1d:a2:80:63:a9:9b:f1:e5:ba:b4:7c:
-         14:b0:4e:c9:b1:1f:74:5f:38:f6:51:ea:9b:fa:2c:a2:11:d4:
-         a9:2d:27:1a:45:b1:af:b2:4e:71:0d:c0:58:46:d6:69:06:cb:
-         53:cb:b3:fe:6b:41:cd:41:7e:7d:4c:0f:7c:72:79:7a:59:cd:
-         5e:4a:0e:ac:9b:a9:98:73:79:7c:b4:f4:cc:b9:b8:07:0c:b2:
-         74:5c:b8:c7:6f:88:a1:90:a7:f4:aa:f9:bf:67:3a:f4:1a:15:
-         62:1e:b7:9f:be:3d:b1:29:af:67:a1:12:f2:58:10:19:53:03:
-         30:1b:b8:1a:89:f6:9c:bd:97:03:8e:a3:09:f3:1d:8b:21:f1:
-         b4:df:e4:1c:d1:9f:65:02:06:ea:5c:d6:13:b3:84:ef:a2:a5:
-         5c:8c:77:29:a7:68:c0:6b:ae:40:d2:a8:b4:ea:cd:f0:8d:4b:
-         38:9c:19:9a:1b:28:54:b8:89:90:ef:ca:75:81:3e:1e:f2:64:
-         24:c7:18:af:4e:ff:47:9e:07:f6:35:65:a4:d3:0a:56:ff:f5:
-         17:64:6c:ef:a8:22:25:49:93:b6:df:00:17:da:58:7e:5d:ee:
-         c5:1b:b0:d1:d1:5f:21:10:c7:f9:f3:ba:02:0a:27:07:c5:f1:
-         d6:c7:d3:e0:fb:09:60:6c
------BEGIN CERTIFICATE-----
-MIIFQTCCAymgAwIBAgITBmyf0pY1hp8KD+WGePhbJruKNzANBgkqhkiG9w0BAQwF
-ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
-b24gUm9vdCBDQSAyMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTEL
-MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
-b3QgQ0EgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK2Wny2cSkxK
-gXlRmeyKy2tgURO8TW0G/LAIjd0ZEGrHJgw12MBvIITplLGbhQPDW9tK6Mj4kHbZ
-W0/jTOgGNk3Mmqw9DJArktQGGWCsN0R5hYGCrVo34A3MnaZMUnbqQ523BNFQ9lXg
-1dKmSYXpN+nKfq5clU1Imj+uIFptiJXZNLhSGkOQsL9sBbm2eLfq0OQ6PBJTYv9K
-8nu+NQWpEjTj82R0Yiw9AElaKP4yRLuH3WUnAnE72kr3H9rN9yFVkE8P7K6C4Z9r
-2UXTu/Bfh+08LDmG2j/e7HJV63mjrdvdfLC6HM783k81ds8P+HgfajZRRidhW+me
-z/CiVX18JYpvL7TFz4QuK/0NURBs+18bvBt+xa47mAExkv8LV/SasrlX6avvDXbR
-8O70zoan4G7ptGmh32n2M8ZpLpcTnqWHsFcQgTfJU7O7f/aS0ZzQGPSSbtqDT6Zj
-mUyl+17vIWR6IF9sZIUVyzfpYgwLKhbcAS4y2j5L9Z469hdAlO+ekQiG+r5jqFoz
-7Mt0Q5X5bGlSNscpb/xVA1wf+5+9R+vnSUeVC06JIglJ4PVhHvG/LopyboBZ/1c6
-+XUyo05f7O0oYtlNc/LMgRdg7c3r3NunysV+Ar3yVAhU/bQtCSwXVEqY0VThUWcI
-0u1ufm8/0i2BWSlmy5A5lREedCf+3euvAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMB
-Af8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSwDPBMMPQFWAJI/TPlUq9LhONm
-UjANBgkqhkiG9w0BAQwFAAOCAgEAqqiAjw54o+Ci1M3m9Zh6O+oAA7CXDpO8Wqj2
-LIxyh6mx/H9z/WNxeKWHWc8w4Q0QshNabYL1auaAn6AFC2jkR2vHat+2/XcycuUY
-+gn0oJMsXdKMdYV2ZZAMA3m3MSNjrXiDCYZohMr/+c8mmpJ5581LxedhpxfL86kS
-k5Nrp+gvU5LEYFiwzAJRGFuFjWJZY7attN6a+yb3ACfAXVU3dJnJUH/jWS5E4ywl
-7uxMMne0nxrpS10gxdr9HIcWxkPo1LsmmkVwXqkLN1PiRnsn/eBG8om3zEK2yygm
-btmlyTrIQRNg91CMFa6ybRoVGld45pIq2WWQgj9sAq+uEjonljYE1x2igGOpm/Hl
-urR8FLBOybEfdF849lHqm/osohHUqS0nGkWxr7JOcQ3AWEbWaQbLU8uz/mtBzUF+
-fUwPfHJ5elnNXkoOrJupmHN5fLT0zLm4BwyydFy4x2+IoZCn9Kr5v2c69BoVYh63
-n749sSmvZ6ES8lgQGVMDMBu4Gon2nL2XA46jCfMdiyHxtN/kHNGfZQIG6lzWE7OE
-76KlXIx3KadowGuuQNKotOrN8I1LOJwZmhsoVLiJkO/KdYE+HvJkJMcYr07/R54H
-9jVlpNMKVv/1F2Rs76giJUmTtt8AF9pYfl3uxRuw0dFfIRDH+fO6AgonB8Xx1sfT
-4PsJYGw=
------END CERTIFICATE-----
-
-# 18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            06:6c:9f:d5:74:97:36:66:3f:3b:0b:9a:d9:e8:9e:76:03:f2:4a
-    Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C=US, O=Amazon, CN=Amazon Root CA 3
-        Validity
-            Not Before: May 26 00:00:00 2015 GMT
-            Not After : May 26 00:00:00 2040 GMT
-        Subject: C=US, O=Amazon, CN=Amazon Root CA 3
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (256 bit)
-                pub: 
-                    04:29:97:a7:c6:41:7f:c0:0d:9b:e8:01:1b:56:c6:
-                    f2:52:a5:ba:2d:b2:12:e8:d2:2e:d7:fa:c9:c5:d8:
-                    aa:6d:1f:73:81:3b:3b:98:6b:39:7c:33:a5:c5:4e:
-                    86:8e:80:17:68:62:45:57:7d:44:58:1d:b3:37:e5:
-                    67:08:eb:66:de
-                ASN1 OID: prime256v1
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                AB:B6:DB:D7:06:9E:37:AC:30:86:07:91:70:C7:9C:C4:19:B1:78:C0
-    Signature Algorithm: ecdsa-with-SHA256
-         30:46:02:21:00:e0:85:92:a3:17:b7:8d:f9:2b:06:a5:93:ac:
-         1a:98:68:61:72:fa:e1:a1:d0:fb:1c:78:60:a6:43:99:c5:b8:
-         c4:02:21:00:9c:02:ef:f1:94:9c:b3:96:f9:eb:c6:2a:f8:b6:
-         2c:fe:3a:90:14:16:d7:8c:63:24:48:1c:df:30:7d:d5:68:3b
------BEGIN CERTIFICATE-----
-MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5
-MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
-Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
-A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg
-Q0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZBf8ANm+gBG1bG8lKl
-ui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjrZt6j
-QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSr
-ttvXBp43rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkr
-BqWTrBqYaGFy+uGh0PsceGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteM
-YyRIHN8wfdVoOw==
------END CERTIFICATE-----
-
-# e35d28419ed02025cfa69038cd623962458da5c695fbdea3c22b0bfb25897092
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            06:6c:9f:d7:c1:bb:10:4c:29:43:e5:71:7b:7b:2c:c8:1a:c1:0e
-    Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C=US, O=Amazon, CN=Amazon Root CA 4
-        Validity
-            Not Before: May 26 00:00:00 2015 GMT
-            Not After : May 26 00:00:00 2040 GMT
-        Subject: C=US, O=Amazon, CN=Amazon Root CA 4
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub: 
-                    04:d2:ab:8a:37:4f:a3:53:0d:fe:c1:8a:7b:4b:a8:
-                    7b:46:4b:63:b0:62:f6:2d:1b:db:08:71:21:d2:00:
-                    e8:63:bd:9a:27:fb:f0:39:6e:5d:ea:3d:a5:c9:81:
-                    aa:a3:5b:20:98:45:5d:16:db:fd:e8:10:6d:e3:9c:
-                    e0:e3:bd:5f:84:62:f3:70:64:33:a0:cb:24:2f:70:
-                    ba:88:a1:2a:a0:75:f8:81:ae:62:06:c4:81:db:39:
-                    6e:29:b0:1e:fa:2e:5c
-                ASN1 OID: secp384r1
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                D3:EC:C7:3A:65:6E:CC:E1:DA:76:9A:56:FB:9C:F3:86:6D:57:E5:81
-    Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:30:3a:8b:21:f1:bd:7e:11:ad:d0:ef:58:96:2f:d6:
-         eb:9d:7e:90:8d:2b:cf:66:55:c3:2c:e3:28:a9:70:0a:47:0e:
-         f0:37:59:12:ff:2d:99:94:28:4e:2a:4f:35:4d:33:5a:02:31:
-         00:ea:75:00:4e:3b:c4:3a:94:12:91:c9:58:46:9d:21:13:72:
-         a7:88:9c:8a:e4:4c:4a:db:96:d4:ac:8b:6b:6b:49:12:53:33:
-         ad:d7:e4:be:24:fc:b5:0a:76:d4:a5:bc:10
------BEGIN CERTIFICATE-----
-MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5
-MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
-Um9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
-A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg
-Q0EgNDB2MBAGByqGSM49AgEGBSuBBAAiA2IABNKrijdPo1MN/sGKe0uoe0ZLY7Bi
-9i0b2whxIdIA6GO9mif78DluXeo9pcmBqqNbIJhFXRbb/egQbeOc4OO9X4Ri83Bk
-M6DLJC9wuoihKqB1+IGuYgbEgds5bimwHvouXKNCMEAwDwYDVR0TAQH/BAUwAwEB
-/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFNPsxzplbszh2naaVvuc84ZtV+WB
-MAoGCCqGSM49BAMDA2gAMGUCMDqLIfG9fhGt0O9Yli/W651+kI0rz2ZVwyzjKKlw
-CkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW
-1KyLa2tJElMzrdfkviT8tQp21KW8EA==
------END CERTIFICATE-----
-
-# 04048028bf1f2864d48f9ad4d83294366a828856553f3b14303f90147f5d40ef
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 6047274297262753887 (0x53ec3beefbb2485f)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
-        Validity
-            Not Before: May 20 08:38:15 2009 GMT
-            Not After : Dec 31 08:38:15 2030 GMT
-        Subject: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:ca:96:6b:8e:ea:f8:fb:f1:a2:35:e0:7f:4c:da:
-                    e0:c3:52:d7:7d:b6:10:c8:02:5e:b3:43:2a:c4:4f:
-                    6a:b2:ca:1c:5d:28:9a:78:11:1a:69:59:57:af:b5:
-                    20:42:e4:8b:0f:e6:df:5b:a6:03:92:2f:f5:11:e4:
-                    62:d7:32:71:38:d9:04:0c:71:ab:3d:51:7e:0f:07:
-                    df:63:05:5c:e9:bf:94:6f:c1:29:82:c0:b4:da:51:
-                    b0:c1:3c:bb:ad:37:4a:5c:ca:f1:4b:36:0e:24:ab:
-                    bf:c3:84:77:fd:a8:50:f4:b1:e7:c6:2f:d2:2d:59:
-                    8d:7a:0a:4e:96:69:52:02:aa:36:98:ec:fc:fa:14:
-                    83:0c:37:1f:c9:92:37:7f:d7:81:2d:e5:c4:b9:e0:
-                    3e:34:fe:67:f4:3e:66:d1:d3:f4:40:cf:5e:62:34:
-                    0f:70:06:3e:20:18:5a:ce:f7:72:1b:25:6c:93:74:
-                    14:93:a3:73:b1:0e:aa:87:10:23:59:5f:20:05:19:
-                    47:ed:68:8e:92:12:ca:5d:fc:d6:2b:b2:92:3c:20:
-                    cf:e1:5f:af:20:be:a0:76:7f:76:e5:ec:1a:86:61:
-                    33:3e:e7:7b:b4:3f:a0:0f:8e:a2:b9:6a:6f:b9:87:
-                    26:6f:41:6c:88:a6:50:fd:6a:63:0b:f5:93:16:1b:
-                    19:8f:b2:ed:9b:9b:c9:90:f5:01:0c:df:19:3d:0f:
-                    3e:38:23:c9:2f:8f:0c:d1:02:fe:1b:55:d6:4e:d0:
-                    8d:3c:af:4f:a4:f3:fe:af:2a:d3:05:9d:79:08:a1:
-                    cb:57:31:b4:9c:c8:90:b2:67:f4:18:16:93:3a:fc:
-                    47:d8:d1:78:96:31:1f:ba:2b:0c:5f:5d:99:ad:63:
-                    89:5a:24:20:76:d8:df:fd:ab:4e:a6:22:aa:9d:5e:
-                    e6:27:8a:7d:68:29:a3:e7:8a:b8:da:11:bb:17:2d:
-                    99:9d:13:24:46:f7:c5:e2:d8:9f:8e:7f:c7:8f:74:
-                    6d:5a:b2:e8:72:f5:ac:ee:24:10:ad:2f:14:da:ff:
-                    2d:9a:46:71:47:be:42:df:bb:01:db:f4:7f:d3:28:
-                    8f:31:59:5b:d3:c9:02:a6:b4:52:ca:6e:97:fb:43:
-                    c5:08:26:6f:8a:f4:bb:fd:9f:28:aa:0d:d5:45:f3:
-                    13:3a:1d:d8:c0:78:8f:41:67:3c:1e:94:64:ae:7b:
-                    0b:c5:e8:d9:01:88:39:1a:97:86:64:41:d5:3b:87:
-                    0c:6e:fa:0f:c6:bd:48:14:bf:39:4d:d4:9e:41:b6:
-                    8f:96:1d:63:96:93:d9:95:06:78:31:68:9e:37:06:
-                    3b:80:89:45:61:39:23:c7:1b:44:a3:15:e5:1c:f8:
-                    92:30:bb
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:1
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                65:CD:EB:AB:35:1E:00:3E:7E:D5:74:C0:1C:B4:73:47:0E:1A:64:2F
-            X509v3 Certificate Policies: 
-                Policy: X509v3 Any Policy
-                  CPS: http://www.firmaprofesional.com/cps
-                  User Notice:
-                    Explicit Text: 
-
-    Signature Algorithm: sha1WithRSAEncryption
-         17:7d:a0:f9:b4:dd:c5:c5:eb:ad:4b:24:b5:a1:02:ab:dd:a5:
-         88:4a:b2:0f:55:4b:2b:57:8c:3b:e5:31:dd:fe:c4:32:f1:e7:
-         5b:64:96:36:32:18:ec:a5:32:77:d7:e3:44:b6:c0:11:2a:80:
-         b9:3d:6a:6e:7c:9b:d3:ad:fc:c3:d6:a3:e6:64:29:7c:d1:e1:
-         38:1e:82:2b:ff:27:65:af:fb:16:15:c4:2e:71:84:e5:b5:ff:
-         fa:a4:47:bd:64:32:bb:f6:25:84:a2:27:42:f5:20:b0:c2:13:
-         10:11:cd:10:15:ba:42:90:2a:d2:44:e1:96:26:eb:31:48:12:
-         fd:2a:da:c9:06:cf:74:1e:a9:4b:d5:87:28:f9:79:34:92:3e:
-         2e:44:e8:f6:8f:4f:8f:35:3f:25:b3:39:dc:63:2a:90:6b:20:
-         5f:c4:52:12:4e:97:2c:2a:ac:9d:97:de:48:f2:a3:66:db:c2:
-         d2:83:95:a6:66:a7:9e:25:0f:e9:0b:33:91:65:0a:5a:c3:d9:
-         54:12:dd:af:c3:4e:0e:1f:26:5e:0d:dc:b3:8d:ec:d5:81:70:
-         de:d2:4f:24:05:f3:6c:4e:f5:4c:49:66:8d:d1:ff:d2:0b:25:
-         41:48:fe:51:84:c6:42:af:80:04:cf:d0:7e:64:49:e4:f2:df:
-         a2:ec:b1:4c:c0:2a:1d:e7:b4:b1:65:a2:c4:bc:f1:98:f4:aa:
-         70:07:63:b4:b8:da:3b:4c:fa:40:22:30:5b:11:a6:f0:05:0e:
-         c6:02:03:48:ab:86:9b:85:dd:db:dd:ea:a2:76:80:73:7d:f5:
-         9c:04:c4:45:8d:e7:b9:1c:8b:9e:ea:d7:75:d1:72:b1:de:75:
-         44:e7:42:7d:e2:57:6b:7d:dc:99:bc:3d:83:28:ea:80:93:8d:
-         c5:4c:65:c1:70:81:b8:38:fc:43:31:b2:f6:03:34:47:b2:ac:
-         fb:22:06:cb:1e:dd:17:47:1c:5f:66:b9:d3:1a:a2:da:11:b1:
-         a4:bc:23:c9:e4:be:87:ff:b9:94:b6:f8:5d:20:4a:d4:5f:e7:
-         bd:68:7b:65:f2:15:1e:d2:3a:a9:2d:e9:d8:6b:24:ac:97:58:
-         44:47:ad:59:18:f1:21:65:70:de:ce:34:60:a8:40:f1:f3:3c:
-         a4:c3:28:23:8c:fe:27:33:43:40:a0:17:3c:eb:ea:3b:b0:72:
-         a6:a3:b9:4a:4b:5e:16:48:f4:b2:bc:c8:8c:92:c5:9d:9f:ac:
-         72:36:bc:34:80:34:6b:a9:8b:92:c0:b8:17:ed:ec:76:53:f5:
-         24:01:8c:b3:22:e8:4b:7c:55:c6:9d:fa:a3:14:bb:65:85:6e:
-         6e:4f:12:7e:0a:3c:9d:95
------BEGIN CERTIFICATE-----
-MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UE
-BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h
-cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEy
-MzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg
-Q2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjgwggIi
-MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDDUtd9
-thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQM
-cas9UX4PB99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefG
-L9ItWY16Ck6WaVICqjaY7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15i
-NA9wBj4gGFrO93IbJWyTdBSTo3OxDqqHECNZXyAFGUftaI6SEspd/NYrspI8IM/h
-X68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyIplD9amML9ZMWGxmPsu2b
-m8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctXMbScyJCy
-Z/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirja
-EbsXLZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/T
-KI8xWVvTyQKmtFLKbpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF
-6NkBiDkal4ZkQdU7hwxu+g/GvUgUvzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVh
-OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD
-VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNHDhpkLzCBpgYD
-VR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp
-cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBv
-ACAAZABlACAAbABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBl
-AGwAbwBuAGEAIAAwADgAMAAxADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF
-661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx51tkljYyGOylMnfX40S2wBEqgLk9
-am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qkR71kMrv2JYSiJ0L1
-ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaPT481
-PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS
-3a/DTg4fJl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5k
-SeTy36LssUzAKh3ntLFlosS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF
-3dvd6qJ2gHN99ZwExEWN57kci57q13XRcrHedUTnQn3iV2t93Jm8PYMo6oCTjcVM
-ZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoRsaS8I8nkvof/uZS2+F0g
-StRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTDKCOM/icz
-Q0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQB
-jLMi6Et8Vcad+qMUu2WFbm5PEn4KPJ2V
------END CERTIFICATE-----
-
-# 16af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 33554617 (0x20000b9)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
-        Validity
-            Not Before: May 12 18:46:00 2000 GMT
-            Not After : May 12 23:59:00 2025 GMT
-        Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
-                    d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
-                    64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
-                    62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
-                    52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
-                    73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
-                    50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
-                    a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
-                    70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
-                    d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
-                    5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
-                    98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
-                    ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
-                    39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
-                    c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
-                    ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
-                    78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
-                    1a:39
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:3
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-         85:0c:5d:8e:e4:6f:51:68:42:05:a0:dd:bb:4f:27:25:84:03:
-         bd:f7:64:fd:2d:d7:30:e3:a4:10:17:eb:da:29:29:b6:79:3f:
-         76:f6:19:13:23:b8:10:0a:f9:58:a4:d4:61:70:bd:04:61:6a:
-         12:8a:17:d5:0a:bd:c5:bc:30:7c:d6:e9:0c:25:8d:86:40:4f:
-         ec:cc:a3:7e:38:c6:37:11:4f:ed:dd:68:31:8e:4c:d2:b3:01:
-         74:ee:be:75:5e:07:48:1a:7f:70:ff:16:5c:84:c0:79:85:b8:
-         05:fd:7f:be:65:11:a3:0f:c0:02:b4:f8:52:37:39:04:d5:a9:
-         31:7a:18:bf:a0:2a:f4:12:99:f7:a3:45:82:e3:3c:5e:f5:9d:
-         9e:b5:c8:9e:7c:2e:c8:a4:9e:4e:08:14:4b:6d:fd:70:6d:6b:
-         1a:63:bd:64:e6:1f:b7:ce:f0:f2:9f:2e:bb:1b:b7:f2:50:88:
-         73:92:c2:e2:e3:16:8d:9a:32:02:ab:8e:18:dd:e9:10:11:ee:
-         7e:35:ab:90:af:3e:30:94:7a:d0:33:3d:a7:65:0f:f5:fc:8e:
-         9e:62:cf:47:44:2c:01:5d:bb:1d:b5:32:d2:47:d2:38:2e:d0:
-         fe:81:dc:32:6a:1e:b5:ee:3c:d5:fc:e7:81:1d:19:c3:24:42:
-         ea:63:39:a9
------BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
------END CERTIFICATE-----
-
-# edf7ebbca27a2a384d387b7d4010c666e2edb4843e4c29b4ae1d5b9332e6b24d
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 2 (0x2)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA
-        Validity
-            Not Before: Oct 26 08:28:58 2010 GMT
-            Not After : Oct 26 08:28:58 2040 GMT
-        Subject: C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:a5:da:0a:95:16:50:e3:95:f2:5e:9d:76:31:06:
-                    32:7a:9b:f1:10:76:b8:00:9a:b5:52:36:cd:24:47:
-                    b0:9f:18:64:bc:9a:f6:fa:d5:79:d8:90:62:4c:22:
-                    2f:de:38:3d:d6:e0:a8:e9:1c:2c:db:78:11:e9:8e:
-                    68:51:15:72:c7:f3:33:87:e4:a0:5d:0b:5c:e0:57:
-                    07:2a:30:f5:cd:c4:37:77:28:4d:18:91:e6:bf:d5:
-                    52:fd:71:2d:70:3e:e7:c6:c4:8a:e3:f0:28:0b:f4:
-                    76:98:a1:8b:87:55:b2:3a:13:fc:b7:3e:27:37:8e:
-                    22:e3:a8:4f:2a:ef:60:bb:3d:b7:39:c3:0e:01:47:
-                    99:5d:12:4f:db:43:fa:57:a1:ed:f9:9d:be:11:47:
-                    26:5b:13:98:ab:5d:16:8a:b0:37:1c:57:9d:45:ff:
-                    88:96:36:bf:bb:ca:07:7b:6f:87:63:d7:d0:32:6a:
-                    d6:5d:6c:0c:f1:b3:6e:39:e2:6b:31:2e:39:00:27:
-                    14:de:38:c0:ec:19:66:86:12:e8:9d:72:16:13:64:
-                    52:c7:a9:37:1c:fd:82:30:ed:84:18:1d:f4:ae:5c:
-                    ff:70:13:00:eb:b1:f5:33:7a:4b:d6:55:f8:05:8d:
-                    4b:69:b0:f5:b3:28:36:5c:14:c4:51:73:4d:6b:0b:
-                    f1:34:07:db:17:39:d7:dc:28:7b:6b:f5:9f:f3:2e:
-                    c1:4f:17:2a:10:f3:cc:ca:e8:eb:fd:6b:ab:2e:9a:
-                    9f:2d:82:6e:04:d4:52:01:93:2d:3d:86:fc:7e:fc:
-                    df:ef:42:1d:a6:6b:ef:b9:20:c6:f7:bd:a0:a7:95:
-                    fd:a7:e6:89:24:d8:cc:8c:34:6c:e2:23:2f:d9:12:
-                    1a:21:b9:55:91:6f:0b:91:79:19:0c:ad:40:88:0b:
-                    70:e2:7a:d2:0e:d8:68:48:bb:82:13:39:10:58:e9:
-                    d8:2a:07:c6:12:db:58:db:d2:3b:55:10:47:05:15:
-                    67:62:7e:18:63:a6:46:3f:09:0e:54:32:5e:bf:0d:
-                    62:7a:27:ef:80:e8:db:d9:4b:06:5a:37:5a:25:d0:
-                    08:12:77:d4:6f:09:50:97:3d:c8:1d:c3:df:8c:45:
-                    30:56:c6:d3:64:ab:66:f3:c0:5e:96:9c:c3:c4:ef:
-                    c3:7c:6b:8b:3a:79:7f:b3:49:cf:3d:e2:89:9f:a0:
-                    30:4b:85:b9:9c:94:24:79:8f:7d:6b:a9:45:68:0f:
-                    2b:d0:f1:da:1c:cb:69:b8:ca:49:62:6d:c8:d0:63:
-                    62:dd:60:0f:58:aa:8f:a1:bc:05:a5:66:a2:cf:1b:
-                    76:b2:84:64:b1:4c:39:52:c0:30:ba:f0:8c:4b:02:
-                    b0:b6:b7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                47:B8:CD:FF:E5:6F:EE:F8:B2:EC:2F:4E:0E:F9:25:B0:8E:3C:6B:C3
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         00:20:23:41:35:04:90:c2:40:62:60:ef:e2:35:4c:d7:3f:ac:
-         e2:34:90:b8:a1:6f:76:fa:16:16:a4:48:37:2c:e9:90:c2:f2:
-         3c:f8:0a:9f:d8:81:e5:bb:5b:da:25:2c:a4:a7:55:71:24:32:
-         f6:c8:0b:f2:bc:6a:f8:93:ac:b2:07:c2:5f:9f:db:cc:c8:8a:
-         aa:be:6a:6f:e1:49:10:cc:31:d7:80:bb:bb:c8:d8:a2:0e:64:
-         57:ea:a2:f5:c2:a9:31:15:d2:20:6a:ec:fc:22:01:28:cf:86:
-         b8:80:1e:a9:cc:11:a5:3c:f2:16:b3:47:9d:fc:d2:80:21:c4:
-         cb:d0:47:70:41:a1:ca:83:19:08:2c:6d:f2:5d:77:9c:8a:14:
-         13:d4:36:1c:92:f0:e5:06:37:dc:a6:e6:90:9b:38:8f:5c:6b:
-         1b:46:86:43:42:5f:3e:01:07:53:54:5d:65:7d:f7:8a:73:a1:
-         9a:54:5a:1f:29:43:14:27:c2:85:0f:b5:88:7b:1a:3b:94:b7:
-         1d:60:a7:b5:9c:e7:29:69:57:5a:9b:93:7a:43:30:1b:03:d7:
-         62:c8:40:a6:aa:fc:64:e4:4a:d7:91:53:01:a8:20:88:6e:9c:
-         5f:44:b9:cb:60:81:34:ec:6f:d3:7d:da:48:5f:eb:b4:90:bc:
-         2d:a9:1c:0b:ac:1c:d5:a2:68:20:80:04:d6:fc:b1:8f:2f:bb:
-         4a:31:0d:4a:86:1c:eb:e2:36:29:26:f5:da:d8:c4:f2:75:61:
-         cf:7e:ae:76:63:4a:7a:40:65:93:87:f8:1e:80:8c:86:e5:86:
-         d6:8f:0e:fc:53:2c:60:e8:16:61:1a:a2:3e:43:7b:cd:39:60:
-         54:6a:f5:f2:89:26:01:68:83:48:a2:33:e8:c9:04:91:b2:11:
-         34:11:3e:ea:d0:43:19:1f:03:93:90:0c:ff:51:3d:57:f4:41:
-         6e:e1:cb:a0:be:eb:c9:63:cd:6d:cc:e4:f8:36:aa:68:9d:ed:
-         bd:5d:97:70:44:0d:b6:0e:35:dc:e1:0c:5d:bb:a0:51:94:cb:
-         7e:16:eb:11:2f:a3:92:45:c8:4c:71:d9:bc:c9:99:52:57:46:
-         2f:50:cf:bd:35:69:f4:3d:15:ce:06:a5:2c:0f:3e:f6:81:ba:
-         94:bb:c3:bb:bf:65:78:d2:86:79:ff:49:3b:1a:83:0c:f0:de:
-         78:ec:c8:f2:4d:4c:1a:de:82:29:f8:c1:5a:da:ed:ee:e6:27:
-         5e:e8:45:d0:9d:1c:51:a8:68:ab:44:e3:d0:8b:6a:e3:f8:3b:
-         bb:dc:4d:d7:64:f2:51:be:e6:aa:ab:5a:e9:31:ee:06:bc:73:
-         bf:13:62:0a:9f:c7:b9:97
------BEGIN CERTIFICATE-----
-MIIFWTCCA0GgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJOTzEd
-MBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIDAeBgNVBAMMF0J1eXBhc3Mg
-Q2xhc3MgMyBSb290IENBMB4XDTEwMTAyNjA4Mjg1OFoXDTQwMTAyNjA4Mjg1OFow
-TjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBhc3MgQVMtOTgzMTYzMzI3MSAw
-HgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEB
-BQADggIPADCCAgoCggIBAKXaCpUWUOOV8l6ddjEGMnqb8RB2uACatVI2zSRHsJ8Y
-ZLya9vrVediQYkwiL944PdbgqOkcLNt4EemOaFEVcsfzM4fkoF0LXOBXByow9c3E
-N3coTRiR5r/VUv1xLXA+58bEiuPwKAv0dpihi4dVsjoT/Lc+JzeOIuOoTyrvYLs9
-tznDDgFHmV0ST9tD+leh7fmdvhFHJlsTmKtdFoqwNxxXnUX/iJY2v7vKB3tvh2PX
-0DJq1l1sDPGzbjniazEuOQAnFN44wOwZZoYS6J1yFhNkUsepNxz9gjDthBgd9K5c
-/3ATAOux9TN6S9ZV+AWNS2mw9bMoNlwUxFFzTWsL8TQH2xc519woe2v1n/MuwU8X
-KhDzzMro6/1rqy6any2CbgTUUgGTLT2G/H783+9CHaZr77kgxve9oKeV/afmiSTY
-zIw0bOIjL9kSGiG5VZFvC5F5GQytQIgLcOJ60g7YaEi7ghM5EFjp2CoHxhLbWNvS
-O1UQRwUVZ2J+GGOmRj8JDlQyXr8NYnon74Do29lLBlo3WiXQCBJ31G8JUJc9yB3D
-34xFMFbG02SrZvPAXpacw8Tvw3xrizp5f7NJzz3iiZ+gMEuFuZyUJHmPfWupRWgP
-K9Dx2hzLabjKSWJtyNBjYt1gD1iqj6G8BaVmos8bdrKEZLFMOVLAMLrwjEsCsLa3
-AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEe4zf/lb+74suwv
-Tg75JbCOPGvDMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAACAj
-QTUEkMJAYmDv4jVM1z+s4jSQuKFvdvoWFqRINyzpkMLyPPgKn9iB5btb2iUspKdV
-cSQy9sgL8rxq+JOssgfCX5/bzMiKqr5qb+FJEMwx14C7u8jYog5kV+qi9cKpMRXS
-IGrs/CIBKM+GuIAeqcwRpTzyFrNHnfzSgCHEy9BHcEGhyoMZCCxt8l13nIoUE9Q2
-HJLw5QY33KbmkJs4j1xrG0aGQ0JfPgEHU1RdZX33inOhmlRaHylDFCfChQ+1iHsa
-O5S3HWCntZznKWlXWpuTekMwGwPXYshApqr8ZORK15FTAaggiG6cX0S5y2CBNOxv
-033aSF/rtJC8LakcC6wc1aJoIIAE1vyxjy+7SjENSoYc6+I2KSb12tjE8nVhz36u
-dmNKekBlk4f4HoCMhuWG1o8O/FMsYOgWYRqiPkN7zTlgVGr18okmAWiDSKIz6MkE
-kbIRNBE+6tBDGR8Dk5AM/1E9V/RBbuHLoL7ryWPNbczk+DaqaJ3tvV2XcEQNtg41
-3OEMXbugUZTLfhbrES+jkkXITHHZvMmZUldGL1DPvTVp9D0VzgalLA8+9oG6lLvD
-u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq
-4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc=
------END CERTIFICATE-----
-
-# 657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            11:00:34:b6:4e:c6:36:2d:36
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = RO, O = CERTSIGN SA, OU = certSIGN ROOT CA G2
-        Validity
-            Not Before: Feb  6 09:27:35 2017 GMT
-            Not After : Feb  6 09:27:35 2042 GMT
-        Subject: C = RO, O = CERTSIGN SA, OU = certSIGN ROOT CA G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:c0:c5:75:19:91:7d:44:74:74:87:fe:0e:3b:96:
-                    dc:d8:01:16:cc:ee:63:91:e7:0b:6f:ce:3b:0a:69:
-                    1a:7c:c2:e3:af:82:8e:86:d7:5e:8f:57:eb:d3:21:
-                    59:fd:39:37:42:30:be:50:ea:b6:0f:a9:88:d8:2e:
-                    2d:69:21:e7:d1:37:18:4e:7d:91:d5:16:5f:6b:5b:
-                    00:c2:39:43:0d:36:85:52:b9:53:65:0f:1d:42:e5:
-                    8f:cf:05:d3:ee:dc:0c:1a:d9:b8:8b:78:22:67:e4:
-                    69:b0:68:c5:3c:e4:6c:5a:46:e7:cd:c7:fa:ef:c4:
-                    ec:4b:bd:6a:a4:ac:fd:cc:28:51:ef:92:b4:29:ab:
-                    ab:35:9a:4c:e4:c4:08:c6:26:cc:f8:69:9f:e4:9c:
-                    f0:29:d3:5c:f9:c6:16:25:9e:23:c3:20:c1:3d:0f:
-                    3f:38:40:b0:fe:82:44:38:aa:5a:1a:8a:6b:63:58:
-                    38:b4:15:d3:b6:11:69:7b:1e:54:ee:8c:1a:22:ac:
-                    72:97:3f:23:59:9b:c9:22:84:c1:07:4f:cc:7f:e2:
-                    57:ca:12:70:bb:a6:65:f3:69:75:63:bd:95:fb:1b:
-                    97:cd:e4:a8:af:f6:d1:4e:a8:d9:8a:71:24:cd:36:
-                    3d:bc:96:c4:f1:6c:a9:ae:e5:cf:0d:6e:28:0d:b0:
-                    0e:b5:ca:51:7b:78:14:c3:20:2f:7f:fb:14:55:e1:
-                    11:99:fd:d5:0a:a1:9e:02:e3:62:5f:eb:35:4b:2c:
-                    b8:72:e8:3e:3d:4f:ac:2c:bb:2e:86:e2:a3:76:8f:
-                    e5:93:2a:cf:a5:ab:c8:5c:8d:4b:06:ff:12:46:ac:
-                    78:cb:14:07:35:e0:a9:df:8b:e9:af:15:4f:16:89:
-                    5b:bd:f6:8d:c6:59:ae:88:85:0e:c1:89:eb:1f:67:
-                    c5:45:8e:ff:6d:37:36:2b:78:66:83:91:51:2b:3d:
-                    ff:51:77:76:62:a1:ec:67:3e:3e:81:83:e0:56:a9:
-                    50:1f:1f:7a:99:ab:63:bf:84:17:77:f1:0d:3b:df:
-                    f7:9c:61:b3:35:98:8a:3a:b2:ec:3c:1a:37:3f:7e:
-                    8f:92:cf:d9:12:14:64:da:10:02:15:41:ff:4f:c4:
-                    eb:1c:a3:c9:fa:99:f7:46:e9:e1:18:d9:b1:b8:32:
-                    2d:cb:14:0c:50:d8:83:65:83:ee:b9:5c:cf:cb:05:
-                    5a:4c:fa:19:97:6b:d6:5d:13:d3:c2:5c:54:bc:32:
-                    73:a0:78:f5:f1:6d:1e:cb:9f:a5:a6:9f:22:dc:d1:
-                    51:9e:82:79:64:60:29:13:3e:a3:fd:4f:72:6a:ab:
-                    e2:d4:e5:b8:24:55:2c:44:4b:8a:88:44:9c:ca:84:
-                    d3:2a:3b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                82:21:2D:66:C6:D7:A0:E0:15:EB:CE:4C:09:77:C4:60:9E:54:6E:03
-    Signature Algorithm: sha256WithRSAEncryption
-         60:de:1a:b8:e7:f2:60:82:d5:03:33:81:cb:06:8a:f1:22:49:
-         e9:e8:ea:91:7f:c6:33:5e:68:19:03:86:3b:43:01:cf:07:70:
-         e4:08:1e:65:85:91:e6:11:22:b7:f5:02:23:8e:ae:b9:1e:7d:
-         1f:7e:6c:e6:bd:25:d5:95:1a:f2:05:a6:af:85:02:6f:ae:f8:
-         d6:31:ff:25:c9:4a:c8:c7:8a:a9:d9:9f:4b:49:9b:11:57:99:
-         92:43:11:de:b6:33:a4:cc:d7:8d:64:7d:d4:cd:3c:28:2c:b4:
-         9a:96:ea:4d:f5:c4:44:c4:25:aa:20:80:d8:29:55:f7:e0:41:
-         fc:06:26:ff:b9:36:f5:43:14:03:66:78:e1:11:b1:da:20:5f:
-         46:00:78:00:21:a5:1e:00:28:61:78:6f:a8:01:01:8f:9d:34:
-         9a:ff:f4:38:90:fb:b8:d1:b3:72:06:c9:71:e6:81:c5:79:ed:
-         0b:a6:79:f2:13:0b:9c:f7:5d:0e:7b:24:93:b4:48:db:86:5f:
-         de:50:86:78:e7:40:e6:31:a8:90:76:70:61:af:9c:37:2c:11:
-         b5:82:b7:aa:ae:24:34:5b:72:0c:69:0d:cd:59:9f:f6:71:af:
-         9c:0b:d1:0a:38:f9:06:22:83:53:25:0c:fc:51:c4:e6:be:e2:
-         39:95:0b:24:ad:af:d1:95:e4:96:d7:74:64:6b:71:4e:02:3c:
-         aa:85:f3:20:a3:43:39:76:5b:6c:50:fe:9a:9c:14:1e:65:14:
-         8a:15:bd:a3:82:45:5a:49:56:6a:d2:9c:b1:63:32:e5:61:e0:
-         53:22:0e:a7:0a:49:ea:cb:7e:1f:a8:e2:62:80:f6:10:45:52:
-         98:06:18:de:a5:cd:2f:7f:aa:d4:e9:3e:08:72:ec:23:03:02:
-         3c:a6:aa:d8:bc:67:74:3d:14:17:fb:54:4b:17:e3:d3:79:3d:
-         6d:6b:49:c9:28:0e:2e:74:50:bf:0c:d9:46:3a:10:86:c9:a7:
-         3f:e9:a0:ec:7f:eb:a5:77:58:69:71:e6:83:0a:37:f2:86:49:
-         6a:be:79:08:90:f6:02:16:64:3e:e5:da:4c:7e:0c:34:c9:f9:
-         5f:b6:b3:28:51:a7:a7:2b:aa:49:fa:8d:65:29:4e:e3:6b:13:
-         a7:94:a3:2d:51:6d:78:0c:44:cb:df:de:08:6f:ce:a3:64:ab:
-         d3:95:84:d4:b9:52:54:72:7b:96:25:cc:bc:69:e3:48:6e:0d:
-         d0:c7:9d:27:9a:aa:f8:13:92:dd:1e:df:63:9f:35:a9:16:36:
-         ec:8c:b8:83:f4:3d:89:8f:cd:b4:17:5e:d7:b3:17:41:10:5d:
-         27:73:60:85:57:49:22:07
------BEGIN CERTIFICATE-----
-MIIFRzCCAy+gAwIBAgIJEQA0tk7GNi02MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV
-BAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJR04g
-Uk9PVCBDQSBHMjAeFw0xNzAyMDYwOTI3MzVaFw00MjAyMDYwOTI3MzVaMEExCzAJ
-BgNVBAYTAlJPMRQwEgYDVQQKEwtDRVJUU0lHTiBTQTEcMBoGA1UECxMTY2VydFNJ
-R04gUk9PVCBDQSBHMjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDF
-dRmRfUR0dIf+DjuW3NgBFszuY5HnC2/OOwppGnzC46+CjobXXo9X69MhWf05N0Iw
-vlDqtg+piNguLWkh59E3GE59kdUWX2tbAMI5Qw02hVK5U2UPHULlj88F0+7cDBrZ
-uIt4ImfkabBoxTzkbFpG583H+u/E7Eu9aqSs/cwoUe+StCmrqzWaTOTECMYmzPhp
-n+Sc8CnTXPnGFiWeI8MgwT0PPzhAsP6CRDiqWhqKa2NYOLQV07YRaXseVO6MGiKs
-cpc/I1mbySKEwQdPzH/iV8oScLumZfNpdWO9lfsbl83kqK/20U6o2YpxJM02PbyW
-xPFsqa7lzw1uKA2wDrXKUXt4FMMgL3/7FFXhEZn91QqhngLjYl/rNUssuHLoPj1P
-rCy7Lobio3aP5ZMqz6WryFyNSwb/EkaseMsUBzXgqd+L6a8VTxaJW732jcZZroiF
-DsGJ6x9nxUWO/203Nit4ZoORUSs9/1F3dmKh7Gc+PoGD4FapUB8fepmrY7+EF3fx
-DTvf95xhszWYijqy7DwaNz9+j5LP2RIUZNoQAhVB/0/E6xyjyfqZ90bp4RjZsbgy
-LcsUDFDYg2WD7rlcz8sFWkz6GZdr1l0T08JcVLwyc6B49fFtHsufpaafItzRUZ6C
-eWRgKRM+o/1Pcmqr4tTluCRVLERLiohEnMqE0yo7AgMBAAGjQjBAMA8GA1UdEwEB
-/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSCIS1mxteg4BXrzkwJ
-d8RgnlRuAzANBgkqhkiG9w0BAQsFAAOCAgEAYN4auOfyYILVAzOBywaK8SJJ6ejq
-kX/GM15oGQOGO0MBzwdw5AgeZYWR5hEit/UCI46uuR59H35s5r0l1ZUa8gWmr4UC
-b6741jH/JclKyMeKqdmfS0mbEVeZkkMR3rYzpMzXjWR91M08KCy0mpbqTfXERMQl
-qiCA2ClV9+BB/AYm/7k29UMUA2Z44RGx2iBfRgB4ACGlHgAoYXhvqAEBj500mv/0
-OJD7uNGzcgbJceaBxXntC6Z58hMLnPddDnskk7RI24Zf3lCGeOdA5jGokHZwYa+c
-NywRtYK3qq4kNFtyDGkNzVmf9nGvnAvRCjj5BiKDUyUM/FHE5r7iOZULJK2v0ZXk
-ltd0ZGtxTgI8qoXzIKNDOXZbbFD+mpwUHmUUihW9o4JFWklWatKcsWMy5WHgUyIO
-pwpJ6st+H6jiYoD2EEVSmAYY3qXNL3+q1Ok+CHLsIwMCPKaq2LxndD0UF/tUSxfj
-03k9bWtJySgOLnRQvwzZRjoQhsmnP+mg7H/rpXdYaXHmgwo38oZJar55CJD2AhZk
-PuXaTH4MNMn5X7azKFGnpyuqSfqNZSlO42sTp5SjLVFteAxEy9/eCG/Oo2Sr05WE
-1LlSVHJ7liXMvGnjSG4N0MedJ5qq+BOS3R7fY581qRY27Iy4g/Q9iY/NtBde17MX
-QRBdJ3NghVdJIgc=
------END CERTIFICATE-----
-
-# 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 279744 (0x444c0)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
-        Validity
-            Not Before: Oct 22 12:07:37 2008 GMT
-            Not After : Dec 31 12:07:37 2029 GMT
-        Subject: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:e3:fb:7d:a3:72:ba:c2:f0:c9:14:87:f5:6b:01:
-                    4e:e1:6e:40:07:ba:6d:27:5d:7f:f7:5b:2d:b3:5a:
-                    c7:51:5f:ab:a4:32:a6:61:87:b6:6e:0f:86:d2:30:
-                    02:97:f8:d7:69:57:a1:18:39:5d:6a:64:79:c6:01:
-                    59:ac:3c:31:4a:38:7c:d2:04:d2:4b:28:e8:20:5f:
-                    3b:07:a2:cc:4d:73:db:f3:ae:4f:c7:56:d5:5a:a7:
-                    96:89:fa:f3:ab:68:d4:23:86:59:27:cf:09:27:bc:
-                    ac:6e:72:83:1c:30:72:df:e0:a2:e9:d2:e1:74:75:
-                    19:bd:2a:9e:7b:15:54:04:1b:d7:43:39:ad:55:28:
-                    c5:e2:1a:bb:f4:c0:e4:ae:38:49:33:cc:76:85:9f:
-                    39:45:d2:a4:9e:f2:12:8c:51:f8:7c:e4:2d:7f:f5:
-                    ac:5f:eb:16:9f:b1:2d:d1:ba:cc:91:42:77:4c:25:
-                    c9:90:38:6f:db:f0:cc:fb:8e:1e:97:59:3e:d5:60:
-                    4e:e6:05:28:ed:49:79:13:4b:ba:48:db:2f:f9:72:
-                    d3:39:ca:fe:1f:d8:34:72:f5:b4:40:cf:31:01:c3:
-                    ec:de:11:2d:17:5d:1f:b8:50:d1:5e:19:a7:69:de:
-                    07:33:28:ca:50:95:f9:a7:54:cb:54:86:50:45:a9:
-                    f9:49
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                08:76:CD:CB:07:FF:24:F6:C5:CD:ED:BB:90:BC:E2:84:37:46:75:F7
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-         a6:a8:ad:22:ce:01:3d:a6:a3:ff:62:d0:48:9d:8b:5e:72:b0:
-         78:44:e3:dc:1c:af:09:fd:23:48:fa:bd:2a:c4:b9:55:04:b5:
-         10:a3:8d:27:de:0b:82:63:d0:ee:de:0c:37:79:41:5b:22:b2:
-         b0:9a:41:5c:a6:70:e0:d4:d0:77:cb:23:d3:00:e0:6c:56:2f:
-         e1:69:0d:0d:d9:aa:bf:21:81:50:d9:06:a5:a8:ff:95:37:d0:
-         aa:fe:e2:b3:f5:99:2d:45:84:8a:e5:42:09:d7:74:02:2f:f7:
-         89:d8:99:e9:bc:27:d4:47:8d:ba:0d:46:1c:77:cf:14:a4:1c:
-         b9:a4:31:c4:9c:28:74:03:34:ff:33:19:26:a5:e9:0d:74:b7:
-         3e:97:c6:76:e8:27:96:a3:66:dd:e1:ae:f2:41:5b:ca:98:56:
-         83:73:70:e4:86:1a:d2:31:41:ba:2f:be:2d:13:5a:76:6f:4e:
-         e8:4e:81:0e:3f:5b:03:22:a0:12:be:66:58:11:4a:cb:03:c4:
-         b4:2a:2a:2d:96:17:e0:39:54:bc:48:d3:76:27:9d:9a:2d:06:
-         a6:c9:ec:39:d2:ab:db:9f:9a:0b:27:02:35:29:b1:40:95:e7:
-         f9:e8:9c:55:88:19:46:d6:b7:34:f5:7e:ce:39:9a:d9:38:f1:
-         51:f7:4f:2c
------BEGIN CERTIFICATE-----
-MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
-MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
-ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
-cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
-WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
-Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
-IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
-UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
-TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
-BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
-kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
-AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
-HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
-sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
-I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
-J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
-VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
-03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
------END CERTIFICATE-----
-
-# 5cc3d78e4e1d5e45547a04e6873e64f90cf9536d1ccc2ef800f355c4c5fd70fd
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 407555286 (0x184accd6)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT
-        Validity
-            Not Before: Aug  8 03:07:01 2012 GMT
-            Not After : Dec 31 03:07:01 2029 GMT
-        Subject: C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:d7:5d:6b:cd:10:3f:1f:05:59:d5:05:4d:37:b1:
-                    0e:ec:98:2b:8e:15:1d:fa:93:4b:17:82:21:71:10:
-                    52:d7:51:64:70:16:c2:55:69:4d:8e:15:6d:9f:bf:
-                    0c:1b:c2:e0:a3:67:d6:0c:ac:cf:22:ae:af:77:54:
-                    2a:4b:4c:8a:53:52:7a:c3:ee:2e:de:b3:71:25:c1:
-                    e9:5d:3d:ee:a1:2f:a3:f7:2a:3c:c9:23:1d:6a:ab:
-                    1d:a1:a7:f1:f3:ec:a0:d5:44:cf:15:cf:72:2f:1d:
-                    63:97:e8:99:f9:fd:93:a4:54:80:4c:52:d4:52:ab:
-                    2e:49:df:90:cd:b8:5f:be:3f:de:a1:ca:4d:20:d4:
-                    25:e8:84:29:53:b7:b1:88:1f:ff:fa:da:90:9f:0a:
-                    a9:2d:41:3f:b1:f1:18:29:ee:16:59:2c:34:49:1a:
-                    a8:06:d7:a8:88:d2:03:72:7a:32:e2:ea:68:4d:6e:
-                    2c:96:65:7b:ca:59:fa:f2:e2:dd:ee:30:2c:fb:cc:
-                    46:ac:c4:63:eb:6f:7f:36:2b:34:73:12:94:7f:df:
-                    cc:26:9e:f1:72:5d:50:65:59:8f:69:b3:87:5e:32:
-                    6f:c3:18:8a:b5:95:8f:b0:7a:37:de:5a:45:3b:c7:
-                    36:e1:ef:67:d1:39:d3:97:5b:73:62:19:48:2d:87:
-                    1c:06:fb:74:98:20:49:73:f0:05:d2:1b:b1:a0:a3:
-                    b7:1b:70:d3:88:69:b9:5a:d6:38:f4:62:dc:25:8b:
-                    78:bf:f8:e8:7e:b8:5c:c9:95:4f:5f:a7:2d:b9:20:
-                    6b:cf:6b:dd:f5:0d:f4:82:b7:f4:b2:66:2e:10:28:
-                    f6:97:5a:7b:96:16:8f:01:19:2d:6c:6e:7f:39:58:
-                    06:64:83:01:83:83:c3:4d:92:dd:32:c6:87:a4:37:
-                    e9:16:ce:aa:2d:68:af:0a:81:65:3a:70:c1:9b:ad:
-                    4d:6d:54:ca:2a:2d:4b:85:1b:b3:80:e6:70:45:0d:
-                    6b:5e:35:f0:7f:3b:b8:9c:e4:04:70:89:12:25:93:
-                    da:0a:99:22:60:6a:63:60:4e:76:06:98:4e:bd:83:
-                    ad:1d:58:8a:25:85:d2:c7:65:1e:2d:8e:c6:df:b6:
-                    c6:e1:7f:8a:04:21:15:29:74:f0:3e:9c:90:9d:0c:
-                    2e:f1:8a:3e:5a:aa:0c:09:1e:c7:d5:3c:a3:ed:97:
-                    c3:1e:34:fa:38:f9:08:0e:e3:c0:5d:2b:83:d1:56:
-                    6a:c9:b6:a8:54:53:2e:78:32:67:3d:82:7f:74:d0:
-                    fb:e1:b6:05:60:b9:70:db:8e:0b:f9:13:58:6f:71:
-                    60:10:52:10:b9:c1:41:09:ef:72:1f:67:31:78:ff:
-                    96:05:8d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Authority Key Identifier: 
-                keyid:E3:FE:2D:FD:28:D0:0B:B5:BA:B6:A2:C4:BF:06:AA:05:8C:93:FB:2F
-
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                E3:FE:2D:FD:28:D0:0B:B5:BA:B6:A2:C4:BF:06:AA:05:8C:93:FB:2F
-    Signature Algorithm: sha256WithRSAEncryption
-         25:c6:ba:6b:eb:87:cb:de:82:39:96:3d:f0:44:a7:6b:84:73:
-         03:de:9d:2b:4f:ba:20:7f:bc:78:b2:cf:97:b0:1b:9c:f3:d7:
-         79:2e:f5:48:b6:d2:fb:17:88:e6:d3:7a:3f:ed:53:13:d0:e2:
-         2f:6a:79:cb:00:23:28:e6:1e:37:57:35:89:84:c2:76:4f:34:
-         36:ad:67:c3:ce:41:06:88:c5:f7:ee:d8:1a:b8:d6:0b:7f:50:
-         ff:93:aa:17:4b:8c:ec:ed:52:60:b2:a4:06:ea:4e:eb:f4:6b:
-         19:fd:eb:f5:1a:e0:25:2a:9a:dc:c7:41:36:f7:c8:74:05:84:
-         39:95:39:d6:0b:3b:a4:27:fa:08:d8:5c:1e:f8:04:60:52:11:
-         28:28:03:ff:ef:53:66:00:a5:4a:34:16:66:7c:fd:09:a4:ae:
-         9e:67:1a:6f:41:0b:6b:06:13:9b:8f:86:71:05:b4:2f:8d:89:
-         66:33:29:76:54:9a:11:f8:27:fa:b2:3f:91:e0:ce:0d:1b:f3:
-         30:1a:ad:bf:22:5d:1b:d3:bf:25:05:4d:e1:92:1a:7f:99:9f:
-         3c:44:93:ca:d4:40:49:6c:80:87:d7:04:3a:c3:32:52:35:0e:
-         56:f8:a5:dd:7d:c4:8b:0d:11:1f:53:cb:1e:b2:17:b6:68:77:
-         5a:e0:d4:cb:c8:07:ae:f5:3a:2e:8e:37:b7:d0:01:4b:43:29:
-         77:8c:39:97:8f:82:5a:f8:51:e5:89:a0:18:e7:68:7f:5d:0a:
-         2e:fb:a3:47:0e:3d:a6:23:7a:c6:01:c7:8f:c8:5e:bf:6d:80:
-         56:be:8a:24:ba:33:ea:9f:e1:32:11:9e:f1:d2:4f:80:f6:1b:
-         40:af:38:9e:11:50:79:73:12:12:cd:e6:6c:9d:2c:88:72:3c:
-         30:81:06:91:22:ea:59:ad:da:19:2e:22:c2:8d:b9:8c:87:e0:
-         66:bc:73:23:5f:21:64:63:80:48:f5:a0:3c:18:3d:94:c8:48:
-         41:1d:40:ba:5e:fe:fe:56:39:a1:c8:cf:5e:9e:19:64:46:10:
-         da:17:91:b7:05:80:ac:8b:99:92:7d:e7:a2:d8:07:0b:36:27:
-         e7:48:79:60:8a:c3:d7:13:5c:f8:72:40:df:4a:cb:cf:99:00:
-         0a:00:0b:11:95:da:56:45:03:88:0a:9f:67:d0:d5:79:b1:a8:
-         8d:40:6d:0d:c2:7a:40:fa:f3:5f:64:47:92:cb:53:b9:bb:59:
-         ce:4f:fd:d0:15:53:01:d8:df:eb:d9:e6:76:ef:d0:23:bb:3b:
-         a9:79:b3:d5:02:29:cd:89:a3:96:0f:4a:35:e7:4e:42:c0:75:
-         cd:07:cf:e6:2c:eb:7b:2e
------BEGIN CERTIFICATE-----
-MIIFjTCCA3WgAwIBAgIEGErM1jANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJD
-TjEwMC4GA1UECgwnQ2hpbmEgRmluYW5jaWFsIENlcnRpZmljYXRpb24gQXV0aG9y
-aXR5MRUwEwYDVQQDDAxDRkNBIEVWIFJPT1QwHhcNMTIwODA4MDMwNzAxWhcNMjkx
-MjMxMDMwNzAxWjBWMQswCQYDVQQGEwJDTjEwMC4GA1UECgwnQ2hpbmEgRmluYW5j
-aWFsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQDDAxDRkNBIEVWIFJP
-T1QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXXWvNED8fBVnVBU03
-sQ7smCuOFR36k0sXgiFxEFLXUWRwFsJVaU2OFW2fvwwbwuCjZ9YMrM8irq93VCpL
-TIpTUnrD7i7es3ElweldPe6hL6P3KjzJIx1qqx2hp/Hz7KDVRM8Vz3IvHWOX6Jn5
-/ZOkVIBMUtRSqy5J35DNuF++P96hyk0g1CXohClTt7GIH//62pCfCqktQT+x8Rgp
-7hZZLDRJGqgG16iI0gNyejLi6mhNbiyWZXvKWfry4t3uMCz7zEasxGPrb382KzRz
-EpR/38wmnvFyXVBlWY9ps4deMm/DGIq1lY+wejfeWkU7xzbh72fROdOXW3NiGUgt
-hxwG+3SYIElz8AXSG7Ggo7cbcNOIabla1jj0Ytwli3i/+Oh+uFzJlU9fpy25IGvP
-a931DfSCt/SyZi4QKPaXWnuWFo8BGS1sbn85WAZkgwGDg8NNkt0yxoekN+kWzqot
-aK8KgWU6cMGbrU1tVMoqLUuFG7OA5nBFDWteNfB/O7ic5ARwiRIlk9oKmSJgamNg
-TnYGmE69g60dWIolhdLHZR4tjsbftsbhf4oEIRUpdPA+nJCdDC7xij5aqgwJHsfV
-PKPtl8MeNPo4+QgO48BdK4PRVmrJtqhUUy54Mmc9gn900PvhtgVguXDbjgv5E1hv
-cWAQUhC5wUEJ73IfZzF4/5YFjQIDAQABo2MwYTAfBgNVHSMEGDAWgBTj/i39KNAL
-tbq2osS/BqoFjJP7LzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAd
-BgNVHQ4EFgQU4/4t/SjQC7W6tqLEvwaqBYyT+y8wDQYJKoZIhvcNAQELBQADggIB
-ACXGumvrh8vegjmWPfBEp2uEcwPenStPuiB/vHiyz5ewG5zz13ku9Ui20vsXiObT
-ej/tUxPQ4i9qecsAIyjmHjdXNYmEwnZPNDatZ8POQQaIxffu2Bq41gt/UP+TqhdL
-jOztUmCypAbqTuv0axn96/Ua4CUqmtzHQTb3yHQFhDmVOdYLO6Qn+gjYXB74BGBS
-ESgoA//vU2YApUo0FmZ8/Qmkrp5nGm9BC2sGE5uPhnEFtC+NiWYzKXZUmhH4J/qy
-P5Hgzg0b8zAarb8iXRvTvyUFTeGSGn+ZnzxEk8rUQElsgIfXBDrDMlI1Dlb4pd19
-xIsNER9Tyx6yF7Zod1rg1MvIB671Oi6ON7fQAUtDKXeMOZePglr4UeWJoBjnaH9d
-Ci77o0cOPaYjesYBx4/IXr9tgFa+iiS6M+qf4TIRnvHST4D2G0CvOJ4RUHlzEhLN
-5mydLIhyPDCBBpEi6lmt2hkuIsKNuYyH4Ga8cyNfIWRjgEj1oDwYPZTISEEdQLpe
-/v5WOaHIz16eGWRGENoXkbcFgKyLmZJ956LYBws2J+dIeWCKw9cTXPhyQN9Ky8+Z
-AAoACxGV2lZFA4gKn2fQ1XmxqI1AbQ3CekD6819kR5LLU7m7Wc5P/dAVUwHY3+vZ
-5nbv0CO7O6l5s9UCKc2Jo5YPSjXnTkLAdc0Hz+Ys63su
------END CERTIFICATE-----
-
-# 0c2cd63df7806fa399ede809116b575bf87989f06518f9808c860503178baf66
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
-        Validity
-            Not Before: Dec  1 00:00:00 2006 GMT
-            Not After : Dec 31 23:59:59 2029 GMT
-        Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:d0:40:8b:8b:72:e3:91:1b:f7:51:c1:1b:54:04:
-                    98:d3:a9:bf:c1:e6:8a:5d:3b:87:fb:bb:88:ce:0d:
-                    e3:2f:3f:06:96:f0:a2:29:50:99:ae:db:3b:a1:57:
-                    b0:74:51:71:cd:ed:42:91:4d:41:fe:a9:c8:d8:6a:
-                    86:77:44:bb:59:66:97:50:5e:b4:d4:2c:70:44:cf:
-                    da:37:95:42:69:3c:30:c4:71:b3:52:f0:21:4d:a1:
-                    d8:ba:39:7c:1c:9e:a3:24:9d:f2:83:16:98:aa:16:
-                    7c:43:9b:15:5b:b7:ae:34:91:fe:d4:62:26:18:46:
-                    9a:3f:eb:c1:f9:f1:90:57:eb:ac:7a:0d:8b:db:72:
-                    30:6a:66:d5:e0:46:a3:70:dc:68:d9:ff:04:48:89:
-                    77:de:b5:e9:fb:67:6d:41:e9:bc:39:bd:32:d9:62:
-                    02:f1:b1:a8:3d:6e:37:9c:e2:2f:e2:d3:a2:26:8b:
-                    c6:b8:55:43:88:e1:23:3e:a5:d2:24:39:6a:47:ab:
-                    00:d4:a1:b3:a9:25:fe:0d:3f:a7:1d:ba:d3:51:c1:
-                    0b:a4:da:ac:38:ef:55:50:24:05:65:46:93:34:4f:
-                    2d:8d:ad:c6:d4:21:19:d2:8e:ca:05:61:71:07:73:
-                    47:e5:8a:19:12:bd:04:4d:ce:4e:9c:a5:48:ac:bb:
-                    26:f7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                0B:58:E5:8B:C6:4C:15:37:A4:40:A9:30:A9:21:BE:47:36:5A:56:FF
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.comodoca.com/COMODOCertificationAuthority.crl
-
-    Signature Algorithm: sha1WithRSAEncryption
-         3e:98:9e:9b:f6:1b:e9:d7:39:b7:78:ae:1d:72:18:49:d3:87:
-         e4:43:82:eb:3f:c9:aa:f5:a8:b5:ef:55:7c:21:52:65:f9:d5:
-         0d:e1:6c:f4:3e:8c:93:73:91:2e:02:c4:4e:07:71:6f:c0:8f:
-         38:61:08:a8:1e:81:0a:c0:2f:20:2f:41:8b:91:dc:48:45:bc:
-         f1:c6:de:ba:76:6b:33:c8:00:2d:31:46:4c:ed:e7:9d:cf:88:
-         94:ff:33:c0:56:e8:24:86:26:b8:d8:38:38:df:2a:6b:dd:12:
-         cc:c7:3f:47:17:4c:a2:c2:06:96:09:d6:db:fe:3f:3c:46:41:
-         df:58:e2:56:0f:3c:3b:c1:1c:93:35:d9:38:52:ac:ee:c8:ec:
-         2e:30:4e:94:35:b4:24:1f:4b:78:69:da:f2:02:38:cc:95:52:
-         93:f0:70:25:59:9c:20:67:c4:ee:f9:8b:57:61:f4:92:76:7d:
-         3f:84:8d:55:b7:e8:e5:ac:d5:f1:f5:19:56:a6:5a:fb:90:1c:
-         af:93:eb:e5:1c:d4:67:97:5d:04:0e:be:0b:83:a6:17:83:b9:
-         30:12:a0:c5:33:15:05:b9:0d:fb:c7:05:76:e3:d8:4a:8d:fc:
-         34:17:a3:c6:21:28:be:30:45:31:1e:c7:78:be:58:61:38:ac:
-         3b:e2:01:65
------BEGIN CERTIFICATE-----
-MIIEHTCCAwWgAwIBAgIQToEtioJl4AsC7j41AkblPTANBgkqhkiG9w0BAQUFADCB
-gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
-A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
-BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEyMDEwMDAw
-MDBaFw0yOTEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
-YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P
-RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3
-UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI
-2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8
-Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp
-+2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+
-DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O
-nKVIrLsm9wIDAQABo4GOMIGLMB0GA1UdDgQWBBQLWOWLxkwVN6RAqTCpIb5HNlpW
-/zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBJBgNVHR8EQjBAMD6g
-PKA6hjhodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9u
-QXV0aG9yaXR5LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAPpiem/Yb6dc5t3iuHXIY
-SdOH5EOC6z/JqvWote9VfCFSZfnVDeFs9D6Mk3ORLgLETgdxb8CPOGEIqB6BCsAv
-IC9Bi5HcSEW88cbeunZrM8gALTFGTO3nnc+IlP8zwFboJIYmuNg4ON8qa90SzMc/
-RxdMosIGlgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4
-zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
-BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB
-ZQ==
------END CERTIFICATE-----
-
-# 1a0d20445de5ba1862d19ef880858cbce50102b36e8f0a040c3c69e74522fe6e
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            20:a4:c4:7f:dd:df:e1:c7:53:63:07:13:88:77:60:12
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
-        Validity
-            Not Before: Jan  1 00:00:00 2011 GMT
-            Not After : Dec 31 23:59:59 2030 GMT
-        Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:d0:40:8b:8b:72:e3:91:1b:f7:51:c1:1b:54:04:
-                    98:d3:a9:bf:c1:e6:8a:5d:3b:87:fb:bb:88:ce:0d:
-                    e3:2f:3f:06:96:f0:a2:29:50:99:ae:db:3b:a1:57:
-                    b0:74:51:71:cd:ed:42:91:4d:41:fe:a9:c8:d8:6a:
-                    86:77:44:bb:59:66:97:50:5e:b4:d4:2c:70:44:cf:
-                    da:37:95:42:69:3c:30:c4:71:b3:52:f0:21:4d:a1:
-                    d8:ba:39:7c:1c:9e:a3:24:9d:f2:83:16:98:aa:16:
-                    7c:43:9b:15:5b:b7:ae:34:91:fe:d4:62:26:18:46:
-                    9a:3f:eb:c1:f9:f1:90:57:eb:ac:7a:0d:8b:db:72:
-                    30:6a:66:d5:e0:46:a3:70:dc:68:d9:ff:04:48:89:
-                    77:de:b5:e9:fb:67:6d:41:e9:bc:39:bd:32:d9:62:
-                    02:f1:b1:a8:3d:6e:37:9c:e2:2f:e2:d3:a2:26:8b:
-                    c6:b8:55:43:88:e1:23:3e:a5:d2:24:39:6a:47:ab:
-                    00:d4:a1:b3:a9:25:fe:0d:3f:a7:1d:ba:d3:51:c1:
-                    0b:a4:da:ac:38:ef:55:50:24:05:65:46:93:34:4f:
-                    2d:8d:ad:c6:d4:21:19:d2:8e:ca:05:61:71:07:73:
-                    47:e5:8a:19:12:bd:04:4d:ce:4e:9c:a5:48:ac:bb:
-                    26:f7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                0B:58:E5:8B:C6:4C:15:37:A4:40:A9:30:A9:21:BE:47:36:5A:56:FF
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         2f:c9:c4:1c:07:3b:cf:61:02:00:b1:d9:21:51:75:72:03:30:
-         b0:c4:16:1f:6c:00:8b:10:ac:af:f1:47:d4:ae:10:3c:0c:1a:
-         f8:d4:93:6c:ac:10:37:7c:b7:a6:83:64:ad:cd:df:0e:87:33:
-         9d:37:b0:c6:7b:38:72:b1:f3:1a:0e:a3:f9:55:7a:6d:03:66:
-         03:17:95:4a:f1:b1:7a:df:56:21:06:42:8f:b1:d3:a8:85:de:
-         ee:97:1d:62:eb:a7:e7:31:12:66:c3:0f:a6:4b:2e:41:82:f7:
-         fd:c9:1b:a8:1b:af:ee:3c:ce:e3:9c:ae:28:07:a1:2c:9b:24:
-         c2:0f:23:26:83:32:8b:86:0f:1f:2b:12:46:25:16:8f:76:90:
-         03:6b:de:bc:aa:22:68:6b:8c:a1:ac:2b:11:39:a6:db:70:c2:
-         7d:72:e9:33:e7:fc:26:f1:74:5a:91:e6:9d:84:ac:f8:a8:06:
-         19:46:e6:a7:e9:aa:34:22:a4:a1:9f:7a:ad:b7:b2:a4:9a:33:
-         88:71:02:3c:2e:d6:7a:b2:1f:a2:ca:c0:dd:2f:10:94:fd:b3:
-         8c:84:20:79:46:d5:05:d4:10:e4:d2:db:64:4f:b8:5b:ee:1b:
-         c5:20:47:5b:94:ab:6e:d4:95:33:1d:a6:15:71:f1:f8:94:ca:
-         54:39:3e:c1
------BEGIN CERTIFICATE-----
-MIID0DCCArigAwIBAgIQIKTEf93f4cdTYwcTiHdgEjANBgkqhkiG9w0BAQUFADCB
-gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
-A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
-BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTAxMDEwMDAw
-MDBaFw0zMDEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
-YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P
-RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3
-UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI
-2GqGd0S7WWaXUF601CxwRM/aN5VCaTwwxHGzUvAhTaHYujl8HJ6jJJ3ygxaYqhZ8
-Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp
-+2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+
-DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O
-nKVIrLsm9wIDAQABo0IwQDAdBgNVHQ4EFgQUC1jli8ZMFTekQKkwqSG+RzZaVv8w
-DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
-ggEBAC/JxBwHO89hAgCx2SFRdXIDMLDEFh9sAIsQrK/xR9SuEDwMGvjUk2ysEDd8
-t6aDZK3N3w6HM503sMZ7OHKx8xoOo/lVem0DZgMXlUrxsXrfViEGQo+x06iF3u6X
-HWLrp+cxEmbDD6ZLLkGC9/3JG6gbr+48zuOcrigHoSybJMIPIyaDMouGDx8rEkYl
-Fo92kANr3ryqImhrjKGsKxE5pttwwn1y6TPn/CbxdFqR5p2ErPioBhlG5qfpqjQi
-pKGfeq23sqSaM4hxAjwu1nqyH6LKwN0vEJT9s4yEIHlG1QXUEOTS22RPuFvuG8Ug
-R1uUq27UlTMdphVx8fiUylQ5PsE=
------END CERTIFICATE-----
-
-# 1793927a0614549789adce2f8f34f7f0b66d0f3ae3a3b84d21ec15dbba4fadc7
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            1f:47:af:aa:62:00:70:50:54:4c:01:9e:9b:63:99:2a
-    Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority
-        Validity
-            Not Before: Mar  6 00:00:00 2008 GMT
-            Not After : Jan 18 23:59:59 2038 GMT
-        Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub: 
-                    04:03:47:7b:2f:75:c9:82:15:85:fb:75:e4:91:16:
-                    d4:ab:62:99:f5:3e:52:0b:06:ce:41:00:7f:97:e1:
-                    0a:24:3c:1d:01:04:ee:3d:d2:8d:09:97:0c:e0:75:
-                    e4:fa:fb:77:8a:2a:f5:03:60:4b:36:8b:16:23:16:
-                    ad:09:71:f4:4a:f4:28:50:b4:fe:88:1c:6e:3f:6c:
-                    2f:2f:09:59:5b:a5:5b:0b:33:99:e2:c3:3d:89:f9:
-                    6a:2c:ef:b2:d3:06:e9
-                ASN1 OID: secp384r1
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                75:71:A7:19:48:19:BC:9D:9D:EA:41:47:DF:94:C4:48:77:99:D3:79
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:31:00:ef:03:5b:7a:ac:b7:78:0a:72:b7:88:df:ff:
-         b5:46:14:09:0a:fa:a0:e6:7d:08:c6:1a:87:bd:18:a8:73:bd:
-         26:ca:60:0c:9d:ce:99:9f:cf:5c:0f:30:e1:be:14:31:ea:02:
-         30:14:f4:93:3c:49:a7:33:7a:90:46:47:b3:63:7d:13:9b:4e:
-         b7:6f:18:37:80:53:fe:dd:20:e0:35:9a:36:d1:c7:01:b9:e6:
-         dc:dd:f3:ff:1d:2c:3a:16:57:d9:92:39:d6
------BEGIN CERTIFICATE-----
-MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMT
-IkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwMzA2MDAw
-MDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdy
-ZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09N
-T0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlv
-biBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSR
-FtSrYpn1PlILBs5BAH+X4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0J
-cfRK9ChQtP6IHG4/bC8vCVlbpVsLM5niwz2J+Wos77LTBumjQjBAMB0GA1UdDgQW
-BBR1cacZSBm8nZ3qQUfflMRId5nTeTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
-BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA7wNbeqy3eApyt4jf/7VGFAkK+qDm
-fQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8SaczepBGR7NjfRObTrdv
-GDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdY=
------END CERTIFICATE-----
-
-# 52f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
-    Signature Algorithm: sha384WithRSAEncryption
-        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
-        Validity
-            Not Before: Jan 19 00:00:00 2010 GMT
-            Not After : Jan 18 23:59:59 2038 GMT
-        Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:91:e8:54:92:d2:0a:56:b1:ac:0d:24:dd:c5:cf:
-                    44:67:74:99:2b:37:a3:7d:23:70:00:71:bc:53:df:
-                    c4:fa:2a:12:8f:4b:7f:10:56:bd:9f:70:72:b7:61:
-                    7f:c9:4b:0f:17:a7:3d:e3:b0:04:61:ee:ff:11:97:
-                    c7:f4:86:3e:0a:fa:3e:5c:f9:93:e6:34:7a:d9:14:
-                    6b:e7:9c:b3:85:a0:82:7a:76:af:71:90:d7:ec:fd:
-                    0d:fa:9c:6c:fa:df:b0:82:f4:14:7e:f9:be:c4:a6:
-                    2f:4f:7f:99:7f:b5:fc:67:43:72:bd:0c:00:d6:89:
-                    eb:6b:2c:d3:ed:8f:98:1c:14:ab:7e:e5:e3:6e:fc:
-                    d8:a8:e4:92:24:da:43:6b:62:b8:55:fd:ea:c1:bc:
-                    6c:b6:8b:f3:0e:8d:9a:e4:9b:6c:69:99:f8:78:48:
-                    30:45:d5:ad:e1:0d:3c:45:60:fc:32:96:51:27:bc:
-                    67:c3:ca:2e:b6:6b:ea:46:c7:c7:20:a0:b1:1f:65:
-                    de:48:08:ba:a4:4e:a9:f2:83:46:37:84:eb:e8:cc:
-                    81:48:43:67:4e:72:2a:9b:5c:bd:4c:1b:28:8a:5c:
-                    22:7b:b4:ab:98:d9:ee:e0:51:83:c3:09:46:4e:6d:
-                    3e:99:fa:95:17:da:7c:33:57:41:3c:8d:51:ed:0b:
-                    b6:5c:af:2c:63:1a:df:57:c8:3f:bc:e9:5d:c4:9b:
-                    af:45:99:e2:a3:5a:24:b4:ba:a9:56:3d:cf:6f:aa:
-                    ff:49:58:be:f0:a8:ff:f4:b8:ad:e9:37:fb:ba:b8:
-                    f4:0b:3a:f9:e8:43:42:1e:89:d8:84:cb:13:f1:d9:
-                    bb:e1:89:60:b8:8c:28:56:ac:14:1d:9c:0a:e7:71:
-                    eb:cf:0e:dd:3d:a9:96:a1:48:bd:3c:f7:af:b5:0d:
-                    22:4c:c0:11:81:ec:56:3b:f6:d3:a2:e2:5b:b7:b2:
-                    04:22:52:95:80:93:69:e8:8e:4c:65:f1:91:03:2d:
-                    70:74:02:ea:8b:67:15:29:69:52:02:bb:d7:df:50:
-                    6a:55:46:bf:a0:a3:28:61:7f:70:d0:c3:a2:aa:2c:
-                    21:aa:47:ce:28:9c:06:45:76:bf:82:18:27:b4:d5:
-                    ae:b4:cb:50:e6:6b:f4:4c:86:71:30:e9:a6:df:16:
-                    86:e0:d8:ff:40:dd:fb:d0:42:88:7f:a3:33:3a:2e:
-                    5c:1e:41:11:81:63:ce:18:71:6b:2b:ec:a6:8a:b7:
-                    31:5c:3a:6a:47:e0:c3:79:59:d6:20:1a:af:f2:6a:
-                    98:aa:72:bc:57:4a:d2:4b:9d:bb:10:fc:b0:4c:41:
-                    e5:ed:1d:3d:5e:28:9d:9c:cc:bf:b3:51:da:a7:47:
-                    e5:84:53
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha384WithRSAEncryption
-         0a:f1:d5:46:84:b7:ae:51:bb:6c:b2:4d:41:14:00:93:4c:9c:
-         cb:e5:c0:54:cf:a0:25:8e:02:f9:fd:b0:a2:0d:f5:20:98:3c:
-         13:2d:ac:56:a2:b0:d6:7e:11:92:e9:2e:ba:9e:2e:9a:72:b1:
-         bd:19:44:6c:61:35:a2:9a:b4:16:12:69:5a:8c:e1:d7:3e:a4:
-         1a:e8:2f:03:f4:ae:61:1d:10:1b:2a:a4:8b:7a:c5:fe:05:a6:
-         e1:c0:d6:c8:fe:9e:ae:8f:2b:ba:3d:99:f8:d8:73:09:58:46:
-         6e:a6:9c:f4:d7:27:d3:95:da:37:83:72:1c:d3:73:e0:a2:47:
-         99:03:38:5d:d5:49:79:00:29:1c:c7:ec:9b:20:1c:07:24:69:
-         57:78:b2:39:fc:3a:84:a0:b5:9c:7c:8d:bf:2e:93:62:27:b7:
-         39:da:17:18:ae:bd:3c:09:68:ff:84:9b:3c:d5:d6:0b:03:e3:
-         57:9e:14:f7:d1:eb:4f:c8:bd:87:23:b7:b6:49:43:79:85:5c:
-         ba:eb:92:0b:a1:c6:e8:68:a8:4c:16:b1:1a:99:0a:e8:53:2c:
-         92:bb:a1:09:18:75:0c:65:a8:7b:cb:23:b7:1a:c2:28:85:c3:
-         1b:ff:d0:2b:62:ef:a4:7b:09:91:98:67:8c:14:01:cd:68:06:
-         6a:63:21:75:03:80:88:8a:6e:81:c6:85:f2:a9:a4:2d:e7:f4:
-         a5:24:10:47:83:ca:cd:f4:8d:79:58:b1:06:9b:e7:1a:2a:d9:
-         9d:01:d7:94:7d:ed:03:4a:ca:f0:db:e8:a9:01:3e:f5:56:99:
-         c9:1e:8e:49:3d:bb:e5:09:b9:e0:4f:49:92:3d:16:82:40:cc:
-         cc:59:c6:e6:3a:ed:12:2e:69:3c:6c:95:b1:fd:aa:1d:7b:7f:
-         86:be:1e:0e:32:46:fb:fb:13:8f:75:7f:4c:8b:4b:46:63:fe:
-         00:34:40:70:c1:c3:b9:a1:dd:a6:70:e2:04:b3:41:bc:e9:80:
-         91:ea:64:9c:7a:e1:22:03:a9:9c:6e:6f:0e:65:4f:6c:87:87:
-         5e:f3:6e:a0:f9:75:a5:9b:40:e8:53:b2:27:9d:4a:b9:c0:77:
-         21:8d:ff:87:f2:de:bc:8c:ef:17:df:b7:49:0b:d1:f2:6e:30:
-         0b:1a:0e:4e:76:ed:11:fc:f5:e9:56:b2:7d:bf:c7:6d:0a:93:
-         8c:a5:d0:c0:b6:1d:be:3a:4e:94:a2:d7:6e:6c:0b:c2:8a:7c:
-         fa:20:f3:c4:e4:e5:cd:0d:a8:cb:91:92:b1:7c:85:ec:b5:14:
-         69:66:0e:82:e7:cd:ce:c8:2d:a6:51:7f:21:c1:35:53:85:06:
-         4a:5d:9f:ad:bb:1b:5f:74
------BEGIN CERTIFICATE-----
-MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB
-hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
-A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
-BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5
-MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
-EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
-Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh
-dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR
-6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X
-pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC
-9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV
-/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf
-Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z
-+pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w
-qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah
-SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC
-u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf
-Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq
-crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E
-FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
-/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl
-wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM
-4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV
-2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna
-FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ
-CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK
-boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke
-jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL
-S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb
-QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl
-0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB
-NVOFBkpdn627G190
------END CERTIFICATE-----
-
-# 3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
-        Validity
-            Not Before: Nov 10 00:00:00 2006 GMT
-            Not After : Nov 10 00:00:00 2031 GMT
-        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:ad:0e:15:ce:e4:43:80:5c:b1:87:f3:b7:60:f9:
-                    71:12:a5:ae:dc:26:94:88:aa:f4:ce:f5:20:39:28:
-                    58:60:0c:f8:80:da:a9:15:95:32:61:3c:b5:b1:28:
-                    84:8a:8a:dc:9f:0a:0c:83:17:7a:8f:90:ac:8a:e7:
-                    79:53:5c:31:84:2a:f6:0f:98:32:36:76:cc:de:dd:
-                    3c:a8:a2:ef:6a:fb:21:f2:52:61:df:9f:20:d7:1f:
-                    e2:b1:d9:fe:18:64:d2:12:5b:5f:f9:58:18:35:bc:
-                    47:cd:a1:36:f9:6b:7f:d4:b0:38:3e:c1:1b:c3:8c:
-                    33:d9:d8:2f:18:fe:28:0f:b3:a7:83:d6:c3:6e:44:
-                    c0:61:35:96:16:fe:59:9c:8b:76:6d:d7:f1:a2:4b:
-                    0d:2b:ff:0b:72:da:9e:60:d0:8e:90:35:c6:78:55:
-                    87:20:a1:cf:e5:6d:0a:c8:49:7c:31:98:33:6c:22:
-                    e9:87:d0:32:5a:a2:ba:13:82:11:ed:39:17:9d:99:
-                    3a:72:a1:e6:fa:a4:d9:d5:17:31:75:ae:85:7d:22:
-                    ae:3f:01:46:86:f6:28:79:c8:b1:da:e4:57:17:c4:
-                    7e:1c:0e:b0:b4:92:a6:56:b3:bd:b2:97:ed:aa:a7:
-                    f0:b7:c5:a8:3f:95:16:d0:ff:a1:96:eb:08:5f:18:
-                    77:4f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F
-            X509v3 Authority Key Identifier: 
-                keyid:45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F
-
-    Signature Algorithm: sha1WithRSAEncryption
-         a2:0e:bc:df:e2:ed:f0:e3:72:73:7a:64:94:bf:f7:72:66:d8:
-         32:e4:42:75:62:ae:87:eb:f2:d5:d9:de:56:b3:9f:cc:ce:14:
-         28:b9:0d:97:60:5c:12:4c:58:e4:d3:3d:83:49:45:58:97:35:
-         69:1a:a8:47:ea:56:c6:79:ab:12:d8:67:81:84:df:7f:09:3c:
-         94:e6:b8:26:2c:20:bd:3d:b3:28:89:f7:5f:ff:22:e2:97:84:
-         1f:e9:65:ef:87:e0:df:c1:67:49:b3:5d:eb:b2:09:2a:eb:26:
-         ed:78:be:7d:3f:2b:f3:b7:26:35:6d:5f:89:01:b6:49:5b:9f:
-         01:05:9b:ab:3d:25:c1:cc:b6:7f:c2:f1:6f:86:c6:fa:64:68:
-         eb:81:2d:94:eb:42:b7:fa:8c:1e:dd:62:f1:be:50:67:b7:6c:
-         bd:f3:f1:1f:6b:0c:36:07:16:7f:37:7c:a9:5b:6d:7a:f1:12:
-         46:60:83:d7:27:04:be:4b:ce:97:be:c3:67:2a:68:11:df:80:
-         e7:0c:33:66:bf:13:0d:14:6e:f3:7f:1f:63:10:1e:fa:8d:1b:
-         25:6d:6c:8f:a5:b7:61:01:b1:d2:a3:26:a1:10:71:9d:ad:e2:
-         c3:f9:c3:99:51:b7:2b:07:08:ce:2e:e6:50:b2:a7:fa:0a:45:
-         2f:a2:f0:f2
------BEGIN CERTIFICATE-----
-MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
-b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
-EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
-cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
-JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
-mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
-wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
-VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
-AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
-AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
-BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
-pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
-dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
-fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
-NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
-H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
-+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
------END CERTIFICATE-----
-
-# 7d05ebb682339f8c9451ee094eebfefa7953a114edb2f44949452fab7d2fc185
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root G2
-        Validity
-            Not Before: Aug  1 12:00:00 2013 GMT
-            Not After : Jan 15 12:00:00 2038 GMT
-        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:d9:e7:28:2f:52:3f:36:72:49:88:93:34:f3:f8:
-                    6a:1e:31:54:80:9f:ad:54:41:b5:47:df:96:a8:d4:
-                    af:80:2d:b9:0a:cf:75:fd:89:a5:7d:24:fa:e3:22:
-                    0c:2b:bc:95:17:0b:33:bf:19:4d:41:06:90:00:bd:
-                    0c:4d:10:fe:07:b5:e7:1c:6e:22:55:31:65:97:bd:
-                    d3:17:d2:1e:62:f3:db:ea:6c:50:8c:3f:84:0c:96:
-                    cf:b7:cb:03:e0:ca:6d:a1:14:4c:1b:89:dd:ed:00:
-                    b0:52:7c:af:91:6c:b1:38:13:d1:e9:12:08:c0:00:
-                    b0:1c:2b:11:da:77:70:36:9b:ae:ce:79:87:dc:82:
-                    70:e6:09:74:70:55:69:af:a3:68:9f:bf:dd:b6:79:
-                    b3:f2:9d:70:29:55:f4:ab:ff:95:61:f3:c9:40:6f:
-                    1d:d1:be:93:bb:d3:88:2a:bb:9d:bf:72:5a:56:71:
-                    3b:3f:d4:f3:d1:0a:fe:28:ef:a3:ee:d9:99:af:03:
-                    d3:8f:60:b7:f2:92:a1:b1:bd:89:89:1f:30:cd:c3:
-                    a6:2e:62:33:ae:16:02:77:44:5a:e7:81:0a:3c:a7:
-                    44:2e:79:b8:3f:04:bc:5c:a0:87:e1:1b:af:51:8e:
-                    cd:ec:2c:fa:f8:fe:6d:f0:3a:7c:aa:8b:e4:67:95:
-                    31:8d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                CE:C3:4A:B9:99:55:F2:B8:DB:60:BF:A9:7E:BD:56:B5:97:36:A7:D6
-    Signature Algorithm: sha256WithRSAEncryption
-         ca:a5:55:8c:e3:c8:41:6e:69:27:a7:75:11:ef:3c:86:36:6f:
-         d2:9d:c6:78:38:1d:69:96:a2:92:69:2e:38:6c:9b:7d:04:d4:
-         89:a5:b1:31:37:8a:c9:21:cc:ab:6c:cd:8b:1c:9a:d6:bf:48:
-         d2:32:66:c1:8a:c0:f3:2f:3a:ef:c0:e3:d4:91:86:d1:50:e3:
-         03:db:73:77:6f:4a:39:53:ed:de:26:c7:b5:7d:af:2b:42:d1:
-         75:62:e3:4a:2b:02:c7:50:4b:e0:69:e2:96:6c:0e:44:66:10:
-         44:8f:ad:05:eb:f8:79:ac:a6:1b:e8:37:34:9d:53:c9:61:aa:
-         a2:52:af:4a:70:16:86:c2:3a:c8:b1:13:70:36:d8:cf:ee:f4:
-         0a:34:d5:5b:4c:fd:07:9c:a2:ba:d9:01:72:5c:f3:4d:c1:dd:
-         0e:b1:1c:0d:c4:63:be:ad:f4:14:fb:89:ec:a2:41:0e:4c:cc:
-         c8:57:40:d0:6e:03:aa:cd:0c:8e:89:99:99:6c:f0:3c:30:af:
-         38:df:6f:bc:a3:be:29:20:27:ab:74:ff:13:22:78:de:97:52:
-         55:1e:83:b5:54:20:03:ee:ae:c0:4f:56:de:37:cc:c3:7f:aa:
-         04:27:bb:d3:77:b8:62:db:17:7c:9c:28:22:13:73:6c:cf:26:
-         f5:8a:29:e7
------BEGIN CERTIFICATE-----
-MIIDljCCAn6gAwIBAgIQC5McOtY5Z+pnI7/Dr5r0SzANBgkqhkiG9w0BAQsFADBl
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
-b3QgRzIwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBlMQswCQYDVQQG
-EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
-cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzIwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ5ygvUj82ckmIkzTz+GoeMVSA
-n61UQbVH35ao1K+ALbkKz3X9iaV9JPrjIgwrvJUXCzO/GU1BBpAAvQxNEP4Htecc
-biJVMWWXvdMX0h5i89vqbFCMP4QMls+3ywPgym2hFEwbid3tALBSfK+RbLE4E9Hp
-EgjAALAcKxHad3A2m67OeYfcgnDmCXRwVWmvo2ifv922ebPynXApVfSr/5Vh88lA
-bx3RvpO704gqu52/clpWcTs/1PPRCv4o76Pu2ZmvA9OPYLfykqGxvYmJHzDNw6Yu
-YjOuFgJ3RFrngQo8p0Quebg/BLxcoIfhG69Rjs3sLPr4/m3wOnyqi+RnlTGNAgMB
-AAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQW
-BBTOw0q5mVXyuNtgv6l+vVa1lzan1jANBgkqhkiG9w0BAQsFAAOCAQEAyqVVjOPI
-QW5pJ6d1Ee88hjZv0p3GeDgdaZaikmkuOGybfQTUiaWxMTeKySHMq2zNixya1r9I
-0jJmwYrA8y8678Dj1JGG0VDjA9tzd29KOVPt3ibHtX2vK0LRdWLjSisCx1BL4Gni
-lmwORGYQRI+tBev4eaymG+g3NJ1TyWGqolKvSnAWhsI6yLETcDbYz+70CjTVW0z9
-B5yiutkBclzzTcHdDrEcDcRjvq30FPuJ7KJBDkzMyFdA0G4Dqs0MjomZmWzwPDCv
-ON9vvKO+KSAnq3T/EyJ43pdSVR6DtVQgA+6uwE9W3jfMw3+qBCe703e4YtsXfJwo
-IhNzbM8m9Yop5w==
------END CERTIFICATE-----
-
-# 7e37cb8b4c47090cab36551ba6f45db840680fba166a952db100717f43053fc2
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root G3
-        Validity
-            Not Before: Aug  1 12:00:00 2013 GMT
-            Not After : Jan 15 12:00:00 2038 GMT
-        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root G3
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:19:e7:bc:ac:44:65:ed:cd:b8:3f:58:fb:8d:b1:
-                    57:a9:44:2d:05:15:f2:ef:0b:ff:10:74:9f:b5:62:
-                    52:5f:66:7e:1f:e5:dc:1b:45:79:0b:cc:c6:53:0a:
-                    9d:8d:5d:02:d9:a9:59:de:02:5a:f6:95:2a:0e:8d:
-                    38:4a:8a:49:c6:bc:c6:03:38:07:5f:55:da:7e:09:
-                    6e:e2:7f:5e:d0:45:20:0f:59:76:10:d6:a0:24:f0:
-                    2d:de:36:f2:6c:29:39
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                CB:D0:BD:A9:E1:98:05:51:A1:4D:37:A2:83:79:CE:8D:1D:2A:E4:84
-    Signature Algorithm: ecdsa-with-SHA384
-         30:64:02:30:25:a4:81:45:02:6b:12:4b:75:74:4f:c8:23:e3:
-         70:f2:75:72:de:7c:89:f0:cf:91:72:61:9e:5e:10:92:59:56:
-         b9:83:c7:10:e7:38:e9:58:26:36:7d:d5:e4:34:86:39:02:30:
-         7c:36:53:f0:30:e5:62:63:3a:99:e2:b6:a3:3b:9b:34:fa:1e:
-         da:10:92:71:5e:91:13:a7:dd:a4:6e:92:cc:32:d6:f5:21:66:
-         c7:2f:ea:96:63:6a:65:45:92:95:01:b4
------BEGIN CERTIFICATE-----
-MIICRjCCAc2gAwIBAgIQC6Fa+h3foLVJRK/NJKBs7DAKBggqhkjOPQQDAzBlMQsw
-CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
-ZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3Qg
-RzMwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBlMQswCQYDVQQGEwJV
-UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
-Y29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgRzMwdjAQBgcq
-hkjOPQIBBgUrgQQAIgNiAAQZ57ysRGXtzbg/WPuNsVepRC0FFfLvC/8QdJ+1YlJf
-Zn4f5dwbRXkLzMZTCp2NXQLZqVneAlr2lSoOjThKiknGvMYDOAdfVdp+CW7if17Q
-RSAPWXYQ1qAk8C3eNvJsKTmjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
-BAQDAgGGMB0GA1UdDgQWBBTL0L2p4ZgFUaFNN6KDec6NHSrkhDAKBggqhkjOPQQD
-AwNnADBkAjAlpIFFAmsSS3V0T8gj43DydXLefInwz5FyYZ5eEJJZVrmDxxDnOOlY
-JjZ91eQ0hjkCMHw2U/Aw5WJjOpnitqM7mzT6HtoQknFekROn3aRukswy1vUhZscv
-6pZjamVFkpUBtA==
------END CERTIFICATE-----
-
-# 4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
-        Validity
-            Not Before: Nov 10 00:00:00 2006 GMT
-            Not After : Nov 10 00:00:00 2031 GMT
-        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:e2:3b:e1:11:72:de:a8:a4:d3:a3:57:aa:50:a2:
-                    8f:0b:77:90:c9:a2:a5:ee:12:ce:96:5b:01:09:20:
-                    cc:01:93:a7:4e:30:b7:53:f7:43:c4:69:00:57:9d:
-                    e2:8d:22:dd:87:06:40:00:81:09:ce:ce:1b:83:bf:
-                    df:cd:3b:71:46:e2:d6:66:c7:05:b3:76:27:16:8f:
-                    7b:9e:1e:95:7d:ee:b7:48:a3:08:da:d6:af:7a:0c:
-                    39:06:65:7f:4a:5d:1f:bc:17:f8:ab:be:ee:28:d7:
-                    74:7f:7a:78:99:59:85:68:6e:5c:23:32:4b:bf:4e:
-                    c0:e8:5a:6d:e3:70:bf:77:10:bf:fc:01:f6:85:d9:
-                    a8:44:10:58:32:a9:75:18:d5:d1:a2:be:47:e2:27:
-                    6a:f4:9a:33:f8:49:08:60:8b:d4:5f:b4:3a:84:bf:
-                    a1:aa:4a:4c:7d:3e:cf:4f:5f:6c:76:5e:a0:4b:37:
-                    91:9e:dc:22:e6:6d:ce:14:1a:8e:6a:cb:fe:cd:b3:
-                    14:64:17:c7:5b:29:9e:32:bf:f2:ee:fa:d3:0b:42:
-                    d4:ab:b7:41:32:da:0c:d4:ef:f8:81:d5:bb:8d:58:
-                    3f:b5:1b:e8:49:28:a2:70:da:31:04:dd:f7:b2:16:
-                    f2:4c:0a:4e:07:a8:ed:4a:3d:5e:b5:7f:a3:90:c3:
-                    af:27
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
-            X509v3 Authority Key Identifier: 
-                keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
-
-    Signature Algorithm: sha1WithRSAEncryption
-         cb:9c:37:aa:48:13:12:0a:fa:dd:44:9c:4f:52:b0:f4:df:ae:
-         04:f5:79:79:08:a3:24:18:fc:4b:2b:84:c0:2d:b9:d5:c7:fe:
-         f4:c1:1f:58:cb:b8:6d:9c:7a:74:e7:98:29:ab:11:b5:e3:70:
-         a0:a1:cd:4c:88:99:93:8c:91:70:e2:ab:0f:1c:be:93:a9:ff:
-         63:d5:e4:07:60:d3:a3:bf:9d:5b:09:f1:d5:8e:e3:53:f4:8e:
-         63:fa:3f:a7:db:b4:66:df:62:66:d6:d1:6e:41:8d:f2:2d:b5:
-         ea:77:4a:9f:9d:58:e2:2b:59:c0:40:23:ed:2d:28:82:45:3e:
-         79:54:92:26:98:e0:80:48:a8:37:ef:f0:d6:79:60:16:de:ac:
-         e8:0e:cd:6e:ac:44:17:38:2f:49:da:e1:45:3e:2a:b9:36:53:
-         cf:3a:50:06:f7:2e:e8:c4:57:49:6c:61:21:18:d5:04:ad:78:
-         3c:2c:3a:80:6b:a7:eb:af:15:14:e9:d8:89:c1:b9:38:6c:e2:
-         91:6c:8a:ff:64:b9:77:25:57:30:c0:1b:24:a3:e1:dc:e9:df:
-         47:7c:b5:b4:24:08:05:30:ec:2d:bd:0b:bf:45:bf:50:b9:a9:
-         f3:eb:98:01:12:ad:c8:88:c6:98:34:5f:8d:0a:3c:c6:e9:d5:
-         95:95:6d:de
------BEGIN CERTIFICATE-----
-MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
-CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
-nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
-43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
-T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
-gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
-BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
-TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
-DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
-hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
-06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
-PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
-YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
-CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
------END CERTIFICATE-----
-
-# cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
-        Validity
-            Not Before: Aug  1 12:00:00 2013 GMT
-            Not After : Jan 15 12:00:00 2038 GMT
-        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:bb:37:cd:34:dc:7b:6b:c9:b2:68:90:ad:4a:75:
-                    ff:46:ba:21:0a:08:8d:f5:19:54:c9:fb:88:db:f3:
-                    ae:f2:3a:89:91:3c:7a:e6:ab:06:1a:6b:cf:ac:2d:
-                    e8:5e:09:24:44:ba:62:9a:7e:d6:a3:a8:7e:e0:54:
-                    75:20:05:ac:50:b7:9c:63:1a:6c:30:dc:da:1f:19:
-                    b1:d7:1e:de:fd:d7:e0:cb:94:83:37:ae:ec:1f:43:
-                    4e:dd:7b:2c:d2:bd:2e:a5:2f:e4:a9:b8:ad:3a:d4:
-                    99:a4:b6:25:e9:9b:6b:00:60:92:60:ff:4f:21:49:
-                    18:f7:67:90:ab:61:06:9c:8f:f2:ba:e9:b4:e9:92:
-                    32:6b:b5:f3:57:e8:5d:1b:cd:8c:1d:ab:95:04:95:
-                    49:f3:35:2d:96:e3:49:6d:dd:77:e3:fb:49:4b:b4:
-                    ac:55:07:a9:8f:95:b3:b4:23:bb:4c:6d:45:f0:f6:
-                    a9:b2:95:30:b4:fd:4c:55:8c:27:4a:57:14:7c:82:
-                    9d:cd:73:92:d3:16:4a:06:0c:8c:50:d1:8f:1e:09:
-                    be:17:a1:e6:21:ca:fd:83:e5:10:bc:83:a5:0a:c4:
-                    67:28:f6:73:14:14:3d:46:76:c3:87:14:89:21:34:
-                    4d:af:0f:45:0c:a6:49:a1:ba:bb:9c:c5:b1:33:83:
-                    29:85
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                4E:22:54:20:18:95:E6:E3:6E:E6:0F:FA:FA:B9:12:ED:06:17:8F:39
-    Signature Algorithm: sha256WithRSAEncryption
-         60:67:28:94:6f:0e:48:63:eb:31:dd:ea:67:18:d5:89:7d:3c:
-         c5:8b:4a:7f:e9:be:db:2b:17:df:b0:5f:73:77:2a:32:13:39:
-         81:67:42:84:23:f2:45:67:35:ec:88:bf:f8:8f:b0:61:0c:34:
-         a4:ae:20:4c:84:c6:db:f8:35:e1:76:d9:df:a6:42:bb:c7:44:
-         08:86:7f:36:74:24:5a:da:6c:0d:14:59:35:bd:f2:49:dd:b6:
-         1f:c9:b3:0d:47:2a:3d:99:2f:bb:5c:bb:b5:d4:20:e1:99:5f:
-         53:46:15:db:68:9b:f0:f3:30:d5:3e:31:e2:8d:84:9e:e3:8a:
-         da:da:96:3e:35:13:a5:5f:f0:f9:70:50:70:47:41:11:57:19:
-         4e:c0:8f:ae:06:c4:95:13:17:2f:1b:25:9f:75:f2:b1:8e:99:
-         a1:6f:13:b1:41:71:fe:88:2a:c8:4f:10:20:55:d7:f3:14:45:
-         e5:e0:44:f4:ea:87:95:32:93:0e:fe:53:46:fa:2c:9d:ff:8b:
-         22:b9:4b:d9:09:45:a4:de:a4:b8:9a:58:dd:1b:7d:52:9f:8e:
-         59:43:88:81:a4:9e:26:d5:6f:ad:dd:0d:c6:37:7d:ed:03:92:
-         1b:e5:77:5f:76:ee:3c:8d:c4:5d:56:5b:a2:d9:66:6e:b3:35:
-         37:e5:32:b6
------BEGIN CERTIFICATE-----
-MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
-MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
-b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
-2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
-1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
-q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
-tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
-vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
-BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
-5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
-1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
-NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
-Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
-8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
-pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
-MrY=
------END CERTIFICATE-----
-
-# 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72
-    Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
-        Validity
-            Not Before: Aug  1 12:00:00 2013 GMT
-            Not After : Jan 15 12:00:00 2038 GMT
-        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub: 
-                    04:dd:a7:d9:bb:8a:b8:0b:fb:0b:7f:21:d2:f0:be:
-                    be:73:f3:33:5d:1a:bc:34:ea:de:c6:9b:bc:d0:95:
-                    f6:f0:cc:d0:0b:ba:61:5b:51:46:7e:9e:2d:9f:ee:
-                    8e:63:0c:17:ec:07:70:f5:cf:84:2e:40:83:9c:e8:
-                    3f:41:6d:3b:ad:d3:a4:14:59:36:78:9d:03:43:ee:
-                    10:13:6c:72:de:ae:88:a7:a1:6b:b5:43:ce:67:dc:
-                    23:ff:03:1c:a3:e2:3e
-                ASN1 OID: secp384r1
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                B3:DB:48:A4:F9:A1:C5:D8:AE:36:41:CC:11:63:69:62:29:BC:4B:C6
-    Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:31:00:ad:bc:f2:6c:3f:12:4a:d1:2d:39:c3:0a:09:
-         97:73:f4:88:36:8c:88:27:bb:e6:88:8d:50:85:a7:63:f9:9e:
-         32:de:66:93:0f:f1:cc:b1:09:8f:dd:6c:ab:fa:6b:7f:a0:02:
-         30:39:66:5b:c2:64:8d:b8:9e:50:dc:a8:d5:49:a2:ed:c7:dc:
-         d1:49:7f:17:01:b8:c8:86:8f:4e:8c:88:2b:a8:9a:a9:8a:c5:
-         d1:00:bd:f8:54:e2:9a:e5:5b:7c:b3:27:17
------BEGIN CERTIFICATE-----
-MIICPzCCAcWgAwIBAgIQBVVWvPJepDU1w6QP1atFcjAKBggqhkjOPQQDAzBhMQsw
-CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu
-ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe
-Fw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVTMRUw
-EwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20x
-IDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEczMHYwEAYHKoZIzj0CAQYF
-K4EEACIDYgAE3afZu4q4C/sLfyHS8L6+c/MzXRq8NOrexpu80JX28MzQC7phW1FG
-fp4tn+6OYwwX7Adw9c+ELkCDnOg/QW07rdOkFFk2eJ0DQ+4QE2xy3q6Ip6FrtUPO
-Z9wj/wMco+I+o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAd
-BgNVHQ4EFgQUs9tIpPmhxdiuNkHMEWNpYim8S8YwCgYIKoZIzj0EAwMDaAAwZQIx
-AK288mw/EkrRLTnDCgmXc/SINoyIJ7vmiI1Qhadj+Z4y3maTD/HMsQmP3Wyr+mt/
-oAIwOWZbwmSNuJ5Q3KjVSaLtx9zRSX8XAbjIho9OjIgrqJqpisXRAL34VOKa5Vt8
-sycX
------END CERTIFICATE-----
-
-# 7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
-        Validity
-            Not Before: Nov 10 00:00:00 2006 GMT
-            Not After : Nov 10 00:00:00 2031 GMT
-        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:c6:cc:e5:73:e6:fb:d4:bb:e5:2d:2d:32:a6:df:
-                    e5:81:3f:c9:cd:25:49:b6:71:2a:c3:d5:94:34:67:
-                    a2:0a:1c:b0:5f:69:a6:40:b1:c4:b7:b2:8f:d0:98:
-                    a4:a9:41:59:3a:d3:dc:94:d6:3c:db:74:38:a4:4a:
-                    cc:4d:25:82:f7:4a:a5:53:12:38:ee:f3:49:6d:71:
-                    91:7e:63:b6:ab:a6:5f:c3:a4:84:f8:4f:62:51:be:
-                    f8:c5:ec:db:38:92:e3:06:e5:08:91:0c:c4:28:41:
-                    55:fb:cb:5a:89:15:7e:71:e8:35:bf:4d:72:09:3d:
-                    be:3a:38:50:5b:77:31:1b:8d:b3:c7:24:45:9a:a7:
-                    ac:6d:00:14:5a:04:b7:ba:13:eb:51:0a:98:41:41:
-                    22:4e:65:61:87:81:41:50:a6:79:5c:89:de:19:4a:
-                    57:d5:2e:e6:5d:1c:53:2c:7e:98:cd:1a:06:16:a4:
-                    68:73:d0:34:04:13:5c:a1:71:d3:5a:7c:55:db:5e:
-                    64:e1:37:87:30:56:04:e5:11:b4:29:80:12:f1:79:
-                    39:88:a2:02:11:7c:27:66:b7:88:b7:78:f2:ca:0a:
-                    a8:38:ab:0a:64:c2:bf:66:5d:95:84:c1:a1:25:1e:
-                    87:5d:1a:50:0b:20:12:cc:41:bb:6e:0b:51:38:b8:
-                    4b:cb
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
-            X509v3 Authority Key Identifier: 
-                keyid:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3
-
-    Signature Algorithm: sha1WithRSAEncryption
-         1c:1a:06:97:dc:d7:9c:9f:3c:88:66:06:08:57:21:db:21:47:
-         f8:2a:67:aa:bf:18:32:76:40:10:57:c1:8a:f3:7a:d9:11:65:
-         8e:35:fa:9e:fc:45:b5:9e:d9:4c:31:4b:b8:91:e8:43:2c:8e:
-         b3:78:ce:db:e3:53:79:71:d6:e5:21:94:01:da:55:87:9a:24:
-         64:f6:8a:66:cc:de:9c:37:cd:a8:34:b1:69:9b:23:c8:9e:78:
-         22:2b:70:43:e3:55:47:31:61:19:ef:58:c5:85:2f:4e:30:f6:
-         a0:31:16:23:c8:e7:e2:65:16:33:cb:bf:1a:1b:a0:3d:f8:ca:
-         5e:8b:31:8b:60:08:89:2d:0c:06:5c:52:b7:c4:f9:0a:98:d1:
-         15:5f:9f:12:be:7c:36:63:38:bd:44:a4:7f:e4:26:2b:0a:c4:
-         97:69:0d:e9:8c:e2:c0:10:57:b8:c8:76:12:91:55:f2:48:69:
-         d8:bc:2a:02:5b:0f:44:d4:20:31:db:f4:ba:70:26:5d:90:60:
-         9e:bc:4b:17:09:2f:b4:cb:1e:43:68:c9:07:27:c1:d2:5c:f7:
-         ea:21:b9:68:12:9c:3c:9c:bf:9e:fc:80:5c:9b:63:cd:ec:47:
-         aa:25:27:67:a0:37:f3:00:82:7d:54:d7:a9:f8:e9:2e:13:a3:
-         77:e8:1f:4a
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
-ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL
-MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
-LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
-RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm
-+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW
-PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM
-xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB
-Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3
-hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg
-EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA
-FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec
-nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z
-eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF
-hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2
-Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe
-vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
-+OkuE6N36B9K
------END CERTIFICATE-----
-
-# 552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
-    Signature Algorithm: sha384WithRSAEncryption
-        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4
-        Validity
-            Not Before: Aug  1 12:00:00 2013 GMT
-            Not After : Jan 15 12:00:00 2038 GMT
-        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:bf:e6:90:73:68:de:bb:e4:5d:4a:3c:30:22:30:
-                    69:33:ec:c2:a7:25:2e:c9:21:3d:f2:8a:d8:59:c2:
-                    e1:29:a7:3d:58:ab:76:9a:cd:ae:7b:1b:84:0d:c4:
-                    30:1f:f3:1b:a4:38:16:eb:56:c6:97:6d:1d:ab:b2:
-                    79:f2:ca:11:d2:e4:5f:d6:05:3c:52:0f:52:1f:c6:
-                    9e:15:a5:7e:be:9f:a9:57:16:59:55:72:af:68:93:
-                    70:c2:b2:ba:75:99:6a:73:32:94:d1:10:44:10:2e:
-                    df:82:f3:07:84:e6:74:3b:6d:71:e2:2d:0c:1b:ee:
-                    20:d5:c9:20:1d:63:29:2d:ce:ec:5e:4e:c8:93:f8:
-                    21:61:9b:34:eb:05:c6:5e:ec:5b:1a:bc:eb:c9:cf:
-                    cd:ac:34:40:5f:b1:7a:66:ee:77:c8:48:a8:66:57:
-                    57:9f:54:58:8e:0c:2b:b7:4f:a7:30:d9:56:ee:ca:
-                    7b:5d:e3:ad:c9:4f:5e:e5:35:e7:31:cb:da:93:5e:
-                    dc:8e:8f:80:da:b6:91:98:40:90:79:c3:78:c7:b6:
-                    b1:c4:b5:6a:18:38:03:10:8d:d8:d4:37:a4:2e:05:
-                    7d:88:f5:82:3e:10:91:70:ab:55:82:41:32:d7:db:
-                    04:73:2a:6e:91:01:7c:21:4c:d4:bc:ae:1b:03:75:
-                    5d:78:66:d9:3a:31:44:9a:33:40:bf:08:d7:5a:49:
-                    a4:c2:e6:a9:a0:67:dd:a4:27:bc:a1:4f:39:b5:11:
-                    58:17:f7:24:5c:46:8f:64:f7:c1:69:88:76:98:76:
-                    3d:59:5d:42:76:87:89:97:69:7a:48:f0:e0:a2:12:
-                    1b:66:9a:74:ca:de:4b:1e:e7:0e:63:ae:e6:d4:ef:
-                    92:92:3a:9e:3d:dc:00:e4:45:25:89:b6:9a:44:19:
-                    2b:7e:c0:94:b4:d2:61:6d:eb:33:d9:c5:df:4b:04:
-                    00:cc:7d:1c:95:c3:8f:f7:21:b2:b2:11:b7:bb:7f:
-                    f2:d5:8c:70:2c:41:60:aa:b1:63:18:44:95:1a:76:
-                    62:7e:f6:80:b0:fb:e8:64:a6:33:d1:89:07:e1:bd:
-                    b7:e6:43:a4:18:b8:a6:77:01:e1:0f:94:0c:21:1d:
-                    b2:54:29:25:89:6c:e5:0e:52:51:47:74:be:26:ac:
-                    b6:41:75:de:7a:ac:5f:8d:3f:c9:bc:d3:41:11:12:
-                    5b:e5:10:50:eb:31:c5:ca:72:16:22:09:df:7c:4c:
-                    75:3f:63:ec:21:5f:c4:20:51:6b:6f:b1:ab:86:8b:
-                    4f:c2:d6:45:5f:9d:20:fc:a1:1e:c5:c0:8f:a2:b1:
-                    7e:0a:26:99:f5:e4:69:2f:98:1d:2d:f5:d9:a9:b2:
-                    1d:e5:1b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                EC:D7:E3:82:D2:71:5D:64:4C:DF:2E:67:3F:E7:BA:98:AE:1C:0F:4F
-    Signature Algorithm: sha384WithRSAEncryption
-         bb:61:d9:7d:a9:6c:be:17:c4:91:1b:c3:a1:a2:00:8d:e3:64:
-         68:0f:56:cf:77:ae:70:f9:fd:9a:4a:99:b9:c9:78:5c:0c:0c:
-         5f:e4:e6:14:29:56:0b:36:49:5d:44:63:e0:ad:9c:96:18:66:
-         1b:23:0d:3d:79:e9:6d:6b:d6:54:f8:d2:3c:c1:43:40:ae:1d:
-         50:f5:52:fc:90:3b:bb:98:99:69:6b:c7:c1:a7:a8:68:a4:27:
-         dc:9d:f9:27:ae:30:85:b9:f6:67:4d:3a:3e:8f:59:39:22:53:
-         44:eb:c8:5d:03:ca:ed:50:7a:7d:62:21:0a:80:c8:73:66:d1:
-         a0:05:60:5f:e8:a5:b4:a7:af:a8:f7:6d:35:9c:7c:5a:8a:d6:
-         a2:38:99:f3:78:8b:f4:4d:d2:20:0b:de:04:ee:8c:9b:47:81:
-         72:0d:c0:14:32:ef:30:59:2e:ae:e0:71:f2:56:e4:6a:97:6f:
-         92:50:6d:96:8d:68:7a:9a:b2:36:14:7a:06:f2:24:b9:09:11:
-         50:d7:08:b1:b8:89:7a:84:23:61:42:29:e5:a3:cd:a2:20:41:
-         d7:d1:9c:64:d9:ea:26:a1:8b:14:d7:4c:19:b2:50:41:71:3d:
-         3f:4d:70:23:86:0c:4a:dc:81:d2:cc:32:94:84:0d:08:09:97:
-         1c:4f:c0:ee:6b:20:74:30:d2:e0:39:34:10:85:21:15:01:08:
-         e8:55:32:de:71:49:d9:28:17:50:4d:e6:be:4d:d1:75:ac:d0:
-         ca:fb:41:b8:43:a5:aa:d3:c3:05:44:4f:2c:36:9b:e2:fa:e2:
-         45:b8:23:53:6c:06:6f:67:55:7f:46:b5:4c:3f:6e:28:5a:79:
-         26:d2:a4:a8:62:97:d2:1e:e2:ed:4a:8b:bc:1b:fd:47:4a:0d:
-         df:67:66:7e:b2:5b:41:d0:3b:e4:f4:3b:f4:04:63:e9:ef:c2:
-         54:00:51:a0:8a:2a:c9:ce:78:cc:d5:ea:87:04:18:b3:ce:af:
-         49:88:af:f3:92:99:b6:b3:e6:61:0f:d2:85:00:e7:50:1a:e4:
-         1b:95:9d:19:a1:b9:9c:b1:9b:b1:00:1e:ef:d0:0f:4f:42:6c:
-         c9:0a:bc:ee:43:fa:3a:71:a5:c8:4d:26:a5:35:fd:89:5d:bc:
-         85:62:1d:32:d2:a0:2b:54:ed:9a:57:c1:db:fa:10:cf:19:b7:
-         8b:4a:1b:8f:01:b6:27:95:53:e8:b6:89:6d:5b:bc:68:d4:23:
-         e8:8b:51:a2:56:f9:f0:a6:80:a0:d6:1e:b3:bc:0f:0f:53:75:
-         29:aa:ea:13:77:e4:de:8c:81:21:ad:07:10:47:11:ad:87:3d:
-         07:d1:75:bc:cf:f3:66:7e
------BEGIN CERTIFICATE-----
-MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
-RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV
-UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
-Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y
-ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If
-xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV
-ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO
-DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ
-jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/
-CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi
-EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM
-fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY
-uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK
-chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t
-9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
-hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD
-ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2
-SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd
-+SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc
-fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa
-sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N
-cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N
-0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie
-4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI
-r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
-/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm
-gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
------END CERTIFICATE-----
-
-# eec5496b988ce98625b934092eec2908bed0b0f316c2d4730c84eaf1f3d34881
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 623604 (0x983f4)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009
-        Validity
-            Not Before: Nov  5 08:50:46 2009 GMT
-            Not After : Nov  5 08:50:46 2029 GMT
-        Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:99:f1:84:34:70:ba:2f:b7:30:a0:8e:bd:7c:04:
-                    cf:be:62:bc:99:fd:82:97:d2:7a:0a:67:96:38:09:
-                    f6:10:4e:95:22:73:99:8d:da:15:2d:e7:05:fc:19:
-                    73:22:b7:8e:98:00:bc:3c:3d:ac:a1:6c:fb:d6:79:
-                    25:4b:ad:f0:cc:64:da:88:3e:29:b8:0f:09:d3:34:
-                    dd:33:f5:62:d1:e1:cd:19:e9:ee:18:4f:4c:58:ae:
-                    e2:1e:d6:0c:5b:15:5a:d8:3a:b8:c4:18:64:1e:e3:
-                    33:b2:b5:89:77:4e:0c:bf:d9:94:6b:13:97:6f:12:
-                    a3:fe:99:a9:04:cc:15:ec:60:68:36:ed:08:7b:b7:
-                    f5:bf:93:ed:66:31:83:8c:c6:71:34:87:4e:17:ea:
-                    af:8b:91:8d:1c:56:41:ae:22:37:5e:37:f2:1d:d9:
-                    d1:2d:0d:2f:69:51:a7:be:66:a6:8a:3a:2a:bd:c7:
-                    1a:b1:e1:14:f0:be:3a:1d:b9:cf:5b:b1:6a:fe:b4:
-                    b1:46:20:a2:fb:1e:3b:70:ef:93:98:7d:8c:73:96:
-                    f2:c5:ef:85:70:ad:29:26:fc:1e:04:3e:1c:a0:d8:
-                    0f:cb:52:83:62:7c:ee:8b:53:95:90:a9:57:a2:ea:
-                    61:05:d8:f9:4d:c4:27:fa:6e:ad:ed:f9:d7:51:f7:
-                    6b:a5
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                D3:94:8A:4C:62:13:2A:19:2E:CC:AF:72:8A:7D:36:D7:9A:1C:DC:67
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%20EV%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist
-
-                Full Name:
-                  URI:http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_ev_2009.crl
-
-    Signature Algorithm: sha256WithRSAEncryption
-         34:ed:7b:5a:3c:a4:94:88:ef:1a:11:75:07:2f:b3:fe:3c:fa:
-         1e:51:26:eb:87:f6:29:de:e0:f1:d4:c6:24:09:e9:c1:cf:55:
-         1b:b4:30:d9:ce:1a:fe:06:51:a6:15:a4:2d:ef:b2:4b:bf:20:
-         28:25:49:d1:a6:36:77:34:e8:64:df:52:b1:11:c7:73:7a:cd:
-         39:9e:c2:ad:8c:71:21:f2:5a:6b:af:df:3c:4e:55:af:b2:84:
-         65:14:89:b9:77:cb:2a:31:be:cf:a3:6d:cf:6f:48:94:32:46:
-         6f:e7:71:8c:a0:a6:84:19:37:07:f2:03:45:09:2b:86:75:7c:
-         df:5f:69:57:00:db:6e:d8:a6:72:22:4b:50:d4:75:98:56:df:
-         b7:18:ff:43:43:50:ae:7a:44:7b:f0:79:51:d7:43:3d:a7:d3:
-         81:d3:f0:c9:4f:b9:da:c6:97:86:d0:82:c3:e4:42:6d:fe:b0:
-         e2:64:4e:0e:26:e7:40:34:26:b5:08:89:d7:08:63:63:38:27:
-         75:1e:33:ea:6e:a8:dd:9f:99:4f:74:4d:81:89:80:4b:dd:9a:
-         97:29:5c:2f:be:81:41:b9:8c:ff:ea:7d:60:06:9e:cd:d7:3d:
-         d3:2e:a3:15:bc:a8:e6:26:e5:6f:c3:dc:b8:03:21:ea:9f:16:
-         f1:2c:54:b5
------BEGIN CERTIFICATE-----
-MIIEQzCCAyugAwIBAgIDCYP0MA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF
-MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD
-bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0wOTExMDUwODUwNDZaFw0yOTExMDUwODUw
-NDZaMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNV
-BAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAJnxhDRwui+3MKCOvXwEz75ivJn9gpfSegpn
-ljgJ9hBOlSJzmY3aFS3nBfwZcyK3jpgAvDw9rKFs+9Z5JUut8Mxk2og+KbgPCdM0
-3TP1YtHhzRnp7hhPTFiu4h7WDFsVWtg6uMQYZB7jM7K1iXdODL/ZlGsTl28So/6Z
-qQTMFexgaDbtCHu39b+T7WYxg4zGcTSHThfqr4uRjRxWQa4iN1438h3Z0S0NL2lR
-p75mpoo6Kr3HGrHhFPC+Oh25z1uxav60sUYgovseO3Dvk5h9jHOW8sXvhXCtKSb8
-HgQ+HKDYD8tSg2J87otTlZCpV6LqYQXY+U3EJ/pure3511H3a6UCAwEAAaOCASQw
-ggEgMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNOUikxiEyoZLsyvcop9Ntea
-HNxnMA4GA1UdDwEB/wQEAwIBBjCB3QYDVR0fBIHVMIHSMIGHoIGEoIGBhn9sZGFw
-Oi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xh
-c3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1E
-RT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQt
-dHJ1c3QubmV0L2NybC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDku
-Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQA07XtaPKSUiO8aEXUHL7P+PPoeUSbrh/Yp
-3uDx1MYkCenBz1UbtDDZzhr+BlGmFaQt77JLvyAoJUnRpjZ3NOhk31KxEcdzes05
-nsKtjHEh8lprr988TlWvsoRlFIm5d8sqMb7Po23Pb0iUMkZv53GMoKaEGTcH8gNF
-CSuGdXzfX2lXANtu2KZyIktQ1HWYVt+3GP9DQ1CuekR78HlR10M9p9OB0/DJT7na
-xpeG0ILD5EJt/rDiZE4OJudANCa1CInXCGNjOCd1HjPqbqjdn5lPdE2BiYBL3ZqX
-KVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVvw9y4AyHqnxbxLFS1
------END CERTIFICATE-----
-
-# 40f6af0346a99aa1cd1d555a4e9cce62c7f9634603ee406615833dc8c8d00367
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            31:f5:e4:62:0c:6c:58:ed:d6:d8
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign Root CA - G1
-        Validity
-            Not Before: Feb 18 18:30:00 2018 GMT
-            Not After : Feb 18 18:30:00 2043 GMT
-        Subject: C = IN, OU = emSign PKI, O = eMudhra Technologies Limited, CN = emSign Root CA - G1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:93:4b:bb:e9:66:8a:ee:9d:5b:d5:34:93:d0:1b:
-                    1e:c3:e7:9e:b8:64:33:7f:63:78:68:b4:cd:2e:71:
-                    75:d7:9b:20:c6:4d:29:bc:b6:68:60:8a:f7:21:9a:
-                    56:35:5a:f3:76:bd:d8:cd:9a:ff:93:56:4b:a5:59:
-                    06:a1:93:34:29:dd:16:34:75:4e:f2:81:b4:c7:96:
-                    4e:ad:19:15:52:4a:fe:3c:70:75:70:cd:af:2b:ab:
-                    15:9a:33:3c:aa:b3:8b:aa:cd:43:fd:f5:ea:70:ff:
-                    ed:cf:11:3b:94:ce:4e:32:16:d3:23:40:2a:77:b3:
-                    af:3c:01:2c:6c:ed:99:2c:8b:d9:4e:69:98:b2:f7:
-                    8f:41:b0:32:78:61:d6:0d:5f:c3:fa:a2:40:92:1d:
-                    5c:17:e6:70:3e:35:e7:a2:b7:c2:62:e2:ab:a4:38:
-                    4c:b5:39:35:6f:ea:03:69:fa:3a:54:68:85:6d:d6:
-                    f2:2f:43:55:1e:91:0d:0e:d8:d5:6a:a4:96:d1:13:
-                    3c:2c:78:50:e8:3a:92:d2:17:56:e5:35:1a:40:1c:
-                    3e:8d:2c:ed:39:df:42:e0:83:41:74:df:a3:cd:c2:
-                    86:60:48:68:e3:69:0b:54:00:8b:e4:76:69:21:0d:
-                    79:4e:34:08:5e:14:c2:cc:b1:b7:ad:d7:7c:70:8a:
-                    c7:85
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                FB:EF:0D:86:9E:B0:E3:DD:A9:B9:F1:21:17:7F:3E:FC:F0:77:2B:1A
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha256WithRSAEncryption
-         59:ff:f2:8c:f5:87:7d:71:3d:a3:9f:1b:5b:d1:da:f8:d3:9c:
-         6b:36:bd:9b:a9:61:eb:de:16:2c:74:3d:9e:e6:75:da:d7:ba:
-         a7:bc:42:17:e7:3d:91:eb:e5:7d:dd:3e:9c:f1:cf:92:ac:6c:
-         48:cc:c2:22:3f:69:3b:c5:b6:15:2f:a3:35:c6:68:2a:1c:57:
-         af:39:ef:8d:d0:35:c3:18:0c:7b:00:56:1c:cd:8b:19:74:de:
-         be:0f:12:e0:d0:aa:a1:3f:02:34:b1:70:ce:9d:18:d6:08:03:
-         09:46:ee:60:e0:7e:b6:c4:49:04:51:7d:70:60:bc:aa:b2:ff:
-         79:72:7a:a6:1d:3d:5f:2a:f8:ca:e2:fd:39:b7:47:b9:eb:7e:
-         df:04:23:af:fa:9c:06:07:e9:fb:63:93:80:40:b5:c6:6c:0a:
-         31:28:ce:0c:9f:cf:b3:23:35:80:41:8d:6c:c4:37:7b:81:2f:
-         80:a1:40:42:85:e9:d9:38:8d:e8:a1:53:cd:01:bf:69:e8:5a:
-         06:f2:45:0b:90:fa:ae:e1:bf:9d:f2:ae:57:3c:a5:ae:b2:56:
-         f4:8b:65:40:e9:fd:31:81:2c:f4:39:09:d8:ee:6b:a7:b4:a6:
-         1d:15:a5:98:f7:01:81:d8:85:7d:f3:51:5c:71:88:de:ba:cc:
-         1f:80:7e:4a
------BEGIN CERTIFICATE-----
-MIIDlDCCAnygAwIBAgIKMfXkYgxsWO3W2DANBgkqhkiG9w0BAQsFADBnMQswCQYD
-VQQGEwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBU
-ZWNobm9sb2dpZXMgTGltaXRlZDEcMBoGA1UEAxMTZW1TaWduIFJvb3QgQ0EgLSBH
-MTAeFw0xODAyMTgxODMwMDBaFw00MzAyMTgxODMwMDBaMGcxCzAJBgNVBAYTAklO
-MRMwEQYDVQQLEwplbVNpZ24gUEtJMSUwIwYDVQQKExxlTXVkaHJhIFRlY2hub2xv
-Z2llcyBMaW1pdGVkMRwwGgYDVQQDExNlbVNpZ24gUm9vdCBDQSAtIEcxMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk0u76WaK7p1b1TST0Bsew+eeuGQz
-f2N4aLTNLnF115sgxk0pvLZoYIr3IZpWNVrzdr3YzZr/k1ZLpVkGoZM0Kd0WNHVO
-8oG0x5ZOrRkVUkr+PHB1cM2vK6sVmjM8qrOLqs1D/fXqcP/tzxE7lM5OMhbTI0Aq
-d7OvPAEsbO2ZLIvZTmmYsvePQbAyeGHWDV/D+qJAkh1cF+ZwPjXnorfCYuKrpDhM
-tTk1b+oDafo6VGiFbdbyL0NVHpENDtjVaqSW0RM8LHhQ6DqS0hdW5TUaQBw+jSzt
-Od9C4INBdN+jzcKGYEho42kLVACL5HZpIQ15TjQIXhTCzLG3rdd8cIrHhQIDAQAB
-o0IwQDAdBgNVHQ4EFgQU++8Nhp6w492pufEhF38+/PB3KxowDgYDVR0PAQH/BAQD
-AgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFn/8oz1h31x
-PaOfG1vR2vjTnGs2vZupYeveFix0PZ7mddrXuqe8QhfnPZHr5X3dPpzxz5KsbEjM
-wiI/aTvFthUvozXGaCocV685743QNcMYDHsAVhzNixl03r4PEuDQqqE/AjSxcM6d
-GNYIAwlG7mDgfrbESQRRfXBgvKqy/3lyeqYdPV8q+Mri/Tm3R7nrft8EI6/6nAYH
-6ftjk4BAtcZsCjEozgyfz7MjNYBBjWzEN3uBL4ChQEKF6dk4jeihU80Bv2noWgby
-RQuQ+q7hv53yrlc8pa6yVvSLZUDp/TGBLPQ5Cdjua6e0ph0VpZj3AYHYhX3zUVxx
-iN66zB+Afko=
------END CERTIFICATE-----
-
-# 73c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1164660820 (0x456b5054)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority
-        Validity
-            Not Before: Nov 27 20:23:42 2006 GMT
-            Not After : Nov 27 20:53:42 2026 GMT
-        Subject: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b6:95:b6:43:42:fa:c6:6d:2a:6f:48:df:94:4c:
-                    39:57:05:ee:c3:79:11:41:68:36:ed:ec:fe:9a:01:
-                    8f:a1:38:28:fc:f7:10:46:66:2e:4d:1e:1a:b1:1a:
-                    4e:c6:d1:c0:95:88:b0:c9:ff:31:8b:33:03:db:b7:
-                    83:7b:3e:20:84:5e:ed:b2:56:28:a7:f8:e0:b9:40:
-                    71:37:c5:cb:47:0e:97:2a:68:c0:22:95:62:15:db:
-                    47:d9:f5:d0:2b:ff:82:4b:c9:ad:3e:de:4c:db:90:
-                    80:50:3f:09:8a:84:00:ec:30:0a:3d:18:cd:fb:fd:
-                    2a:59:9a:23:95:17:2c:45:9e:1f:6e:43:79:6d:0c:
-                    5c:98:fe:48:a7:c5:23:47:5c:5e:fd:6e:e7:1e:b4:
-                    f6:68:45:d1:86:83:5b:a2:8a:8d:b1:e3:29:80:fe:
-                    25:71:88:ad:be:bc:8f:ac:52:96:4b:aa:51:8d:e4:
-                    13:31:19:e8:4e:4d:9f:db:ac:b3:6a:d5:bc:39:54:
-                    71:ca:7a:7a:7f:90:dd:7d:1d:80:d9:81:bb:59:26:
-                    c2:11:fe:e6:93:e2:f7:80:e4:65:fb:34:37:0e:29:
-                    80:70:4d:af:38:86:2e:9e:7f:57:af:9e:17:ae:eb:
-                    1c:cb:28:21:5f:b6:1c:d8:e7:a2:04:22:f9:d3:da:
-                    d8:cb
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Private Key Usage Period: 
-                Not Before: Nov 27 20:23:42 2006 GMT, Not After: Nov 27 20:53:42 2026 GMT
-            X509v3 Authority Key Identifier: 
-                keyid:68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D
-
-            X509v3 Subject Key Identifier: 
-                68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D
-            1.2.840.113533.7.65.0: 
-                0...V7.1:4.0....
-    Signature Algorithm: sha1WithRSAEncryption
-         93:d4:30:b0:d7:03:20:2a:d0:f9:63:e8:91:0c:05:20:a9:5f:
-         19:ca:7b:72:4e:d4:b1:db:d0:96:fb:54:5a:19:2c:0c:08:f7:
-         b2:bc:85:a8:9d:7f:6d:3b:52:b3:2a:db:e7:d4:84:8c:63:f6:
-         0f:cb:26:01:91:50:6c:f4:5f:14:e2:93:74:c0:13:9e:30:3a:
-         50:e3:b4:60:c5:1c:f0:22:44:8d:71:47:ac:c8:1a:c9:e9:9b:
-         9a:00:60:13:ff:70:7e:5f:11:4d:49:1b:b3:15:52:7b:c9:54:
-         da:bf:9d:95:af:6b:9a:d8:9e:e9:f1:e4:43:8d:e2:11:44:3a:
-         bf:af:bd:83:42:73:52:8b:aa:bb:a7:29:cf:f5:64:1c:0a:4d:
-         d1:bc:aa:ac:9f:2a:d0:ff:7f:7f:da:7d:ea:b1:ed:30:25:c1:
-         84:da:34:d2:5b:78:83:56:ec:9c:36:c3:26:e2:11:f6:67:49:
-         1d:92:ab:8c:fb:eb:ff:7a:ee:85:4a:a7:50:80:f0:a7:5c:4a:
-         94:2e:5f:05:99:3c:52:41:e0:cd:b4:63:cf:01:43:ba:9c:83:
-         dc:8f:60:3b:f3:5a:b4:b4:7b:ae:da:0b:90:38:75:ef:81:1d:
-         66:d2:f7:57:70:36:b3:bf:fc:28:af:71:25:85:5b:13:fe:1e:
-         7f:5a:b4:3c
------BEGIN CERTIFICATE-----
-MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
-Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
-KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
-cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEyNzIw
-NTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkw
-NwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSBy
-ZWZlcmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNV
-BAMTJEVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFo
-Nu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYszA9u3g3s+IIRe7bJWKKf4
-4LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOwwCj0Yzfv9
-KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGI
-rb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi
-94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOB
-sDCBrTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAi
-gA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRo
-kORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uE
-vW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
-A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9t
-O1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6Zua
-AGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP
-9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM++v/
-eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
-0vdXcDazv/wor3ElhVsT/h5/WrQ8
------END CERTIFICATE-----
-
-# 43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1246989352 (0x4a538c28)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
-        Validity
-            Not Before: Jul  7 17:25:54 2009 GMT
-            Not After : Dec  7 17:55:54 2030 GMT
-        Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:ba:84:b6:72:db:9e:0c:6b:e2:99:e9:30:01:a7:
-                    76:ea:32:b8:95:41:1a:c9:da:61:4e:58:72:cf:fe:
-                    f6:82:79:bf:73:61:06:0a:a5:27:d8:b3:5f:d3:45:
-                    4e:1c:72:d6:4e:32:f2:72:8a:0f:f7:83:19:d0:6a:
-                    80:80:00:45:1e:b0:c7:e7:9a:bf:12:57:27:1c:a3:
-                    68:2f:0a:87:bd:6a:6b:0e:5e:65:f3:1c:77:d5:d4:
-                    85:8d:70:21:b4:b3:32:e7:8b:a2:d5:86:39:02:b1:
-                    b8:d2:47:ce:e4:c9:49:c4:3b:a7:de:fb:54:7d:57:
-                    be:f0:e8:6e:c2:79:b2:3a:0b:55:e2:50:98:16:32:
-                    13:5c:2f:78:56:c1:c2:94:b3:f2:5a:e4:27:9a:9f:
-                    24:d7:c6:ec:d0:9b:25:82:e3:cc:c2:c4:45:c5:8c:
-                    97:7a:06:6b:2a:11:9f:a9:0a:6e:48:3b:6f:db:d4:
-                    11:19:42:f7:8f:07:bf:f5:53:5f:9c:3e:f4:17:2c:
-                    e6:69:ac:4e:32:4c:62:77:ea:b7:e8:e5:bb:34:bc:
-                    19:8b:ae:9c:51:e7:b7:7e:b5:53:b1:33:22:e5:6d:
-                    cf:70:3c:1a:fa:e2:9b:67:b6:83:f4:8d:a5:af:62:
-                    4c:4d:e0:58:ac:64:34:12:03:f8:b6:8d:94:63:24:
-                    a4:71
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB
-    Signature Algorithm: sha256WithRSAEncryption
-         79:9f:1d:96:c6:b6:79:3f:22:8d:87:d3:87:03:04:60:6a:6b:
-         9a:2e:59:89:73:11:ac:43:d1:f5:13:ff:8d:39:2b:c0:f2:bd:
-         4f:70:8c:a9:2f:ea:17:c4:0b:54:9e:d4:1b:96:98:33:3c:a8:
-         ad:62:a2:00:76:ab:59:69:6e:06:1d:7e:c4:b9:44:8d:98:af:
-         12:d4:61:db:0a:19:46:47:f3:eb:f7:63:c1:40:05:40:a5:d2:
-         b7:f4:b5:9a:36:bf:a9:88:76:88:04:55:04:2b:9c:87:7f:1a:
-         37:3c:7e:2d:a5:1a:d8:d4:89:5e:ca:bd:ac:3d:6c:d8:6d:af:
-         d5:f3:76:0f:cd:3b:88:38:22:9d:6c:93:9a:c4:3d:bf:82:1b:
-         65:3f:a6:0f:5d:aa:fc:e5:b2:15:ca:b5:ad:c6:bc:3d:d0:84:
-         e8:ea:06:72:b0:4d:39:32:78:bf:3e:11:9c:0b:a4:9d:9a:21:
-         f3:f0:9b:0b:30:78:db:c1:dc:87:43:fe:bc:63:9a:ca:c5:c2:
-         1c:c9:c7:8d:ff:3b:12:58:08:e6:b6:3d:ec:7a:2c:4e:fb:83:
-         96:ce:0c:3c:69:87:54:73:a4:73:c2:93:ff:51:10:ac:15:54:
-         01:d8:fc:05:b1:89:a1:7f:74:83:9a:49:d7:dc:4e:7b:8a:48:
-         6f:8b:45:f6
------BEGIN CERTIFICATE-----
-MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
-cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
-IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
-dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy
-NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
-dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
-dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
-aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T
-RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN
-cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW
-wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1
-U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0
-jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN
-BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/
-jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ
-Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v
-1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R
-nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH
-VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
------END CERTIFICATE-----
-
-# db3517d1f6732a2d5ab97c533ec70779ee3270a62fb4ac4238372460e6f01e88
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            d9:b5:43:7f:af:a9:39:0f:00:00:00:00:55:65:ad:58
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4
-        Validity
-            Not Before: May 27 11:11:16 2015 GMT
-            Not After : Dec 27 11:41:16 2037 GMT
-        Subject: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2015 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G4
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:b1:ec:2c:42:ee:e2:d1:30:ff:a5:92:47:e2:2d:
-                    c3:ba:64:97:6d:ca:f7:0d:b5:59:c1:b3:cb:a8:68:
-                    19:d8:af:84:6d:30:70:5d:7e:f3:2e:d2:53:99:e1:
-                    fe:1f:5e:d9:48:af:5d:13:8d:db:ff:63:33:4d:d3:
-                    00:02:bc:c4:f8:d1:06:08:94:79:58:8a:15:de:29:
-                    b3:fd:fd:c4:4f:e8:aa:e2:a0:3b:79:cd:bf:6b:43:
-                    32:dd:d9:74:10:b9:f7:f4:68:d4:bb:d0:87:d5:aa:
-                    4b:8a:2a:6f:2a:04:b5:b2:a6:c7:a0:7a:e6:48:ab:
-                    d2:d1:59:cc:d6:7e:23:e6:97:6c:f0:42:e5:dc:51:
-                    4b:15:41:ed:49:4a:c9:de:10:97:d6:76:c1:ef:a5:
-                    b5:36:14:97:35:d8:78:22:35:52:ef:43:bd:db:27:
-                    db:61:56:82:34:dc:cb:88:60:0c:0b:5a:e5:2c:01:
-                    c6:54:af:d7:aa:c1:10:7b:d2:05:5a:b8:40:9e:86:
-                    a7:c3:90:86:02:56:52:09:7a:9c:d2:27:82:53:4a:
-                    65:52:6a:f5:3c:e7:a8:f2:9c:af:8b:bd:d3:0e:d4:
-                    d4:5e:6e:87:9e:6a:3d:45:1d:d1:5d:1b:f4:e9:0a:
-                    ac:60:99:fb:89:b4:ff:98:2c:cf:7c:1d:e9:02:aa:
-                    04:9a:1e:b8:dc:88:6e:25:b3:6c:66:f7:3c:90:f3:
-                    57:c1:b3:2f:f5:6d:f2:fb:ca:a1:f8:29:9d:46:8b:
-                    b3:6a:f6:e6:67:07:be:2c:67:0a:2a:1f:5a:b2:3e:
-                    57:c4:d3:21:21:63:65:52:91:1b:b1:99:8e:79:7e:
-                    e6:eb:8d:00:d9:5a:aa:ea:73:e8:a4:82:02:47:96:
-                    fe:5b:8e:54:61:a3:eb:2f:4b:30:b0:8b:23:75:72:
-                    7c:21:3c:c8:f6:f1:74:d4:1c:7b:a3:05:55:ee:bb:
-                    4d:3b:32:be:9a:77:66:9e:ac:69:90:22:07:1f:61:
-                    3a:96:be:e5:9a:4f:cc:05:3c:28:59:d3:c1:0c:54:
-                    a8:59:61:bd:c8:72:4c:e8:dc:9f:87:7f:bd:9c:48:
-                    36:5e:95:a3:0e:b9:38:24:55:fc:75:66:eb:02:e3:
-                    08:34:29:4a:c6:e3:2b:2f:33:a0:da:a3:86:a5:12:
-                    97:fd:80:2b:da:14:42:e3:92:bd:3e:f2:5d:5e:67:
-                    74:2e:1c:88:47:29:34:5f:e2:32:a8:9c:25:37:8c:
-                    ba:98:00:97:8b:49:96:1e:fd:25:8a:ac:dc:da:d8:
-                    5d:74:6e:66:b0:ff:44:df:a1:18:c6:be:48:2f:37:
-                    94:78:f8:95:4a:3f:7f:13:5e:5d:59:fd:74:86:43:
-                    63:73:49
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                9F:38:C4:56:23:C3:39:E8:A0:71:6C:E8:54:4C:E4:E8:3A:B1:BF:67
-    Signature Algorithm: sha256WithRSAEncryption
-         12:e5:42:a6:7b:8b:0f:0c:e4:46:a5:b6:60:40:87:8c:25:7e:
-         ad:b8:68:2e:5b:c6:40:76:3c:03:f8:c9:59:f4:f3:ab:62:ce:
-         10:8d:b4:5a:64:8c:68:c0:b0:72:43:34:d2:1b:0b:f6:2c:53:
-         d2:ca:90:4b:86:66:fc:aa:83:22:f4:8b:1a:6f:26:48:ac:76:
-         77:08:bf:c5:98:5c:f4:26:89:9e:7b:c3:b9:64:32:01:7f:d3:
-         c3:dd:58:6d:ec:b1:ab:84:55:74:77:84:04:27:52:6b:86:4c:
-         ce:dd:b9:65:ff:d6:c6:5e:9f:9a:10:99:4b:75:6a:fe:6a:e9:
-         97:20:e4:e4:76:7a:c6:d0:24:aa:90:cd:20:90:ba:47:64:fb:
-         7f:07:b3:53:78:b5:0a:62:f2:73:43:ce:41:2b:81:6a:2e:85:
-         16:94:53:d4:6b:5f:72:22:ab:51:2d:42:d5:00:9c:99:bf:de:
-         bb:94:3b:57:fd:9a:f5:86:cb:56:3b:5b:88:01:e5:7c:28:4b:
-         03:f9:49:83:7c:b2:7f:7c:e3:ed:8e:a1:7f:60:53:8e:55:9d:
-         50:34:12:0f:b7:97:7b:6c:87:4a:44:e7:f5:6d:ec:80:37:f0:
-         58:19:6e:4a:68:76:f0:1f:92:e4:ea:b5:92:d3:61:51:10:0b:
-         ad:a7:d9:5f:c7:5f:dc:1f:a3:5c:8c:a1:7e:9b:b7:9e:d3:56:
-         6f:66:5e:07:96:20:ed:0b:74:fb:66:4e:8b:11:15:e9:81:49:
-         7e:6f:b0:d4:50:7f:22:d7:5f:65:02:0d:a6:f4:85:1e:d8:ae:
-         06:4b:4a:a7:d2:31:66:c2:f8:ce:e5:08:a6:a4:02:96:44:68:
-         57:c4:d5:33:cf:19:2f:14:c4:94:1c:7b:a4:d9:f0:9f:0e:b1:
-         80:e2:d1:9e:11:64:a9:88:11:3a:76:82:e5:62:c2:80:d8:a4:
-         83:ed:93:ef:7c:2f:90:b0:32:4c:96:15:68:48:52:d4:99:08:
-         c0:24:e8:1c:e3:b3:a5:21:0e:92:c0:90:1f:cf:20:5f:ca:3b:
-         38:c7:b7:6d:3a:f3:e6:44:b8:0e:31:6b:88:8e:70:eb:9c:17:
-         52:a8:41:94:2e:87:b6:e7:a6:12:c5:75:df:5b:c0:0a:6e:7b:
-         a4:e4:5e:86:f9:36:94:df:77:c3:e9:0d:c0:39:f1:79:bb:46:
-         8e:ab:43:59:27:b7:20:bb:23:e9:56:40:21:ec:31:3d:65:aa:
-         43:f2:3d:df:70:44:e1:ba:4d:26:10:3b:98:9f:f3:c8:8e:1b:
-         38:56:21:6a:51:93:d3:91:ca:46:da:89:b7:3d:53:83:2c:08:
-         1f:8b:8f:53:dd:ff:ac:1f
------BEGIN CERTIFICATE-----
-MIIGSzCCBDOgAwIBAgIRANm1Q3+vqTkPAAAAAFVlrVgwDQYJKoZIhvcNAQELBQAw
-gb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL
-Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg
-MjAxNSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAw
-BgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0
-MB4XDTE1MDUyNzExMTExNloXDTM3MTIyNzExNDExNlowgb4xCzAJBgNVBAYTAlVT
-MRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1
-c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxNSBFbnRydXN0LCBJ
-bmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3Qg
-Um9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEc0MIICIjANBgkqhkiG9w0B
-AQEFAAOCAg8AMIICCgKCAgEAsewsQu7i0TD/pZJH4i3DumSXbcr3DbVZwbPLqGgZ
-2K+EbTBwXX7zLtJTmeH+H17ZSK9dE43b/2MzTdMAArzE+NEGCJR5WIoV3imz/f3E
-T+iq4qA7ec2/a0My3dl0ELn39GjUu9CH1apLiipvKgS1sqbHoHrmSKvS0VnM1n4j
-5pds8ELl3FFLFUHtSUrJ3hCX1nbB76W1NhSXNdh4IjVS70O92yfbYVaCNNzLiGAM
-C1rlLAHGVK/XqsEQe9IFWrhAnoanw5CGAlZSCXqc0ieCU0plUmr1POeo8pyvi73T
-DtTUXm6Hnmo9RR3RXRv06QqsYJn7ibT/mCzPfB3pAqoEmh643IhuJbNsZvc8kPNX
-wbMv9W3y+8qh+CmdRouzavbmZwe+LGcKKh9asj5XxNMhIWNlUpEbsZmOeX7m640A
-2Vqq6nPopIICR5b+W45UYaPrL0swsIsjdXJ8ITzI9vF01Bx7owVV7rtNOzK+mndm
-nqxpkCIHH2E6lr7lmk/MBTwoWdPBDFSoWWG9yHJM6Nyfh3+9nEg2XpWjDrk4JFX8
-dWbrAuMINClKxuMrLzOg2qOGpRKX/YAr2hRC45K9PvJdXmd0LhyIRyk0X+IyqJwl
-N4y6mACXi0mWHv0liqzc2thddG5msP9E36EYxr5ILzeUePiVSj9/E15dWf10hkNj
-c0kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
-VR0OBBYEFJ84xFYjwznooHFs6FRM5Og6sb9nMA0GCSqGSIb3DQEBCwUAA4ICAQAS
-5UKme4sPDORGpbZgQIeMJX6tuGguW8ZAdjwD+MlZ9POrYs4QjbRaZIxowLByQzTS
-Gwv2LFPSypBLhmb8qoMi9IsabyZIrHZ3CL/FmFz0Jomee8O5ZDIBf9PD3Vht7LGr
-hFV0d4QEJ1JrhkzO3bll/9bGXp+aEJlLdWr+aumXIOTkdnrG0CSqkM0gkLpHZPt/
-B7NTeLUKYvJzQ85BK4FqLoUWlFPUa19yIqtRLULVAJyZv967lDtX/Zr1hstWO1uI
-AeV8KEsD+UmDfLJ/fOPtjqF/YFOOVZ1QNBIPt5d7bIdKROf1beyAN/BYGW5KaHbw
-H5Lk6rWS02FREAutp9lfx1/cH6NcjKF+m7ee01ZvZl4HliDtC3T7Zk6LERXpgUl+
-b7DUUH8i119lAg2m9IUe2K4GS0qn0jFmwvjO5QimpAKWRGhXxNUzzxkvFMSUHHuk
-2fCfDrGA4tGeEWSpiBE6doLlYsKA2KSD7ZPvfC+QsDJMlhVoSFLUmQjAJOgc47Ol
-IQ6SwJAfzyBfyjs4x7dtOvPmRLgOMWuIjnDrnBdSqEGULoe256YSxXXfW8AKbnuk
-5F6G+TaU33fD6Q3AOfF5u0aOq0NZJ7cguyPpVkAh7DE9ZapD8j3fcEThuk0mEDuY
-n/PIjhs4ViFqUZPTkcpG2om3PVODLAgfi49T3f+sHw==
------END CERTIFICATE-----
-
-# 02ed0eb28c14da45165c566791700d6451d7fb56f0b2ab1d3b8eb070e56edff5
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            a6:8b:79:29:00:00:00:00:50:d0:91:f9
-    Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1
-        Validity
-            Not Before: Dec 18 15:25:36 2012 GMT
-            Not After : Dec 18 15:55:36 2037 GMT
-        Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub: 
-                    04:84:13:c9:d0:ba:6d:41:7b:e2:6c:d0:eb:55:5f:
-                    66:02:1a:24:f4:5b:89:69:47:e3:b8:c2:7d:f1:f2:
-                    02:c5:9f:a0:f6:5b:d5:8b:06:19:86:4f:53:10:6d:
-                    07:24:27:a1:a0:f8:d5:47:19:61:4c:7d:ca:93:27:
-                    ea:74:0c:ef:6f:96:09:fe:63:ec:70:5d:36:ad:67:
-                    77:ae:c9:9d:7c:55:44:3a:a2:63:51:1f:f5:e3:62:
-                    d4:a9:47:07:3e:cc:20
-                ASN1 OID: secp384r1
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                B7:63:E7:1A:DD:8D:E9:08:A6:55:83:A4:E0:6A:50:41:65:11:42:49
-    Signature Algorithm: ecdsa-with-SHA384
-         30:64:02:30:61:79:d8:e5:42:47:df:1c:ae:53:99:17:b6:6f:
-         1c:7d:e1:bf:11:94:d1:03:88:75:e4:8d:89:a4:8a:77:46:de:
-         6d:61:ef:02:f5:fb:b5:df:cc:fe:4e:ff:fe:a9:e6:a7:02:30:
-         5b:99:d7:85:37:06:b5:7b:08:fd:eb:27:8b:4a:94:f9:e1:fa:
-         a7:8e:26:08:e8:7c:92:68:6d:73:d8:6f:26:ac:21:02:b8:99:
-         b7:26:41:5b:25:60:ae:d0:48:1a:ee:06
------BEGIN CERTIFICATE-----
-MIIC+TCCAoCgAwIBAgINAKaLeSkAAAAAUNCR+TAKBggqhkjOPQQDAzCBvzELMAkG
-A1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3
-d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVu
-dHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEzMDEGA1UEAxMq
-RW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRUMxMB4XDTEy
-MTIxODE1MjUzNloXDTM3MTIxODE1NTUzNlowgb8xCzAJBgNVBAYTAlVTMRYwFAYD
-VQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0
-L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxMiBFbnRydXN0LCBJbmMuIC0g
-Zm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMzAxBgNVBAMTKkVudHJ1c3QgUm9vdCBD
-ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEVDMTB2MBAGByqGSM49AgEGBSuBBAAi
-A2IABIQTydC6bUF74mzQ61VfZgIaJPRbiWlH47jCffHyAsWfoPZb1YsGGYZPUxBt
-ByQnoaD41UcZYUx9ypMn6nQM72+WCf5j7HBdNq1nd67JnXxVRDqiY1Ef9eNi1KlH
-Bz7MIKNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
-BBYEFLdj5xrdjekIplWDpOBqUEFlEUJJMAoGCCqGSM49BAMDA2cAMGQCMGF52OVC
-R98crlOZF7ZvHH3hvxGU0QOIdeSNiaSKd0bebWHvAvX7td/M/k7//qnmpwIwW5nX
-hTcGtXsI/esni0qU+eH6p44mCOh8kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G
------END CERTIFICATE-----
-
-# b0bfd52bb0d7d9bd92bf5d4dc13da255c02c542f378365ea893911f55e55f23c
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 7667447206703254355 (0x6a683e9c519bcb53)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=TR, L=Ankara, O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority
-        Validity
-            Not Before: Mar  5 12:09:48 2013 GMT
-            Not After : Mar  3 12:09:48 2023 GMT
-        Subject: C=TR, L=Ankara, O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:e2:f5:3f:93:05:51:1e:85:62:54:5e:7a:0b:f5:
-                    18:07:83:ae:7e:af:7c:f7:d4:8a:6b:a5:63:43:39:
-                    b9:4b:f7:c3:c6:64:89:3d:94:2e:54:80:52:39:39:
-                    07:4b:4b:dd:85:07:76:87:cc:bf:2f:95:4c:cc:7d:
-                    a7:3d:bc:47:0f:98:70:f8:8c:85:1e:74:8e:92:6d:
-                    1b:40:d1:99:0d:bb:75:6e:c8:a9:6b:9a:c0:84:31:
-                    af:ca:43:cb:eb:2b:34:e8:8f:97:6b:01:9b:d5:0e:
-                    4a:08:aa:5b:92:74:85:43:d3:80:ae:a1:88:5b:ae:
-                    b3:ea:5e:cb:16:9a:77:44:c8:a1:f6:54:68:ce:de:
-                    8f:97:2b:ba:5b:40:02:0c:64:17:c0:b5:93:cd:e1:
-                    f1:13:66:ce:0c:79:ef:d1:91:28:ab:5f:a0:12:52:
-                    30:73:19:8e:8f:e1:8c:07:a2:c3:bb:4a:f0:ea:1f:
-                    15:a8:ee:25:cc:a4:46:f8:1b:22:ef:b3:0e:43:ba:
-                    2c:24:b8:c5:2c:5c:d4:1c:f8:5d:64:bd:c3:93:5e:
-                    28:a7:3f:27:f1:8e:1e:d3:2a:50:05:a3:55:d9:cb:
-                    e7:39:53:c0:98:9e:8c:54:62:8b:26:b0:f7:7d:8d:
-                    7c:e4:c6:9e:66:42:55:82:47:e7:b2:58:8d:66:f7:
-                    07:7c:2e:36:e6:50:1c:3f:db:43:24:c5:bf:86:47:
-                    79:b3:79:1c:f7:5a:f4:13:ec:6c:f8:3f:e2:59:1f:
-                    95:ee:42:3e:b9:ad:a8:32:85:49:97:46:fe:4b:31:
-                    8f:5a:cb:ad:74:47:1f:e9:91:b7:df:28:04:22:a0:
-                    d4:0f:5d:e2:79:4f:ea:6c:85:86:bd:a8:a6:ce:e4:
-                    fa:c3:e1:b3:ae:de:3c:51:ee:cb:13:7c:01:7f:84:
-                    0e:5d:51:94:9e:13:0c:b6:2e:a5:4c:f9:39:70:36:
-                    6f:96:ca:2e:0c:44:55:c5:ca:fa:5d:02:a3:df:d6:
-                    64:8c:5a:b3:01:0a:a9:b5:0a:47:17:ff:ef:91:40:
-                    2a:8e:a1:46:3a:31:98:e5:11:fc:cc:bb:49:56:8a:
-                    fc:b9:d0:61:9a:6f:65:6c:e6:c3:cb:3e:75:49:fe:
-                    8f:a7:e2:89:c5:67:d7:9d:46:13:4e:31:76:3b:24:
-                    b3:9e:11:65:86:ab:7f:ef:1d:d4:f8:bc:e7:ac:5a:
-                    5c:b7:5a:47:5c:55:ce:55:b4:22:71:5b:5b:0b:f0:
-                    cf:dc:a0:61:64:ea:a9:d7:68:0a:63:a7:e0:0d:3f:
-                    a0:af:d3:aa:d2:7e:ef:51:a0:e6:51:2b:55:92:15:
-                    17:53:cb:b7:66:0e:66:4c:f8:f9:75:4c:90:e7:12:
-                    70:c7:45
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Authority Key Identifier: 
-                keyid:2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54
-
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         05:37:3a:f4:4d:b7:45:e2:45:75:24:8f:b6:77:52:e8:1c:d8:
-         10:93:65:f3:f2:59:06:a4:3e:1e:29:ec:5d:d1:d0:ab:7c:e0:
-         0a:90:48:78:ed:4e:98:03:99:fe:28:60:91:1d:30:1d:b8:63:
-         7c:a8:e6:35:b5:fa:d3:61:76:e6:d6:07:4b:ca:69:9a:b2:84:
-         7a:77:93:45:17:15:9f:24:d0:98:13:12:ff:bb:a0:2e:fd:4e:
-         4c:87:f8:ce:5c:aa:98:1b:05:e0:00:46:4a:82:80:a5:33:8b:
-         28:dc:ed:38:d3:df:e5:3e:e9:fe:fb:59:dd:61:84:4f:d2:54:
-         96:13:61:13:3e:8f:80:69:be:93:47:b5:35:43:d2:5a:bb:3d:
-         5c:ef:b3:42:47:cd:3b:55:13:06:b0:09:db:fd:63:f6:3a:88:
-         0a:99:6f:7e:e1:ce:1b:53:6a:44:66:23:51:08:7b:bc:5b:52:
-         a2:fd:06:37:38:40:61:8f:4a:96:b8:90:37:f8:66:c7:78:90:
-         00:15:2e:8b:ad:51:35:53:07:a8:6b:68:ae:f9:4e:3c:07:26:
-         cd:08:05:70:cc:39:3f:76:bd:a5:d3:67:26:01:86:a6:53:d2:
-         60:3b:7c:43:7f:55:8a:bc:95:1a:c1:28:39:4c:1f:43:d2:91:
-         f4:72:59:8a:b9:56:fc:3f:b4:9d:da:70:9c:76:5a:8c:43:50:
-         ee:8e:30:72:4d:df:ff:49:f7:c6:a9:67:d9:6d:ac:02:11:e2:
-         3a:16:25:a7:58:08:cb:6f:53:41:9c:48:38:47:68:33:d1:d7:
-         c7:8f:d4:74:21:d4:c3:05:90:7a:ff:ce:96:88:b1:15:29:5d:
-         23:ab:d0:60:a1:12:4f:de:f4:17:cd:32:e5:c9:bf:c8:43:ad:
-         fd:2e:8e:f1:af:e2:f4:98:fa:12:1f:20:d8:c0:a7:0c:85:c5:
-         90:f4:3b:2d:96:26:b1:2c:be:4c:ab:eb:b1:d2:8a:c9:db:78:
-         13:0f:1e:09:9d:6d:8f:00:9f:02:da:c1:fa:1f:7a:7a:09:c4:
-         4a:e6:88:2a:97:9f:89:8b:fd:37:5f:5f:3a:ce:38:59:86:4b:
-         af:71:0b:b4:d8:f2:70:4f:9f:32:13:e3:b0:a7:57:e5:da:da:
-         43:cb:84:34:f2:28:c4:ea:6d:f4:2a:ef:c1:6b:76:da:fb:7e:
-         bb:85:3c:d2:53:c2:4d:be:71:e1:45:d1:fd:23:67:0d:13:75:
-         fb:cf:65:67:22:9d:ae:b0:09:d1:09:ff:1d:34:bf:fe:23:97:
-         37:d2:39:fa:3d:0d:06:0b:b4:db:3b:a3:ab:6f:5c:1d:b6:7e:
-         e8:b3:82:34:ed:06:5c:24
------BEGIN CERTIFICATE-----
-MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV
-BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC
-aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV
-BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1
-Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz
-MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+
-BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp
-em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN
-ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY
-B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH
-D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF
-Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo
-q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D
-k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH
-fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut
-dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM
-ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8
-zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn
-rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX
-U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6
-Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5
-XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF
-Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR
-HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY
-GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c
-77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3
-+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK
-vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6
-FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl
-yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P
-AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD
-y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d
-NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA==
------END CERTIFICATE-----
-
-# ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            04:00:00:00:00:01:15:4b:5a:c3:94
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
-        Validity
-            Not Before: Sep  1 12:00:00 1998 GMT
-            Not After : Jan 28 12:00:00 2028 GMT
-        Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:
-                    83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0:
-                    63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89:
-                    8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c:
-                    70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50:
-                    15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0:
-                    6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2:
-                    89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7:
-                    54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c:
-                    92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2:
-                    75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9:
-                    c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b:
-                    bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91:
-                    ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51:
-                    63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa:
-                    48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a:
-                    07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93:
-                    90:cf
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
-    Signature Algorithm: sha1WithRSAEncryption
-         d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:
-         7c:fc:6c:9c:2c:2b:bd:09:9e:53:bf:6b:5e:aa:11:48:b6:e5:
-         08:a3:b3:ca:3d:61:4d:d3:46:09:b3:3e:c3:a0:e3:63:55:1b:
-         f2:ba:ef:ad:39:e1:43:b9:38:a3:e6:2f:8a:26:3b:ef:a0:50:
-         56:f9:c6:0a:fd:38:cd:c4:0b:70:51:94:97:98:04:df:c3:5f:
-         94:d5:15:c9:14:41:9c:c4:5d:75:64:15:0d:ff:55:30:ec:86:
-         8f:ff:0d:ef:2c:b9:63:46:f6:aa:fc:df:bc:69:fd:2e:12:48:
-         64:9a:e0:95:f0:a6:ef:29:8f:01:b1:15:b5:0c:1d:a5:fe:69:
-         2c:69:24:78:1e:b3:a7:1c:71:62:ee:ca:c8:97:ac:17:5d:8a:
-         c2:f8:47:86:6e:2a:c4:56:31:95:d0:67:89:85:2b:f9:6c:a6:
-         5d:46:9d:0c:aa:82:e4:99:51:dd:70:b7:db:56:3d:61:e4:6a:
-         e1:5c:d6:f6:fe:3d:de:41:cc:07:ae:63:52:bf:53:53:f4:2b:
-         e9:c7:fd:b6:f7:82:5f:85:d2:41:18:db:81:b3:04:1c:c5:1f:
-         a4:80:6f:15:20:c9:de:0c:88:0a:1d:d6:66:55:e2:fc:48:c9:
-         29:26:69:e0
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
-A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
-b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
-MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
-YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
-aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
-jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
-xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
-1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
-snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
-U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
-9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
-BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
-AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
-yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
-38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
-AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
-DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
-HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
------END CERTIFICATE-----
-
-# cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            04:00:00:00:00:01:21:58:53:08:a2
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
-        Validity
-            Not Before: Mar 18 10:00:00 2009 GMT
-            Not After : Mar 18 10:00:00 2029 GMT
-        Subject: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:cc:25:76:90:79:06:78:22:16:f5:c0:83:b6:84:
-                    ca:28:9e:fd:05:76:11:c5:ad:88:72:fc:46:02:43:
-                    c7:b2:8a:9d:04:5f:24:cb:2e:4b:e1:60:82:46:e1:
-                    52:ab:0c:81:47:70:6c:dd:64:d1:eb:f5:2c:a3:0f:
-                    82:3d:0c:2b:ae:97:d7:b6:14:86:10:79:bb:3b:13:
-                    80:77:8c:08:e1:49:d2:6a:62:2f:1f:5e:fa:96:68:
-                    df:89:27:95:38:9f:06:d7:3e:c9:cb:26:59:0d:73:
-                    de:b0:c8:e9:26:0e:83:15:c6:ef:5b:8b:d2:04:60:
-                    ca:49:a6:28:f6:69:3b:f6:cb:c8:28:91:e5:9d:8a:
-                    61:57:37:ac:74:14:dc:74:e0:3a:ee:72:2f:2e:9c:
-                    fb:d0:bb:bf:f5:3d:00:e1:06:33:e8:82:2b:ae:53:
-                    a6:3a:16:73:8c:dd:41:0e:20:3a:c0:b4:a7:a1:e9:
-                    b2:4f:90:2e:32:60:e9:57:cb:b9:04:92:68:68:e5:
-                    38:26:60:75:b2:9f:77:ff:91:14:ef:ae:20:49:fc:
-                    ad:40:15:48:d1:02:31:61:19:5e:b8:97:ef:ad:77:
-                    b7:64:9a:7a:bf:5f:c1:13:ef:9b:62:fb:0d:6c:e0:
-                    54:69:16:a9:03:da:6e:e9:83:93:71:76:c6:69:85:
-                    82:17
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                8F:F0:4B:7F:A8:2E:45:24:AE:4D:50:FA:63:9A:8B:DE:E2:DD:1B:BC
-    Signature Algorithm: sha256WithRSAEncryption
-         4b:40:db:c0:50:aa:fe:c8:0c:ef:f7:96:54:45:49:bb:96:00:
-         09:41:ac:b3:13:86:86:28:07:33:ca:6b:e6:74:b9:ba:00:2d:
-         ae:a4:0a:d3:f5:f1:f1:0f:8a:bf:73:67:4a:83:c7:44:7b:78:
-         e0:af:6e:6c:6f:03:29:8e:33:39:45:c3:8e:e4:b9:57:6c:aa:
-         fc:12:96:ec:53:c6:2d:e4:24:6c:b9:94:63:fb:dc:53:68:67:
-         56:3e:83:b8:cf:35:21:c3:c9:68:fe:ce:da:c2:53:aa:cc:90:
-         8a:e9:f0:5d:46:8c:95:dd:7a:58:28:1a:2f:1d:de:cd:00:37:
-         41:8f:ed:44:6d:d7:53:28:97:7e:f3:67:04:1e:15:d7:8a:96:
-         b4:d3:de:4c:27:a4:4c:1b:73:73:76:f4:17:99:c2:1f:7a:0e:
-         e3:2d:08:ad:0a:1c:2c:ff:3c:ab:55:0e:0f:91:7e:36:eb:c3:
-         57:49:be:e1:2e:2d:7c:60:8b:c3:41:51:13:23:9d:ce:f7:32:
-         6b:94:01:a8:99:e7:2c:33:1f:3a:3b:25:d2:86:40:ce:3b:2c:
-         86:78:c9:61:2f:14:ba:ee:db:55:6f:df:84:ee:05:09:4d:bd:
-         28:d8:72:ce:d3:62:50:65:1e:eb:92:97:83:31:d9:b3:b5:ca:
-         47:58:3f:5f
------BEGIN CERTIFICATE-----
-MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
-A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
-Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
-MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
-A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
-RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
-gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
-KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
-QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
-XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
-DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
-LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
-RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
-jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
-6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
-mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
-Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
-WD9f
------END CERTIFICATE-----
-
-# 179fbc148a3dd00fd24ea13458cc43bfa7f59c8182d783a513f6ebec100c8924
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
-    Signature Algorithm: ecdsa-with-SHA384
-        Issuer: OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign
-        Validity
-            Not Before: Nov 13 00:00:00 2012 GMT
-            Not After : Jan 19 03:14:07 2038 GMT
-        Subject: OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub: 
-                    04:47:45:0e:96:fb:7d:5d:bf:e9:39:d1:21:f8:9f:
-                    0b:b6:d5:7b:1e:92:3a:48:59:1c:f0:62:31:2d:c0:
-                    7a:28:fe:1a:a7:5c:b3:b6:cc:97:e7:45:d4:58:fa:
-                    d1:77:6d:43:a2:c0:87:65:34:0a:1f:7a:dd:eb:3c:
-                    33:a1:c5:9d:4d:a4:6f:41:95:38:7f:c9:1e:84:eb:
-                    d1:9e:49:92:87:94:87:0c:3a:85:4a:66:9f:9d:59:
-                    93:4d:97:61:06:86:4a
-                ASN1 OID: secp384r1
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                3D:E6:29:48:9B:EA:07:CA:21:44:4A:26:DE:6E:DE:D2:83:D0:9F:59
-    Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:31:00:e5:69:12:c9:6e:db:c6:31:ba:09:41:e1:97:
-         f8:fb:fd:9a:e2:7d:12:c9:ed:7c:64:d3:cb:05:25:8b:56:d9:
-         a0:e7:5e:5d:4e:0b:83:9c:5b:76:29:a0:09:26:21:6a:62:02:
-         30:71:d2:b5:8f:5c:ea:3b:e1:78:09:85:a8:75:92:3b:c8:5c:
-         fd:48:ef:0d:74:22:a8:08:e2:6e:c5:49:ce:c7:0c:bc:a7:61:
-         69:f1:f7:3b:e1:2a:cb:f9:2b:f3:66:90:37
------BEGIN CERTIFICATE-----
-MIICHjCCAaSgAwIBAgIRYFlJ4CYuu1X5CneKcflK2GwwCgYIKoZIzj0EAwMwUDEk
-MCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpH
-bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoX
-DTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBD
-QSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu
-MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAER0UOlvt9Xb/pOdEh+J8LttV7HpI6SFkc
-8GIxLcB6KP4ap1yztsyX50XUWPrRd21DosCHZTQKH3rd6zwzocWdTaRvQZU4f8ke
-hOvRnkmSh5SHDDqFSmafnVmTTZdhBoZKo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
-VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPeYpSJvqB8ohREom3m7e0oPQn1kwCgYI
-KoZIzj0EAwMDaAAwZQIxAOVpEslu28YxuglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg
-515dTguDnFt2KaAJJiFqYgIwcdK1j1zqO+F4CYWodZI7yFz9SO8NdCKoCOJuxUnO
-xwy8p2Fp8fc74SrL+SvzZpA3
------END CERTIFICATE-----
-
-# 9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            5a:4b:bd:5a:fb:4f:8a:5b:fa:65:e5
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = AT, O = e-commerce monitoring GmbH, CN = GLOBALTRUST 2020
-        Validity
-            Not Before: Feb 10 00:00:00 2020 GMT
-            Not After : Jun 10 00:00:00 2040 GMT
-        Subject: C = AT, O = e-commerce monitoring GmbH, CN = GLOBALTRUST 2020
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:ae:2e:56:ad:1b:1c:ef:f6:95:8f:a0:77:1b:2b:
-                    d3:63:8f:84:4d:45:a2:0f:9f:5b:45:ab:59:7b:51:
-                    34:f9:ec:8b:8a:78:c5:dd:6b:af:bd:c4:df:93:45:
-                    1e:bf:91:38:0b:ae:0e:16:e7:41:73:f8:db:bb:d1:
-                    b8:51:e0:cb:83:3b:73:38:6e:77:8a:0f:59:63:26:
-                    cd:a7:2a:ce:54:fb:b8:e2:c0:7c:47:ce:60:7c:3f:
-                    b2:73:f2:c0:19:b6:8a:92:87:35:0d:90:28:a2:e4:
-                    15:04:63:3e:ba:af:ee:7c:5e:cc:a6:8b:50:b2:38:
-                    f7:41:63:ca:ce:ff:69:8f:68:0e:95:36:e5:cc:b9:
-                    8c:09:ca:4b:dd:31:90:96:c8:cc:1f:fd:56:96:34:
-                    db:8e:1c:ea:2c:be:85:2e:63:dd:aa:a9:95:d3:fd:
-                    29:95:13:f0:c8:98:93:d9:2d:16:47:90:11:83:a2:
-                    3a:22:a2:28:57:a2:eb:fe:c0:8c:28:a0:a6:7d:e7:
-                    2a:42:3b:82:80:63:a5:63:1f:19:cc:7c:b2:66:a8:
-                    c2:d3:6d:37:6f:e2:7e:06:51:d9:45:84:1f:12:ce:
-                    24:52:64:85:0b:48:80:4e:87:b1:22:22:30:aa:eb:
-                    ae:be:e0:02:e0:40:e8:b0:42:80:03:51:aa:b4:7e:
-                    aa:44:d7:43:61:f3:a2:6b:16:89:49:a4:a3:a4:2b:
-                    8a:02:c4:78:f4:68:8a:c1:e4:7a:36:b1:6f:1b:96:
-                    1b:77:49:8d:d4:c9:06:72:8f:cf:53:e3:dc:17:85:
-                    20:4a:dc:98:27:d3:91:26:2b:47:1e:69:07:af:de:
-                    a2:e4:e4:d4:6b:0b:b3:5e:7c:d4:24:80:47:29:69:
-                    3b:6e:e8:ac:fd:40:eb:d8:ed:71:71:2b:f2:e8:58:
-                    1d:eb:41:97:22:c5:1f:d4:39:d0:27:8f:87:e3:18:
-                    f4:e0:a9:46:0d:f5:74:3a:82:2e:d0:6e:2c:91:a3:
-                    31:5c:3b:46:ea:7b:04:10:56:5e:80:1d:f5:a5:65:
-                    e8:82:fc:e2:07:8c:62:45:f5:20:de:46:70:86:a1:
-                    bc:93:d3:1e:74:a6:6c:b0:2c:f7:03:0c:88:0c:cb:
-                    d4:72:53:86:bc:60:46:f3:98:6a:c2:f1:bf:43:f9:
-                    70:20:77:ca:37:41:79:55:52:63:8d:5b:12:9f:c5:
-                    68:c4:88:9d:ac:f2:30:ab:b7:a3:31:97:67:ad:8f:
-                    17:0f:6c:c7:73:ed:24:94:6b:c8:83:9a:d0:9a:37:
-                    49:04:ab:b1:16:c8:6c:49:49:2d:ab:a1:d0:8c:92:
-                    f2:41:4a:79:21:25:db:63:d7:b6:9c:a7:7e:42:69:
-                    fb:3a:63
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                DC:2E:1F:D1:61:37:79:E4:AB:D5:D5:B3:12:71:68:3D:6A:68:9C:22
-            X509v3 Authority Key Identifier: 
-                keyid:DC:2E:1F:D1:61:37:79:E4:AB:D5:D5:B3:12:71:68:3D:6A:68:9C:22
-
-    Signature Algorithm: sha256WithRSAEncryption
-         91:f0:42:02:68:40:ee:c3:68:c0:54:2f:df:ec:62:c3:c3:9e:
-         8a:a0:31:28:aa:83:8e:a4:56:96:12:10:86:56:ba:97:72:d2:
-         54:30:7c:ad:19:d5:1d:68:6f:fb:14:42:d8:8d:0e:f3:b5:d1:
-         a5:e3:02:42:5e:dc:e8:46:58:07:35:02:30:e0:bc:74:4a:c1:
-         43:2a:ff:db:1a:d0:b0:af:6c:c3:fd:cb:b3:f5:7f:6d:03:2e:
-         59:56:9d:2d:2d:35:8c:b2:d6:43:17:2c:92:0a:cb:5d:e8:8c:
-         0f:4b:70:43:d0:82:ff:a8:cc:bf:a4:94:c0:be:87:bd:8a:e3:
-         93:7b:c6:8f:9b:16:9d:27:65:bc:7a:c5:42:82:6c:5c:07:d0:
-         a9:c1:88:60:44:e9:98:85:16:5f:f8:8f:ca:01:10:ce:25:c3:
-         f9:60:1b:a0:c5:97:c3:d3:2c:88:31:a2:bd:30:ec:d0:d0:c0:
-         12:f1:c1:39:e3:e5:f5:f8:d6:4a:dd:34:cd:fb:6f:c1:4f:e3:
-         00:8b:56:e2:92:f7:28:b2:42:77:72:23:67:c7:3f:11:15:b2:
-         c4:03:05:be:bb:11:7b:0a:bf:a8:6e:e7:ff:58:43:cf:9b:67:
-         a0:80:07:b6:1d:ca:ad:6d:ea:41:11:7e:2d:74:93:fb:c2:bc:
-         be:51:44:c5:ef:68:25:27:80:e3:c8:a0:d4:12:ec:d9:a5:37:
-         1d:37:7c:b4:91:ca:da:d4:b1:96:81:ef:68:5c:76:10:49:af:
-         7e:a5:37:80:b1:1c:52:bd:33:81:4c:8f:f9:dd:65:d9:14:cd:
-         8a:25:58:f4:e2:c5:83:a5:09:90:d4:6c:14:63:b5:40:df:eb:
-         c0:fc:c4:58:7e:0d:14:16:87:54:27:6e:56:e4:70:84:b8:6c:
-         32:12:7e:82:31:43:be:d7:dd:7c:a1:ad:ae:d6:ab:20:12:ef:
-         0a:c3:10:8c:49:96:35:dc:0b:75:5e:b1:4f:d5:4f:34:0e:11:
-         20:07:75:43:45:e9:a3:11:da:ac:a3:99:c2:b6:79:27:e2:b9:
-         ef:c8:e2:f6:35:29:7a:74:fa:c5:7f:82:05:62:a6:0a:ea:68:
-         b2:79:47:06:6e:f2:57:a8:15:33:c6:f7:78:4a:3d:42:7b:6b:
-         7e:fe:f7:46:ea:d1:eb:8e:ef:88:68:5b:e8:c1:d9:71:7e:fd:
-         64:ef:ff:67:47:88:58:25:2f:3e:86:07:bd:fb:a8:e5:82:a8:
-         ac:a5:d3:69:43:cd:31:88:49:84:53:92:c0:b1:39:1b:39:83:
-         01:30:c4:f2:a9:fa:d0:03:bd:72:37:60:56:1f:36:7c:bd:39:
-         91:f5:6d:0d:bf:7b:d7:92
------BEGIN CERTIFICATE-----
-MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkG
-A1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkw
-FwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMB4XDTIwMDIxMDAwMDAwMFoXDTQwMDYx
-MDAwMDAwMFowTTELMAkGA1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9u
-aXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMIICIjANBgkq
-hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAri5WrRsc7/aVj6B3GyvTY4+ETUWiD59b
-RatZe1E0+eyLinjF3WuvvcTfk0Uev5E4C64OFudBc/jbu9G4UeDLgztzOG53ig9Z
-YybNpyrOVPu44sB8R85gfD+yc/LAGbaKkoc1DZAoouQVBGM+uq/ufF7MpotQsjj3
-QWPKzv9pj2gOlTblzLmMCcpL3TGQlsjMH/1WljTbjhzqLL6FLmPdqqmV0/0plRPw
-yJiT2S0WR5ARg6I6IqIoV6Lr/sCMKKCmfecqQjuCgGOlYx8ZzHyyZqjC0203b+J+
-BlHZRYQfEs4kUmSFC0iAToexIiIwquuuvuAC4EDosEKAA1GqtH6qRNdDYfOiaxaJ
-SaSjpCuKAsR49GiKweR6NrFvG5Ybd0mN1MkGco/PU+PcF4UgStyYJ9ORJitHHmkH
-r96i5OTUawuzXnzUJIBHKWk7buis/UDr2O1xcSvy6Fgd60GXIsUf1DnQJ4+H4xj0
-4KlGDfV0OoIu0G4skaMxXDtG6nsEEFZegB31pWXogvziB4xiRfUg3kZwhqG8k9Me
-dKZssCz3AwyIDMvUclOGvGBG85hqwvG/Q/lwIHfKN0F5VVJjjVsSn8VoxIidrPIw
-q7ejMZdnrY8XD2zHc+0klGvIg5rQmjdJBKuxFshsSUktq6HQjJLyQUp5ISXbY9e2
-nKd+Qmn7OmMCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AQYwHQYDVR0OBBYEFNwuH9FhN3nkq9XVsxJxaD1qaJwiMB8GA1UdIwQYMBaAFNwu
-H9FhN3nkq9XVsxJxaD1qaJwiMA0GCSqGSIb3DQEBCwUAA4ICAQCR8EICaEDuw2jA
-VC/f7GLDw56KoDEoqoOOpFaWEhCGVrqXctJUMHytGdUdaG/7FELYjQ7ztdGl4wJC
-XtzoRlgHNQIw4Lx0SsFDKv/bGtCwr2zD/cuz9X9tAy5ZVp0tLTWMstZDFyySCstd
-6IwPS3BD0IL/qMy/pJTAvoe9iuOTe8aPmxadJ2W8esVCgmxcB9CpwYhgROmYhRZf
-+I/KARDOJcP5YBugxZfD0yyIMaK9MOzQ0MAS8cE54+X1+NZK3TTN+2/BT+MAi1bi
-kvcoskJ3ciNnxz8RFbLEAwW+uxF7Cr+obuf/WEPPm2eggAe2HcqtbepBEX4tdJP7
-wry+UUTF72glJ4DjyKDUEuzZpTcdN3y0kcra1LGWge9oXHYQSa9+pTeAsRxSvTOB
-TI/53WXZFM2KJVj04sWDpQmQ1GwUY7VA3+vA/MRYfg0UFodUJ25W5HCEuGwyEn6C
-MUO+1918oa2u1qsgEu8KwxCMSZY13At1XrFP1U80DhEgB3VDRemjEdqso5nCtnkn
-4rnvyOL2NSl6dPrFf4IFYqYK6miyeUcGbvJXqBUzxvd4Sj1Ce2t+/vdG6tHrju+I
-aFvowdlxfv1k7/9nR4hYJS8+hge9+6jlgqispdNpQ80xiEmEU5LAsTkbOYMBMMTy
-qfrQA71yN2BWHzZ8vTmR9W0Nv3vXkg==
------END CERTIFICATE-----
-
-# c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
-        Validity
-            Not Before: Jun 29 17:06:20 2004 GMT
-            Not After : Jun 29 17:06:20 2034 GMT
-        Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:de:9d:d7:ea:57:18:49:a1:5b:eb:d7:5f:48:86:
-                    ea:be:dd:ff:e4:ef:67:1c:f4:65:68:b3:57:71:a0:
-                    5e:77:bb:ed:9b:49:e9:70:80:3d:56:18:63:08:6f:
-                    da:f2:cc:d0:3f:7f:02:54:22:54:10:d8:b2:81:d4:
-                    c0:75:3d:4b:7f:c7:77:c3:3e:78:ab:1a:03:b5:20:
-                    6b:2f:6a:2b:b1:c5:88:7e:c4:bb:1e:b0:c1:d8:45:
-                    27:6f:aa:37:58:f7:87:26:d7:d8:2d:f6:a9:17:b7:
-                    1f:72:36:4e:a6:17:3f:65:98:92:db:2a:6e:5d:a2:
-                    fe:88:e0:0b:de:7f:e5:8d:15:e1:eb:cb:3a:d5:e2:
-                    12:a2:13:2d:d8:8e:af:5f:12:3d:a0:08:05:08:b6:
-                    5c:a5:65:38:04:45:99:1e:a3:60:60:74:c5:41:a5:
-                    72:62:1b:62:c5:1f:6f:5f:1a:42:be:02:51:65:a8:
-                    ae:23:18:6a:fc:78:03:a9:4d:7f:80:c3:fa:ab:5a:
-                    fc:a1:40:a4:ca:19:16:fe:b2:c8:ef:5e:73:0d:ee:
-                    77:bd:9a:f6:79:98:bc:b1:07:67:a2:15:0d:dd:a0:
-                    58:c6:44:7b:0a:3e:62:28:5f:ba:41:07:53:58:cf:
-                    11:7e:38:74:c5:f8:ff:b5:69:90:8f:84:74:ea:97:
-                    1b:af
-                Exponent: 3 (0x3)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
-            X509v3 Authority Key Identifier: 
-                keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
-                DirName:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-                serial:00
-
-            X509v3 Basic Constraints: 
-                CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         32:4b:f3:b2:ca:3e:91:fc:12:c6:a1:07:8c:8e:77:a0:33:06:
-         14:5c:90:1e:18:f7:08:a6:3d:0a:19:f9:87:80:11:6e:69:e4:
-         96:17:30:ff:34:91:63:72:38:ee:cc:1c:01:a3:1d:94:28:a4:
-         31:f6:7a:c4:54:d7:f6:e5:31:58:03:a2:cc:ce:62:db:94:45:
-         73:b5:bf:45:c9:24:b5:d5:82:02:ad:23:79:69:8d:b8:b6:4d:
-         ce:cf:4c:ca:33:23:e8:1c:88:aa:9d:8b:41:6e:16:c9:20:e5:
-         89:9e:cd:3b:da:70:f7:7e:99:26:20:14:54:25:ab:6e:73:85:
-         e6:9b:21:9d:0a:6c:82:0e:a8:f8:c2:0c:fa:10:1e:6c:96:ef:
-         87:0d:c4:0f:61:8b:ad:ee:83:2b:95:f8:8e:92:84:72:39:eb:
-         20:ea:83:ed:83:cd:97:6e:08:bc:eb:4e:26:b6:73:2b:e4:d3:
-         f6:4c:fe:26:71:e2:61:11:74:4a:ff:57:1a:87:0f:75:48:2e:
-         cf:51:69:17:a0:02:12:61:95:d5:d1:40:b2:10:4c:ee:c4:ac:
-         10:43:a6:a5:9e:0a:d5:95:62:9a:0d:cf:88:82:c5:32:0c:e4:
-         2b:9f:45:e6:0d:9f:28:9c:b1:b9:2a:5a:57:ad:37:0f:af:1d:
-         7f:db:bd:9f
------BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
-MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
-YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
-MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
-ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
-MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
-ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
-PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
-wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
-EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
-avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
-YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
-sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
-/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
-IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
-ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
-OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
-TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
-HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
-dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
-ReYNnyicsbkqWletNw+vHX/bvZ8=
------END CERTIFICATE-----
-
-# 45140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
-        Validity
-            Not Before: Sep  1 00:00:00 2009 GMT
-            Not After : Dec 31 23:59:59 2037 GMT
-        Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:bf:71:62:08:f1:fa:59:34:f7:1b:c9:18:a3:f7:
-                    80:49:58:e9:22:83:13:a6:c5:20:43:01:3b:84:f1:
-                    e6:85:49:9f:27:ea:f6:84:1b:4e:a0:b4:db:70:98:
-                    c7:32:01:b1:05:3e:07:4e:ee:f4:fa:4f:2f:59:30:
-                    22:e7:ab:19:56:6b:e2:80:07:fc:f3:16:75:80:39:
-                    51:7b:e5:f9:35:b6:74:4e:a9:8d:82:13:e4:b6:3f:
-                    a9:03:83:fa:a2:be:8a:15:6a:7f:de:0b:c3:b6:19:
-                    14:05:ca:ea:c3:a8:04:94:3b:46:7c:32:0d:f3:00:
-                    66:22:c8:8d:69:6d:36:8c:11:18:b7:d3:b2:1c:60:
-                    b4:38:fa:02:8c:ce:d3:dd:46:07:de:0a:3e:eb:5d:
-                    7c:c8:7c:fb:b0:2b:53:a4:92:62:69:51:25:05:61:
-                    1a:44:81:8c:2c:a9:43:96:23:df:ac:3a:81:9a:0e:
-                    29:c5:1c:a9:e9:5d:1e:b6:9e:9e:30:0a:39:ce:f1:
-                    88:80:fb:4b:5d:cc:32:ec:85:62:43:25:34:02:56:
-                    27:01:91:b4:3b:70:2a:3f:6e:b1:e8:9c:88:01:7d:
-                    9f:d4:f9:db:53:6d:60:9d:bf:2c:e7:58:ab:b8:5f:
-                    46:fc:ce:c4:1b:03:3c:09:eb:49:31:5c:69:46:b3:
-                    e0:47
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
-    Signature Algorithm: sha256WithRSAEncryption
-         99:db:5d:79:d5:f9:97:59:67:03:61:f1:7e:3b:06:31:75:2d:
-         a1:20:8e:4f:65:87:b4:f7:a6:9c:bc:d8:e9:2f:d0:db:5a:ee:
-         cf:74:8c:73:b4:38:42:da:05:7b:f8:02:75:b8:fd:a5:b1:d7:
-         ae:f6:d7:de:13:cb:53:10:7e:8a:46:d1:97:fa:b7:2e:2b:11:
-         ab:90:b0:27:80:f9:e8:9f:5a:e9:37:9f:ab:e4:df:6c:b3:85:
-         17:9d:3d:d9:24:4f:79:91:35:d6:5f:04:eb:80:83:ab:9a:02:
-         2d:b5:10:f4:d8:90:c7:04:73:40:ed:72:25:a0:a9:9f:ec:9e:
-         ab:68:12:99:57:c6:8f:12:3a:09:a4:bd:44:fd:06:15:37:c1:
-         9b:e4:32:a3:ed:38:e8:d8:64:f3:2c:7e:14:fc:02:ea:9f:cd:
-         ff:07:68:17:db:22:90:38:2d:7a:8d:d1:54:f1:69:e3:5f:33:
-         ca:7a:3d:7b:0a:e3:ca:7f:5f:39:e5:e2:75:ba:c5:76:18:33:
-         ce:2c:f0:2f:4c:ad:f7:b1:e7:ce:4f:a8:c4:9b:4a:54:06:c5:
-         7f:7d:d5:08:0f:e2:1c:fe:7e:17:b8:ac:5e:f6:d4:16:b2:43:
-         09:0c:4d:f6:a7:6b:b4:99:84:65:ca:7a:88:e2:e2:44:be:5c:
-         f7:ea:1c:f5
------BEGIN CERTIFICATE-----
-MIIDxTCCAq2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
-EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
-ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz
-NTk1OVowgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
-EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjExMC8GA1UE
-AxMoR28gRGFkZHkgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9xYgjx+lk09xvJGKP3gElY6SKD
-E6bFIEMBO4Tx5oVJnyfq9oQbTqC023CYxzIBsQU+B07u9PpPL1kwIuerGVZr4oAH
-/PMWdYA5UXvl+TW2dE6pjYIT5LY/qQOD+qK+ihVqf94Lw7YZFAXK6sOoBJQ7Rnwy
-DfMAZiLIjWltNowRGLfTshxgtDj6AozO091GB94KPutdfMh8+7ArU6SSYmlRJQVh
-GkSBjCypQ5Yj36w6gZoOKcUcqeldHraenjAKOc7xiID7S13MMuyFYkMlNAJWJwGR
-tDtwKj9useiciAF9n9T521NtYJ2/LOdYq7hfRvzOxBsDPAnrSTFcaUaz4EcCAwEA
-AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE
-FDqahQcQZyi27/a9BUFuIMGU2g/eMA0GCSqGSIb3DQEBCwUAA4IBAQCZ21151fmX
-WWcDYfF+OwYxdS2hII5PZYe096acvNjpL9DbWu7PdIxztDhC2gV7+AJ1uP2lsdeu
-9tfeE8tTEH6KRtGX+rcuKxGrkLAngPnon1rpN5+r5N9ss4UXnT3ZJE95kTXWXwTr
-gIOrmgIttRD02JDHBHNA7XIloKmf7J6raBKZV8aPEjoJpL1E/QYVN8Gb5DKj7Tjo
-2GTzLH4U/ALqn83/B2gX2yKQOC16jdFU8WnjXzPKej17CuPKf1855eJ1usV2GDPO
-LPAvTK33sefOT6jEm0pUBsV/fdUID+Ic/n4XuKxe9tQWskMJDE32p2u0mYRlynqI
-4uJEvlz36hz1
------END CERTIFICATE-----
-
-# 3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            67:74:9d:8d:77:d8:3b:6a:db:22:f4:ff:59:e2:bf:ce
-        Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C = GR, O = Hellenic Academic and Research Institutions CA, CN = HARICA TLS ECC Root CA 2021
-        Validity
-            Not Before: Feb 19 11:01:10 2021 GMT
-            Not After : Feb 13 11:01:09 2045 GMT
-        Subject: C = GR, O = Hellenic Academic and Research Institutions CA, CN = HARICA TLS ECC Root CA 2021
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:38:08:fe:b1:a0:96:d2:7a:ac:af:49:3a:d0:c0:
-                    e0:c3:3b:28:aa:f1:72:6d:65:00:47:88:84:fc:9a:
-                    26:6b:aa:4b:ba:6c:04:0a:88:5e:17:f2:55:87:fc:
-                    30:b0:34:e2:34:58:57:1a:84:53:e9:30:d9:a9:f2:
-                    96:74:c3:51:1f:58:49:31:cc:98:4e:60:11:87:75:
-                    d3:72:94:90:4f:9b:10:25:2a:a8:78:2d:be:90:41:
-                    58:90:15:72:a7:a1:b7
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                C9:1B:53:81:12:FE:04:D5:16:D1:AA:BC:9A:6F:B7:A0:95:19:6E:CA
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-    Signature Algorithm: ecdsa-with-SHA384
-         30:64:02:30:11:de:ae:f8:dc:4e:88:b0:a9:f0:22:ad:c2:51:
-         40:ef:60:71:2d:ee:8f:02:c4:5d:03:70:49:a4:92:ea:c5:14:
-         88:70:a6:d3:0d:b0:aa:ca:2c:40:9c:fb:e9:82:6e:9a:02:30:
-         2b:47:9a:07:c6:d1:c2:81:7c:ca:0b:96:18:41:1b:a3:f4:30:
-         09:9e:b5:23:28:0d:9f:14:b6:3c:53:a2:4c:06:69:7d:fa:6c:
-         91:c6:2a:49:45:e6:ec:b7:13:e1:3a:6c
------BEGIN CERTIFICATE-----
-MIICVDCCAdugAwIBAgIQZ3SdjXfYO2rbIvT/WeK/zjAKBggqhkjOPQQDAzBsMQsw
-CQYDVQQGEwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2Vh
-cmNoIEluc3RpdHV0aW9ucyBDQTEkMCIGA1UEAwwbSEFSSUNBIFRMUyBFQ0MgUm9v
-dCBDQSAyMDIxMB4XDTIxMDIxOTExMDExMFoXDTQ1MDIxMzExMDEwOVowbDELMAkG
-A1UEBhMCR1IxNzA1BgNVBAoMLkhlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJj
-aCBJbnN0aXR1dGlvbnMgQ0ExJDAiBgNVBAMMG0hBUklDQSBUTFMgRUNDIFJvb3Qg
-Q0EgMjAyMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDgI/rGgltJ6rK9JOtDA4MM7
-KKrxcm1lAEeIhPyaJmuqS7psBAqIXhfyVYf8MLA04jRYVxqEU+kw2anylnTDUR9Y
-STHMmE5gEYd103KUkE+bECUqqHgtvpBBWJAVcqeht6NCMEAwDwYDVR0TAQH/BAUw
-AwEB/zAdBgNVHQ4EFgQUyRtTgRL+BNUW0aq8mm+3oJUZbsowDgYDVR0PAQH/BAQD
-AgGGMAoGCCqGSM49BAMDA2cAMGQCMBHervjcToiwqfAircJRQO9gcS3ujwLEXQNw
-SaSS6sUUiHCm0w2wqsosQJz76YJumgIwK0eaB8bRwoF8yguWGEEbo/QwCZ61IygN
-nxS2PFOiTAZpffpskcYqSUXm7LcT4Tps
------END CERTIFICATE-----
-
-# d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            39:ca:93:1c:ef:43:f3:c6:8e:93:c7:f4:64:89:38:7e
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = GR, O = Hellenic Academic and Research Institutions CA, CN = HARICA TLS RSA Root CA 2021
-        Validity
-            Not Before: Feb 19 10:55:38 2021 GMT
-            Not After : Feb 13 10:55:37 2045 GMT
-        Subject: C = GR, O = Hellenic Academic and Research Institutions CA, CN = HARICA TLS RSA Root CA 2021
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:8b:c2:e7:af:65:9b:05:67:96:c9:0d:24:b9:d0:
-                    0e:64:fc:ce:e2:24:18:2c:84:7f:77:51:cb:04:11:
-                    36:b8:5e:ed:69:71:a7:9e:e4:25:09:97:67:c1:47:
-                    c2:cf:91:16:36:62:3d:38:04:e1:51:82:ff:ac:d2:
-                    b4:69:dd:2e:ec:11:a3:45:ee:6b:6b:3b:4c:bf:8c:
-                    8d:a4:1e:9d:11:b9:e9:38:f9:7a:0e:0c:98:e2:23:
-                    1d:d1:4e:63:d4:e7:b8:41:44:fb:6b:af:6b:da:1f:
-                    d3:c5:91:88:5b:a4:89:92:d1:81:e6:8c:39:58:a0:
-                    d6:69:43:a9:ad:98:52:58:6e:db:0a:fb:6b:cf:68:
-                    fa:e3:a4:5e:3a:45:73:98:07:ea:5f:02:72:de:0c:
-                    a5:b3:9f:ae:a9:1d:b7:1d:b3:fc:8a:59:e7:6e:72:
-                    65:ad:f5:30:94:23:07:f3:82:16:4b:35:98:9c:53:
-                    bb:2f:ca:e4:5a:d9:c7:8d:1d:fc:98:99:fb:2c:a4:
-                    82:6b:f0:2a:1f:8e:0b:5f:71:5c:5c:ae:42:7b:29:
-                    89:81:cb:03:a3:99:ca:88:9e:0b:40:09:41:33:db:
-                    e6:58:7a:fd:ae:99:70:c0:5a:0f:d6:13:86:71:2f:
-                    76:69:fc:90:dd:db:2d:6e:d1:f2:9b:f5:1a:6b:9e:
-                    6f:15:8c:7a:f0:4b:28:a0:22:38:80:24:6c:36:a4:
-                    3b:f2:30:91:f3:78:13:cf:c1:3f:35:ab:f1:1d:11:
-                    23:b5:43:22:9e:01:92:b7:18:02:e5:11:d1:82:db:
-                    15:00:cc:61:37:c1:2a:7c:9a:e1:d0:ba:b3:50:46:
-                    ee:82:ac:9d:31:f8:fb:23:e2:03:00:48:70:a3:09:
-                    26:79:15:53:60:f3:38:5c:ad:38:ea:81:00:63:14:
-                    b9:33:5e:dd:0b:db:a0:45:07:1a:33:09:f8:4d:b4:
-                    a7:02:a6:69:f4:c2:59:05:88:65:85:56:ae:4b:cb:
-                    e0:de:3c:7d:2d:1a:c8:e9:fb:1f:a3:61:4a:d6:2a:
-                    13:ad:77:4c:1a:18:9b:91:0f:58:d8:06:54:c5:97:
-                    f8:aa:3f:20:8a:a6:85:a6:77:f6:a6:fc:1c:e2:ee:
-                    6e:94:33:2a:83:50:84:0a:e5:4f:86:f8:50:45:78:
-                    00:81:eb:5b:68:e3:26:8d:cc:7b:5c:51:f4:14:2c:
-                    40:be:1a:60:1d:7a:72:61:1d:1f:63:2d:88:aa:ce:
-                    a2:45:90:08:fc:6b:be:b3:50:2a:5a:fd:a8:48:18:
-                    46:d6:90:40:92:90:0a:84:5e:68:31:f8:eb:ed:0d:
-                    d3:1d:c6:7d:99:18:55:56:27:65:2e:8d:45:c5:24:
-                    ec:ce:e3
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                0A:48:23:A6:60:A4:92:0A:33:EA:93:5B:C5:57:EA:25:4D:BD:12:EE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         3e:90:48:aa:6e:62:15:25:66:7b:0c:d5:8c:8b:89:9d:d7:ed:
-         4e:07:ef:9c:d0:14:5f:5e:50:bd:68:96:90:a4:14:11:aa:68:
-         6d:09:35:39:40:09:da:f4:09:2c:34:a5:7b:59:84:49:29:97:
-         74:c8:07:1e:47:6d:f2:ce:1c:50:26:e3:9e:3d:40:53:3f:f7:
-         7f:96:76:10:c5:46:a5:d0:20:4b:50:f4:35:3b:18:f4:55:6a:
-         41:1b:47:06:68:3c:bb:09:08:62:d9:5f:55:42:aa:ac:53:85:
-         ac:95:56:36:56:ab:e4:05:8c:c5:a8:da:1f:a3:69:bd:53:0f:
-         c4:ff:dc:ca:e3:7e:f2:4c:88:86:47:46:1a:f3:00:f5:80:91:
-         a2:dc:43:42:94:9b:20:f0:d1:cd:b2:eb:2c:53:c2:53:78:4a:
-         4f:04:94:41:9a:8f:27:32:c1:e5:49:19:bf:f1:f2:c2:8b:a8:
-         0a:39:31:28:b4:7d:62:36:2c:4d:ec:1f:33:b6:7e:77:6d:7e:
-         50:f0:9f:0e:d7:11:8f:cf:18:c5:e3:27:fe:26:ef:05:9d:cf:
-         cf:37:c5:d0:7b:da:3b:b0:16:84:0c:3a:93:d6:be:17:db:0f:
-         3e:0e:19:78:09:c7:a9:02:72:22:4b:f7:37:76:ba:75:c4:85:
-         03:5a:63:d5:b1:75:05:c2:b9:bd:94:ad:8c:15:99:a7:93:7d:
-         f6:c5:f3:aa:74:cf:04:85:94:98:00:f4:e2:f9:ca:24:65:bf:
-         e0:62:af:c8:c5:fa:b2:c9:9e:56:48:da:79:fd:96:76:15:be:
-         a3:8e:56:c4:b3:34:fc:be:47:f4:c1:b4:a8:fc:d5:30:88:68:
-         ee:cb:ae:c9:63:c4:76:be:ac:38:18:e1:5e:5c:cf:ae:3a:22:
-         51:eb:d1:8b:b3:f3:2b:33:07:54:87:fa:b4:b2:13:7b:ba:53:
-         04:62:01:9d:f1:c0:4f:ee:e1:3a:d4:8b:20:10:fa:02:57:e6:
-         ef:c1:0b:b7:90:46:9c:19:29:8c:dc:6f:a0:4a:69:69:94:b7:
-         24:65:a0:ff:ac:3f:ce:01:fb:21:2e:fd:68:f8:9b:f2:a5:cf:
-         31:38:5c:15:aa:e6:97:00:c1:df:5a:a5:a7:39:aa:e9:84:7f:
-         3c:51:a8:3a:d9:94:5b:8c:bf:4f:08:71:e5:db:a8:5c:d4:d2:
-         a6:fe:00:a3:c6:16:c7:0f:e8:80:ce:1c:28:64:74:19:08:d3:
-         42:e3:ce:00:5d:7f:b1:dc:13:b0:e1:05:cb:d1:20:aa:86:74:
-         9e:39:e7:91:fd:ff:5b:d6:f7:ad:a6:2f:03:0b:6d:e3:57:54:
-         eb:76:53:18:8d:11:98:ba
------BEGIN CERTIFICATE-----
-MIIFpDCCA4ygAwIBAgIQOcqTHO9D88aOk8f0ZIk4fjANBgkqhkiG9w0BAQsFADBs
-MQswCQYDVQQGEwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl
-c2VhcmNoIEluc3RpdHV0aW9ucyBDQTEkMCIGA1UEAwwbSEFSSUNBIFRMUyBSU0Eg
-Um9vdCBDQSAyMDIxMB4XDTIxMDIxOTEwNTUzOFoXDTQ1MDIxMzEwNTUzN1owbDEL
-MAkGA1UEBhMCR1IxNzA1BgNVBAoMLkhlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNl
-YXJjaCBJbnN0aXR1dGlvbnMgQ0ExJDAiBgNVBAMMG0hBUklDQSBUTFMgUlNBIFJv
-b3QgQ0EgMjAyMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIvC569l
-mwVnlskNJLnQDmT8zuIkGCyEf3dRywQRNrhe7Wlxp57kJQmXZ8FHws+RFjZiPTgE
-4VGC/6zStGndLuwRo0Xua2s7TL+MjaQenRG56Tj5eg4MmOIjHdFOY9TnuEFE+2uv
-a9of08WRiFukiZLRgeaMOVig1mlDqa2YUlhu2wr7a89o+uOkXjpFc5gH6l8Cct4M
-pbOfrqkdtx2z/IpZ525yZa31MJQjB/OCFks1mJxTuy/K5FrZx40d/JiZ+yykgmvw
-Kh+OC19xXFyuQnspiYHLA6OZyoieC0AJQTPb5lh6/a6ZcMBaD9YThnEvdmn8kN3b
-LW7R8pv1GmuebxWMevBLKKAiOIAkbDakO/IwkfN4E8/BPzWr8R0RI7VDIp4BkrcY
-AuUR0YLbFQDMYTfBKnya4dC6s1BG7oKsnTH4+yPiAwBIcKMJJnkVU2DzOFytOOqB
-AGMUuTNe3QvboEUHGjMJ+E20pwKmafTCWQWIZYVWrkvL4N48fS0ayOn7H6NhStYq
-E613TBoYm5EPWNgGVMWX+Ko/IIqmhaZ39qb8HOLubpQzKoNQhArlT4b4UEV4AIHr
-W2jjJo3Me1xR9BQsQL4aYB16cmEdH2MtiKrOokWQCPxrvrNQKlr9qEgYRtaQQJKQ
-CoReaDH46+0N0x3GfZkYVVYnZS6NRcUk7M7jAgMBAAGjQjBAMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFApII6ZgpJIKM+qTW8VX6iVNvRLuMA4GA1UdDwEB/wQE
-AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAPpBIqm5iFSVmewzVjIuJndftTgfvnNAU
-X15QvWiWkKQUEapobQk1OUAJ2vQJLDSle1mESSmXdMgHHkdt8s4cUCbjnj1AUz/3
-f5Z2EMVGpdAgS1D0NTsY9FVqQRtHBmg8uwkIYtlfVUKqrFOFrJVWNlar5AWMxaja
-H6NpvVMPxP/cyuN+8kyIhkdGGvMA9YCRotxDQpSbIPDRzbLrLFPCU3hKTwSUQZqP
-JzLB5UkZv/HywouoCjkxKLR9YjYsTewfM7Z+d21+UPCfDtcRj88YxeMn/ibvBZ3P
-zzfF0HvaO7AWhAw6k9a+F9sPPg4ZeAnHqQJyIkv3N3a6dcSFA1pj1bF1BcK5vZSt
-jBWZp5N99sXzqnTPBIWUmAD04vnKJGW/4GKvyMX6ssmeVkjaef2WdhW+o45WxLM0
-/L5H9MG0qPzVMIho7suuyWPEdr6sOBjhXlzPrjoiUevRi7PzKzMHVIf6tLITe7pT
-BGIBnfHAT+7hOtSLIBD6Alfm78ELt5BGnBkpjNxvoEppaZS3JGWg/6w/zgH7IS79
-aPib8qXPMThcFarmlwDB31qlpzmq6YR/PFGoOtmUW4y/Twhx5duoXNTSpv4Ao8YW
-xw/ogM4cKGR0GQjTQuPOAF1/sdwTsOEFy9EgqoZ0njnnkf3/W9b3raYvAwtt41dU
-63ZTGI0RmLo=
------END CERTIFICATE-----
-
-# 44b545aa8a25e65a73ca15dc27fc36d24c1cb9953a066539b11582dc487b4833
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions ECC RootCA 2015
-        Validity
-            Not Before: Jul  7 10:37:12 2015 GMT
-            Not After : Jun 30 10:37:12 2040 GMT
-        Subject: C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions ECC RootCA 2015
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:92:a0:41:e8:4b:82:84:5c:e2:f8:31:11:99:86:
-                    64:4e:09:25:2f:9d:41:2f:0a:ae:35:4f:74:95:b2:
-                    51:64:6b:8d:6b:e6:3f:70:95:f0:05:44:47:a6:72:
-                    38:50:76:95:02:5a:8e:ae:28:9e:f9:2d:4e:99:ef:
-                    2c:48:6f:4c:25:29:e8:d1:71:5b:df:1d:c1:75:37:
-                    b4:d7:fa:7b:7a:42:9c:6a:0a:56:5a:7c:69:0b:aa:
-                    80:09:24:6c:7e:c1:46
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                B4:22:0B:82:99:24:01:0E:9C:BB:E4:0E:FD:BF:FB:97:20:93:99:2A
-    Signature Algorithm: ecdsa-with-SHA256
-         30:64:02:30:67:ce:16:62:38:a2:ac:62:45:a7:a9:95:24:c0:
-         1a:27:9c:32:3b:c0:c0:d5:ba:a9:e7:f8:04:43:53:85:ee:52:
-         21:de:9d:f5:25:83:3e:9e:58:4b:2f:d7:67:13:0e:21:02:30:
-         05:e1:75:01:de:68:ed:2a:1f:4d:4c:09:08:0d:ec:4b:ad:64:
-         17:28:e7:75:ce:45:65:72:21:17:cb:22:41:0e:8c:13:98:38:
-         9a:54:6d:9b:ca:e2:7c:ea:02:58:22:91
------BEGIN CERTIFICATE-----
-MIICwzCCAkqgAwIBAgIBADAKBggqhkjOPQQDAjCBqjELMAkGA1UEBhMCR1IxDzAN
-BgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl
-c2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxRDBCBgNVBAMTO0hl
-bGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgRUNDIFJv
-b3RDQSAyMDE1MB4XDTE1MDcwNzEwMzcxMloXDTQwMDYzMDEwMzcxMlowgaoxCzAJ
-BgNVBAYTAkdSMQ8wDQYDVQQHEwZBdGhlbnMxRDBCBgNVBAoTO0hlbGxlbmljIEFj
-YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ2VydC4gQXV0aG9yaXR5
-MUQwQgYDVQQDEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0
-dXRpb25zIEVDQyBSb290Q0EgMjAxNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABJKg
-QehLgoRc4vgxEZmGZE4JJS+dQS8KrjVPdJWyUWRrjWvmP3CV8AVER6ZyOFB2lQJa
-jq4onvktTpnvLEhvTCUp6NFxW98dwXU3tNf6e3pCnGoKVlp8aQuqgAkkbH7BRqNC
-MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLQi
-C4KZJAEOnLvkDv2/+5cgk5kqMAoGCCqGSM49BAMCA2cAMGQCMGfOFmI4oqxiRaep
-lSTAGiecMjvAwNW6qef4BENThe5SId6d9SWDPp5YSy/XZxMOIQIwBeF1Ad5o7Sof
-TUwJCA3sS61kFyjndc5FZXIhF8siQQ6ME5g4mlRtm8rifOoCWCKR
------END CERTIFICATE-----
-
-# a040929a02ce53b4acf4f2ffc6981ce4496f755e6d45fe0b2a692bcd52523f36
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions RootCA 2015
-        Validity
-            Not Before: Jul  7 10:11:21 2015 GMT
-            Not After : Jun 30 10:11:21 2040 GMT
-        Subject: C = GR, L = Athens, O = Hellenic Academic and Research Institutions Cert. Authority, CN = Hellenic Academic and Research Institutions RootCA 2015
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:c2:f8:a9:3f:1b:89:fc:3c:3c:04:5d:3d:90:36:
-                    b0:91:3a:79:3c:66:5a:ef:6d:39:01:49:1a:b4:b7:
-                    cf:7f:4d:23:53:b7:90:00:e3:13:2a:28:a6:31:f1:
-                    91:00:e3:28:ec:ae:21:41:ce:1f:da:fd:7d:12:5b:
-                    01:83:0f:b9:b0:5f:99:e1:f2:12:83:80:4d:06:3e:
-                    df:ac:af:e7:a1:88:6b:31:af:f0:8b:d0:18:33:b8:
-                    db:45:6a:34:f4:02:80:24:28:0a:02:15:95:5e:76:
-                    2a:0d:99:3a:14:5b:f6:cb:cb:53:bc:13:4d:01:88:
-                    37:94:25:1b:42:bc:22:d8:8e:a3:96:5e:3a:d9:32:
-                    db:3e:e8:f0:10:65:ed:74:e1:2f:a7:7c:af:27:34:
-                    bb:29:7d:9b:b6:cf:09:c8:e5:d3:0a:fc:88:65:65:
-                    74:0a:dc:73:1c:5c:cd:40:b1:1c:d4:b6:84:8c:4c:
-                    50:cf:68:8e:a8:59:ae:c2:27:4e:82:a2:35:dd:14:
-                    f4:1f:ff:b2:77:d5:87:2f:aa:6e:7d:24:27:e7:c6:
-                    cb:26:e6:e5:fe:67:07:63:d8:45:0d:dd:3a:59:65:
-                    39:58:7a:92:99:72:3d:9c:84:5e:88:21:b8:d5:f4:
-                    2c:fc:d9:70:52:4f:78:b8:bd:3c:2b:8b:95:98:f5:
-                    b3:d1:68:cf:20:14:7e:4c:5c:5f:e7:8b:e5:f5:35:
-                    81:19:37:d7:11:08:b7:66:be:d3:4a:ce:83:57:00:
-                    3a:c3:81:f8:17:cb:92:36:5d:d1:a3:d8:75:1b:e1:
-                    8b:27:ea:7a:48:41:fd:45:19:06:ad:27:99:4e:c1:
-                    70:47:dd:b5:9f:81:53:12:e5:b1:8c:48:5d:31:43:
-                    17:e3:8c:c6:7a:63:96:4b:29:30:4e:84:4e:62:19:
-                    5e:3c:ce:97:90:a5:7f:01:eb:9d:e0:f8:8b:89:dd:
-                    25:98:3d:92:b6:7e:ef:d9:f1:51:51:7d:2d:26:c8:
-                    69:59:61:e0:ac:6a:b8:2a:36:11:04:7a:50:bd:32:
-                    84:be:2f:dc:72:d5:d7:1d:16:47:e4:47:66:20:3f:
-                    f4:96:c5:af:8e:01:7a:a5:0f:7a:64:f5:0d:18:87:
-                    d9:ae:88:d5:fa:84:c1:3a:c0:69:28:2d:f2:0d:68:
-                    51:aa:e3:a5:77:c6:a4:90:0e:a1:37:8b:31:23:47:
-                    c1:09:08:eb:6e:f7:78:9b:d7:82:fc:84:20:99:49:
-                    19:b6:12:46:b1:fb:45:55:16:a9:a3:65:ac:9c:07:
-                    0f:ea:6b:dc:1f:2e:06:72:ec:86:88:12:e4:2d:db:
-                    5f:05:2f:e4:f0:03:d3:26:33:e7:80:c2:cd:42:a1:
-                    17:34:0b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                71:15:67:C8:C8:C9:BD:75:5D:72:D0:38:18:6A:9D:F3:71:24:54:0B
-    Signature Algorithm: sha256WithRSAEncryption
-         75:bb:6d:54:4b:aa:10:58:46:34:f2:62:d7:16:36:5d:08:5e:
-         d5:6c:c8:87:bd:b4:2e:46:f2:31:f8:7c:ea:42:b5:93:16:55:
-         dc:a1:0c:12:a0:da:61:7e:0f:58:58:73:64:72:c7:e8:45:8e:
-         dc:a9:f2:26:3f:c6:79:8c:b1:53:08:33:81:b0:56:13:be:e6:
-         51:5c:d8:9b:0a:4f:4b:9c:56:53:02:e9:4f:f6:0d:60:ea:4d:
-         42:55:e8:7c:1b:21:21:d3:1b:3a:cc:77:f2:b8:90:f1:68:c7:
-         f9:5a:fe:fa:2d:f4:bf:c9:f5:45:1b:ce:38:10:2a:37:8a:79:
-         a3:b4:e3:09:6c:85:86:93:ff:89:96:27:78:81:8f:67:e3:46:
-         74:54:8e:d9:0d:69:e2:4a:f4:4d:74:03:ff:b2:77:ed:95:67:
-         97:e4:b1:c5:ab:bf:6a:23:e8:d4:94:e2:44:28:62:c4:4b:e2:
-         f0:d8:e2:29:6b:1a:70:7e:24:61:93:7b:4f:03:32:25:0d:45:
-         24:2b:96:b4:46:6a:bf:4a:0b:f7:9a:8f:c1:ac:1a:c5:67:f3:
-         6f:34:d2:fa:73:63:8c:ef:16:b0:a8:a4:46:2a:f8:eb:12:ec:
-         72:b4:ef:f8:2b:7e:8c:52:c0:8b:84:54:f9:2f:3e:e3:55:a8:
-         dc:66:b1:d9:e1:5f:d8:b3:8c:59:34:59:a4:ab:4f:6c:bb:1f:
-         18:db:75:ab:d8:cb:92:cd:94:38:61:0e:07:06:1f:4b:46:10:
-         f1:15:be:8d:85:5c:3b:4a:2b:81:79:0f:b4:69:9f:49:50:97:
-         4d:f7:0e:56:5d:c0:95:6a:c2:36:c3:1b:68:c9:f5:2a:dc:47:
-         9a:be:b2:ce:c5:25:e8:fa:03:b9:da:f9:16:6e:91:84:f5:1c:
-         28:c8:fc:26:cc:d7:1c:90:56:a7:5f:6f:3a:04:bc:cd:78:89:
-         0b:8e:0f:2f:a3:aa:4f:a2:1b:12:3d:16:08:40:0f:f1:46:4c:
-         d7:aa:7b:08:c1:0a:f5:6d:27:de:02:8f:ca:c3:b5:2b:ca:e9:
-         eb:c8:21:53:38:a5:cc:3b:d8:77:37:30:a2:4f:d9:6f:d1:f2:
-         40:ad:41:7a:17:c5:d6:4a:35:89:b7:41:d5:7c:86:7f:55:4d:
-         83:4a:a5:73:20:c0:3a:af:90:f1:9a:24:8e:d9:8e:71:ca:7b:
-         b8:86:da:b2:8f:99:3e:1d:13:0d:12:11:ee:d4:ab:f0:e9:15:
-         76:02:e4:e0:df:aa:20:1e:5b:61:85:64:40:a9:90:97:0d:ad:
-         53:d2:5a:1d:87:6a:00:97:65:62:b4:be:6f:6a:a7:f5:2c:42:
-         ed:32:ad:b6:21:9e:be:bc
------BEGIN CERTIFICATE-----
-MIIGCzCCA/OgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UEBhMCR1Ix
-DzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5k
-IFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMT
-N0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9v
-dENBIDIwMTUwHhcNMTUwNzA3MTAxMTIxWhcNNDAwNjMwMTAxMTIxWjCBpjELMAkG
-A1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNh
-ZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkx
-QDA+BgNVBAMTN0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1
-dGlvbnMgUm9vdENBIDIwMTUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
-AQDC+Kk/G4n8PDwEXT2QNrCROnk8ZlrvbTkBSRq0t89/TSNTt5AA4xMqKKYx8ZEA
-4yjsriFBzh/a/X0SWwGDD7mwX5nh8hKDgE0GPt+sr+ehiGsxr/CL0BgzuNtFajT0
-AoAkKAoCFZVedioNmToUW/bLy1O8E00BiDeUJRtCvCLYjqOWXjrZMts+6PAQZe10
-4S+nfK8nNLspfZu2zwnI5dMK/IhlZXQK3HMcXM1AsRzUtoSMTFDPaI6oWa7CJ06C
-ojXdFPQf/7J31Ycvqm59JCfnxssm5uX+Zwdj2EUN3TpZZTlYepKZcj2chF6IIbjV
-9Cz82XBST3i4vTwri5WY9bPRaM8gFH5MXF/ni+X1NYEZN9cRCLdmvtNKzoNXADrD
-gfgXy5I2XdGj2HUb4Ysn6npIQf1FGQatJ5lOwXBH3bWfgVMS5bGMSF0xQxfjjMZ6
-Y5ZLKTBOhE5iGV48zpeQpX8B653g+IuJ3SWYPZK2fu/Z8VFRfS0myGlZYeCsargq
-NhEEelC9MoS+L9xy1dcdFkfkR2YgP/SWxa+OAXqlD3pk9Q0Yh9muiNX6hME6wGko
-LfINaFGq46V3xqSQDqE3izEjR8EJCOtu93ib14L8hCCZSRm2Ekax+0VVFqmjZayc
-Bw/qa9wfLgZy7IaIEuQt218FL+TwA9MmM+eAws1CoRc0CwIDAQABo0IwQDAPBgNV
-HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVd
-ctA4GGqd83EkVAswDQYJKoZIhvcNAQELBQADggIBAHW7bVRLqhBYRjTyYtcWNl0I
-XtVsyIe9tC5G8jH4fOpCtZMWVdyhDBKg2mF+D1hYc2Ryx+hFjtyp8iY/xnmMsVMI
-M4GwVhO+5lFc2JsKT0ucVlMC6U/2DWDqTUJV6HwbISHTGzrMd/K4kPFox/la/vot
-9L/J9UUbzjgQKjeKeaO04wlshYaT/4mWJ3iBj2fjRnRUjtkNaeJK9E10A/+yd+2V
-Z5fkscWrv2oj6NSU4kQoYsRL4vDY4ilrGnB+JGGTe08DMiUNRSQrlrRGar9KC/ea
-j8GsGsVn82800vpzY4zvFrCopEYq+OsS7HK07/grfoxSwIuEVPkvPuNVqNxmsdnh
-X9izjFk0WaSrT2y7HxjbdavYy5LNlDhhDgcGH0tGEPEVvo2FXDtKK4F5D7Rpn0lQ
-l033DlZdwJVqwjbDG2jJ9SrcR5q+ss7FJej6A7na+RZukYT1HCjI/CbM1xyQVqdf
-bzoEvM14iQuODy+jqk+iGxI9FghAD/FGTNeqewjBCvVtJ94Cj8rDtSvK6evIIVM4
-pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGaJI7ZjnHK
-e7iG2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0
-vm9qp/UsQu0yrbYhnr68
------END CERTIFICATE-----
-
-# 5a2fc03f0c83b090bbfa40604b0988446c7636183df9846e17101a447fb8efd6
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            08:16:5f:8a:4c:a5:ec:00:c9:93:40:df:c4:c6:ae:23:b8:1c:5a:a4
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = HK, ST = Hong Kong, L = Hong Kong, O = Hongkong Post, CN = Hongkong Post Root CA 3
-        Validity
-            Not Before: Jun  3 02:29:46 2017 GMT
-            Not After : Jun  3 02:29:46 2042 GMT
-        Subject: C = HK, ST = Hong Kong, L = Hong Kong, O = Hongkong Post, CN = Hongkong Post Root CA 3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:b3:88:d7:ea:ce:0f:20:4e:be:e6:d6:03:6d:ee:
-                    59:fc:c2:57:df:29:68:a1:83:0e:3e:68:c7:68:58:
-                    9c:1c:60:4b:89:43:0c:b9:d4:15:b2:ee:c1:4e:75:
-                    e9:b5:a7:ef:e5:e9:35:99:e4:cc:1c:e7:4b:5f:8d:
-                    33:30:20:33:53:d9:a6:bb:d5:3e:13:8e:e9:1f:87:
-                    49:ad:50:2d:50:ca:18:be:01:58:a2:13:70:96:bb:
-                    89:88:56:80:5c:f8:bd:2c:3c:e1:4c:57:88:bb:d3:
-                    b9:95:ef:cb:c7:f6:da:31:74:28:a6:e6:54:89:f5:
-                    41:31:ca:e5:26:1a:cd:82:e0:70:da:3b:29:bb:d5:
-                    03:f5:99:ba:55:f5:64:d1:60:0e:b3:89:49:b8:8a:
-                    2f:05:d2:84:45:28:7c:8f:68:50:12:78:fc:0b:b5:
-                    53:cb:c2:98:1c:84:a3:9e:b0:be:23:a4:da:dc:c8:
-                    2b:1e:da:6e:45:1e:89:98:da:f9:00:2e:06:e9:0c:
-                    3b:70:d5:50:25:88:99:cb:cd:73:60:f7:d5:ff:35:
-                    67:c5:a1:bc:5e:ab:cd:4a:b8:45:eb:c8:68:1e:0d:
-                    0d:14:46:12:e3:d2:64:62:8a:42:98:bc:b4:c6:08:
-                    08:f8:fd:a8:4c:64:9c:76:01:bd:2f:a9:6c:33:0f:
-                    d8:3f:28:b8:3c:69:01:42:86:7e:69:c1:c9:06:ca:
-                    e5:7a:46:65:e9:c2:d6:50:41:2e:3f:b7:e4:ed:6c:
-                    d7:bf:26:01:11:a2:16:29:4a:6b:34:06:90:ec:13:
-                    d2:b6:fb:6a:76:d2:3c:ed:f0:d6:2d:dd:e1:15:ec:
-                    a3:9b:2f:2c:c9:3e:2b:e4:69:3b:ff:72:25:b1:36:
-                    86:5b:c7:7f:6b:8b:55:1b:4a:c5:20:61:3d:ae:cb:
-                    50:e1:08:3a:be:b0:8f:63:41:53:30:08:59:3c:98:
-                    1d:77:ba:63:91:7a:ca:10:50:60:bf:f0:d7:bc:95:
-                    87:8f:97:c5:fe:97:6a:01:94:a3:7c:5b:85:1d:2a:
-                    39:3a:d0:54:a1:d1:39:71:9d:fd:21:f9:b5:7b:f0:
-                    e2:e0:02:8f:6e:96:24:25:2c:a0:1e:2c:a8:c4:89:
-                    a7:ef:ed:99:06:2f:b6:0a:4c:4f:db:a2:cc:37:1a:
-                    af:47:85:2d:8a:5f:c4:34:34:4c:00:fd:18:93:67:
-                    13:d1:37:e6:48:b4:8b:06:c5:57:7b:19:86:0a:79:
-                    cb:00:c9:52:af:42:ff:37:8f:e1:a3:1e:7a:3d:50:
-                    ab:63:06:e7:15:b5:3f:b6:45:37:94:37:b1:7e:f2:
-                    48:c3:7f:c5:75:fe:97:8d:45:8f:1a:a7:1a:72:28:
-                    1a:40:0f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Authority Key Identifier: 
-                keyid:17:9D:CD:1E:8B:D6:39:2B:70:D3:5C:D4:A0:B8:1F:B0:00:FC:C5:61
-
-            X509v3 Subject Key Identifier: 
-                17:9D:CD:1E:8B:D6:39:2B:70:D3:5C:D4:A0:B8:1F:B0:00:FC:C5:61
-    Signature Algorithm: sha256WithRSAEncryption
-         56:d5:7b:6e:e6:22:01:d2:42:9b:18:d5:0e:d7:66:23:5c:e3:
-         fe:a0:c7:92:d2:e9:94:ad:4b:a2:c6:ec:12:7c:74:d5:48:d2:
-         59:14:99:c0:eb:b9:d1:eb:f4:48:30:5b:ad:a7:57:73:99:a9:
-         d3:e5:b7:d1:2e:59:24:58:dc:68:2e:2e:62:d8:6a:e4:70:0b:
-         2d:20:50:20:a4:32:95:d1:00:98:bb:d3:fd:f7:32:f2:49:ae:
-         c6:7a:e0:47:be:6e:ce:cb:a3:72:3a:2d:69:5d:cb:c8:e8:45:
-         39:d4:fa:42:c1:11:4c:77:5d:92:fb:6a:ff:58:44:e5:eb:81:
-         9e:af:a0:99:ad:be:a9:01:66:cb:38:1d:3c:df:43:1f:f4:4d:
-         6e:b4:ba:17:46:fc:7d:fd:87:81:79:6a:0d:33:0f:fa:2f:f8:
-         14:b9:80:b3:5d:4d:aa:97:e1:f9:e4:18:c5:f8:d5:38:8c:26:
-         3c:fd:f2:28:e2:ee:5a:49:88:2c:df:79:3d:8e:9e:90:3c:bd:
-         41:4a:3a:dd:5b:f6:9a:b4:ce:3f:25:30:7f:32:7d:a2:03:94:
-         d0:dc:7a:a1:52:de:6e:93:8d:18:26:fd:55:ac:bd:8f:9b:d2:
-         cf:af:e7:86:2c:cb:1f:09:6f:a3:6f:a9:84:d4:73:bf:4d:a1:
-         74:1b:4e:23:60:f2:cc:0e:aa:7f:a4:9c:4c:25:a8:b2:66:3b:
-         38:ff:d9:94:30:f6:72:84:be:68:55:10:0f:c6:73:2c:16:69:
-         93:07:fe:b1:45:ed:bb:a2:55:6a:b0:da:b5:4a:02:25:27:85:
-         d7:b7:b7:86:44:16:89:6c:80:2b:3e:97:a9:9c:d5:7e:55:4c:
-         c6:de:45:10:1c:ea:e9:3b:9f:03:53:ee:ee:7a:01:02:16:78:
-         d4:e8:c2:be:46:76:88:13:3f:22:bb:48:12:1d:52:00:b4:02:
-         7e:21:1a:1e:9c:25:f4:f3:3d:5e:1e:d2:1c:f9:b3:2d:b6:f7:
-         37:5c:c6:cb:21:4e:b0:f7:99:47:18:85:c1:2b:ba:55:ae:06:
-         ea:d0:07:b2:dc:ab:d0:82:96:75:ce:d2:50:fe:99:e7:cf:2f:
-         9f:e7:76:d1:61:2a:fb:21:bb:31:d0:aa:9f:47:a4:b2:22:ca:
-         16:3a:50:57:c4:5b:43:67:c5:65:62:03:49:01:eb:43:d9:d8:
-         f8:9e:ad:cf:b1:63:0e:45:f4:a0:5a:2c:9b:2d:c5:a6:c0:ad:
-         a8:47:f4:27:4c:38:0d:2e:1b:49:3b:52:f4:e8:88:83:2b:54:
-         28:d4:f2:35:52:b4:32:83:62:69:64:0c:91:9c:9f:97:ea:74:
-         16:fd:1f:11:06:9a:9b:f4
------BEGIN CERTIFICATE-----
-MIIFzzCCA7egAwIBAgIUCBZfikyl7ADJk0DfxMauI7gcWqQwDQYJKoZIhvcNAQEL
-BQAwbzELMAkGA1UEBhMCSEsxEjAQBgNVBAgTCUhvbmcgS29uZzESMBAGA1UEBxMJ
-SG9uZyBLb25nMRYwFAYDVQQKEw1Ib25na29uZyBQb3N0MSAwHgYDVQQDExdIb25n
-a29uZyBQb3N0IFJvb3QgQ0EgMzAeFw0xNzA2MDMwMjI5NDZaFw00MjA2MDMwMjI5
-NDZaMG8xCzAJBgNVBAYTAkhLMRIwEAYDVQQIEwlIb25nIEtvbmcxEjAQBgNVBAcT
-CUhvbmcgS29uZzEWMBQGA1UEChMNSG9uZ2tvbmcgUG9zdDEgMB4GA1UEAxMXSG9u
-Z2tvbmcgUG9zdCBSb290IENBIDMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
-AoICAQCziNfqzg8gTr7m1gNt7ln8wlffKWihgw4+aMdoWJwcYEuJQwy51BWy7sFO
-dem1p+/l6TWZ5Mwc50tfjTMwIDNT2aa71T4Tjukfh0mtUC1Qyhi+AViiE3CWu4mI
-VoBc+L0sPOFMV4i707mV78vH9toxdCim5lSJ9UExyuUmGs2C4HDaOym71QP1mbpV
-9WTRYA6ziUm4ii8F0oRFKHyPaFASePwLtVPLwpgchKOesL4jpNrcyCse2m5FHomY
-2vkALgbpDDtw1VAliJnLzXNg99X/NWfFobxeq81KuEXryGgeDQ0URhLj0mRiikKY
-vLTGCAj4/ahMZJx2Ab0vqWwzD9g/KLg8aQFChn5pwckGyuV6RmXpwtZQQS4/t+Tt
-bNe/JgERohYpSms0BpDsE9K2+2p20jzt8NYt3eEV7KObLyzJPivkaTv/ciWxNoZb
-x39ri1UbSsUgYT2uy1DhCDq+sI9jQVMwCFk8mB13umOResoQUGC/8Ne8lYePl8X+
-l2oBlKN8W4UdKjk60FSh0Tlxnf0h+bV78OLgAo9uliQlLKAeLKjEiafv7ZkGL7YK
-TE/bosw3Gq9HhS2KX8Q0NEwA/RiTZxPRN+ZItIsGxVd7GYYKecsAyVKvQv83j+Gj
-Hno9UKtjBucVtT+2RTeUN7F+8kjDf8V1/peNRY8apxpyKBpADwIDAQABo2MwYTAP
-BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBQXnc0e
-i9Y5K3DTXNSguB+wAPzFYTAdBgNVHQ4EFgQUF53NHovWOStw01zUoLgfsAD8xWEw
-DQYJKoZIhvcNAQELBQADggIBAFbVe27mIgHSQpsY1Q7XZiNc4/6gx5LS6ZStS6LG
-7BJ8dNVI0lkUmcDrudHr9EgwW62nV3OZqdPlt9EuWSRY3GguLmLYauRwCy0gUCCk
-MpXRAJi70/33MvJJrsZ64Ee+bs7Lo3I6LWldy8joRTnU+kLBEUx3XZL7av9YROXr
-gZ6voJmtvqkBZss4HTzfQx/0TW60uhdG/H39h4F5ag0zD/ov+BS5gLNdTaqX4fnk
-GMX41TiMJjz98iji7lpJiCzfeT2OnpA8vUFKOt1b9pq0zj8lMH8yfaIDlNDceqFS
-3m6TjRgm/VWsvY+b0s+v54Ysyx8Jb6NvqYTUc79NoXQbTiNg8swOqn+knEwlqLJm
-Ozj/2ZQw9nKEvmhVEA/GcywWaZMH/rFF7buiVWqw2rVKAiUnhde3t4ZEFolsgCs+
-l6mc1X5VTMbeRRAc6uk7nwNT7u56AQIWeNTowr5GdogTPyK7SBIdUgC0An4hGh6c
-JfTzPV4e0hz5sy229zdcxsshTrD3mUcYhcErulWuBurQB7Lcq9CClnXO0lD+mefP
-L5/ndtFhKvshuzHQqp9HpLIiyhY6UFfEW0NnxWViA0kB60PZ2Pierc+xYw5F9KBa
-LJstxabArahH9CdMOA0uG0k7UvToiIMrVCjU8jVStDKDYmlkDJGcn5fqdBb9HxEG
-mpv0
------END CERTIFICATE-----
-
-# 5d56499be4d2e08bcfcad08a3e38723d50503bde706948e42f55603019e528ae
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            0a:01:42:80:00:00:01:45:23:c8:44:b5:00:00:00:02
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
-        Validity
-            Not Before: Jan 16 18:12:23 2014 GMT
-            Not After : Jan 16 18:12:23 2034 GMT
-        Subject: C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:a7:50:19:de:3f:99:3d:d4:33:46:f1:6f:51:61:
-                    82:b2:a9:4f:8f:67:89:5d:84:d9:53:dd:0c:28:d9:
-                    d7:f0:ff:ae:95:43:72:99:f9:b5:5d:7c:8a:c1:42:
-                    e1:31:50:74:d1:81:0d:7c:cd:9b:21:ab:43:e2:ac:
-                    ad:5e:86:6e:f3:09:8a:1f:5a:32:bd:a2:eb:94:f9:
-                    e8:5c:0a:ec:ff:98:d2:af:71:b3:b4:53:9f:4e:87:
-                    ef:92:bc:bd:ec:4f:32:30:88:4b:17:5e:57:c4:53:
-                    c2:f6:02:97:8d:d9:62:2b:bf:24:1f:62:8d:df:c3:
-                    b8:29:4b:49:78:3c:93:60:88:22:fc:99:da:36:c8:
-                    c2:a2:d4:2c:54:00:67:35:6e:73:bf:02:58:f0:a4:
-                    dd:e5:b0:a2:26:7a:ca:e0:36:a5:19:16:f5:fd:b7:
-                    ef:ae:3f:40:f5:6d:5a:04:fd:ce:34:ca:24:dc:74:
-                    23:1b:5d:33:13:12:5d:c4:01:25:f6:30:dd:02:5d:
-                    9f:e0:d5:47:bd:b4:eb:1b:a1:bb:49:49:d8:9f:5b:
-                    02:f3:8a:e4:24:90:e4:62:4f:4f:c1:af:8b:0e:74:
-                    17:a8:d1:72:88:6a:7a:01:49:cc:b4:46:79:c6:17:
-                    b1:da:98:1e:07:59:fa:75:21:85:65:dd:90:56:ce:
-                    fb:ab:a5:60:9d:c4:9d:f9:52:b0:8b:bd:87:f9:8f:
-                    2b:23:0a:23:76:3b:f7:33:e1:c9:00:f3:69:f9:4b:
-                    a2:e0:4e:bc:7e:93:39:84:07:f7:44:70:7e:fe:07:
-                    5a:e5:b1:ac:d1:18:cc:f2:35:e5:49:49:08:ca:56:
-                    c9:3d:fb:0f:18:7d:8b:3b:c1:13:c2:4d:8f:c9:4f:
-                    0e:37:e9:1f:a1:0e:6a:df:62:2e:cb:35:06:51:79:
-                    2c:c8:25:38:f4:fa:4b:a7:89:5c:9c:d2:e3:0d:39:
-                    86:4a:74:7c:d5:59:87:c2:3f:4e:0c:5c:52:f4:3d:
-                    f7:52:82:f1:ea:a3:ac:fd:49:34:1a:28:f3:41:88:
-                    3a:13:ee:e8:de:ff:99:1d:5f:ba:cb:e8:1e:f2:b9:
-                    50:60:c0:31:d3:73:e5:ef:be:a0:ed:33:0b:74:be:
-                    20:20:c4:67:6c:f0:08:03:7a:55:80:7f:46:4e:96:
-                    a7:f4:1e:3e:e1:f6:d8:09:e1:33:64:2b:63:d7:32:
-                    5e:9f:f9:c0:7b:0f:78:6f:97:bc:93:9a:f9:9c:12:
-                    90:78:7a:80:87:15:d7:72:74:9c:55:74:78:b1:ba:
-                    e1:6e:70:04:ba:4f:a0:ba:68:c3:7b:ff:31:f0:73:
-                    3d:3d:94:2a:b1:0b:41:0e:a0:fe:4d:88:65:6b:79:
-                    33:b4:d7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                ED:44:19:C0:D3:F0:06:8B:EE:A4:7B:BE:42:E7:26:54:C8:8E:36:76
-    Signature Algorithm: sha256WithRSAEncryption
-         0d:ae:90:32:f6:a6:4b:7c:44:76:19:61:1e:27:28:cd:5e:54:
-         ef:25:bc:e3:08:90:f9:29:d7:ae:68:08:e1:94:00:58:ef:2e:
-         2e:7e:53:52:8c:b6:5c:07:ea:88:ba:99:8b:50:94:d7:82:80:
-         df:61:09:00:93:ad:0d:14:e6:ce:c1:f2:37:94:78:b0:5f:9c:
-         b3:a2:73:b8:8f:05:93:38:cd:8d:3e:b0:b8:fb:c0:cf:b1:f2:
-         ec:2d:2d:1b:cc:ec:aa:9a:b3:aa:60:82:1b:2d:3b:c3:84:3d:
-         57:8a:96:1e:9c:75:b8:d3:30:cd:60:08:83:90:d3:8e:54:f1:
-         4d:66:c0:5d:74:03:40:a3:ee:85:7e:c2:1f:77:9c:06:e8:c1:
-         a7:18:5d:52:95:ed:c9:dd:25:9e:6d:fa:a9:ed:a3:3a:34:d0:
-         59:7b:da:ed:50:f3:35:bf:ed:eb:14:4d:31:c7:60:f4:da:f1:
-         87:9c:e2:48:e2:c6:c5:37:fb:06:10:fa:75:59:66:31:47:29:
-         da:76:9a:1c:e9:82:ae:ef:9a:b9:51:f7:88:23:9a:69:95:62:
-         3c:e5:55:80:36:d7:54:02:ff:f1:b9:5d:ce:d4:23:6f:d8:45:
-         84:4a:5b:65:ef:89:0c:dd:14:a7:20:cb:18:a5:25:b4:0d:f9:
-         01:f0:a2:d2:f4:00:c8:74:8e:a1:2a:48:8e:65:db:13:c4:e2:
-         25:17:7d:eb:be:87:5b:17:20:54:51:93:4a:53:03:0b:ec:5d:
-         ca:33:ed:62:fd:45:c7:2f:5b:dc:58:a0:80:39:e6:fa:d7:fe:
-         13:14:a6:ed:3d:94:4a:42:74:d4:c3:77:59:73:cd:8f:46:be:
-         55:38:ef:fa:e8:91:32:ea:97:58:04:22:de:38:c3:cc:bc:6d:
-         c9:33:3a:6a:0a:69:3f:a0:c8:ea:72:8f:8c:63:86:23:bd:6d:
-         3c:96:9e:95:e0:49:4c:aa:a2:b9:2a:1b:9c:36:81:78:ed:c3:
-         e8:46:e2:26:59:44:75:1e:d9:75:89:51:cd:10:84:9d:61:60:
-         cb:5d:f9:97:22:4d:8e:98:e6:e3:7f:f6:5b:bb:ae:cd:ca:4a:
-         81:6b:5e:0b:f3:51:e1:74:2b:e9:7e:27:a7:d9:99:49:4e:f8:
-         a5:80:db:25:0f:1c:63:62:8a:c9:33:67:6b:3c:10:83:c6:ad:
-         de:a8:cd:16:8e:8d:f0:07:37:71:9f:f2:ab:fc:41:f5:c1:8b:
-         ec:00:37:5d:09:e5:4e:80:ef:fa:b1:5c:38:06:a5:1b:4a:e1:
-         dc:38:2d:3c:dc:ab:1f:90:1a:d5:4a:9c:ee:d1:70:6c:cc:ee:
-         f4:57:f8:18:ba:84:6e:87
------BEGIN CERTIFICATE-----
-MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
-MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
-VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
-MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
-JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
-3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
-+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
-S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
-bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
-T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
-vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
-Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
-dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
-c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
-l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
-iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
-/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
-ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
-6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
-LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
-nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
-+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
-W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
-AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
-l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
-4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
-mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
-7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
------END CERTIFICATE-----
-
-# 2530cc8e98321502bad96f9b1fba1b099e2d299e0f4548bb914f363bc0d4531f
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=ES, O=IZENPE S.A., CN=Izenpe.com
-        Validity
-            Not Before: Dec 13 13:08:28 2007 GMT
-            Not After : Dec 13 08:27:25 2037 GMT
-        Subject: C=ES, O=IZENPE S.A., CN=Izenpe.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:c9:d3:7a:ca:0f:1e:ac:a7:86:e8:16:65:6a:b1:
-                    c2:1b:45:32:71:95:d9:fe:10:5b:cc:af:e7:a5:79:
-                    01:8f:89:c3:ca:f2:55:71:f7:77:be:77:94:f3:72:
-                    a4:2c:44:d8:9e:92:9b:14:3a:a1:e7:24:90:0a:0a:
-                    56:8e:c5:d8:26:94:e1:d9:48:e1:2d:3e:da:0a:72:
-                    dd:a3:99:15:da:81:a2:87:f4:7b:6e:26:77:89:58:
-                    ad:d6:eb:0c:b2:41:7a:73:6e:6d:db:7a:78:41:e9:
-                    08:88:12:7e:87:2e:66:11:63:6c:54:fb:3c:9d:72:
-                    c0:bc:2e:ff:c2:b7:dd:0d:76:e3:3a:d7:f7:b4:68:
-                    be:a2:f5:e3:81:6e:c1:46:6f:5d:8d:e0:4d:c6:54:
-                    55:89:1a:33:31:0a:b1:57:b9:a3:8a:98:c3:ec:3b:
-                    34:c5:95:41:69:7e:75:c2:3c:20:c5:61:ba:51:47:
-                    a0:20:90:93:a1:90:4b:f3:4e:7c:85:45:54:9a:d1:
-                    05:26:41:b0:b5:4d:1d:33:be:c4:03:c8:25:7c:c1:
-                    70:db:3b:f4:09:2d:54:27:48:ac:2f:e1:c4:ac:3e:
-                    c8:cb:92:4c:53:39:37:23:ec:d3:01:f9:e0:09:44:
-                    4d:4d:64:c0:e1:0d:5a:87:22:bc:ad:1b:a3:fe:26:
-                    b5:15:f3:a7:fc:84:19:e9:ec:a1:88:b4:44:69:84:
-                    83:f3:89:d1:74:06:a9:cc:0b:d6:c2:de:27:85:50:
-                    26:ca:17:b8:c9:7a:87:56:2c:1a:01:1e:6c:be:13:
-                    ad:10:ac:b5:24:f5:38:91:a1:d6:4b:da:f1:bb:d2:
-                    de:47:b5:f1:bc:81:f6:59:6b:cf:19:53:e9:8d:15:
-                    cb:4a:cb:a9:6f:44:e5:1b:41:cf:e1:86:a7:ca:d0:
-                    6a:9f:bc:4c:8d:06:33:5a:a2:85:e5:90:35:a0:62:
-                    5c:16:4e:f0:e3:a2:fa:03:1a:b4:2c:71:b3:58:2c:
-                    de:7b:0b:db:1a:0f:eb:de:21:1f:06:77:06:03:b0:
-                    c9:ef:99:fc:c0:b9:4f:0b:86:28:fe:d2:b9:ea:e3:
-                    da:a5:c3:47:69:12:e0:db:f0:f6:19:8b:ed:7b:70:
-                    d7:02:d6:ed:87:18:28:2c:04:24:4c:77:e4:48:8a:
-                    1a:c6:3b:9a:d4:0f:ca:fa:75:d2:01:40:5a:8d:79:
-                    bf:8b:cf:4b:cf:aa:16:c1:95:e4:ad:4c:8a:3e:17:
-                    91:d4:b1:62:e5:82:e5:80:04:a4:03:7e:8d:bf:da:
-                    7f:a2:0f:97:4f:0c:d3:0d:fb:d7:d1:e5:72:7e:1c:
-                    c8:77:ff:5b:9a:0f:b7:ae:05:46:e5:f1:a8:16:ec:
-                    47:a4:17
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Alternative Name: 
-                email:info@izenpe.com, DirName:/O=IZENPE S.A. - CIF A01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8/street=Avda del Mediterraneo Etorbidea 14 - 01010 Vitoria-Gasteiz
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                1D:1C:65:0E:A8:F2:25:7B:B4:91:CF:E4:B1:B1:E6:BD:55:74:6C:05
-    Signature Algorithm: sha256WithRSAEncryption
-         78:a6:0c:16:4a:9f:4c:88:3a:c0:cb:0e:a5:16:7d:9f:b9:48:
-         5f:18:8f:0d:62:36:f6:cd:19:6b:ac:ab:d5:f6:91:7d:ae:71:
-         f3:3f:b3:0e:78:85:9b:95:a4:27:21:47:42:4a:7c:48:3a:f5:
-         45:7c:b3:0c:8e:51:78:ac:95:13:de:c6:fd:7d:b8:1a:90:4c:
-         ab:92:03:c7:ed:42:01:ce:0f:d8:b1:fa:a2:92:e1:60:6d:ae:
-         7a:6b:09:aa:c6:29:ee:68:49:67:30:80:24:7a:31:16:39:5b:
-         7e:f1:1c:2e:dd:6c:09:ad:f2:31:c1:82:4e:b9:bb:f9:be:bf:
-         2a:85:3f:c0:40:a3:3a:59:fc:59:4b:3c:28:24:db:b4:15:75:
-         ae:0d:88:ba:2e:73:c0:bd:58:87:e5:42:f2:eb:5e:ee:1e:30:
-         22:99:cb:37:d1:c4:21:6c:81:ec:be:6d:26:e6:1c:e4:42:20:
-         9e:47:b0:ac:83:59:70:2c:35:d6:af:36:34:b4:cd:3b:f8:32:
-         a8:ef:e3:78:89:fb:8d:45:2c:da:9c:b8:7e:40:1c:61:e7:3e:
-         a2:92:2c:4b:f2:cd:fa:98:b6:29:ff:f3:f2:7b:a9:1f:2e:a0:
-         93:57:2b:de:85:03:f9:69:37:cb:9e:78:6a:05:b4:c5:31:78:
-         89:ec:7a:a7:85:e1:b9:7b:3c:de:be:1e:79:84:ce:9f:70:0e:
-         59:c2:35:2e:90:2a:31:d9:e4:45:7a:41:a4:2e:13:9b:34:0e:
-         66:7b:49:ab:64:97:d0:46:c3:79:9d:72:50:63:a6:98:5b:06:
-         bd:48:6d:d8:39:83:70:e8:35:f0:05:d1:aa:bc:e3:db:c8:02:
-         ea:7c:fd:82:da:c2:5b:52:35:ae:98:3a:ad:ba:35:93:23:a7:
-         1f:48:dd:35:46:98:b2:10:68:e4:a5:31:c2:0a:58:2e:19:81:
-         10:c9:50:75:fc:ea:5a:16:ce:11:d7:ee:ef:50:88:2d:61:ff:
-         3f:42:73:05:94:43:d5:8e:3c:4e:01:3a:19:a5:1f:46:4e:77:
-         d0:5d:e5:81:22:21:87:fe:94:7d:84:d8:93:ad:d6:68:43:48:
-         b2:db:eb:73:24:e7:91:7f:54:a4:b6:80:3e:9d:a3:3c:4c:72:
-         c2:57:c4:a0:d4:cc:38:27:ce:d5:06:9e:a2:48:d9:e9:9f:ce:
-         82:70:36:93:9a:3b:df:96:21:e3:59:b7:0c:da:91:37:f0:fd:
-         59:5a:b3:99:c8:69:6c:43:26:01:35:63:60:55:89:03:3a:75:
-         d8:ba:4a:d9:54:ff:ee:de:80:d8:2d:d1:38:d5:5e:2d:0b:98:
-         7d:3e:6c:db:fc:26:88:c7
------BEGIN CERTIFICATE-----
-MIIF8TCCA9mgAwIBAgIQALC3WhZIX7/hy/WL1xnmfTANBgkqhkiG9w0BAQsFADA4
-MQswCQYDVQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6
-ZW5wZS5jb20wHhcNMDcxMjEzMTMwODI4WhcNMzcxMjEzMDgyNzI1WjA4MQswCQYD
-VQQGEwJFUzEUMBIGA1UECgwLSVpFTlBFIFMuQS4xEzARBgNVBAMMCkl6ZW5wZS5j
-b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ03rKDx6sp4boFmVq
-scIbRTJxldn+EFvMr+eleQGPicPK8lVx93e+d5TzcqQsRNiekpsUOqHnJJAKClaO
-xdgmlOHZSOEtPtoKct2jmRXagaKH9HtuJneJWK3W6wyyQXpzbm3benhB6QiIEn6H
-LmYRY2xU+zydcsC8Lv/Ct90NduM61/e0aL6i9eOBbsFGb12N4E3GVFWJGjMxCrFX
-uaOKmMPsOzTFlUFpfnXCPCDFYbpRR6AgkJOhkEvzTnyFRVSa0QUmQbC1TR0zvsQD
-yCV8wXDbO/QJLVQnSKwv4cSsPsjLkkxTOTcj7NMB+eAJRE1NZMDhDVqHIrytG6P+
-JrUV86f8hBnp7KGItERphIPzidF0BqnMC9bC3ieFUCbKF7jJeodWLBoBHmy+E60Q
-rLUk9TiRodZL2vG70t5HtfG8gfZZa88ZU+mNFctKy6lvROUbQc/hhqfK0GqfvEyN
-BjNaooXlkDWgYlwWTvDjovoDGrQscbNYLN57C9saD+veIR8GdwYDsMnvmfzAuU8L
-hij+0rnq49qlw0dpEuDb8PYZi+17cNcC1u2HGCgsBCRMd+RIihrGO5rUD8r6ddIB
-QFqNeb+Lz0vPqhbBleStTIo+F5HUsWLlguWABKQDfo2/2n+iD5dPDNMN+9fR5XJ+
-HMh3/1uaD7euBUbl8agW7EekFwIDAQABo4H2MIHzMIGwBgNVHREEgagwgaWBD2lu
-Zm9AaXplbnBlLmNvbaSBkTCBjjFHMEUGA1UECgw+SVpFTlBFIFMuQS4gLSBDSUYg
-QTAxMzM3MjYwLVJNZXJjLlZpdG9yaWEtR2FzdGVpeiBUMTA1NSBGNjIgUzgxQzBB
-BgNVBAkMOkF2ZGEgZGVsIE1lZGl0ZXJyYW5lbyBFdG9yYmlkZWEgMTQgLSAwMTAx
-MCBWaXRvcmlhLUdhc3RlaXowDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AQYwHQYDVR0OBBYEFB0cZQ6o8iV7tJHP5LGx5r1VdGwFMA0GCSqGSIb3DQEBCwUA
-A4ICAQB4pgwWSp9MiDrAyw6lFn2fuUhfGI8NYjb2zRlrrKvV9pF9rnHzP7MOeIWb
-laQnIUdCSnxIOvVFfLMMjlF4rJUT3sb9fbgakEyrkgPH7UIBzg/YsfqikuFgba56
-awmqxinuaElnMIAkejEWOVt+8Rwu3WwJrfIxwYJOubv5vr8qhT/AQKM6WfxZSzwo
-JNu0FXWuDYi6LnPAvViH5ULy617uHjAimcs30cQhbIHsvm0m5hzkQiCeR7Csg1lw
-LDXWrzY0tM07+DKo7+N4ifuNRSzanLh+QBxh5z6ikixL8s36mLYp//Pye6kfLqCT
-VyvehQP5aTfLnnhqBbTFMXiJ7HqnheG5ezzevh55hM6fcA5ZwjUukCox2eRFekGk
-LhObNA5me0mrZJfQRsN5nXJQY6aYWwa9SG3YOYNw6DXwBdGqvOPbyALqfP2C2sJb
-UjWumDqtujWTI6cfSN01RpiyEGjkpTHCClguGYEQyVB1/OpaFs4R1+7vUIgtYf8/
-QnMFlEPVjjxOAToZpR9GTnfQXeWBIiGH/pR9hNiTrdZoQ0iy2+tzJOeRf1SktoA+
-naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1ZWrOZyGls
-QyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw==
------END CERTIFICATE-----
-
-# 23804203ca45d8cde716b8c13bf3b448457fa06cc10250997fa01458317c41e5
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            06:e8:46:27:2f:1f:0a:8f:d1:84:5c:e3:69:f6:d5
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=ES, O=IZENPE S.A., CN=Izenpe.com
-        Validity
-            Not Before: Dec 13 13:08:27 2007 GMT
-            Not After : Dec 13 08:27:25 2037 GMT
-        Subject: C=ES, O=IZENPE S.A., CN=Izenpe.com
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:c9:d3:7a:ca:0f:1e:ac:a7:86:e8:16:65:6a:b1:
-                    c2:1b:45:32:71:95:d9:fe:10:5b:cc:af:e7:a5:79:
-                    01:8f:89:c3:ca:f2:55:71:f7:77:be:77:94:f3:72:
-                    a4:2c:44:d8:9e:92:9b:14:3a:a1:e7:24:90:0a:0a:
-                    56:8e:c5:d8:26:94:e1:d9:48:e1:2d:3e:da:0a:72:
-                    dd:a3:99:15:da:81:a2:87:f4:7b:6e:26:77:89:58:
-                    ad:d6:eb:0c:b2:41:7a:73:6e:6d:db:7a:78:41:e9:
-                    08:88:12:7e:87:2e:66:11:63:6c:54:fb:3c:9d:72:
-                    c0:bc:2e:ff:c2:b7:dd:0d:76:e3:3a:d7:f7:b4:68:
-                    be:a2:f5:e3:81:6e:c1:46:6f:5d:8d:e0:4d:c6:54:
-                    55:89:1a:33:31:0a:b1:57:b9:a3:8a:98:c3:ec:3b:
-                    34:c5:95:41:69:7e:75:c2:3c:20:c5:61:ba:51:47:
-                    a0:20:90:93:a1:90:4b:f3:4e:7c:85:45:54:9a:d1:
-                    05:26:41:b0:b5:4d:1d:33:be:c4:03:c8:25:7c:c1:
-                    70:db:3b:f4:09:2d:54:27:48:ac:2f:e1:c4:ac:3e:
-                    c8:cb:92:4c:53:39:37:23:ec:d3:01:f9:e0:09:44:
-                    4d:4d:64:c0:e1:0d:5a:87:22:bc:ad:1b:a3:fe:26:
-                    b5:15:f3:a7:fc:84:19:e9:ec:a1:88:b4:44:69:84:
-                    83:f3:89:d1:74:06:a9:cc:0b:d6:c2:de:27:85:50:
-                    26:ca:17:b8:c9:7a:87:56:2c:1a:01:1e:6c:be:13:
-                    ad:10:ac:b5:24:f5:38:91:a1:d6:4b:da:f1:bb:d2:
-                    de:47:b5:f1:bc:81:f6:59:6b:cf:19:53:e9:8d:15:
-                    cb:4a:cb:a9:6f:44:e5:1b:41:cf:e1:86:a7:ca:d0:
-                    6a:9f:bc:4c:8d:06:33:5a:a2:85:e5:90:35:a0:62:
-                    5c:16:4e:f0:e3:a2:fa:03:1a:b4:2c:71:b3:58:2c:
-                    de:7b:0b:db:1a:0f:eb:de:21:1f:06:77:06:03:b0:
-                    c9:ef:99:fc:c0:b9:4f:0b:86:28:fe:d2:b9:ea:e3:
-                    da:a5:c3:47:69:12:e0:db:f0:f6:19:8b:ed:7b:70:
-                    d7:02:d6:ed:87:18:28:2c:04:24:4c:77:e4:48:8a:
-                    1a:c6:3b:9a:d4:0f:ca:fa:75:d2:01:40:5a:8d:79:
-                    bf:8b:cf:4b:cf:aa:16:c1:95:e4:ad:4c:8a:3e:17:
-                    91:d4:b1:62:e5:82:e5:80:04:a4:03:7e:8d:bf:da:
-                    7f:a2:0f:97:4f:0c:d3:0d:fb:d7:d1:e5:72:7e:1c:
-                    c8:77:ff:5b:9a:0f:b7:ae:05:46:e5:f1:a8:16:ec:
-                    47:a4:17
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Alternative Name: 
-                email:info@izenpe.com, DirName:/O=IZENPE S.A. - CIF A01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8/street=Avda del Mediterraneo Etorbidea 14 - 01010 Vitoria-Gasteiz
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                1D:1C:65:0E:A8:F2:25:7B:B4:91:CF:E4:B1:B1:E6:BD:55:74:6C:05
-    Signature Algorithm: sha1WithRSAEncryption
-         c7:81:46:6f:21:18:4f:a0:05:ef:e7:d5:ba:97:50:a2:60:ed:
-         a5:92:14:1a:52:9b:f9:f1:88:4a:a0:dc:78:75:d1:d5:1f:95:
-         4e:c5:e7:b7:69:e6:22:f4:f8:29:a8:2a:89:be:cf:cf:76:8f:
-         e3:31:73:9d:26:d3:1c:1b:47:16:29:07:68:84:8a:d2:fb:b1:
-         1b:24:3e:d2:98:18:2c:24:8e:af:f6:7b:ea:44:16:1b:2a:c4:
-         fa:a0:97:e9:ea:6c:58:a4:ef:75:ab:00:62:d1:9d:ed:13:36:
-         db:22:0b:b6:f0:d1:f4:6e:7b:46:87:c2:9d:bc:bd:be:42:3b:
-         b7:73:d0:9a:2a:3c:b4:5b:12:16:00:af:19:39:8d:ad:83:50:
-         1c:c8:81:4f:bd:02:0f:3d:9e:35:96:ee:ef:e4:c2:03:7c:29:
-         1c:02:7e:bd:34:27:5e:af:53:d6:9d:17:bf:57:6c:e9:d0:83:
-         10:af:bf:5d:4d:ef:90:7b:5d:2b:ac:ec:ea:7d:00:26:17:cc:
-         02:5c:63:d7:19:18:a7:ec:2b:c7:8a:3e:58:0e:8a:87:e6:83:
-         9f:4e:b2:34:1e:ac:54:09:4f:1d:02:0b:39:7e:81:08:15:b9:
-         a0:69:13:c8:32:2b:e3:ad:6c:13:d6:83:9d:23:2d:b2:6d:a2:
-         88:86:7e:a8:0d:01:26:09:40:d9:ed:28:4e:8c:93:24:0f:db:
-         f1:1e:4d:7a:7a:5a:e2:a5:58:f1:dc:8f:5f:99:82:0c:2e:cf:
-         b2:dd:98:cc:92:94:3f:f9:09:b3:a5:96:25:5b:37:f5:12:85:
-         41:e2:19:4c:c6:8a:08:c1:dc:18:7a:0f:1e:3f:82:59:a2:9a:
-         3e:3f:f9:e0:09:9f:fd:c1:91:4b:5d:c9:7b:d6:b6:89:fc:df:
-         1d:7c:86:aa:cd:03:f2:0b:52:92:f1:62:6f:7f:87:ea:ab:76:
-         c9:6c:50:c2:19:82:af:aa:1d:f5:20:28:68:2e:d5:fc:64:37:
-         4f:cf:a5:44:c4:be:72:b4:8c:74:b4:6c:a7:fa:f2:bd:74:38:
-         43:2b:de:af:f9:dc:d8:e0:9d:9f:dc:3d:ca:a5:63:44:bf:92:
-         a2:4f:4c:80:1c:bb:1a:c3:9a:4a:04:55:4d:ca:ee:26:0b:1c:
-         bf:02:c5:64:d3:9e:7e:d2:d3:91:1c:4b:a2:f5:1c:e5:17:1c:
-         0d:0c:52:a3:91:1f:9c:f0:21:ed:02:94:6f:a9:a0:49:ca:e8:
-         43:8c:c4:f4:34:da:7c:22:a3:c6:66:3e:b8:1b:05:88:5d:ba:
-         bc:f7:bc:e5:dc:14:3d:a7:86:a8:b6:59:52:21:03:5e:8b:e3:
-         04:ed:4b:2a:1e:a3:4f:50
------BEGIN CERTIFICATE-----
-MIIF8DCCA9igAwIBAgIPBuhGJy8fCo/RhFzjafbVMA0GCSqGSIb3DQEBBQUAMDgx
-CzAJBgNVBAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwKSXpl
-bnBlLmNvbTAeFw0wNzEyMTMxMzA4MjdaFw0zNzEyMTMwODI3MjVaMDgxCzAJBgNV
-BAYTAkVTMRQwEgYDVQQKDAtJWkVOUEUgUy5BLjETMBEGA1UEAwwKSXplbnBlLmNv
-bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMnTesoPHqynhugWZWqx
-whtFMnGV2f4QW8yv56V5AY+Jw8ryVXH3d753lPNypCxE2J6SmxQ6oeckkAoKVo7F
-2CaU4dlI4S0+2gpy3aOZFdqBoof0e24md4lYrdbrDLJBenNubdt6eEHpCIgSfocu
-ZhFjbFT7PJ1ywLwu/8K33Q124zrX97RovqL144FuwUZvXY3gTcZUVYkaMzEKsVe5
-o4qYw+w7NMWVQWl+dcI8IMVhulFHoCCQk6GQS/NOfIVFVJrRBSZBsLVNHTO+xAPI
-JXzBcNs79AktVCdIrC/hxKw+yMuSTFM5NyPs0wH54AlETU1kwOENWocivK0bo/4m
-tRXzp/yEGensoYi0RGmEg/OJ0XQGqcwL1sLeJ4VQJsoXuMl6h1YsGgEebL4TrRCs
-tST1OJGh1kva8bvS3ke18byB9llrzxlT6Y0Vy0rLqW9E5RtBz+GGp8rQap+8TI0G
-M1qiheWQNaBiXBZO8OOi+gMatCxxs1gs3nsL2xoP694hHwZ3BgOwye+Z/MC5TwuG
-KP7Suerj2qXDR2kS4Nvw9hmL7Xtw1wLW7YcYKCwEJEx35EiKGsY7mtQPyvp10gFA
-Wo15v4vPS8+qFsGV5K1Mij4XkdSxYuWC5YAEpAN+jb/af6IPl08M0w3719Hlcn4c
-yHf/W5oPt64FRuXxqBbsR6QXAgMBAAGjgfYwgfMwgbAGA1UdEQSBqDCBpYEPaW5m
-b0BpemVucGUuY29tpIGRMIGOMUcwRQYDVQQKDD5JWkVOUEUgUy5BLiAtIENJRiBB
-MDEzMzcyNjAtUk1lcmMuVml0b3JpYS1HYXN0ZWl6IFQxMDU1IEY2MiBTODFDMEEG
-A1UECQw6QXZkYSBkZWwgTWVkaXRlcnJhbmVvIEV0b3JiaWRlYSAxNCAtIDAxMDEw
-IFZpdG9yaWEtR2FzdGVpejAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
-BjAdBgNVHQ4EFgQUHRxlDqjyJXu0kc/ksbHmvVV0bAUwDQYJKoZIhvcNAQEFBQAD
-ggIBAMeBRm8hGE+gBe/n1bqXUKJg7aWSFBpSm/nxiEqg3Hh10dUflU7F57dp5iL0
-+CmoKom+z892j+Mxc50m0xwbRxYpB2iEitL7sRskPtKYGCwkjq/2e+pEFhsqxPqg
-l+nqbFik73WrAGLRne0TNtsiC7bw0fRue0aHwp28vb5CO7dz0JoqPLRbEhYArxk5
-ja2DUBzIgU+9Ag89njWW7u/kwgN8KRwCfr00J16vU9adF79XbOnQgxCvv11N75B7
-XSus7Op9ACYXzAJcY9cZGKfsK8eKPlgOiofmg59OsjQerFQJTx0CCzl+gQgVuaBp
-E8gyK+OtbBPWg50jLbJtooiGfqgNASYJQNntKE6MkyQP2/EeTXp6WuKlWPHcj1+Z
-ggwuz7LdmMySlD/5CbOlliVbN/UShUHiGUzGigjB3Bh6Dx4/glmimj4/+eAJn/3B
-kUtdyXvWton83x18hqrNA/ILUpLxYm9/h+qrdslsUMIZgq+qHfUgKGgu1fxkN0/P
-pUTEvnK0jHS0bKf68r10OEMr3q/53NjgnZ/cPcqlY0S/kqJPTIAcuxrDmkoEVU3K
-7iYLHL8CxWTTnn7S05EcS6L1HOUXHA0MUqORH5zwIe0ClG+poEnK6EOMxPQ02nwi
-o8ZmPrgbBYhdurz3vOXcFD2nhqi2WVIhA16L4wTtSyoeo09Q
------END CERTIFICATE-----
-
-# 54455f7129c20b1447c418f997168f24c58fc5023bf5da5be2eb6e1dd8902ed5
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            0a:7e:a6:df:4b:44:9e:da:6a:24:85:9e:e6:b8:15:d3:16:7f:bb:b1
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2
-        Validity
-            Not Before: Mar  5 13:21:57 2015 GMT
-            Not After : Mar  5 13:21:57 2035 GMT
-        Subject: C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:d7:85:97:bf:11:98:e9:f0:62:83:4c:3c:87:f9:
-                    53:6a:37:0b:f2:0f:3c:87:ce:6f:dc:26:29:bd:c5:
-                    89:ba:c9:83:3d:f7:ee:ca:5b:c6:6d:49:73:b4:c9:
-                    46:a3:1b:34:13:3f:c1:89:45:57:f4:d9:b1:fb:36:
-                    65:4b:fb:08:e2:48:71:11:c8:6e:3b:9e:9d:df:89:
-                    65:37:a6:85:f6:3b:44:18:b6:c6:37:30:62:44:92:
-                    97:69:7d:42:30:24:e4:0d:0c:89:6b:63:de:c5:e1:
-                    df:4e:a9:14:6c:53:e0:61:ce:f6:17:2f:1d:3c:bd:
-                    e6:22:4c:1d:93:f5:10:c4:a1:76:ec:6a:de:c5:6c:
-                    df:96:b4:56:40:42:c0:62:92:30:a1:2d:15:94:a0:
-                    d2:20:06:09:6e:6a:6d:e5:eb:b7:be:d4:f0:f1:15:
-                    7c:8b:e6:4e:ba:13:cc:4b:27:5e:99:3c:17:5d:8f:
-                    81:7f:33:3d:4f:d3:3f:1b:ec:5c:3f:f0:3c:4c:75:
-                    6e:f2:a6:d5:9d:da:2d:07:63:02:c6:72:e9:94:bc:
-                    4c:49:95:4f:88:52:c8:db:e8:69:82:f8:cc:34:5b:
-                    22:f0:86:a7:89:bd:48:0a:6d:66:81:6d:c8:c8:64:
-                    fb:01:e1:f4:e1:de:d9:9e:dd:db:5b:d4:2a:99:26:
-                    15:1b:1e:4c:92:29:82:9e:d5:92:81:92:41:70:19:
-                    f7:a4:e5:93:4b:bc:77:67:31:dd:1c:fd:31:70:0d:
-                    17:99:0c:f9:0c:39:19:2a:17:b5:30:71:55:d5:0f:
-                    ae:58:e1:3d:2f:34:9b:cf:9f:f6:78:85:c2:93:7a:
-                    72:3e:66:8f:9c:16:11:60:8f:9e:89:6f:67:be:e0:
-                    47:5a:3b:0c:9a:67:8b:cf:46:c6:ae:38:a3:f2:a7:
-                    bc:e6:d6:85:6b:33:24:70:22:4b:cb:08:9b:bb:c8:
-                    f8:02:29:1d:be:20:0c:46:bf:6b:87:9b:b3:2a:66:
-                    42:35:46:6c:aa:ba:ad:f9:98:7b:e9:50:55:14:31:
-                    bf:b1:da:2d:ed:80:ad:68:24:fb:69:ab:d8:71:13:
-                    30:e6:67:b3:87:40:fd:89:7e:f2:43:d1:11:df:2f:
-                    65:2f:64:ce:5f:14:b9:b1:bf:31:bd:87:78:5a:59:
-                    65:88:aa:fc:59:32:48:86:d6:4c:b9:29:4b:95:d3:
-                    76:f3:77:25:6d:42:1c:38:83:4d:fd:a3:5f:9b:7f:
-                    2d:ac:79:1b:0e:42:31:97:63:a4:fb:8a:69:d5:22:
-                    0d:34:90:30:2e:a8:b4:e0:6d:b6:94:ac:bc:8b:4e:
-                    d7:70:fc:c5:38:8e:64:25:e1:4d:39:90:ce:c9:87:
-                    84:58:71
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Certificate Policies: 
-                Policy: 1.3.171.1.1.1.10
-                  CPS: https://repository.luxtrust.lu
-
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Authority Key Identifier: 
-                keyid:FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3
-
-            X509v3 Subject Key Identifier: 
-                FF:18:28:76:F9:48:05:2C:A1:AE:F1:2B:1B:2B:B2:53:F8:4B:7C:B3
-    Signature Algorithm: sha256WithRSAEncryption
-         6a:19:14:ed:6e:79:c1:2c:87:d4:0d:70:7e:d7:f6:78:c9:0b:
-         04:4e:c4:b1:ce:93:70:fe:b0:54:c0:32:cd:99:30:64:17:bf:
-         0f:e5:e2:33:fd:07:36:40:72:0e:1a:b6:6a:59:d6:00:e5:68:
-         20:dd:2e:72:0d:1f:6a:64:31:20:84:7d:49:a6:5a:37:eb:45:
-         c9:85:f5:d4:c7:17:99:07:e6:9b:55:e4:0c:e8:a9:b4:ce:8c:
-         5b:b5:11:5c:cf:8a:0e:0d:d6:ac:77:81:fe:32:9c:24:9e:72:
-         ce:54:f3:d0:6f:a2:56:d6:ec:c3:37:2c:65:58:be:57:00:1a:
-         f2:35:fa:eb:7b:31:5d:c2:c1:12:3d:96:81:88:96:89:c1:59:
-         5c:7a:e6:7f:70:34:e7:83:e2:b1:e1:e1:b8:58:ef:d4:95:e4:
-         60:9c:f0:96:97:72:8c:eb:84:02:2e:65:8f:a4:b7:d2:7f:67:
-         dd:c8:d3:9e:5c:aa:a9:a4:a0:25:14:06:9b:ec:4f:7e:2d:0b:
-         7f:1d:75:f1:33:d8:ed:ce:b8:75:6d:3e:5b:b9:98:1d:31:0d:
-         56:d8:43:0f:30:91:b2:04:6b:dd:56:be:95:80:55:67:be:d8:
-         cd:83:d9:18:ee:2e:0f:86:2d:92:9e:70:13:ec:de:51:c9:43:
-         78:02:a5:4d:c8:f9:5f:c4:91:58:46:16:77:5a:74:aa:40:bc:
-         07:9f:30:b9:b1:f7:12:17:dd:e3:ff:24:40:1d:7a:6a:d1:4f:
-         18:0a:aa:90:1d:eb:40:1e:df:a1:1e:44:92:10:9a:f2:8d:e1:
-         d1:4b:46:9e:e8:45:42:97:ea:45:99:f3:ec:66:d5:02:fa:f2:
-         a6:4a:24:aa:de:ce:b9:ca:f9:3f:93:6f:f9:a3:ba:ea:a5:3e:
-         99:ad:fd:ff:7b:99:f5:65:ee:f0:59:28:67:d7:90:95:a4:13:
-         84:a9:84:c1:e8:ce:ce:75:93:63:1a:bc:3c:ea:d5:64:1f:2d:
-         2a:12:39:c6:c3:5a:32:ed:47:91:16:0e:bc:38:c1:50:de:8f:
-         ca:2a:90:34:1c:ee:41:94:9c:5e:19:2e:f8:45:49:99:74:91:
-         b0:04:6f:e3:04:5a:b1:ab:2a:ab:fe:c7:d0:96:b6:da:e1:4a:
-         64:06:6e:60:4d:bd:42:4e:ff:78:da:24:ca:1b:b4:d7:96:39:
-         6c:ae:f1:0e:aa:a7:7d:48:8b:20:4c:cf:64:d6:b8:97:46:b0:
-         4e:d1:2a:56:3a:a0:93:bd:af:80:24:e0:0a:7e:e7:ca:d5:ca:
-         e8:85:55:dc:36:2a:e1:94:68:93:c7:66:72:44:0f:80:21:32:
-         6c:25:c7:23:80:83:0a:eb
------BEGIN CERTIFICATE-----
-MIIFwzCCA6ugAwIBAgIUCn6m30tEntpqJIWe5rgV0xZ/u7EwDQYJKoZIhvcNAQEL
-BQAwRjELMAkGA1UEBhMCTFUxFjAUBgNVBAoMDUx1eFRydXN0IFMuQS4xHzAdBgNV
-BAMMFkx1eFRydXN0IEdsb2JhbCBSb290IDIwHhcNMTUwMzA1MTMyMTU3WhcNMzUw
-MzA1MTMyMTU3WjBGMQswCQYDVQQGEwJMVTEWMBQGA1UECgwNTHV4VHJ1c3QgUy5B
-LjEfMB0GA1UEAwwWTHV4VHJ1c3QgR2xvYmFsIFJvb3QgMjCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBANeFl78RmOnwYoNMPIf5U2o3C/IPPIfOb9wmKb3F
-ibrJgz337spbxm1Jc7TJRqMbNBM/wYlFV/TZsfs2ZUv7COJIcRHIbjuend+JZTem
-hfY7RBi2xjcwYkSSl2l9QjAk5A0MiWtj3sXh306pFGxT4GHO9hcvHTy95iJMHZP1
-EMShduxq3sVs35a0VkBCwGKSMKEtFZSg0iAGCW5qbeXrt77U8PEVfIvmTroTzEsn
-Xpk8F12PgX8zPU/TPxvsXD/wPEx1bvKm1Z3aLQdjAsZy6ZS8TEmVT4hSyNvoaYL4
-zDRbIvCGp4m9SAptZoFtyMhk+wHh9OHe2Z7d21vUKpkmFRseTJIpgp7VkoGSQXAZ
-96Tlk0u8d2cx3Rz9MXANF5kM+Qw5GSoXtTBxVdUPrljhPS80m8+f9niFwpN6cj5m
-j5wWEWCPnolvZ77gR1o7DJpni89Gxq44o/KnvObWhWszJHAiS8sIm7vI+AIpHb4g
-DEa/a4ebsypmQjVGbKq6rfmYe+lQVRQxv7HaLe2ArWgk+2mr2HETMOZns4dA/Yl+
-8kPREd8vZS9kzl8UubG/Mb2HeFpZZYiq/FkySIbWTLkpS5XTdvN3JW1CHDiDTf2j
-X5t/Lax5Gw5CMZdjpPuKadUiDTSQMC6otOBttpSsvItO13D8xTiOZCXhTTmQzsmH
-hFhxAgMBAAGjgagwgaUwDwYDVR0TAQH/BAUwAwEB/zBCBgNVHSAEOzA5MDcGByuB
-KwEBAQowLDAqBggrBgEFBQcCARYeaHR0cHM6Ly9yZXBvc2l0b3J5Lmx1eHRydXN0
-Lmx1MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBT/GCh2+UgFLKGu8SsbK7JT
-+Et8szAdBgNVHQ4EFgQU/xgodvlIBSyhrvErGyuyU/hLfLMwDQYJKoZIhvcNAQEL
-BQADggIBAGoZFO1uecEsh9QNcH7X9njJCwROxLHOk3D+sFTAMs2ZMGQXvw/l4jP9
-BzZAcg4atmpZ1gDlaCDdLnINH2pkMSCEfUmmWjfrRcmF9dTHF5kH5ptV5AzoqbTO
-jFu1EVzPig4N1qx3gf4ynCSecs5U89BvolbW7MM3LGVYvlcAGvI1+ut7MV3CwRI9
-loGIlonBWVx65n9wNOeD4rHh4bhY79SV5GCc8JaXcozrhAIuZY+kt9J/Z93I055c
-qqmkoCUUBpvsT34tC38ddfEz2O3OuHVtPlu5mB0xDVbYQw8wkbIEa91WvpWAVWe+
-2M2D2RjuLg+GLZKecBPs3lHJQ3gCpU3I+V/EkVhGFndadKpAvAefMLmx9xIX3eP/
-JEAdemrRTxgKqpAd60Ae36EeRJIQmvKN4dFLRp7oRUKX6kWZ8+xm1QL68qZKJKre
-zrnK+T+Tb/mjuuqlPpmt/f97mfVl7vBZKGfXkJWkE4SphMHozs51k2MavDzq1WQf
-LSoSOcbDWjLtR5EWDrw4wVDej8oqkDQc7kGUnF4ZLvhFSZl0kbAEb+MEWrGrKqv+
-x9CWttrhSmQGbmBNvUJO/3jaJMobtNeWOWyu8Q6qp31IiyBMz2TWuJdGsE7RKlY6
-oJO9r4Ak4Ap+58rVyuiFVdw2KuGUaJPHZnJED4AhMmwlxyOAgwrr
------END CERTIFICATE-----
-
-# 6c61dac3a2def031506be036d2a6fe401994fbd13df9c8d466599274c446ec98
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 80544274841616 (0x49412ce40010)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = HU, L = Budapest, O = NetLock Kft., OU = Tan\C3\BAs\C3\ADtv\C3\A1nykiad\C3\B3k (Certification Services), CN = NetLock Arany (Class Gold) F\C5\91tan\C3\BAs\C3\ADtv\C3\A1ny
-        Validity
-            Not Before: Dec 11 15:08:21 2008 GMT
-            Not After : Dec  6 15:08:21 2028 GMT
-        Subject: C = HU, L = Budapest, O = NetLock Kft., OU = Tan\C3\BAs\C3\ADtv\C3\A1nykiad\C3\B3k (Certification Services), CN = NetLock Arany (Class Gold) F\C5\91tan\C3\BAs\C3\ADtv\C3\A1ny
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:c4:24:5e:73:be:4b:6d:14:c3:a1:f4:e3:97:90:
-                    6e:d2:30:45:1e:3c:ee:67:d9:64:e0:1a:8a:7f:ca:
-                    30:ca:83:e3:20:c1:e3:f4:3a:d3:94:5f:1a:7c:5b:
-                    6d:bf:30:4f:84:27:f6:9f:1f:49:bc:c6:99:0a:90:
-                    f2:0f:f5:7f:43:84:37:63:51:8b:7a:a5:70:fc:7a:
-                    58:cd:8e:9b:ed:c3:46:6c:84:70:5d:da:f3:01:90:
-                    23:fc:4e:30:a9:7e:e1:27:63:e7:ed:64:3c:a0:b8:
-                    c9:33:63:fe:16:90:ff:b0:b8:fd:d7:a8:c0:c0:94:
-                    43:0b:b6:d5:59:a6:9e:56:d0:24:1f:70:79:af:db:
-                    39:54:0d:65:75:d9:15:41:94:01:af:5e:ec:f6:8d:
-                    f1:ff:ad:64:fe:20:9a:d7:5c:eb:fe:a6:1f:08:64:
-                    a3:8b:76:55:ad:1e:3b:28:60:2e:87:25:e8:aa:af:
-                    1f:c6:64:46:20:b7:70:7f:3c:de:48:db:96:53:b7:
-                    39:77:e4:1a:e2:c7:16:84:76:97:5b:2f:bb:19:15:
-                    85:f8:69:85:f5:99:a7:a9:f2:34:a7:a9:b6:a6:03:
-                    fc:6f:86:3d:54:7c:76:04:9b:6b:f9:40:5d:00:34:
-                    c7:2e:99:75:9d:e5:88:03:aa:4d:f8:03:d2:42:76:
-                    c0:1b
-                Exponent: 43147 (0xa88b)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:4
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                CC:FA:67:93:F0:B6:B8:D0:A5:C0:1E:F3:53:FD:8C:53:DF:83:D7:96
-    Signature Algorithm: sha256WithRSAEncryption
-         ab:7f:ee:1c:16:a9:9c:3c:51:00:a0:c0:11:08:05:a7:99:e6:
-         6f:01:88:54:61:6e:f1:b9:18:ad:4a:ad:fe:81:40:23:94:2f:
-         fb:75:7c:2f:28:4b:62:24:81:82:0b:f5:61:f1:1c:6e:b8:61:
-         38:eb:81:fa:62:a1:3b:5a:62:d3:94:65:c4:e1:e6:6d:82:f8:
-         2f:25:70:b2:21:26:c1:72:51:1f:8c:2c:c3:84:90:c3:5a:8f:
-         ba:cf:f4:a7:65:a5:eb:98:d1:fb:05:b2:46:75:15:23:6a:6f:
-         85:63:30:80:f0:d5:9e:1f:29:1c:c2:6c:b0:50:59:5d:90:5b:
-         3b:a8:0d:30:cf:bf:7d:7f:ce:f1:9d:83:bd:c9:46:6e:20:a6:
-         f9:61:51:ba:21:2f:7b:be:a5:15:63:a1:d4:95:87:f1:9e:b9:
-         f3:89:f3:3d:85:b8:b8:db:be:b5:b9:29:f9:da:37:05:00:49:
-         94:03:84:44:e7:bf:43:31:cf:75:8b:25:d1:f4:a6:64:f5:92:
-         f6:ab:05:eb:3d:e9:a5:0b:36:62:da:cc:06:5f:36:8b:b6:5e:
-         31:b8:2a:fb:5e:f6:71:df:44:26:9e:c4:e6:0d:91:b4:2e:75:
-         95:80:51:6a:4b:30:a6:b0:62:a1:93:f1:9b:d8:ce:c4:63:75:
-         3f:59:47:b1
------BEGIN CERTIFICATE-----
-MIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqGSIb3DQEBCwUAMIGnMQswCQYDVQQG
-EwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoMDE5ldExvY2sgS2Z0LjE3
-MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZpY2F0aW9uIFNl
-cnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xhc3MgR29sZCkgRsWR
-dGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgxMjA2MTUwODIxWjCB
-pzELMAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxOZXRM
-b2NrIEtmdC4xNzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlm
-aWNhdGlvbiBTZXJ2aWNlcykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNz
-IEdvbGQpIEbFkXRhbsO6c8OtdHbDoW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAxCRec75LbRTDofTjl5Bu0jBFHjzuZ9lk4BqKf8owyoPjIMHj9DrT
-lF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw/HpYzY6b7cNGbIRwXdrz
-AZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaaeVtAkH3B5r9s5
-VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8fxmRG
-ILdwfzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2
-BJtr+UBdADTHLpl1neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAG
-AQH/AgEEMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2M
-U9+D15YwDQYJKoZIhvcNAQELBQADggEBAKt/7hwWqZw8UQCgwBEIBaeZ5m8BiFRh
-bvG5GK1Krf6BQCOUL/t1fC8oS2IkgYIL9WHxHG64YTjrgfpioTtaYtOUZcTh5m2C
-+C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY0fsFskZ1FSNqb4VjMIDw1Z4fKRzC
-bLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+pRVjodSVh/GeufOJ8z2F
-uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2
-XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=
------END CERTIFICATE-----
-
-# 15f0ba00a3ac7af3ac884c072b1011a077bd77c097f40164b2f8598abd83860c
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
-        Validity
-            Not Before: Dec  1 00:00:00 2006 GMT
-            Not After : Dec 31 23:59:59 2029 GMT
-        Subject: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:e4:bc:7e:92:30:6d:c6:d8:8e:2b:0b:bc:46:ce:
-                    e0:27:96:de:de:f9:fa:12:d3:3c:33:73:b3:04:2f:
-                    bc:71:8c:e5:9f:b6:22:60:3e:5f:5d:ce:09:ff:82:
-                    0c:1b:9a:51:50:1a:26:89:dd:d5:61:5d:19:dc:12:
-                    0f:2d:0a:a2:43:5d:17:d0:34:92:20:ea:73:cf:38:
-                    2c:06:26:09:7a:72:f7:fa:50:32:f8:c2:93:d3:69:
-                    a2:23:ce:41:b1:cc:e4:d5:1f:36:d1:8a:3a:f8:8c:
-                    63:e2:14:59:69:ed:0d:d3:7f:6b:e8:b8:03:e5:4f:
-                    6a:e5:98:63:69:48:05:be:2e:ff:33:b6:e9:97:59:
-                    69:f8:67:19:ae:93:61:96:44:15:d3:72:b0:3f:bc:
-                    6a:7d:ec:48:7f:8d:c3:ab:aa:71:2b:53:69:41:53:
-                    34:b5:b0:b9:c5:06:0a:c4:b0:45:f5:41:5d:6e:89:
-                    45:7b:3d:3b:26:8c:74:c2:e5:d2:d1:7d:b2:11:d4:
-                    fb:58:32:22:9a:80:c9:dc:fd:0c:e9:7f:5e:03:97:
-                    ce:3b:00:14:87:27:70:38:a9:8e:6e:b3:27:76:98:
-                    51:e0:05:e3:21:ab:1a:d5:85:22:3c:29:b5:9a:16:
-                    c5:80:a8:f4:bb:6b:30:8f:2f:46:02:a2:b1:0c:22:
-                    e0:d3
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                21:30:C9:FB:00:D7:4E:98:DA:87:AA:2A:D0:A7:2E:B1:40:31:A7:4C
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl
-
-    Signature Algorithm: sha1WithRSAEncryption
-         bb:ae:4b:e7:b7:57:eb:7f:aa:2d:b7:73:47:85:6a:c1:e4:a5:
-         1d:e4:e7:3c:e9:f4:59:65:77:b5:7a:5b:5a:8d:25:36:e0:7a:
-         97:2e:38:c0:57:60:83:98:06:83:9f:b9:76:7a:6e:50:e0:ba:
-         88:2c:fc:45:cc:18:b0:99:95:51:0e:ec:1d:b8:88:ff:87:50:
-         1c:82:c2:e3:e0:32:80:bf:a0:0b:47:c8:c3:31:ef:99:67:32:
-         80:4f:17:21:79:0c:69:5c:de:5e:34:ae:02:b5:26:ea:50:df:
-         7f:18:65:2c:c9:f2:63:e1:a9:07:fe:7c:71:1f:6b:33:24:6a:
-         1e:05:f7:05:68:c0:6a:12:cb:2e:5e:61:cb:ae:28:d3:7e:c2:
-         b4:66:91:26:5f:3c:2e:24:5f:cb:58:0f:eb:28:ec:af:11:96:
-         f3:dc:7b:6f:c0:a7:88:f2:53:77:b3:60:5e:ae:ae:28:da:35:
-         2c:6f:34:45:d3:26:e1:de:ec:5b:4f:27:6b:16:7c:bd:44:04:
-         18:82:b3:89:79:17:10:71:3d:7a:a2:16:4e:f5:01:cd:a4:6c:
-         65:68:a1:49:76:5c:43:c9:d8:bc:36:67:6c:a5:94:b5:d4:cc:
-         b9:bd:6a:35:56:21:de:d8:c3:eb:fb:cb:a4:60:4c:b0:55:a0:
-         a0:7b:57:b2
------BEGIN CERTIFICATE-----
-MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBi
-MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu
-MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp
-dHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJV
-UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO
-ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwz
-c7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPP
-OCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl
-mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnF
-BgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4
-qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcw
-gZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIB
-BjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwu
-bmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3Jp
-dHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc8
-6fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/
-h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH
-/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv
-wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHN
-pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey
------END CERTIFICATE-----
-
-# 001686cd181f83a1b1217d305b365c41e3470a78a1d37b134a98cd547b92dab3
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            1c:a0:2d:c1:52:3b:6a:6d:8b:5c:1f:95:4a:ed:ac:30
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
-        Validity
-            Not Before: Jan  1 00:00:00 2011 GMT
-            Not After : Dec 31 23:59:59 2030 GMT
-        Subject: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:e4:bc:7e:92:30:6d:c6:d8:8e:2b:0b:bc:46:ce:
-                    e0:27:96:de:de:f9:fa:12:d3:3c:33:73:b3:04:2f:
-                    bc:71:8c:e5:9f:b6:22:60:3e:5f:5d:ce:09:ff:82:
-                    0c:1b:9a:51:50:1a:26:89:dd:d5:61:5d:19:dc:12:
-                    0f:2d:0a:a2:43:5d:17:d0:34:92:20:ea:73:cf:38:
-                    2c:06:26:09:7a:72:f7:fa:50:32:f8:c2:93:d3:69:
-                    a2:23:ce:41:b1:cc:e4:d5:1f:36:d1:8a:3a:f8:8c:
-                    63:e2:14:59:69:ed:0d:d3:7f:6b:e8:b8:03:e5:4f:
-                    6a:e5:98:63:69:48:05:be:2e:ff:33:b6:e9:97:59:
-                    69:f8:67:19:ae:93:61:96:44:15:d3:72:b0:3f:bc:
-                    6a:7d:ec:48:7f:8d:c3:ab:aa:71:2b:53:69:41:53:
-                    34:b5:b0:b9:c5:06:0a:c4:b0:45:f5:41:5d:6e:89:
-                    45:7b:3d:3b:26:8c:74:c2:e5:d2:d1:7d:b2:11:d4:
-                    fb:58:32:22:9a:80:c9:dc:fd:0c:e9:7f:5e:03:97:
-                    ce:3b:00:14:87:27:70:38:a9:8e:6e:b3:27:76:98:
-                    51:e0:05:e3:21:ab:1a:d5:85:22:3c:29:b5:9a:16:
-                    c5:80:a8:f4:bb:6b:30:8f:2f:46:02:a2:b1:0c:22:
-                    e0:d3
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                21:30:C9:FB:00:D7:4E:98:DA:87:AA:2A:D0:A7:2E:B1:40:31:A7:4C
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         c2:89:84:a0:e8:8c:66:fd:ff:13:05:1b:c3:3a:8e:98:49:8a:
-         f8:aa:00:5c:26:fd:72:6a:a3:7e:12:1b:94:ae:54:f8:21:8f:
-         a7:93:4f:f7:16:ef:b9:b9:b3:32:c0:25:21:31:66:37:2c:09:
-         b0:fe:32:b0:37:ec:3c:b8:ce:8f:08:aa:08:90:07:5c:75:d5:
-         e1:4e:2c:cb:02:24:e9:a2:5e:e9:f5:78:35:22:06:1c:f2:1f:
-         88:b1:e1:5c:cc:96:54:fa:6f:49:cc:8d:f1:56:03:ed:cf:2c:
-         9f:27:de:e5:ca:83:44:be:46:40:f9:57:2e:d2:7f:31:2d:ce:
-         83:dc:fe:70:6b:84:d0:a3:9f:ff:97:d0:a8:d7:02:ec:b1:2c:
-         f0:ef:73:38:3d:99:ac:c4:4f:01:bf:d5:6a:ea:c6:2e:32:29:
-         17:0a:cb:e6:69:9e:d1:4a:b5:f6:df:8e:19:f8:95:e9:45:a9:
-         0e:cd:6d:41:59:20:9e:73:c6:6c:71:1c:9c:d4:4d:30:a8:73:
-         09:a0:15:f3:a0:45:26:c3:5b:fd:bb:b9:d8:2d:d7:1f:f5:05:
-         30:19:f6:ae:0f:8e:62:8f:df:c8:4f:86:d9:1d:61:16:b3:c9:
-         f0:bb:fb:c7:f5:af:01:22:47:ec:d8:da:cf:1c:f3:53:66:ba:
-         53:09:01:f9
------BEGIN CERTIFICATE-----
-MIIDkDCCAnigAwIBAgIQHKAtwVI7am2LXB+VSu2sMDANBgkqhkiG9w0BAQUFADBi
-MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu
-MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp
-dHkwHhcNMTEwMTAxMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJV
-UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO
-ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwz
-c7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPP
-OCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl
-mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnF
-BgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4
-qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjQjBA
-MB0GA1UdDgQWBBQhMMn7ANdOmNqHqirQpy6xQDGnTDAOBgNVHQ8BAf8EBAMCAQYw
-DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAwomEoOiMZv3/EwUb
-wzqOmEmK+KoAXCb9cmqjfhIblK5U+CGPp5NP9xbvubmzMsAlITFmNywJsP4ysDfs
-PLjOjwiqCJAHXHXV4U4sywIk6aJe6fV4NSIGHPIfiLHhXMyWVPpvScyN8VYD7c8s
-nyfe5cqDRL5GQPlXLtJ/MS3Og9z+cGuE0KOf/5fQqNcC7LEs8O9zOD2ZrMRPAb/V
-aurGLjIpFwrL5mme0Uq19t+OGfiV6UWpDs1tQVkgnnPGbHEcnNRNMKhzCaAV86BF
-JsNb/bu52C3XH/UFMBn2rg+OYo/fyE+G2R1hFrPJ8Lv7x/WvASJH7NjazxzzU2a6
-UwkB+Q==
------END CERTIFICATE-----
-
-# 6b9c08e86eb0f767cfad65cd98b62149e5494a67f5845e7bd1ed019f27b86bd6
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            76:b1:20:52:74:f0:85:87:46:b3:f8:23:1a:f6:c2:c0
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA
-        Validity
-            Not Before: Dec  1 15:00:32 2014 GMT
-            Not After : Dec  1 15:10:31 2039 GMT
-        Subject: C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:d8:17:b7:1c:4a:24:2a:d6:97:b1:ca:e2:1e:fb:
-                    7d:38:ef:98:f5:b2:39:98:4e:27:b8:11:5d:7b:d2:
-                    25:94:88:82:15:26:6a:1b:31:bb:a8:5b:21:21:2b:
-                    d8:0f:4e:9f:5a:f1:b1:5a:e4:79:d6:32:23:2b:e1:
-                    53:cc:99:45:5c:7b:4f:ad:bc:bf:87:4a:0b:4b:97:
-                    5a:a8:f6:48:ec:7d:7b:0d:cd:21:06:df:9e:15:fd:
-                    41:8a:48:b7:20:f4:a1:7a:1b:57:d4:5d:50:ff:ba:
-                    67:d8:23:99:1f:c8:3f:e3:de:ff:6f:5b:77:b1:6b:
-                    6e:b8:c9:64:f7:e1:ca:41:46:0e:29:71:d0:b9:23:
-                    fc:c9:81:5f:4e:f7:6f:df:bf:84:ad:73:64:bb:b7:
-                    42:8e:69:f6:d4:76:1d:7e:9d:a7:b8:57:8a:51:67:
-                    72:d7:d4:a8:b8:95:54:40:73:03:f6:ea:f4:eb:fe:
-                    28:42:77:3f:9d:23:1b:b2:b6:3d:80:14:07:4c:2e:
-                    4f:f7:d5:0a:16:0d:bd:66:43:37:7e:23:43:79:c3:
-                    40:86:f5:4c:29:da:8e:9a:ad:0d:a5:04:87:88:1e:
-                    85:e3:e9:53:d5:9b:c8:8b:03:63:78:eb:e0:19:4a:
-                    6e:bb:2f:6b:33:64:58:93:ad:69:bf:8f:1b:ef:82:
-                    48:c7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: 
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                35:0F:C8:36:63:5E:E2:A3:EC:F9:3B:66:15:CE:51:52:E3:91:9A:3D
-            1.3.6.1.4.1.311.21.1: 
-                ...
-    Signature Algorithm: sha256WithRSAEncryption
-         40:4c:fb:87:b2:99:81:90:7e:9d:c5:b0:b0:26:cd:88:7b:2b:
-         32:8d:6e:b8:21:71:58:97:7d:ae:37:14:af:3e:e7:f7:9a:e2:
-         7d:f6:71:98:99:04:aa:43:74:78:a3:e3:49:61:3e:73:8c:4d:
-         94:e0:f9:71:c4:b6:16:0e:53:78:1f:d6:a2:87:2f:02:39:81:
-         29:3c:af:15:98:21:30:fe:28:90:00:8c:d1:e1:cb:fa:5e:c8:
-         fd:f8:10:46:3b:a2:78:42:91:17:74:55:0a:de:50:67:4d:66:
-         d1:a7:ff:fd:d9:c0:b5:a8:a3:8a:ce:66:f5:0f:43:cd:a7:2b:
-         57:7b:63:46:6a:aa:2e:52:d8:f4:ed:e1:6d:ad:29:90:78:48:
-         ba:e1:23:aa:a3:89:ec:b5:ab:96:c0:b4:4b:a2:1d:97:9e:7a:
-         f2:6e:40:71:df:68:f1:65:4d:ce:7c:05:df:53:65:a9:a5:f0:
-         b1:97:04:70:15:46:03:98:d4:d2:bf:54:b4:a0:58:7d:52:6f:
-         da:56:26:62:d4:d8:db:89:31:6f:1c:f0:22:c2:d3:62:1c:35:
-         cd:4c:69:15:54:1a:90:98:de:eb:1e:5f:ca:77:c7:cb:8e:3d:
-         43:69:9c:9a:58:d0:24:3b:df:1b:40:96:7e:35:ad:81:c7:4e:
-         71:ba:88:13
------BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIQdrEgUnTwhYdGs/gjGvbCwDANBgkqhkiG9w0BAQsFADBt
-MQswCQYDVQQGEwJDSDEQMA4GA1UEChMHV0lTZUtleTEiMCAGA1UECxMZT0lTVEUg
-Rm91bmRhdGlvbiBFbmRvcnNlZDEoMCYGA1UEAxMfT0lTVEUgV0lTZUtleSBHbG9i
-YWwgUm9vdCBHQiBDQTAeFw0xNDEyMDExNTAwMzJaFw0zOTEyMDExNTEwMzFaMG0x
-CzAJBgNVBAYTAkNIMRAwDgYDVQQKEwdXSVNlS2V5MSIwIAYDVQQLExlPSVNURSBG
-b3VuZGF0aW9uIEVuZG9yc2VkMSgwJgYDVQQDEx9PSVNURSBXSVNlS2V5IEdsb2Jh
-bCBSb290IEdCIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Be3
-HEokKtaXscriHvt9OO+Y9bI5mE4nuBFde9IllIiCFSZqGzG7qFshISvYD06fWvGx
-WuR51jIjK+FTzJlFXHtPrby/h0oLS5daqPZI7H17Dc0hBt+eFf1Biki3IPShehtX
-1F1Q/7pn2COZH8g/497/b1t3sWtuuMlk9+HKQUYOKXHQuSP8yYFfTvdv37+ErXNk
-u7dCjmn21HYdfp2nuFeKUWdy19SouJVUQHMD9ur06/4oQnc/nSMbsrY9gBQHTC5P
-99UKFg29ZkM3fiNDecNAhvVMKdqOmq0NpQSHiB6F4+lT1ZvIiwNjeOvgGUpuuy9r
-M2RYk61pv48b74JIxwIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw
-AwEB/zAdBgNVHQ4EFgQUNQ/INmNe4qPs+TtmFc5RUuORmj0wEAYJKwYBBAGCNxUB
-BAMCAQAwDQYJKoZIhvcNAQELBQADggEBAEBM+4eymYGQfp3FsLAmzYh7KzKNbrgh
-cViXfa43FK8+5/ea4n32cZiZBKpDdHij40lhPnOMTZTg+XHEthYOU3gf1qKHLwI5
-gSk8rxWYITD+KJAAjNHhy/peyP34EEY7onhCkRd0VQreUGdNZtGn//3ZwLWoo4rO
-ZvUPQ82nK1d7Y0Zqqi5S2PTt4W2tKZB4SLrhI6qjiey1q5bAtEuiHZeeevJuQHHf
-aPFlTc58Bd9TZaml8LGXBHAVRgOY1NK/VLSgWH1Sb9pWJmLU2NuJMW8c8CLC02Ic
-Nc1MaRVUGpCY3useX8p3x8uOPUNpnJpY0CQ73xtAln41rYHHTnG6iBM=
------END CERTIFICATE-----
-
-# 85a0dd7dd720adb7ff05f83d542b209dc7ff4528f7d677b18389fea5e5c49e86
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1289 (0x509)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
-        Validity
-            Not Before: Nov 24 18:27:00 2006 GMT
-            Not After : Nov 24 18:23:33 2031 GMT
-        Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:9a:18:ca:4b:94:0d:00:2d:af:03:29:8a:f0:0f:
-                    81:c8:ae:4c:19:85:1d:08:9f:ab:29:44:85:f3:2f:
-                    81:ad:32:1e:90:46:bf:a3:86:26:1a:1e:fe:7e:1c:
-                    18:3a:5c:9c:60:17:2a:3a:74:83:33:30:7d:61:54:
-                    11:cb:ed:ab:e0:e6:d2:a2:7e:f5:6b:6f:18:b7:0a:
-                    0b:2d:fd:e9:3e:ef:0a:c6:b3:10:e9:dc:c2:46:17:
-                    f8:5d:fd:a4:da:ff:9e:49:5a:9c:e6:33:e6:24:96:
-                    f7:3f:ba:5b:2b:1c:7a:35:c2:d6:67:fe:ab:66:50:
-                    8b:6d:28:60:2b:ef:d7:60:c3:c7:93:bc:8d:36:91:
-                    f3:7f:f8:db:11:13:c4:9c:77:76:c1:ae:b7:02:6a:
-                    81:7a:a9:45:83:e2:05:e6:b9:56:c1:94:37:8f:48:
-                    71:63:22:ec:17:65:07:95:8a:4b:df:8f:c6:5a:0a:
-                    e5:b0:e3:5f:5e:6b:11:ab:0c:f9:85:eb:44:e9:f8:
-                    04:73:f2:e9:fe:5c:98:8c:f5:73:af:6b:b4:7e:cd:
-                    d4:5c:02:2b:4c:39:e1:b2:95:95:2d:42:87:d7:d5:
-                    b3:90:43:b7:6c:13:f1:de:dd:f6:c4:f8:89:3f:d1:
-                    75:f5:92:c3:91:d5:8a:88:d0:90:ec:dc:6d:de:89:
-                    c2:65:71:96:8b:0d:03:fd:9c:bf:5b:16:ac:92:db:
-                    ea:fe:79:7c:ad:eb:af:f7:16:cb:db:cd:25:2b:e5:
-                    1f:fb:9a:9f:e2:51:cc:3a:53:0c:48:e6:0e:bd:c9:
-                    b4:76:06:52:e6:11:13:85:72:63:03:04:e0:04:36:
-                    2b:20:19:02:e8:74:a7:1f:b6:c9:56:66:f0:75:25:
-                    dc:67:c1:0e:61:60:88:b3:3e:d1:a8:fc:a3:da:1d:
-                    b0:d1:b1:23:54:df:44:76:6d:ed:41:d8:c1:b2:22:
-                    b6:53:1c:df:35:1d:dc:a1:77:2a:31:e4:2d:f5:e5:
-                    e5:db:c8:e0:ff:e5:80:d7:0b:63:a0:ff:33:a1:0f:
-                    ba:2c:15:15:ea:97:b3:d2:a2:b5:be:f2:8c:96:1e:
-                    1a:8f:1d:6c:a4:61:37:b9:86:73:33:d7:97:96:9e:
-                    23:7d:82:a4:4c:81:e2:a1:d1:ba:67:5f:95:07:a3:
-                    27:11:ee:16:10:7b:bc:45:4a:4c:b2:04:d2:ab:ef:
-                    d5:fd:0c:51:ce:50:6a:08:31:f9:91:da:0c:8f:64:
-                    5c:03:c3:3a:8b:20:3f:6e:8d:67:3d:3a:d6:fe:7d:
-                    5b:88:c9:5e:fb:cc:61:dc:8b:33:77:d3:44:32:35:
-                    09:62:04:92:16:10:d8:9e:27:47:fb:3b:21:e3:f8:
-                    eb:1d:5b
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: 
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                1A:84:62:BC:48:4C:33:25:04:D4:EE:D0:F6:03:C4:19:46:D1:94:6B
-            X509v3 Authority Key Identifier: 
-                keyid:1A:84:62:BC:48:4C:33:25:04:D4:EE:D0:F6:03:C4:19:46:D1:94:6B
-                DirName:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
-                serial:05:09
-
-    Signature Algorithm: sha1WithRSAEncryption
-         3e:0a:16:4d:9f:06:5b:a8:ae:71:5d:2f:05:2f:67:e6:13:45:
-         83:c4:36:f6:f3:c0:26:0c:0d:b5:47:64:5d:f8:b4:72:c9:46:
-         a5:03:18:27:55:89:78:7d:76:ea:96:34:80:17:20:dc:e7:83:
-         f8:8d:fc:07:b8:da:5f:4d:2e:67:b2:84:fd:d9:44:fc:77:50:
-         81:e6:7c:b4:c9:0d:0b:72:53:f8:76:07:07:41:47:96:0c:fb:
-         e0:82:26:93:55:8c:fe:22:1f:60:65:7c:5f:e7:26:b3:f7:32:
-         90:98:50:d4:37:71:55:f6:92:21:78:f7:95:79:fa:f8:2d:26:
-         87:66:56:30:77:a6:37:78:33:52:10:58:ae:3f:61:8e:f2:6a:
-         b1:ef:18:7e:4a:59:63:ca:8d:a2:56:d5:a7:2f:bc:56:1f:cf:
-         39:c1:e2:fb:0a:a8:15:2c:7d:4d:7a:63:c6:6c:97:44:3c:d2:
-         6f:c3:4a:17:0a:f8:90:d2:57:a2:19:51:a5:2d:97:41:da:07:
-         4f:a9:50:da:90:8d:94:46:e1:3e:f0:94:fd:10:00:38:f5:3b:
-         e8:40:e1:b4:6e:56:1a:20:cc:6f:58:8d:ed:2e:45:8f:d6:e9:
-         93:3f:e7:b1:2c:df:3a:d6:22:8c:dc:84:bb:22:6f:d0:f8:e4:
-         c6:39:e9:04:88:3c:c3:ba:eb:55:7a:6d:80:99:24:f5:6c:01:
-         fb:f8:97:b0:94:5b:eb:fd:d2:6f:f1:77:68:0d:35:64:23:ac:
-         b8:55:a1:03:d1:4d:42:19:dc:f8:75:59:56:a3:f9:a8:49:79:
-         f8:af:0e:b9:11:a0:7c:b7:6a:ed:34:d0:b6:26:62:38:1a:87:
-         0c:f8:e8:fd:2e:d3:90:7f:07:91:2a:1d:d6:7e:5c:85:83:99:
-         b0:38:08:3f:e9:5e:f9:35:07:e4:c9:62:6e:57:7f:a7:50:95:
-         f7:ba:c8:9b:e6:8e:a2:01:c5:d6:66:bf:79:61:f3:3c:1c:e1:
-         b9:82:5c:5d:a0:c3:e9:d8:48:bd:19:a2:11:14:19:6e:b2:86:
-         1b:68:3e:48:37:1a:88:b7:5d:96:5e:9c:c7:ef:27:62:08:e2:
-         91:19:5c:d2:f1:21:dd:ba:17:42:82:97:71:81:53:31:a9:9f:
-         f6:7d:62:bf:72:e1:a3:93:1d:cc:8a:26:5a:09:38:d0:ce:d7:
-         0d:80:16:b4:78:a5:3a:87:4c:8d:8a:a5:d5:46:97:f2:2c:10:
-         b9:bc:54:22:c0:01:50:69:43:9e:f4:b2:ef:6d:f8:ec:da:f1:
-         e3:b1:ef:df:91:8f:54:2a:0b:25:c1:26:19:c4:52:10:05:65:
-         d5:82:10:ea:c2:31:cd:2e
------BEGIN CERTIFICATE-----
-MIIFtzCCA5+gAwIBAgICBQkwDQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCQk0x
-GTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMTElF1b1ZhZGlzIFJv
-b3QgQ0EgMjAeFw0wNjExMjQxODI3MDBaFw0zMTExMjQxODIzMzNaMEUxCzAJBgNV
-BAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYDVQQDExJRdW9W
-YWRpcyBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCa
-GMpLlA0ALa8DKYrwD4HIrkwZhR0In6spRIXzL4GtMh6QRr+jhiYaHv5+HBg6XJxg
-Fyo6dIMzMH1hVBHL7avg5tKifvVrbxi3Cgst/ek+7wrGsxDp3MJGF/hd/aTa/55J
-WpzmM+Yklvc/ulsrHHo1wtZn/qtmUIttKGAr79dgw8eTvI02kfN/+NsRE8Scd3bB
-rrcCaoF6qUWD4gXmuVbBlDePSHFjIuwXZQeVikvfj8ZaCuWw419eaxGrDPmF60Tp
-+ARz8un+XJiM9XOva7R+zdRcAitMOeGylZUtQofX1bOQQ7dsE/He3fbE+Ik/0XX1
-ksOR1YqI0JDs3G3eicJlcZaLDQP9nL9bFqyS2+r+eXyt66/3FsvbzSUr5R/7mp/i
-Ucw6UwxI5g69ybR2BlLmEROFcmMDBOAENisgGQLodKcftslWZvB1JdxnwQ5hYIiz
-PtGo/KPaHbDRsSNU30R2be1B2MGyIrZTHN81Hdyhdyox5C315eXbyOD/5YDXC2Og
-/zOhD7osFRXql7PSorW+8oyWHhqPHWykYTe5hnMz15eWniN9gqRMgeKh0bpnX5UH
-oycR7hYQe7xFSkyyBNKr79X9DFHOUGoIMfmR2gyPZFwDwzqLID9ujWc9Otb+fVuI
-yV77zGHcizN300QyNQliBJIWENieJ0f7OyHj+OsdWwIDAQABo4GwMIGtMA8GA1Ud
-EwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBQahGK8SEwzJQTU7tD2
-A8QZRtGUazBuBgNVHSMEZzBlgBQahGK8SEwzJQTU7tD2A8QZRtGUa6FJpEcwRTEL
-MAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxGzAZBgNVBAMT
-ElF1b1ZhZGlzIFJvb3QgQ0EgMoICBQkwDQYJKoZIhvcNAQEFBQADggIBAD4KFk2f
-BluornFdLwUvZ+YTRYPENvbzwCYMDbVHZF34tHLJRqUDGCdViXh9duqWNIAXINzn
-g/iN/Ae42l9NLmeyhP3ZRPx3UIHmfLTJDQtyU/h2BwdBR5YM++CCJpNVjP4iH2Bl
-fF/nJrP3MpCYUNQ3cVX2kiF495V5+vgtJodmVjB3pjd4M1IQWK4/YY7yarHvGH5K
-WWPKjaJW1acvvFYfzznB4vsKqBUsfU16Y8Zsl0Q80m/DShcK+JDSV6IZUaUtl0Ha
-B0+pUNqQjZRG4T7wlP0QADj1O+hA4bRuVhogzG9Yje0uRY/W6ZM/57Es3zrWIozc
-hLsib9D45MY56QSIPMO661V6bYCZJPVsAfv4l7CUW+v90m/xd2gNNWQjrLhVoQPR
-TUIZ3Ph1WVaj+ahJefivDrkRoHy3au000LYmYjgahwz46P0u05B/B5EqHdZ+XIWD
-mbA4CD/pXvk1B+TJYm5Xf6dQlfe6yJvmjqIBxdZmv3lh8zwc4bmCXF2gw+nYSL0Z
-ohEUGW6yhhtoPkg3Goi3XZZenMfvJ2II4pEZXNLxId26F0KCl3GBUzGpn/Z9Yr9y
-4aOTHcyKJloJONDO1w2AFrR4pTqHTI2KpdVGl/IsELm8VCLAAVBpQ570su9t+Oza
-8eOx79+Rj1QqCyXBJhnEUhAFZdWCEOrCMc0u
------END CERTIFICATE-----
-
-# 8fe4fb0af93a4d0d67db0bebb23e37c71bf325dcbcdd240ea04daf58b47e1840
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3
-        Validity
-            Not Before: Jan 12 18:59:32 2012 GMT
-            Not After : Jan 12 18:59:32 2042 GMT
-        Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:a1:ae:25:b2:01:18:dc:57:88:3f:46:eb:f9:af:
-                    e2:eb:23:71:e2:9a:d1:61:66:21:5f:aa:af:27:51:
-                    e5:6e:1b:16:d4:2d:7d:50:b0:53:77:bd:78:3a:60:
-                    e2:64:02:9b:7c:86:9b:d6:1a:8e:ad:ff:1f:15:7f:
-                    d5:95:1e:12:cb:e6:14:84:04:c1:df:36:b3:16:9f:
-                    8a:e3:c9:db:98:34:ce:d8:33:17:28:46:fc:a7:c9:
-                    f0:d2:b4:d5:4d:09:72:49:f9:f2:87:e3:a9:da:7d:
-                    a1:7d:6b:b2:3a:25:a9:6d:52:44:ac:f8:be:6e:fb:
-                    dc:a6:73:91:90:61:a6:03:14:20:f2:e7:87:a3:88:
-                    ad:ad:a0:8c:ff:a6:0b:25:52:25:e7:16:01:d5:cb:
-                    b8:35:81:0c:a3:3b:f0:e1:e1:fc:5a:5d:ce:80:71:
-                    6d:f8:49:ab:3e:3b:ba:b8:d7:80:01:fb:a5:eb:5b:
-                    b3:c5:5e:60:2a:31:a0:af:37:e8:20:3a:9f:a8:32:
-                    2c:0c:cc:09:1d:d3:9e:8e:5d:bc:4c:98:ee:c5:1a:
-                    68:7b:ec:53:a6:e9:14:35:a3:df:cd:80:9f:0c:48:
-                    fb:1c:f4:f1:bf:4a:b8:fa:d5:8c:71:4a:c7:1f:ad:
-                    fe:41:9a:b3:83:5d:f2:84:56:ef:a5:57:43:ce:29:
-                    ad:8c:ab:55:bf:c4:fb:5b:01:dd:23:21:a1:58:00:
-                    8e:c3:d0:6a:13:ed:13:e3:12:2b:80:dc:67:e6:95:
-                    b2:cd:1e:22:6e:2a:f8:41:d4:f2:ca:14:07:8d:8a:
-                    55:12:c6:69:f5:b8:86:68:2f:53:5e:b0:d2:aa:21:
-                    c1:98:e6:30:e3:67:55:c7:9b:6e:ac:19:a8:55:a6:
-                    45:06:d0:23:3a:db:eb:65:5d:2a:11:11:f0:3b:4f:
-                    ca:6d:f4:34:c4:71:e4:ff:00:5a:f6:5c:ae:23:60:
-                    85:73:f1:e4:10:b1:25:ae:d5:92:bb:13:c1:0c:e0:
-                    39:da:b4:39:57:b5:ab:35:aa:72:21:3b:83:35:e7:
-                    31:df:7a:21:6e:b8:32:08:7d:1d:32:91:15:4a:62:
-                    72:cf:e3:77:a1:bc:d5:11:1b:76:01:67:08:e0:41:
-                    0b:c3:eb:15:6e:f8:a4:19:d9:a2:ab:af:e2:27:52:
-                    56:2b:02:8a:2c:14:24:f9:bf:42:02:bf:26:c8:c6:
-                    8f:e0:6e:38:7d:53:2d:e5:ed:98:b3:95:63:68:7f:
-                    f9:35:f4:df:88:c5:60:35:92:c0:7c:69:1c:61:95:
-                    16:d0:eb:de:0b:af:3e:04:10:45:65:58:50:38:af:
-                    48:f2:59:b6:16:f2:3c:0d:90:02:c6:70:2e:01:ad:
-                    3c:15:d7
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                ED:E7:6F:76:5A:BF:60:EC:49:5B:C6:A5:77:BB:72:16:71:9B:C4:3D
-    Signature Algorithm: sha256WithRSAEncryption
-         91:df:80:3f:43:09:7e:71:c2:f7:eb:b3:88:8f:e1:51:b2:bc:
-         3d:75:f9:28:5d:c8:bc:99:9b:7b:5d:aa:e5:ca:e1:0a:f7:e8:
-         b2:d3:9f:dd:67:31:7e:ba:01:aa:c7:6a:41:3b:90:d4:08:5c:
-         b2:60:6a:90:f0:c8:ce:03:62:f9:8b:ed:fb:6e:2a:dc:06:4d:
-         3c:29:0f:89:16:8a:58:4c:48:0f:e8:84:61:ea:3c:72:a6:77:
-         e4:42:ae:88:a3:43:58:79:7e:ae:ca:a5:53:0d:a9:3d:70:bd:
-         20:19:61:a4:6c:38:fc:43:32:e1:c1:47:ff:f8:ec:f1:11:22:
-         32:96:9c:c2:f6:5b:69:96:7b:20:0c:43:41:9a:5b:f6:59:19:
-         88:de:55:88:37:51:0b:78:5c:0a:1e:a3:42:fd:c7:9d:88:0f:
-         c0:f2:78:02:24:54:93:af:89:87:88:c9:4a:80:1d:ea:d0:6e:
-         3e:61:2e:36:bb:35:0e:27:96:fd:66:34:3b:61:72:73:f1:16:
-         5c:47:06:54:49:00:7a:58:12:b0:0a:ef:85:fd:b1:b8:33:75:
-         6a:93:1c:12:e6:60:5e:6f:1d:7f:c9:1f:23:cb:84:61:9f:1e:
-         82:44:f9:5f:ad:62:55:24:9a:52:98:ed:51:e7:a1:7e:97:3a:
-         e6:2f:1f:11:da:53:80:2c:85:9e:ab:35:10:db:22:5f:6a:c5:
-         5e:97:53:f2:32:02:09:30:a3:58:f0:0d:01:d5:72:c6:b1:7c:
-         69:7b:c3:f5:36:45:cc:61:6e:5e:4c:94:c5:5e:ae:e8:0e:5e:
-         8b:bf:f7:cd:e0:ed:a1:0e:1b:33:ee:54:18:fe:0f:be:ef:7e:
-         84:6b:43:e3:70:98:db:5d:75:b2:0d:59:07:85:15:23:39:d6:
-         f1:df:a9:26:0f:d6:48:c7:b3:a6:22:f5:33:37:5a:95:47:9f:
-         7b:ba:18:15:6f:ff:d6:14:64:83:49:d2:0a:67:21:db:0f:35:
-         63:60:28:22:e3:b1:95:83:cd:85:a6:dd:2f:0f:e7:67:52:6e:
-         bb:2f:85:7c:f5:4a:73:e7:c5:3e:c0:bd:21:12:05:3f:fc:b7:
-         03:49:02:5b:c8:25:e6:e2:54:38:f5:79:87:8c:1d:53:b2:4e:
-         85:7b:06:38:c7:2c:f8:f8:b0:72:8d:25:e5:77:52:f4:03:1c:
-         48:a6:50:5f:88:20:30:6e:f2:82:43:ab:3d:97:84:e7:53:fb:
-         21:c1:4f:0f:22:9a:86:b8:59:2a:f6:47:3d:19:88:2d:e8:85:
-         e1:9e:ec:85:08:6a:b1:6c:34:c9:1d:ec:48:2b:3b:78:ed:66:
-         c4:8e:79:69:83:de:7f:8c
------BEGIN CERTIFICATE-----
-MIIFYDCCA0igAwIBAgIURFc0JFuBiZs18s64KztbpybwdSgwDQYJKoZIhvcNAQEL
-BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
-BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBHMzAeFw0xMjAxMTIxODU5MzJaFw00
-MjAxMTIxODU5MzJaMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBM
-aW1pdGVkMR4wHAYDVQQDExVRdW9WYWRpcyBSb290IENBIDIgRzMwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQChriWyARjcV4g/Ruv5r+LrI3HimtFhZiFf
-qq8nUeVuGxbULX1QsFN3vXg6YOJkApt8hpvWGo6t/x8Vf9WVHhLL5hSEBMHfNrMW
-n4rjyduYNM7YMxcoRvynyfDStNVNCXJJ+fKH46nafaF9a7I6JaltUkSs+L5u+9ym
-c5GQYaYDFCDy54ejiK2toIz/pgslUiXnFgHVy7g1gQyjO/Dh4fxaXc6AcW34Sas+
-O7q414AB+6XrW7PFXmAqMaCvN+ggOp+oMiwMzAkd056OXbxMmO7FGmh77FOm6RQ1
-o9/NgJ8MSPsc9PG/Srj61YxxSscfrf5BmrODXfKEVu+lV0POKa2Mq1W/xPtbAd0j
-IaFYAI7D0GoT7RPjEiuA3GfmlbLNHiJuKvhB1PLKFAeNilUSxmn1uIZoL1NesNKq
-IcGY5jDjZ1XHm26sGahVpkUG0CM62+tlXSoREfA7T8pt9DTEceT/AFr2XK4jYIVz
-8eQQsSWu1ZK7E8EM4DnatDlXtas1qnIhO4M15zHfeiFuuDIIfR0ykRVKYnLP43eh
-vNURG3YBZwjgQQvD6xVu+KQZ2aKrr+InUlYrAoosFCT5v0ICvybIxo/gbjh9Uy3l
-7ZizlWNof/k19N+IxWA1ksB8aRxhlRbQ694Lrz4EEEVlWFA4r0jyWbYW8jwNkALG
-cC4BrTwV1wIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
-BjAdBgNVHQ4EFgQU7edvdlq/YOxJW8ald7tyFnGbxD0wDQYJKoZIhvcNAQELBQAD
-ggIBAJHfgD9DCX5xwvfrs4iP4VGyvD11+ShdyLyZm3tdquXK4Qr36LLTn91nMX66
-AarHakE7kNQIXLJgapDwyM4DYvmL7ftuKtwGTTwpD4kWilhMSA/ohGHqPHKmd+RC
-roijQ1h5fq7KpVMNqT1wvSAZYaRsOPxDMuHBR//47PERIjKWnML2W2mWeyAMQ0Ga
-W/ZZGYjeVYg3UQt4XAoeo0L9x52ID8DyeAIkVJOviYeIyUqAHerQbj5hLja7NQ4n
-lv1mNDthcnPxFlxHBlRJAHpYErAK74X9sbgzdWqTHBLmYF5vHX/JHyPLhGGfHoJE
-+V+tYlUkmlKY7VHnoX6XOuYvHxHaU4AshZ6rNRDbIl9qxV6XU/IyAgkwo1jwDQHV
-csaxfGl7w/U2Rcxhbl5MlMVerugOXou/983g7aEOGzPuVBj+D77vfoRrQ+NwmNtd
-dbINWQeFFSM51vHfqSYP1kjHs6Yi9TM3WpVHn3u6GBVv/9YUZINJ0gpnIdsPNWNg
-KCLjsZWDzYWm3S8P52dSbrsvhXz1SnPnxT7AvSESBT/8twNJAlvIJebiVDj1eYeM
-HVOyToV7BjjHLPj4sHKNJeV3UvQDHEimUF+IIDBu8oJDqz2XhOdT+yHBTw8imoa4
-WSr2Rz0ZiC3oheGe7IUIarFsNMkd7EgrO3jtZsSOeWmD3n+M
------END CERTIFICATE-----
-
-# f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d73
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=SecureTrust Corporation, CN=SecureTrust CA
-        Validity
-            Not Before: Nov  7 19:31:18 2006 GMT
-            Not After : Dec 31 19:40:55 2029 GMT
-        Subject: C=US, O=SecureTrust Corporation, CN=SecureTrust CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:ab:a4:81:e5:95:cd:f5:f6:14:8e:c2:4f:ca:d4:
-                    e2:78:95:58:9c:41:e1:0d:99:40:24:17:39:91:33:
-                    66:e9:be:e1:83:af:62:5c:89:d1:fc:24:5b:61:b3:
-                    e0:11:11:41:1c:1d:6e:f0:b8:bb:f8:de:a7:81:ba:
-                    a6:48:c6:9f:1d:bd:be:8e:a9:41:3e:b8:94:ed:29:
-                    1a:d4:8e:d2:03:1d:03:ef:6d:0d:67:1c:57:d7:06:
-                    ad:ca:c8:f5:fe:0e:af:66:25:48:04:96:0b:5d:a3:
-                    ba:16:c3:08:4f:d1:46:f8:14:5c:f2:c8:5e:01:99:
-                    6d:fd:88:cc:86:a8:c1:6f:31:42:6c:52:3e:68:cb:
-                    f3:19:34:df:bb:87:18:56:80:26:c4:d0:dc:c0:6f:
-                    df:de:a0:c2:91:16:a0:64:11:4b:44:bc:1e:f6:e7:
-                    fa:63:de:66:ac:76:a4:71:a3:ec:36:94:68:7a:77:
-                    a4:b1:e7:0e:2f:81:7a:e2:b5:72:86:ef:a2:6b:8b:
-                    f0:0f:db:d3:59:3f:ba:72:bc:44:24:9c:e3:73:b3:
-                    f7:af:57:2f:42:26:9d:a9:74:ba:00:52:f2:4b:cd:
-                    53:7c:47:0b:36:85:0e:66:a9:08:97:16:34:57:c1:
-                    66:f7:80:e3:ed:70:54:c7:93:e0:2e:28:15:59:87:
-                    ba:bb
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            1.3.6.1.4.1.311.20.2: 
-                ...C.A
-            X509v3 Key Usage: 
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                42:32:B6:16:FA:04:FD:FE:5D:4B:7A:C3:FD:F7:4C:40:1D:5A:43:AF
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.securetrust.com/STCA.crl
-
-            1.3.6.1.4.1.311.21.1: 
-                ...
-    Signature Algorithm: sha1WithRSAEncryption
-         30:ed:4f:4a:e1:58:3a:52:72:5b:b5:a6:a3:65:18:a6:bb:51:
-         3b:77:e9:9d:ea:d3:9f:5c:e0:45:65:7b:0d:ca:5b:e2:70:50:
-         b2:94:05:14:ae:49:c7:8d:41:07:12:73:94:7e:0c:23:21:fd:
-         bc:10:7f:60:10:5a:72:f5:98:0e:ac:ec:b9:7f:dd:7a:6f:5d:
-         d3:1c:f4:ff:88:05:69:42:a9:05:71:c8:b7:ac:26:e8:2e:b4:
-         8c:6a:ff:71:dc:b8:b1:df:99:bc:7c:21:54:2b:e4:58:a2:bb:
-         57:29:ae:9e:a9:a3:19:26:0f:99:2e:08:b0:ef:fd:69:cf:99:
-         1a:09:8d:e3:a7:9f:2b:c9:36:34:7b:24:b3:78:4c:95:17:a4:
-         06:26:1e:b6:64:52:36:5f:60:67:d9:9c:c5:05:74:0b:e7:67:
-         23:d2:08:fc:88:e9:ae:8b:7f:e1:30:f4:37:7e:fd:c6:32:da:
-         2d:9e:44:30:30:6c:ee:07:de:d2:34:fc:d2:ff:40:f6:4b:f4:
-         66:46:06:54:a6:f2:32:0a:63:26:30:6b:9b:d1:dc:8b:47:ba:
-         e1:b9:d5:62:d0:a2:a0:f4:67:05:78:29:63:1a:6f:04:d6:f8:
-         c6:4c:a3:9a:b1:37:b4:8d:e5:28:4b:1d:9e:2c:c2:b8:68:bc:
-         ed:02:ee:31
------BEGIN CERTIFICATE-----
-MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBI
-MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x
-FzAVBgNVBAMTDlNlY3VyZVRydXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIz
-MTE5NDA1NVowSDELMAkGA1UEBhMCVVMxIDAeBgNVBAoTF1NlY3VyZVRydXN0IENv
-cnBvcmF0aW9uMRcwFQYDVQQDEw5TZWN1cmVUcnVzdCBDQTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAKukgeWVzfX2FI7CT8rU4niVWJxB4Q2ZQCQXOZEz
-Zum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6pkjGnx29vo6pQT64lO0pGtSO
-0gMdA+9tDWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgUXPLIXgGZbf2IzIao
-wW8xQmxSPmjL8xk037uHGFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPeZqx2pHGj
-7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b01k/unK8RCSc43Oz969XL0Imnal0ugBS
-8kvNU3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmHursCAwEAAaOBnTCBmjAT
-BgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
-/zAdBgNVHQ4EFgQUQjK2FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCeg
-JYYjaHR0cDovL2NybC5zZWN1cmV0cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGC
-NxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEBADDtT0rhWDpSclu1pqNlGKa7UTt3
-6Z3q059c4EVlew3KW+JwULKUBRSuSceNQQcSc5R+DCMh/bwQf2AQWnL1mA6s7Ll/
-3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHfmbx8IVQr5Fiiu1cprp6poxkm
-D5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZnMUFdAvnZyPS
-CPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR
-3ItHuuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jE=
------END CERTIFICATE-----
-
-# 4200f5043ac8590ebb527d209ed1503029fbcbd41ca1b506ec27f15ade7dac69
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=SecureTrust Corporation, CN=Secure Global CA
-        Validity
-            Not Before: Nov  7 19:42:28 2006 GMT
-            Not After : Dec 31 19:52:06 2029 GMT
-        Subject: C=US, O=SecureTrust Corporation, CN=Secure Global CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:af:35:2e:d8:ac:6c:55:69:06:71:e5:13:68:24:
-                    b3:4f:d8:cc:21:47:f8:f1:60:38:89:89:03:e9:bd:
-                    ea:5e:46:53:09:dc:5c:f5:5a:e8:f7:45:2a:02:eb:
-                    31:61:d7:29:33:4c:ce:c7:7c:0a:37:7e:0f:ba:32:
-                    98:e1:1d:97:af:8f:c7:dc:c9:38:96:f3:db:1a:fc:
-                    51:ed:68:c6:d0:6e:a4:7c:24:d1:ae:42:c8:96:50:
-                    63:2e:e0:fe:75:fe:98:a7:5f:49:2e:95:e3:39:33:
-                    64:8e:1e:a4:5f:90:d2:67:3c:b2:d9:fe:41:b9:55:
-                    a7:09:8e:72:05:1e:8b:dd:44:85:82:42:d0:49:c0:
-                    1d:60:f0:d1:17:2c:95:eb:f6:a5:c1:92:a3:c5:c2:
-                    a7:08:60:0d:60:04:10:96:79:9e:16:34:e6:a9:b6:
-                    fa:25:45:39:c8:1e:65:f9:93:f5:aa:f1:52:dc:99:
-                    98:3d:a5:86:1a:0c:35:33:fa:4b:a5:04:06:15:1c:
-                    31:80:ef:aa:18:6b:c2:7b:d7:da:ce:f9:33:20:d5:
-                    f5:bd:6a:33:2d:81:04:fb:b0:5c:d4:9c:a3:e2:5c:
-                    1d:e3:a9:42:75:5e:7b:d4:77:ef:39:54:ba:c9:0a:
-                    18:1b:12:99:49:2f:88:4b:fd:50:62:d1:73:e7:8f:
-                    7a:43
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            1.3.6.1.4.1.311.20.2: 
-                ...C.A
-            X509v3 Key Usage: 
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                AF:44:04:C2:41:7E:48:83:DB:4E:39:02:EC:EC:84:7A:E6:CE:C9:A4
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.securetrust.com/SGCA.crl
-
-            1.3.6.1.4.1.311.21.1: 
-                ...
-    Signature Algorithm: sha1WithRSAEncryption
-         63:1a:08:40:7d:a4:5e:53:0d:77:d8:7a:ae:1f:0d:0b:51:16:
-         03:ef:18:7c:c8:e3:af:6a:58:93:14:60:91:b2:84:dc:88:4e:
-         be:39:8a:3a:f3:e6:82:89:5d:01:37:b3:ab:24:a4:15:0e:92:
-         35:5a:4a:44:5e:4e:57:fa:75:ce:1f:48:ce:66:f4:3c:40:26:
-         92:98:6c:1b:ee:24:46:0c:17:b3:52:a5:db:a5:91:91:cf:37:
-         d3:6f:e7:27:08:3a:4e:19:1f:3a:a7:58:5c:17:cf:79:3f:8b:
-         e4:a7:d3:26:23:9d:26:0f:58:69:fc:47:7e:b2:d0:8d:8b:93:
-         bf:29:4f:43:69:74:76:67:4b:cf:07:8c:e6:02:f7:b5:e1:b4:
-         43:b5:4b:2d:14:9f:f9:dc:26:0d:bf:a6:47:74:06:d8:88:d1:
-         3a:29:30:84:ce:d2:39:80:62:1b:a8:c7:57:49:bc:6a:55:51:
-         67:15:4a:be:35:07:e4:d5:75:98:37:79:30:14:db:29:9d:6c:
-         c5:69:cc:47:55:a2:30:f7:cc:5c:7f:c2:c3:98:1c:6b:4e:16:
-         80:eb:7a:78:65:45:a2:00:1a:af:0c:0d:55:64:34:48:b8:92:
-         b9:f1:b4:50:29:f2:4f:23:1f:da:6c:ac:1f:44:e1:dd:23:78:
-         51:5b:c7:16
------BEGIN CERTIFICATE-----
-MIIDvDCCAqSgAwIBAgIQB1YipOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBK
-MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x
-GTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwHhcNMDYxMTA3MTk0MjI4WhcNMjkx
-MjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3Qg
-Q29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jxYDiJ
-iQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa
-/FHtaMbQbqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJ
-jnIFHovdRIWCQtBJwB1g8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnI
-HmX5k/Wq8VLcmZg9pYYaDDUz+kulBAYVHDGA76oYa8J719rO+TMg1fW9ajMtgQT7
-sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgbEplJL4hL/VBi0XPnj3pDAgMBAAGjgZ0w
-gZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmkMDQGA1UdHwQtMCsw
-KaAnoCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3JsMBAGCSsG
-AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0L
-URYD7xh8yOOvaliTFGCRsoTciE6+OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXO
-H0jOZvQ8QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cnCDpOGR86p1hcF895P4vkp9Mm
-I50mD1hp/Ed+stCNi5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/53CYNv6ZHdAbY
-iNE6KTCEztI5gGIbqMdXSbxqVVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xc
-f8LDmBxrThaA63p4ZUWiABqvDA1VZDRIuJK58bRQKfJPIx/abKwfROHdI3hRW8cW
------END CERTIFICATE-----
-
-# e75e72ed9f560eec6eb4800073a43fc3ad19195a392282017895974a99026b6c
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1
-        Validity
-            Not Before: Sep 30 04:20:49 2003 GMT
-            Not After : Sep 30 04:20:49 2023 GMT
-        Subject: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b3:b3:fe:7f:d3:6d:b1:ef:16:7c:57:a5:0c:6d:
-                    76:8a:2f:4b:bf:64:fb:4c:ee:8a:f0:f3:29:7c:f5:
-                    ff:ee:2a:e0:e9:e9:ba:5b:64:22:9a:9a:6f:2c:3a:
-                    26:69:51:05:99:26:dc:d5:1c:6a:71:c6:9a:7d:1e:
-                    9d:dd:7c:6c:c6:8c:67:67:4a:3e:f8:71:b0:19:27:
-                    a9:09:0c:a6:95:bf:4b:8c:0c:fa:55:98:3b:d8:e8:
-                    22:a1:4b:71:38:79:ac:97:92:69:b3:89:7e:ea:21:
-                    68:06:98:14:96:87:d2:61:36:bc:6d:27:56:9e:57:
-                    ee:c0:c0:56:fd:32:cf:a4:d9:8e:c2:23:d7:8d:a8:
-                    f3:d8:25:ac:97:e4:70:38:f4:b6:3a:b4:9d:3b:97:
-                    26:43:a3:a1:bc:49:59:72:4c:23:30:87:01:58:f6:
-                    4e:be:1c:68:56:66:af:cd:41:5d:c8:b3:4d:2a:55:
-                    46:ab:1f:da:1e:e2:40:3d:db:cd:7d:b9:92:80:9c:
-                    37:dd:0c:96:64:9d:dc:22:f7:64:8b:df:61:de:15:
-                    94:52:15:a0:7d:52:c9:4b:a8:21:c9:c6:b1:ed:cb:
-                    c3:95:60:d1:0f:f0:ab:70:f8:df:cb:4d:7e:ec:d6:
-                    fa:ab:d9:bd:7f:54:f2:a5:e9:79:fa:d9:d6:76:24:
-                    28:73
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                A0:73:49:99:68:DC:85:5B:65:E3:9B:28:2F:57:9F:BD:33:BC:07:48
-            X509v3 Key Usage: 
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         68:40:a9:a8:bb:e4:4f:5d:79:b3:05:b5:17:b3:60:13:eb:c6:
-         92:5d:e0:d1:d3:6a:fe:fb:be:9b:6d:bf:c7:05:6d:59:20:c4:
-         1c:f0:b7:da:84:58:02:63:fa:48:16:ef:4f:a5:0b:f7:4a:98:
-         f2:3f:9e:1b:ad:47:6b:63:ce:08:47:eb:52:3f:78:9c:af:4d:
-         ae:f8:d5:4f:cf:9a:98:2a:10:41:39:52:c4:dd:d9:9b:0e:ef:
-         93:01:ae:b2:2e:ca:68:42:24:42:6c:b0:b3:3a:3e:cd:e9:da:
-         48:c4:15:cb:e9:f9:07:0f:92:50:49:8a:dd:31:97:5f:c9:e9:
-         37:aa:3b:59:65:97:94:32:c9:b3:9f:3e:3a:62:58:c5:49:ad:
-         62:0e:71:a5:32:aa:2f:c6:89:76:43:40:13:13:67:3d:a2:54:
-         25:10:cb:f1:3a:f2:d9:fa:db:49:56:bb:a6:fe:a7:41:35:c3:
-         e0:88:61:c9:88:c7:df:36:10:22:98:59:ea:b0:4a:fb:56:16:
-         73:6e:ac:4d:f7:22:a1:4f:ad:1d:7a:2d:45:27:e5:30:c1:5e:
-         f2:da:13:cb:25:42:51:95:47:03:8c:6c:21:cc:74:42:ed:53:
-         ff:33:8b:8f:0f:57:01:16:2f:cf:a6:ee:c9:70:22:14:bd:fd:
-         be:6c:0b:03
------BEGIN CERTIFICATE-----
-MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEY
-MBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21t
-dW5pY2F0aW9uIFJvb3RDQTEwHhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5
-WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMPU0VDT00gVHJ1c3QubmV0MScwJQYD
-VQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw8yl8
-9f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJ
-DKaVv0uMDPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9
-Ms+k2Y7CI9eNqPPYJayX5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/N
-QV3Is00qVUarH9oe4kA92819uZKAnDfdDJZkndwi92SL32HeFZRSFaB9UslLqCHJ
-xrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2JChzAgMBAAGjPzA9MB0G
-A1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYwDwYDVR0T
-AQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vG
-kl3g0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfr
-Uj94nK9NrvjVT8+amCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5
-Bw+SUEmK3TGXX8npN6o7WWWXlDLJs58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJU
-JRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ6rBK+1YWc26sTfcioU+tHXot
-RSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAiFL39vmwLAw==
------END CERTIFICATE-----
-
-# 513b2cecb810d4cde5dd85391adfc6c2dd60d87bb736d2b521484aa47a0ebef6
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2
-        Validity
-            Not Before: May 29 05:00:39 2009 GMT
-            Not After : May 29 05:00:39 2029 GMT
-        Subject: C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:d0:15:39:52:b1:52:b3:ba:c5:59:82:c4:5d:52:
-                    ae:3a:43:65:80:4b:c7:f2:96:bc:db:36:97:d6:a6:
-                    64:8c:a8:5e:f0:e3:0a:1c:f7:df:97:3d:4b:ae:f6:
-                    5d:ec:21:b5:41:ab:cd:b9:7e:76:9f:be:f9:3e:36:
-                    34:a0:3b:c1:f6:31:11:45:74:93:3d:57:80:c5:f9:
-                    89:99:ca:e5:ab:6a:d4:b5:da:41:90:10:c1:d6:d6:
-                    42:89:c2:bf:f4:38:12:95:4c:54:05:f7:36:e4:45:
-                    83:7b:14:65:d6:dc:0c:4d:d1:de:7e:0c:ab:3b:c4:
-                    15:be:3a:56:a6:5a:6f:76:69:52:a9:7a:b9:c8:eb:
-                    6a:9a:5d:52:d0:2d:0a:6b:35:16:09:10:84:d0:6a:
-                    ca:3a:06:00:37:47:e4:7e:57:4f:3f:8b:eb:67:b8:
-                    88:aa:c5:be:53:55:b2:91:c4:7d:b9:b0:85:19:06:
-                    78:2e:db:61:1a:fa:85:f5:4a:91:a1:e7:16:d5:8e:
-                    a2:39:df:94:b8:70:1f:28:3f:8b:fc:40:5e:63:83:
-                    3c:83:2a:1a:99:6b:cf:de:59:6a:3b:fc:6f:16:d7:
-                    1f:fd:4a:10:eb:4e:82:16:3a:ac:27:0c:53:f1:ad:
-                    d5:24:b0:6b:03:50:c1:2d:3c:16:dd:44:34:27:1a:
-                    75:fb
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                0A:85:A9:77:65:05:98:7C:40:81:F8:0F:97:2C:38:F1:0A:EC:3C:CF
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha256WithRSAEncryption
-         4c:3a:a3:44:ac:b9:45:b1:c7:93:7e:c8:0b:0a:42:df:64:ea:
-         1c:ee:59:6c:08:ba:89:5f:6a:ca:4a:95:9e:7a:8f:07:c5:da:
-         45:72:82:71:0e:3a:d2:cc:6f:a7:b4:a1:23:bb:f6:24:9f:cb:
-         17:fe:8c:a6:ce:c2:d2:db:cc:8d:fc:71:fc:03:29:c1:6c:5d:
-         33:5f:64:b6:65:3b:89:6f:18:76:78:f5:dc:a2:48:1f:19:3f:
-         8e:93:eb:f1:fa:17:ee:cd:4e:e3:04:12:55:d6:e5:e4:dd:fb:
-         3e:05:7c:e2:1d:5e:c6:a7:bc:97:4f:68:3a:f5:e9:2e:0a:43:
-         b6:af:57:5c:62:68:7c:b7:fd:a3:8a:84:a0:ac:62:be:2b:09:
-         87:34:f0:6a:01:bb:9b:29:56:3c:fe:00:37:cf:23:6c:f1:4e:
-         aa:b6:74:46:12:6c:91:ee:34:d5:ec:9a:91:e7:44:be:90:31:
-         72:d5:49:02:f6:02:e5:f4:1f:eb:7c:d9:96:55:a9:ff:ec:8a:
-         f9:99:47:ff:35:5a:02:aa:04:cb:8a:5b:87:71:29:91:bd:a4:
-         b4:7a:0d:bd:9a:f5:57:23:00:07:21:17:3f:4a:39:d1:05:49:
-         0b:a7:b6:37:81:a5:5d:8c:aa:33:5e:81:28:7c:a7:7d:27:eb:
-         00:ae:8d:37
------BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJKUDEl
-MCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UECxMe
-U2VjdXJpdHkgQ29tbXVuaWNhdGlvbiBSb290Q0EyMB4XDTA5MDUyOTA1MDAzOVoX
-DTI5MDUyOTA1MDAzOVowXTELMAkGA1UEBhMCSlAxJTAjBgNVBAoTHFNFQ09NIFRy
-dXN0IFN5c3RlbXMgQ08uLExURC4xJzAlBgNVBAsTHlNlY3VyaXR5IENvbW11bmlj
-YXRpb24gUm9vdENBMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANAV
-OVKxUrO6xVmCxF1SrjpDZYBLx/KWvNs2l9amZIyoXvDjChz335c9S672XewhtUGr
-zbl+dp+++T42NKA7wfYxEUV0kz1XgMX5iZnK5atq1LXaQZAQwdbWQonCv/Q4EpVM
-VAX3NuRFg3sUZdbcDE3R3n4MqzvEFb46VqZab3ZpUql6ucjrappdUtAtCms1FgkQ
-hNBqyjoGADdH5H5XTz+L62e4iKrFvlNVspHEfbmwhRkGeC7bYRr6hfVKkaHnFtWO
-ojnflLhwHyg/i/xAXmODPIMqGplrz95Zajv8bxbXH/1KEOtOghY6rCcMU/Gt1SSw
-awNQwS08Ft1ENCcadfsCAwEAAaNCMEAwHQYDVR0OBBYEFAqFqXdlBZh8QIH4D5cs
-OPEK7DzPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
-DQEBCwUAA4IBAQBMOqNErLlFsceTfsgLCkLfZOoc7llsCLqJX2rKSpWeeo8HxdpF
-coJxDjrSzG+ntKEju/Ykn8sX/oymzsLS28yN/HH8AynBbF0zX2S2ZTuJbxh2ePXc
-okgfGT+Ok+vx+hfuzU7jBBJV1uXk3fs+BXziHV7Gp7yXT2g69ekuCkO2r1dcYmh8
-t/2jioSgrGK+KwmHNPBqAbubKVY8/gA3zyNs8U6qtnRGEmyR7jTV7JqR50S+kDFy
-1UkC9gLl9B/rfNmWVan/7Ir5mUf/NVoCqgTLiluHcSmRvaS0eg29mvVXIwAHIRc/
-SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03
------END CERTIFICATE-----
-
-# 22a2c1f7bded704cc1e701b5f408c310880fe956b5de2a4a44f99c873a25a7c8
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 3182246526754555285 (0x2c299c5b16ed0595)
-        Signature Algorithm: ecdsa-with-SHA256
-        Issuer: C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority ECC
-        Validity
-            Not Before: Feb 12 18:15:23 2016 GMT
-            Not After : Feb 12 18:15:23 2041 GMT
-        Subject: C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority ECC
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub:
-                    04:aa:12:47:90:98:1b:fb:ef:c3:40:07:83:20:4e:
-                    f1:30:82:a2:06:d1:f2:92:86:61:f2:f6:21:68:ca:
-                    00:c4:c7:ea:43:00:54:86:dc:fd:1f:df:00:b8:41:
-                    62:5c:dc:70:16:32:de:1f:99:d4:cc:c5:07:c8:08:
-                    1f:61:16:07:51:3d:7d:5c:07:53:e3:35:38:8c:df:
-                    cd:9f:d9:2e:0d:4a:b6:19:2e:5a:70:5a:06:ed:be:
-                    f0:a1:b0:ca:d0:09:29
-                ASN1 OID: secp384r1
-                NIST CURVE: P-384
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                5B:CA:5E:E5:DE:D2:81:AA:CD:A8:2D:64:51:B6:D9:72:9B:97:E6:4F
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Authority Key Identifier: 
-                keyid:5B:CA:5E:E5:DE:D2:81:AA:CD:A8:2D:64:51:B6:D9:72:9B:97:E6:4F
-
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-    Signature Algorithm: ecdsa-with-SHA256
-         30:65:02:31:00:8a:e6:40:89:37:eb:e9:d5:13:d9:ca:d4:6b:
-         24:f3:b0:3d:87:46:58:1a:ec:b1:df:6f:fb:56:ba:70:6b:c7:
-         38:cc:e8:b1:8c:4f:0f:f7:f1:67:76:0e:83:d0:1e:51:8f:02:
-         30:3d:f6:23:28:26:4c:c6:60:87:93:26:9b:b2:35:1e:ba:d6:
-         f7:3c:d1:1c:ce:fa:25:3c:a6:1a:81:15:5b:f3:12:0f:6c:ee:
-         65:8a:c9:87:a8:f9:07:e0:62:9a:8c:5c:4a
------BEGIN CERTIFICATE-----
-MIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkGA1UEBhMC
-VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T
-U0wgQ29ycG9yYXRpb24xNDAyBgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNTIzWhcNNDEwMjEyMTgx
-NTIzWjB/MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hv
-dXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjE0MDIGA1UEAwwrU1NMLmNv
-bSBFViBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABKoSR5CYG/vvw0AHgyBO8TCCogbR8pKGYfL2IWjKAMTH6kMA
-VIbc/R/fALhBYlzccBYy3h+Z1MzFB8gIH2EWB1E9fVwHU+M1OIzfzZ/ZLg1Kthku
-WnBaBu2+8KGwytAJKaNjMGEwHQYDVR0OBBYEFFvKXuXe0oGqzagtZFG22XKbl+ZP
-MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUW8pe5d7SgarNqC1kUbbZcpuX
-5k8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2gAMGUCMQCK5kCJN+vp1RPZ
-ytRrJPOwPYdGWBrssd9v+1a6cGvHOMzosYxPD/fxZ3YOg9AeUY8CMD32IygmTMZg
-h5Mmm7I1HrrW9zzRHM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSg==
------END CERTIFICATE-----
-
-# 2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 6248227494352943350 (0x56b629cd34bc78f6)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority RSA R2
-        Validity
-            Not Before: May 31 18:14:37 2017 GMT
-            Not After : May 30 18:14:37 2042 GMT
-        Subject: C = US, ST = Texas, L = Houston, O = SSL Corporation, CN = SSL.com EV Root Certification Authority RSA R2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:8f:36:65:40:e1:d6:4d:c0:d7:b4:e9:46:da:6b:
-                    ea:33:47:cd:4c:f9:7d:7d:be:bd:2d:3d:f0:db:78:
-                    e1:86:a5:d9:ba:09:57:68:ed:57:3e:a0:d0:08:41:
-                    83:e7:28:41:24:1f:e3:72:15:d0:01:1a:fb:5e:70:
-                    23:b2:cb:9f:39:e3:cf:c5:4e:c6:92:6d:26:c6:7b:
-                    bb:b3:da:27:9d:0a:86:e9:81:37:05:fe:f0:71:71:
-                    ec:c3:1c:e9:63:a2:17:14:9d:ef:1b:67:d3:85:55:
-                    02:02:d6:49:c9:cc:5a:e1:b1:f7:6f:32:9f:c9:d4:
-                    3b:88:41:a8:9c:bd:cb:ab:db:6d:7b:09:1f:a2:4c:
-                    72:90:da:2b:08:fc:cf:3c:54:ce:67:0f:a8:cf:5d:
-                    96:19:0b:c4:e3:72:eb:ad:d1:7d:1d:27:ef:92:eb:
-                    10:bf:5b:eb:3b:af:cf:80:dd:c1:d2:96:04:5b:7a:
-                    7e:a4:a9:3c:38:76:a4:62:8e:a0:39:5e:ea:77:cf:
-                    5d:00:59:8f:66:2c:3e:07:a2:a3:05:26:11:69:97:
-                    ea:85:b7:0f:96:0b:4b:c8:40:e1:50:ba:2e:8a:cb:
-                    f7:0f:9a:22:e7:7f:9a:37:13:cd:f2:4d:13:6b:21:
-                    d1:c0:cc:22:f2:a1:46:f6:44:69:9c:ca:61:35:07:
-                    00:6f:d6:61:08:11:ea:ba:b8:f6:e9:b3:60:e5:4d:
-                    b9:ec:9f:14:66:c9:57:58:db:cd:87:69:f8:8a:86:
-                    12:03:47:bf:66:13:76:ac:77:7d:34:24:85:83:cd:
-                    d7:aa:9c:90:1a:9f:21:2c:7f:78:b7:64:b8:d8:e8:
-                    a6:f4:78:b3:55:cb:84:d2:32:c4:78:ae:a3:8f:61:
-                    dd:ce:08:53:ad:ec:88:fc:15:e4:9a:0d:e6:9f:1a:
-                    77:ce:4c:8f:b8:14:15:3d:62:9c:86:38:06:00:66:
-                    12:e4:59:76:5a:53:c0:02:98:a2:10:2b:68:44:7b:
-                    8e:79:ce:33:4a:76:aa:5b:81:16:1b:b5:8a:d8:d0:
-                    00:7b:5e:62:b4:09:d6:86:63:0e:a6:05:95:49:ba:
-                    28:8b:88:93:b2:34:1c:d8:a4:55:6e:b7:1c:d0:de:
-                    99:55:3b:23:f4:22:e0:f9:29:66:26:ec:20:50:77:
-                    db:4a:0b:8f:be:e5:02:60:70:41:5e:d4:ae:50:39:
-                    22:14:26:cb:b2:3b:73:74:55:47:07:79:81:39:a8:
-                    30:13:44:e5:04:8a:ae:96:13:25:42:0f:b9:53:c4:
-                    9b:fc:cd:e4:1c:de:3c:fa:ab:d6:06:4a:1f:67:a6:
-                    98:30:1c:dd:2c:db:dc:18:95:57:66:c6:ff:5c:8b:
-                    56:f5:77
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Authority Key Identifier: 
-                keyid:F9:60:BB:D4:E3:D5:34:F6:B8:F5:06:80:25:A7:73:DB:46:69:A8:9E
-
-            X509v3 Subject Key Identifier: 
-                F9:60:BB:D4:E3:D5:34:F6:B8:F5:06:80:25:A7:73:DB:46:69:A8:9E
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         56:b3:8e:cb:0a:9d:49:8e:bf:a4:c4:91:bb:66:17:05:51:98:
-         75:fb:e5:50:2c:7a:9e:f1:14:fa:ab:d3:8a:3e:ff:91:29:8f:
-         63:8b:d8:b4:a9:54:01:0d:be:93:86:2f:f9:4a:6d:c7:5e:f5:
-         57:f9:ca:55:1c:12:be:47:0f:36:c5:df:6a:b7:db:75:c2:47:
-         25:7f:b9:f1:63:f8:68:2d:55:04:d1:f2:8d:b0:a4:cf:bc:3c:
-         5e:1f:78:e7:a5:a0:20:70:b0:04:c5:b7:f7:72:a7:de:22:0d:
-         bd:33:25:46:8c:64:92:26:e3:3e:2e:63:96:da:9b:8c:3d:f8:
-         18:09:d7:03:cc:7d:86:82:e0:ca:04:07:51:50:d7:ff:92:d5:
-         0c:ef:da:86:9f:99:d7:eb:b7:af:68:e2:39:26:94:ba:68:b7:
-         bf:83:d3:ea:7a:67:3d:62:67:ae:25:e5:72:e8:e2:e4:ec:ae:
-         12:f6:4b:2b:3c:9f:e9:b0:40:f3:38:54:b3:fd:b7:68:c8:da:
-         c6:8f:51:3c:b2:fb:91:dc:1c:e7:9b:9d:e1:b7:0d:72:8f:e2:
-         a4:c4:a9:78:f9:eb:14:ac:c6:43:05:c2:65:39:28:18:02:c3:
-         82:b2:9d:05:be:65:ed:96:5f:65:74:3c:fb:09:35:2e:7b:9c:
-         13:fd:1b:0f:5d:c7:6d:81:3a:56:0f:cc:3b:e1:af:02:2f:22:
-         ac:46:ca:46:3c:a0:1c:4c:d6:44:b4:5e:2e:5c:15:66:09:e1:
-         26:29:fe:c6:52:61:ba:b1:73:ff:c3:0c:9c:e5:6c:6a:94:3f:
-         14:ca:40:16:95:84:f3:59:a9:ac:5f:4c:61:93:6d:d1:3b:cc:
-         a2:95:0c:22:a6:67:67:44:2e:b9:d9:d2:8a:41:b3:66:0b:5a:
-         fb:7d:23:a5:f2:1a:b0:ff:de:9b:83:94:2e:d1:3f:df:92:b7:
-         91:af:05:3b:65:c7:a0:6c:b1:cd:62:12:c3:90:1b:e3:25:ce:
-         34:bc:6f:77:76:b1:10:c3:f7:05:1a:c0:d6:af:74:62:48:17:
-         77:92:69:90:61:1c:de:95:80:74:54:8f:18:1c:c3:f3:03:d0:
-         bf:a4:43:75:86:53:18:7a:0a:2e:09:1c:36:9f:91:fd:82:8a:
-         22:4b:d1:0e:50:25:dd:cb:03:0c:17:c9:83:00:08:4e:35:4d:
-         8a:8b:ed:f0:02:94:66:2c:44:7f:cb:95:27:96:17:ad:09:30:
-         ac:b6:71:17:6e:8b:17:f6:1c:09:d4:2d:3b:98:a5:71:d3:54:
-         13:d9:60:f3:f5:4b:66:4f:fa:f1:ee:20:12:8d:b4:ac:57:b1:
-         45:63:a1:ac:76:a9:c2:fb
------BEGIN CERTIFICATE-----
-MIIF6zCCA9OgAwIBAgIIVrYpzTS8ePYwDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNV
-BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UE
-CgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQDDC5TU0wuY29tIEVWIFJvb3QgQ2Vy
-dGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIyMB4XDTE3MDUzMTE4MTQzN1oXDTQy
-MDUzMDE4MTQzN1owgYIxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4G
-A1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQD
-DC5TU0wuY29tIEVWIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIy
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjzZlQOHWTcDXtOlG2mvq
-M0fNTPl9fb69LT3w23jhhqXZuglXaO1XPqDQCEGD5yhBJB/jchXQARr7XnAjssuf
-OePPxU7Gkm0mxnu7s9onnQqG6YE3Bf7wcXHswxzpY6IXFJ3vG2fThVUCAtZJycxa
-4bH3bzKfydQ7iEGonL3Lq9ttewkfokxykNorCPzPPFTOZw+oz12WGQvE43LrrdF9
-HSfvkusQv1vrO6/PgN3B0pYEW3p+pKk8OHakYo6gOV7qd89dAFmPZiw+B6KjBSYR
-aZfqhbcPlgtLyEDhULouisv3D5oi53+aNxPN8k0TayHRwMwi8qFG9kRpnMphNQcA
-b9ZhCBHqurj26bNg5U257J8UZslXWNvNh2n4ioYSA0e/ZhN2rHd9NCSFg83XqpyQ
-Gp8hLH94t2S42Oim9HizVcuE0jLEeK6jj2HdzghTreyI/BXkmg3mnxp3zkyPuBQV
-PWKchjgGAGYS5Fl2WlPAApiiECtoRHuOec4zSnaqW4EWG7WK2NAAe15itAnWhmMO
-pgWVSbooi4iTsjQc2KRVbrcc0N6ZVTsj9CLg+SlmJuwgUHfbSguPvuUCYHBBXtSu
-UDkiFCbLsjtzdFVHB3mBOagwE0TlBIqulhMlQg+5U8Sb/M3kHN48+qvWBkofZ6aY
-MBzdLNvcGJVXZsb/XItW9XcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNV
-HSMEGDAWgBT5YLvU49U09rj1BoAlp3PbRmmonjAdBgNVHQ4EFgQU+WC71OPVNPa4
-9QaAJadz20ZpqJ4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQBW
-s47LCp1Jjr+kxJG7ZhcFUZh1++VQLHqe8RT6q9OKPv+RKY9ji9i0qVQBDb6Thi/5
-Sm3HXvVX+cpVHBK+Rw82xd9qt9t1wkclf7nxY/hoLVUE0fKNsKTPvDxeH3jnpaAg
-cLAExbf3cqfeIg29MyVGjGSSJuM+LmOW2puMPfgYCdcDzH2GguDKBAdRUNf/ktUM
-79qGn5nX67evaOI5JpS6aLe/g9Pqemc9YmeuJeVy6OLk7K4S9ksrPJ/psEDzOFSz
-/bdoyNrGj1E8svuR3Bznm53htw1yj+KkxKl4+esUrMZDBcJlOSgYAsOCsp0FvmXt
-ll9ldDz7CTUue5wT/RsPXcdtgTpWD8w74a8CLyKsRspGPKAcTNZEtF4uXBVmCeEm
-Kf7GUmG6sXP/wwyc5WxqlD8UykAWlYTzWamsX0xhk23RO8yilQwipmdnRC652dKK
-QbNmC1r7fSOl8hqw/96bg5Qu0T/fkreRrwU7ZcegbLHNYhLDkBvjJc40vG93drEQ
-w/cFGsDWr3RiSBd3kmmQYRzelYB0VI8YHMPzA9C/pEN1hlMYegouCRw2n5H9gooi
-S9EOUCXdywMMF8mDAAhONU2Ki+3wApRmLER/y5UnlhetCTCstnEXbosX9hwJ1C07
-mKVx01QT2WDz9UtmT/rx7iASjbSsV7FFY6GsdqnC+w==
------END CERTIFICATE-----
-
-# 4d2491414cfe956746ec4cefa6cf6f72e28a1329432f9d8a907ac4cb5dadc15a
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 10000013 (0x98968d)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA
-        Validity
-            Not Before: Dec  8 11:19:29 2010 GMT
-            Not After : Dec  8 11:10:28 2022 GMT
-        Subject: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:e3:c7:7e:89:f9:24:4b:3a:d2:33:83:35:2c:69:
-                    ec:dc:09:a4:e3:51:a8:25:2b:79:b8:08:3d:e0:91:
-                    ba:84:85:c6:85:a4:ca:e6:c9:2e:53:a4:c9:24:1e:
-                    fd:55:66:71:5d:2c:c5:60:68:04:b7:d9:c2:52:26:
-                    38:88:a4:d6:3b:40:a6:c2:cd:3f:cd:98:93:b3:54:
-                    14:58:96:55:d5:50:fe:86:ad:a4:63:7f:5c:87:f6:
-                    8e:e6:27:92:67:17:92:02:03:2c:dc:d6:66:74:ed:
-                    dd:67:ff:c1:61:8d:63:4f:0f:9b:6d:17:30:26:ef:
-                    ab:d2:1f:10:a0:f9:c5:7f:16:69:81:03:47:ed:1e:
-                    68:8d:72:a1:4d:b2:26:c6:ba:6c:5f:6d:d6:af:d1:
-                    b1:13:8e:a9:ad:f3:5e:69:75:26:18:3e:41:2b:21:
-                    7f:ee:8b:5d:07:06:9d:43:c4:29:0a:2b:fc:2a:3e:
-                    86:cb:3c:83:3a:f9:c9:0d:da:c5:99:e2:bc:78:41:
-                    33:76:e1:bf:2f:5d:e5:a4:98:50:0c:15:dd:e0:fa:
-                    9c:7f:38:68:d0:b2:a6:7a:a7:d1:31:bd:7e:8a:58:
-                    27:43:b3:ba:33:91:d3:a7:98:15:5c:9a:e6:d3:0f:
-                    75:d9:fc:41:98:97:3e:aa:25:db:8f:92:2e:b0:7b:
-                    0c:5f:f1:63:a9:37:f9:9b:75:69:4c:28:26:25:da:
-                    d5:f2:12:70:45:55:e3:df:73:5e:37:f5:21:6c:90:
-                    8e:35:5a:c9:d3:23:eb:d3:c0:be:78:ac:42:28:58:
-                    66:a5:46:6d:70:02:d7:10:f9:4b:54:fc:5d:86:4a:
-                    87:cf:7f:ca:45:ac:11:5a:b5:20:51:8d:2f:88:47:
-                    97:39:c0:cf:ba:c0:42:01:40:99:48:21:0b:6b:a7:
-                    d2:fd:96:d5:d1:be:46:9d:49:e0:0b:a6:a0:22:4e:
-                    38:d0:c1:3c:30:bc:70:8f:2c:75:cc:d0:c5:8c:51:
-                    3b:3d:94:08:64:26:61:7d:b9:c3:65:8f:14:9c:21:
-                    d0:aa:fd:17:72:03:8f:bd:9b:8c:e6:5e:53:9e:b9:
-                    9d:ef:82:bb:e1:bc:e2:72:41:5b:21:94:d3:45:37:
-                    94:d1:df:09:39:5d:e7:23:aa:9a:1d:ca:6d:a8:0a:
-                    86:85:8a:82:be:42:07:d6:f2:38:82:73:da:87:5b:
-                    e5:3c:d3:9e:3e:a7:3b:9e:f4:03:b3:f9:f1:7d:13:
-                    74:02:ff:bb:a1:e5:fa:00:79:1c:a6:66:41:88:5c:
-                    60:57:a6:2e:09:c4:ba:fd:9a:cf:a7:1f:40:c3:bb:
-                    cc:5a:0a:55:4b:3b:38:76:51:b8:63:8b:84:94:16:
-                    e6:56:f3
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                FE:AB:00:90:98:9E:24:FC:A9:CC:1A:8A:FB:27:B8:BF:30:6E:A8:3B
-    Signature Algorithm: sha256WithRSAEncryption
-         cf:77:2c:6e:56:be:4e:b3:b6:84:00:94:ab:47:c9:0d:d2:76:
-         c7:86:9f:1d:07:d3:b6:b4:bb:08:78:af:69:d2:0b:49:de:33:
-         c5:ac:ad:c2:88:02:7d:06:b7:35:02:c1:60:c9:bf:c4:e8:94:
-         de:d4:d3:a9:13:25:5a:fe:6e:a2:ae:7d:05:dc:7d:f3:6c:f0:
-         7e:a6:8d:ee:d9:d7:ce:58:17:e8:a9:29:ae:73:48:87:e7:9b:
-         ca:6e:29:a1:64:5f:19:13:f7:ae:06:10:ff:51:c6:9b:4d:55:
-         25:4f:93:99:10:01:53:75:f1:13:ce:c7:a6:41:41:d2:bf:88:
-         a5:7f:45:fc:ac:b8:a5:b5:33:0c:82:c4:fb:07:f6:6a:e5:25:
-         84:5f:06:ca:c1:86:39:11:db:58:cd:77:3b:2c:c2:4c:0f:5e:
-         9a:e3:f0:ab:3e:61:1b:50:24:c2:c0:f4:f1:19:f0:11:29:b6:
-         a5:18:02:9b:d7:63:4c:70:8c:47:a3:03:43:5c:b9:5d:46:a0:
-         0d:6f:ff:59:8e:be:dd:9f:72:c3:5b:2b:df:8c:5b:ce:e5:0c:
-         46:6c:92:b2:0a:a3:4c:54:42:18:15:12:18:bd:da:fc:ba:74:
-         6e:ff:c1:b6:a0:64:d8:a9:5f:55:ae:9f:5c:6a:76:96:d8:73:
-         67:87:fb:4d:7f:5c:ee:69:ca:73:10:fb:8a:a9:fd:9e:bd:36:
-         38:49:49:87:f4:0e:14:f0:e9:87:b8:3f:a7:4f:7a:5a:8e:79:
-         d4:93:e4:bb:68:52:84:ac:6c:e9:f3:98:70:55:72:32:f9:34:
-         ab:2b:49:b5:cd:20:62:e4:3a:7a:67:63:ab:96:dc:6d:ae:97:
-         ec:fc:9f:76:56:88:2e:66:cf:5b:b6:c9:a4:b0:d7:05:ba:e1:
-         27:2f:93:bb:26:2a:a2:93:b0:1b:f3:8e:be:1d:40:a3:b9:36:
-         8f:3e:82:1a:1a:5e:88:ea:50:f8:59:e2:83:46:29:0b:e3:44:
-         5c:e1:95:b6:69:90:9a:14:6f:97:ae:81:cf:68:ef:99:9a:be:
-         b5:e7:e1:7f:f8:fa:13:47:16:4c:cc:6d:08:40:e7:8b:78:6f:
-         50:82:44:50:3f:66:06:8a:ab:43:84:56:4a:0f:20:2d:86:0e:
-         f5:d2:db:d2:7a:8a:4b:cd:a5:e8:4e:f1:5e:26:25:01:59:23:
-         a0:7e:d2:f6:7e:21:57:d7:27:bc:15:57:4c:a4:46:c1:e0:83:
-         1e:0c:4c:4d:1f:4f:06:19:e2:f9:a8:f4:3a:82:a1:b2:79:43:
-         79:d6:ad:6f:7a:27:90:03:a4:ea:24:87:3f:d9:bd:d9:e9:f2:
-         5f:50:49:1c:ee:ec:d7:2e
------BEGIN CERTIFICATE-----
-MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO
-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh
-dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y
-MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg
-TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS
-b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS
-M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC
-UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d
-Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p
-rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l
-pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb
-j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC
-KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS
-/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X
-cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH
-1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP
-px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB
-/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7
-MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI
-eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u
-2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS
-v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC
-wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy
-CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e
-vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6
-Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa
-Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL
-eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8
-FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc
-7uzXLg==
------END CERTIFICATE-----
-
-# 1465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
-        Validity
-            Not Before: Jun 29 17:39:16 2004 GMT
-            Not After : Jun 29 17:39:16 2034 GMT
-        Subject: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b7:32:c8:fe:e9:71:a6:04:85:ad:0c:11:64:df:
-                    ce:4d:ef:c8:03:18:87:3f:a1:ab:fb:3c:a6:9f:f0:
-                    c3:a1:da:d4:d8:6e:2b:53:90:fb:24:a4:3e:84:f0:
-                    9e:e8:5f:ec:e5:27:44:f5:28:a6:3f:7b:de:e0:2a:
-                    f0:c8:af:53:2f:9e:ca:05:01:93:1e:8f:66:1c:39:
-                    a7:4d:fa:5a:b6:73:04:25:66:eb:77:7f:e7:59:c6:
-                    4a:99:25:14:54:eb:26:c7:f3:7f:19:d5:30:70:8f:
-                    af:b0:46:2a:ff:ad:eb:29:ed:d7:9f:aa:04:87:a3:
-                    d4:f9:89:a5:34:5f:db:43:91:82:36:d9:66:3c:b1:
-                    b8:b9:82:fd:9c:3a:3e:10:c8:3b:ef:06:65:66:7a:
-                    9b:19:18:3d:ff:71:51:3c:30:2e:5f:be:3d:77:73:
-                    b2:5d:06:6c:c3:23:56:9a:2b:85:26:92:1c:a7:02:
-                    b3:e4:3f:0d:af:08:79:82:b8:36:3d:ea:9c:d3:35:
-                    b3:bc:69:ca:f5:cc:9d:e8:fd:64:8d:17:80:33:6e:
-                    5e:4a:5d:99:c9:1e:87:b4:9d:1a:c0:d5:6e:13:35:
-                    23:5e:df:9b:5f:3d:ef:d6:f7:76:c2:ea:3e:bb:78:
-                    0d:1c:42:67:6b:04:d8:f8:d6:da:6f:8b:f2:44:a0:
-                    01:ab
-                Exponent: 3 (0x3)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
-            X509v3 Authority Key Identifier: 
-                keyid:BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
-                DirName:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
-                serial:00
-
-            X509v3 Basic Constraints: 
-                CA:TRUE
-    Signature Algorithm: sha1WithRSAEncryption
-         05:9d:3f:88:9d:d1:c9:1a:55:a1:ac:69:f3:f3:59:da:9b:01:
-         87:1a:4f:57:a9:a1:79:09:2a:db:f7:2f:b2:1e:cc:c7:5e:6a:
-         d8:83:87:a1:97:ef:49:35:3e:77:06:41:58:62:bf:8e:58:b8:
-         0a:67:3f:ec:b3:dd:21:66:1f:c9:54:fa:72:cc:3d:4c:40:d8:
-         81:af:77:9e:83:7a:bb:a2:c7:f5:34:17:8e:d9:11:40:f4:fc:
-         2c:2a:4d:15:7f:a7:62:5d:2e:25:d3:00:0b:20:1a:1d:68:f9:
-         17:b8:f4:bd:8b:ed:28:59:dd:4d:16:8b:17:83:c8:b2:65:c7:
-         2d:7a:a5:aa:bc:53:86:6d:dd:57:a4:ca:f8:20:41:0b:68:f0:
-         f4:fb:74:be:56:5d:7a:79:f5:f9:1d:85:e3:2d:95:be:f5:71:
-         90:43:cc:8d:1f:9a:00:0a:87:29:e9:55:22:58:00:23:ea:e3:
-         12:43:29:5b:47:08:dd:8c:41:6a:65:06:a8:e5:21:aa:41:b4:
-         95:21:95:b9:7d:d1:34:ab:13:d6:ad:bc:dc:e2:3d:39:cd:bd:
-         3e:75:70:a1:18:59:03:c9:22:b4:8f:9c:d5:5e:2a:d7:a5:b6:
-         d4:0a:6d:f8:b7:40:11:46:9a:1f:79:0e:62:bf:0f:97:ec:e0:
-         2f:1f:17:94
------BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
-MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
-U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
-NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
-ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
-ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
-DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
-8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
-+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
-X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
-K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
-1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
-A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
-zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
-YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
-bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
-L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
-eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
-xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
-VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
-WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
------END CERTIFICATE-----
-
-# 2ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f5
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2
-        Validity
-            Not Before: Sep  1 00:00:00 2009 GMT
-            Not After : Dec 31 23:59:59 2037 GMT
-        Subject: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:bd:ed:c1:03:fc:f6:8f:fc:02:b1:6f:5b:9f:48:
-                    d9:9d:79:e2:a2:b7:03:61:56:18:c3:47:b6:d7:ca:
-                    3d:35:2e:89:43:f7:a1:69:9b:de:8a:1a:fd:13:20:
-                    9c:b4:49:77:32:29:56:fd:b9:ec:8c:dd:22:fa:72:
-                    dc:27:61:97:ee:f6:5a:84:ec:6e:19:b9:89:2c:dc:
-                    84:5b:d5:74:fb:6b:5f:c5:89:a5:10:52:89:46:55:
-                    f4:b8:75:1c:e6:7f:e4:54:ae:4b:f8:55:72:57:02:
-                    19:f8:17:71:59:eb:1e:28:07:74:c5:9d:48:be:6c:
-                    b4:f4:a4:b0:f3:64:37:79:92:c0:ec:46:5e:7f:e1:
-                    6d:53:4c:62:af:cd:1f:0b:63:bb:3a:9d:fb:fc:79:
-                    00:98:61:74:cf:26:82:40:63:f3:b2:72:6a:19:0d:
-                    99:ca:d4:0e:75:cc:37:fb:8b:89:c1:59:f1:62:7f:
-                    5f:b3:5f:65:30:f8:a7:b7:4d:76:5a:1e:76:5e:34:
-                    c0:e8:96:56:99:8a:b3:f0:7f:a4:cd:bd:dc:32:31:
-                    7c:91:cf:e0:5f:11:f8:6b:aa:49:5c:d1:99:94:d1:
-                    a2:e3:63:5b:09:76:b5:56:62:e1:4b:74:1d:96:d4:
-                    26:d4:08:04:59:d0:98:0e:0e:e6:de:fc:c3:ec:1f:
-                    90:f1
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                7C:0C:32:1F:A7:D9:30:7F:C4:7D:68:A3:62:A8:A1:CE:AB:07:5B:27
-    Signature Algorithm: sha256WithRSAEncryption
-         11:59:fa:25:4f:03:6f:94:99:3b:9a:1f:82:85:39:d4:76:05:
-         94:5e:e1:28:93:6d:62:5d:09:c2:a0:a8:d4:b0:75:38:f1:34:
-         6a:9d:e4:9f:8a:86:26:51:e6:2c:d1:c6:2d:6e:95:20:4a:92:
-         01:ec:b8:8a:67:7b:31:e2:67:2e:8c:95:03:26:2e:43:9d:4a:
-         31:f6:0e:b5:0c:bb:b7:e2:37:7f:22:ba:00:a3:0e:7b:52:fb:
-         6b:bb:3b:c4:d3:79:51:4e:cd:90:f4:67:07:19:c8:3c:46:7a:
-         0d:01:7d:c5:58:e7:6d:e6:85:30:17:9a:24:c4:10:e0:04:f7:
-         e0:f2:7f:d4:aa:0a:ff:42:1d:37:ed:94:e5:64:59:12:20:77:
-         38:d3:32:3e:38:81:75:96:73:fa:68:8f:b1:cb:ce:1f:c5:ec:
-         fa:9c:7e:cf:7e:b1:f1:07:2d:b6:fc:bf:ca:a4:bf:d0:97:05:
-         4a:bc:ea:18:28:02:90:bd:54:78:09:21:71:d3:d1:7d:1d:d9:
-         16:b0:a9:61:3d:d0:0a:00:22:fc:c7:7b:cb:09:64:45:0b:3b:
-         40:81:f7:7d:7c:32:f5:98:ca:58:8e:7d:2a:ee:90:59:73:64:
-         f9:36:74:5e:25:a1:f5:66:05:2e:7f:39:15:a9:2a:fb:50:8b:
-         8e:85:69:f4
------BEGIN CERTIFICATE-----
-MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
-ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAw
-MFoXDTM3MTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
-b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
-aG5vbG9naWVzLCBJbmMuMTIwMAYDVQQDEylTdGFyZmllbGQgUm9vdCBDZXJ0aWZp
-Y2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAL3twQP89o/8ArFvW59I2Z154qK3A2FWGMNHttfKPTUuiUP3oWmb3ooa/RMg
-nLRJdzIpVv257IzdIvpy3Cdhl+72WoTsbhm5iSzchFvVdPtrX8WJpRBSiUZV9Lh1
-HOZ/5FSuS/hVclcCGfgXcVnrHigHdMWdSL5stPSksPNkN3mSwOxGXn/hbVNMYq/N
-Hwtjuzqd+/x5AJhhdM8mgkBj87JyahkNmcrUDnXMN/uLicFZ8WJ/X7NfZTD4p7dN
-dloedl40wOiWVpmKs/B/pM293DIxfJHP4F8R+GuqSVzRmZTRouNjWwl2tVZi4Ut0
-HZbUJtQIBFnQmA4O5t78w+wfkPECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFHwMMh+n2TB/xH1oo2Kooc6rB1snMA0G
-CSqGSIb3DQEBCwUAA4IBAQARWfolTwNvlJk7mh+ChTnUdgWUXuEok21iXQnCoKjU
-sHU48TRqneSfioYmUeYs0cYtbpUgSpIB7LiKZ3sx4mcujJUDJi5DnUox9g61DLu3
-4jd/IroAow57UvtruzvE03lRTs2Q9GcHGcg8RnoNAX3FWOdt5oUwF5okxBDgBPfg
-8n/Uqgr/Qh037ZTlZFkSIHc40zI+OIF1lnP6aI+xy84fxez6nH7PfrHxBy22/L/K
-pL/QlwVKvOoYKAKQvVR4CSFx09F9HdkWsKlhPdAKACL8x3vLCWRFCztAgfd9fDL1
-mMpYjn0q7pBZc2T5NnReJaH1ZgUufzkVqSr7UIuOhWn0
------END CERTIFICATE-----
-
-# 568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
-        Validity
-            Not Before: Sep  1 00:00:00 2009 GMT
-            Not After : Dec 31 23:59:59 2037 GMT
-        Subject: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:d5:0c:3a:c4:2a:f9:4e:e2:f5:be:19:97:5f:8e:
-                    88:53:b1:1f:3f:cb:cf:9f:20:13:6d:29:3a:c8:0f:
-                    7d:3c:f7:6b:76:38:63:d9:36:60:a8:9b:5e:5c:00:
-                    80:b2:2f:59:7f:f6:87:f9:25:43:86:e7:69:1b:52:
-                    9a:90:e1:71:e3:d8:2d:0d:4e:6f:f6:c8:49:d9:b6:
-                    f3:1a:56:ae:2b:b6:74:14:eb:cf:fb:26:e3:1a:ba:
-                    1d:96:2e:6a:3b:58:94:89:47:56:ff:25:a0:93:70:
-                    53:83:da:84:74:14:c3:67:9e:04:68:3a:df:8e:40:
-                    5a:1d:4a:4e:cf:43:91:3b:e7:56:d6:00:70:cb:52:
-                    ee:7b:7d:ae:3a:e7:bc:31:f9:45:f6:c2:60:cf:13:
-                    59:02:2b:80:cc:34:47:df:b9:de:90:65:6d:02:cf:
-                    2c:91:a6:a6:e7:de:85:18:49:7c:66:4e:a3:3a:6d:
-                    a9:b5:ee:34:2e:ba:0d:03:b8:33:df:47:eb:b1:6b:
-                    8d:25:d9:9b:ce:81:d1:45:46:32:96:70:87:de:02:
-                    0e:49:43:85:b6:6c:73:bb:64:ea:61:41:ac:c9:d4:
-                    54:df:87:2f:c7:22:b2:26:cc:9f:59:54:68:9f:fc:
-                    be:2a:2f:c4:55:1c:75:40:60:17:85:02:55:39:8b:
-                    7f:05
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                9C:5F:00:DF:AA:01:D7:30:2B:38:88:A2:B8:6D:4A:9C:F2:11:91:83
-    Signature Algorithm: sha256WithRSAEncryption
-         4b:36:a6:84:77:69:dd:3b:19:9f:67:23:08:6f:0e:61:c9:fd:
-         84:dc:5f:d8:36:81:cd:d8:1b:41:2d:9f:60:dd:c7:1a:68:d9:
-         d1:6e:86:e1:88:23:cf:13:de:43:cf:e2:34:b3:04:9d:1f:29:
-         d5:bf:f8:5e:c8:d5:c1:bd:ee:92:6f:32:74:f2:91:82:2f:bd:
-         82:42:7a:ad:2a:b7:20:7d:4d:bc:7a:55:12:c2:15:ea:bd:f7:
-         6a:95:2e:6c:74:9f:cf:1c:b4:f2:c5:01:a3:85:d0:72:3e:ad:
-         73:ab:0b:9b:75:0c:6d:45:b7:8e:94:ac:96:37:b5:a0:d0:8f:
-         15:47:0e:e3:e8:83:dd:8f:fd:ef:41:01:77:cc:27:a9:62:85:
-         33:f2:37:08:ef:71:cf:77:06:de:c8:19:1d:88:40:cf:7d:46:
-         1d:ff:1e:c7:e1:ce:ff:23:db:c6:fa:8d:55:4e:a9:02:e7:47:
-         11:46:3e:f4:fd:bd:7b:29:26:bb:a9:61:62:37:28:b6:2d:2a:
-         f6:10:86:64:c9:70:a7:d2:ad:b7:29:70:79:ea:3c:da:63:25:
-         9f:fd:68:b7:30:ec:70:fb:75:8a:b7:6d:60:67:b2:1e:c8:b9:
-         e9:d8:a8:6f:02:8b:67:0d:4d:26:57:71:da:20:fc:c1:4a:50:
-         8d:b1:28:ba
------BEGIN CERTIFICATE-----
-MIID7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMx
-EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
-HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVs
-ZCBTZXJ2aWNlcyBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5
-MDkwMTAwMDAwMFoXDTM3MTIzMTIzNTk1OVowgZgxCzAJBgNVBAYTAlVTMRAwDgYD
-VQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFy
-ZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQDEzJTdGFyZmllbGQgU2Vy
-dmljZXMgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58gE20p
-OsgPfTz3a3Y4Y9k2YKibXlwAgLIvWX/2h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm2
-8xpWriu2dBTrz/sm4xq6HZYuajtYlIlHVv8loJNwU4PahHQUw2eeBGg6345AWh1K
-Ts9DkTvnVtYAcMtS7nt9rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLPLJGmpufe
-hRhJfGZOozptqbXuNC66DQO4M99H67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk
-6mFBrMnUVN+HL8cisibMn1lUaJ/8viovxFUcdUBgF4UCVTmLfwUCAwEAAaNCMEAw
-DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFJxfAN+q
-AdcwKziIorhtSpzyEZGDMA0GCSqGSIb3DQEBCwUAA4IBAQBLNqaEd2ndOxmfZyMI
-bw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPPE95Dz+I0swSdHynVv/heyNXB
-ve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTyxQGjhdByPq1z
-qwubdQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkd
-iEDPfUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn
-0q23KXB56jzaYyWf/Wi3MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCN
-sSi6
------END CERTIFICATE-----
-
-# 62dd0be9b9f50a163ea0f8e75c053b1eca57ea55c8688f647c6881f2c8357b95
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 13492815561806991280 (0xbb401c43f55e4fb0)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
-        Validity
-            Not Before: Oct 25 08:30:35 2006 GMT
-            Not After : Oct 25 08:30:35 2036 GMT
-        Subject: C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:af:e4:ee:7e:8b:24:0e:12:6e:a9:50:2d:16:44:
-                    3b:92:92:5c:ca:b8:5d:84:92:42:13:2a:bc:65:57:
-                    82:40:3e:57:24:cd:50:8b:25:2a:b7:6f:fc:ef:a2:
-                    d0:c0:1f:02:24:4a:13:96:8f:23:13:e6:28:58:00:
-                    a3:47:c7:06:a7:84:23:2b:bb:bd:96:2b:7f:55:cc:
-                    8b:c1:57:1f:0e:62:65:0f:dd:3d:56:8a:73:da:ae:
-                    7e:6d:ba:81:1c:7e:42:8c:20:35:d9:43:4d:84:fa:
-                    84:db:52:2c:f3:0e:27:77:0b:6b:bf:11:2f:72:78:
-                    9f:2e:d8:3e:e6:18:37:5a:2a:72:f9:da:62:90:92:
-                    95:ca:1f:9c:e9:b3:3c:2b:cb:f3:01:13:bf:5a:cf:
-                    c1:b5:0a:60:bd:dd:b5:99:64:53:b8:a0:96:b3:6f:
-                    e2:26:77:91:8c:e0:62:10:02:9f:34:0f:a4:d5:92:
-                    33:51:de:be:8d:ba:84:7a:60:3c:6a:db:9f:2b:ec:
-                    de:de:01:3f:6e:4d:e5:50:86:cb:b4:af:ed:44:40:
-                    c5:ca:5a:8c:da:d2:2b:7c:a8:ee:be:a6:e5:0a:aa:
-                    0e:a5:df:05:52:b7:55:c7:22:5d:32:6a:97:97:63:
-                    13:db:c9:db:79:36:7b:85:3a:4a:c5:52:89:f9:24:
-                    e7:9d:77:a9:82:ff:55:1c:a5:71:69:2b:d1:02:24:
-                    f2:b3:26:d4:6b:da:04:55:e5:c1:0a:c7:6d:30:37:
-                    90:2a:e4:9e:14:33:5e:16:17:55:c5:5b:b5:cb:34:
-                    89:92:f1:9d:26:8f:a1:07:d4:c6:b2:78:50:db:0c:
-                    0c:0b:7c:0b:8c:41:d7:b9:e9:dd:8c:88:f7:a3:4d:
-                    b2:32:cc:d8:17:da:cd:b7:ce:66:9d:d4:fd:5e:ff:
-                    bd:97:3e:29:75:e7:7e:a7:62:58:af:25:34:a5:41:
-                    c7:3d:bc:0d:50:ca:03:03:0f:08:5a:1f:95:73:78:
-                    62:bf:af:72:14:69:0e:a5:e5:03:0e:78:8e:26:28:
-                    42:f0:07:0b:62:20:10:67:39:46:fa:a9:03:cc:04:
-                    38:7a:66:ef:20:83:b5:8c:4a:56:8e:91:00:fc:8e:
-                    5c:82:de:88:a0:c3:e2:68:6e:7d:8d:ef:3c:dd:65:
-                    f4:5d:ac:51:ef:24:80:ae:aa:56:97:6f:f9:ad:7d:
-                    da:61:3f:98:77:3c:a5:91:b6:1c:8c:26:da:65:a2:
-                    09:6d:c1:e2:54:e3:b9:ca:4c:4c:80:8f:77:7b:60:
-                    9a:1e:df:b6:f2:48:1e:0e:ba:4e:54:6d:98:e0:e1:
-                    a2:1a:a2:77:50:cf:c4:63:92:ec:47:19:9d:eb:e6:
-                    6b:ce:c1
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                5B:25:7B:96:A4:65:51:7E:B8:39:F3:C0:78:66:5E:E8:3A:E7:F0:EE
-            X509v3 Authority Key Identifier: 
-                keyid:5B:25:7B:96:A4:65:51:7E:B8:39:F3:C0:78:66:5E:E8:3A:E7:F0:EE
-
-            X509v3 Certificate Policies: 
-                Policy: 2.16.756.1.89.1.2.1.1
-                  CPS: http://repository.swisssign.com/
-
-    Signature Algorithm: sha1WithRSAEncryption
-         27:ba:e3:94:7c:f1:ae:c0:de:17:e6:e5:d8:d5:f5:54:b0:83:
-         f4:bb:cd:5e:05:7b:4f:9f:75:66:af:3c:e8:56:7e:fc:72:78:
-         38:03:d9:2b:62:1b:00:b9:f8:e9:60:cd:cc:ce:51:8a:c7:50:
-         31:6e:e1:4a:7e:18:2f:69:59:b6:3d:64:81:2b:e3:83:84:e6:
-         22:87:8e:7d:e0:ee:02:99:61:b8:1e:f4:b8:2b:88:12:16:84:
-         c2:31:93:38:96:31:a6:b9:3b:53:3f:c3:24:93:56:5b:69:92:
-         ec:c5:c1:bb:38:00:e3:ec:17:a9:b8:dc:c7:7c:01:83:9f:32:
-         47:ba:52:22:34:1d:32:7a:09:56:a7:7c:25:36:a9:3d:4b:da:
-         c0:82:6f:0a:bb:12:c8:87:4b:27:11:f9:1e:2d:c7:93:3f:9e:
-         db:5f:26:6b:52:d9:2e:8a:f1:14:c6:44:8d:15:a9:b7:bf:bd:
-         de:a6:1a:ee:ae:2d:fb:48:77:17:fe:bb:ec:af:18:f5:2a:51:
-         f0:39:84:97:95:6c:6e:1b:c3:2b:c4:74:60:79:25:b0:0a:27:
-         df:df:5e:d2:39:cf:45:7d:42:4b:df:b3:2c:1e:c5:c6:5d:ca:
-         55:3a:a0:9c:69:9a:8f:da:ef:b2:b0:3c:9f:87:6c:12:2b:65:
-         70:15:52:31:1a:24:cf:6f:31:23:50:1f:8c:4f:8f:23:c3:74:
-         41:63:1c:55:a8:14:dd:3e:e0:51:50:cf:f1:1b:30:56:0e:92:
-         b0:82:85:d8:83:cb:22:64:bc:2d:b8:25:d5:54:a2:b8:06:ea:
-         ad:92:a4:24:a0:c1:86:b5:4a:13:6a:47:cf:2e:0b:56:95:54:
-         cb:ce:9a:db:6a:b4:a6:b2:db:41:08:86:27:77:f7:6a:a0:42:
-         6c:0b:38:ce:d7:75:50:32:92:c2:df:2b:30:22:48:d0:d5:41:
-         38:25:5d:a4:e9:5d:9f:c6:94:75:d0:45:fd:30:97:43:8f:90:
-         ab:0a:c7:86:73:60:4a:69:2d:de:a5:78:d7:06:da:6a:9e:4b:
-         3e:77:3a:20:13:22:01:d0:bf:68:9e:63:60:6b:35:4d:0b:6d:
-         ba:a1:3d:c0:93:e0:7f:23:b3:55:ad:72:25:4e:46:f9:d2:16:
-         ef:b0:64:c1:01:9e:e9:ca:a0:6a:98:0e:cf:d8:60:f2:2f:49:
-         b8:e4:42:e1:38:35:16:f4:c8:6e:4f:f7:81:56:e8:ba:a3:be:
-         23:af:ae:fd:6f:03:e0:02:3b:30:76:fa:1b:6d:41:cf:01:b1:
-         e9:b8:c9:66:f4:db:26:f3:3a:a4:74:f2:49:24:5b:c9:b0:d0:
-         57:c1:fa:3e:7a:e1:97:c9
------BEGIN CERTIFICATE-----
-MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkNIMRUwEwYDVQQKEwxTd2lzc1NpZ24gQUcxHzAdBgNVBAMTFlN3aXNzU2ln
-biBHb2xkIENBIC0gRzIwHhcNMDYxMDI1MDgzMDM1WhcNMzYxMDI1MDgzMDM1WjBF
-MQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWduIEFHMR8wHQYDVQQDExZT
-d2lzc1NpZ24gR29sZCBDQSAtIEcyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAr+TufoskDhJuqVAtFkQ7kpJcyrhdhJJCEyq8ZVeCQD5XJM1QiyUqt2/8
-76LQwB8CJEoTlo8jE+YoWACjR8cGp4QjK7u9lit/VcyLwVcfDmJlD909Vopz2q5+
-bbqBHH5CjCA12UNNhPqE21Is8w4ndwtrvxEvcnifLtg+5hg3Wipy+dpikJKVyh+c
-6bM8K8vzARO/Ws/BtQpgvd21mWRTuKCWs2/iJneRjOBiEAKfNA+k1ZIzUd6+jbqE
-emA8atufK+ze3gE/bk3lUIbLtK/tREDFylqM2tIrfKjuvqblCqoOpd8FUrdVxyJd
-MmqXl2MT28nbeTZ7hTpKxVKJ+STnnXepgv9VHKVxaSvRAiTysybUa9oEVeXBCsdt
-MDeQKuSeFDNeFhdVxVu1yzSJkvGdJo+hB9TGsnhQ2wwMC3wLjEHXuendjIj3o02y
-MszYF9rNt85mndT9Xv+9lz4pded+p2JYryU0pUHHPbwNUMoDAw8IWh+Vc3hiv69y
-FGkOpeUDDniOJihC8AcLYiAQZzlG+qkDzAQ4embvIIO1jEpWjpEA/I5cgt6IoMPi
-aG59je883WX0XaxR7ySArqpWl2/5rX3aYT+YdzylkbYcjCbaZaIJbcHiVOO5ykxM
-gI93e2CaHt+28kgeDrpOVG2Y4OGiGqJ3UM/EY5LsRxmd6+ZrzsECAwEAAaOBrDCB
-qTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUWyV7
-lqRlUX64OfPAeGZe6Drn8O4wHwYDVR0jBBgwFoAUWyV7lqRlUX64OfPAeGZe6Drn
-8O4wRgYDVR0gBD8wPTA7BglghXQBWQECAQEwLjAsBggrBgEFBQcCARYgaHR0cDov
-L3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS8wDQYJKoZIhvcNAQEFBQADggIBACe6
-45R88a7A3hfm5djV9VSwg/S7zV4Fe0+fdWavPOhWfvxyeDgD2StiGwC5+OlgzczO
-UYrHUDFu4Up+GC9pWbY9ZIEr44OE5iKHjn3g7gKZYbge9LgriBIWhMIxkziWMaa5
-O1M/wySTVltpkuzFwbs4AOPsF6m43Md8AYOfMke6UiI0HTJ6CVanfCU2qT1L2sCC
-bwq7EsiHSycR+R4tx5M/nttfJmtS2S6K8RTGRI0Vqbe/vd6mGu6uLftIdxf+u+yv
-GPUqUfA5hJeVbG4bwyvEdGB5JbAKJ9/fXtI5z0V9QkvfsywexcZdylU6oJxpmo/a
-77KwPJ+HbBIrZXAVUjEaJM9vMSNQH4xPjyPDdEFjHFWoFN0+4FFQz/EbMFYOkrCC
-hdiDyyJkvC24JdVUorgG6q2SpCSgwYa1ShNqR88uC1aVVMvOmttqtKay20EIhid3
-92qgQmwLOM7XdVAyksLfKzAiSNDVQTglXaTpXZ/GlHXQRf0wl0OPkKsKx4ZzYEpp
-Ld6leNcG2mqeSz53OiATIgHQv2ieY2BrNU0LbbqhPcCT4H8js1WtciVORvnSFu+w
-ZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6LqjviOvrv1vA+ACOzB2+htt
-Qc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ
------END CERTIFICATE-----
-
-# 59769007f7685d0fcd50872f9f95d5755a5b2b457d81f3692b610a98672f0e1b
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 3262 (0xcbe)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA
-        Validity
-            Not Before: Jun 27 06:28:33 2012 GMT
-            Not After : Dec 31 15:59:59 2030 GMT
-        Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:b0:05:db:c8:eb:8c:c4:6e:8a:21:ef:8e:4d:9c:
-                    71:0a:1f:52:70:ed:6d:82:9c:97:c5:d7:4c:4e:45:
-                    49:cb:40:42:b5:12:34:6c:19:c2:74:a4:31:5f:85:
-                    02:97:ec:43:33:0a:53:d2:9c:8c:8e:b7:b8:79:db:
-                    2b:d5:6a:f2:8e:66:c4:ee:2b:01:07:92:d4:b3:d0:
-                    02:df:50:f6:55:af:66:0e:cb:e0:47:60:2f:2b:32:
-                    39:35:52:3a:28:83:f8:7b:16:c6:18:b8:62:d6:47:
-                    25:91:ce:f0:19:12:4d:ad:63:f5:d3:3f:75:5f:29:
-                    f0:a1:30:1c:2a:a0:98:a6:15:bd:ee:fd:19:36:f0:
-                    e2:91:43:8f:fa:ca:d6:10:27:49:4c:ef:dd:c1:f1:
-                    85:70:9b:ca:ea:a8:5a:43:fc:6d:86:6f:73:e9:37:
-                    45:a9:f0:36:c7:cc:88:75:1e:bb:6c:06:ff:9b:6b:
-                    3e:17:ec:61:aa:71:7c:c6:1d:a2:f7:49:e9:15:b5:
-                    3c:d6:a1:61:f5:11:f7:05:6f:1d:fd:11:be:d0:30:
-                    07:c2:29:b0:09:4e:26:dc:e3:a2:a8:91:6a:1f:c2:
-                    91:45:88:5c:e5:98:b8:71:a5:15:19:c9:7c:75:11:
-                    cc:70:74:4f:2d:9b:1d:91:44:fd:56:28:a0:fe:bb:
-                    86:6a:c8:fa:5c:0b:58:dc:c6:4b:76:c8:ab:22:d9:
-                    73:0f:a5:f4:5a:02:89:3f:4f:9e:22:82:ee:a2:74:
-                    53:2a:3d:53:27:69:1d:6c:8e:32:2c:64:00:26:63:
-                    61:36:4e:a3:46:b7:3f:7d:b3:2d:ac:6d:90:a2:95:
-                    a2:ce:cf:da:82:e7:07:34:19:96:e9:b8:21:aa:29:
-                    7e:a6:38:be:8e:29:4a:21:66:79:1f:b3:c3:b5:09:
-                    67:de:d6:d4:07:46:f3:2a:da:e6:22:37:60:cb:81:
-                    b6:0f:a0:0f:e9:c8:95:7f:bf:55:91:05:7a:cf:3d:
-                    15:c0:6f:de:09:94:01:83:d7:34:1b:cc:40:a5:f0:
-                    b8:9b:67:d5:98:91:3b:a7:84:78:95:26:a4:5a:08:
-                    f8:2b:74:b4:00:04:3c:df:b8:14:8e:e8:df:a9:8d:
-                    6c:67:92:33:1d:c0:b7:d2:ec:92:c8:be:09:bf:2c:
-                    29:05:6f:02:6b:9e:ef:bc:bf:2a:bc:5b:c0:50:8f:
-                    41:70:71:87:b2:4d:b7:04:a9:84:a3:32:af:ae:ee:
-                    6b:17:8b:b2:b1:fe:6c:e1:90:8c:88:a8:97:48:ce:
-                    c8:4d:cb:f3:06:cf:5f:6a:0a:42:b1:1e:1e:77:2f:
-                    8e:a0:e6:92:0e:06:fc:05:22:d2:26:e1:31:51:7d:
-                    32:dc:0f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha256WithRSAEncryption
-         5f:34:81:76:ef:96:1d:d5:e5:b5:d9:02:63:84:16:c1:ae:a0:
-         70:51:a7:f7:4c:47:35:c8:0b:d7:28:3d:89:71:d9:aa:33:41:
-         ea:14:1b:6c:21:00:c0:6c:42:19:7e:9f:69:5b:20:42:df:a2:
-         d2:da:c4:7c:97:4b:8d:b0:e8:ac:c8:ee:a5:69:04:99:0a:92:
-         a6:ab:27:2e:1a:4d:81:bf:84:d4:70:1e:ad:47:fe:fd:4a:9d:
-         33:e0:f2:b9:c4:45:08:21:0a:da:69:69:73:72:0d:be:34:fe:
-         94:8b:ad:c3:1e:35:d7:a2:83:ef:e5:38:c7:a5:85:1f:ab:cf:
-         34:ec:3f:28:fe:0c:f1:57:86:4e:c9:55:f7:1c:d4:d8:a5:7d:
-         06:7a:6f:d5:df:10:df:81:4e:21:65:b1:b6:e1:17:79:95:45:
-         06:ce:5f:cc:dc:46:89:63:68:44:8d:93:f4:64:70:a0:3d:9d:
-         28:05:c3:39:70:b8:62:7b:20:fd:e4:db:e9:08:a1:b8:9e:3d:
-         09:c7:4f:fb:2c:f8:93:76:41:de:52:e0:e1:57:d2:9d:03:bc:
-         77:9e:fe:9e:29:5e:f7:c1:51:60:1f:de:da:0b:b2:2d:75:b7:
-         43:48:93:e7:f6:79:c6:84:5d:80:59:60:94:fc:78:98:8f:3c:
-         93:51:ed:40:90:07:df:64:63:24:cb:4e:71:05:a1:d7:94:1a:
-         88:32:f1:22:74:22:ae:a5:a6:d8:12:69:4c:60:a3:02:ee:2b:
-         ec:d4:63:92:0b:5e:be:2f:76:6b:a3:b6:26:bc:8f:03:d8:0a:
-         f2:4c:64:46:bd:39:62:e5:96:eb:34:63:11:28:cc:95:f1:ad:
-         ef:ef:dc:80:58:48:e9:4b:b8:ea:65:ac:e9:fc:80:b5:b5:c8:
-         45:f9:ac:c1:9f:d9:b9:ea:62:88:8e:c4:f1:4b:83:12:ad:e6:
-         8b:84:d6:9e:c2:eb:83:18:9f:6a:bb:1b:24:60:33:70:cc:ec:
-         f7:32:f3:5c:d9:79:7d:ef:9e:a4:fe:c9:23:c3:24:ee:15:92:
-         b1:3d:91:4f:26:86:bd:66:73:24:13:ea:a4:ae:63:c1:ad:7d:
-         84:03:3c:10:78:86:1b:79:e3:c4:f3:f2:04:95:20:ae:23:82:
-         c4:b3:3a:00:62:bf:e6:36:24:e1:57:ba:c7:1e:90:75:d5:5f:
-         3f:95:61:2b:c1:3b:cd:e5:b3:68:61:d0:46:26:a9:21:52:69:
-         2d:eb:2e:c7:eb:77:ce:a6:3a:b5:03:33:4f:76:d1:e7:5c:54:
-         01:5d:cb:78:f4:c9:0c:bf:cf:12:8e:17:2d:23:68:94:e7:ab:
-         fe:a9:b2:2b:06:d0:04:cd
------BEGIN CERTIFICATE-----
-MIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVFcx
-EjAQBgNVBAoTCVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMT
-VFdDQSBHbG9iYWwgUm9vdCBDQTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5
-NTlaMFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsT
-B1Jvb3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0EwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQCwBdvI64zEbooh745NnHEKH1Jw7W2CnJfF
-10xORUnLQEK1EjRsGcJ0pDFfhQKX7EMzClPSnIyOt7h52yvVavKOZsTuKwEHktSz
-0ALfUPZVr2YOy+BHYC8rMjk1Ujoog/h7FsYYuGLWRyWRzvAZEk2tY/XTP3VfKfCh
-MBwqoJimFb3u/Rk28OKRQ4/6ytYQJ0lM793B8YVwm8rqqFpD/G2Gb3PpN0Wp8DbH
-zIh1HrtsBv+baz4X7GGqcXzGHaL3SekVtTzWoWH1EfcFbx39Eb7QMAfCKbAJTibc
-46KokWofwpFFiFzlmLhxpRUZyXx1EcxwdE8tmx2RRP1WKKD+u4ZqyPpcC1jcxkt2
-yKsi2XMPpfRaAok/T54igu6idFMqPVMnaR1sjjIsZAAmY2E2TqNGtz99sy2sbZCi
-laLOz9qC5wc0GZbpuCGqKX6mOL6OKUohZnkfs8O1CWfe1tQHRvMq2uYiN2DLgbYP
-oA/pyJV/v1WRBXrPPRXAb94JlAGD1zQbzECl8LibZ9WYkTunhHiVJqRaCPgrdLQA
-BDzfuBSO6N+pjWxnkjMdwLfS7JLIvgm/LCkFbwJrnu+8vyq8W8BQj0FwcYeyTbcE
-qYSjMq+u7msXi7Kx/mzhkIyIqJdIzshNy/MGz19qCkKxHh53L46g5pIOBvwFItIm
-4TFRfTLcDwIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAgEAXzSBdu+WHdXltdkCY4QWwa6gcFGn90xHNcgL
-1yg9iXHZqjNB6hQbbCEAwGxCGX6faVsgQt+i0trEfJdLjbDorMjupWkEmQqSpqsn
-LhpNgb+E1HAerUf+/UqdM+DyucRFCCEK2mlpc3INvjT+lIutwx4116KD7+U4x6WF
-H6vPNOw/KP4M8VeGTslV9xzU2KV9Bnpv1d8Q34FOIWWxtuEXeZVFBs5fzNxGiWNo
-RI2T9GRwoD2dKAXDOXC4Ynsg/eTb6QihuJ49CcdP+yz4k3ZB3lLg4VfSnQO8d57+
-nile98FRYB/e2guyLXW3Q0iT5/Z5xoRdgFlglPx4mI88k1HtQJAH32RjJMtOcQWh
-15QaiDLxInQirqWm2BJpTGCjAu4r7NRjkgtevi92a6O2JryPA9gK8kxkRr05YuWW
-6zRjESjMlfGt7+/cgFhI6Uu46mWs6fyAtbXIRfmswZ/ZuepiiI7E8UuDEq3mi4TW
-nsLrgxifarsbJGAzcMzs9zLzXNl5fe+epP7JI8Mk7hWSsT2RTyaGvWZzJBPqpK5j
-wa19hAM8EHiGG3njxPPyBJUgriOCxLM6AGK/5jYk4Ve6xx6QddVfP5VhK8E7zeWz
-aGHQRiapIVJpLesux+t3zqY6tQMzT3bR51xUAV3LePTJDL/PEo4XLSNolOer/qmy
-KwbQBM0=
------END CERTIFICATE-----
-
-# bfd88fe1101c41ae3e801bf8be56350ee9bad1a6b9bd515edc5c6d5b8711ac44
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
-        Validity
-            Not Before: Aug 28 07:24:33 2008 GMT
-            Not After : Dec 31 15:59:59 2030 GMT
-        Subject: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:b0:7e:72:b8:a4:03:94:e6:a7:de:09:38:91:4a:
-                    11:40:87:a7:7c:59:64:14:7b:b5:11:10:dd:fe:bf:
-                    d5:c0:bb:56:e2:85:25:f4:35:72:0f:f8:53:d0:41:
-                    e1:44:01:c2:b4:1c:c3:31:42:16:47:85:33:22:76:
-                    b2:0a:6f:0f:e5:25:50:4f:85:86:be:bf:98:2e:10:
-                    67:1e:be:11:05:86:05:90:c4:59:d0:7c:78:10:b0:
-                    80:5c:b7:e1:c7:2b:75:cb:7c:9f:ae:b5:d1:9d:23:
-                    37:63:a7:dc:42:a2:2d:92:04:1b:50:c1:7b:b8:3e:
-                    1b:c9:56:04:8b:2f:52:9b:ad:a9:56:e9:c1:ff:ad:
-                    a9:58:87:30:b6:81:f7:97:45:fc:19:57:3b:2b:6f:
-                    e4:47:f4:99:45:fe:1d:f1:f8:97:a3:88:1d:37:1c:
-                    5c:8f:e0:76:25:9a:50:f8:a0:54:ff:44:90:76:23:
-                    d2:32:c6:c3:ab:06:bf:fc:fb:bf:f3:ad:7d:92:62:
-                    02:5b:29:d3:35:a3:93:9a:43:64:60:5d:b2:fa:32:
-                    ff:3b:04:af:4d:40:6a:f9:c7:e3:ef:23:fd:6b:cb:
-                    e5:0f:8b:38:0d:ee:0a:fc:fe:0f:98:9f:30:31:dd:
-                    6c:52:65:f9:8b:81:be:22:e1:1c:58:03:ba:91:1b:
-                    89:07
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                6A:38:5B:26:8D:DE:8B:5A:F2:4F:7A:54:83:19:18:E3:08:35:A6:BA
-    Signature Algorithm: sha1WithRSAEncryption
-         3c:d5:77:3d:da:df:89:ba:87:0c:08:54:6a:20:50:92:be:b0:
-         41:3d:b9:26:64:83:0a:2f:e8:40:c0:97:28:27:82:30:4a:c9:
-         93:ff:6a:e7:a6:00:7f:89:42:9a:d6:11:e5:53:ce:2f:cc:f2:
-         da:05:c4:fe:e2:50:c4:3a:86:7d:cc:da:7e:10:09:3b:92:35:
-         2a:53:b2:fe:eb:2b:05:d9:6c:5d:e6:d0:ef:d3:6a:66:9e:15:
-         28:85:7a:e8:82:00:ac:1e:a7:09:69:56:42:d3:68:51:18:be:
-         54:9a:bf:44:41:ba:49:be:20:ba:69:5c:ee:b8:77:cd:ce:6c:
-         1f:ad:83:96:18:7d:0e:b5:14:39:84:f1:28:e9:2d:a3:9e:7b:
-         1e:7a:72:5a:83:b3:79:6f:ef:b4:fc:d0:0a:a5:58:4f:46:df:
-         fb:6d:79:59:f2:84:22:52:ae:0f:cc:fb:7c:3b:e7:6a:ca:47:
-         61:c3:7a:f8:d3:92:04:1f:b8:20:84:e1:36:54:16:c7:40:de:
-         3b:8a:73:dc:df:c6:09:4c:df:ec:da:ff:d4:53:42:a1:c9:f2:
-         62:1d:22:83:3c:97:c5:f9:19:62:27:ac:65:22:d7:d3:3c:c6:
-         e5:8e:b2:53:cc:49:ce:bc:30:fe:7b:0e:33:90:fb:ed:d2:14:
-         91:1f:07:af
------BEGIN CERTIFICATE-----
-MIIDezCCAmOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJUVzES
-MBAGA1UECgwJVEFJV0FOLUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFU
-V0NBIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwODI4MDcyNDMz
-WhcNMzAxMjMxMTU1OTU5WjBfMQswCQYDVQQGEwJUVzESMBAGA1UECgwJVEFJV0FO
-LUNBMRAwDgYDVQQLDAdSb290IENBMSowKAYDVQQDDCFUV0NBIFJvb3QgQ2VydGlm
-aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQCwfnK4pAOU5qfeCTiRShFAh6d8WWQUe7UREN3+v9XAu1bihSX0NXIP+FPQQeFE
-AcK0HMMxQhZHhTMidrIKbw/lJVBPhYa+v5guEGcevhEFhgWQxFnQfHgQsIBct+HH
-K3XLfJ+utdGdIzdjp9xCoi2SBBtQwXu4PhvJVgSLL1KbralW6cH/ralYhzC2gfeX
-RfwZVzsrb+RH9JlF/h3x+JejiB03HFyP4HYlmlD4oFT/RJB2I9IyxsOrBr/8+7/z
-rX2SYgJbKdM1o5OaQ2RgXbL6Mv87BK9NQGr5x+PvI/1ry+UPizgN7gr8/g+YnzAx
-3WxSZfmLgb4i4RxYA7qRG4kHAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
-HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqOFsmjd6LWvJPelSDGRjjCDWmujANBgkq
-hkiG9w0BAQUFAAOCAQEAPNV3PdrfibqHDAhUaiBQkr6wQT25JmSDCi/oQMCXKCeC
-MErJk/9q56YAf4lCmtYR5VPOL8zy2gXE/uJQxDqGfczafhAJO5I1KlOy/usrBdls
-XebQ79NqZp4VKIV66IIArB6nCWlWQtNoURi+VJq/REG6Sb4gumlc7rh3zc5sH62D
-lhh9DrUUOYTxKOkto557HnpyWoOzeW/vtPzQCqVYT0bf+215WfKEIlKuD8z7fDvn
-aspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocnyYh0igzyXxfkZ
-YiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw==
------END CERTIFICATE-----
-
-# fd73dad31c644ff1b43bef0ccdda96710b9cd9875eca7e31707af3e96d522bbd
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3
-        Validity
-            Not Before: Oct  1 10:29:56 2008 GMT
-            Not After : Oct  1 23:59:59 2033 GMT
-        Subject: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:bd:75:93:f0:62:22:6f:24:ae:e0:7a:76:ac:7d:
-                    bd:d9:24:d5:b8:b7:fc:cd:f0:42:e0:eb:78:88:56:
-                    5e:9b:9a:54:1d:4d:0c:8a:f6:d3:cf:70:f4:52:b5:
-                    d8:93:04:e3:46:86:71:41:4a:2b:f0:2a:2c:55:03:
-                    d6:48:c3:e0:39:38:ed:f2:5c:3c:3f:44:bc:93:3d:
-                    61:ab:4e:cd:0d:be:f0:20:27:58:0e:44:7f:04:1a:
-                    87:a5:d7:96:14:36:90:d0:49:7b:a1:75:fb:1a:6b:
-                    73:b1:f8:ce:a9:09:2c:f2:53:d5:c3:14:44:b8:86:
-                    a5:f6:8b:2b:39:da:a3:33:54:d9:fa:72:1a:f7:22:
-                    15:1c:88:91:6b:7f:66:e5:c3:6a:80:b0:24:f3:df:
-                    86:45:88:fd:19:7f:75:87:1f:1f:b1:1b:0a:73:24:
-                    5b:b9:65:e0:2c:54:c8:60:d3:66:17:3f:e1:cc:54:
-                    33:73:91:02:3a:a6:7f:7b:76:39:a2:1f:96:b6:38:
-                    ae:b5:c8:93:74:1d:9e:b9:b4:e5:60:9d:2f:56:d1:
-                    e0:eb:5e:5b:4c:12:70:0c:6c:44:20:ab:11:d8:f4:
-                    19:f6:d2:9c:52:37:e7:fa:b6:c2:31:3b:4a:d4:14:
-                    99:ad:c7:1a:f5:5d:5f:fa:07:b8:7c:0d:1f:d6:83:
-                    1e:b3
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                B5:03:F7:76:3B:61:82:6A:12:AA:18:53:EB:03:21:94:BF:FE:CE:CA
-    Signature Algorithm: sha256WithRSAEncryption
-         56:3d:ef:94:d5:bd:da:73:b2:58:be:ae:90:ad:98:27:97:fe:
-         01:b1:b0:52:00:b8:4d:e4:1b:21:74:1b:7e:c0:ee:5e:69:2a:
-         25:af:5c:d6:1d:da:d2:79:c9:f3:97:29:e0:86:87:de:04:59:
-         0f:f1:59:d4:64:85:4b:99:af:25:04:1e:c9:46:a9:97:de:82:
-         b2:1b:70:9f:9c:f6:af:71:31:dd:7b:05:a5:2c:d3:b9:ca:47:
-         f6:ca:f2:f6:e7:ad:b9:48:3f:bc:16:b7:c1:6d:f4:ea:09:af:
-         ec:f3:b5:e7:05:9e:a6:1e:8a:53:51:d6:93:81:cc:74:93:f6:
-         b9:da:a6:25:05:74:79:5a:7e:40:3e:82:4b:26:11:30:6e:e1:
-         3f:41:c7:47:00:35:d5:f5:d3:f7:54:3e:81:3d:da:49:6a:9a:
-         b3:ef:10:3d:e6:eb:6f:d1:c8:22:47:cb:cc:cf:01:31:92:d9:
-         18:e3:22:be:09:1e:1a:3e:5a:b2:e4:6b:0c:54:7a:7d:43:4e:
-         b8:89:a5:7b:d7:a2:3d:96:86:cc:f2:26:34:2d:6a:92:9d:9a:
-         1a:d0:30:e2:5d:4e:04:b0:5f:8b:20:7e:77:c1:3d:95:82:d1:
-         46:9a:3b:3c:78:b8:6f:a1:d0:0d:64:a2:78:1e:29:4e:93:c3:
-         a4:54:14:5b
------BEGIN CERTIFICATE-----
-MIIDwzCCAqugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUx
-KzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAd
-BgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
-YyBHbG9iYWxSb290IENsYXNzIDMwHhcNMDgxMDAxMTAyOTU2WhcNMzMxMDAxMjM1
-OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVtcyBFbnRlcnBy
-aXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBDZW50
-ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9dZPwYiJvJK7genasfb3ZJNW4t/zN
-8ELg63iIVl6bmlQdTQyK9tPPcPRStdiTBONGhnFBSivwKixVA9ZIw+A5OO3yXDw/
-RLyTPWGrTs0NvvAgJ1gORH8EGoel15YUNpDQSXuhdfsaa3Ox+M6pCSzyU9XDFES4
-hqX2iys52qMzVNn6chr3IhUciJFrf2blw2qAsCTz34ZFiP0Zf3WHHx+xGwpzJFu5
-ZeAsVMhg02YXP+HMVDNzkQI6pn97djmiH5a2OK61yJN0HZ65tOVgnS9W0eDrXltM
-EnAMbEQgqxHY9Bn20pxSN+f6tsIxO0rUFJmtxxr1XV/6B7h8DR/Wgx6zAgMBAAGj
-QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS1
-A/d2O2GCahKqGFPrAyGUv/7OyjANBgkqhkiG9w0BAQsFAAOCAQEAVj3vlNW92nOy
-WL6ukK2YJ5f+AbGwUgC4TeQbIXQbfsDuXmkqJa9c1h3a0nnJ85cp4IaH3gRZD/FZ
-1GSFS5mvJQQeyUapl96Cshtwn5z2r3Ex3XsFpSzTucpH9sry9uetuUg/vBa3wW30
-6gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7hP0HHRwA11fXT
-91Q+gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuIml
-e9eiPZaGzPImNC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4p
-TpPDpFQUWw==
------END CERTIFICATE-----
-
-# d43af9b35473755c9684fc06d7d8cb70ee5c28e773fb294eb41ee71722924d24
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            4f:d2:2b:8f:f5:64:c8:33:9e:4f:34:58:66:23:70:60
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C = CN, O = UniTrust, CN = UCA Extended Validation Root
-        Validity
-            Not Before: Mar 13 00:00:00 2015 GMT
-            Not After : Dec 31 00:00:00 2038 GMT
-        Subject: C = CN, O = UniTrust, CN = UCA Extended Validation Root
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:a9:09:07:28:13:02:b0:99:e0:64:aa:1e:43:16:
-                    7a:73:b1:91:a0:75:3e:a8:fa:e3:38:00:7a:ec:89:
-                    6a:20:0f:8b:c5:b0:9b:33:03:5a:86:c6:58:86:d5:
-                    c1:85:bb:4f:c6:9c:40:4d:ca:be:ee:69:96:b8:ad:
-                    81:30:9a:7c:92:05:eb:05:2b:9a:48:d0:b8:76:3e:
-                    96:c8:20:bb:d2:b0:f1:8f:d8:ac:45:46:ff:aa:67:
-                    60:b4:77:7e:6a:1f:3c:1a:52:7a:04:3d:07:3c:85:
-                    0d:84:d0:1f:76:0a:f7:6a:14:df:72:e3:34:7c:57:
-                    4e:56:01:3e:79:f1:aa:29:3b:6c:fa:f8:8f:6d:4d:
-                    c8:35:df:ae:eb:dc:24:ee:79:45:a7:85:b6:05:88:
-                    de:88:5d:25:7c:97:64:67:09:d9:bf:5a:15:05:86:
-                    f3:09:1e:ec:58:32:33:11:f3:77:64:b0:76:1f:e4:
-                    10:35:17:1b:f2:0e:b1:6c:a4:2a:a3:73:fc:09:1f:
-                    1e:32:19:53:11:e7:d9:b3:2c:2e:76:2e:a1:a3:de:
-                    7e:6a:88:09:e8:f2:07:8a:f8:b2:cd:10:e7:e2:73:
-                    40:93:bb:08:d1:3f:e1:fc:0b:94:b3:25:ef:7c:a6:
-                    d7:d1:af:9f:ff:96:9a:f5:91:7b:98:0b:77:d4:7e:
-                    e8:07:d2:62:b5:95:39:e3:f3:f1:6d:0f:0e:65:84:
-                    8a:63:54:c5:80:b6:e0:9e:4b:7d:47:26:a7:01:08:
-                    5d:d1:88:9e:d7:c3:32:44:fa:82:4a:0a:68:54:7f:
-                    38:53:03:cc:a4:00:33:64:51:59:0b:a3:82:91:7a:
-                    5e:ec:16:c2:f3:2a:e6:62:da:2a:db:59:62:10:25:
-                    4a:2a:81:0b:47:07:43:06:70:87:d2:fa:93:11:29:
-                    7a:48:4d:eb:94:c7:70:4d:af:67:d5:51:b1:80:20:
-                    01:01:b4:7a:08:a6:90:7f:4e:e0:ef:07:41:87:af:
-                    6a:a5:5e:8b:fb:cf:50:b2:9a:54:af:c3:89:ba:58:
-                    2d:f5:30:98:b1:36:72:39:7e:49:04:fd:29:a7:4c:
-                    79:e4:05:57:db:94:b9:16:53:8d:46:b3:1d:95:61:
-                    57:56:7f:af:f0:16:5b:61:58:6f:36:50:11:0b:d8:
-                    ac:2b:95:16:1a:0e:1f:08:cd:36:34:65:10:62:66:
-                    d5:80:5f:14:20:5f:2d:0c:a0:78:0a:68:d6:2c:d7:
-                    e9:6f:2b:d2:4a:05:93:fc:9e:6f:6b:67:ff:88:f1:
-                    4e:a5:69:4a:52:37:05:ea:c6:16:8d:d2:c4:99:d1:
-                    82:2b:3b:ba:35:75:f7:51:51:58:f3:c8:07:dd:e4:
-                    b4:03:7f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                D9:74:3A:E4:30:3D:0D:F7:12:DC:7E:5A:05:9F:1E:34:9A:F7:E1:14
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Digital Signature, Certificate Sign, CRL Sign
-    Signature Algorithm: sha256WithRSAEncryption
-         36:8d:97:cc:42:15:64:29:37:9b:26:2c:d6:fb:ae:15:69:2c:
-         6b:1a:1a:f7:5f:b6:f9:07:4c:59:ea:f3:c9:c8:b9:ae:cc:ba:
-         2e:7a:dc:c0:f5:b0:2d:c0:3b:af:9f:70:05:11:6a:9f:25:4f:
-         01:29:70:e3:e5:0c:e1:ea:5a:7c:dc:49:bb:c1:1e:2a:81:f5:
-         16:4b:72:91:c8:a2:31:b9:aa:da:fc:9d:1f:f3:5d:40:02:13:
-         fc:4e:1c:06:ca:b3:14:90:54:17:19:12:1a:f1:1f:d7:0c:69:
-         5a:f6:71:78:f4:94:7d:91:0b:8e:ec:90:54:8e:bc:6f:a1:4c:
-         ab:fc:74:64:fd:71:9a:f8:41:07:a1:cd:91:e4:3c:9a:e0:9b:
-         32:39:73:ab:2a:d5:69:c8:78:91:26:31:7d:e2:c7:30:f1:fc:
-         14:78:77:12:0e:13:f4:dd:16:94:bf:4b:67:7b:70:53:85:ca:
-         b0:bb:f3:38:4d:2c:90:39:c0:0d:c2:5d:6b:e9:e2:e5:d5:88:
-         8d:d6:2c:bf:ab:1b:be:b5:28:87:12:17:74:6e:fc:7d:fc:8f:
-         d0:87:26:b0:1b:fb:b9:6c:ab:e2:9e:3d:15:c1:3b:2e:67:02:
-         58:91:9f:ef:f8:42:1f:2c:b7:68:f5:75:ad:cf:b5:f6:ff:11:
-         7d:c2:f0:24:a5:ad:d3:fa:a0:3c:a9:fa:5d:dc:a5:a0:ef:44:
-         a4:be:d6:e8:e5:e4:13:96:17:7b:06:3e:32:ed:c7:b7:42:bc:
-         76:a3:d8:65:38:2b:38:35:51:21:0e:0e:6f:2e:34:13:40:e1:
-         2b:67:0c:6d:4a:41:30:18:23:5a:32:55:99:c9:17:e0:3c:de:
-         f6:ec:79:ad:2b:58:19:a2:ad:2c:22:1a:95:8e:be:96:90:5d:
-         42:57:c4:f9:14:03:35:2b:1c:2d:51:57:08:a7:3a:de:3f:e4:
-         c8:b4:03:73:c2:c1:26:80:bb:0b:42:1f:ad:0d:af:26:72:da:
-         cc:be:b3:a3:83:58:0d:82:c5:1f:46:51:e3:9c:18:cc:8d:9b:
-         8d:ec:49:eb:75:50:d5:8c:28:59:ca:74:34:da:8c:0b:21:ab:
-         1e:ea:1b:e5:c7:fd:15:3e:c0:17:aa:fb:23:6e:26:46:cb:fa:
-         f9:b1:72:6b:69:cf:22:84:0b:62:0f:ac:d9:19:00:94:a2:76:
-         3c:d4:2d:9a:ed:04:9e:2d:06:62:10:37:52:1c:85:72:1b:27:
-         e5:cc:c6:31:ec:37:ec:63:59:9b:0b:1d:76:cc:7e:32:9a:88:
-         95:08:36:52:bb:de:76:5f:76:49:49:ad:7f:bd:65:20:b2:c9:
-         c1:2b:76:18:76:9f:56:b1
------BEGIN CERTIFICATE-----
-MIIFWjCCA0KgAwIBAgIQT9Irj/VkyDOeTzRYZiNwYDANBgkqhkiG9w0BAQsFADBH
-MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNVBAMMHFVDQSBF
-eHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwHhcNMTUwMzEzMDAwMDAwWhcNMzgxMjMx
-MDAwMDAwWjBHMQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxJTAjBgNV
-BAMMHFVDQSBFeHRlbmRlZCBWYWxpZGF0aW9uIFJvb3QwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCpCQcoEwKwmeBkqh5DFnpzsZGgdT6o+uM4AHrsiWog
-D4vFsJszA1qGxliG1cGFu0/GnEBNyr7uaZa4rYEwmnySBesFK5pI0Lh2PpbIILvS
-sPGP2KxFRv+qZ2C0d35qHzwaUnoEPQc8hQ2E0B92CvdqFN9y4zR8V05WAT558aop
-O2z6+I9tTcg1367r3CTueUWnhbYFiN6IXSV8l2RnCdm/WhUFhvMJHuxYMjMR83dk
-sHYf5BA1FxvyDrFspCqjc/wJHx4yGVMR59mzLC52LqGj3n5qiAno8geK+LLNEOfi
-c0CTuwjRP+H8C5SzJe98ptfRr5//lpr1kXuYC3fUfugH0mK1lTnj8/FtDw5lhIpj
-VMWAtuCeS31HJqcBCF3RiJ7XwzJE+oJKCmhUfzhTA8ykADNkUVkLo4KRel7sFsLz
-KuZi2irbWWIQJUoqgQtHB0MGcIfS+pMRKXpITeuUx3BNr2fVUbGAIAEBtHoIppB/
-TuDvB0GHr2qlXov7z1CymlSvw4m6WC31MJixNnI5fkkE/SmnTHnkBVfblLkWU41G
-sx2VYVdWf6/wFlthWG82UBEL2KwrlRYaDh8IzTY0ZRBiZtWAXxQgXy0MoHgKaNYs
-1+lvK9JKBZP8nm9rZ/+I8U6laUpSNwXqxhaN0sSZ0YIrO7o1dfdRUVjzyAfd5LQD
-fwIDAQABo0IwQDAdBgNVHQ4EFgQU2XQ65DA9DfcS3H5aBZ8eNJr34RQwDwYDVR0T
-AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBADaN
-l8xCFWQpN5smLNb7rhVpLGsaGvdftvkHTFnq88nIua7Mui563MD1sC3AO6+fcAUR
-ap8lTwEpcOPlDOHqWnzcSbvBHiqB9RZLcpHIojG5qtr8nR/zXUACE/xOHAbKsxSQ
-VBcZEhrxH9cMaVr2cXj0lH2RC47skFSOvG+hTKv8dGT9cZr4QQehzZHkPJrgmzI5
-c6sq1WnIeJEmMX3ixzDx/BR4dxIOE/TdFpS/S2d7cFOFyrC78zhNLJA5wA3CXWvp
-4uXViI3WLL+rG761KIcSF3Ru/H38j9CHJrAb+7lsq+KePRXBOy5nAliRn+/4Qh8s
-t2j1da3Ptfb/EX3C8CSlrdP6oDyp+l3cpaDvRKS+1ujl5BOWF3sGPjLtx7dCvHaj
-2GU4Kzg1USEODm8uNBNA4StnDG1KQTAYI1oyVZnJF+A83vbsea0rWBmirSwiGpWO
-vpaQXUJXxPkUAzUrHC1RVwinOt4/5Mi0A3PCwSaAuwtCH60NryZy2sy+s6ODWA2C
-xR9GUeOcGMyNm43sSet1UNWMKFnKdDTajAshqx7qG+XH/RU+wBeq+yNuJkbL+vmx
-cmtpzyKEC2IPrNkZAJSidjzULZrtBJ4tBmIQN1IchXIbJ+XMxjHsN+xjWZsLHXbM
-fjKaiJUINlK73nZfdklJrX+9ZSCyycErdhh2n1ax
------END CERTIFICATE-----
-
-# 4ff460d54b9c86dabfbcfc5712e0400d2bed3fbc4d4fbdaa86e06adcd2a9ad7a
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
-    Signature Algorithm: ecdsa-with-SHA384
-        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
-        Validity
-            Not Before: Feb  1 00:00:00 2010 GMT
-            Not After : Jan 18 23:59:59 2038 GMT
-        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: id-ecPublicKey
-                Public-Key: (384 bit)
-                pub: 
-                    04:1a:ac:54:5a:a9:f9:68:23:e7:7a:d5:24:6f:53:
-                    c6:5a:d8:4b:ab:c6:d5:b6:d1:e6:73:71:ae:dd:9c:
-                    d6:0c:61:fd:db:a0:89:03:b8:05:14:ec:57:ce:ee:
-                    5d:3f:e2:21:b3:ce:f7:d4:8a:79:e0:a3:83:7e:2d:
-                    97:d0:61:c4:f1:99:dc:25:91:63:ab:7f:30:a3:b4:
-                    70:e2:c7:a1:33:9c:f3:bf:2e:5c:53:b1:5f:b3:7d:
-                    32:7f:8a:34:e3:79:79
-                ASN1 OID: secp384r1
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                3A:E1:09:86:D4:CF:19:C2:96:76:74:49:76:DC:E0:35:C6:63:63:9A
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: ecdsa-with-SHA384
-         30:65:02:30:36:67:a1:16:08:dc:e4:97:00:41:1d:4e:be:e1:
-         63:01:cf:3b:aa:42:11:64:a0:9d:94:39:02:11:79:5c:7b:1d:
-         fa:64:b9:ee:16:42:b3:bf:8a:c2:09:c4:ec:e4:b1:4d:02:31:
-         00:e9:2a:61:47:8c:52:4a:4b:4e:18:70:f6:d6:44:d6:6e:f5:
-         83:ba:6d:58:bd:24:d9:56:48:ea:ef:c4:a2:46:81:88:6a:3a:
-         46:d1:a9:9b:4d:c9:61:da:d1:5d:57:6a:18
------BEGIN CERTIFICATE-----
-MIICjzCCAhWgAwIBAgIQXIuZxVqUxdJxVt7NiYDMJjAKBggqhkjOPQQDAzCBiDEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNl
-eSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMT
-JVVTRVJUcnVzdCBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMjAx
-MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
-Ck5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVUaGUg
-VVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBFQ0MgQ2VydGlm
-aWNhdGlvbiBBdXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQarFRaqflo
-I+d61SRvU8Za2EurxtW20eZzca7dnNYMYf3boIkDuAUU7FfO7l0/4iGzzvfUinng
-o4N+LZfQYcTxmdwlkWOrfzCjtHDix6EznPO/LlxTsV+zfTJ/ijTjeXmjQjBAMB0G
-A1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1xmNjmjAOBgNVHQ8BAf8EBAMCAQYwDwYD
-VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjA2Z6EWCNzklwBBHU6+4WMB
-zzuqQhFkoJ2UOQIReVx7Hfpkue4WQrO/isIJxOzksU0CMQDpKmFHjFJKS04YcPbW
-RNZu9YO6bVi9JNlWSOrvxKJGgYhqOkbRqZtNyWHa0V1Xahg=
------END CERTIFICATE-----
-
-# e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
-    Signature Algorithm: sha384WithRSAEncryption
-        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
-        Validity
-            Not Before: Feb  1 00:00:00 2010 GMT
-            Not After : Jan 18 23:59:59 2038 GMT
-        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (4096 bit)
-                Modulus:
-                    00:80:12:65:17:36:0e:c3:db:08:b3:d0:ac:57:0d:
-                    76:ed:cd:27:d3:4c:ad:50:83:61:e2:aa:20:4d:09:
-                    2d:64:09:dc:ce:89:9f:cc:3d:a9:ec:f6:cf:c1:dc:
-                    f1:d3:b1:d6:7b:37:28:11:2b:47:da:39:c6:bc:3a:
-                    19:b4:5f:a6:bd:7d:9d:a3:63:42:b6:76:f2:a9:3b:
-                    2b:91:f8:e2:6f:d0:ec:16:20:90:09:3e:e2:e8:74:
-                    c9:18:b4:91:d4:62:64:db:7f:a3:06:f1:88:18:6a:
-                    90:22:3c:bc:fe:13:f0:87:14:7b:f6:e4:1f:8e:d4:
-                    e4:51:c6:11:67:46:08:51:cb:86:14:54:3f:bc:33:
-                    fe:7e:6c:9c:ff:16:9d:18:bd:51:8e:35:a6:a7:66:
-                    c8:72:67:db:21:66:b1:d4:9b:78:03:c0:50:3a:e8:
-                    cc:f0:dc:bc:9e:4c:fe:af:05:96:35:1f:57:5a:b7:
-                    ff:ce:f9:3d:b7:2c:b6:f6:54:dd:c8:e7:12:3a:4d:
-                    ae:4c:8a:b7:5c:9a:b4:b7:20:3d:ca:7f:22:34:ae:
-                    7e:3b:68:66:01:44:e7:01:4e:46:53:9b:33:60:f7:
-                    94:be:53:37:90:73:43:f3:32:c3:53:ef:db:aa:fe:
-                    74:4e:69:c7:6b:8c:60:93:de:c4:c7:0c:df:e1:32:
-                    ae:cc:93:3b:51:78:95:67:8b:ee:3d:56:fe:0c:d0:
-                    69:0f:1b:0f:f3:25:26:6b:33:6d:f7:6e:47:fa:73:
-                    43:e5:7e:0e:a5:66:b1:29:7c:32:84:63:55:89:c4:
-                    0d:c1:93:54:30:19:13:ac:d3:7d:37:a7:eb:5d:3a:
-                    6c:35:5c:db:41:d7:12:da:a9:49:0b:df:d8:80:8a:
-                    09:93:62:8e:b5:66:cf:25:88:cd:84:b8:b1:3f:a4:
-                    39:0f:d9:02:9e:eb:12:4c:95:7c:f3:6b:05:a9:5e:
-                    16:83:cc:b8:67:e2:e8:13:9d:cc:5b:82:d3:4c:b3:
-                    ed:5b:ff:de:e5:73:ac:23:3b:2d:00:bf:35:55:74:
-                    09:49:d8:49:58:1a:7f:92:36:e6:51:92:0e:f3:26:
-                    7d:1c:4d:17:bc:c9:ec:43:26:d0:bf:41:5f:40:a9:
-                    44:44:f4:99:e7:57:87:9e:50:1f:57:54:a8:3e:fd:
-                    74:63:2f:b1:50:65:09:e6:58:42:2e:43:1a:4c:b4:
-                    f0:25:47:59:fa:04:1e:93:d4:26:46:4a:50:81:b2:
-                    de:be:78:b7:fc:67:15:e1:c9:57:84:1e:0f:63:d6:
-                    e9:62:ba:d6:5f:55:2e:ea:5c:c6:28:08:04:25:39:
-                    b8:0e:2b:a9:f2:4c:97:1c:07:3f:0d:52:f5:ed:ef:
-                    2f:82:0f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-    Signature Algorithm: sha384WithRSAEncryption
-         5c:d4:7c:0d:cf:f7:01:7d:41:99:65:0c:73:c5:52:9f:cb:f8:
-         cf:99:06:7f:1b:da:43:15:9f:9e:02:55:57:96:14:f1:52:3c:
-         27:87:94:28:ed:1f:3a:01:37:a2:76:fc:53:50:c0:84:9b:c6:
-         6b:4e:ba:8c:21:4f:a2:8e:55:62:91:f3:69:15:d8:bc:88:e3:
-         c4:aa:0b:fd:ef:a8:e9:4b:55:2a:06:20:6d:55:78:29:19:ee:
-         5f:30:5c:4b:24:11:55:ff:24:9a:6e:5e:2a:2b:ee:0b:4d:9f:
-         7f:f7:01:38:94:14:95:43:07:09:fb:60:a9:ee:1c:ab:12:8c:
-         a0:9a:5e:a7:98:6a:59:6d:8b:3f:08:fb:c8:d1:45:af:18:15:
-         64:90:12:0f:73:28:2e:c5:e2:24:4e:fc:58:ec:f0:f4:45:fe:
-         22:b3:eb:2f:8e:d2:d9:45:61:05:c1:97:6f:a8:76:72:8f:8b:
-         8c:36:af:bf:0d:05:ce:71:8d:e6:a6:6f:1f:6c:a6:71:62:c5:
-         d8:d0:83:72:0c:f1:67:11:89:0c:9c:13:4c:72:34:df:bc:d5:
-         71:df:aa:71:dd:e1:b9:6c:8c:3c:12:5d:65:da:bd:57:12:b6:
-         43:6b:ff:e5:de:4d:66:11:51:cf:99:ae:ec:17:b6:e8:71:91:
-         8c:de:49:fe:dd:35:71:a2:15:27:94:1c:cf:61:e3:26:bb:6f:
-         a3:67:25:21:5d:e6:dd:1d:0b:2e:68:1b:3b:82:af:ec:83:67:
-         85:d4:98:51:74:b1:b9:99:80:89:ff:7f:78:19:5c:79:4a:60:
-         2e:92:40:ae:4c:37:2a:2c:c9:c7:62:c8:0e:5d:f7:36:5b:ca:
-         e0:25:25:01:b4:dd:1a:07:9c:77:00:3f:d0:dc:d5:ec:3d:d4:
-         fa:bb:3f:cc:85:d6:6f:7f:a9:2d:df:b9:02:f7:f5:97:9a:b5:
-         35:da:c3:67:b0:87:4a:a9:28:9e:23:8e:ff:5c:27:6b:e1:b0:
-         4f:f3:07:ee:00:2e:d4:59:87:cb:52:41:95:ea:f4:47:d7:ee:
-         64:41:55:7c:8d:59:02:95:dd:62:9d:c2:b9:ee:5a:28:74:84:
-         a5:9b:b7:90:c7:0c:07:df:f5:89:36:74:32:d6:28:c1:b0:b0:
-         0b:e0:9c:4c:c3:1c:d6:fc:e3:69:b5:47:46:81:2f:a2:82:ab:
-         d3:63:44:70:c4:8d:ff:2d:33:ba:ad:8f:7b:b5:70:88:ae:3e:
-         19:cf:40:28:d8:fc:c8:90:bb:5d:99:22:f5:52:e6:58:c5:1f:
-         88:31:43:ee:88:1d:d7:c6:8e:3c:43:6a:1d:a7:18:de:7d:3d:
-         16:f1:62:f9:ca:90:a8:fd
------BEGIN CERTIFICATE-----
-MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
-iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
-cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
-BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
-MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
-BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
-aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
-dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
-AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
-3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
-tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
-Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
-VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
-79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
-c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
-Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
-c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
-UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
-Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
-BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
-A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
-Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
-VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
-ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
-8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
-iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
-Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
-XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
-qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
-VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
-L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
-jjxDah2nGN59PRbxYvnKkKj9
------END CERTIFICATE-----
-
-# cecddc905099d8dadfc5b1d209b737cbe2c18cfb2c10c0ff0bcf0d3286fc1aa2
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
-        Validity
-            Not Before: Nov  1 17:14:04 2004 GMT
-            Not After : Jan  1 05:37:19 2035 GMT
-        Subject: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:98:24:1e:bd:15:b4:ba:df:c7:8c:a5:27:b6:38:
-                    0b:69:f3:b6:4e:a8:2c:2e:21:1d:5c:44:df:21:5d:
-                    7e:23:74:fe:5e:7e:b4:4a:b7:a6:ad:1f:ae:e0:06:
-                    16:e2:9b:5b:d9:67:74:6b:5d:80:8f:29:9d:86:1b:
-                    d9:9c:0d:98:6d:76:10:28:58:e4:65:b0:7f:4a:98:
-                    79:9f:e0:c3:31:7e:80:2b:b5:8c:c0:40:3b:11:86:
-                    d0:cb:a2:86:36:60:a4:d5:30:82:6d:d9:6e:d0:0f:
-                    12:04:33:97:5f:4f:61:5a:f0:e4:f9:91:ab:e7:1d:
-                    3b:bc:e8:cf:f4:6b:2d:34:7c:e2:48:61:1c:8e:f3:
-                    61:44:cc:6f:a0:4a:a9:94:b0:4d:da:e7:a9:34:7a:
-                    72:38:a8:41:cc:3c:94:11:7d:eb:c8:a6:8c:b7:86:
-                    cb:ca:33:3b:d9:3d:37:8b:fb:7a:3e:86:2c:e7:73:
-                    d7:0a:57:ac:64:9b:19:eb:f4:0f:04:08:8a:ac:03:
-                    17:19:64:f4:5a:25:22:8d:34:2c:b2:f6:68:1d:12:
-                    6d:d3:8a:1e:14:da:c4:8f:a6:e2:23:85:d5:7a:0d:
-                    bd:6a:e0:e9:ec:ec:17:bb:42:1b:67:aa:25:ed:45:
-                    83:21:fc:c1:c9:7c:d5:62:3e:fa:f2:c5:2d:d3:fd:
-                    d4:65
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            1.3.6.1.4.1.311.20.2: 
-                ...C.A
-            X509v3 Key Usage: 
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier: 
-                C6:4F:A2:3D:06:63:84:09:9C:CE:62:E4:04:AC:8D:5C:B5:E9:B6:1B
-            X509v3 CRL Distribution Points: 
-
-                Full Name:
-                  URI:http://crl.xrampsecurity.com/XGCA.crl
-
-            1.3.6.1.4.1.311.21.1: 
-                ...
-    Signature Algorithm: sha1WithRSAEncryption
-         91:15:39:03:01:1b:67:fb:4a:1c:f9:0a:60:5b:a1:da:4d:97:
-         62:f9:24:53:27:d7:82:64:4e:90:2e:c3:49:1b:2b:9a:dc:fc:
-         a8:78:67:35:f1:1d:f0:11:bd:b7:48:e3:10:f6:0d:df:3f:d2:
-         c9:b6:aa:55:a4:48:ba:02:db:de:59:2e:15:5b:3b:9d:16:7d:
-         47:d7:37:ea:5f:4d:76:12:36:bb:1f:d7:a1:81:04:46:20:a3:
-         2c:6d:a9:9e:01:7e:3f:29:ce:00:93:df:fd:c9:92:73:89:89:
-         64:9e:e7:2b:e4:1c:91:2c:d2:b9:ce:7d:ce:6f:31:99:d3:e6:
-         be:d2:1e:90:f0:09:14:79:5c:23:ab:4d:d2:da:21:1f:4d:99:
-         79:9d:e1:cf:27:9f:10:9b:1c:88:0d:b0:8a:64:41:31:b8:0e:
-         6c:90:24:a4:9b:5c:71:8f:ba:bb:7e:1c:1b:db:6a:80:0f:21:
-         bc:e9:db:a6:b7:40:f4:b2:8b:a9:b1:e4:ef:9a:1a:d0:3d:69:
-         99:ee:a8:28:a3:e1:3c:b3:f0:b2:11:9c:cf:7c:40:e6:dd:e7:
-         43:7d:a2:d8:3a:b5:a9:8d:f2:34:99:c4:d4:10:e1:06:fd:09:
-         84:10:3b:ee:c4:4c:f4:ec:27:7c:42:c2:74:7c:82:8a:09:c9:
-         b4:03:25:bc
------BEGIN CERTIFICATE-----
-MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB
-gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk
-MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY
-UmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcx
-NDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3
-dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2Vy
-dmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB
-dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS6
-38eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCP
-KZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt2W7Q
-DxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4
-qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRa
-JSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNVi
-PvryxS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P
-BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASs
-jVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0
-eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQAD
-ggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc/Kh4ZzXxHfAR
-vbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt
-qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLa
-IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy
-i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ
-O+7ETPTsJ3xCwnR8gooJybQDJbw=
------END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/ev_roots/ev_roots.textproto b/chromium/net/data/ssl/ev_roots/ev_roots.textproto
deleted file mode 100644
index d52ed0d2ca1..00000000000
--- a/chromium/net/data/ssl/ev_roots/ev_roots.textproto
+++ /dev/null
@@ -1,572 +0,0 @@
-# Copyright 2021 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# Actalis Authentication Root CA
-# https://ssltest-a.actalis.it:8443
-trust_anchors {
-  sha256_hex: "55926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066"
-  ev_policy_oids: "1.3.159.1.17.1"
-}
-
-# AffirmTrust Commercial
-# https://commercial.affirmtrust.com/
-trust_anchors {
-  sha256_hex: "0376ab1d54c5f9803ce4b2e201a0ee7eef7b57b636e8a93c9b8d4860c96f5fa7"
-  ev_policy_oids: "1.3.6.1.4.1.34697.2.1"
-}
-
-# AffirmTrust Networking
-# https://networking.affirmtrust.com:4431
-trust_anchors {
-  sha256_hex: "0a81ec5a929777f145904af38d5d509f66b5e2c58fcdb531058b0e17f3f0b41b"
-  ev_policy_oids: "1.3.6.1.4.1.34697.2.2"
-}
-
-# AffirmTrust Premium
-# https://premium.affirmtrust.com:4432/
-trust_anchors {
-  sha256_hex: "70a73f7f376b60074248904534b11482d5bf0e698ecc498df52577ebf2e93b9a"
-  ev_policy_oids: "1.3.6.1.4.1.34697.2.3"
-}
-
-# AffirmTrust Premium ECC
-# https://premiumecc.affirmtrust.com:4433/
-trust_anchors {
-  sha256_hex: "bd71fdf6da97e4cf62d1647add2581b07d79adf8397eb4ecba9c5e8488821423"
-  ev_policy_oids: "1.3.6.1.4.1.34697.2.4"
-}
-
-# Amazon Root CA 1
-# https://good.sca1a.amazontrust.com/
-trust_anchors {
-  sha256_hex: "8ecde6884f3d87b1125ba31ac3fcb13d7016de7f57cc904fe1cb97c6ae98196e"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Amazon Root CA 2
-# https://good.sca2a.amazontrust.com/
-trust_anchors {
-  sha256_hex: "1ba5b2aa8c65401a82960118f80bec4f62304d83cec4713a19c39c011ea46db4"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Amazon Root CA 3
-# https://good.sca3a.amazontrust.com/
-trust_anchors {
-  sha256_hex: "18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Amazon Root CA 4
-# https://good.sca4a.amazontrust.com/
-trust_anchors {
-  sha256_hex: "e35d28419ed02025cfa69038cd623962458da5c695fbdea3c22b0bfb25897092"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Autoridad de Certificacion Firmaprofesional CIF A62634068
-# https://publifirma.firmaprofesional.com/
-trust_anchors {
-  sha256_hex: "04048028bf1f2864d48f9ad4d83294366a828856553f3b14303f90147f5d40ef"
-  ev_policy_oids: "1.3.6.1.4.1.13177.10.1.3.10"
-}
-
-# Baltimore CyberTrust Root
-# https://secure.omniroot.com/repository/
-trust_anchors {
-  sha256_hex: "16af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb"
-  ev_policy_oids: "1.3.6.1.4.1.6334.1.100.1"
-}
-
-# Buypass Class 3 Root CA
-# https://valid.evident.ca23.ssl.buypass.no/
-trust_anchors {
-  sha256_hex: "edf7ebbca27a2a384d387b7d4010c666e2edb4843e4c29b4ae1d5b9332e6b24d"
-  ev_policy_oids: "2.16.578.1.26.1.3.3"
-}
-
-# certSIGN ROOT CA G2
-# https://testssl-valid-evcp.certsign.ro/
-trust_anchors {
-  sha256_hex: "657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Certum Trusted Network CA
-# https://juice.certum.pl/
-trust_anchors {
-  sha256_hex: "5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e"
-  ev_policy_oids: "1.2.616.1.113527.2.5.1.1"
-}
-
-# CFCA EV ROOT
-# https://www.erenepu.com/
-trust_anchors {
-  sha256_hex: "5cc3d78e4e1d5e45547a04e6873e64f90cf9536d1ccc2ef800f355c4c5fd70fd"
-  ev_policy_oids: "2.16.156.112554.3"
-}
-
-# COMODO Certification Authority
-# https://secure.comodo.com/
-trust_anchors {
-  sha256_hex: "0c2cd63df7806fa399ede809116b575bf87989f06518f9808c860503178baf66"
-
-  ev_policy_oids: "1.3.6.1.4.1.6449.1.2.1.5.1"
-}
-
-# COMODO Certification Authority (reissued certificate with NotBefore of
-# Jan 1 00:00:00 2011 GMT)
-# https://secure.comodo.com/
-trust_anchors {
-  sha256_hex: "1a0d20445de5ba1862d19ef880858cbce50102b36e8f0a040c3c69e74522fe6e"
-
-  ev_policy_oids: "1.3.6.1.4.1.6449.1.2.1.5.1"
-}
-
-# COMODO ECC Certification Authority
-# https://comodoecccertificationauthority-ev.comodoca.com/
-trust_anchors {
-  sha256_hex: "1793927a0614549789adce2f8f34f7f0b66d0f3ae3a3b84d21ec15dbba4fadc7"
-
-  ev_policy_oids: "1.3.6.1.4.1.6449.1.2.1.5.1"
-}
-
-# COMODO RSA Certification Authority
-# https://comodorsacertificationauthority-ev.comodoca.com/
-trust_anchors {
-  sha256_hex: "52f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234"
-
-  ev_policy_oids: "1.3.6.1.4.1.6449.1.2.1.5.1"
-}
-
-# DigiCert Assured ID Root CA
-# https://assured-id-root-ca.chain-demos.digicert.com/
-trust_anchors {
-  sha256_hex: "3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c"
-
-  ev_policy_oids: "2.16.840.1.114412.2.1"
-}
-
-# DigiCert Assured ID Root G2
-# https://assured-id-root-g2.chain-demos.digicert.com/
-trust_anchors {
-  sha256_hex: "7d05ebb682339f8c9451ee094eebfefa7953a114edb2f44949452fab7d2fc185"
-
-  ev_policy_oids: "2.16.840.1.114412.2.1"
-}
-
-# DigiCert Assured ID Root G3
-# https://assured-id-root-g3.chain-demos.digicert.com/
-trust_anchors {
-  sha256_hex: "7e37cb8b4c47090cab36551ba6f45db840680fba166a952db100717f43053fc2"
-
-  ev_policy_oids: "2.16.840.1.114412.2.1"
-}
-
-# DigiCert Global Root CA
-# https://global-root-ca.chain-demos.digicert.com/
-trust_anchors {
-  sha256_hex: "4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161"
-
-  ev_policy_oids: "2.16.840.1.114412.2.1"
-}
-
-# DigiCert Global Root G2
-# https://global-root-g2.chain-demos.digicert.com/
-trust_anchors {
-  sha256_hex: "cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f"
-
-  ev_policy_oids: "2.16.840.1.114412.2.1"
-}
-
-# DigiCert Global Root G3
-# https://global-root-g3.chain-demos.digicert.com/
-trust_anchors {
-  sha256_hex: "31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0"
-
-  ev_policy_oids: "2.16.840.1.114412.2.1"
-}
-
-# DigiCert High Assurance EV Root CA
-# https://www.digicert.com
-trust_anchors {
-  sha256_hex: "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf"
-
-  ev_policy_oids: "2.16.840.1.114412.2.1"
-}
-
-# DigiCert Trusted Root G4
-# https://trusted-root-g4.chain-demos.digicert.com/
-trust_anchors {
-  sha256_hex: "552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988"
-
-  ev_policy_oids: "2.16.840.1.114412.2.1"
-}
-
-# D-TRUST Root Class 3 CA 2 EV 2009
-# https://certdemo-ev-valid.ssl.d-trust.net/
-trust_anchors {
-  sha256_hex: "eec5496b988ce98625b934092eec2908bed0b0f316c2d4730c84eaf1f3d34881"
-
-  ev_policy_oids: "1.3.6.1.4.1.4788.2.202.1"
-}
-
-# emSign Root CA - G1
-# https://testevg1.emsign.com/
-trust_anchors {
-  sha256_hex: "40f6af0346a99aa1cd1d555a4e9cce62c7f9634603ee406615833dc8c8d00367"
-
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Entrust Root Certification Authority
-# https://www.entrust.net/
-trust_anchors {
-  sha256_hex: "73c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c"
-
-  ev_policy_oids: "2.16.840.1.114028.10.1.2"
-}
-
-# Entrust Root Certification Authority – G2
-# https://validg2.entrust.net
-trust_anchors {
-  sha256_hex: "43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339"
-
-  ev_policy_oids: "2.16.840.1.114028.10.1.2"
-}
-
-# Entrust Root Certification Authority - G4
-# https://validg4.entrust.net
-trust_anchors {
-  sha256_hex: "db3517d1f6732a2d5ab97c533ec70779ee3270a62fb4ac4238372460e6f01e88"
-  ev_policy_oids: "2.16.840.1.114028.10.1.2"
-}
-
-# Entrust Root Certification Authority – EC1
-# https://validec.entrust.net
-trust_anchors {
-  sha256_hex: "02ed0eb28c14da45165c566791700d6451d7fb56f0b2ab1d3b8eb070e56edff5"
-
-  ev_policy_oids: "2.16.840.1.114028.10.1.2"
-}
-
-# E-Tugra Certification Authority
-# https://sslev.e-tugra.com.tr
-trust_anchors {
-  sha256_hex: "b0bfd52bb0d7d9bd92bf5d4dc13da255c02c542f378365ea893911f55e55f23c"
-
-  ev_policy_oids: "2.16.792.3.0.4.1.1.4"
-}
-
-# GlobalSign Root CA
-trust_anchors {
-  sha256_hex: "ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99"
-
-  ev_policy_oids: "1.3.6.1.4.1.4146.1.1"
-}
-
-# GlobalSign Root CA - R3
-# https://2029.globalsign.com/
-trust_anchors {
-  sha256_hex: "cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b"
-
-  ev_policy_oids: "1.3.6.1.4.1.4146.1.1"
-}
-
-# GlobalSign ECC Root CA - R5
-# https://2038r5.globalsign.com/
-trust_anchors {
-  sha256_hex: "179fbc148a3dd00fd24ea13458cc43bfa7f59c8182d783a513f6ebec100c8924"
-
-  ev_policy_oids: "1.3.6.1.4.1.4146.1.1"
-}
-
-# GLOBALTRUST 2020
-# https://testok-2020-server-qualified-ev-1.e-monitoring.at/
-trust_anchors {
-  sha256_hex: "9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Go Daddy Class 2 Certification Authority
-# https://www.godaddy.com/
-trust_anchors {
-  sha256_hex: "c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4"
-
-  ev_policy_oids: "2.16.840.1.114413.1.7.23.3"
-}
-
-# Go Daddy Root Certificate Authority - G2
-# https://valid.gdig2.catest.godaddy.com/
-trust_anchors {
-  sha256_hex: "45140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda"
-
-  ev_policy_oids: "2.16.840.1.114413.1.7.23.3"
-}
-
-# HARICA TLS ECC Root CA 2021
-# https://tls-ecc-valid-ev.root2021.harica.gr
-trust_anchors {
-  sha256_hex: "3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# HARICA TLS RSA Root CA 2021
-# https://tls-rsa-valid-ev.root2021.harica.gr
-trust_anchors {
-  sha256_hex: "d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Hellenic Academic and Research Institutions ECC RootCA 2015
-# https://haricaeccrootca2015-valid-ev.harica.gr
-trust_anchors {
-  sha256_hex: "44b545aa8a25e65a73ca15dc27fc36d24c1cb9953a066539b11582dc487b4833"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Hellenic Academic and Research Institutions RootCA 2015
-# https://haricarootca2015-valid-ev.harica.gr
-trust_anchors {
-  sha256_hex: "a040929a02ce53b4acf4f2ffc6981ce4496f755e6d45fe0b2a692bcd52523f36"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Hongkong Post Root CA 3
-# https://valid-ev.ecert.gov.hk/
-trust_anchors {
-  sha256_hex: "5a2fc03f0c83b090bbfa40604b0988446c7636183df9846e17101a447fb8efd6"
-
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# IdenTrust Commercial Root CA 1
-# https://identrust-commercial-ev-valid.identrustssl.com/
-trust_anchors {
-  sha256_hex: "5d56499be4d2e08bcfcad08a3e38723d50503bde706948e42f55603019e528ae"
-  ev_policy_oids: "2.23.140.1.1"
-  ev_policy_oids: "2.16.840.1.113839.0.6.9"
-}
-
-# Izenpe.com - SHA256 root
-# The first OID is for businesses and the second for government entities.
-# These are the test sites, respectively:
-# https://servicios.izenpe.com
-# https://servicios1.izenpe.com
-trust_anchors {
-  sha256_hex: "2530cc8e98321502bad96f9b1fba1b099e2d299e0f4548bb914f363bc0d4531f"
-
-  ev_policy_oids: "1.3.6.1.4.1.14777.6.1.1",
-  ev_policy_oids: "1.3.6.1.4.1.14777.6.1.2"
-}
-
-# Izenpe.com - SHA1 root
-# Windows XP finds this, SHA1, root instead. The policy OIDs are the same
-# as for the SHA256 root, above.
-trust_anchors {
-  sha256_hex: "23804203ca45d8cde716b8c13bf3b448457fa06cc10250997fa01458317c41e5"
-
-  ev_policy_oids: "1.3.6.1.4.1.14777.6.1.1"
-  ev_policy_oids: "1.3.6.1.4.1.14777.6.1.2"
-}
-
-# LuxTrust Global Root 2
-# https://ltsslca5.trustme.lu/
-trust_anchors {
-  sha256_hex: "54455f7129c20b1447c418f997168f24c58fc5023bf5da5be2eb6e1dd8902ed5"
-
-  ev_policy_oids: "1.3.171.1.1.10.5.2"
-}
-
-# NetLock Arany (Class Gold) Főtanúsítvány
-# https://valid.ev.tanusitvany.hu
-trust_anchors {
-  sha256_hex: "6c61dac3a2def031506be036d2a6fe401994fbd13df9c8d466599274c446ec98"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Network Solutions Certificate Authority
-# https://www.networksolutions.com/website-packages/index.jsp
-trust_anchors {
-  sha256_hex: "15f0ba00a3ac7af3ac884c072b1011a077bd77c097f40164b2f8598abd83860c"
-
-  ev_policy_oids: "1.3.6.1.4.1.782.1.2.1.8.1"
-}
-
-# Network Solutions Certificate Authority (reissued certificate with
-# NotBefore of Jan  1 00:00:00 2011 GMT).
-# https://www.networksolutions.com/website-packages/index.jsp
-trust_anchors {
-  sha256_hex: "001686cd181f83a1b1217d305b365c41e3470a78a1d37b134a98cd547b92dab3"
-
-  ev_policy_oids: "1.3.6.1.4.1.782.1.2.1.8.1"
-}
-
-# OISTE WISeKey Global Root GB CA
-# https://goodevssl.wisekey.com
-trust_anchors {
-  sha256_hex: "6b9c08e86eb0f767cfad65cd98b62149e5494a67f5845e7bd1ed019f27b86bd6"
-
-  ev_policy_oids: "2.16.756.5.14.7.4.8"
-}
-
-# QuoVadis Root CA 2
-# https://www.quovadis.bm/
-trust_anchors {
-  sha256_hex: "85a0dd7dd720adb7ff05f83d542b209dc7ff4528f7d677b18389fea5e5c49e86"
-
-  ev_policy_oids: "1.3.6.1.4.1.8024.0.2.100.1.2"
-}
-
-# QuoVadis Root CA 2 G3
-# https://evsslicag3-v.quovadisglobal.com/
-trust_anchors {
-  sha256_hex: "8fe4fb0af93a4d0d67db0bebb23e37c71bf325dcbcdd240ea04daf58b47e1840"
-
-  ev_policy_oids: "1.3.6.1.4.1.8024.0.2.100.1.2"
-}
-
-# SecureTrust CA, SecureTrust Corporation
-# https://www.securetrust.com
-# https://www.trustwave.com/
-trust_anchors {
-  sha256_hex: "f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d73"
-
-  ev_policy_oids: "2.16.840.1.114404.1.1.2.4.1"
-}
-
-# Secure Global CA, SecureTrust Corporation
-trust_anchors {
-  sha256_hex: "4200f5043ac8590ebb527d209ed1503029fbcbd41ca1b506ec27f15ade7dac69"
-
-  ev_policy_oids: "2.16.840.1.114404.1.1.2.4.1"
-}
-
-# Security Communication RootCA1
-# https://www.secomtrust.net/contact/form.html
-trust_anchors {
-  sha256_hex: "e75e72ed9f560eec6eb4800073a43fc3ad19195a392282017895974a99026b6c"
-
-  ev_policy_oids: "1.2.392.200091.100.721.1"
-}
-
-# Security Communication EV RootCA2
-# https://www.secomtrust.net/contact/form.html
-trust_anchors {
-  sha256_hex: "513b2cecb810d4cde5dd85391adfc6c2dd60d87bb736d2b521484aa47a0ebef6"
-
-  ev_policy_oids: "1.2.392.200091.100.721.1"
-}
-
-# SSL.com EV Root Certification Authority ECC
-# https://test-ev-ecc.ssl.com/
-trust_anchors {
-  sha256_hex: "22a2c1f7bded704cc1e701b5f408c310880fe956b5de2a4a44f99c873a25a7c8"
-
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# SSL.com EV Root Certification Authority RSA R2
-# https://test-ev-rsa.ssl.com/
-trust_anchors {
-  sha256_hex: "2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c"
-
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# Staat der Nederlanden EV Root CA
-# https://pkioevssl-v.quovadisglobal.com/
-trust_anchors {
-  sha256_hex: "4d2491414cfe956746ec4cefa6cf6f72e28a1329432f9d8a907ac4cb5dadc15a"
-
-  ev_policy_oids: "2.16.528.1.1003.1.2.7"
-}
-
-# Starfield Class 2 Certification Authority
-# https://www.starfieldtech.com/
-trust_anchors {
-  sha256_hex: "1465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658"
-
-  ev_policy_oids: "2.16.840.1.114414.1.7.23.3"
-}
-
-# Starfield Root Certificate Authority - G2
-# https://valid.sfig2.catest.starfieldtech.com/
-trust_anchors {
-  sha256_hex: "2ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f5"
-
-  ev_policy_oids: "2.16.840.1.114414.1.7.23.3"
-}
-
-# Starfield Services Root Certificate Authority - G2
-# https://valid.sfsg2.catest.starfieldtech.com/
-trust_anchors {
-  sha256_hex: "568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5"
-
-  ev_policy_oids: "2.16.840.1.114414.1.7.24.3"
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# SwissSign Gold CA - G2
-# https://testevg2.swisssign.net/
-trust_anchors {
-  sha256_hex: "62dd0be9b9f50a163ea0f8e75c053b1eca57ea55c8688f647c6881f2c8357b95"
-
-  ev_policy_oids: "2.16.756.1.89.1.2.1.1"
-}
-
-# TWCA Global Root CA
-# https://evssldemo3.twca.com.tw/index.html
-trust_anchors {
-  sha256_hex: "59769007f7685d0fcd50872f9f95d5755a5b2b457d81f3692b610a98672f0e1b"
-
-  ev_policy_oids: "1.3.6.1.4.1.40869.1.1.22.3"
-}
-
-# TWCA Root Certification Authority
-# https://evssldemo.twca.com.tw/index.html
-trust_anchors {
-  sha256_hex: "bfd88fe1101c41ae3e801bf8be56350ee9bad1a6b9bd515edc5c6d5b8711ac44"
-
-  ev_policy_oids: "1.3.6.1.4.1.40869.1.1.22.3"
-}
-
-# T-TeleSec GlobalRoot Class 3
-# http://www.telesec.de/ / https://root-class3.test.telesec.de/
-trust_anchors {
-  sha256_hex: "fd73dad31c644ff1b43bef0ccdda96710b9cd9875eca7e31707af3e96d522bbd"
-
-  ev_policy_oids: "1.3.6.1.4.1.7879.13.24.1"
-}
-
-# UCA Extended Validation Root
-# https://rsaevg1.good.sheca.com/
-trust_anchors {
-  sha256_hex: "d43af9b35473755c9684fc06d7d8cb70ee5c28e773fb294eb41ee71722924d24"
-
-  ev_policy_oids: "2.23.140.1.1"
-}
-
-# USERTrust ECC Certification Authority
-# https://usertrustecccertificationauthority-ev.comodoca.com/
-trust_anchors {
-  sha256_hex: "4ff460d54b9c86dabfbcfc5712e0400d2bed3fbc4d4fbdaa86e06adcd2a9ad7a"
-
-  ev_policy_oids: "1.3.6.1.4.1.6449.1.2.1.5.1"
-}
-
-# USERTrust RSA Certification Authority
-# https://usertrustrsacertificationauthority-ev.comodoca.com/
-trust_anchors {
-  sha256_hex: "e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2"
-
-  ev_policy_oids: "1.3.6.1.4.1.6449.1.2.1.5.1"
-}
-
-# XRamp Global Certification Authority
-trust_anchors {
-  sha256_hex: "cecddc905099d8dadfc5b1d209b737cbe2c18cfb2c10c0ff0bcf0d3286fc1aa2"
-
-  ev_policy_oids: "2.16.840.1.114404.1.1.2.4.1"
-}
diff --git a/chromium/net/data/ssl/root_stores/README.md b/chromium/net/data/ssl/root_stores/README.md
index 6cfefadcb13..c2515dceb17 100644
--- a/chromium/net/data/ssl/root_stores/README.md
+++ b/chromium/net/data/ssl/root_stores/README.md
@@ -96,3 +96,8 @@ less exhaustively, on [MSDN](https://msdn.microsoft.com/en-us/library/windows/de
 Additional restrictions upon trusted CAs are maintained as properties within
 the STL; however, these were not consulted, as they're not applicable to this
 use case.
+
+Tools that can help get this data:
+
+* https://github.com/robstradling/authroot.stl
+* https://github.com/zmap/rootfetch
diff --git a/chromium/net/data/ssl/root_stores/root_stores.json b/chromium/net/data/ssl/root_stores/root_stores.json
index 5edb8db8b72..785e6bb2017 100644
--- a/chromium/net/data/ssl/root_stores/root_stores.json
+++ b/chromium/net/data/ssl/root_stores/root_stores.json
@@ -54,7 +54,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "007e452fd5cf838946696dfe37a2db2ef3991436d27bcbab45922053c15a87a8": [
       "windows/080328202117",
@@ -127,7 +128,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "00ab444abd6bdba33da8de569ac4ecde326d1be1a61442d5eec3975a0c243f04": [
       "windows/070201011524",
@@ -205,7 +207,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "016e1dcd5f78841bbebbae9ddea08c8d7ec54e698e95bb778ecdd1e10d8bf4f9": [
       "windows/181124234732",
@@ -223,6 +226,9 @@
       "windows/200226213356",
       "windows/200421004343"
     ],
+    "018e13f0772532cf809bd1b17281867283fc48c6e13be9c69812854a490c1b05": [
+      "windows/220719163622"
+    ],
     "02ed0eb28c14da45165c566791700d6451d7fb56f0b2ab1d3b8eb070e56edff5": [
       "android/android10-release",
       "android/android11-release",
@@ -330,7 +336,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "03458b6abeecc214953d97149af45391691de9f9cdcc2647863a3d67c95c243b": [
       "android/kitkat-cts-release",
@@ -494,7 +501,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "0378b202ccabba99a12e569a11a077db1edb39482061c75d0073059d9ab5b513": [
       "windows/071219233937",
@@ -604,7 +612,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "04048028bf1f2864d48f9ad4d83294366a828856553f3b14303f90147f5d40ef": [
       "android/android10-release",
@@ -731,7 +740,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "04acfb3b24793f300f67ef87e44dd72cb9b28b204f389a7cd5ae28785c7d42cd": [
       "macos/10.10.0",
@@ -819,7 +829,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "04f1bec36951bc1454a904ce32890c5da3cde1356b7900f6e62dfa2041ebad51": [
       "windows/170228174808",
@@ -850,7 +861,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "0536801fbb443b3e905fd6d70d8c81eb88551be8061299110d2b4f82e64cade1": [
       "windows/100719231554",
@@ -913,7 +925,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "058a40323ec8c46262c3052a5d357b91ac24d3da26351b3ff4407e99f7a4e9b4": [
       "windows/070201011524",
@@ -1173,7 +1186,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739": [
       "android/android10-release",
@@ -1502,7 +1516,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "075bfcca2d55ae6e35742c32afd0ca8ea4c958feefc23224999541c033d69c8d": [
       "windows/120125230451",
@@ -1556,7 +1571,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "0771920c8cb874d5c5a4dc0d6a51a2d495d38c4de2cd5b83d2a06faa051935f6": [
       "windows/121102212406",
@@ -1607,7 +1623,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "0791ca0749b20782aad3c7d7bd0cdfc9485835843eb2d7996009ce43ab6c6927": [
       "android/kitkat-cts-release",
@@ -1637,6 +1654,9 @@
       "mozilla/2.14",
       "mozilla/2.9"
     ],
+    "07cd9aa9064a9b94c6aef8fb784c1bbc1beda08acbe86878d781a39167626cf8": [
+      "windows/220719163622"
+    ],
     "08297a4047dba23680c731db6e317653ca7848e1bebd3a0b0179a707f92cf178": [
       "android/kitkat-cts-release",
       "android/kitkat-mr1-release",
@@ -1854,7 +1874,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "0b5eed4e846403cf55e065848440ed2a82758bf5b9aa1f253d4613cfa080ff3f": [
       "android/kitkat-cts-release",
@@ -1979,7 +2000,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "0c0b6b2bd1edd7b27fead157f8e846b335b784a39f06c47216c8746f64c5ceda": [
       "windows/140912180251",
@@ -2150,7 +2172,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "0c2cd63df7806fa399ede809116b575bf87989f06518f9808c860503178baf66": [
       "android/android10-release",
@@ -2330,7 +2353,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "0ed3ffab6c149c8b4e71058e8668d429abfda681c2fff508207641f0d751a3e5": [
       "macos/10.10.0",
@@ -2595,7 +2619,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "126bf01c1094d2f0ca2e352380b3c724294546ccc65597bef7f12d8a171f1984": [
       "macos/10.10.0",
@@ -2670,7 +2695,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "12d480c1a3c664781b99d9df0e9faf3f1cacee1b3c30c3123a337a4a454ffed2": [
       "windows/071219233937",
@@ -2873,7 +2899,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658": [
       "android/android10-release",
@@ -3014,7 +3041,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1501f89c5c4dcf36cf588a17c9fd7cfceb9ee01e8729be355e25de80eb6284b4": [
       "windows/160414222039",
@@ -3048,7 +3076,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "152a402bfcdf2cd548054d2275b39c7fca3ec0978078b0f0ea76e561a6c7433e": [
       "android/nougat-mr1-cts-release",
@@ -3116,7 +3145,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1594cb5b826c315de3bc932c56895ff23a3a988b5dc1f034d214dfd858d89ee8": [
       "windows/070109202240",
@@ -3198,7 +3228,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "15f0ba00a3ac7af3ac884c072b1011a077bd77c097f40164b2f8598abd83860c": [
       "android/android10-release",
@@ -3426,7 +3457,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1793927a0614549789adce2f8f34f7f0b66d0f3ae3a3b84d21ec15dbba4fadc7": [
       "android/android10-release",
@@ -3546,7 +3578,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "179fbc148a3dd00fd24ea13458cc43bfa7f59c8182d783a513f6ebec100c8924": [
       "android/android10-release",
@@ -3651,7 +3684,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "18ce6cfe7bf14e60b2e347b8dfe868cb31d02ebb3ada271569f50343b46db3a4": [
       "android/android10-release",
@@ -3722,7 +3756,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "18f1fc7f205df8adddeb7fe007dd57e3af375a9c4d8d73546bf4f1fed1e18d35": [
       "android/android10-release",
@@ -3863,7 +3898,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "19abcdff3a74402fa8f0ca206bf7fab0dffff3ae2bbd719584d21090a4353207": [
       "windows/170613190204",
@@ -3892,7 +3928,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1a0d20445de5ba1862d19ef880858cbce50102b36e8f0a040c3c69e74522fe6e": [
       "windows/110919210309",
@@ -3948,7 +3985,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1a2512cda6744abea11432a2fdc9f8c088db5a98c89e13352574cde4d9e80cdd": [
       "windows/140912180251",
@@ -3991,7 +4029,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1aa980c8c0d316f25029978982f033cbb3a3f4188d669f2de6a8d84ee00a1575": [
       "windows/080328202117",
@@ -4135,7 +4174,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1ba622b36325544ae922afc22ef9d367943794f6e16874f368a733c65c9d5279": [
       "windows/111018233154",
@@ -4273,7 +4313,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1d4f0596fca2611d09f84c78f2ea565ef2eab9cfc272a1718bd336e6e0ae021a": [
       "windows/070109202240",
@@ -4365,7 +4406,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1e49ac5dc69e86d0565da2c1305c419330b0b781bfec50e54a1b35af7fddd501": [
       "macos/10.11.0",
@@ -4449,7 +4491,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1e51942b84fd467bf77d1c89da241c04254dc8f3ef4c22451fe7a89978bdcd4f": [
       "windows/160916174005",
@@ -4482,7 +4525,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "1e910b40c08184c0ca20468e824502ff2485163f77b03bb73296823f03885621": [
       "windows/111018233154",
@@ -4568,7 +4612,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2193cfea381211a1aeaa2de984e630643a87160b1208118145eafb8e1bc69958": [
       "windows/170228174808",
@@ -4599,7 +4644,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "21db20123660bb2ed418205da11ee7a85a65e2bc6e55b5af7e7899c8a266d92e": [
       "android/kitkat-cts-release",
@@ -4723,7 +4769,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "229ccc196d32c98421cc119e78486eebef603aecd525c6b88b47abb740692b96": [
       "windows/150618202535",
@@ -4764,7 +4811,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "22a2c1f7bded704cc1e701b5f408c310880fe956b5de2a4a44f99c873a25a7c8": [
       "android/android10-release",
@@ -4821,7 +4869,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "22e0d11dc9207e16c92b2ee18cfdb2c2e940626847921fc528cedd2f7932f714": [
       "windows/070109202240",
@@ -4959,7 +5008,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2399561127a57125de8cefea610ddf2fa078b5c8067f4e828290bfb860e84b3c": [
       "android/android10-release",
@@ -5087,7 +5137,11 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
+    ],
+    "242b69742fcb1e5b2abf98898b94572187544e5b4d9911786573621f6a74b82c": [
+      "windows/220719163622"
     ],
     "248302a977f40f7dd6a2b770586adfaac3eb1e85fd1a102dbd7863c72b8f8ef2": [
       "macos/10.10.0",
@@ -5125,7 +5179,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2530cc8e98321502bad96f9b1fba1b099e2d299e0f4548bb914f363bc0d4531f": [
       "android/android10-release",
@@ -5191,7 +5246,8 @@
       "mozilla/2.9",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2602d21e81277a83f6048128f61d794a06f474e1f75e49740a817c2666f62211": [
       "windows/070109202240",
@@ -5313,7 +5369,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "27995829fe6a7515c1bfe848f9c4761db16c225929257bf40d0894f29ea8baf2": [
       "android/nougat-mr1-cts-release",
@@ -5381,7 +5438,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2834991cf677466d22baac3b0055e5b911d9a9e55f5b85ba02dc566782c30e8a": [
       "macos/10.10.0",
@@ -5507,7 +5565,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2a8da2f8d23e0cd3b5871ecfb0f42276ca73230667f474eede71c5ee32cc3ec6": [
       "windows/160414222039",
@@ -5541,7 +5600,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2a99f5bc1174b73cbb1d620884e01c34e51ccb3978da125f0e33268883bf4158": [
       "android/android10-release",
@@ -5635,7 +5695,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69": [
       "android/android10-release",
@@ -5673,7 +5734,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2ce1cb0bf9d2f9e102993fbe215152c3b2dd0cabde1c68e5319b839154dbb7f5": [
       "android/android10-release",
@@ -5799,7 +5861,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2d47437de17951215a12f3c58e51c729a58026ef1fcc0a5fb3d9dc012f600d19": [
       "android/kitkat-cts-release",
@@ -6050,7 +6113,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2dfcbacadf22a6ff107a51fd3e8b9e17858028879b13f7c3b57b3e1bd2315809": [
       "windows/070109202240",
@@ -6091,7 +6155,8 @@
       "windows/150122021939"
     ],
     "2e44102ab58cb85419451c8e19d9acf3662cafbc614b6a53960a30f7d0e2eb41": [
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c": [
       "android/android10-release",
@@ -6143,7 +6208,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "2f1062f8bf84e7eb83a0f64c98d891fbe2c811b17ffac0bce1a6dc9c7c3dcbb7": [
       "macos/10.9.0",
@@ -6325,7 +6391,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0": [
       "android/android10-release",
@@ -6430,7 +6497,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "31eace9b4c9c71734a185680bc24866ca6cbd82b3cb61bcc8706261b59ce1073": [
       "windows/070109202240",
@@ -6672,7 +6740,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "341de98b1392abf7f4ab90a960cf25d4bd6ec65b9a51ce6ed067d00ec7ce9b7f": [
       "macos/10.10.0",
@@ -6726,7 +6795,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "34ff2a4409dc1383e9f8966e8adfe5719eba373fd0ad5e2f49f90ee07cf5d4c1": [
       "windows/190416222336",
@@ -6738,12 +6808,14 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "358df39d764af9e1b766e9c972df352ee15cfac227af6ad1d70e8e4a6edcba02": [
       "android/android12-release",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "35ae5bddd8f7ae635cffba5682a8f00b95f48462c7108ee9a0e5292b074aafb2": [
       "android/kitkat-cts-release",
@@ -6945,7 +7017,11 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
+    ],
+    "371a00dc0533b3721a7eeb40e8419e70799d2b0a0f2c1d80693165f7cec4ad75": [
+      "windows/220719163622"
     ],
     "37d51006c512eaab626421f1ec8c92013fc5f82ae98ee533eb4619b8deb4d06c": [
       "android/android10-release",
@@ -7085,7 +7161,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "37d8dc8af7867845da3344a6b1bade448d8a80e47b5579f96bf631768f9f30f6": [
       "windows/070201011524",
@@ -7373,7 +7450,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "3c4fb0b95ab8b30032f432b86f535fe172c185d0fd39865837cf36187fa6f428": [
       "android/android10-release",
@@ -7468,7 +7546,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "3c5f81fea5fab82c64bfa2eaecafcde8e077fc8620a7cae537163df36edbf378": [
       "android/android10-release",
@@ -7590,7 +7669,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "3ccc3ccfe45496d07b620dbf1328e8a1490018f48633c8a28a995ca60408b0be": [
       "windows/070109202240",
@@ -7669,7 +7749,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "3cfc3c14d1f684ff17e38c43ca440c00b967ec933e8bfe064ca1d72c90f2adb0": [
       "mozilla/2.10",
@@ -7808,7 +7889,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c": [
       "android/android10-release",
@@ -7949,7 +8031,11 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
+    ],
+    "3f034bb5704d44b2d08545a02057de93ebf3905fce721acbc730c06ddaee904e": [
+      "windows/220719163622"
     ],
     "3f06e55681d496f5be169eb5389f9f2b8ff61e1708df6881724849cd5d27cb69": [
       "android/kitkat-cts-release",
@@ -7993,6 +8079,9 @@
       "windows/090825180842",
       "windows/091013033632"
     ],
+    "3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401": [
+      "windows/220719163622"
+    ],
     "3f9da4744ec9676cd38b530e500a463fbcb18165977ff0da6d5993c3fe5fab7c": [
       "windows/070201011524",
       "windows/070522004642",
@@ -8141,7 +8230,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "40f6af0346a99aa1cd1d555a4e9cce62c7f9634603ee406615833dc8c8d00367": [
       "android/android11-release",
@@ -8166,7 +8256,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "416b1f9e84e74c1d19b23d8d7191c6ad81246e641601f599132729f507beb3cc": [
       "windows/180518182443",
@@ -8188,7 +8279,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "417dcf3180f4ed1a3747acf1179316cd48cb05c5788435168aed98c98cdcb615": [
       "windows/121102212406",
@@ -8239,7 +8331,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "41c923866ab4cad6b7ad578081582e020797a6cbdf4fff78ce8396b38937d7f5": [
       "android/android10-release",
@@ -8378,7 +8471,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "41d4f6dcf130b9843a3b9a9530953e925fdd84e8b7aeb8f205b8fae39352617d": [
       "macos/10.10.0",
@@ -8528,7 +8622,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "4210f199499a9ac33c8de02ba6dbaa14408bdd8a6e324689c1922d069715a332": [
       "windows/100503224537",
@@ -8659,7 +8754,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161": [
       "android/android10-release",
@@ -8800,7 +8896,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339": [
       "android/android10-release",
@@ -8928,7 +9025,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "43f257412d440d627476974f877da8f1fc2444565a367ae60eddc27a412531ae": [
       "macos/10.10.0",
@@ -9142,7 +9240,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "45140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda": [
       "android/android10-release",
@@ -9268,7 +9367,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "46273285615d96e52da9fc2ed8c036f10af3d9f6280f8d288706c52b2011b4da": [
       "windows/090501224247",
@@ -9336,7 +9436,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "46edc3689046d53a453fb3104ab80dcaec658b2660ea1629dd7e867990648716": [
       "android/android10-release",
@@ -9395,7 +9496,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "488e134f30c5db56b76473e608086842bf21af8ab3cd7ac67ebdf125d531834e": [
       "windows/090825180842",
@@ -9462,7 +9564,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "488fca189eaadf54a3f920ed39e587183ba512232999fae3e4a285fe98e298d1": [
       "windows/150122021939",
@@ -9582,7 +9685,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "49c8175a9815e08bef129a929de1bacad04e4db67a8c839293953e5031c81ca0": [
       "windows/070109202240",
@@ -9734,7 +9838,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "49f74f824f2e059fe99c98af3219ec0d9a004d1b64dd2fd1452616318ab806c0": [
       "windows/070109202240",
@@ -9774,6 +9879,9 @@
       "windows/140912180251",
       "windows/150122021939"
     ],
+    "4b009c1034494f9ab56bba3ba1d62731fc4d20d8955adcec10a925607261e338": [
+      "windows/220719163622"
+    ],
     "4b03f45807ad70f21bfc2cae71c9fde4604c064cf5ffb686bae5dbaad7fdd34c": [
       "android/android10-release",
       "android/android11-release",
@@ -9899,7 +10007,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "4b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708": [
       "android/lollipop-cts-release",
@@ -9958,7 +10067,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "4bdb7418bdf7ffe33ba0884afa7c0c61fd85a153972f65f7d01cb3ec7eb4073c": [
       "windows/070109202240",
@@ -10052,7 +10162,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "4d2491414cfe956746ec4cefa6cf6f72e28a1329432f9d8a907ac4cb5dadc15a": [
       "android/android10-release",
@@ -10152,7 +10263,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "4d9ebb28825c9643ab15d54e5f9614f13cb3e95de3cf4eac971301f320f9226e": [
       "windows/090825180842",
@@ -10219,7 +10331,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "4dbb0157a691fa7382289d65c0332ddb1dcb640b40ad10f010a43e20f3afed1e": [
       "windows/070109202240",
@@ -10297,6 +10410,9 @@
       "windows/140912180251",
       "windows/150122021939"
     ],
+    "4fa3126d8d3a11d1c4855a4f807cbad6cf919d3a5a88b03bea2c6372d93c40c9": [
+      "windows/220719163622"
+    ],
     "4ff460d54b9c86dabfbcfc5712e0400d2bed3fbc4d4fbdaa86e06adcd2a9ad7a": [
       "android/android10-release",
       "android/android11-release",
@@ -10403,7 +10519,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "507941c74460a0b47086220d4e9932572ab5d1b5bbcb8980ab1cb17651a844d2": [
       "android/kitkat-cts-release",
@@ -10519,7 +10636,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "513b2cecb810d4cde5dd85391adfc6c2dd60d87bb736d2b521484aa47a0ebef6": [
       "android/android10-release",
@@ -10646,7 +10764,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "51847c8cbd2e9a72c91e292d2ae247d7de1e3fd270547a20ef7d610f38b8842c": [
       "macos/10.10.0",
@@ -10849,7 +10968,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "53dfdfa4e297fcfe07594e8c62d5b8ab06b32c7549f38a163094fd6429d5da43": [
       "macos/10.10.0",
@@ -10917,7 +11037,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "54455f7129c20b1447c418f997168f24c58fc5023bf5da5be2eb6e1dd8902ed5": [
       "android/android10-release",
@@ -10969,7 +11090,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "54ae8a683fe2d78ff1ef0e0b3f58425092953ba08c67fe4a95595d1cebcdcb30": [
       "windows/140912180251",
@@ -11057,7 +11179,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988": [
       "android/android10-release",
@@ -11162,7 +11285,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5533a0401f612c688ebce5bf53f2ec14a734eb178bfae00e50e85dae6723078a": [
       "windows/131003230417",
@@ -11209,13 +11333,18 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "554153b13d2cf9ddb753bfbe1a4e0ae08d0aa4187058fe60a2b862b2e4b87bcb": [
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
+    ],
+    "5546a52504fba74f61ffd4890067529ade3b9c9d07e502592831ccda9b369fd3": [
+      "windows/220719163622"
     ],
     "55903859c8c0c3ebb8759ece4e2557225ff5758bbd38ebd48276601e1bd58097": [
       "android/android12-release",
@@ -11228,7 +11357,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "55926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066": [
       "android/android10-release",
@@ -11343,7 +11473,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5607e260163f49c8ea4175a1c0a53b13195cb7d07845611e943a2ff507036834": [
       "windows/070522004642",
@@ -11420,7 +11551,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab5": [
       "android/android10-release",
@@ -11546,7 +11678,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "56c77128d98c18d91b4cfdffbc25ee9103d4758ea2abad826a90f3457d460eb4": [
       "android/nougat-mr1-cts-release",
@@ -11819,7 +11952,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "59b3829f1ff443344958fae8bff621b684c848cfbf7ead6b63a6ca50f2794f89": [
       "macos/10.11.0",
@@ -11903,7 +12037,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5a1b5d6bc65523b40a6deffa45b48e4288ae8dd86dd70a5b858d4a5affc94f71": [
       "windows/071219233937",
@@ -12001,7 +12136,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5a885db19c01d912c5759388938cafbbdf031ab2d48e91ee15589b42971d039c": [
       "android/android10-release",
@@ -12057,7 +12193,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5ab4fcdb180b5b6af0d262a2375a2c77d25602015d96648756611e2e78c53ad3": [
       "windows/180926205955",
@@ -12075,7 +12212,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5adfa25013bed3710831572de51c4b9a21171c00313249c4cb4719d37fbb8d20": [
       "windows/160916174005",
@@ -12108,7 +12246,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5b1d9d24de0afea8b35ba04a1c3e25d0812cdf7c4625de0a89af9fe4bbd1bb15": [
       "windows/110919210309",
@@ -12303,7 +12442,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5cc3d78e4e1d5e45547a04e6873e64f90cf9536d1ccc2ef800f355c4c5fd70fd": [
       "android/android10-release",
@@ -12397,7 +12537,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5d56499be4d2e08bcfcad08a3e38723d50503bde706948e42f55603019e528ae": [
       "android/android10-release",
@@ -12494,7 +12635,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5e3571f33f45a7df1537a68b5ffb9e036af9d2f5bc4c9717130dc43d7175aac7": [
       "windows/070201011524",
@@ -12571,7 +12713,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5edb7ac43b82a06a8761e8d7be4979ebf2611f7dd79bf91c1c6b566a219ed766": [
       "android/android10-release",
@@ -12699,7 +12842,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "5f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c07": [
       "android/kitkat-cts-release",
@@ -12909,7 +13053,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "606223d9db80df3939601e74b7e828e2800cce4273f76f276aa62db0a8e3b6c1": [
       "windows/071219233937",
@@ -12955,7 +13100,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "614fd18da1490560cdad1196e2492ab7062eab1a67b3a30f1d0585a7d6ba6824": [
       "windows/070109202240",
@@ -13250,7 +13396,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "62f240278c564c4dd8bf7d9d4f6f366ea894d22f5f34d989a983acec2fffed50": [
       "android/kitkat-cts-release",
@@ -13412,7 +13559,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "63343abfb89a6a03ebb57e9b3f5fa7be7c4f5c756f3017b3a8c488c3653e9179": [
       "macos/10.10.0",
@@ -13494,7 +13642,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "657cfe2fa73faa38462571f332a2363a46fce7020951710702cdfbb6eeda3305": [
       "android/android12-release",
@@ -13521,7 +13670,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "6639d13cab85df1ad9a23c443b3a60901e2b138d456fa71183578108884ec6bf": [
       "macos/10.10.0",
@@ -13989,7 +14139,11 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
+    ],
+    "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470": [
+      "windows/220719163622"
     ],
     "69ddd7ea90bb57c93e135dc85ea6fcd5480b603239bdc454fc758b2a26cf7f79": [
       "android/android10-release",
@@ -14116,7 +14270,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "69fac9bd55fb0ac78d53bbee5cf1d597989fd0aaab20a25151bdf1733ee7d122": [
       "android/kitkat-cts-release",
@@ -14265,6 +14420,9 @@
       "windows/200111003235",
       "windows/200226213356"
     ],
+    "6b328085625318aa50d173c98d8bda09d57e27413d114cf787a0f5d06c030cf6": [
+      "windows/220719163622"
+    ],
     "6b9c08e86eb0f767cfad65cd98b62149e5494a67f5845e7bd1ed019f27b86bd6": [
       "android/android10-release",
       "android/android11-release",
@@ -14343,7 +14501,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "6baf50ae3467eff3c35fefdc76a02a97fab6267723eda91e99f1b3dc2b28f82e": [
       "windows/090825180842",
@@ -14541,7 +14700,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "6cc05041e6445e74696c4cfbc9f80f543b7eabbb44b4ce6f787c6a9971c42f17": [
       "android/android10-release",
@@ -14610,7 +14770,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "6ccfd302fc44bf4599329b9750878ea44e7e8566564bcbd586169762dd10c74e": [
       "windows/130626232015",
@@ -14802,7 +14963,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "6dea86a1e66620a040c3c5943cb215d2ca87fb6ac09b59707e29d2facbd66b4e": [
       "android/kitkat-mr1-release",
@@ -14831,6 +14993,9 @@
       "windows/150122021939",
       "windows/150220201450"
     ],
+    "6e0bff069a26994c15de2c4888cc54af84882e5495b7fbf66be9ccffec7489f6": [
+      "windows/220719163622"
+    ],
     "6e5e93ae867fd3e3e78304e054d1a6aeaed0295d58c0e3fc4c9ffe310a3488cc": [
       "windows/070109202240",
       "windows/070201011524",
@@ -15053,7 +15218,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "6f2bc4cb632c24eae6782c0f39758932d1e1dc9b3e070f9303073fff38b288e2": [
       "macos/10.9.0"
@@ -15167,7 +15333,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "6fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f": [
       "macos/10.10.0",
@@ -15324,7 +15491,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "70b922bfda0e3f4a342e4ee22d579ae598d071cc5ec9c30f123680340388aea5": [
       "macos/10.10.0",
@@ -15396,7 +15564,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "71cca5391f9e794b04802530b363e121da8a3043bb26662fea4dca7fc951a4bd": [
       "android/android10-release",
@@ -15440,7 +15609,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "7286ce249fe9e32bd4752257c17cd8f6991a9c1e6f1a3cc73304ed023e6ae4eb": [
       "windows/131003230417",
@@ -15487,7 +15657,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "730b619eaa759863c65360b7412e1457eca96844ef2f16d91fcf2efe46a647e9": [
       "windows/070109202240",
@@ -15597,7 +15768,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "73c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c": [
       "android/android10-release",
@@ -15738,7 +15910,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf": [
       "android/android10-release",
@@ -15879,7 +16052,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "744b1147b4a9a69c32785e9e37c3323241ef29f63e76f1603d6761a783d8a0fe": [
       "windows/150122021939",
@@ -16122,7 +16296,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "767c955a76412c89af688e90a1c70f556cfd6b6025dbea10416d7eb6831f8c40": [
       "android/kitkat-cts-release",
@@ -16263,7 +16438,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "77407312c63a153d5bc00b4e51759cdfdac237dc2a33b67946e98e9bfa680ae3": [
       "android/kitkat-cts-release",
@@ -16455,7 +16631,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "781d64dfa77b00f2c006700b1fda86bf68b865a603c7a656f92e90c042ca2873": [
       "windows/080328202117",
@@ -16831,7 +17008,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "7af6ea9f753a1e709bd64d0beb867c11e8c295a56e24a6e0471459dccdaa1558": [
       "macos/10.11.0",
@@ -16915,7 +17093,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "7afc9d01a62f03a2de9637936d4afe68090d2de18d03f29c88cfb0b1ba63587f": [
       "macos/10.10.0",
@@ -17148,7 +17327,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "7d2bf3489ebc9ad3448b8b0827715a3cbfe3d523e3b56a9b5fc1d2a2da2f20fe": [
       "windows/100503224537",
@@ -17212,7 +17392,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "7d3b465a6014e526c0affcee2127d2311727ad811c26842d006af37306cc80bd": [
       "android/kitkat-cts-release",
@@ -17446,7 +17627,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "7f12cd5f7e5e290ec7d85179d5b72c20a5be7508ffdb5bf81ab9684a7fc9f667": [
       "android/kitkat-cts-release",
@@ -17651,7 +17833,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "81c2568503eb3be5eec366653960e6d1be9448915e4605b793fbeb34ccb2470f": [
       "windows/120223022238",
@@ -17819,7 +18002,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "83ce3c1229688a593d485f81973c0f9195431eda37cc5e36430e79c7a888638b": [
       "android/kitkat-cts-release",
@@ -17908,7 +18092,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61": [
       "windows/110919210309",
@@ -18000,7 +18185,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69": [
       "android/android10-release",
@@ -18057,7 +18243,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "85a0dd7dd720adb7ff05f83d542b209dc7ff4528f7d677b18389fea5e5c49e86": [
       "android/android10-release",
@@ -18197,7 +18384,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "85e0dfae3e55a843195f8b08c8349050e4689372f6e133ad0d199af96e95cc08": [
       "windows/070109202240",
@@ -18355,7 +18543,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "86a1ecba089c4a8d3bbe2734c612ba341d813e043cf9e8a862cd5c57a36bbe6b": [
       "android/android11-release",
@@ -18380,7 +18569,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "87c678bfb8b25f38f7e97b336956bbcf144bbacaa53647e61a2325bc1055316b": [
       "android/kitkat-cts-release",
@@ -18527,7 +18717,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "885de64c340e3ea70658f01e1145f957fcda27aabeea1ab9faa9fdb0102d4077": [
       "windows/070109202240",
@@ -18708,7 +18899,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "88f438dcf8ffd1fa8f429115ffe5f82ae1e06e0c70c375faad717b34a49e7265": [
       "android/android12-release",
@@ -18722,7 +18914,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "894ce6ddb012cb3f736954668de63f436080e95f17b7a81bd924eb21bee9e440": [
       "windows/071219233937",
@@ -18796,7 +18989,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "894ebc0b23da2a50c0186b7f8f25ef1f6b2935af32a94584ef80aaf877a3a06e": [
       "macos/10.10.0",
@@ -18979,7 +19173,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "8a968aadd88b20519672a452a3d6e31eacb71c26bcaf65b32f9793bf2ffa54a9": [
       "macos/10.10.0",
@@ -18994,7 +19189,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "8b3fdb151af759c566143e07c950ede4f9e8c7cf808453d33bcb78e52a400af9": [
       "windows/130420010442",
@@ -19043,7 +19239,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02": [
       "android/nougat-cts-release",
@@ -19092,7 +19289,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "8ba1bd9c88efb3947e60ebe21137f81df7f09994cef27f097055018b8194c634": [
       "windows/140912180251",
@@ -19411,7 +19609,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "8da084fcf99ce07722f89b3205939806fa5cb811e1c813f6a108c7d336b3408e": [
       "android/kitkat-cts-release",
@@ -19711,7 +19910,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "8f1ecdaf29bcd56eddd6b5d56a07fcac2b74d4bcd179179144a0365c27dcf14b": [
       "windows/121102212406",
@@ -19816,7 +20016,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "8f9e2751dcd574e9ba90e744ea92581fd0af640ae86ac1ce2198c90f96b44823": [
       "windows/070109202240",
@@ -19999,7 +20200,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "90f3e05396995ff20922c44592db62d7845e1bf64aef512cca75bc669caa2479": [
       "windows/070702210503",
@@ -20192,7 +20394,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "92a9d9833fe1944db366e8bfae7a95b6480c2d6c6c2a1be65d4236b608fca1bb": [
       "macos/10.10.0",
@@ -20442,7 +20645,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "940ef46536713d8e2eb4b501e80b6abd8eb4e9928dba44784ce7d7e98595dfe8": [
       "macos/10.9.0"
@@ -20467,7 +20671,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "956057517ff3bb35049342288c1c9dce852daca652b465e9747253b5f93b1f5e": [
       "windows/070109202240",
@@ -20535,7 +20740,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "959dc5880c457cd92e5447aaa5609db09ed47bd02c17a0edefdc819e756c74e5": [
       "macos/10.10.0",
@@ -20730,7 +20936,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "97552015f5ddfc3c8788c006944555408894450084f100867086bc1a2bb58dc8": [
       "android/android12-release",
@@ -20743,7 +20950,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "978cd966f2faa07ba7aa9500d9c02e9d77f2cdada6ad6ba74af4b91c66593c50": [
       "android/kitkat-cts-release",
@@ -20860,7 +21068,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "9806ab8509e2f35e192f275f0c308b9409b42512f90c659598c22be613962272": [
       "windows/070109202240",
@@ -21043,7 +21252,11 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
+    ],
+    "9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a": [
+      "windows/220719163622"
     ],
     "9a6ec012e1a7da9dbe34194d478ad7c0db1822fb071df12981496ed104384113": [
       "android/android10-release",
@@ -21125,7 +21338,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "9a73929a500f1a0bf49dcb046e8039169696557345e9f813f10ff9380db22695": [
       "macos/10.10.0",
@@ -21296,7 +21510,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "9b14e8f5f6ea167666e76dcd6becc190861d5e8970b99a9470f0231236049704": [
       "windows/131003230417",
@@ -21347,7 +21562,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "9cefb0cb7b74e642932532831e0dc8f4d68ad414261fc3f474b795e72a164e57": [
       "windows/150618202535",
@@ -21388,7 +21604,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "9d190b2e314566685be8a889e27aa8c7d7ae1d8aaddba3c1ecf9d24863cd34b9": [
       "macos/10.10.0",
@@ -21659,7 +21876,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a040929a02ce53b4acf4f2ffc6981ce4496f755e6d45fe0b2a692bcd52523f36": [
       "android/android10-release",
@@ -21729,7 +21947,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a0459b9f63b22559f5fa5d4c6db3f9f72ff19342033578f073bf1d1b46cbb912": [
       "android/android10-release",
@@ -21840,7 +22059,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a1339d33281a0b56e557d3d32b1ce7f9367eb094bd5fa72a7e5004c8ded7cafe": [
       "android/android10-release",
@@ -21895,7 +22115,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a1a86d04121eb87f027c66f53303c28e5739f943fc84b38ad6af009035dd9457": [
       "macos/10.13.1",
@@ -22066,7 +22287,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a22dba681e97376e2d397d728aae3a9b6296b9fdba60bc2e11f647f2c675fb37": [
       "android/kitkat-cts-release",
@@ -22191,7 +22413,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a31f093053bd12c1f5c3c6efd498023fd2914d7758d05d698ce084b50626e0e5": [
       "macos/10.10.0",
@@ -22327,7 +22550,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a3d7435a18c46b23b6a4f8929cd59050c9168b03a7fad532626f297cac5356e4": [
       "windows/110919210309",
@@ -22383,7 +22607,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a4310d50af18a6447190372a86afaf8b951ffb431d837f1e5688b45971ed1557": [
       "android/android10-release",
@@ -22503,7 +22728,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a45ede3bbbf09c8ae15c72efc07268d693a21c996fd51e67ca079460fd6d8873": [
       "android/android10-release",
@@ -22943,7 +23169,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "a798a1c70e9b6d50eaa5724a26fac7991848edc61bf48d79816bcafb66972128": [
       "windows/070109202240",
@@ -23067,7 +23294,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "aad9ceed5aa6b1cea28596a8e4e1abed9386d6ebc9d4aad9acde0fa36ba069d0": [
       "macos/10.10.0",
@@ -23149,7 +23377,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ab7036365c7154aa29c2c29f5d4191163b162a2225011357d56d07ffa7bc1f72": [
       "macos/10.10.0",
@@ -23249,7 +23478,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ad016f958050e0e7e46fae7dcc50197ed8e3ff0a4b262e5ddcdb3edddc7d6578": [
       "windows/100503224537",
@@ -23313,7 +23543,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ad7539e5cdc985fa95244055a9202d63460ec921467d034cfdbe87ec6d00fedc": [
       "windows/130626232015",
@@ -23458,7 +23689,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ae92e90000541a9ebc101b70b6c33a62f5a53a55ba815e81d31abddf03507f5d": [
       "windows/070109202240",
@@ -24078,7 +24310,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "b2259996fff735ab35014ef63f3d413190079dd03a0962432635a8695f995305": [
       "windows/100927165108",
@@ -24229,7 +24462,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "b3c962d34019fb38ab9fe9c62399742ab26c43c2d18ce3f2b13c14321e52964b": [
       "windows/070109202240",
@@ -24534,7 +24768,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "b5bd2cb79cbd1907298d6bdf4842e516d8c78fa6fc96d25f71af814e16cc245e": [
       "windows/080828200829",
@@ -24605,7 +24840,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d3": [
       "android/android10-release",
@@ -24879,7 +25115,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "b7a7ec419454411761225ecf30d99585f851356077bf83274b11588fd05521b8": [
       "macos/10.9.0"
@@ -25006,7 +25243,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "b8bbe523bfca3b11d50f73f7f10b3ec8ec958aa1dc86f66d9541907ff1a110ef": [
       "windows/090203164005",
@@ -25241,7 +25479,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "bc23f98a313cb92de3bbfc3a5a9f4461ac39494c4ae15a9e9df131e99b73019a": [
       "android/kitkat-cts-release",
@@ -25317,7 +25556,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "bcdd8df4276366d7ff4b688dc81500d8e98252c049c8ff1e8c82f2baec9d5c16": [
       "windows/070109202240",
@@ -25489,7 +25729,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "bd81ce3b4f6591d11a67b5fc7a47fdef25521bf9aa4e18b9e3df2e34a7803be8": [
       "android/kitkat-cts-release",
@@ -25657,10 +25898,12 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "beb00b30839b9bc32c32e4447905950641f26421b15ed089198b518ae2ea1b99": [
-      "android/android12-release"
+      "android/android12-release",
+      "windows/220719163622"
     ],
     "bebce57dcb85f60a93bfa5019edb1a294bf6d81f82d9b4e71f502f0b15a1fc08": [
       "windows/160916174005",
@@ -25793,7 +26036,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "bf0feefb9e3a581ad5f9e9db7589985743d261085c4d314f6f5d7259aa421612": [
       "android/android10-release",
@@ -25992,7 +26236,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "bfff8fd04433487d6a8aa60c1a29767a9fc2bbb05e420f713a13b992891d3893": [
       "android/android10-release",
@@ -26056,7 +26301,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5": [
       "android/android10-release",
@@ -26190,7 +26436,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c0c05a8d8da55eaf27aa9b910b0a6ef0d8bbded346928db872e182c2073e9802": [
       "macos/10.10.0",
@@ -26280,6 +26527,9 @@
       "windows/150820181119",
       "windows/151119231843"
     ],
+    "c1468cf2254e6004b24696aba209d1a30ba6e2dff68a9a4e32c6ab414f90c8d9": [
+      "windows/220719163622"
+    ],
     "c1727f3b673e6ae7f12f23d789a7be38b918223ef6911c592da1f583444a547e": [
       "windows/171121202507",
       "windows/180122185731",
@@ -26305,7 +26555,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c1b12f480020336e5b04f520bc19c2e2e10ab42c9d9235f05cbec33ffa4d4dea": [
       "windows/070109202240",
@@ -26524,7 +26775,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c1cf0b52096435e3f1b71daaec455a2311c8404f5583a9e213c69d857d943305": [
       "android/kitkat-mr1-release",
@@ -26594,7 +26846,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c2157309d9aee17bf34f4df5e88dbaeba57e0361eb814cbc239f4d54d329a38d": [
       "windows/140912180251",
@@ -26639,7 +26892,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c2959db8339e8dbcf6409ca92a66c49fd2e32494940a901143bd7eb72827dec2": [
       "windows/070109202240",
@@ -26751,7 +27005,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c34c5df53080078ffe45b21a7f600469917204f4f0293f1d7209393e5265c04f": [
       "windows/150723231635",
@@ -26791,7 +27046,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4": [
       "android/android10-release",
@@ -26932,7 +27188,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c38dcb38959393358691ea4d4f3ce495ce748996e64ed1891d897a0fc4dd55c6": [
       "android/kitkat-mr1-release",
@@ -27040,7 +27297,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c470cf547e2302b977fb29dd71a89a7b6c1f60777b0329f56017f328bf4f6be6": [
       "android/kitkat-cts-release",
@@ -27249,7 +27507,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c57bacf238f9336c3dfba62d12bcf5823603e5842c44e62f5448cc7e5f4cad59": [
       "macos/10.9.0"
@@ -27257,7 +27516,8 @@
     "c741f70f4b2a8d88bf2e71c14122ef53ef10eba0cfa5e64cfa20f418853073e0": [
       "android/android12-release",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea": [
       "android/kitkat-cts-release",
@@ -27370,7 +27630,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c795ff8ff20c966688f064a1e091421d3110a3456c17ec2404b998738741f622": [
       "windows/150618202535",
@@ -27411,7 +27672,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "c7ba6567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995": [
       "android/kitkat-cts-release",
@@ -27504,7 +27766,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ca2d82a08677072f8ab6764ff035676cfe3e5e325e012172df3f92096db79b85": [
       "android/kitkat-cts-release",
@@ -27800,7 +28063,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "caca93b9d23d2b6fa76e8b8471931e0df3ec6f63af3cdbb936c41954a1872326": [
       "windows/180619172254",
@@ -27926,7 +28190,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "cb627d18b58ad56dde331a30456bc65c601a4e9b18dedcea08e7daaa07815ff0": [
       "macos/10.10.0",
@@ -28091,7 +28356,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "cbb5af185e942a2402f9eacbc0ed5bb876eea3c1223623d00447e4f3ba554b65": [
       "macos/10.10.0",
@@ -28124,6 +28390,9 @@
       "macos/10.9.4",
       "macos/10.9.5"
     ],
+    "cbb9c44d84b8043e1050ea31a69f514955d7bfd2e2c6b49301019ad61d9f5058": [
+      "windows/220719163622"
+    ],
     "cbd8ed38d4a2d677d453d70dd8890af4f6374cba6299943f1ab3a6936c6fd795": [
       "windows/091029013045",
       "windows/100503224537",
@@ -28333,7 +28602,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "cd201256fe5ced0bfff8df595fff36b1416d5313a999f532ef4a9915df96dee0": [
       "windows/090825180842",
@@ -28400,7 +28670,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "cd808284cf746ff2fd6eb58aa1d59c4ad4b3ca56fdc6274a8926a7835f32313d": [
       "macos/10.10.0",
@@ -28636,7 +28907,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "cf56ff46a4a186109dd96584b5eeb58a510c4275b0e5f94f40bbae865e19f673": [
       "android/kitkat-cts-release",
@@ -28724,7 +28996,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "d1c339ea2784eb870f934fc5634e4aa9ad5505016401f26465d37a574663359f": [
       "macos/10.10.0",
@@ -28808,7 +29081,11 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
+    ],
+    "d3ed3fc40ad26b52e001e1e18f4b9449529deb75a81d5eb680d7b62db23ba96d": [
+      "windows/220719163622"
     ],
     "d40e9c86cd8fe468c1776959f49ea774fa548684b6c406f3909261f4dce2575c": [
       "android/android10-release",
@@ -28863,7 +29140,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "d41d829e8c1659822af93fce62bffcde264fc84e8b950c5ff275d052354695a3": [
       "android/kitkat-cts-release",
@@ -29001,7 +29279,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "d487a56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16": [
       "android/nougat-cts-release",
@@ -29050,7 +29329,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "d48d3d23eedb50a459e55197601c27774b9d7b18c94d5a059511a10250b93168": [
       "android/android10-release",
@@ -29092,7 +29372,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "d68f7730b1ec2b3fb698c96d76540c9997415a25737dcd61d44960db77d2723d": [
       "macos/10.9.0"
@@ -29154,7 +29435,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4": [
       "android/android10-release",
@@ -29295,7 +29577,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "d7ba3f4ff8ad05633451470dda3378a3491b90005e5c687d2b68d53647cfdd66": [
       "windows/170922155710",
@@ -29323,7 +29606,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "d80fef910ae3f104723b045cec2d019f441ce6213adf156791e70c1790110a31": [
       "windows/150618202535",
@@ -29363,7 +29647,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d8143624": [
       "android/kitkat-cts-release",
@@ -29489,7 +29774,11 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
+    ],
+    "d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d": [
+      "windows/220719163622"
     ],
     "d95fea3ca4eedce74cd76e75fc6d1ff62c441f0fa8bc77f034b19e5db258015d": [
       "android/kitkat-cts-release",
@@ -29580,7 +29869,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "da98f640194df128c7888bc8e3479a9dd31795ff087c649052fbafb02eaef184": [
       "macos/10.10.0",
@@ -29610,7 +29900,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "dd6936fe21f8f077c123a1a521c12224f72255b73e03a7260693e8a24b0fa389": [
       "android/android10-release",
@@ -29734,7 +30025,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ddbf149733bc2bf8a09d7f012b01a6dea11d7bae26713783ef6407a2495bf189": [
       "windows/170228174808",
@@ -29765,7 +30057,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ddff53ecd7743b60bb7b2795ff5732fa785f9a14df1120fb40a38cf84ca2a566": [
       "windows/070201011524",
@@ -29843,7 +30136,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "de1af143ffa160cf5fa86abfe577291633dc264da12c863c5738bea4afbb2cdb": [
       "windows/200421004343"
@@ -29969,7 +30263,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e17890ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911": [
       "android/kitkat-cts-release",
@@ -30123,7 +30418,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e28097721a8cab8880af80fdef8902b1f15bc7473ad68ec22991257a910d9ea2": [
       "windows/190723222703",
@@ -30131,7 +30427,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e28393773da845a679f2080cc7fb44a3b7a1c3792cb7eb7729fdcb6a8d99aea7": [
       "android/kitkat-cts-release",
@@ -30219,7 +30516,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e3268f6106ba8b665a1a962ddea1459d2a46972f1f2440329b390b895749ad45": [
       "macos/10.10.3",
@@ -30316,7 +30614,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e389360d0fdbaeb3d250584b4730314e222f39c156a020144e8d960561791506": [
       "android/kitkat-cts-release",
@@ -30517,7 +30816,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e3efb6118a92e3b858fd806f690e31d46b95ca1bd756da2b3037fe2f87cc9137": [
       "macos/10.9.0",
@@ -30525,6 +30825,9 @@
       "macos/10.9.4",
       "macos/10.9.5"
     ],
+    "e46a392204a8dca342a71c1ca9a60c9185b9a930370120c3b9c7e3856f0d8f3b": [
+      "windows/220719163622"
+    ],
     "e4c73430d7a5b50925df43370a0d216e9a79b9d6db8373a0c69eb1cc31c7c52a": [
       "android/kitkat-cts-release",
       "android/kitkat-mr1-release",
@@ -30874,6 +31177,9 @@
       "windows/150723231635",
       "windows/150820181119"
     ],
+    "e6be68ce06fe0da0c140f1aeb00b67b636c5eea9422088929362375ce086db39": [
+      "windows/220719163622"
+    ],
     "e6e4a951ecbf7d8edc01bc873f7b6fd35868bdb10ed786f3a1b1ee16d8cec3e9": [
       "windows/070702210503",
       "windows/070821012656",
@@ -30948,7 +31254,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e74fbda55bd564c473a36b441aa799c8a68e077440e8288b9fa1e50e4bbaca11": [
       "windows/170228174808",
@@ -30979,7 +31286,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e75e72ed9f560eec6eb4800073a43fc3ad19195a392282017895974a99026b6c": [
       "android/android10-release",
@@ -31120,7 +31428,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e70": [
       "macos/10.10.0",
@@ -31204,7 +31513,11 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
+    ],
+    "e778f0f095fe843729cd1a0082179e5314a9c291442805e1fb1d8fb6b8886c3a": [
+      "windows/220719163622"
     ],
     "e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2": [
       "android/android10-release",
@@ -31312,7 +31625,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "e873d4082a7b4632934f48a5cc1ee500932f661e56c3467c5c84d31447476b0c": [
       "windows/070109202240",
@@ -31632,7 +31946,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "eac0220c5c9fecc5121d3720872d06707b5266be25d4ebb56ab804bbbf85fe03": [
       "macos/10.10.0",
@@ -31856,7 +32171,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "eb7e05aa58e7bd328a282bf8867033f3c035342b516ee85c01673dffffbbfe58": [
       "windows/090203164005",
@@ -31925,7 +32241,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa": [
       "android/android10-release",
@@ -31982,7 +32299,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99": [
       "android/android10-release",
@@ -32117,7 +32435,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "ebf3c02a8789b1fb7d511995d663b72906d913ce0d5e10568a8a77e2586167e7": [
       "android/kitkat-cts-release",
@@ -32408,7 +32727,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "eec5496b988ce98625b934092eec2908bed0b0f316c2d4730c84eaf1f3d34881": [
       "android/android10-release",
@@ -32522,7 +32842,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "eefca888db442cea1f03fac5de5b1af210ae03f5e1658ddb880c645e78624546": [
       "windows/091013033632",
@@ -32675,7 +32996,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "efb5157e9c66caa1dcc63c9fac0127cde83b7a426c4579b7b43a41ba46a56deb": [
       "windows/111018233154",
@@ -32914,7 +33236,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "f015ce3cc239bfef064be9f1d2c417e1a0264a0a94be1f0c8d121864eb6949cc": [
       "windows/190723222703",
@@ -32922,7 +33245,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "f09b122c7114f4a09bd4ea4f4a99d558b46e4c25cd81140d29c05613914c3841": [
       "android/kitkat-cts-release",
@@ -33019,7 +33343,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "f1b13f5c9a326403b0f31bbe7699cd17c7d1c0b981586dd1a7b219c52508fe99": [
       "windows/070702210503",
@@ -33095,7 +33420,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "f1c1b50ae5a20dd8030ec9f6bc24823dd367b5255759b4e71b61fce9f7375d73": [
       "android/android10-release",
@@ -33236,7 +33562,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "f1f3cc207a6d47947b8cb9c30422229de0d71fb867e0b9a3eda08e0e1736bc28": [
       "windows/070109202240",
@@ -33317,7 +33644,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "f356bea244b7a91eb35d53ca9ad7864ace018e2d35d5f8f96ddf68a6f41aa474": [
       "android/android10-release",
@@ -33422,7 +33750,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "f375e2f77a108bacc4234894a9af308edeca1acd8fbde0e7aaa9634e9daf7e1c": [
       "windows/091029013045",
@@ -33584,7 +33913,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "f4c149551a3013a35bc7bffe17a7f3449bc1ab5b5a0ae74b06c23b90004c0104": [
       "android/kitkat-cts-release",
@@ -33825,7 +34155,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "f9e67d336c51002ac054c632022d66dda2e7e3fff10ad061ed31d8bbb410cfb2": [
       "android/android10-release",
@@ -33966,7 +34297,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "fabcf5197cdd7f458ac33832d3284021db2425fd6bea7a2e69b7486e8f51f9cc": [
       "macos/10.10.0",
@@ -34041,7 +34373,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "fad540811afae0dc767cdf6572a088fa3ce8493dd82b3b869a67d10aab4e8124": [
       "windows/170419224008",
@@ -34071,7 +34404,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "fb47d92a9909fd4fa9bec02737543e1f3514ced747407a8d9cfa397b0915067c": [
       "windows/120223022238",
@@ -34124,7 +34458,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "fc0a0fe27c9dc13c81238a5913a1daf8184168beb7e5a4512a771fd4f453651d": [
       "windows/070109202240",
@@ -34189,7 +34524,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "fcbfe2886206f72b27593c8b070297e12d769ed10ed7930705a8098effc14d17": [
       "android/kitkat-cts-release",
@@ -34297,7 +34633,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "fd73dad31c644ff1b43bef0ccdda96710b9cd9875eca7e31707af3e96d522bbd": [
       "android/android10-release",
@@ -34414,7 +34751,8 @@
       "windows/191029183108",
       "windows/200111003235",
       "windows/200226213356",
-      "windows/200421004343"
+      "windows/200421004343",
+      "windows/220719163622"
     ],
     "fe7114d07a147759891ff37b4f53eb43568296bc3bf89bc12cafb186985ef28d": [
       "windows/071219233937",
@@ -34490,6 +34828,9 @@
       "windows/200226213356",
       "windows/200421004343"
     ],
+    "fe7696573855773e37a95e7ad4d9cc96c30157c15d31765ba9b15704e1ae78fd": [
+      "windows/220719163622"
+    ],
     "fe863d0822fe7a2353fa484d5924e875656d3dc9fb58771f6f616f9d571bc592": [
       "macos/10.10.0",
       "macos/10.10.3",
@@ -34711,7 +35052,7 @@
       "windows/151119231843"
     ]
   },
-  "last_spki_id": 521,
+  "last_spki_id": 542,
   "spkis": {
     "004124ad6037fd5f3319e7a23d4d9c811f5598d66c4754155b0aaa9e8f00621f": {
       "fingerprints": [
@@ -35784,6 +36125,12 @@
       "id": 278,
       "legacy": true
     },
+    "48a8a7ecd03a83b26aec7574d09d6453e95f90360634ce204bcbd473997d4c05": {
+      "fingerprints": [
+        "5546a52504fba74f61ffd4890067529ade3b9c9d07e502592831ccda9b369fd3"
+      ],
+      "id": 532
+    },
     "4905466623ab4178be92ac5cbd6584f7a1e17f27652d5a85af89504ea239aaaa": {
       "fingerprints": [
         "37d51006c512eaab626421f1ec8c92013fc5f82ae98ee533eb4619b8deb4d06c"
@@ -36017,6 +36364,12 @@
       "id": 440,
       "legacy": true
     },
+    "581cc15821169694c39c2991b53e93ab945a42b076661774c2ecf38a3323acea": {
+      "fingerprints": [
+        "4b009c1034494f9ab56bba3ba1d62731fc4d20d8955adcec10a925607261e338"
+      ],
+      "id": 540
+    },
     "5899d913ead119b9cdb7ba2f30efe0df68ad2cd225bdf493e8323a25aa4dbe23": {
       "fingerprints": [
         "d7ba3f4ff8ad05633451470dda3378a3491b90005e5c687d2b68d53647cfdd66"
@@ -36219,6 +36572,12 @@
       "id": 126,
       "legacy": true
     },
+    "681dc482c296c8402c6ebb20e68309a3bc846523ae34b984a84ee697a3312db7": {
+      "fingerprints": [
+        "fe7696573855773e37a95e7ad4d9cc96c30157c15d31765ba9b15704e1ae78fd"
+      ],
+      "id": 536
+    },
     "682747f8ba621b87cdd3bc295ed5cabce722a1c0c0363d1d68b38928d2787f1e": {
       "fingerprints": [
         "2cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69"
@@ -36254,6 +36613,12 @@
       "id": 499,
       "legacy": true
     },
+    "693c9aa6b245b3b0261637750863eadb6c248a16e52d6f4bc90c86bbf32d7042": {
+      "fingerprints": [
+        "d95d0e8eda79525bf9beb11b14d2100d3294985f0c62d9fabd9cd999eccb7b1d"
+      ],
+      "id": 522
+    },
     "6a436b58d9d830e8d5b8a642505ad6b41406adcd6894d9414f7be0a1467badb7": {
       "fingerprints": [
         "05d38c2a70bfc500ccb0cb509159b46b065c6ac9cb42d2e6f16167841434572a"
@@ -36268,6 +36633,12 @@
       "id": 421,
       "legacy": true
     },
+    "6a97b51c8219e93e5dec64bad5806cdeb0f8355be47e757010b702456e01aafd": {
+      "fingerprints": [
+        "371a00dc0533b3721a7eeb40e8419e70799d2b0a0f2c1d80693165f7cec4ad75"
+      ],
+      "id": 531
+    },
     "6b1a505e0246f2f60c490ff0c097a7be27210cbb7500237f88b0cd48298bc9b8": {
       "fingerprints": [
         "2a99f5bc1174b73cbb1d620884e01c34e51ccb3978da125f0e33268883bf4158"
@@ -36388,6 +36759,12 @@
       "id": 446,
       "legacy": true
     },
+    "762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332": {
+      "fingerprints": [
+        "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470"
+      ],
+      "id": 535
+    },
     "76ee8590374c715437bbca6bba6028eadde2dc6dbbb8c3f610e851f11d1ab7f5": {
       "fingerprints": [
         "43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339"
@@ -36904,6 +37281,12 @@
       "id": 259,
       "legacy": true
     },
+    "96352d0ad875c027db82d599baa8d42e5c472649981eceed3bfc65f4c81fd5c1": {
+      "fingerprints": [
+        "6e0bff069a26994c15de2c4888cc54af84882e5495b7fbf66be9ccffec7489f6"
+      ],
+      "id": 526
+    },
     "96475b35acb1c9303a90bd1dbf57418f78e29af11c4de8c8cba2e5f9309e38d4": {
       "fingerprints": [
         "b04d708f1ae0456265dd1b66907a2691a28680b853e031df3df9083af71614d7"
@@ -37070,6 +37453,12 @@
       "id": 407,
       "legacy": true
     },
+    "a02fafa192c8cb81cb1341554f9c05b71cca2a890b0d1298d683647c961efbdf": {
+      "fingerprints": [
+        "018e13f0772532cf809bd1b17281867283fc48c6e13be9c69812854a490c1b05"
+      ],
+      "id": 523
+    },
     "a12574f4eb7395cc630a15fec8db1c7c828f66699d984c8c897eca44c808f55d": {
       "fingerprints": [
         "c499f6cecc5da4d61f14ed0405270c5249d0e79615b0da42659ed2d7ffef8a40"
@@ -37118,6 +37507,12 @@
       "id": 106,
       "legacy": true
     },
+    "a495c8d110e8b9e200f370aeda3ff92ee43f8e3d4ec0db1c0dc58bd762880ba5": {
+      "fingerprints": [
+        "e46a392204a8dca342a71c1ca9a60c9185b9a930370120c3b9c7e3856f0d8f3b"
+      ],
+      "id": 529
+    },
     "a4b89bb70656ea498f2d9e00a497fdb9dcd20b81b8938e952bba2df9f65729c3": {
       "fingerprints": [
         "5a1b5d6bc65523b40a6deffa45b48e4288ae8dd86dd70a5b858d4a5affc94f71"
@@ -37318,6 +37713,12 @@
       "id": 281,
       "legacy": true
     },
+    "ae7f962cb9e6a7dbf7b833fb18fa9b71a89175df949c232b6a9ef7cb3df2bbfc": {
+      "fingerprints": [
+        "4fa3126d8d3a11d1c4855a4f807cbad6cf919d3a5a88b03bea2c6372d93c40c9"
+      ],
+      "id": 525
+    },
     "af110f6b5ae8b767eac6e0aa273f3816e7a40a644edacb4398146356e77509d6": {
       "fingerprints": [
         "46273285615d96e52da9fc2ed8c036f10af3d9f6280f8d288706c52b2011b4da"
@@ -37374,6 +37775,12 @@
       "id": 72,
       "legacy": true
     },
+    "b15ac9561204756124b9c4d3fe406d93833ff66652f67fbf139f5bbf030a0e64": {
+      "fingerprints": [
+        "07cd9aa9064a9b94c6aef8fb784c1bbc1beda08acbe86878d781a39167626cf8"
+      ],
+      "id": 528
+    },
     "b16cb1ba529a39e2dfd53b3ff5a79f1904614d83e31304f0278bb40b38cf7824": {
       "fingerprints": [
         "0771920c8cb874d5c5a4dc0d6a51a2d495d38c4de2cd5b83d2a06faa051935f6"
@@ -37498,6 +37905,12 @@
       ],
       "id": 178
     },
+    "bb0ce7040314a143dcd10e65ccaeef7010e1b784d15d195d77b5601956bf9e3f": {
+      "fingerprints": [
+        "d3ed3fc40ad26b52e001e1e18f4b9449529deb75a81d5eb680d7b62db23ba96d"
+      ],
+      "id": 541
+    },
     "bb4128ec9620f2d2a49ce8e2c4e257aebad93a0f11c56b5fa4b00e23759fa39d": {
       "fingerprints": [
         "bf0feefb9e3a581ad5f9e9db7589985743d261085c4d314f6f5d7259aa421612"
@@ -37529,6 +37942,12 @@
       ],
       "id": 71
     },
+    "bdaccbf2e8b27c0c02a689ee866c9b86ec04442afcdddd5d4ec36def21e761dd": {
+      "fingerprints": [
+        "c1468cf2254e6004b24696aba209d1a30ba6e2dff68a9a4e32c6ab414f90c8d9"
+      ],
+      "id": 539
+    },
     "be3280c6863c770a33c9040bd97d5540b216d1d91db8b088ceac1197dae1d660": {
       "fingerprints": [
         "5ab4fcdb180b5b6af0d262a2375a2c77d25602015d96648756611e2e78c53ad3"
@@ -37584,6 +38003,12 @@
       ],
       "id": 124
     },
+    "c2b3c31a4a29850aa8f3cf472a1169ff71b416579f6a4482ec7744b83df988ac": {
+      "fingerprints": [
+        "242b69742fcb1e5b2abf98898b94572187544e5b4d9911786573621f6a74b82c"
+      ],
+      "id": 533
+    },
     "c372f6d18ebee5aa23d9e919f3e6be98488ec01607df3162fc192e4b1346afb3": {
       "fingerprints": [
         "ac7f7862e685c7a7d9826a58ea32d183d4893fcc8f8fd6d900c9769a987e77f0"
@@ -37841,6 +38266,12 @@
       "id": 172,
       "legacy": true
     },
+    "d6ec6348a7c4d42ac48d9c43145a8cd71971362363267c6673a77b8a8573a66b": {
+      "fingerprints": [
+        "e6be68ce06fe0da0c140f1aeb00b67b636c5eea9422088929362375ce086db39"
+      ],
+      "id": 530
+    },
     "d8fb33e385c9c2da729a84706ba927dcbb79273e122ffd9673363b70b7f36cbb": {
       "fingerprints": [
         "8c4edfd04348f322969e7e29a4cd4dca004655061c16e1b076422ef342ad630e"
@@ -37910,6 +38341,12 @@
       "id": 236,
       "legacy": true
     },
+    "de7b6932e9c44582ce0de07abdab7eea90c75d6d2a07331df57bd5cb88553d13": {
+      "fingerprints": [
+        "6b328085625318aa50d173c98d8bda09d57e27413d114cf787a0f5d06c030cf6"
+      ],
+      "id": 542
+    },
     "df530bac9fcd914c252c2fbdceddc6183d4ae8c680ad65f03e204861dd7b1c73": {
       "fingerprints": [
         "885de64c340e3ea70658f01e1145f957fcda27aabeea1ab9faa9fdb0102d4077"
@@ -37917,6 +38354,12 @@
       "id": 313,
       "legacy": true
     },
+    "e04a022ce32f4ccf2c7f6046287b828a32a909f5e751447f83fd2c71f6fd8173": {
+      "fingerprints": [
+        "cbb9c44d84b8043e1050ea31a69f514955d7bfd2e2c6b49301019ad61d9f5058"
+      ],
+      "id": 524
+    },
     "e0c780c629903e126f1d919570dce7c496f85f33aae66b9a3147ee75f8d1620a": {
       "fingerprints": [
         "416b1f9e84e74c1d19b23d8d7191c6ad81246e641601f599132729f507beb3cc"
@@ -37931,6 +38374,12 @@
       "id": 369,
       "legacy": true
     },
+    "e14e51891f3492243eea613bc2c814d47224b224c57d38169e958e30b3dedee4": {
+      "fingerprints": [
+        "3f034bb5704d44b2d08545a02057de93ebf3905fce721acbc730c06ddaee904e"
+      ],
+      "id": 527
+    },
     "e156445fa20c32ad00937b27d096b8963bcc863950333a877e68fa69707a03af": {
       "fingerprints": [
         "54b4fc43d44aa4ca9fc03ca7e9949fbae267a064d02da21852412a381b5d1537"
@@ -38070,6 +38519,12 @@
       "id": 129,
       "legacy": true
     },
+    "f0011f92fcf9be36c7a5b36e7bc862ab20e94ef36fea8a561db0a8d7750c1f51": {
+      "fingerprints": [
+        "e778f0f095fe843729cd1a0082179e5314a9c291442805e1fb1d8fb6b8886c3a"
+      ],
+      "id": 537
+    },
     "f1c6ba670cfc88e4df52973cae420f0a089dd474144fe5806c420064e1591229": {
       "fingerprints": [
         "7d05ebb682339f8c9451ee094eebfefa7953a114edb2f44949452fab7d2fc185"
@@ -38208,6 +38663,12 @@
       "id": 158,
       "legacy": true
     },
+    "fc784300ec8df4d3d1bad763835182918d52a9ff0238bdf695a1cd9bdb98321c": {
+      "fingerprints": [
+        "3f99cc474acfce4dfed58794665e478d1547739f2e780f1bb4ca9b133097d401"
+      ],
+      "id": 534
+    },
     "fcf7da983603e88862030d96137d8e13031badfb4d56c1fd4cacc339f6bdbb2a": {
       "fingerprints": [
         "7d3b465a6014e526c0affcee2127d2311727ad811c26842d006af37306cc80bd"
@@ -38241,6 +38702,12 @@
       ],
       "id": 110
     },
+    "fee8af929175687f4638a3fc983db8ecd0e5e2a83e737f3fb77b4c22fcbac0a6": {
+      "fingerprints": [
+        "9a296a5182d1d451a2e37f439b74daafa267523329f90f9a0d2007c334e23c9a"
+      ],
+      "id": 538
+    },
     "ff342fb6c4c8bd30a4706f73489539f19e6e48cc05f46254654f6610dbc540e9": {
       "fingerprints": [
         "eec5496b988ce98625b934092eec2908bed0b0f316c2d4730c84eaf1f3d34881"
@@ -38255,4 +38722,4 @@
       "legacy": true
     }
   }
-}
+}
\ No newline at end of file
diff --git a/chromium/net/data/ssl/root_stores/update_root_stores.py b/chromium/net/data/ssl/root_stores/update_root_stores.py
index f9f58d99c48..189f42b8014 100755
--- a/chromium/net/data/ssl/root_stores/update_root_stores.py
+++ b/chromium/net/data/ssl/root_stores/update_root_stores.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -23,7 +23,7 @@ ROOT_CERT_LIST_PATH = 'net/cert/root_cert_list_generated.h'
 ROOT_STORE_FILE_PATH = 'net/data/ssl/root_stores/root_stores.json'
 
 LICENSE_AND_HEADER = b"""\
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/data/ssl/scripts/asn1.py b/chromium/net/data/ssl/scripts/asn1.py
index 1bed51fda77..358efbf342b 100644
--- a/chromium/net/data/ssl/scripts/asn1.py
+++ b/chromium/net/data/ssl/scripts/asn1.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/ca.cnf b/chromium/net/data/ssl/scripts/ca.cnf
index ff8853212ba..41e0f147c48 100644
--- a/chromium/net/data/ssl/scripts/ca.cnf
+++ b/chromium/net/data/ssl/scripts/ca.cnf
@@ -37,32 +37,6 @@ subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always
 extendedKeyUsage       = serverAuth,clientAuth
 
-[name_constraint_bad]
-# A leaf cert that will violate the root's imposed name constraints
-basicConstraints       = critical, CA:false
-subjectKeyIdentifier   = hash
-authorityKeyIdentifier = keyid:always
-extendedKeyUsage       = serverAuth,clientAuth
-subjectAltName         = @san_name_constraint_bad
-
-[name_constraint_good]
-# A leaf cert that will match the root's imposed name constraints
-basicConstraints       = critical, CA:false
-subjectKeyIdentifier   = hash
-authorityKeyIdentifier = keyid:always
-extendedKeyUsage       = serverAuth,clientAuth
-subjectAltName         = @san_name_constraint_good
-
-[san_name_constraint_bad]
-DNS.1 = test.ExAmPlE.CoM
-DNS.2 = test.ExAmPlE.OrG
-
-[san_name_constraint_good]
-DNS.1 = test.ExAmPlE.CoM
-DNS.2 = example.notarealtld
-DNS.3 = *.test2.ExAmPlE.CoM
-DNS.4 = *.example2.notarealtld
-
 [ca_cert]
 # Extensions to add when signing a request for an intermediate/CA cert
 basicConstraints       = critical, CA:true
@@ -118,8 +92,3 @@ CN = $ENV::CA_COMMON_NAME
 basicConstraints       = critical, CA:true
 keyUsage               = critical, keyCertSign, cRLSign
 subjectKeyIdentifier   = hash
-
-[ev_multi_oid]
-basicConstraints = critical, CA:false
-extendedKeyUsage = serverAuth, clientAuth
-certificatePolicies = 2.23.140.1.1, 1.2.3.4
diff --git a/chromium/net/data/ssl/scripts/crlsetutil.py b/chromium/net/data/ssl/scripts/crlsetutil.py
index bb334ff0812..19e3e08b361 100755
--- a/chromium/net/data/ssl/scripts/crlsetutil.py
+++ b/chromium/net/data/ssl/scripts/crlsetutil.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/ee.cnf b/chromium/net/data/ssl/scripts/ee.cnf
index 714f0b75ef5..cc3d396fd31 100644
--- a/chromium/net/data/ssl/scripts/ee.cnf
+++ b/chromium/net/data/ssl/scripts/ee.cnf
@@ -28,9 +28,6 @@ CN = Duplicate
 O  = Bar
 CN = Duplicate
 
-[req_intranet_dn]
-CN = webmail
-
 [req_localhost_cn]
 C  = US
 ST = California
diff --git a/chromium/net/data/ssl/scripts/generate-bad-eku-certs.sh b/chromium/net/data/ssl/scripts/generate-bad-eku-certs.sh
index 5335b843fae..cdac630bbeb 100755
--- a/chromium/net/data/ssl/scripts/generate-bad-eku-certs.sh
+++ b/chromium/net/data/ssl/scripts/generate-bad-eku-certs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2013 The Chromium Authors. All rights reserved.
+# Copyright 2013 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-bad-self-signed.sh b/chromium/net/data/ssl/scripts/generate-bad-self-signed.sh
index 175553cdd41..445af656c03 100755
--- a/chromium/net/data/ssl/scripts/generate-bad-self-signed.sh
+++ b/chromium/net/data/ssl/scripts/generate-bad-self-signed.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-client-certificates.sh b/chromium/net/data/ssl/scripts/generate-client-certificates.sh
index 5e584b2fed6..599920e85f6 100755
--- a/chromium/net/data/ssl/scripts/generate-client-certificates.sh
+++ b/chromium/net/data/ssl/scripts/generate-client-certificates.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-cross-signed-certs.sh b/chromium/net/data/ssl/scripts/generate-cross-signed-certs.sh
index 23d20e2973e..3156ca74615 100755
--- a/chromium/net/data/ssl/scripts/generate-cross-signed-certs.sh
+++ b/chromium/net/data/ssl/scripts/generate-cross-signed-certs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2013 The Chromium Authors. All rights reserved.
+# Copyright 2013 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-duplicate-cn-certs.sh b/chromium/net/data/ssl/scripts/generate-duplicate-cn-certs.sh
index fa2c0df24fe..789edb8b873 100755
--- a/chromium/net/data/ssl/scripts/generate-duplicate-cn-certs.sh
+++ b/chromium/net/data/ssl/scripts/generate-duplicate-cn-certs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2013 The Chromium Authors. All rights reserved.
+# Copyright 2013 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-fuzzer-cert-include.py b/chromium/net/data/ssl/scripts/generate-fuzzer-cert-include.py
index 7fd8b9c9818..03f3faad4ae 100644
--- a/chromium/net/data/ssl/scripts/generate-fuzzer-cert-include.py
+++ b/chromium/net/data/ssl/scripts/generate-fuzzer-cert-include.py
@@ -1,4 +1,4 @@
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-key-usage-certs.sh b/chromium/net/data/ssl/scripts/generate-key-usage-certs.sh
index 55f861cf821..0bb725d4909 100755
--- a/chromium/net/data/ssl/scripts/generate-key-usage-certs.sh
+++ b/chromium/net/data/ssl/scripts/generate-key-usage-certs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2018 The Chromium Authors. All rights reserved.
+# Copyright 2018 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-keychain.sh b/chromium/net/data/ssl/scripts/generate-keychain.sh
index 4256cd9c81d..b7edb38660d 100755
--- a/chromium/net/data/ssl/scripts/generate-keychain.sh
+++ b/chromium/net/data/ssl/scripts/generate-keychain.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-multi-root-BFE-keychain.sh b/chromium/net/data/ssl/scripts/generate-multi-root-BFE-keychain.sh
index f98f4b01cc5..d0d0871ec79 100755
--- a/chromium/net/data/ssl/scripts/generate-multi-root-BFE-keychain.sh
+++ b/chromium/net/data/ssl/scripts/generate-multi-root-BFE-keychain.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-multi-root-keychain.sh b/chromium/net/data/ssl/scripts/generate-multi-root-keychain.sh
index 67f46ef6af8..071ee7aeb92 100755
--- a/chromium/net/data/ssl/scripts/generate-multi-root-keychain.sh
+++ b/chromium/net/data/ssl/scripts/generate-multi-root-keychain.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-multi-root-test-chains.sh b/chromium/net/data/ssl/scripts/generate-multi-root-test-chains.sh
index d624160028c..14bbb530313 100755
--- a/chromium/net/data/ssl/scripts/generate-multi-root-test-chains.sh
+++ b/chromium/net/data/ssl/scripts/generate-multi-root-test-chains.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-name-normalization-certs.py b/chromium/net/data/ssl/scripts/generate-name-normalization-certs.py
deleted file mode 100755
index 2b7d41e8b66..00000000000
--- a/chromium/net/data/ssl/scripts/generate-name-normalization-certs.py
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/usr/bin/env python3
-# Copyright 2019 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-'''Generates certificate chains for testing name normalization.'''
-
-import os
-import subprocess
-import sys
-
-import minica
-
-
-def pretty_print_cert(der):
-  command = ["openssl", "x509", "-text", "-inform", "DER"]
-  p = subprocess.Popen(command,
-                       stdin=subprocess.PIPE,
-                       stdout=subprocess.PIPE)
-  result = p.communicate(der)
-  if p.returncode != 0:
-    raise RuntimeError("openssl failed: %s" % p.returncode)
-  return result[0]
-
-
-def writecerts(name, der_certs):
-  fn = os.path.join('..', 'certificates', name)
-
-  text_certs = []
-  print('pretty printing', fn)
-  for der in der_certs:
-    text_certs.append(pretty_print_cert(der))
-
-  print('writing', fn)
-  with open(fn, 'wb') as f:
-    f.write(b'\n'.join(text_certs))
-
-
-def GenerateCertAndIntermediate(leaf_subject,
-                                leaf_issuer,
-                                intermediate_subject,
-                                utf8_intermediate_subject=False,
-                                ip_sans=None,
-                                dns_sans=None,
-                                serial=0):
-  if serial == 0:
-    serial = minica.RandomNumber(16)
-
-  intermediate_serial = minica.RandomNumber(16)
-
-  target_cert_der = minica.MakeCertificate(
-      leaf_issuer, leaf_subject, serial, minica.LEAF_KEY,
-      minica.INTERMEDIATE_KEY, ip_sans=ip_sans, dns_sans=dns_sans)
-
-  intermediate_cert_der = minica.MakeCertificate(
-      minica.ROOT_CN,
-      intermediate_subject,
-      intermediate_serial,
-      minica.INTERMEDIATE_KEY,
-      minica.ROOT_KEY,
-      is_ca=True,
-      utf8_subject_cn=utf8_intermediate_subject)
-
-  return [target_cert_der, intermediate_cert_der]
-
-
-def GeneratePrintableStringUtf8StringChain():
-  namesuffix = " for PrintableString / Utf8String comparison"
-  issuer_name = "Intermediate" + namesuffix
-  certs = GenerateCertAndIntermediate(leaf_subject="Leaf" + namesuffix,
-                                      leaf_issuer=issuer_name,
-                                      intermediate_subject=issuer_name,
-                                      utf8_intermediate_subject=True,
-                                      ip_sans=[b"\x7F\x00\x00\x01"],
-                                      dns_sans=["example.test"])
-  writecerts('name-normalization-printable-utf8.pem', certs)
-
-
-def GenerateCaseFoldChain():
-  namesuffix = " for case folding comparison"
-  issuer_name = "Intermediate" + namesuffix
-  certs = GenerateCertAndIntermediate(leaf_subject="Leaf" + namesuffix,
-                                      leaf_issuer=issuer_name.replace('I', 'i'),
-                                      intermediate_subject=issuer_name,
-                                      ip_sans=[b"\x7F\x00\x00\x01"],
-                                      dns_sans=["example.test"])
-  writecerts('name-normalization-case-folding.pem', certs)
-
-
-def GenerateNormalChain():
-  namesuffix = " for byte equality comparison"
-  issuer_name = "Intermediate" + namesuffix
-  certs = GenerateCertAndIntermediate(leaf_subject="Leaf" + namesuffix,
-                                      leaf_issuer=issuer_name,
-                                      intermediate_subject=issuer_name,
-                                      ip_sans=[b"\x7F\x00\x00\x01"],
-                                      dns_sans=["example.test"])
-  writecerts('name-normalization-byteequal.pem', certs)
-
-
-if __name__ == '__main__':
-  GeneratePrintableStringUtf8StringChain()
-  GenerateCaseFoldChain()
-  GenerateNormalChain()
diff --git a/chromium/net/data/ssl/scripts/generate-policy-certs.sh b/chromium/net/data/ssl/scripts/generate-policy-certs.sh
deleted file mode 100755
index cebef5ee57a..00000000000
--- a/chromium/net/data/ssl/scripts/generate-policy-certs.sh
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/bin/sh
-
-# Copyright 2013 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# This script generates a (end-entity, intermediate, root) certificate, where
-# the root has no explicit policies associated, the intermediate has multiple
-# policies, and the leaf has a single policy.
-#
-# When validating, supplying no policy OID should not result in an error.
-
-try() {
-  "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
-}
-
-try rm -rf out
-try mkdir out
-
-# Create the serial number files.
-try /bin/sh -c "echo 01 > out/policy-root-serial"
-try /bin/sh -c "echo 01 > out/policy-intermediate-serial"
-
-# Create the signers' DB files.
-touch out/policy-root-index.txt
-touch out/policy-intermediate-index.txt
-
-# Generate the keys
-try openssl genrsa -out out/policy-root.key 2048
-try openssl genrsa -out out/policy-intermediate.key 2048
-try openssl genrsa -out out/policy-cert.key 2048
-
-# Generate the root certificate
-COMMON_NAME="Policy Test Root CA" \
-  CA_DIR=out \
-  CA_NAME=policy-root \
-  try openssl req \
-    -new \
-    -key out/policy-root.key \
-    -out out/policy-root.csr \
-    -config policy.cnf
-
-COMMON_NAME="Policy Test Root CA" \
-  CA_DIR=out \
-  CA_NAME=policy-root \
-  try openssl x509 \
-    -req -days 3650 \
-    -in out/policy-root.csr \
-    -out out/policy-root.pem \
-    -signkey out/policy-root.key \
-    -extfile policy.cnf \
-    -extensions ca_cert \
-    -text
-
-# Generate the intermediate
-COMMON_NAME="Policy Test Intermediate CA" \
-  CA_DIR=out \
-  try openssl req \
-    -new \
-    -key out/policy-intermediate.key \
-    -out out/policy-intermediate.csr \
-    -config policy.cnf
-
-COMMON_NAME="UNUSED" \
-  CA_DIR=out \
-  CA_NAME=policy-root \
-  try openssl ca \
-    -batch \
-    -in out/policy-intermediate.csr \
-    -out out/policy-intermediate.pem \
-    -config policy.cnf \
-    -extensions intermediate_cert
-
-# Generate the leaf
-COMMON_NAME="policy_test.example" \
-CA_DIR=out \
-CA_NAME=policy-intermediate \
-try openssl req \
-  -new \
-  -key out/policy-cert.key \
-  -out out/policy-cert.csr \
-  -config policy.cnf
-
-COMMON_NAME="Policy Test Intermediate CA" \
-  SAN="policy_test.example" \
-  CA_DIR=out \
-  CA_NAME=policy-intermediate \
-  try openssl ca \
-    -batch \
-    -in out/policy-cert.csr \
-    -out out/policy-cert.pem \
-    -config policy.cnf \
-    -extensions user_cert
-
-try /bin/sh -c "cat out/policy-cert.pem \
-    out/policy-intermediate.pem \
-    out/policy-root.pem >../certificates/explicit-policy-chain.pem"
diff --git a/chromium/net/data/ssl/scripts/generate-quic-chain.sh b/chromium/net/data/ssl/scripts/generate-quic-chain.sh
index 707ecda67a5..b41782becfd 100755
--- a/chromium/net/data/ssl/scripts/generate-quic-chain.sh
+++ b/chromium/net/data/ssl/scripts/generate-quic-chain.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-redundant-test-chains.sh b/chromium/net/data/ssl/scripts/generate-redundant-test-chains.sh
index f3e30cd7fbe..50308a032d6 100755
--- a/chromium/net/data/ssl/scripts/generate-redundant-test-chains.sh
+++ b/chromium/net/data/ssl/scripts/generate-redundant-test-chains.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-test-certs.sh b/chromium/net/data/ssl/scripts/generate-test-certs.sh
index 1a2dfda4802..ac4bb58bb0b 100755
--- a/chromium/net/data/ssl/scripts/generate-test-certs.sh
+++ b/chromium/net/data/ssl/scripts/generate-test-certs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2013 The Chromium Authors. All rights reserved.
+# Copyright 2013 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -18,10 +18,6 @@ set -e -x
 #   iOS 13/macOS 10.15 - https://support.apple.com/en-us/HT210176
 # 730 is used here as just a short-hand for 2 years
 CERT_LIFETIME=730
-# Some tests mock a test cert as being a public cert, so use the max public
-# cert lifetime for those certs. The current limit is 398 days for certs issued
-# after 2020-09-01.
-PUBLIC_CERT_LIFETIME=397
 
 rm -rf out
 mkdir out
@@ -102,14 +98,6 @@ openssl req \
   -out out/ok_cert.req \
   -config ee.cnf
 
-copy_or_generate_key ../certificates/name_constraint_good.pem \
-  out/name_constrained.key
-openssl req \
-  -new \
-  -key out/name_constrained.key \
-  -out out/name_constrained.req \
-  -config ee.cnf
-
 copy_or_generate_key ../certificates/wildcard.pem out/wildcard.key
 openssl req \
   -new \
@@ -135,15 +123,6 @@ openssl req \
   -reqexts req_test_names \
   -config ee.cnf
 
-copy_or_generate_key ../certificates/ev-multi-oid.pem out/ev-multi-oid.key
-SUBJECT_NAME="req_dn" \
-openssl req \
-  -new \
-  -key out/ev-multi-oid.key \
-  -out out/ev-multi-oid.req \
-  -reqexts req_extensions \
-  -config ee.cnf \
-
 # Generate the leaf certificates
 CA_NAME="req_ca_dn" \
   openssl ca \
@@ -186,26 +165,6 @@ CA_NAME="req_ca_dn" \
 CA_NAME="req_ca_dn" \
   openssl ca \
     -batch \
-    -extensions name_constraint_bad \
-    -subj "/CN=Leaf certificate/" \
-    -days ${CERT_LIFETIME} \
-    -in out/name_constrained.req \
-    -out out/name_constraint_bad.pem \
-    -config ca.cnf
-
-CA_NAME="req_ca_dn" \
-  openssl ca \
-    -batch \
-    -extensions name_constraint_good \
-    -subj "/CN=Leaf Certificate/" \
-    -days ${CERT_LIFETIME} \
-    -in out/name_constrained.req \
-    -out out/name_constraint_good.pem \
-    -config ca.cnf
-
-CA_NAME="req_ca_dn" \
-  openssl ca \
-    -batch \
     -extensions user_cert \
     -days ${CERT_LIFETIME} \
     -in out/localhost_cert.req \
@@ -232,16 +191,6 @@ CA_NAME="req_ca_dn" \
     -out out/test_names.pem \
     -config ca.cnf
 
-## Certificate for testing EV with multiple OIDs
-CA_NAME="req_ca_dn" \
-  openssl ca \
-    -batch \
-    -extensions ev_multi_oid \
-    -days ${CERT_LIFETIME} \
-    -in out/ev-multi-oid.req \
-    -out out/ev-multi-oid.pem \
-    -config ca.cnf
-
 /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
     > ../certificates/ok_cert.pem"
 /bin/sh -c "cat out/wildcard.key out/wildcard.pem \
@@ -252,10 +201,6 @@ CA_NAME="req_ca_dn" \
     > ../certificates/expired_cert.pem"
 /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
     > ../certificates/root_ca_cert.pem"
-/bin/sh -c "cat out/name_constrained.key out/name_constraint_bad.pem \
-    > ../certificates/name_constraint_bad.pem"
-/bin/sh -c "cat out/name_constrained.key out/name_constraint_good.pem \
-    > ../certificates/name_constraint_good.pem"
 /bin/sh -c "cat out/ok_cert.key out/bad_validity.pem \
     > ../certificates/bad_validity.pem"
 /bin/sh -c "cat out/ok_cert.key out/int/ok_cert.pem \
@@ -268,8 +213,6 @@ CA_NAME="req_ca_dn" \
     > ../certificates/x509_verify_results.chain.pem"
 /bin/sh -c "cat out/test_names.key out/test_names.pem \
     > ../certificates/test_names.pem"
-/bin/sh -c "cat out/ev-multi-oid.key out/ev-multi-oid.pem \
-    > ../certificates/ev-multi-oid.pem"
 
 # Now generate the one-off certs
 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
@@ -298,12 +241,6 @@ SUBJECT_NAME="req_punycode_dn" \
     -config ../scripts/ee.cnf -newkey rsa:2048 -text \
     -out ../certificates/punycodetest.pem
 
-## Reject intranet hostnames in "publicly" trusted certs
-SUBJECT_NAME="req_intranet_dn" \
-  openssl req -x509 -days ${PUBLIC_CERT_LIFETIME} -extensions req_intranet_san \
-    -config ../scripts/ee.cnf -newkey rsa:2048 -text \
-    -out ../certificates/reject_intranet_hosts.pem
-
 ## Leaf certificate with a large key; Apple's certificate verifier rejects with
 ## a fatal error if the key is bigger than 8192 bits.
 openssl req -x509 -days 3650 \
diff --git a/chromium/net/data/ssl/scripts/generate-verisign_class3_g5_crosssigned-trusted-keychain.sh b/chromium/net/data/ssl/scripts/generate-verisign_class3_g5_crosssigned-trusted-keychain.sh
index 7ce602f5e15..78fb09ad18b 100755
--- a/chromium/net/data/ssl/scripts/generate-verisign_class3_g5_crosssigned-trusted-keychain.sh
+++ b/chromium/net/data/ssl/scripts/generate-verisign_class3_g5_crosssigned-trusted-keychain.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/generate-weak-test-chains.sh b/chromium/net/data/ssl/scripts/generate-weak-test-chains.sh
index fb7f6c69dba..b2191d20746 100755
--- a/chromium/net/data/ssl/scripts/generate-weak-test-chains.sh
+++ b/chromium/net/data/ssl/scripts/generate-weak-test-chains.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2011 The Chromium Authors. All rights reserved.
+# Copyright 2011 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/ssl/scripts/minica.py b/chromium/net/data/ssl/scripts/minica.py
deleted file mode 100644
index de750fb2ddf..00000000000
--- a/chromium/net/data/ssl/scripts/minica.py
+++ /dev/null
@@ -1,617 +0,0 @@
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-import asn1
-import base64
-import datetime
-import hashlib
-import itertools
-import os
-import time
-
-GENERALIZED_TIME_FORMAT = "%Y%m%d%H%M%SZ"
-
-OCSP_STATE_GOOD = 1
-OCSP_STATE_REVOKED = 2
-OCSP_STATE_INVALID_RESPONSE = 3
-OCSP_STATE_UNAUTHORIZED = 4
-OCSP_STATE_UNKNOWN = 5
-OCSP_STATE_TRY_LATER = 6
-OCSP_STATE_INVALID_RESPONSE_DATA = 7
-OCSP_STATE_MISMATCHED_SERIAL = 8
-
-OCSP_DATE_VALID = 1
-OCSP_DATE_OLD = 2
-OCSP_DATE_EARLY = 3
-OCSP_DATE_LONG = 4
-OCSP_DATE_LONGER = 5
-
-OCSP_PRODUCED_VALID = 1
-OCSP_PRODUCED_BEFORE_CERT = 2
-OCSP_PRODUCED_AFTER_CERT = 3
-
-# This file implements very minimal certificate and OCSP generation. It's
-# designed to test revocation checking.
-
-
-def RandomNumber(length_in_bytes):
-  '''RandomNumber returns a random number of length 8*|length_in_bytes| bits'''
-  rand = os.urandom(length_in_bytes)
-  n = 0
-  for x in rand:
-    n <<= 8
-    n |= x
-  return n
-
-
-def ModExp(n, e, p):
-  '''ModExp returns n^e mod p'''
-  r = 1
-  while e != 0:
-    if e & 1:
-      r = (r * n) % p
-    e >>= 1
-    n = (n * n) % p
-  return r
-
-
-# PKCS1v15_SHA256_PREFIX is the ASN.1 prefix for a SHA256 signature.
-#
-# TODO(davidben): Replace with bytes.fromhex when removing Python 2 support.
-PKCS1v15_SHA256_PREFIX = \
-    bytes(bytearray.fromhex('3031300d060960864801650304020105000420'))
-
-
-class RSA(object):
-  def __init__(self, modulus, e, d):
-    self.m = modulus
-    self.e = e
-    self.d = d
-
-    self.modlen = 0
-    m = modulus
-    while m != 0:
-      self.modlen += 1
-      m >>= 8
-
-  def Sign(self, message):
-    digest = hashlib.sha256(message).digest()
-    prefix = PKCS1v15_SHA256_PREFIX
-
-    em = bytearray([0xff] * (self.modlen - 1 - len(prefix) - len(digest)))
-    em[0] = 0
-    em[1] = 1
-    em += b"\x00" + prefix + digest
-
-    n = int.from_bytes(em, byteorder='big')
-
-    s = ModExp(n, self.d, self.m)
-    out = bytearray()
-    while s != 0:
-      out.append(s & 0xff)
-      s >>= 8
-    out.reverse()
-    return b'\x00' * (self.modlen - len(out)) + bytes(out)
-
-  def ToDER(self):
-    return asn1.ToDER(asn1.SEQUENCE([self.m, self.e]))
-
-
-def Name(cn, utf8_cn=False):
-  # This module historically used PrintableString for most strings, so maintain
-  # that default.
-  if utf8_cn:
-    cn_encoded = asn1.UTF8String(cn.encode('utf-8'))
-  else:
-    cn_encoded = asn1.PrintableString(cn.encode('ascii'))
-  return asn1.SEQUENCE([asn1.SET([asn1.SEQUENCE([
-      COMMON_NAME,
-      cn_encoded,
-  ])])])
-
-
-# The private key and root certificate name are hard coded here:
-
-# This is the root private key
-ROOT_KEY = RSA(
-    0x00c1541fac63d3b969aa231a02cb2e0d9ee7b26724f136c121b2c28bdae5caa87733cc407ad83842ef20ec67d941b448a1ce3557cf5ddebf3c9bde8f36f253ee73e670d1c4c6631d1ddc0e39cbde09b833f66347ea379c3fa891d61a0ca005b38b0b2cad1058e3589c9f30600be81e4ff4ac220972c17b74f92f03d72b496f643543d0b27a5227f1efee13c138888b23cb101877b3b4dc091f0b3bb6fc3c792187b05ab38e97862f8af6156bcbfbb824385132c6741e6c65cfcd5f13142421a210b95185884c4866f3ea644dfb8006133d14e72a4704f3e700cf827ca5ffd2ef74c2ab6a5259ffff40f0f7f607891388f917fc9fc9e65742df1bfa0b322140bb65,
-    65537,
-    0x00980f2db66ef249e4954074a5fbdf663135363a3071554ac4d19079661bd5b179c890ffaa5fc4a8c8e3116e81104fd7cd049f2a48dd2165332bb9fad511f6f817cb09b3c45cf1fa25d13e9331099c8578c173c74dae9dc3e83784ba0a7216e9e8144af8786221b741c167d033ad47a245e4da04aa710a44aff5cdc480b48adbba3575d1315555690f081f9f69691e801e34c21240bcd3df9573ec5f9aa290c5ed19404fb911ab28b7680e0be086487273db72da6621f24d8c66197a5f1b7687efe1d9e3b6655af2891d4540482e1246ff5f62ce61b8b5dcb2c66ade6bb41e0bf071445fb8544aa0a489780f770a6f1031ee19347641794f4ad17354d579a9d061
-)
-
-# Root certificate CN
-ROOT_CN = "Testing CA"
-
-# All certificates are issued under this policy OID, in the Google arc:
-CERT_POLICY_OID = asn1.OID([1, 3, 6, 1, 4, 1, 11129, 2, 4, 1])
-
-# These result in the following root certificate:
-# -----BEGIN CERTIFICATE-----
-# MIIC1DCCAbygAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwpUZXN0
-# aW5nIENBMB4XDTEwMDEwMTA2MDAwMFoXDTMyMTIwMTA2MDAwMFowFTETMBEGA1UE
-# AxMKVGVzdGluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFU
-# H6xj07lpqiMaAssuDZ7nsmck8TbBIbLCi9rlyqh3M8xAetg4Qu8g7GfZQbRIoc41
-# V89d3r88m96PNvJT7nPmcNHExmMdHdwOOcveCbgz9mNH6jecP6iR1hoMoAWziwss
-# rRBY41icnzBgC+geT/SsIglywXt0+S8D1ytJb2Q1Q9CyelIn8e/uE8E4iIsjyxAY
-# d7O03AkfCzu2/Dx5IYewWrOOl4YvivYVa8v7uCQ4UTLGdB5sZc/NXxMUJCGiELlR
-# hYhMSGbz6mRN+4AGEz0U5ypHBPPnAM+CfKX/0u90wqtqUln//0Dw9/YHiROI+Rf8
-# n8nmV0LfG/oLMiFAu2UCAwEAAaMvMC0wEgYDVR0TAQH/BAgwBgEB/wIBATAXBgNV
-# HSAEEDAOMAwGCisGAQQB1nkCBAEwDQYJKoZIhvcNAQELBQADggEBADNrvoAyqAVm
-# bydPBBfLRqyH4DXt2vuMVmnSdnWnOxYiEezGmNSNiO1k1ZFBwVSsd+JHrT24lax9
-# kvU1yQDW//PBu3ijfZOCaIUleQiGXHMGfV4MjzgYbxpvHOvEUC6IXmYCsIEwcZgK
-# lrwnfJQ3MVU4hOgGTlOTWYPtCwvTsBObNRLdIs+ifMQiWmzPBlM8XeX4e5acDjTb
-# emcN4szU3EcgmCA0LvBIRI4F6NWpaIJl2WnLyMUDyKq4vjpRJOZkNwAC+525duDr
-# JFE4PKR2Lh53nJQIJv6mcTZQkX1mmw0yzqWxcGCoHACma3TgSwOHryvSopL+t26+
-# ZlQvP2ygwqY=
-# -----END CERTIFICATE-----
-
-# If you update any of the above, you can generate a new root by running this
-# file as a script.
-
-INTERMEDIATE_KEY = RSA(
-    0x00c661afcc659f88855a83ade8fb792dc13d0cf388b17bece9149cf0b8556d27b19101d081fb2a842d13a2ac95d8308ddd66783843ecc5806513959eb6b30dd69b2845d97e10d0bbbf653d686dc8828935022cc96f9e030b567157257d3d6526734080bb9727cee0d30f4209d5820e1d662f358fc789c0e9366d84f89adf1beb8d843f74e6f325876ac35d5c11691fcb296967c06edf69450c16bb2314c14599fe90725d5ec90f2db6698afae72bba0cfbf77967c7e8b49f2172f9381827c27ab7f9471c62bd8da4a6c657966ec1385cf41d739449835888f30d64971619dcd380408cd74f25c3be19833a92620c9cf710da67e15ac8cef69bc7e4e5e7f813c1ed,
-    65537,
-    0x77c5e2edf52d2cafd6c649e9b06aa9455226cfa26805fa337f4e81c7c94bedfb3721715208e2d28aa4a042b2f5a3db03212ad44dae564ffeb6a44efedf7c2b65e21aca056301a3591b36c82600394fbdc16268fc0adaabadb5207871f4ef6d17888a30b84240955cd889768681cf23d0de0fe88f008c8841643e341acd397e2d1104a23242e566088b7617c26ae8b48a85b6c9b7dc64ef1fa5e9b124ff8c1659a82d8225f28a820cc6ca07beff0354364c631a9142309fea1d8b054f6e00e23c54b493a21fcbe89a646b39d1acba5bc2ace9bba0252671d42a15202f3afccc912114d6c20eb3131e74289f2c744c5b39e7d3780fe21402ab1c3ae65854fee401
-)
-
-# Intermediate certificate CN prefix (random serial number is added to the CN
-# in order to avoid caching issues.)
-INTERMEDIATE_CN_PREFIX = "Testing Intermediate CA"
-
-LEAF_KEY = RSA(
-    0x00cd12d317b39cfbb160fb1dc9c9f0dc8fef3604dda4d8c557392ce1d616483713f78216cadbefd1c76ea0f3bbbe410e24b233b1b73583922b09314e249b2cfde1be0995e13f160fb630c10d447750da20ffaa4880006717feaa3e4db602e4f511b5cc312f770f44b037784effec62640f948aa189c3769f03bdd0e22a36ecfa5951f5577de195a4fba33c879b657968b79138fd7ab389a9968522f7389c6052be1ff78bc168d3ea961e132a044eba33ac07ead95367c7b815e91eca924d914fd0d811349b8bf500707ba71a43a2901a545f34e1792e72654f6649fab9716f4ba17379ee8042186bbba9b9bac416a60474cc60686f0e6e4b01259cc3cb5873edf9,
-    65537,
-    0x009c23e81bd4c30314743dded9646b82d408937db2f0afa7d9988be6cba59d886a287aa13605ad9c7117776efc94885de76cd3554da46e301d9a5b331f4613449edb9ddac36cd0345848d8c46c4bd880acbd5cfee48ee9efe813e16a33da124fd213348c8292494ac84d03ca4aabc5e25fc67ea32e0c6845fc884b01d8988768b8b931c41de49708dbcd5fcb61823f9a1f7507c6f364be4cb5a8cf24af4925997030dd4f67a0c9c6813401cc8b2f5d1971ee0022770239b7042fde8228c33942e9c0a0b18854cb1b5542be928338ab33ac936bbba174e55457007b16f36011dbb8f4258abe64e42b1cfa79803d30170b7ecf3e7c595d42003fff72591e07acd9cd
-)
-
-LEAF_KEY_PEM = '''-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAzRLTF7Oc+7Fg+x3JyfDcj+82BN2k2MVXOSzh1hZINxP3ghbK
-2+/Rx26g87u+QQ4ksjOxtzWDkisJMU4kmyz94b4JleE/Fg+2MMENRHdQ2iD/qkiA
-AGcX/qo+TbYC5PURtcwxL3cPRLA3eE7/7GJkD5SKoYnDdp8DvdDiKjbs+llR9Vd9
-4ZWk+6M8h5tleWi3kTj9erOJqZaFIvc4nGBSvh/3i8Fo0+qWHhMqBE66M6wH6tlT
-Z8e4FekeypJNkU/Q2BE0m4v1AHB7pxpDopAaVF804XkucmVPZkn6uXFvS6Fzee6A
-Qhhru6m5usQWpgR0zGBobw5uSwElnMPLWHPt+QIDAQABAoIBAQCcI+gb1MMDFHQ9
-3tlka4LUCJN9svCvp9mYi+bLpZ2Iaih6oTYFrZxxF3du/JSIXeds01VNpG4wHZpb
-Mx9GE0Se253aw2zQNFhI2MRsS9iArL1c/uSO6e/oE+FqM9oST9ITNIyCkklKyE0D
-ykqrxeJfxn6jLgxoRfyISwHYmIdouLkxxB3klwjbzV/LYYI/mh91B8bzZL5MtajP
-JK9JJZlwMN1PZ6DJxoE0AcyLL10Zce4AIncCObcEL96CKMM5QunAoLGIVMsbVUK+
-koM4qzOsk2u7oXTlVFcAexbzYBHbuPQlir5k5Csc+nmAPTAXC37PPnxZXUIAP/9y
-WR4HrNnNAoGBAPmOqTe7ntto6rDEsU1cKOJFKIZ7UVcSByyz8aLrvj1Rb2mkrNJU
-SdTqJvtqrvDXgO0HuGtFOzsZrRV9+XRPd2P0mP0uhfRiYGWT8hnILGyI2+7zlC/w
-HDtLEefelhtdOVKgUaLQXptSn7aGalUHghZKWjRNT5ah+U85MoI2ZkDbAoGBANJe
-KvrBBPSFLj+x2rsMhG+ksK0I6tivapVvSTtDV3ME1DvA/4BIMV/nIZyoH4AYI72c
-m/vD66+eCqh75cq5BzbVD63tR+ZRi/VdT1HJcl2IFXynk6eaBw8v7gpQyx6t3iSK
-lx/dIdpLt1BQuR4qI6x1wYp7Utn98soEkiFXzgq7AoGBAJTLBYPQXvgNBxlcPSaV
-016Nw4rjTe0vN43kwCbWjjf7LQV9BPnm/Zpv/cwboLDCnQE2gDOdNKKZPYS59pjt
-pI65UNpr+bxrR3RpEIlku2/+7br8ChfG/t4vdT6djTxFih8ErYf42t+bFNT8Mbv+
-3QYzULMsgU6bxo0A2meezbrPAoGBAK/IxmtQXP6iRxosWRUSCZxs5sFAgVVdh1el
-bXEa/Xj8IQhpZlbgfHmh3oFULzZPdZYcxm7jsQ7HpipRlZwHbtLPyNFSRFFd9PCr
-7vrttSYY77OBKC3V1G5JY8S07HYPXV/1ewDCPGZ3/I8dVQKyvap/n6FDGeFUhctv
-dFhuUZq/AoGAWLXlbcIl1cvOhfFJ5owohJhzh9oW9tlCtjV5/dlix2RaE5CtDZWS
-oMm4sQu9HiA8jLDP1MEEMRFPrPXdrZnxnSqVd1DgabSegD1/ZCb1QlWwQWkk5QU+
-wotPOMI33L50kZqUaDP+1XSL0Dyfo/pYpm4tYy/5QmP6WKXCtFUXybI=
------END RSA PRIVATE KEY-----
-'''
-
-# Various OIDs
-
-AIA_OCSP = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1])
-AIA_CA_ISSUERS = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 2])
-AUTHORITY_INFORMATION_ACCESS = asn1.OID([1, 3, 6, 1, 5, 5, 7, 1, 1])
-BASIC_CONSTRAINTS = asn1.OID([2, 5, 29, 19])
-CERT_POLICIES = asn1.OID([2, 5, 29, 32])
-COMMON_NAME = asn1.OID([2, 5, 4, 3])
-COUNTRY = asn1.OID([2, 5, 4, 6])
-HASH_SHA1 = asn1.OID([1, 3, 14, 3, 2, 26])
-OCSP_TYPE_BASIC = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1, 1])
-ORGANIZATION = asn1.OID([2, 5, 4, 10])
-PUBLIC_KEY_RSA = asn1.OID([1, 2, 840, 113549, 1, 1, 1])
-SHA256_WITH_RSA_ENCRYPTION = asn1.OID([1, 2, 840, 113549, 1, 1, 11])
-SUBJECT_ALTERNATIVE_NAME = asn1.OID([2, 5, 29, 17])
-
-
-def MakeCertificate(issuer_cn,
-                    subject_cn,
-                    serial,
-                    pubkey,
-                    privkey,
-                    ocsp_url=None,
-                    ca_issuers_url=None,
-                    is_ca=False,
-                    path_len=None,
-                    ip_sans=None,
-                    dns_sans=None,
-                    utf8_subject_cn=False):
-  '''MakeCertificate returns a DER encoded certificate, signed by privkey.'''
-  extensions = asn1.SEQUENCE([])
-
-  if is_ca:
-    # Root certificate.
-    c = None
-    o = None
-    extensions.children.append(
-        asn1.SEQUENCE([
-            BASIC_CONSTRAINTS,
-            True,
-            asn1.OCTETSTRING(
-                asn1.ToDER(
-                    asn1.SEQUENCE([
-                        True,  # IsCA
-                    ] + ([path_len] if path_len is not None else [])  # Path len
-                                  ))),
-        ]))
-  if ip_sans is not None or dns_sans is not None:
-    sans = []
-    if dns_sans is not None:
-      for dns_name in dns_sans:
-        sans.append(asn1.Raw(asn1.TagAndData(0x82, dns_name.encode('ascii'))))
-    if ip_sans is not None:
-      for ip_addr in ip_sans:
-        sans.append(asn1.Raw(asn1.TagAndData(0x87, ip_addr)))
-    extensions.children.append(
-        asn1.SEQUENCE([
-            SUBJECT_ALTERNATIVE_NAME,
-            # There is implicitly a critical=False here. Since false is the
-            # default, encoding the value would be invalid DER.
-            asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE(sans)))
-        ]))
-
-  if ocsp_url is not None or ca_issuers_url is not None:
-    aia_entries = []
-    if ocsp_url is not None:
-      aia_entries.append(
-          asn1.SEQUENCE([
-              AIA_OCSP,
-              asn1.Raw(asn1.TagAndData(0x86, ocsp_url.encode('ascii'))),
-          ]))
-    if ca_issuers_url is not None:
-      aia_entries.append(
-          asn1.SEQUENCE([
-              AIA_CA_ISSUERS,
-              asn1.Raw(asn1.TagAndData(0x86, ca_issuers_url.encode('ascii'))),
-          ]))
-    extensions.children.append(
-        asn1.SEQUENCE([
-            AUTHORITY_INFORMATION_ACCESS,
-            # There is implicitly a critical=False here. Since false is the default,
-            # encoding the value would be invalid DER.
-            asn1.OCTETSTRING(asn1.ToDER(asn1.SEQUENCE(aia_entries))),
-        ]))
-
-  extensions.children.append(
-      asn1.SEQUENCE([
-          CERT_POLICIES,
-          # There is implicitly a critical=False here. Since false is the default,
-          # encoding the value would be invalid DER.
-          asn1.OCTETSTRING(
-              asn1.ToDER(
-                  asn1.SEQUENCE([
-                      asn1.SEQUENCE([  # PolicyInformation
-                          CERT_POLICY_OID,
-                      ]),
-                  ]))),
-      ]))
-
-  tbsCert = asn1.ToDER(
-      asn1.SEQUENCE([
-          asn1.Explicit(0, 2),  # Version
-          serial,
-          asn1.SEQUENCE([SHA256_WITH_RSA_ENCRYPTION,
-                         None]),  # SignatureAlgorithm
-          Name(cn=issuer_cn),  # Issuer
-          asn1.SEQUENCE([  # Validity
-              asn1.UTCTime("100101060000Z"),  # NotBefore
-              asn1.UTCTime("321201060000Z"),  # NotAfter
-          ]),
-          Name(cn=subject_cn, utf8_cn=utf8_subject_cn),  # Subject
-          asn1.SEQUENCE([  # SubjectPublicKeyInfo
-              asn1.SEQUENCE([  # Algorithm
-                  PUBLIC_KEY_RSA,
-                  None,
-              ]),
-              asn1.BitString(asn1.ToDER(pubkey)),
-          ]),
-          asn1.Explicit(3, extensions),
-      ]))
-
-  return asn1.ToDER(
-      asn1.SEQUENCE([
-          asn1.Raw(tbsCert),
-          asn1.SEQUENCE([
-              SHA256_WITH_RSA_ENCRYPTION,
-              None,
-          ]),
-          asn1.BitString(privkey.Sign(tbsCert)),
-      ]))
-
-
-def MakeOCSPSingleResponse(issuer_name_hash, issuer_key_hash, serial,
-                           ocsp_state, ocsp_date):
-  cert_status = None
-  if ocsp_state == OCSP_STATE_REVOKED:
-    cert_status = asn1.Explicit(1, asn1.GeneralizedTime("20100101060000Z"))
-  elif ocsp_state == OCSP_STATE_UNKNOWN:
-    cert_status = asn1.Raw(asn1.TagAndLength(0x80 | 2, 0))
-  elif ocsp_state == OCSP_STATE_GOOD:
-    cert_status = asn1.Raw(asn1.TagAndLength(0x80 | 0, 0))
-  elif ocsp_state == OCSP_STATE_MISMATCHED_SERIAL:
-    cert_status = asn1.Raw(asn1.TagAndLength(0x80 | 0, 0))
-    serial -= 1
-  else:
-    raise ValueError('Bad OCSP state: ' + str(ocsp_state))
-
-  now = datetime.datetime.fromtimestamp(time.mktime(time.gmtime()))
-  if ocsp_date == OCSP_DATE_VALID:
-    thisUpdate = now - datetime.timedelta(days=1)
-    nextUpdate = thisUpdate + datetime.timedelta(weeks=1)
-  elif ocsp_date == OCSP_DATE_OLD:
-    thisUpdate = now - datetime.timedelta(days=1, weeks=1)
-    nextUpdate = thisUpdate + datetime.timedelta(weeks=1)
-  elif ocsp_date == OCSP_DATE_EARLY:
-    thisUpdate = now + datetime.timedelta(days=1)
-    nextUpdate = thisUpdate + datetime.timedelta(weeks=1)
-  elif ocsp_date == OCSP_DATE_LONG:
-    thisUpdate = now - datetime.timedelta(days=365)
-    nextUpdate = thisUpdate + datetime.timedelta(days=366)
-  elif ocsp_date == OCSP_DATE_LONGER:
-    thisUpdate = now - datetime.timedelta(days=367)
-    nextUpdate = thisUpdate + datetime.timedelta(days=368)
-  else:
-    raise ValueError('Bad OCSP date: ' + str(ocsp_date))
-
-  return asn1.SEQUENCE([  # SingleResponse
-      asn1.SEQUENCE([  # CertID
-          asn1.SEQUENCE([  # hashAlgorithm
-              HASH_SHA1,
-              None,
-          ]),
-          issuer_name_hash,
-          issuer_key_hash,
-          serial,
-      ]),
-      cert_status,
-      asn1.GeneralizedTime(  # thisUpdate
-          thisUpdate.strftime(GENERALIZED_TIME_FORMAT)),
-      asn1.Explicit(  # nextUpdate
-          0,
-          asn1.GeneralizedTime(nextUpdate.strftime(GENERALIZED_TIME_FORMAT))),
-  ])
-
-
-def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_states, ocsp_dates,
-                     ocsp_produced):
-  if ocsp_states[0] == OCSP_STATE_UNAUTHORIZED:
-    return unauthorizedDER
-  elif ocsp_states[0] == OCSP_STATE_INVALID_RESPONSE:
-    return '3'
-  elif ocsp_states[0] == OCSP_STATE_TRY_LATER:
-    resp = asn1.SEQUENCE([
-        asn1.ENUMERATED(3),
-    ])
-    return asn1.ToDER(resp)
-  elif ocsp_states[0] == OCSP_STATE_INVALID_RESPONSE_DATA:
-    invalid_data = asn1.ToDER(asn1.OCTETSTRING(b'not ocsp data'))
-    basic_resp = asn1.SEQUENCE([
-        asn1.Raw(invalid_data),
-        asn1.SEQUENCE([
-            SHA256_WITH_RSA_ENCRYPTION,
-            None,
-        ]),
-        asn1.BitString(ROOT_KEY.Sign(invalid_data)),
-    ])
-    resp = asn1.SEQUENCE([
-        asn1.ENUMERATED(0),
-        asn1.Explicit(
-            0,
-            asn1.SEQUENCE([
-                OCSP_TYPE_BASIC,
-                asn1.OCTETSTRING(asn1.ToDER(basic_resp)),
-            ])),
-    ])
-    return asn1.ToDER(resp)
-
-  # https://tools.ietf.org/html/rfc2560
-  issuer_name_hash = asn1.OCTETSTRING(
-      hashlib.sha1(asn1.ToDER(Name(cn=issuer_cn))).digest())
-
-  issuer_key_hash = asn1.OCTETSTRING(
-      hashlib.sha1(asn1.ToDER(issuer_key)).digest())
-
-  now = datetime.datetime.fromtimestamp(time.mktime(time.gmtime()))
-  if ocsp_produced == OCSP_PRODUCED_VALID:
-    producedAt = now - datetime.timedelta(days=1)
-  elif ocsp_produced == OCSP_PRODUCED_BEFORE_CERT:
-    producedAt = datetime.datetime.strptime("19100101050000Z",
-                                            GENERALIZED_TIME_FORMAT)
-  elif ocsp_produced == OCSP_PRODUCED_AFTER_CERT:
-    producedAt = datetime.datetime.strptime("20321201070000Z",
-                                            GENERALIZED_TIME_FORMAT)
-  else:
-    raise ValueError('Bad OCSP produced: ' + str(ocsp_produced))
-
-  single_responses = [
-      MakeOCSPSingleResponse(issuer_name_hash, issuer_key_hash, serial,
-                             ocsp_state, ocsp_date)
-      for ocsp_state, ocsp_date in itertools.izip(ocsp_states, ocsp_dates)
-  ]
-
-  basic_resp_data_der = asn1.ToDER(
-      asn1.SEQUENCE([
-          asn1.Explicit(2, issuer_key_hash),
-          asn1.GeneralizedTime(producedAt.strftime(GENERALIZED_TIME_FORMAT)),
-          asn1.SEQUENCE(single_responses),
-      ]))
-
-  basic_resp = asn1.SEQUENCE([
-      asn1.Raw(basic_resp_data_der),
-      asn1.SEQUENCE([
-          SHA256_WITH_RSA_ENCRYPTION,
-          None,
-      ]),
-      asn1.BitString(issuer_key.Sign(basic_resp_data_der)),
-  ])
-
-  resp = asn1.SEQUENCE([
-      asn1.ENUMERATED(0),
-      asn1.Explicit(
-          0,
-          asn1.SEQUENCE([
-              OCSP_TYPE_BASIC,
-              asn1.OCTETSTRING(asn1.ToDER(basic_resp)),
-          ]))
-  ])
-
-  return asn1.ToDER(resp)
-
-
-def DERToPEM(der):
-  pem = '-----BEGIN CERTIFICATE-----\n'
-  pem += base64.encodebytes(der).decode('ascii')
-  pem += '-----END CERTIFICATE-----\n'
-  return pem
-
-
-# unauthorizedDER is an OCSPResponse with a status of 6:
-# SEQUENCE { ENUM(6) }
-# TODO(davidben): Replace with bytes.fromhex when removing Python 2 support.
-unauthorizedDER = bytes(bytearray.fromhex('30030a0106'))
-
-
-def GenerateCertKeyAndOCSP(subject="127.0.0.1",
-                           ocsp_url="http://127.0.0.1",
-                           ocsp_states=None,
-                           ocsp_dates=None,
-                           ocsp_produced=OCSP_PRODUCED_VALID,
-                           ocsp_intermediate_url=None,
-                           ocsp_intermediate_states=None,
-                           ocsp_intermediate_dates=None,
-                           ocsp_intermediate_produced=OCSP_PRODUCED_VALID,
-                           ip_sans=[b"\x7F\x00\x00\x01"],
-                           dns_sans=None,
-                           serial=0):
-  '''GenerateCertKeyAndOCSP returns a (cert_and_key_pem,
-                                       (ocsp_der, ocsp_intermediate_der)) where:
-       * cert_and_key_pem contains a certificate and private key in PEM format
-         with the given subject common name and OCSP URL.
-         It also contains the intermediate certificate PEM if
-         ocsp_intermediate_url is not None.
-       * ocsp_der contains a DER encoded OCSP response or None if ocsp_url is
-         None
-       * ocsp_intermediate_der contains a DER encoded OCSP response for the
-         intermediate or None if ocsp_intermediate_url is None'''
-
-  if ocsp_states is None:
-    ocsp_states = [OCSP_STATE_GOOD]
-  if ocsp_dates is None:
-    ocsp_dates = [OCSP_DATE_VALID]
-
-  issuer_cn = ROOT_CN
-  issuer_key = ROOT_KEY
-  intermediate_pem = ''
-  intermediate_ocsp_der = None
-
-  if ocsp_intermediate_url is not None:
-    if ocsp_intermediate_states is None:
-      ocsp_intermediate_states = [OCSP_STATE_GOOD]
-    if ocsp_intermediate_dates is None:
-      ocsp_intermediate_dates = [OCSP_DATE_VALID]
-    intermediate_serial = RandomNumber(16)
-    intermediate_cn = "%s %X" % (INTERMEDIATE_CN_PREFIX, intermediate_serial)
-    intermediate_cert_der = MakeCertificate(ROOT_CN,
-                                            intermediate_cn,
-                                            intermediate_serial,
-                                            INTERMEDIATE_KEY,
-                                            ROOT_KEY,
-                                            ocsp_intermediate_url,
-                                            is_ca=True)
-    intermediate_pem = DERToPEM(intermediate_cert_der)
-    issuer_cn = intermediate_cn
-    issuer_key = INTERMEDIATE_KEY
-    intermediate_ocsp_der = MakeOCSPResponse(ROOT_CN, ROOT_KEY,
-                                             intermediate_serial,
-                                             ocsp_intermediate_states,
-                                             ocsp_intermediate_dates,
-                                             ocsp_intermediate_produced)
-
-  if serial == 0:
-    serial = RandomNumber(16)
-  cert_der = MakeCertificate(issuer_cn,
-                             subject,
-                             serial,
-                             LEAF_KEY,
-                             issuer_key,
-                             ocsp_url,
-                             ip_sans=ip_sans,
-                             dns_sans=dns_sans)
-  cert_pem = DERToPEM(cert_der)
-
-  ocsp_der = None
-  if ocsp_url is not None:
-    ocsp_der = MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_states,
-                                ocsp_dates, ocsp_produced)
-
-  return cert_pem + LEAF_KEY_PEM + intermediate_pem, (ocsp_der,
-                                                      intermediate_ocsp_der)
-
-
-def GenerateCertKeyAndIntermediate(subject,
-                                   ca_issuers_url,
-                                   ip_sans=None,
-                                   dns_sans=None,
-                                   serial=0):
-  '''Returns a (cert_and_key_pem, intermediate_cert_pem) where:
-       * cert_and_key_pem contains a certificate and private key in PEM format
-         with the given subject common name and caIssuers URL.
-       * intermediate_cert_pem contains a PEM encoded certificate that signed
-         cert_and_key_pem and was signed by ocsp-test-root.pem.'''
-  if serial == 0:
-    serial = RandomNumber(16)
-
-  intermediate_serial = RandomNumber(16)
-  intermediate_cn = "%s %X" % (INTERMEDIATE_CN_PREFIX, intermediate_serial)
-
-  target_cert_der = MakeCertificate(intermediate_cn,
-                                    subject,
-                                    serial,
-                                    LEAF_KEY,
-                                    INTERMEDIATE_KEY,
-                                    ip_sans=ip_sans,
-                                    dns_sans=dns_sans,
-                                    ca_issuers_url=ca_issuers_url)
-  target_cert_pem = DERToPEM(target_cert_der)
-
-  intermediate_cert_der = MakeCertificate(ROOT_CN,
-                                          intermediate_cn,
-                                          intermediate_serial,
-                                          INTERMEDIATE_KEY,
-                                          ROOT_KEY,
-                                          is_ca=True)
-
-  return target_cert_pem + LEAF_KEY_PEM, intermediate_cert_der
-
-
-if __name__ == '__main__':
-
-  def bin_to_array(s):
-    return ' '.join(['0x%02x,' % c for c in s])
-
-  import crlsetutil
-
-  der_root = MakeCertificate(ROOT_CN,
-                             ROOT_CN,
-                             1,
-                             ROOT_KEY,
-                             ROOT_KEY,
-                             is_ca=True,
-                             path_len=1)
-  print('ocsp-test-root.pem:')
-  print(DERToPEM(der_root))
-
-  print()
-  print('kOCSPTestCertFingerprint:')
-  print(bin_to_array(hashlib.sha1(der_root).digest()))
-
-  print()
-  print('kOCSPTestCertSPKI:')
-  print(bin_to_array(crlsetutil.der_cert_to_spki_hash(der_root)))
diff --git a/chromium/net/data/ssl/scripts/policy.cnf b/chromium/net/data/ssl/scripts/policy.cnf
deleted file mode 100644
index dbb2efabf08..00000000000
--- a/chromium/net/data/ssl/scripts/policy.cnf
+++ /dev/null
@@ -1,62 +0,0 @@
-CA_DIR=out
-CA_NAME=policy-root
-SAN=policy_test.example
-
-[ca]
-default_ca = CA_root
-preserve   = yes
-
-[CA_root]
-dir           = ${ENV::CA_DIR}
-key_size      = 2048
-algo          = sha256
-database      = $dir/${ENV::CA_NAME}-index.txt
-new_certs_dir = $dir
-serial        = $dir/${ENV::CA_NAME}-serial
-certificate   = $dir/${ENV::CA_NAME}.pem
-private_key   = $dir/${ENV::CA_NAME}.key
-RANDFILE      = $dir/.rand
-default_days     = 3650
-default_crl_days = 30
-default_md       = sha256
-policy           = policy_anything
-unique_subject   = no
-copy_extensions  = copy
-
-[user_cert]
-basicConstraints       = critical, CA:false
-extendedKeyUsage       = serverAuth, clientAuth
-certificatePolicies    = 1.2.3.4
-subjectAltName         = DNS:${ENV::SAN}
-
-[ca_cert]
-basicConstraints       = critical, CA:true
-keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
-
-[intermediate_cert]
-basicConstraints       = critical, CA:true
-keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
-policyConstraints      = requireExplicitPolicy:0
-certificatePolicies    = 1.2.3.4, 1.2.3.4.5, 1.2.3.5
-
-[policy_anything]
-# Default signing policy
-countryName            = optional
-stateOrProvinceName    = optional
-localityName           = optional
-organizationName       = optional
-organizationalUnitName = optional
-commonName             = optional
-emailAddress           = optional
-
-[req]
-default_bits       = 2048
-default_md         = sha256
-string_mask        = utf8only
-prompt             = no
-encrypt_key        = no
-distinguished_name = req_env_dn
-
-[req_env_dn]
-CN = ${ENV::COMMON_NAME}
-
diff --git a/chromium/net/data/websocket/OWNERS b/chromium/net/data/websocket/OWNERS
index 20ff3c47588..4392ef47220 100644
--- a/chromium/net/data/websocket/OWNERS
+++ b/chromium/net/data/websocket/OWNERS
@@ -1,2 +1 @@
 ricea@chromium.org
-yhirano@chromium.org
diff --git a/chromium/net/data/websocket/check-origin_wsh.py b/chromium/net/data/websocket/check-origin_wsh.py
index 3137b0963f6..ee8fb820381 100644
--- a/chromium/net/data/websocket/check-origin_wsh.py
+++ b/chromium/net/data/websocket/check-origin_wsh.py
@@ -1,4 +1,4 @@
-# Copyright 2021 The Chromium Authors. All rights reserved.
+# Copyright 2021 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/websocket/close-code-and-reason_wsh.py b/chromium/net/data/websocket/close-code-and-reason_wsh.py
index 694307ac452..cdf1d4d83ec 100644
--- a/chromium/net/data/websocket/close-code-and-reason_wsh.py
+++ b/chromium/net/data/websocket/close-code-and-reason_wsh.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/websocket/close-immediately_wsh.py b/chromium/net/data/websocket/close-immediately_wsh.py
index 6cc08424951..eb3e19e1498 100644
--- a/chromium/net/data/websocket/close-immediately_wsh.py
+++ b/chromium/net/data/websocket/close-immediately_wsh.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/websocket/close-observer_wsh.py b/chromium/net/data/websocket/close-observer_wsh.py
index 7856ceb3c26..6e4c60d2192 100644
--- a/chromium/net/data/websocket/close-observer_wsh.py
+++ b/chromium/net/data/websocket/close-observer_wsh.py
@@ -1,4 +1,4 @@
-# Copyright 2019 The Chromium Authors. All rights reserved.
+# Copyright 2019 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/websocket/close-with-split-packet_wsh.py b/chromium/net/data/websocket/close-with-split-packet_wsh.py
index 3bd5b58b25a..58ffe5d56de 100644
--- a/chromium/net/data/websocket/close-with-split-packet_wsh.py
+++ b/chromium/net/data/websocket/close-with-split-packet_wsh.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/websocket/close_wsh.py b/chromium/net/data/websocket/close_wsh.py
index b67fefd2dde..60f26c70b5a 100644
--- a/chromium/net/data/websocket/close_wsh.py
+++ b/chromium/net/data/websocket/close_wsh.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/websocket/echo-request-headers_wsh.py b/chromium/net/data/websocket/echo-request-headers_wsh.py
index 553aca2679c..7317e23cc8a 100644
--- a/chromium/net/data/websocket/echo-request-headers_wsh.py
+++ b/chromium/net/data/websocket/echo-request-headers_wsh.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
diff --git a/chromium/net/data/websocket/echo-with-no-extension_wsh.py b/chromium/net/data/websocket/echo-with-no-extension_wsh.py
index 0455f054484..def5112c106 100644
--- a/chromium/net/data/websocket/echo-with-no-extension_wsh.py
+++ b/chromium/net/data/websocket/echo-with-no-extension_wsh.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/websocket/header-continuation_wsh.py b/chromium/net/data/websocket/header-continuation_wsh.py
index 67be0a77a23..d059226cd96 100644
--- a/chromium/net/data/websocket/header-continuation_wsh.py
+++ b/chromium/net/data/websocket/header-continuation_wsh.py
@@ -1,4 +1,4 @@
-# Copyright 2015 The Chromium Authors. All rights reserved.
+# Copyright 2015 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
diff --git a/chromium/net/data/websocket/protocol-test_wsh.py b/chromium/net/data/websocket/protocol-test_wsh.py
index 76a5678112e..8670b77b237 100644
--- a/chromium/net/data/websocket/protocol-test_wsh.py
+++ b/chromium/net/data/websocket/protocol-test_wsh.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/websocket/set-hsts_wsh.py b/chromium/net/data/websocket/set-hsts_wsh.py
index c78a82ae92e..6901b6c2a1e 100644
--- a/chromium/net/data/websocket/set-hsts_wsh.py
+++ b/chromium/net/data/websocket/set-hsts_wsh.py
@@ -1,4 +1,4 @@
-# Copyright 2015 The Chromium Authors. All rights reserved.
+# Copyright 2015 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
diff --git a/chromium/net/data/websocket/trailing-whitespace_wsh.py b/chromium/net/data/websocket/trailing-whitespace_wsh.py
index 02543f46bb5..426c040660a 100644
--- a/chromium/net/data/websocket/trailing-whitespace_wsh.py
+++ b/chromium/net/data/websocket/trailing-whitespace_wsh.py
@@ -1,4 +1,4 @@
-# Copyright 2015 The Chromium Authors. All rights reserved.
+# Copyright 2015 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
diff --git a/chromium/net/data/websocket/truncated-headers_wsh.py b/chromium/net/data/websocket/truncated-headers_wsh.py
index 717f72dc8a5..f511c230885 100644
--- a/chromium/net/data/websocket/truncated-headers_wsh.py
+++ b/chromium/net/data/websocket/truncated-headers_wsh.py
@@ -1,4 +1,4 @@
-# Copyright 2015 The Chromium Authors. All rights reserved.
+# Copyright 2015 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/data/websocket/websocket_worker_simple.js b/chromium/net/data/websocket/websocket_worker_simple.js
index 37e3be8b80d..eb0f0e95d06 100644
--- a/chromium/net/data/websocket/websocket_worker_simple.js
+++ b/chromium/net/data/websocket/websocket_worker_simple.js
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/encode_values.cc b/chromium/net/der/encode_values.cc
index ef67fd54aed..62d6455f631 100644
--- a/chromium/net/der/encode_values.cc
+++ b/chromium/net/der/encode_values.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/encode_values.h b/chromium/net/der/encode_values.h
index b8d6b75800b..801cd869084 100644
--- a/chromium/net/der/encode_values.h
+++ b/chromium/net/der/encode_values.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/encode_values_unittest.cc b/chromium/net/der/encode_values_unittest.cc
index b8fd2edf453..4f5567573b5 100644
--- a/chromium/net/der/encode_values_unittest.cc
+++ b/chromium/net/der/encode_values_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/input.cc b/chromium/net/der/input.cc
index c2c7557f1ad..c348799d6fd 100644
--- a/chromium/net/der/input.cc
+++ b/chromium/net/der/input.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,10 @@
 
 namespace net::der {
 
-Input::Input(const base::StringPiece& in)
+Input::Input(base::StringPiece in)
+    : data_(reinterpret_cast<const uint8_t*>(in.data())), len_(in.length()) {}
+
+Input::Input(std::string_view in)
     : data_(reinterpret_cast<const uint8_t*>(in.data())), len_(in.length()) {}
 
 Input::Input(const std::string* s) : Input(base::StringPiece(*s)) {}
@@ -23,6 +26,10 @@ base::StringPiece Input::AsStringPiece() const {
   return base::StringPiece(reinterpret_cast<const char*>(data_), len_);
 }
 
+std::string_view Input::AsStringView() const {
+  return std::string_view(reinterpret_cast<const char*>(data_), len_);
+}
+
 base::span<const uint8_t> Input::AsSpan() const {
   return base::make_span(data_, len_);
 }
diff --git a/chromium/net/der/input.h b/chromium/net/der/input.h
index 9293694412e..97a4f633676 100644
--- a/chromium/net/der/input.h
+++ b/chromium/net/der/input.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -40,7 +40,10 @@ class NET_EXPORT_PRIVATE Input {
       : data_(data), len_(len) {}
 
   // Creates an Input from a base::StringPiece.
-  explicit Input(const base::StringPiece& sp);
+  explicit Input(base::StringPiece sp);
+
+  // Creates an Input from a std::string_view
+  explicit Input(std::string_view sp);
 
   // Creates an Input from a std::string. The lifetimes are a bit subtle when
   // using this function: The constructed Input is only valid so long as |s| is
@@ -64,6 +67,11 @@ class NET_EXPORT_PRIVATE Input {
   // Input.
   base::StringPiece AsStringPiece() const;
 
+  // Returns a std::string_view pointing to the same data as the Input. The
+  // resulting string_view must not outlive the data that was used to construct
+  // this Input.
+  std::string_view AsStringView() const;
+
   // Returns a base::span pointing to the same data as the Input. The resulting
   // base::span must not outlive the data that was used to construct this
   // Input.
diff --git a/chromium/net/der/input_unittest.cc b/chromium/net/der/input_unittest.cc
index 11da23eb4b9..9b42d9df0ea 100644
--- a/chromium/net/der/input_unittest.cc
+++ b/chromium/net/der/input_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/parse_values.cc b/chromium/net/der/parse_values.cc
index 2609e0e5c9a..d7f986e9fdf 100644
--- a/chromium/net/der/parse_values.cc
+++ b/chromium/net/der/parse_values.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/parse_values.h b/chromium/net/der/parse_values.h
index 12cf4550618..556d37ec176 100644
--- a/chromium/net/der/parse_values.h
+++ b/chromium/net/der/parse_values.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/parse_values_unittest.cc b/chromium/net/der/parse_values_unittest.cc
index 22e4a4f0581..0b6d36421f0 100644
--- a/chromium/net/der/parse_values_unittest.cc
+++ b/chromium/net/der/parse_values_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/parser.cc b/chromium/net/der/parser.cc
index 927f5fbbcb1..01ea3f0a4fa 100644
--- a/chromium/net/der/parser.cc
+++ b/chromium/net/der/parser.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/parser.h b/chromium/net/der/parser.h
index 04541c251bb..a854b1bd9fc 100644
--- a/chromium/net/der/parser.h
+++ b/chromium/net/der/parser.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/parser_unittest.cc b/chromium/net/der/parser_unittest.cc
index 09017f9f0bd..e1e032d06f7 100644
--- a/chromium/net/der/parser_unittest.cc
+++ b/chromium/net/der/parser_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/tag.cc b/chromium/net/der/tag.cc
index 1820551ce3b..494eb55562a 100644
--- a/chromium/net/der/tag.cc
+++ b/chromium/net/der/tag.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/der/tag.h b/chromium/net/der/tag.h
index 1a98f9f0a80..31f87f93bc2 100644
--- a/chromium/net/der/tag.h
+++ b/chromium/net/der/tag.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/backend_cleanup_tracker.cc b/chromium/net/disk_cache/backend_cleanup_tracker.cc
index d4c44913f9e..ff685bb9c14 100644
--- a/chromium/net/disk_cache/backend_cleanup_tracker.cc
+++ b/chromium/net/disk_cache/backend_cleanup_tracker.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/backend_cleanup_tracker.h b/chromium/net/disk_cache/backend_cleanup_tracker.h
index 98b60dbd6ad..8fe6fa138ea 100644
--- a/chromium/net/disk_cache/backend_cleanup_tracker.h
+++ b/chromium/net/disk_cache/backend_cleanup_tracker.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/backend_cleanup_tracker_unittest.cc b/chromium/net/disk_cache/backend_cleanup_tracker_unittest.cc
index 96013c179f9..7c0191a23ee 100644
--- a/chromium/net/disk_cache/backend_cleanup_tracker_unittest.cc
+++ b/chromium/net/disk_cache/backend_cleanup_tracker_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/backend_unittest.cc b/chromium/net/disk_cache/backend_unittest.cc
index 16ac64f3042..d9d8dae76e1 100644
--- a/chromium/net/disk_cache/backend_unittest.cc
+++ b/chromium/net/disk_cache/backend_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -283,9 +283,12 @@ int DiskCacheBackendTest::GeneratePendingIO(net::TestCompletionCallback* cb) {
     // We are using the current thread as the cache thread because we want to
     // be able to call directly this method to make sure that the OS (instead
     // of us switching thread) is returning IO pending.
+    bool optimistic = false;
     if (!simple_cache_mode_) {
       rv = static_cast<disk_cache::EntryImpl*>(entry)->WriteDataImpl(
-          0, i, buffer.get(), kSize, cb->callback(), false);
+          0, i, buffer.get(), kSize, cb->callback(), false, &optimistic);
+      if (optimistic)
+        rv = net::ERR_IO_PENDING;
     } else {
       rv = entry->WriteData(0, i, buffer.get(), kSize, cb->callback(), false);
     }
diff --git a/chromium/net/disk_cache/blockfile/addr.cc b/chromium/net/disk_cache/blockfile/addr.cc
index bf44bd78688..5e8a608e2ae 100644
--- a/chromium/net/disk_cache/blockfile/addr.cc
+++ b/chromium/net/disk_cache/blockfile/addr.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/addr.h b/chromium/net/disk_cache/blockfile/addr.h
index c7a9a2ae614..c0f13db77da 100644
--- a/chromium/net/disk_cache/blockfile/addr.h
+++ b/chromium/net/disk_cache/blockfile/addr.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/addr_unittest.cc b/chromium/net/disk_cache/blockfile/addr_unittest.cc
index dbb2dbc04e1..7cee590e02c 100644
--- a/chromium/net/disk_cache/blockfile/addr_unittest.cc
+++ b/chromium/net/disk_cache/blockfile/addr_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/backend_impl.cc b/chromium/net/disk_cache/blockfile/backend_impl.cc
index 25d81dce762..a12a6787a55 100644
--- a/chromium/net/disk_cache/blockfile/backend_impl.cc
+++ b/chromium/net/disk_cache/blockfile/backend_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/backend_impl.h b/chromium/net/disk_cache/blockfile/backend_impl.h
index 7190c3bd8c9..3e413ebf25c 100644
--- a/chromium/net/disk_cache/blockfile/backend_impl.h
+++ b/chromium/net/disk_cache/blockfile/backend_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/bitmap.cc b/chromium/net/disk_cache/blockfile/bitmap.cc
index 245d3df33f7..3ba945ff5a5 100644
--- a/chromium/net/disk_cache/blockfile/bitmap.cc
+++ b/chromium/net/disk_cache/blockfile/bitmap.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright 2009 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/bitmap.h b/chromium/net/disk_cache/blockfile/bitmap.h
index 9ffa98b9864..547fcfeec07 100644
--- a/chromium/net/disk_cache/blockfile/bitmap.h
+++ b/chromium/net/disk_cache/blockfile/bitmap.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/bitmap_unittest.cc b/chromium/net/disk_cache/blockfile/bitmap_unittest.cc
index c77aedf12c5..0d8ebaaffa8 100644
--- a/chromium/net/disk_cache/blockfile/bitmap_unittest.cc
+++ b/chromium/net/disk_cache/blockfile/bitmap_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright 2009 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/block_files.cc b/chromium/net/disk_cache/blockfile/block_files.cc
index afb9a5f95b2..0f938170654 100644
--- a/chromium/net/disk_cache/blockfile/block_files.cc
+++ b/chromium/net/disk_cache/blockfile/block_files.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/block_files.h b/chromium/net/disk_cache/blockfile/block_files.h
index 6bfd7e20be6..8d235b1b735 100644
--- a/chromium/net/disk_cache/blockfile/block_files.h
+++ b/chromium/net/disk_cache/blockfile/block_files.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/block_files_unittest.cc b/chromium/net/disk_cache/blockfile/block_files_unittest.cc
index a2168ea9c86..b99fed6a44a 100644
--- a/chromium/net/disk_cache/blockfile/block_files_unittest.cc
+++ b/chromium/net/disk_cache/blockfile/block_files_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -30,8 +30,8 @@ int NumberOfFiles(const base::FilePath& path) {
 
 namespace disk_cache {
 
-// Flaky on ChromeOS: https://crbug.com/1156795
 #if BUILDFLAG(IS_CHROMEOS_ASH)
+// Flaky on ChromeOS: https://crbug.com/1156795
 #define MAYBE_BlockFiles_Grow DISABLED_BlockFiles_Grow
 #else
 #define MAYBE_BlockFiles_Grow BlockFiles_Grow
@@ -43,14 +43,21 @@ TEST_F(DiskCacheTest, MAYBE_BlockFiles_Grow) {
   BlockFiles files(cache_path_);
   ASSERT_TRUE(files.Init(true));
 
+#if BUILDFLAG(IS_FUCHSIA)
+  // Too slow on Fuchsia: https://crbug.com/1354793
+  const int kMaxSize = 3500;
+  const int kNumberOfFiles = 4;
+#else
   const int kMaxSize = 35000;
+  const int kNumberOfFiles = 6;
+#endif
   Addr address[kMaxSize];
 
   // Fill up the 32-byte block file (use three files).
   for (auto& addr : address) {
     EXPECT_TRUE(files.CreateBlock(RANKINGS, 4, &addr));
   }
-  EXPECT_EQ(6, NumberOfFiles(cache_path_));
+  EXPECT_EQ(kNumberOfFiles, NumberOfFiles(cache_path_));
 
   // Make sure we don't keep adding files.
   for (int i = 0; i < kMaxSize * 4; i += 2) {
@@ -58,7 +65,7 @@ TEST_F(DiskCacheTest, MAYBE_BlockFiles_Grow) {
     files.DeleteBlock(address[target], false);
     EXPECT_TRUE(files.CreateBlock(RANKINGS, 4, &address[target]));
   }
-  EXPECT_EQ(6, NumberOfFiles(cache_path_));
+  EXPECT_EQ(kNumberOfFiles, NumberOfFiles(cache_path_));
 }
 
 // We should be able to delete empty block files.
diff --git a/chromium/net/disk_cache/blockfile/disk_format.cc b/chromium/net/disk_cache/blockfile/disk_format.cc
index 475c57f2cc4..4f785c9172c 100644
--- a/chromium/net/disk_cache/blockfile/disk_format.cc
+++ b/chromium/net/disk_cache/blockfile/disk_format.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/disk_format.h b/chromium/net/disk_cache/blockfile/disk_format.h
index 94786f05279..a65fb32c922 100644
--- a/chromium/net/disk_cache/blockfile/disk_format.h
+++ b/chromium/net/disk_cache/blockfile/disk_format.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/disk_format_base.h b/chromium/net/disk_cache/blockfile/disk_format_base.h
index 9d70e5ad9b2..c7c4b9f41ce 100644
--- a/chromium/net/disk_cache/blockfile/disk_format_base.h
+++ b/chromium/net/disk_cache/blockfile/disk_format_base.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/entry_impl.cc b/chromium/net/disk_cache/blockfile/entry_impl.cc
index 019c3aacd8f..fab3bf06662 100644
--- a/chromium/net/disk_cache/blockfile/entry_impl.cc
+++ b/chromium/net/disk_cache/blockfile/entry_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,9 +9,12 @@
 
 #include "base/files/file_util.h"
 #include "base/hash/hash.h"
+#include "base/metrics/histogram_macros.h"
 #include "base/numerics/safe_math.h"
 #include "base/strings/string_util.h"
 #include "base/time/time.h"
+#include "build/build_config.h"
+#include "net/base/features.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/disk_cache/blockfile/backend_impl.h"
@@ -355,7 +358,8 @@ int EntryImpl::WriteDataImpl(int index,
                              IOBuffer* buf,
                              int buf_len,
                              CompletionOnceCallback callback,
-                             bool truncate) {
+                             bool truncate,
+                             bool* optimistic) {
   if (net_log_.IsCapturing()) {
     NetLogReadWriteData(net_log_, net::NetLogEventType::ENTRY_WRITE_DATA,
                         net::NetLogEventPhase::BEGIN, index, offset, buf_len,
@@ -363,7 +367,7 @@ int EntryImpl::WriteDataImpl(int index,
   }
 
   int result = InternalWriteData(index, offset, buf, buf_len,
-                                 std::move(callback), truncate);
+                                 std::move(callback), truncate, optimistic);
 
   if (result != net::ERR_IO_PENDING && net_log_.IsCapturing()) {
     NetLogReadWriteComplete(net_log_, net::NetLogEventType::ENTRY_WRITE_DATA,
@@ -696,10 +700,12 @@ void EntryImpl::FixForDelete() {
 }
 
 void EntryImpl::IncrementIoCount() {
+  ++io_count_;
   backend_->IncrementIoCount();
 }
 
 void EntryImpl::DecrementIoCount() {
+  --io_count_;
   if (backend_.get())
     backend_->DecrementIoCount();
 }
@@ -872,9 +878,13 @@ int EntryImpl::WriteData(int index,
                          int buf_len,
                          CompletionOnceCallback callback,
                          bool truncate) {
-  if (callback.is_null())
-    return WriteDataImpl(index, offset, buf, buf_len, std::move(callback),
-                         truncate);
+  if (callback.is_null()) {
+    bool optimistic;
+    int err = WriteDataImpl(index, offset, buf, buf_len, std::move(callback),
+                            truncate, &optimistic);
+    DCHECK(!optimistic);
+    return err;
+  }
 
   DCHECK(node_.Data()->dirty || read_only_);
   if (index < 0 || index >= kNumStreams)
@@ -1113,9 +1123,11 @@ int EntryImpl::InternalWriteData(int index,
                                  IOBuffer* buf,
                                  int buf_len,
                                  CompletionOnceCallback callback,
-                                 bool truncate) {
+                                 bool truncate,
+                                 bool* optimistic) {
   DCHECK(node_.Data()->dirty || read_only_);
   DVLOG(2) << "Write to " << index << " at " << offset << " : " << buf_len;
+  *optimistic = false;
   if (index < 0 || index >= kNumStreams)
     return net::ERR_INVALID_ARGUMENT;
 
@@ -1154,6 +1166,8 @@ int EntryImpl::InternalWriteData(int index,
   backend_->OnEvent(Stats::WRITE_DATA);
   backend_->OnWrite(buf_len);
 
+  UMA_HISTOGRAM_BOOLEAN("HttpCache.BlockfileWriteInUserBuffer",
+                        !!user_buffers_[index].get());
   if (user_buffers_[index].get()) {
     // Complete the operation locally.
     user_buffers_[index]->Write(offset, buf, buf_len);
@@ -1186,17 +1200,32 @@ int EntryImpl::InternalWriteData(int index,
   if (!buf_len)
     return 0;
 
+  scoped_refptr<net::IOBuffer> op_buf = buf;
+
   SyncCallback* io_callback = nullptr;
   bool null_callback = callback.is_null();
   if (!null_callback) {
-    io_callback = new SyncCallback(this, buf, std::move(callback),
+#if BUILDFLAG(IS_WIN)
+    // Only do this optimization on Windows, since it's guaranteed there that an
+    // async write to the File object followed by a read will always give the
+    // previously written data. On Posix this isn't the case.
+    if (base::FeatureList::IsEnabled(
+            net::features::kOptimisticBlockfileWrite) &&
+        io_count_ == 0) {
+      op_buf = base::MakeRefCounted<IOBuffer>(buf_len);
+      memcpy(op_buf->data(), buf->data(), buf_len);
+      *optimistic = true;
+    }
+#endif
+
+    io_callback = new SyncCallback(this, op_buf.get(), std::move(callback),
                                    net::NetLogEventType::ENTRY_WRITE_DATA);
   }
 
   TimeTicks start_async = TimeTicks::Now();
 
   bool completed;
-  if (!file->Write(buf->data(), buf_len, file_offset, io_callback,
+  if (!file->Write(op_buf->data(), buf_len, file_offset, io_callback,
                    &completed)) {
     if (io_callback)
       io_callback->Discard();
@@ -1210,7 +1239,8 @@ int EntryImpl::InternalWriteData(int index,
     ReportIOTime(kWriteAsync1, start_async);
 
   ReportIOTime(kWrite, start);
-  return (completed || null_callback) ? buf_len : net::ERR_IO_PENDING;
+  return (completed || *optimistic || null_callback) ? buf_len
+                                                     : net::ERR_IO_PENDING;
 }
 
 // ------------------------------------------------------------------------
diff --git a/chromium/net/disk_cache/blockfile/entry_impl.h b/chromium/net/disk_cache/blockfile/entry_impl.h
index 40ad359c067..3a5e1631edb 100644
--- a/chromium/net/disk_cache/blockfile/entry_impl.h
+++ b/chromium/net/disk_cache/blockfile/entry_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -64,7 +64,8 @@ class NET_EXPORT_PRIVATE EntryImpl
                     IOBuffer* buf,
                     int buf_len,
                     CompletionOnceCallback callback,
-                    bool truncate);
+                    bool truncate,
+                    bool* optimistic);
   int ReadSparseDataImpl(int64_t offset,
                          IOBuffer* buf,
                          int buf_len,
@@ -223,7 +224,8 @@ class NET_EXPORT_PRIVATE EntryImpl
                         IOBuffer* buf,
                         int buf_len,
                         CompletionOnceCallback callback,
-                        bool truncate);
+                        bool truncate,
+                        bool* optimistic);
 
   // Initializes the storage for an internal or external data block.
   bool CreateDataBlock(int index, int size);
@@ -310,6 +312,7 @@ class NET_EXPORT_PRIVATE EntryImpl
   bool read_only_;            // True if not yet writing.
   bool dirty_ = false;        // True if we detected that this is a dirty entry.
   std::unique_ptr<SparseControl> sparse_;  // Support for sparse entries.
+  int io_count_ = 0;
 };
 
 }  // namespace disk_cache
diff --git a/chromium/net/disk_cache/blockfile/errors.h b/chromium/net/disk_cache/blockfile/errors.h
index 565eb049050..d734ab3e8f5 100644
--- a/chromium/net/disk_cache/blockfile/errors.h
+++ b/chromium/net/disk_cache/blockfile/errors.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/eviction.cc b/chromium/net/disk_cache/blockfile/eviction.cc
index 3e16efe5f1a..a6db3780db2 100644
--- a/chromium/net/disk_cache/blockfile/eviction.cc
+++ b/chromium/net/disk_cache/blockfile/eviction.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/eviction.h b/chromium/net/disk_cache/blockfile/eviction.h
index 8946b6f15c9..f6f5f058c85 100644
--- a/chromium/net/disk_cache/blockfile/eviction.h
+++ b/chromium/net/disk_cache/blockfile/eviction.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/experiments.h b/chromium/net/disk_cache/blockfile/experiments.h
index a2ca9600625..3ac54b2e29e 100644
--- a/chromium/net/disk_cache/blockfile/experiments.h
+++ b/chromium/net/disk_cache/blockfile/experiments.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/file.cc b/chromium/net/disk_cache/blockfile/file.cc
index 17c77a4e099..b37694c051f 100644
--- a/chromium/net/disk_cache/blockfile/file.cc
+++ b/chromium/net/disk_cache/blockfile/file.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/file.h b/chromium/net/disk_cache/blockfile/file.h
index 94b16d4acf2..1477343e625 100644
--- a/chromium/net/disk_cache/blockfile/file.h
+++ b/chromium/net/disk_cache/blockfile/file.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/file_block.h b/chromium/net/disk_cache/blockfile/file_block.h
index cf9e4f793ca..96647fcc97e 100644
--- a/chromium/net/disk_cache/blockfile/file_block.h
+++ b/chromium/net/disk_cache/blockfile/file_block.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright 2006-2008 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/file_ios.cc b/chromium/net/disk_cache/blockfile/file_ios.cc
index c910da3c82f..12403b8afc8 100644
--- a/chromium/net/disk_cache/blockfile/file_ios.cc
+++ b/chromium/net/disk_cache/blockfile/file_ios.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/file_lock.cc b/chromium/net/disk_cache/blockfile/file_lock.cc
index 06ef394597c..76be863dd11 100644
--- a/chromium/net/disk_cache/blockfile/file_lock.cc
+++ b/chromium/net/disk_cache/blockfile/file_lock.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/file_lock.h b/chromium/net/disk_cache/blockfile/file_lock.h
index 63d21f3612d..d0299ee2e3d 100644
--- a/chromium/net/disk_cache/blockfile/file_lock.h
+++ b/chromium/net/disk_cache/blockfile/file_lock.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/file_posix.cc b/chromium/net/disk_cache/blockfile/file_posix.cc
index 1d1de955d48..6c78ca0a6b2 100644
--- a/chromium/net/disk_cache/blockfile/file_posix.cc
+++ b/chromium/net/disk_cache/blockfile/file_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/file_win.cc b/chromium/net/disk_cache/blockfile/file_win.cc
index 61c98814383..5ffe1c90427 100644
--- a/chromium/net/disk_cache/blockfile/file_win.cc
+++ b/chromium/net/disk_cache/blockfile/file_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -94,8 +94,10 @@ void CompletionHandler::OnIOCompleted(
     NOTREACHED();
   }
 
+  // `callback_` may self delete while in `OnFileIOComplete`.
   if (data->callback_)
-    data->callback_->OnFileIOComplete(static_cast<int>(actual_bytes));
+    data->callback_.ExtractAsDangling()->OnFileIOComplete(
+        static_cast<int>(actual_bytes));
 
   delete data;
 }
diff --git a/chromium/net/disk_cache/blockfile/histogram_macros.h b/chromium/net/disk_cache/blockfile/histogram_macros.h
index dd77f405bff..0b23397d6aa 100644
--- a/chromium/net/disk_cache/blockfile/histogram_macros.h
+++ b/chromium/net/disk_cache/blockfile/histogram_macros.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/in_flight_backend_io.cc b/chromium/net/disk_cache/blockfile/in_flight_backend_io.cc
index 98bb1ec43ae..ceebe54a4c0 100644
--- a/chromium/net/disk_cache/blockfile/in_flight_backend_io.cc
+++ b/chromium/net/disk_cache/blockfile/in_flight_backend_io.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -74,13 +74,19 @@ void BackendIO::OnIOComplete(int result) {
   DCHECK(IsEntryOperation());
   DCHECK_NE(result, net::ERR_IO_PENDING);
   result_ = result;
-  NotifyController();
+  if (notify_controller_)
+    NotifyController();
 }
 
 // Runs on the primary thread.
 void BackendIO::OnDone(bool cancel) {
   if (IsEntryOperation()) {
     CACHE_UMA(TIMES, "TotalIOTime", 0, ElapsedTime());
+    if (operation_ == OP_READ) {
+      CACHE_UMA(TIMES, "TotalIOTimeRead", 0, ElapsedTime());
+    } else if (operation_ == OP_WRITE) {
+      CACHE_UMA(TIMES, "TotalIOTimeWrite", 0, ElapsedTime());
+    }
   }
 
   if (ReturnsEntry() && result_ == net::OK) {
@@ -88,6 +94,7 @@ void BackendIO::OnDone(bool cancel) {
     if (cancel)
       out_entry_.ExtractAsDangling()->Close();
   }
+  ClearController();
 }
 
 bool BackendIO::IsEntryOperation() {
@@ -335,7 +342,7 @@ void BackendIO::ExecuteBackendOperation() {
     case OP_CLOSE_ENTRY:
       // Collect the reference to |entry_| to balance with the AddRef() in
       // LeakEntryImpl.
-      entry_->Release();
+      entry_.ExtractAsDangling()->Release();
       result_ = net::OK;
       break;
     case OP_DOOM_ENTRY:
@@ -366,11 +373,16 @@ void BackendIO::ExecuteEntryOperation() {
           entry_->ReadDataImpl(index_, offset_, buf_.get(), buf_len_,
                                base::BindOnce(&BackendIO::OnIOComplete, this));
       break;
-    case OP_WRITE:
-      result_ = entry_->WriteDataImpl(
-          index_, offset_, buf_.get(), buf_len_,
-          base::BindOnce(&BackendIO::OnIOComplete, this), truncate_);
+    case OP_WRITE: {
+      bool optimistic = false;
+      result_ =
+          entry_->WriteDataImpl(index_, offset_, buf_.get(), buf_len_,
+                                base::BindOnce(&BackendIO::OnIOComplete, this),
+                                truncate_, &optimistic);
+      if (optimistic)
+        notify_controller_ = false;
       break;
+    }
     case OP_READ_SPARSE:
       result_ = entry_->ReadSparseDataImpl(
           offset64_, buf_.get(), buf_len_,
diff --git a/chromium/net/disk_cache/blockfile/in_flight_backend_io.h b/chromium/net/disk_cache/blockfile/in_flight_backend_io.h
index 180f3ef8289..6bf139a9bcc 100644
--- a/chromium/net/disk_cache/blockfile/in_flight_backend_io.h
+++ b/chromium/net/disk_cache/blockfile/in_flight_backend_io.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -182,6 +182,7 @@ class BackendIO : public BackgroundIO {
   bool truncate_ = false;
   int64_t offset64_ = 0;
   base::TimeTicks start_time_;
+  bool notify_controller_ = true;
   base::OnceClosure task_;
 };
 
diff --git a/chromium/net/disk_cache/blockfile/in_flight_io.cc b/chromium/net/disk_cache/blockfile/in_flight_io.cc
index 6d4d742e6cc..76c3a17d732 100644
--- a/chromium/net/disk_cache/blockfile/in_flight_io.cc
+++ b/chromium/net/disk_cache/blockfile/in_flight_io.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -32,6 +32,10 @@ void BackgroundIO::Cancel() {
   controller_ = nullptr;
 }
 
+void BackgroundIO::ClearController() {
+  controller_ = nullptr;
+}
+
 BackgroundIO::~BackgroundIO() = default;
 
 // ---------------------------------------------------------------------------
diff --git a/chromium/net/disk_cache/blockfile/in_flight_io.h b/chromium/net/disk_cache/blockfile/in_flight_io.h
index cc83583d340..6b0739ec8c2 100644
--- a/chromium/net/disk_cache/blockfile/in_flight_io.h
+++ b/chromium/net/disk_cache/blockfile/in_flight_io.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -61,6 +61,9 @@ class BackgroundIO : public base::RefCountedThreadSafe<BackgroundIO> {
   // thread.
   void NotifyController();
 
+  // Clears the controller before it might get destroyed.
+  void ClearController();
+
   int result_ = -1;  // Final operation result.
 
  private:
@@ -68,7 +71,7 @@ class BackgroundIO : public base::RefCountedThreadSafe<BackgroundIO> {
 
   // An event to signal when the operation completes.
   base::WaitableEvent io_completed_;
-  raw_ptr<InFlightIO, DanglingUntriaged>
+  raw_ptr<InFlightIO>
       controller_;              // The controller that tracks all operations.
   base::Lock controller_lock_;  // A lock protecting clearing of controller_.
 };
diff --git a/chromium/net/disk_cache/blockfile/mapped_file.cc b/chromium/net/disk_cache/blockfile/mapped_file.cc
index 7cac41e5d48..350af204285 100644
--- a/chromium/net/disk_cache/blockfile/mapped_file.cc
+++ b/chromium/net/disk_cache/blockfile/mapped_file.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/mapped_file.h b/chromium/net/disk_cache/blockfile/mapped_file.h
index d5fb298f49d..b621c3d1fae 100644
--- a/chromium/net/disk_cache/blockfile/mapped_file.h
+++ b/chromium/net/disk_cache/blockfile/mapped_file.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/mapped_file_bypass_mmap_posix.cc b/chromium/net/disk_cache/blockfile/mapped_file_bypass_mmap_posix.cc
index 1a82381b2b8..7963c670643 100644
--- a/chromium/net/disk_cache/blockfile/mapped_file_bypass_mmap_posix.cc
+++ b/chromium/net/disk_cache/blockfile/mapped_file_bypass_mmap_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/mapped_file_posix.cc b/chromium/net/disk_cache/blockfile/mapped_file_posix.cc
index bc94afc7d80..fb9593a87be 100644
--- a/chromium/net/disk_cache/blockfile/mapped_file_posix.cc
+++ b/chromium/net/disk_cache/blockfile/mapped_file_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/mapped_file_unittest.cc b/chromium/net/disk_cache/blockfile/mapped_file_unittest.cc
index d8bfb6eca48..da661ad4024 100644
--- a/chromium/net/disk_cache/blockfile/mapped_file_unittest.cc
+++ b/chromium/net/disk_cache/blockfile/mapped_file_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/mapped_file_win.cc b/chromium/net/disk_cache/blockfile/mapped_file_win.cc
index 3cc771e4951..d0b4739b8e1 100644
--- a/chromium/net/disk_cache/blockfile/mapped_file_win.cc
+++ b/chromium/net/disk_cache/blockfile/mapped_file_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/rankings.cc b/chromium/net/disk_cache/blockfile/rankings.cc
index d7bb61fdbf7..990c1e5a42e 100644
--- a/chromium/net/disk_cache/blockfile/rankings.cc
+++ b/chromium/net/disk_cache/blockfile/rankings.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/rankings.h b/chromium/net/disk_cache/blockfile/rankings.h
index e942120fab5..74148eb41ac 100644
--- a/chromium/net/disk_cache/blockfile/rankings.h
+++ b/chromium/net/disk_cache/blockfile/rankings.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/sparse_control.cc b/chromium/net/disk_cache/blockfile/sparse_control.cc
index 6fe761e39e6..14d6cb5d45b 100644
--- a/chromium/net/disk_cache/blockfile/sparse_control.cc
+++ b/chromium/net/disk_cache/blockfile/sparse_control.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -740,6 +740,7 @@ bool SparseControl::DoChildIO() {
   }
 
   int rv = 0;
+  bool optimistic = false;
   switch (operation_) {
     case kReadOperation:
       if (entry_->net_log().IsCapturing()) {
@@ -759,7 +760,8 @@ bool SparseControl::DoChildIO() {
                               child_->net_log().source(), child_len_);
       }
       rv = child_->WriteDataImpl(kSparseData, child_offset_, user_buf_.get(),
-                                 child_len_, std::move(callback), false);
+                                 child_len_, std::move(callback), false,
+                                 &optimistic);
       break;
     case kGetRangeOperation:
       rv = DoGetAvailableRange();
@@ -768,7 +770,7 @@ bool SparseControl::DoChildIO() {
       NOTREACHED();
   }
 
-  if (rv == net::ERR_IO_PENDING) {
+  if (rv == net::ERR_IO_PENDING || optimistic) {
     if (!pending_) {
       pending_ = true;
       // The child will protect himself against closing the entry while IO is in
diff --git a/chromium/net/disk_cache/blockfile/sparse_control.h b/chromium/net/disk_cache/blockfile/sparse_control.h
index 1ddcb39fe4b..d96b7db659a 100644
--- a/chromium/net/disk_cache/blockfile/sparse_control.h
+++ b/chromium/net/disk_cache/blockfile/sparse_control.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/stats.cc b/chromium/net/disk_cache/blockfile/stats.cc
index 5023bc4a056..8f8f03d6bdf 100644
--- a/chromium/net/disk_cache/blockfile/stats.cc
+++ b/chromium/net/disk_cache/blockfile/stats.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/stats.h b/chromium/net/disk_cache/blockfile/stats.h
index c3a47bd5f71..6c9fa2ec974 100644
--- a/chromium/net/disk_cache/blockfile/stats.h
+++ b/chromium/net/disk_cache/blockfile/stats.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/stats_unittest.cc b/chromium/net/disk_cache/blockfile/stats_unittest.cc
index be15cbf93aa..70a1a38f016 100644
--- a/chromium/net/disk_cache/blockfile/stats_unittest.cc
+++ b/chromium/net/disk_cache/blockfile/stats_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/storage_block-inl.h b/chromium/net/disk_cache/blockfile/storage_block-inl.h
index b1c0a89cbeb..8114c2115de 100644
--- a/chromium/net/disk_cache/blockfile/storage_block-inl.h
+++ b/chromium/net/disk_cache/blockfile/storage_block-inl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -197,10 +197,10 @@ template<typename T> void StorageBlock<T>::AllocateData() {
 template<typename T> void StorageBlock<T>::DeleteData() {
   if (own_data_) {
     if (!extended_) {
-      delete data_;
+      data_.ClearAndDelete();
     } else {
       data_->~T();
-      delete[] reinterpret_cast<char*>(data_.get());
+      delete[] reinterpret_cast<char*>(data_.ExtractAsDangling().get());
     }
     own_data_ = false;
   }
diff --git a/chromium/net/disk_cache/blockfile/storage_block.h b/chromium/net/disk_cache/blockfile/storage_block.h
index e367c3bb0fa..4b94728a02a 100644
--- a/chromium/net/disk_cache/blockfile/storage_block.h
+++ b/chromium/net/disk_cache/blockfile/storage_block.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/storage_block_unittest.cc b/chromium/net/disk_cache/blockfile/storage_block_unittest.cc
index 7d7c13befaf..e8168265d63 100644
--- a/chromium/net/disk_cache/blockfile/storage_block_unittest.cc
+++ b/chromium/net/disk_cache/blockfile/storage_block_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/blockfile/stress_support.h b/chromium/net/disk_cache/blockfile/stress_support.h
index b4d3a6be0c6..87b8778ace8 100644
--- a/chromium/net/disk_cache/blockfile/stress_support.h
+++ b/chromium/net/disk_cache/blockfile/stress_support.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/cache_util.cc b/chromium/net/disk_cache/cache_util.cc
index c6465e9377a..f4f59fcf27a 100644
--- a/chromium/net/disk_cache/cache_util.cc
+++ b/chromium/net/disk_cache/cache_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -128,8 +128,9 @@ namespace disk_cache {
 
 const int kDefaultCacheSize = 80 * 1024 * 1024;
 
-const base::Feature kChangeDiskCacheSizeExperiment{
-    "ChangeDiskCacheSize", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kChangeDiskCacheSizeExperiment,
+             "ChangeDiskCacheSize",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
 void DeleteCache(const base::FilePath& path, bool remove_folder) {
   if (remove_folder) {
diff --git a/chromium/net/disk_cache/cache_util.h b/chromium/net/disk_cache/cache_util.h
index 429c1f1937d..22da27450b0 100644
--- a/chromium/net/disk_cache/cache_util.h
+++ b/chromium/net/disk_cache/cache_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -20,7 +20,7 @@ namespace disk_cache {
 
 // Experiment to increase the cache size to see the impact on various
 // performance metrics.
-NET_EXPORT_PRIVATE extern const base::Feature kChangeDiskCacheSizeExperiment;
+NET_EXPORT_PRIVATE BASE_DECLARE_FEATURE(kChangeDiskCacheSizeExperiment);
 
 // Moves the cache files from the given path to another location.
 // Fails if the destination exists already, or if it doesn't have
diff --git a/chromium/net/disk_cache/cache_util_posix.cc b/chromium/net/disk_cache/cache_util_posix.cc
index 3085241cadd..8b3eefa31b5 100644
--- a/chromium/net/disk_cache/cache_util_posix.cc
+++ b/chromium/net/disk_cache/cache_util_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/cache_util_unittest.cc b/chromium/net/disk_cache/cache_util_unittest.cc
index ccb25d333e2..8d6cb6cde9d 100644
--- a/chromium/net/disk_cache/cache_util_unittest.cc
+++ b/chromium/net/disk_cache/cache_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/cache_util_win.cc b/chromium/net/disk_cache/cache_util_win.cc
index b002405f719..70d798e925f 100644
--- a/chromium/net/disk_cache/cache_util_win.cc
+++ b/chromium/net/disk_cache/cache_util_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/disk_cache.cc b/chromium/net/disk_cache/disk_cache.cc
index b31892c1890..adf107a7a9c 100644
--- a/chromium/net/disk_cache/disk_cache.cc
+++ b/chromium/net/disk_cache/disk_cache.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/disk_cache.h b/chromium/net/disk_cache/disk_cache.h
index 31f548b2a46..84a0a793e52 100644
--- a/chromium/net/disk_cache/disk_cache.h
+++ b/chromium/net/disk_cache/disk_cache.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/disk_cache_fuzzer.cc b/chromium/net/disk_cache/disk_cache_fuzzer.cc
index e111cbe9894..2487a37f986 100644
--- a/chromium/net/disk_cache/disk_cache_fuzzer.cc
+++ b/chromium/net/disk_cache/disk_cache_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/disk_cache_fuzzer.proto b/chromium/net/disk_cache/disk_cache_fuzzer.proto
index 6b98a4512c6..7bdf4ab68d7 100644
--- a/chromium/net/disk_cache/disk_cache_fuzzer.proto
+++ b/chromium/net/disk_cache/disk_cache_fuzzer.proto
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/disk_cache_perftest.cc b/chromium/net/disk_cache/disk_cache_perftest.cc
index 0a2501e475a..be0bec3922e 100644
--- a/chromium/net/disk_cache/disk_cache_perftest.cc
+++ b/chromium/net/disk_cache/disk_cache_perftest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/disk_cache_test_base.cc b/chromium/net/disk_cache/disk_cache_test_base.cc
index 9e36dd91212..b7ffb7fa0b2 100644
--- a/chromium/net/disk_cache/disk_cache_test_base.cc
+++ b/chromium/net/disk_cache/disk_cache_test_base.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/disk_cache_test_base.h b/chromium/net/disk_cache/disk_cache_test_base.h
index 3659a1a7ea9..eead0c3df0d 100644
--- a/chromium/net/disk_cache/disk_cache_test_base.h
+++ b/chromium/net/disk_cache/disk_cache_test_base.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/disk_cache_test_util.cc b/chromium/net/disk_cache/disk_cache_test_util.cc
index 7256850af5a..8b76d334420 100644
--- a/chromium/net/disk_cache/disk_cache_test_util.cc
+++ b/chromium/net/disk_cache/disk_cache_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/disk_cache_test_util.h b/chromium/net/disk_cache/disk_cache_test_util.h
index 548fefbef07..e4f7db938e2 100644
--- a/chromium/net/disk_cache/disk_cache_test_util.h
+++ b/chromium/net/disk_cache/disk_cache_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/entry_unittest.cc b/chromium/net/disk_cache/entry_unittest.cc
index d5a444bf1d9..284eacbf0e3 100644
--- a/chromium/net/disk_cache/entry_unittest.cc
+++ b/chromium/net/disk_cache/entry_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,6 +19,7 @@
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "net/base/completion_once_callback.h"
+#include "net/base/features.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/request_priority.h"
@@ -5582,6 +5583,59 @@ TEST_F(DiskCacheEntryTest, BlockFileSparsePendingAfterDtor) {
   FlushQueueForTest();
 }
 
+#if BUILDFLAG(IS_WIN)
+TEST_F(DiskCacheEntryTest, BlockFileOptimisticWrite) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(net::features::kOptimisticBlockfileWrite);
+
+  CreateBackend(disk_cache::kNone);
+  disk_cache::Entry* entry = nullptr;
+  ASSERT_THAT(CreateEntry("key", &entry), IsOk());
+  ASSERT_TRUE(entry != nullptr);
+
+  // To ensure `EntryImpl::user_buffers_` aren't used in this test:
+  // 1) make an initial write bigger than kMaxBlockSize
+  // 2) second write has to be bigger than kMaxBlockSize but smaller than the
+  // first so that truncation happens.
+  const int kSize1 = disk_cache::kMaxBlockSize + 100;
+  scoped_refptr<net::IOBuffer> write_buf1 =
+      base::MakeRefCounted<net::IOBuffer>(kSize1);
+  CacheTestFillBuffer(write_buf1->data(), kSize1, false);
+
+  net::TestCompletionCallback cb_write1;
+  EXPECT_EQ(net::ERR_IO_PENDING,
+            entry->WriteData(0, 0, write_buf1.get(), kSize1,
+                             cb_write1.callback(), true));
+  EXPECT_EQ(kSize1, cb_write1.WaitForResult());
+
+  entry->Close();
+
+  ASSERT_THAT(OpenEntry("key", &entry), IsOk());
+  ASSERT_TRUE(entry != nullptr);
+
+  const int kSize2 = disk_cache::kMaxBlockSize + 1;
+  scoped_refptr<net::IOBuffer> write_buf2 =
+      base::MakeRefCounted<net::IOBuffer>(kSize2);
+  CacheTestFillBuffer(write_buf2->data(), kSize2, false);
+
+  net::TestCompletionCallback cb_write2;
+  EXPECT_EQ(net::ERR_IO_PENDING,
+            entry->WriteData(0, 0, write_buf2.get(), kSize2,
+                             cb_write2.callback(), true));
+  EXPECT_EQ(kSize2, cb_write2.WaitForResult());
+
+  scoped_refptr<net::IOBuffer> read_buf =
+      base::MakeRefCounted<net::IOBuffer>(kSize2);
+  net::TestCompletionCallback cb_read;
+  EXPECT_EQ(net::ERR_IO_PENDING,
+            entry->ReadData(0, 0, read_buf.get(), kSize2, cb_read.callback()));
+  EXPECT_EQ(kSize2, cb_read.WaitForResult());
+  EXPECT_EQ(0, memcmp(read_buf->data(), write_buf2->data(), kSize2));
+
+  entry->Close();
+}
+#endif
+
 class DiskCacheSimplePrefetchTest : public DiskCacheEntryTest {
  public:
   DiskCacheSimplePrefetchTest() = default;
diff --git a/chromium/net/disk_cache/memory/mem_backend_impl.cc b/chromium/net/disk_cache/memory/mem_backend_impl.cc
index ab9f0416f96..3cd0969294e 100644
--- a/chromium/net/disk_cache/memory/mem_backend_impl.cc
+++ b/chromium/net/disk_cache/memory/mem_backend_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/memory/mem_backend_impl.h b/chromium/net/disk_cache/memory/mem_backend_impl.h
index b3994ed24e1..28db7b99fd8 100644
--- a/chromium/net/disk_cache/memory/mem_backend_impl.h
+++ b/chromium/net/disk_cache/memory/mem_backend_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/memory/mem_entry_impl.cc b/chromium/net/disk_cache/memory/mem_entry_impl.cc
index 38ab5bf418a..923ffdfd034 100644
--- a/chromium/net/disk_cache/memory/mem_entry_impl.cc
+++ b/chromium/net/disk_cache/memory/mem_entry_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/memory/mem_entry_impl.h b/chromium/net/disk_cache/memory/mem_entry_impl.h
index 4dcf3397a74..efefa457541 100644
--- a/chromium/net/disk_cache/memory/mem_entry_impl.h
+++ b/chromium/net/disk_cache/memory/mem_entry_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/mock/mock_backend_impl.cc b/chromium/net/disk_cache/mock/mock_backend_impl.cc
index 51fab72593c..e49c5294160 100644
--- a/chromium/net/disk_cache/mock/mock_backend_impl.cc
+++ b/chromium/net/disk_cache/mock/mock_backend_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/mock/mock_backend_impl.h b/chromium/net/disk_cache/mock/mock_backend_impl.h
index 63d35f4b3c7..2724a7eac40 100644
--- a/chromium/net/disk_cache/mock/mock_backend_impl.h
+++ b/chromium/net/disk_cache/mock/mock_backend_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/mock/mock_entry_impl.cc b/chromium/net/disk_cache/mock/mock_entry_impl.cc
index 0d8c1557f27..cf1eec75b2e 100644
--- a/chromium/net/disk_cache/mock/mock_entry_impl.cc
+++ b/chromium/net/disk_cache/mock/mock_entry_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/mock/mock_entry_impl.h b/chromium/net/disk_cache/mock/mock_entry_impl.h
index 8f747b2a582..faea5339274 100644
--- a/chromium/net/disk_cache/mock/mock_entry_impl.h
+++ b/chromium/net/disk_cache/mock/mock_entry_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/net_log_parameters.cc b/chromium/net/disk_cache/net_log_parameters.cc
index 9745df6856f..377adb4d2e9 100644
--- a/chromium/net/disk_cache/net_log_parameters.cc
+++ b/chromium/net/disk_cache/net_log_parameters.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/net_log_parameters.h b/chromium/net/disk_cache/net_log_parameters.h
index 605b7f4b262..6a5499fb22b 100644
--- a/chromium/net/disk_cache/net_log_parameters.h
+++ b/chromium/net/disk_cache/net_log_parameters.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/post_doom_waiter.cc b/chromium/net/disk_cache/simple/post_doom_waiter.cc
index 717adda347d..8d508c586e8 100644
--- a/chromium/net/disk_cache/simple/post_doom_waiter.cc
+++ b/chromium/net/disk_cache/simple/post_doom_waiter.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/post_doom_waiter.h b/chromium/net/disk_cache/simple/post_doom_waiter.h
index 3fde99253e3..9a03932fb5a 100644
--- a/chromium/net/disk_cache/simple/post_doom_waiter.h
+++ b/chromium/net/disk_cache/simple/post_doom_waiter.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_backend_impl.cc b/chromium/net/disk_cache/simple/simple_backend_impl.cc
index e0be60eb39b..13b584ed368 100644
--- a/chromium/net/disk_cache/simple/simple_backend_impl.cc
+++ b/chromium/net/disk_cache/simple/simple_backend_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -28,7 +28,6 @@
 #include "base/metrics/histogram_functions.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/system/sys_info.h"
-#include "base/task/task_runner_util.h"
 #include "base/task/thread_pool/thread_pool_instance.h"
 #include "base/threading/sequenced_task_runner_handle.h"
 #include "base/time/time.h"
diff --git a/chromium/net/disk_cache/simple/simple_backend_impl.h b/chromium/net/disk_cache/simple/simple_backend_impl.h
index 84ca265f3ef..b9f6d5f3477 100644
--- a/chromium/net/disk_cache/simple/simple_backend_impl.h
+++ b/chromium/net/disk_cache/simple/simple_backend_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_backend_version.h b/chromium/net/disk_cache/simple/simple_backend_version.h
index c3d0ba75592..65c042669aa 100644
--- a/chromium/net/disk_cache/simple/simple_backend_version.h
+++ b/chromium/net/disk_cache/simple/simple_backend_version.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_entry_format.cc b/chromium/net/disk_cache/simple/simple_entry_format.cc
index 41cab2d36f2..72d1bf90d8e 100644
--- a/chromium/net/disk_cache/simple/simple_entry_format.cc
+++ b/chromium/net/disk_cache/simple/simple_entry_format.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_entry_format.h b/chromium/net/disk_cache/simple/simple_entry_format.h
index 9b2e75e9584..7a95cd65ba9 100644
--- a/chromium/net/disk_cache/simple/simple_entry_format.h
+++ b/chromium/net/disk_cache/simple/simple_entry_format.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_entry_format_history.h b/chromium/net/disk_cache/simple/simple_entry_format_history.h
index 5936c8807d3..ea16baa6487 100644
--- a/chromium/net/disk_cache/simple/simple_entry_format_history.h
+++ b/chromium/net/disk_cache/simple/simple_entry_format_history.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_entry_impl.cc b/chromium/net/disk_cache/simple/simple_entry_impl.cc
index 02d2005d86e..4bfa63b37f2 100644
--- a/chromium/net/disk_cache/simple/simple_entry_impl.cc
+++ b/chromium/net/disk_cache/simple/simple_entry_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,7 +19,6 @@
 #include "base/memory/raw_ptr.h"
 #include "base/notreached.h"
 #include "base/task/task_runner.h"
-#include "base/task/task_runner_util.h"
 #include "base/threading/sequenced_task_runner_handle.h"
 #include "base/time/time.h"
 #include "base/trace_event/memory_usage_estimator.h"
diff --git a/chromium/net/disk_cache/simple/simple_entry_impl.h b/chromium/net/disk_cache/simple/simple_entry_impl.h
index 3d0254a8d04..74551c6ff8f 100644
--- a/chromium/net/disk_cache/simple/simple_entry_impl.h
+++ b/chromium/net/disk_cache/simple/simple_entry_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_entry_operation.cc b/chromium/net/disk_cache/simple/simple_entry_operation.cc
index b58f57309b5..c0c23ae1708 100644
--- a/chromium/net/disk_cache/simple/simple_entry_operation.cc
+++ b/chromium/net/disk_cache/simple/simple_entry_operation.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_entry_operation.h b/chromium/net/disk_cache/simple/simple_entry_operation.h
index a7f4d529c45..c854d2f609a 100644
--- a/chromium/net/disk_cache/simple/simple_entry_operation.h
+++ b/chromium/net/disk_cache/simple/simple_entry_operation.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_file_enumerator.cc b/chromium/net/disk_cache/simple/simple_file_enumerator.cc
index e18c1a99f76..5ad2ad1a44a 100644
--- a/chromium/net/disk_cache/simple/simple_file_enumerator.cc
+++ b/chromium/net/disk_cache/simple/simple_file_enumerator.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_file_enumerator.h b/chromium/net/disk_cache/simple/simple_file_enumerator.h
index 466e3e1f1fd..89d37607275 100644
--- a/chromium/net/disk_cache/simple/simple_file_enumerator.h
+++ b/chromium/net/disk_cache/simple/simple_file_enumerator.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_file_enumerator_unittest.cc b/chromium/net/disk_cache/simple/simple_file_enumerator_unittest.cc
index 38bbbee76b2..6b8eb6e67a3 100644
--- a/chromium/net/disk_cache/simple/simple_file_enumerator_unittest.cc
+++ b/chromium/net/disk_cache/simple/simple_file_enumerator_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_file_tracker.cc b/chromium/net/disk_cache/simple/simple_file_tracker.cc
index 7560a8622cc..b0ceeaf3181 100644
--- a/chromium/net/disk_cache/simple/simple_file_tracker.cc
+++ b/chromium/net/disk_cache/simple/simple_file_tracker.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_file_tracker.h b/chromium/net/disk_cache/simple/simple_file_tracker.h
index 3262bd75b00..653a8b3aa40 100644
--- a/chromium/net/disk_cache/simple/simple_file_tracker.h
+++ b/chromium/net/disk_cache/simple/simple_file_tracker.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_file_tracker_unittest.cc b/chromium/net/disk_cache/simple/simple_file_tracker_unittest.cc
index 0708ac9f31c..076a343401f 100644
--- a/chromium/net/disk_cache/simple/simple_file_tracker_unittest.cc
+++ b/chromium/net/disk_cache/simple/simple_file_tracker_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_histogram_enums.h b/chromium/net/disk_cache/simple/simple_histogram_enums.h
index 01cd170e064..4ad737c1589 100644
--- a/chromium/net/disk_cache/simple/simple_histogram_enums.h
+++ b/chromium/net/disk_cache/simple/simple_histogram_enums.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_histogram_macros.h b/chromium/net/disk_cache/simple/simple_histogram_macros.h
index 192907ff41f..d21ef5c476e 100644
--- a/chromium/net/disk_cache/simple/simple_histogram_macros.h
+++ b/chromium/net/disk_cache/simple/simple_histogram_macros.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_index.cc b/chromium/net/disk_cache/simple/simple_index.cc
index 10f9e62153e..7745824387b 100644
--- a/chromium/net/disk_cache/simple/simple_index.cc
+++ b/chromium/net/disk_cache/simple/simple_index.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_index.h b/chromium/net/disk_cache/simple/simple_index.h
index 3ba0bdc50e8..5f6cf3b241e 100644
--- a/chromium/net/disk_cache/simple/simple_index.h
+++ b/chromium/net/disk_cache/simple/simple_index.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_index_delegate.h b/chromium/net/disk_cache/simple/simple_index_delegate.h
index 00e02a8c987..075dc4517c7 100644
--- a/chromium/net/disk_cache/simple/simple_index_delegate.h
+++ b/chromium/net/disk_cache/simple/simple_index_delegate.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_index_file.cc b/chromium/net/disk_cache/simple/simple_index_file.cc
index bc36558d2cc..73ef905f570 100644
--- a/chromium/net/disk_cache/simple/simple_index_file.cc
+++ b/chromium/net/disk_cache/simple/simple_index_file.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_index_file.h b/chromium/net/disk_cache/simple/simple_index_file.h
index 53cda96e22f..fed23c50c52 100644
--- a/chromium/net/disk_cache/simple/simple_index_file.h
+++ b/chromium/net/disk_cache/simple/simple_index_file.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_index_file_unittest.cc b/chromium/net/disk_cache/simple/simple_index_file_unittest.cc
index 7802c98675f..5473d5cafa5 100644
--- a/chromium/net/disk_cache/simple/simple_index_file_unittest.cc
+++ b/chromium/net/disk_cache/simple/simple_index_file_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_index_unittest.cc b/chromium/net/disk_cache/simple/simple_index_unittest.cc
index 34d2266fed9..6fc3e54204b 100644
--- a/chromium/net/disk_cache/simple/simple_index_unittest.cc
+++ b/chromium/net/disk_cache/simple/simple_index_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_net_log_parameters.cc b/chromium/net/disk_cache/simple/simple_net_log_parameters.cc
index b6d06026193..e146d1359a8 100644
--- a/chromium/net/disk_cache/simple/simple_net_log_parameters.cc
+++ b/chromium/net/disk_cache/simple/simple_net_log_parameters.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_net_log_parameters.h b/chromium/net/disk_cache/simple/simple_net_log_parameters.h
index 443edb30377..fb7f94938f7 100644
--- a/chromium/net/disk_cache/simple/simple_net_log_parameters.h
+++ b/chromium/net/disk_cache/simple/simple_net_log_parameters.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_synchronous_entry.cc b/chromium/net/disk_cache/simple/simple_synchronous_entry.cc
index 8ac5d028cdf..cbeaf88f1fb 100644
--- a/chromium/net/disk_cache/simple/simple_synchronous_entry.cc
+++ b/chromium/net/disk_cache/simple/simple_synchronous_entry.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -215,8 +215,9 @@ using simple_util::GetDataSizeFromFileSize;
 using simple_util::GetFileSizeFromDataSize;
 using simple_util::GetFileIndexFromStreamIndex;
 
-const base::Feature kSimpleCachePrefetchExperiment = {
-    "SimpleCachePrefetchExperiment2", base::FEATURE_DISABLED_BY_DEFAULT};
+BASE_FEATURE(kSimpleCachePrefetchExperiment,
+             "SimpleCachePrefetchExperiment2",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
 const char kSimpleCacheFullPrefetchBytesParam[] = "FullPrefetchBytes";
 constexpr base::FeatureParam<int> kSimpleCacheFullPrefetchSize{
diff --git a/chromium/net/disk_cache/simple/simple_synchronous_entry.h b/chromium/net/disk_cache/simple/simple_synchronous_entry.h
index bf29e5e7f79..a8610d2676e 100644
--- a/chromium/net/disk_cache/simple/simple_synchronous_entry.h
+++ b/chromium/net/disk_cache/simple/simple_synchronous_entry.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -41,7 +41,7 @@ namespace disk_cache {
 class BackendFileOperations;
 class UnboundBackendFileOperations;
 
-NET_EXPORT_PRIVATE extern const base::Feature kSimpleCachePrefetchExperiment;
+NET_EXPORT_PRIVATE BASE_DECLARE_FEATURE(kSimpleCachePrefetchExperiment);
 NET_EXPORT_PRIVATE extern const char kSimpleCacheFullPrefetchBytesParam[];
 NET_EXPORT_PRIVATE extern const char
     kSimpleCacheTrailerPrefetchSpeculativeBytesParam[];
diff --git a/chromium/net/disk_cache/simple/simple_test_util.cc b/chromium/net/disk_cache/simple/simple_test_util.cc
index d62320e0690..4a0058221f0 100644
--- a/chromium/net/disk_cache/simple/simple_test_util.cc
+++ b/chromium/net/disk_cache/simple/simple_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_test_util.h b/chromium/net/disk_cache/simple/simple_test_util.h
index 701e1eb3a85..c1d7f9b2a83 100644
--- a/chromium/net/disk_cache/simple/simple_test_util.h
+++ b/chromium/net/disk_cache/simple/simple_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_util.cc b/chromium/net/disk_cache/simple/simple_util.cc
index ed0b382221d..b29ff3fb1af 100644
--- a/chromium/net/disk_cache/simple/simple_util.cc
+++ b/chromium/net/disk_cache/simple/simple_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_util.h b/chromium/net/disk_cache/simple/simple_util.h
index 6860e39350d..459a2a13f3f 100644
--- a/chromium/net/disk_cache/simple/simple_util.h
+++ b/chromium/net/disk_cache/simple/simple_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_util_posix.cc b/chromium/net/disk_cache/simple/simple_util_posix.cc
index 0a72be27c39..878166e9971 100644
--- a/chromium/net/disk_cache/simple/simple_util_posix.cc
+++ b/chromium/net/disk_cache/simple/simple_util_posix.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_util_unittest.cc b/chromium/net/disk_cache/simple/simple_util_unittest.cc
index 675f310539e..1c6b91b2934 100644
--- a/chromium/net/disk_cache/simple/simple_util_unittest.cc
+++ b/chromium/net/disk_cache/simple/simple_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_util_win.cc b/chromium/net/disk_cache/simple/simple_util_win.cc
index cd211cedf24..c3c79e2ddff 100644
--- a/chromium/net/disk_cache/simple/simple_util_win.cc
+++ b/chromium/net/disk_cache/simple/simple_util_win.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_version_upgrade.cc b/chromium/net/disk_cache/simple/simple_version_upgrade.cc
index fb78d1f4b32..09d80c5af87 100644
--- a/chromium/net/disk_cache/simple/simple_version_upgrade.cc
+++ b/chromium/net/disk_cache/simple/simple_version_upgrade.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_version_upgrade.h b/chromium/net/disk_cache/simple/simple_version_upgrade.h
index 55e764e0e55..e3d58d6111a 100644
--- a/chromium/net/disk_cache/simple/simple_version_upgrade.h
+++ b/chromium/net/disk_cache/simple/simple_version_upgrade.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/disk_cache/simple/simple_version_upgrade_unittest.cc b/chromium/net/disk_cache/simple/simple_version_upgrade_unittest.cc
index 6a10cf8fc88..85345e79884 100644
--- a/chromium/net/disk_cache/simple/simple_version_upgrade_unittest.cc
+++ b/chromium/net/disk_cache/simple/simple_version_upgrade_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/BUILD.gn b/chromium/net/dns/BUILD.gn
index e8f3d6b5091..9f4efcb2244 100644
--- a/chromium/net/dns/BUILD.gn
+++ b/chromium/net/dns/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2018 The Chromium Authors. All rights reserved.
+# Copyright 2018 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -62,9 +62,12 @@ source_set("dns") {
     "host_resolver_mdns_listener_impl.h",
     "host_resolver_mdns_task.cc",
     "host_resolver_mdns_task.h",
+    "host_resolver_nat64_task.cc",
+    "host_resolver_nat64_task.h",
     "host_resolver_proc.cc",
     "host_resolver_proc.h",
-    "host_resolver_results.cc",
+    "host_resolver_system_task.cc",
+    "host_resolver_system_task.h",
     "https_record_rdata.cc",
     "httpssvc_metrics.cc",
     "httpssvc_metrics.h",
@@ -216,7 +219,6 @@ source_set("host_resolver") {
     "dns_config.h",
     "host_cache.h",
     "host_resolver.h",
-    "host_resolver_results.h",
     "mapped_host_resolver.h",
   ]
   public = []
@@ -296,7 +298,7 @@ source_set("dns_client") {
     # chrome/browser/ash/smb_client/discovery/mdns_host_locator.cc
     # Result parsing for results read through MdnsClient.
     # TODO(crbug.com/902531): Remove once migrated to network service.
-    "//chrome/browser/chromeos",
+    "//chrome/browser/ash",
 
     # Tests and test support
     "//chrome/browser:test_support",
@@ -357,7 +359,7 @@ source_set("mdns_client") {
     # chrome/browser/ash/smb_client/discovery/mdns_host_locator.cc
     # Makes MDNS queries using MDnsClient.
     # TODO(crbug.com/902531): Remove once migrated to network service.
-    "//chrome/browser/chromeos",
+    "//chrome/browser/ash",
 
     # Tests and test support
     "//chrome/browser:test_support",
@@ -538,15 +540,6 @@ fuzzer_test("net_dns_https_record_rdata_fuzzer") {
   dict = "//net/data/fuzzer_dictionaries/net_dns_record_fuzzer.dict"
 }
 
-fuzzer_test("net_dns_integrity_record_fuzzer") {
-  sources = [ "integrity_record_fuzzer.cc" ]
-  deps = [
-    "//base",
-    "//net",
-    "//net:net_fuzzer_test_support",
-  ]
-}
-
 fuzzer_test("net_dns_nsswitch_reader_fuzzer") {
   sources = [ "nsswitch_reader_fuzzer.cc" ]
   deps = [
diff --git a/chromium/net/dns/OWNERS b/chromium/net/dns/OWNERS
index d2b5e8663ca..e15a3a2b558 100644
--- a/chromium/net/dns/OWNERS
+++ b/chromium/net/dns/OWNERS
@@ -1,2 +1,3 @@
 ericorth@chromium.org
 dmcardle@chromium.org
+horo@chromium.org
diff --git a/chromium/net/dns/README.md b/chromium/net/dns/README.md
index 87caba0ba08..b958958fc6c 100644
--- a/chromium/net/dns/README.md
+++ b/chromium/net/dns/README.md
@@ -225,11 +225,12 @@ particular resolution sources.
 #### SYSTEM
 
 `net::HostResolverSource::SYSTEM`
-`net::HostResolverManager::TaskType::PROC`
+`net::HostResolverManager::TaskType::SYSTEM`
 
-Implemented by: `net::HostResolverManager::ProcTask`
+Implemented by: `net::HostResolverSystemTask`
 
-Usually called the "system resolver" or sometimes the "proc resolver". Results
+Usually called the "system resolver" or sometimes the "proc resolver" (because
+it was historically always implemented using net::HostResolverProc). Results
 are queried from the system or OS using the `getaddrinfo()` OS API call. This
 source is only capable of address (A and AAAA) resolves but will also query for
 canonname info if the request includes the `HOST_RESOLVER_CANONNAME` flag. The
@@ -248,18 +249,24 @@ always be used for **address resolves** when **any** of the following are true:
 
 Secure DNS requests cannot be made using the system resolver.
 
-`net::HostResolverManager::ProcTask` uses a blocking
-[`base::TaskRunner`](/base/task/task_runner.h) to make blocking resolution requests.
+`net::HostResolverSystemTask` posts a blocking task to a
+[`base::ThreadPool`](/base/task/thread_pool.h) to make blocking resolution
+requests.
 On a timeout, additional attempts are made, but previous attempts are not
 cancelled as there is no cancellation mechanism for `getaddrinfo()`. The first
 attempt to complete is used and any other attempt completions are ignored.
 
-Each attempt calls [`net::HostResolverProc`](/net/dns/host_resolver_proc.h). In
-prod, this is always implemented by a `net::SystemHostResolverProc`, which makes
-the actual call to `getaddrinfo()` using the
-[`net::AddressInfo`](/net/dns/address_info.h) helper, but in tests, the
-`net::HostResolverProc` may be replaced by a chain of test implementations to
-override behavior.
+In prod, the blocking task runner always calls `SystemHostResolverCall()`, which
+makes the actual call to `getaddrinfo()` using the
+[`net::AddressInfo`](/net/dns/address_info.h) helper. In tests, the blocking
+task runner may use a test implementation of
+[`net::HostResolverProc`](/net/dns/host_resolver_proc.h), which itself can be
+chained.
+
+Data collected specifically for this source:
+
+* "Net.DNS.SystemTask.SuccessTime"
+* "Net.DNS.SystemTask.FailureTime"
 
 #### DNS
 
diff --git a/chromium/net/dns/address_info.cc b/chromium/net/dns/address_info.cc
index 334b3cf21e3..c0e2a073140 100644
--- a/chromium/net/dns/address_info.cc
+++ b/chromium/net/dns/address_info.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/address_info.h b/chromium/net/dns/address_info.h
index 144632a8e8a..68de3c167c5 100644
--- a/chromium/net/dns/address_info.h
+++ b/chromium/net/dns/address_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/address_info_unittest.cc b/chromium/net/dns/address_info_unittest.cc
index 56663180a17..6a7a669e821 100644
--- a/chromium/net/dns/address_info_unittest.cc
+++ b/chromium/net/dns/address_info_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/address_sorter.h b/chromium/net/dns/address_sorter.h
index 19162d86e53..cb7872e67c6 100644
--- a/chromium/net/dns/address_sorter.h
+++ b/chromium/net/dns/address_sorter.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/address_sorter_posix.cc b/chromium/net/dns/address_sorter_posix.cc
index 9bd30d0ac84..d4b839652b9 100644
--- a/chromium/net/dns/address_sorter_posix.cc
+++ b/chromium/net/dns/address_sorter_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -25,7 +25,8 @@
 #include <algorithm>
 #include <vector>
 
-#include "base/cxx17_backports.h"
+#include "base/containers/cxx20_erase_vector.h"
+#include "base/containers/unique_ptr_adapters.h"
 #include "base/logging.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
@@ -38,12 +39,11 @@
 #endif
 
 namespace net {
-
 namespace {
-
 // Address sorting is performed according to RFC3484 with revisions.
 // http://tools.ietf.org/html/draft-ietf-6man-rfc3484bis-06
-// Precedence and label are separate to support override through /etc/gai.conf.
+// Precedence and label are separate to support override through
+// /etc/gai.conf.
 
 // Returns true if |p1| should precede |p2| in the table.
 // Sorts table by decreasing prefix size to allow longest prefix matching.
@@ -138,7 +138,8 @@ const AddressSorterPosix::PolicyEntry kDefaultPrecedenceTable[] = {
     {{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF}, 96, 35},
     // 2002::/16 -- 6to4
     {{
-         0x20, 0x02,
+         0x20,
+         0x02,
      },
      16,
      30},
@@ -163,7 +164,8 @@ const AddressSorterPosix::PolicyEntry kDefaultLabelTable[] = {
     {{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF}, 96, 4},
     // 2002::/16 -- 6to4
     {{
-         0x20, 0x02,
+         0x20,
+         0x02,
      },
      16,
      2},
@@ -196,54 +198,56 @@ struct DestinationInfo {
   unsigned precedence;
   unsigned label;
   raw_ptr<const AddressSorterPosix::SourceAddressInfo> src;
+  std::unique_ptr<DatagramClientSocket> socket;
   size_t common_prefix_length;
+  bool failed = false;
 };
 
 // Returns true iff |dst_a| should precede |dst_b| in the address list.
 // RFC 3484, section 6.
-bool CompareDestinations(const std::unique_ptr<DestinationInfo>& dst_a,
-                         const std::unique_ptr<DestinationInfo>& dst_b) {
+bool CompareDestinations(const DestinationInfo& dst_a,
+                         const DestinationInfo& dst_b) {
   // Rule 1: Avoid unusable destinations.
   // Unusable destinations are already filtered out.
-  DCHECK(dst_a->src);
-  DCHECK(dst_b->src);
+  DCHECK(dst_a.src);
+  DCHECK(dst_b.src);
 
   // Rule 2: Prefer matching scope.
-  bool scope_match1 = (dst_a->src->scope == dst_a->scope);
-  bool scope_match2 = (dst_b->src->scope == dst_b->scope);
+  bool scope_match1 = (dst_a.src->scope == dst_a.scope);
+  bool scope_match2 = (dst_b.src->scope == dst_b.scope);
   if (scope_match1 != scope_match2)
     return scope_match1;
 
   // Rule 3: Avoid deprecated addresses.
-  if (dst_a->src->deprecated != dst_b->src->deprecated)
-    return !dst_a->src->deprecated;
+  if (dst_a.src->deprecated != dst_b.src->deprecated)
+    return !dst_a.src->deprecated;
 
   // Rule 4: Prefer home addresses.
-  if (dst_a->src->home != dst_b->src->home)
-    return dst_a->src->home;
+  if (dst_a.src->home != dst_b.src->home)
+    return dst_a.src->home;
 
   // Rule 5: Prefer matching label.
-  bool label_match1 = (dst_a->src->label == dst_a->label);
-  bool label_match2 = (dst_b->src->label == dst_b->label);
+  bool label_match1 = (dst_a.src->label == dst_a.label);
+  bool label_match2 = (dst_b.src->label == dst_b.label);
   if (label_match1 != label_match2)
     return label_match1;
 
   // Rule 6: Prefer higher precedence.
-  if (dst_a->precedence != dst_b->precedence)
-    return dst_a->precedence > dst_b->precedence;
+  if (dst_a.precedence != dst_b.precedence)
+    return dst_a.precedence > dst_b.precedence;
 
   // Rule 7: Prefer native transport.
-  if (dst_a->src->native != dst_b->src->native)
-    return dst_a->src->native;
+  if (dst_a.src->native != dst_b.src->native)
+    return dst_a.src->native;
 
   // Rule 8: Prefer smaller scope.
-  if (dst_a->scope != dst_b->scope)
-    return dst_a->scope < dst_b->scope;
+  if (dst_a.scope != dst_b.scope)
+    return dst_a.scope < dst_b.scope;
 
   // Rule 9: Use longest matching prefix. Only for matching address families.
-  if (dst_a->endpoint.address().size() == dst_b->endpoint.address().size()) {
-    if (dst_a->common_prefix_length != dst_b->common_prefix_length)
-      return dst_a->common_prefix_length > dst_b->common_prefix_length;
+  if (dst_a.endpoint.address().size() == dst_b.endpoint.address().size()) {
+    if (dst_a.common_prefix_length != dst_b.common_prefix_length)
+      return dst_a.common_prefix_length > dst_b.common_prefix_length;
   }
 
   // Rule 10: Leave the order unchanged.
@@ -253,6 +257,82 @@ bool CompareDestinations(const std::unique_ptr<DestinationInfo>& dst_a,
 
 }  // namespace
 
+class AddressSorterPosix::SortContext {
+ public:
+  SortContext(size_t in_num_endpoints,
+              AddressSorter::CallbackType callback,
+              const AddressSorterPosix* sorter)
+      : num_endpoints_(in_num_endpoints),
+        callback_(std::move(callback)),
+        sorter_(sorter) {}
+  ~SortContext() = default;
+  void DidCompleteConnect(IPEndPoint dest, size_t info_index, int rv) {
+    ++num_completed_;
+    if (rv != OK) {
+      VLOG(1) << "Could not connect to " << dest.ToStringWithoutPort()
+              << " reason " << rv;
+      sort_list_[info_index].failed = true;
+      MaybeFinishSort();
+      return;
+    }
+    // Filter out unusable destinations.
+    IPEndPoint src;
+    rv = sort_list_[info_index].socket->GetLocalAddress(&src);
+    if (rv != OK) {
+      LOG(WARNING) << "Could not get local address for "
+                   << dest.ToStringWithoutPort() << " reason " << rv;
+      sort_list_[info_index].failed = true;
+      MaybeFinishSort();
+      return;
+    }
+
+    AddressSorterPosix::SourceAddressInfo& src_info =
+        sorter_->source_map_[src.address()];
+    if (src_info.scope == AddressSorterPosix::SCOPE_UNDEFINED) {
+      // If |source_info_| is out of date, |src| might be missing, but we still
+      // want to sort, even though the HostCache will be cleared soon.
+      sorter_->FillPolicy(src.address(), &src_info);
+    }
+    sort_list_[info_index].src = &src_info;
+
+    if (sort_list_[info_index].endpoint.address().size() ==
+        src.address().size()) {
+      sort_list_[info_index].common_prefix_length =
+          std::min(CommonPrefixLength(sort_list_[info_index].endpoint.address(),
+                                      src.address()),
+                   sort_list_[info_index].src->prefix_length);
+    }
+    MaybeFinishSort();
+  }
+
+  std::vector<DestinationInfo>& sort_list() { return sort_list_; }
+
+ private:
+  void MaybeFinishSort() {
+    // Sort the list of endpoints only after each Connect call has been made.
+    if (num_completed_ != num_endpoints_) {
+      return;
+    }
+    base::EraseIf(sort_list_, [](auto& element) { return element.failed; });
+    std::stable_sort(sort_list_.begin(), sort_list_.end(), CompareDestinations);
+
+    std::vector<IPEndPoint> sorted_result;
+    for (const auto& info : sort_list_)
+      sorted_result.push_back(info.endpoint);
+
+    CallbackType callback = std::move(callback_);
+    sorter_->FinishedSort(this);  // deletes this
+    std::move(callback).Run(true, std::move(sorted_result));
+  }
+
+  const size_t num_endpoints_;
+  size_t num_completed_ = 0;
+  std::vector<DestinationInfo> sort_list_;
+  AddressSorter::CallbackType callback_;
+
+  const AddressSorterPosix* sorter_;
+};
+
 AddressSorterPosix::AddressSorterPosix(ClientSocketFactory* socket_factory)
     : socket_factory_(socket_factory),
       precedence_table_(LoadPolicy(kDefaultPrecedenceTable,
@@ -273,64 +353,36 @@ AddressSorterPosix::~AddressSorterPosix() {
 void AddressSorterPosix::Sort(const std::vector<IPEndPoint>& endpoints,
                               CallbackType callback) const {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
-  std::vector<std::unique_ptr<DestinationInfo>> sort_list;
-
+  sort_contexts_.insert(std::make_unique<SortContext>(
+      endpoints.size(), std::move(callback), this));
+  auto* sort_context = sort_contexts_.rbegin()->get();
   for (const IPEndPoint& endpoint : endpoints) {
-    auto info = std::make_unique<DestinationInfo>();
-    info->endpoint = endpoint;
-    info->scope = GetScope(ipv4_scope_table_, info->endpoint.address());
-    info->precedence =
-        GetPolicyValue(precedence_table_, info->endpoint.address());
-    info->label = GetPolicyValue(label_table_, info->endpoint.address());
+    DestinationInfo info;
+    info.endpoint = endpoint;
+    info.scope = GetScope(ipv4_scope_table_, info.endpoint.address());
+    info.precedence =
+        GetPolicyValue(precedence_table_, info.endpoint.address());
+    info.label = GetPolicyValue(label_table_, info.endpoint.address());
 
     // Each socket can only be bound once.
-    std::unique_ptr<DatagramClientSocket> socket(
-        socket_factory_->CreateDatagramClientSocket(
-            DatagramSocket::DEFAULT_BIND, nullptr /* NetLog */,
-            NetLogSource()));
-
-    IPEndPoint dest = info->endpoint;
+    info.socket = socket_factory_->CreateDatagramClientSocket(
+        DatagramSocket::DEFAULT_BIND, nullptr /* NetLog */, NetLogSource());
+    IPEndPoint dest = info.endpoint;
     // Even though no packets are sent, cannot use port 0 in Connect.
-    if (dest.port() == 0)
+    if (dest.port() == 0) {
       dest = IPEndPoint(dest.address(), /*port=*/80);
-    int rv = socket->Connect(dest);
-    if (rv != OK) {
-      VLOG(1) << "Could not connect to " << dest.ToStringWithoutPort()
-              << " reason " << rv;
-      continue;
     }
-    // Filter out unusable destinations.
-    IPEndPoint src;
-    rv = socket->GetLocalAddress(&src);
-    if (rv != OK) {
-      LOG(WARNING) << "Could not get local address for "
-                   << dest.ToStringWithoutPort() << " reason " << rv;
-      continue;
-    }
-
-    SourceAddressInfo& src_info = source_map_[src.address()];
-    if (src_info.scope == SCOPE_UNDEFINED) {
-      // If |source_info_| is out of date, |src| might be missing, but we still
-      // want to sort, even though the HostCache will be cleared soon.
-      FillPolicy(src.address(), &src_info);
-    }
-    info->src = &src_info;
-
-    if (info->endpoint.address().size() == src.address().size()) {
-      info->common_prefix_length =
-          std::min(CommonPrefixLength(info->endpoint.address(), src.address()),
-                   info->src->prefix_length);
+    sort_context->sort_list().push_back(std::move(info));
+    size_t info_index = sort_context->sort_list().size() - 1;
+    // Destroying a SortContext destroys the underlying socket.
+    int rv = sort_context->sort_list().back().socket->ConnectAsync(
+        dest,
+        base::BindOnce(&AddressSorterPosix::SortContext::DidCompleteConnect,
+                       base::Unretained(sort_context), dest, info_index));
+    if (rv != ERR_IO_PENDING) {
+      sort_context->DidCompleteConnect(dest, info_index, rv);
     }
-    sort_list.push_back(std::move(info));
   }
-
-  std::stable_sort(sort_list.begin(), sort_list.end(), CompareDestinations);
-
-  std::vector<IPEndPoint> sorted_result;
-  for (const auto& info : sort_list)
-    sorted_result.push_back(info->endpoint);
-
-  std::move(callback).Run(true, std::move(sorted_result));
 }
 
 void AddressSorterPosix::OnIPAddressChanged() {
@@ -380,7 +432,7 @@ void AddressSorterPosix::OnIPAddressChanged() {
       strncpy(ifr.ifr_name, ifa->ifa_name, sizeof(ifr.ifr_name) - 1);
       DCHECK_LE(ifa->ifa_addr->sa_len, sizeof(ifr.ifr_ifru.ifru_addr));
       memcpy(&ifr.ifr_ifru.ifru_addr, ifa->ifa_addr, ifa->ifa_addr->sa_len);
-      int rv = ioctl(ioctl_socket, SIOCGIFAFLAG_IN6, &ifr);
+      rv = ioctl(ioctl_socket, SIOCGIFAFLAG_IN6, &ifr);
       if (rv >= 0) {
         info.deprecated = ifr.ifr_ifru.ifru_flags & IN6_IFF_DEPRECATED;
       } else {
@@ -409,6 +461,11 @@ void AddressSorterPosix::FillPolicy(const IPAddress& address,
   info->label = GetPolicyValue(label_table_, address);
 }
 
+void AddressSorterPosix::FinishedSort(SortContext* sort_context) const {
+  auto it = sort_contexts_.find(sort_context);
+  sort_contexts_.erase(it);
+}
+
 // static
 std::unique_ptr<AddressSorter> AddressSorter::CreateAddressSorter() {
   return std::make_unique<AddressSorterPosix>(
diff --git a/chromium/net/dns/address_sorter_posix.h b/chromium/net/dns/address_sorter_posix.h
index 7f6919ce5d4..07af528f60d 100644
--- a/chromium/net/dns/address_sorter_posix.h
+++ b/chromium/net/dns/address_sorter_posix.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,12 +8,15 @@
 #include <map>
 #include <vector>
 
+#include "base/containers/unique_ptr_adapters.h"
 #include "base/memory/raw_ptr.h"
+#include "base/memory/ref_counted.h"
 #include "base/threading/thread_checker.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_export.h"
 #include "net/base/network_change_notifier.h"
 #include "net/dns/address_sorter.h"
+#include "net/socket/datagram_client_socket.h"
 
 namespace net {
 
@@ -71,13 +74,15 @@ class NET_EXPORT_PRIVATE AddressSorterPosix
 
  private:
   friend class AddressSorterPosixTest;
+  class SortContext;
 
   // NetworkChangeNotifier::IPAddressObserver:
   void OnIPAddressChanged() override;
-
   // Fills |info| with values for |address| from policy tables.
   void FillPolicy(const IPAddress& address, SourceAddressInfo* info) const;
 
+  void FinishedSort(SortContext* sort_context) const;
+
   // Mutable to allow using default values for source addresses which were not
   // found in most recent OnIPAddressChanged.
   mutable SourceAddressMap source_map_;
@@ -87,6 +92,13 @@ class NET_EXPORT_PRIVATE AddressSorterPosix
   PolicyTable label_table_;
   PolicyTable ipv4_scope_table_;
 
+  // SortContext stores data for an outstanding Sort() that is completing
+  // asynchronously. Mutable to allow pushing a new SortContext when Sort is
+  // called. Since Sort can be called multiple times, a container is necessary
+  // to track different SortContexts.
+  mutable std::set<std::unique_ptr<SortContext>, base::UniquePtrComparator>
+      sort_contexts_;
+
   THREAD_CHECKER(thread_checker_);
 };
 
diff --git a/chromium/net/dns/address_sorter_posix_unittest.cc b/chromium/net/dns/address_sorter_posix_unittest.cc
index 124aa2f0d6a..a2e8f26bb06 100644
--- a/chromium/net/dns/address_sorter_posix_unittest.cc
+++ b/chromium/net/dns/address_sorter_posix_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -12,6 +12,7 @@
 #include "base/check_op.h"
 #include "base/memory/raw_ptr.h"
 #include "base/notreached.h"
+#include "base/threading/thread_task_runner_handle.h"
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
@@ -42,8 +43,10 @@ IPAddress ParseIP(const std::string& str) {
 // A mock socket which binds to source address according to AddressMapping.
 class TestUDPClientSocket : public DatagramClientSocket {
  public:
-  explicit TestUDPClientSocket(const AddressMapping* mapping)
-      : mapping_(mapping) {}
+  enum class ConnectMode { kSynchronous, kAsynchronous, kAsynchronousManual };
+  explicit TestUDPClientSocket(const AddressMapping* mapping,
+                               ConnectMode connect_mode)
+      : mapping_(mapping), connect_mode_(connect_mode) {}
 
   TestUDPClientSocket(const TestUDPClientSocket&) = delete;
   TestUDPClientSocket& operator=(const TestUDPClientSocket&) = delete;
@@ -87,10 +90,43 @@ class TestUDPClientSocket : public DatagramClientSocket {
     NOTIMPLEMENTED();
     return ERR_NOT_IMPLEMENTED;
   }
+
   int ConnectUsingDefaultNetwork(const IPEndPoint& address) override {
     NOTIMPLEMENTED();
     return ERR_NOT_IMPLEMENTED;
   }
+
+  int ConnectAsync(const IPEndPoint& address,
+                   CompletionOnceCallback callback) override {
+    DCHECK(callback);
+    int rv = Connect(address);
+    finish_connect_callback_ =
+        base::BindOnce(&TestUDPClientSocket::RunConnectCallback,
+                       weak_ptr_factory_.GetWeakPtr(), std::move(callback), rv);
+    if (connect_mode_ == ConnectMode::kAsynchronous) {
+      base::ThreadTaskRunnerHandle::Get()->PostTask(
+          FROM_HERE, std::move(finish_connect_callback_));
+      return ERR_IO_PENDING;
+    } else if (connect_mode_ == ConnectMode::kAsynchronousManual) {
+      return ERR_IO_PENDING;
+    }
+    return rv;
+  }
+
+  int ConnectUsingNetworkAsync(handles::NetworkHandle network,
+                               const IPEndPoint& address,
+                               CompletionOnceCallback callback) override {
+    NOTIMPLEMENTED();
+    return ERR_NOT_IMPLEMENTED;
+  }
+
+  int ConnectUsingDefaultNetworkAsync(
+      const IPEndPoint& address,
+      CompletionOnceCallback callback) override {
+    NOTIMPLEMENTED();
+    return ERR_NOT_IMPLEMENTED;
+  }
+
   handles::NetworkHandle GetBoundNetwork() const override {
     return handles::kInvalidNetworkHandle;
   }
@@ -110,11 +146,20 @@ class TestUDPClientSocket : public DatagramClientSocket {
 
   const NetLogWithSource& NetLog() const override { return net_log_; }
 
+  void FinishConnect() { std::move(finish_connect_callback_).Run(); }
+
  private:
+  void RunConnectCallback(CompletionOnceCallback callback, int rv) {
+    std::move(callback).Run(rv);
+  }
   NetLogWithSource net_log_;
   raw_ptr<const AddressMapping> mapping_;
   bool connected_ = false;
   IPEndPoint local_endpoint_;
+  ConnectMode connect_mode_;
+  base::OnceClosure finish_connect_callback_;
+
+  base::WeakPtrFactory<TestUDPClientSocket> weak_ptr_factory_{this};
 };
 
 // Creates TestUDPClientSockets and maintains an AddressMapping.
@@ -131,7 +176,12 @@ class TestSocketFactory : public ClientSocketFactory {
       DatagramSocket::BindType,
       NetLog*,
       const NetLogSource&) override {
-    return std::make_unique<TestUDPClientSocket>(&mapping_);
+    auto new_socket =
+        std::make_unique<TestUDPClientSocket>(&mapping_, connect_mode_);
+    if (socket_create_callback_) {
+      socket_create_callback_.Run(new_socket.get());
+    }
+    return new_socket;
   }
   std::unique_ptr<TransportClientSocket> CreateTransportClientSocket(
       const AddressList&,
@@ -153,16 +203,28 @@ class TestSocketFactory : public ClientSocketFactory {
   void AddMapping(const IPAddress& dst, const IPAddress& src) {
     mapping_[dst] = src;
   }
+  void SetConnectMode(TestUDPClientSocket::ConnectMode connect_mode) {
+    connect_mode_ = connect_mode;
+  }
+  void SetSocketCreateCallback(
+      base::RepeatingCallback<void(TestUDPClientSocket*)>
+          socket_create_callback) {
+    socket_create_callback_ = std::move(socket_create_callback);
+  }
 
  private:
   AddressMapping mapping_;
+  TestUDPClientSocket::ConnectMode connect_mode_;
+  base::RepeatingCallback<void(TestUDPClientSocket*)> socket_create_callback_;
 };
 
-void OnSortComplete(std::vector<IPEndPoint>* sorted_buf,
+void OnSortComplete(bool& completed,
+                    std::vector<IPEndPoint>* sorted_buf,
                     CompletionOnceCallback callback,
                     bool success,
                     std::vector<IPEndPoint> sorted) {
   EXPECT_TRUE(success);
+  completed = true;
   if (success)
     *sorted_buf = std::move(sorted);
   std::move(callback).Run(OK);
@@ -174,21 +236,49 @@ void OnSortComplete(std::vector<IPEndPoint>* sorted_buf,
 // constructor of AddressSorterPosix.
 class AddressSorterPosixTest : public TestWithTaskEnvironment {
  protected:
-  AddressSorterPosixTest() : sorter_(&socket_factory_) {}
+  AddressSorterPosixTest()
+      : sorter_(std::make_unique<AddressSorterPosix>(&socket_factory_)) {}
 
   void AddMapping(const std::string& dst, const std::string& src) {
     socket_factory_.AddMapping(ParseIP(dst), ParseIP(src));
   }
 
+  void SetSocketCreateCallback(
+      base::RepeatingCallback<void(TestUDPClientSocket*)>
+          socket_create_callback) {
+    socket_factory_.SetSocketCreateCallback(std::move(socket_create_callback));
+  }
+
+  void SetConnectMode(TestUDPClientSocket::ConnectMode connect_mode) {
+    socket_factory_.SetConnectMode(connect_mode);
+  }
+
   AddressSorterPosix::SourceAddressInfo* GetSourceInfo(
       const std::string& addr) {
     IPAddress address = ParseIP(addr);
-    AddressSorterPosix::SourceAddressInfo* info = &sorter_.source_map_[address];
+    AddressSorterPosix::SourceAddressInfo* info =
+        &sorter_->source_map_[address];
     if (info->scope == AddressSorterPosix::SCOPE_UNDEFINED)
-      sorter_.FillPolicy(address, info);
+      sorter_->FillPolicy(address, info);
     return info;
   }
 
+  TestSocketFactory socket_factory_;
+  std::unique_ptr<AddressSorterPosix> sorter_;
+  bool completed_ = false;
+
+ private:
+  friend class AddressSorterPosixSyncOrAsyncTest;
+};
+
+// Parameterized subclass of AddressSorterPosixTest. Necessary because not every
+// test needs to be parameterized.
+class AddressSorterPosixSyncOrAsyncTest
+    : public AddressSorterPosixTest,
+      public testing::WithParamInterface<TestUDPClientSocket::ConnectMode> {
+ protected:
+  AddressSorterPosixSyncOrAsyncTest() { SetConnectMode(GetParam()); }
+
   // Verify that NULL-terminated |addresses| matches (-1)-terminated |order|
   // after sorting.
   void Verify(const char* const addresses[], const int order[]) {
@@ -200,8 +290,9 @@ class AddressSorterPosixTest : public TestWithTaskEnvironment {
 
     std::vector<IPEndPoint> sorted;
     TestCompletionCallback callback;
-    sorter_.Sort(endpoints,
-                 base::BindOnce(&OnSortComplete, &sorted, callback.callback()));
+    sorter_->Sort(endpoints,
+                  base::BindOnce(&OnSortComplete, std::ref(completed_), &sorted,
+                                 callback.callback()));
     callback.WaitForResult();
 
     for (size_t i = 0; (i < sorted.size()) || (order[i] >= 0); ++i) {
@@ -212,14 +303,18 @@ class AddressSorterPosixTest : public TestWithTaskEnvironment {
           << "  Actual: " << actual.ToString() << "\n"
           << "Expected: " << expected.ToString();
     }
+    EXPECT_TRUE(completed_);
   }
-
-  TestSocketFactory socket_factory_;
-  AddressSorterPosix sorter_;
 };
 
+INSTANTIATE_TEST_SUITE_P(
+    AddressSorterPosix,
+    AddressSorterPosixSyncOrAsyncTest,
+    ::testing::Values(TestUDPClientSocket::ConnectMode::kSynchronous,
+                      TestUDPClientSocket::ConnectMode::kAsynchronous));
+
 // Rule 1: Avoid unusable destinations.
-TEST_F(AddressSorterPosixTest, Rule1) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule1) {
   AddMapping("10.0.0.231", "10.0.0.1");
   const char* const addresses[] = {"::1", "10.0.0.231", "127.0.0.1", nullptr};
   const int order[] = { 1, -1 };
@@ -227,7 +322,7 @@ TEST_F(AddressSorterPosixTest, Rule1) {
 }
 
 // Rule 2: Prefer matching scope.
-TEST_F(AddressSorterPosixTest, Rule2) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule2) {
   AddMapping("3002::1", "4000::10");      // matching global
   AddMapping("ff32::1", "fe81::10");      // matching link-local
   AddMapping("fec1::1", "fec1::10");      // matching node-local
@@ -245,7 +340,7 @@ TEST_F(AddressSorterPosixTest, Rule2) {
 }
 
 // Rule 3: Avoid deprecated addresses.
-TEST_F(AddressSorterPosixTest, Rule3) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule3) {
   // Matching scope.
   AddMapping("3002::1", "4000::10");
   GetSourceInfo("4000::10")->deprecated = true;
@@ -256,7 +351,7 @@ TEST_F(AddressSorterPosixTest, Rule3) {
 }
 
 // Rule 4: Prefer home addresses.
-TEST_F(AddressSorterPosixTest, Rule4) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule4) {
   AddMapping("3002::1", "4000::10");
   AddMapping("3002::2", "4000::20");
   GetSourceInfo("4000::20")->home = true;
@@ -266,7 +361,7 @@ TEST_F(AddressSorterPosixTest, Rule4) {
 }
 
 // Rule 5: Prefer matching label.
-TEST_F(AddressSorterPosixTest, Rule5) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule5) {
   AddMapping("::1", "::1");                       // matching loopback
   AddMapping("::ffff:1234:1", "::ffff:1234:10");  // matching IPv4-mapped
   AddMapping("2001::1", "::ffff:1234:10");        // Teredo vs. IPv4-mapped
@@ -283,7 +378,7 @@ TEST_F(AddressSorterPosixTest, Rule5) {
 }
 
 // Rule 6: Prefer higher precedence.
-TEST_F(AddressSorterPosixTest, Rule6) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule6) {
   AddMapping("::1", "::1");                       // loopback
   AddMapping("ff32::1", "fe81::10");              // multicast
   AddMapping("::ffff:1234:1", "::ffff:1234:10");  // IPv4-mapped
@@ -295,7 +390,7 @@ TEST_F(AddressSorterPosixTest, Rule6) {
 }
 
 // Rule 7: Prefer native transport.
-TEST_F(AddressSorterPosixTest, Rule7) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule7) {
   AddMapping("3002::1", "4000::10");
   AddMapping("3002::2", "4000::20");
   GetSourceInfo("4000::20")->native = true;
@@ -305,7 +400,7 @@ TEST_F(AddressSorterPosixTest, Rule7) {
 }
 
 // Rule 8: Prefer smaller scope.
-TEST_F(AddressSorterPosixTest, Rule8) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule8) {
   // Matching scope. Should precede the others by Rule 2.
   AddMapping("fe81::1", "fe81::10");  // link-local
   AddMapping("3000::1", "4000::10");  // global
@@ -320,7 +415,7 @@ TEST_F(AddressSorterPosixTest, Rule8) {
 }
 
 // Rule 9: Use longest matching prefix.
-TEST_F(AddressSorterPosixTest, Rule9) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule9) {
   AddMapping("3000::1", "3000:ffff::10");  // 16 bit match
   GetSourceInfo("3000:ffff::10")->prefix_length = 16;
   AddMapping("4000::1", "4000::10");       // 123 bit match, limited to 15
@@ -334,7 +429,7 @@ TEST_F(AddressSorterPosixTest, Rule9) {
 }
 
 // Rule 10: Leave the order unchanged.
-TEST_F(AddressSorterPosixTest, Rule10) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, Rule10) {
   AddMapping("4000::1", "4000::10");
   AddMapping("4000::2", "4000::10");
   AddMapping("4000::3", "4000::10");
@@ -343,7 +438,7 @@ TEST_F(AddressSorterPosixTest, Rule10) {
   Verify(addresses, order);
 }
 
-TEST_F(AddressSorterPosixTest, MultipleRules) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, MultipleRules) {
   AddMapping("::1", "::1");           // loopback
   AddMapping("ff32::1", "fe81::10");  // link-local multicast
   AddMapping("ff3e::1", "4000::10");  // global multicast
@@ -356,7 +451,7 @@ TEST_F(AddressSorterPosixTest, MultipleRules) {
   Verify(addresses, order);
 }
 
-TEST_F(AddressSorterPosixTest, InputPortsAreMaintained) {
+TEST_P(AddressSorterPosixSyncOrAsyncTest, InputPortsAreMaintained) {
   AddMapping("::1", "::1");
   AddMapping("::2", "::2");
   AddMapping("::3", "::3");
@@ -368,11 +463,67 @@ TEST_F(AddressSorterPosixTest, InputPortsAreMaintained) {
   std::vector<IPEndPoint> input = {endpoint1, endpoint2, endpoint3};
   std::vector<IPEndPoint> sorted;
   TestCompletionCallback callback;
-  sorter_.Sort(input,
-               base::BindOnce(&OnSortComplete, &sorted, callback.callback()));
+  sorter_->Sort(input, base::BindOnce(&OnSortComplete, std::ref(completed_),
+                                      &sorted, callback.callback()));
   callback.WaitForResult();
 
   EXPECT_THAT(sorted, testing::ElementsAre(endpoint1, endpoint2, endpoint3));
 }
 
+TEST_P(AddressSorterPosixSyncOrAsyncTest, AddressSorterPosixDestroyed) {
+  AddMapping("::1", "::1");
+  AddMapping("::2", "::2");
+  AddMapping("::3", "::3");
+
+  IPEndPoint endpoint1(ParseIP("::1"), /*port=*/111);
+  IPEndPoint endpoint2(ParseIP("::2"), /*port=*/222);
+  IPEndPoint endpoint3(ParseIP("::3"), /*port=*/333);
+
+  std::vector<IPEndPoint> input = {endpoint1, endpoint2, endpoint3};
+  std::vector<IPEndPoint> sorted;
+  TestCompletionCallback callback;
+  sorter_->Sort(input, base::BindOnce(&OnSortComplete, std::ref(completed_),
+                                      &sorted, callback.callback()));
+  sorter_.reset();
+  base::RunLoop().RunUntilIdle();
+
+  TestUDPClientSocket::ConnectMode connect_mode = GetParam();
+  if (connect_mode == TestUDPClientSocket::ConnectMode::kAsynchronous) {
+    EXPECT_FALSE(completed_);
+  } else {
+    EXPECT_TRUE(completed_);
+  }
+}
+
+TEST_F(AddressSorterPosixTest, RandomAsyncSocketOrder) {
+  SetConnectMode(TestUDPClientSocket::ConnectMode::kAsynchronousManual);
+  std::vector<TestUDPClientSocket*> created_sockets;
+  SetSocketCreateCallback(base::BindRepeating(
+      [](std::vector<TestUDPClientSocket*>& created_sockets,
+         TestUDPClientSocket* socket) { created_sockets.push_back(socket); },
+      std::ref(created_sockets)));
+
+  AddMapping("::1", "::1");
+  AddMapping("::2", "::2");
+  AddMapping("::3", "::3");
+
+  IPEndPoint endpoint1(ParseIP("::1"), /*port=*/111);
+  IPEndPoint endpoint2(ParseIP("::2"), /*port=*/222);
+  IPEndPoint endpoint3(ParseIP("::3"), /*port=*/333);
+
+  std::vector<IPEndPoint> input = {endpoint1, endpoint2, endpoint3};
+  std::vector<IPEndPoint> sorted;
+  TestCompletionCallback callback;
+  sorter_->Sort(input, base::BindOnce(&OnSortComplete, std::ref(completed_),
+                                      &sorted, callback.callback()));
+
+  ASSERT_EQ(created_sockets.size(), 3u);
+  created_sockets[1]->FinishConnect();
+  created_sockets[2]->FinishConnect();
+  created_sockets[0]->FinishConnect();
+
+  base::RunLoop().RunUntilIdle();
+  EXPECT_TRUE(completed_);
+}
+
 }  // namespace net
diff --git a/chromium/net/dns/address_sorter_unittest.cc b/chromium/net/dns/address_sorter_unittest.cc
index 534a23d8831..bacea6fa247 100644
--- a/chromium/net/dns/address_sorter_unittest.cc
+++ b/chromium/net/dns/address_sorter_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/address_sorter_win.cc b/chromium/net/dns/address_sorter_win.cc
index dc02848e17b..a8cfe286e40 100644
--- a/chromium/net/dns/address_sorter_win.cc
+++ b/chromium/net/dns/address_sorter_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/context_host_resolver.cc b/chromium/net/dns/context_host_resolver.cc
index ba0edc91f28..066fc004b58 100644
--- a/chromium/net/dns/context_host_resolver.cc
+++ b/chromium/net/dns/context_host_resolver.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -12,13 +12,13 @@
 #include "base/strings/string_piece.h"
 #include "base/time/tick_clock.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/dns/dns_config.h"
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_manager.h"
 #include "net/dns/host_resolver_proc.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/resolve_error_info.h"
 #include "net/dns/resolve_context.h"
 #include "net/log/net_log_with_source.h"
@@ -69,7 +69,7 @@ void ContextHostResolver::OnShutdown() {
 std::unique_ptr<HostResolver::ResolveHostRequest>
 ContextHostResolver::CreateRequest(
     url::SchemeHostPort host,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     NetLogWithSource source_net_log,
     absl::optional<ResolveHostParameters> optional_parameters) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -78,7 +78,7 @@ ContextHostResolver::CreateRequest(
     return HostResolver::CreateFailingRequest(ERR_CONTEXT_SHUT_DOWN);
 
   return manager_->CreateRequest(
-      std::move(host), std::move(network_isolation_key),
+      Host(std::move(host)), std::move(network_anonymization_key),
       std::move(source_net_log), std::move(optional_parameters),
       resolve_context_.get(), resolve_context_->host_cache());
 }
@@ -86,7 +86,7 @@ ContextHostResolver::CreateRequest(
 std::unique_ptr<HostResolver::ResolveHostRequest>
 ContextHostResolver::CreateRequest(
     const HostPortPair& host,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const NetLogWithSource& source_net_log,
     const absl::optional<ResolveHostParameters>& optional_parameters) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -94,9 +94,9 @@ ContextHostResolver::CreateRequest(
   if (shutting_down_)
     return HostResolver::CreateFailingRequest(ERR_CONTEXT_SHUT_DOWN);
 
-  return manager_->CreateRequest(host, network_isolation_key, source_net_log,
-                                 optional_parameters, resolve_context_.get(),
-                                 resolve_context_->host_cache());
+  return manager_->CreateRequest(
+      host, network_anonymization_key, source_net_log, optional_parameters,
+      resolve_context_.get(), resolve_context_->host_cache());
 }
 
 std::unique_ptr<HostResolver::ProbeRequest>
@@ -156,9 +156,10 @@ size_t ContextHostResolver::CacheSize() const {
                                         : 0;
 }
 
-void ContextHostResolver::SetProcParamsForTesting(
-    const ProcTaskParams& proc_params) {
-  manager_->set_proc_params_for_test(proc_params);
+void ContextHostResolver::SetHostResolverSystemParamsForTest(
+    const HostResolverSystemTask::Params& host_resolver_system_params) {
+  manager_->set_host_resolver_system_params_for_test(  // IN-TEST
+      host_resolver_system_params);
 }
 
 void ContextHostResolver::SetTickClockForTesting(
diff --git a/chromium/net/dns/context_host_resolver.h b/chromium/net/dns/context_host_resolver.h
index 7499d699f72..49d161eefd7 100644
--- a/chromium/net/dns/context_host_resolver.h
+++ b/chromium/net/dns/context_host_resolver.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,6 +15,7 @@
 #include "net/base/network_handle.h"
 #include "net/base/network_isolation_key.h"
 #include "net/dns/host_resolver.h"
+#include "net/dns/host_resolver_system_task.h"
 #include "net/log/net_log_with_source.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/scheme_host_port.h"
@@ -27,7 +28,6 @@ namespace net {
 
 class HostCache;
 class HostResolverManager;
-struct ProcTaskParams;
 class ResolveContext;
 class URLRequestContext;
 
@@ -55,12 +55,12 @@ class NET_EXPORT ContextHostResolver : public HostResolver {
   void OnShutdown() override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       url::SchemeHostPort host,
-      NetworkIsolationKey network_isolation_key,
+      NetworkAnonymizationKey network_anonymization_key,
       NetLogWithSource net_log,
       absl::optional<ResolveHostParameters> optional_parameters) override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const NetLogWithSource& net_log,
       const absl::optional<ResolveHostParameters>& optional_parameters)
       override;
@@ -81,7 +81,8 @@ class NET_EXPORT ContextHostResolver : public HostResolver {
   // Returns the number of entries in the host cache, or 0 if there is no cache.
   size_t CacheSize() const;
 
-  void SetProcParamsForTesting(const ProcTaskParams& proc_params);
+  void SetHostResolverSystemParamsForTest(
+      const HostResolverSystemTask::Params& host_resolver_system_params);
   void SetTickClockForTesting(const base::TickClock* tick_clock);
   ResolveContext* resolve_context_for_testing() {
     return resolve_context_.get();
diff --git a/chromium/net/dns/context_host_resolver_unittest.cc b/chromium/net/dns/context_host_resolver_unittest.cc
index 4369636fbb5..a27584136f4 100644
--- a/chromium/net/dns/context_host_resolver_unittest.cc
+++ b/chromium/net/dns/context_host_resolver_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -30,6 +30,7 @@
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_manager.h"
+#include "net/dns/host_resolver_system_task.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/dns/public/dns_over_https_config.h"
 #include "net/dns/public/dns_protocol.h"
@@ -99,7 +100,8 @@ class ContextHostResolverTest : public ::testing::Test,
     EXPECT_TRUE(dns_client_->GetEffectiveConfig());
 
     scoped_refptr<HostResolverProc> proc = CreateCatchAllHostResolverProc();
-    manager_->set_proc_params_for_test(ProcTaskParams(proc, 1u));
+    manager_->set_host_resolver_system_params_for_test(
+        HostResolverSystemTask::Params(proc, 1u));
   }
 
   raw_ptr<MockDnsClient> dns_client_;
@@ -126,7 +128,7 @@ TEST_F(ContextHostResolverTest, Resolve) {
       manager_.get(), std::move(resolve_context));
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
 
   TestCompletionCallback callback;
@@ -158,7 +160,7 @@ TEST_F(ContextHostResolverTest, ResolveWithScheme) {
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(
           url::SchemeHostPort(url::kHttpsScheme, "example.com", 100),
-          NetworkIsolationKey(), NetLogWithSource(), absl::nullopt);
+          NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
@@ -181,7 +183,7 @@ TEST_F(ContextHostResolverTest, ResolveWithSchemeAndIpLiteral) {
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(
           url::SchemeHostPort(url::kHttpsScheme, "[1234::5678]", 100),
-          NetworkIsolationKey(), NetLogWithSource(), absl::nullopt);
+          NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
@@ -211,7 +213,7 @@ TEST_F(ContextHostResolverTest, DestroyRequest) {
                                        false /* enable_caching */));
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
 
   TestCompletionCallback callback;
@@ -314,7 +316,7 @@ TEST_F(ContextHostResolverTest, DestroyResolver) {
                                        false /* enable_caching */));
   std::unique_ptr<HostResolver::ResolveHostRequest> request1 =
       resolver1->CreateRequest(HostPortPair("example.com", 100),
-                               NetworkIsolationKey(), NetLogWithSource(),
+                               NetworkAnonymizationKey(), NetLogWithSource(),
                                absl::nullopt);
   auto resolver2 = std::make_unique<ContextHostResolver>(
       manager_.get(),
@@ -322,7 +324,7 @@ TEST_F(ContextHostResolverTest, DestroyResolver) {
                                        false /* enable_caching */));
   std::unique_ptr<HostResolver::ResolveHostRequest> request2 =
       resolver2->CreateRequest(HostPortPair("google.com", 100),
-                               NetworkIsolationKey(), NetLogWithSource(),
+                               NetworkAnonymizationKey(), NetLogWithSource(),
                                absl::nullopt);
 
   TestCompletionCallback callback1;
@@ -364,7 +366,7 @@ TEST_F(ContextHostResolverTest, DestroyResolver_CompletedRequests) {
                                        false /* enable_caching */));
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
 
   // Complete request and then destroy the resolver.
@@ -398,7 +400,7 @@ TEST_F(ContextHostResolverTest, DestroyResolver_DelayedStartRequest) {
                                        false /* enable_caching */));
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
 
   resolver = nullptr;
@@ -452,7 +454,7 @@ TEST_F(ContextHostResolverTest, OnShutdown_PendingRequest) {
       manager_.get(), std::move(resolve_context));
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
 
   TestCompletionCallback callback;
@@ -487,7 +489,7 @@ TEST_F(ContextHostResolverTest, OnShutdown_CompletedRequests) {
       manager_.get(), std::move(resolve_context));
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
 
   // Complete request and then shutdown the resolver.
@@ -512,11 +514,11 @@ TEST_F(ContextHostResolverTest, OnShutdown_SubsequentRequests) {
 
   std::unique_ptr<HostResolver::ResolveHostRequest> request1 =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
   std::unique_ptr<HostResolver::ResolveHostRequest> request2 =
       resolver->CreateRequest(HostPortPair("127.0.0.1", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
 
   TestCompletionCallback callback1;
@@ -573,7 +575,7 @@ TEST_F(ContextHostResolverTest, OnShutdown_DelayedStartRequest) {
       manager_.get(), std::move(resolve_context));
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
 
   resolver->OnShutdown();
@@ -623,7 +625,7 @@ TEST_F(ContextHostResolverTest, ResolveFromCache) {
   host_cache->Set(
       HostCache::Key("example.com", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey()),
+                     NetworkAnonymizationKey()),
       HostCache::Entry(OK, expected,
                        /*aliases=*/std::set<std::string>({"example.com"}),
                        HostCache::Entry::SOURCE_DNS, base::Days(1)),
@@ -638,7 +640,7 @@ TEST_F(ContextHostResolverTest, ResolveFromCache) {
       HostResolver::ResolveHostParameters::CacheUsage::STALE_ALLOWED;
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               parameters);
 
   TestCompletionCallback callback;
@@ -671,7 +673,7 @@ TEST_F(ContextHostResolverTest, ResultsAddedToCache) {
 
   std::unique_ptr<HostResolver::ResolveHostRequest> caching_request =
       resolver->CreateRequest(HostPortPair("example.com", 103),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
   TestCompletionCallback caching_callback;
   int rv = caching_request->Start(caching_callback.callback());
@@ -681,7 +683,7 @@ TEST_F(ContextHostResolverTest, ResultsAddedToCache) {
   local_resolve_parameters.source = HostResolverSource::LOCAL_ONLY;
   std::unique_ptr<HostResolver::ResolveHostRequest> cached_request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               local_resolve_parameters);
 
   TestCompletionCallback callback;
@@ -698,6 +700,8 @@ TEST_F(ContextHostResolverTest, ResultsAddedToCache) {
 TEST_F(ContextHostResolverTest, ResultsAddedToCacheWithNetworkIsolationKey) {
   const SchemefulSite kSite(GURL("https://origin.test/"));
   const NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey(
+      kSite, kSite, /*is_cross_site=*/false);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
@@ -721,7 +725,7 @@ TEST_F(ContextHostResolverTest, ResultsAddedToCacheWithNetworkIsolationKey) {
 
   std::unique_ptr<HostResolver::ResolveHostRequest> caching_request =
       resolver->CreateRequest(HostPortPair("example.com", 103),
-                              kNetworkIsolationKey, NetLogWithSource(),
+                              kNetworkAnonymizationKey, NetLogWithSource(),
                               absl::nullopt);
   TestCompletionCallback caching_callback;
   int rv = caching_request->Start(caching_callback.callback());
@@ -729,14 +733,14 @@ TEST_F(ContextHostResolverTest, ResultsAddedToCacheWithNetworkIsolationKey) {
 
   HostCache::Key cache_key("example.com", DnsQueryType::UNSPECIFIED,
                            0 /* host_resolver_flags */, HostResolverSource::ANY,
-                           kNetworkIsolationKey);
+                           kNetworkAnonymizationKey);
   EXPECT_TRUE(
       resolver->GetHostCache()->Lookup(cache_key, base::TimeTicks::Now()));
 
-  HostCache::Key cache_key_with_empty_nik(
+  HostCache::Key cache_key_with_empty_nak(
       "example.com", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
-  EXPECT_FALSE(resolver->GetHostCache()->Lookup(cache_key_with_empty_nik,
+      HostResolverSource::ANY, NetworkAnonymizationKey());
+  EXPECT_FALSE(resolver->GetHostCache()->Lookup(cache_key_with_empty_nak,
                                                 base::TimeTicks::Now()));
 }
 
@@ -873,8 +877,8 @@ TEST_F(ContextHostResolverTest, ExistingNetworkBoundLookup) {
     auto resolver = std::make_unique<ContextHostResolver>(
         manager.get(), std::move(resolve_context));
     std::unique_ptr<HostResolver::ResolveHostRequest> request =
-        resolver->CreateRequest(host, NetworkIsolationKey(), NetLogWithSource(),
-                                absl::nullopt);
+        resolver->CreateRequest(host, NetworkAnonymizationKey(),
+                                NetLogWithSource(), absl::nullopt);
 
     TestCompletionCallback callback;
     int rv = request->Start(callback.callback());
@@ -906,8 +910,8 @@ TEST_F(ContextHostResolverTest, NotExistingNetworkBoundLookup) {
   auto resolver = std::make_unique<ContextHostResolver>(
       manager_.get(), std::move(resolve_context));
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
-      resolver->CreateRequest(host, NetworkIsolationKey(), NetLogWithSource(),
-                              absl::nullopt);
+      resolver->CreateRequest(host, NetworkAnonymizationKey(),
+                              NetLogWithSource(), absl::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
diff --git a/chromium/net/dns/dns_alias_utility.cc b/chromium/net/dns/dns_alias_utility.cc
index 3576f87135a..10d53bca722 100644
--- a/chromium/net/dns/dns_alias_utility.cc
+++ b/chromium/net/dns/dns_alias_utility.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_alias_utility.h b/chromium/net/dns/dns_alias_utility.h
index 2e51d3ace77..421bc270d83 100644
--- a/chromium/net/dns/dns_alias_utility.h
+++ b/chromium/net/dns/dns_alias_utility.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_alias_utility_unittest.cc b/chromium/net/dns/dns_alias_utility_unittest.cc
index c4adadab462..0b9f08f65d7 100644
--- a/chromium/net/dns/dns_alias_utility_unittest.cc
+++ b/chromium/net/dns/dns_alias_utility_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_client.cc b/chromium/net/dns/dns_client.cc
index fd48d43f451..c5c0b7c5f1e 100644
--- a/chromium/net/dns/dns_client.cc
+++ b/chromium/net/dns/dns_client.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_client.h b/chromium/net/dns/dns_client.h
index 4a0931f76a0..4d6fb191d93 100644
--- a/chromium/net/dns/dns_client.h
+++ b/chromium/net/dns/dns_client.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_client_unittest.cc b/chromium/net/dns/dns_client_unittest.cc
index 7ce5be79432..76657458c49 100644
--- a/chromium/net/dns/dns_client_unittest.cc
+++ b/chromium/net/dns/dns_client_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config.cc b/chromium/net/dns/dns_config.cc
index 2a24a13bbc3..c099f05d8dc 100644
--- a/chromium/net/dns/dns_config.cc
+++ b/chromium/net/dns/dns_config.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config.h b/chromium/net/dns/dns_config.h
index 19fbd97fca9..fffb31ce542 100644
--- a/chromium/net/dns/dns_config.h
+++ b/chromium/net/dns/dns_config.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service.cc b/chromium/net/dns/dns_config_service.cc
index d1df61f0a92..ba5864d492a 100644
--- a/chromium/net/dns/dns_config_service.cc
+++ b/chromium/net/dns/dns_config_service.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service.h b/chromium/net/dns/dns_config_service.h
index d4aa18027e7..fac0e48b2cd 100644
--- a/chromium/net/dns/dns_config_service.h
+++ b/chromium/net/dns/dns_config_service.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_android.cc b/chromium/net/dns/dns_config_service_android.cc
index 25cbc3ada9c..70605d89e17 100644
--- a/chromium/net/dns/dns_config_service_android.cc
+++ b/chromium/net/dns/dns_config_service_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_android.h b/chromium/net/dns/dns_config_service_android.h
index 8788998cba4..b7ea5e05a15 100644
--- a/chromium/net/dns/dns_config_service_android.h
+++ b/chromium/net/dns/dns_config_service_android.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_android_unittest.cc b/chromium/net/dns/dns_config_service_android_unittest.cc
index 0a8851ff788..b079f40616d 100644
--- a/chromium/net/dns/dns_config_service_android_unittest.cc
+++ b/chromium/net/dns/dns_config_service_android_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_fuchsia.cc b/chromium/net/dns/dns_config_service_fuchsia.cc
index 73e053b5778..740f342c524 100644
--- a/chromium/net/dns/dns_config_service_fuchsia.cc
+++ b/chromium/net/dns/dns_config_service_fuchsia.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_fuchsia.h b/chromium/net/dns/dns_config_service_fuchsia.h
index 0dea321323c..dfab56da7eb 100644
--- a/chromium/net/dns/dns_config_service_fuchsia.h
+++ b/chromium/net/dns/dns_config_service_fuchsia.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_linux.cc b/chromium/net/dns/dns_config_service_linux.cc
index b9d65f6a5cc..ea74a2d3148 100644
--- a/chromium/net/dns/dns_config_service_linux.cc
+++ b/chromium/net/dns/dns_config_service_linux.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -20,7 +20,6 @@
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/check.h"
-#include "base/containers/contains.h"
 #include "base/files/file_path.h"
 #include "base/files/file_path_watcher.h"
 #include "base/location.h"
@@ -206,8 +205,6 @@ enum class IncompatibleNsswitchReason {
 void RecordIncompatibleNsswitchReason(
     IncompatibleNsswitchReason reason,
     absl::optional<NsswitchReader::Service> service_token) {
-  base::UmaHistogramEnumeration("Net.DNS.DnsConfig.Nsswitch.IncompatibleReason",
-                                reason);
   if (service_token) {
     base::UmaHistogramEnumeration(
         "Net.DNS.DnsConfig.Nsswitch.IncompatibleService",
@@ -280,6 +277,7 @@ bool IsNsswitchConfigCompatible(
       case NsswitchReader::Service::kMdns4:
       case NsswitchReader::Service::kMdns6:
       case NsswitchReader::Service::kResolve:
+      case NsswitchReader::Service::kNis:
         RecordIncompatibleNsswitchReason(
             IncompatibleNsswitchReason::kIncompatibleService,
             specification.service);
@@ -303,7 +301,6 @@ bool IsNsswitchConfigCompatible(
         break;
 
       case NsswitchReader::Service::kMyHostname:
-      case NsswitchReader::Service::kNis:
         // Similar enough to Chrome behavior (or unlikely to matter for Chrome
         // resolutions) to be considered compatible unless the actions do
         // something very weird to skip remaining services without a result.
@@ -472,16 +469,10 @@ class DnsConfigServiceLinux::ConfigReader : public SerialWorker {
       if (dns_config_ && !dns_config_->unhandled_options) {
         std::vector<NsswitchReader::ServiceSpecification> nsswitch_hosts =
             nsswitch_reader_->ReadAndParseHosts();
-        base::UmaHistogramCounts100("Net.DNS.DnsConfig.Nsswitch.NumServices",
-                                    nsswitch_hosts.size());
         dns_config_->unhandled_options =
             !IsNsswitchConfigCompatible(nsswitch_hosts);
         base::UmaHistogramBoolean("Net.DNS.DnsConfig.Nsswitch.Compatible",
                                   !dns_config_->unhandled_options);
-        base::UmaHistogramBoolean(
-            "Net.DNS.DnsConfig.Nsswitch.NisServiceInHosts",
-            base::Contains(nsswitch_hosts, NsswitchReader::Service::kNis,
-                           &NsswitchReader::ServiceSpecification::service));
       }
     }
 
diff --git a/chromium/net/dns/dns_config_service_linux.h b/chromium/net/dns/dns_config_service_linux.h
index 162f4c3cc15..99172cfe686 100644
--- a/chromium/net/dns/dns_config_service_linux.h
+++ b/chromium/net/dns/dns_config_service_linux.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_linux_unittest.cc b/chromium/net/dns/dns_config_service_linux_unittest.cc
index cd92a042be2..c4fb2985f11 100644
--- a/chromium/net/dns/dns_config_service_linux_unittest.cc
+++ b/chromium/net/dns/dns_config_service_linux_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -42,9 +42,6 @@ namespace net {
 
 namespace {
 
-const char kNsswitchNisServiceInHostsHistogramName[] =
-    "Net.DNS.DnsConfig.Nsswitch.NisServiceInHosts";
-
 // MAXNS is normally 3, but let's test 4 if possible.
 const char* const kNameserversIPv4[] = {
     "8.8.8.8",
@@ -883,29 +880,7 @@ TEST_F(DnsConfigServiceLinuxTest, RejectsNsswitchResolve) {
   EXPECT_TRUE(config->unhandled_options);
 }
 
-TEST_F(DnsConfigServiceLinuxTest, HistogramNoNisServiceInHosts) {
-  auto res = std::make_unique<struct __res_state>();
-  InitializeResState(res.get());
-  resolv_reader_->set_value(std::move(res));
-
-  nsswitch_reader_->set_value(
-      {NsswitchReader::ServiceSpecification(NsswitchReader::Service::kFiles),
-       NsswitchReader::ServiceSpecification(NsswitchReader::Service::kDns)});
-
-  base::HistogramTester histogram_tester;
-  CallbackHelper callback_helper;
-  service_.ReadConfig(callback_helper.GetCallback());
-  absl::optional<DnsConfig> config = callback_helper.WaitForResult();
-  EXPECT_TRUE(resolv_reader_->closed());
-  histogram_tester.ExpectBucketCount(kNsswitchNisServiceInHostsHistogramName,
-                                     false, 1);
-
-  ASSERT_TRUE(config.has_value());
-  EXPECT_TRUE(config->IsValid());
-  EXPECT_FALSE(config->unhandled_options);
-}
-
-TEST_F(DnsConfigServiceLinuxTest, AcceptsNsswitchNis) {
+TEST_F(DnsConfigServiceLinuxTest, RejectsNsswitchNis) {
   auto res = std::make_unique<struct __res_state>();
   InitializeResState(res.get());
   resolv_reader_->set_value(std::move(res));
@@ -915,17 +890,14 @@ TEST_F(DnsConfigServiceLinuxTest, AcceptsNsswitchNis) {
        NsswitchReader::ServiceSpecification(NsswitchReader::Service::kNis),
        NsswitchReader::ServiceSpecification(NsswitchReader::Service::kDns)});
 
-  base::HistogramTester histogram_tester;
   CallbackHelper callback_helper;
   service_.ReadConfig(callback_helper.GetCallback());
   absl::optional<DnsConfig> config = callback_helper.WaitForResult();
   EXPECT_TRUE(resolv_reader_->closed());
-  histogram_tester.ExpectBucketCount(kNsswitchNisServiceInHostsHistogramName,
-                                     true, 1);
 
   ASSERT_TRUE(config.has_value());
   EXPECT_TRUE(config->IsValid());
-  EXPECT_FALSE(config->unhandled_options);
+  EXPECT_TRUE(config->unhandled_options);
 }
 
 TEST_F(DnsConfigServiceLinuxTest, RejectsWithBadNisNotFoundAction) {
diff --git a/chromium/net/dns/dns_config_service_posix.cc b/chromium/net/dns/dns_config_service_posix.cc
index 025078e1126..a8a223d1d9e 100644
--- a/chromium/net/dns/dns_config_service_posix.cc
+++ b/chromium/net/dns/dns_config_service_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_posix.h b/chromium/net/dns/dns_config_service_posix.h
index e98cd0f9725..16a9a1ddafe 100644
--- a/chromium/net/dns/dns_config_service_posix.h
+++ b/chromium/net/dns/dns_config_service_posix.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_posix_unittest.cc b/chromium/net/dns/dns_config_service_posix_unittest.cc
index 695a382526e..dc37587dda5 100644
--- a/chromium/net/dns/dns_config_service_posix_unittest.cc
+++ b/chromium/net/dns/dns_config_service_posix_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_unittest.cc b/chromium/net/dns/dns_config_service_unittest.cc
index 7ba68e14760..759395939dd 100644
--- a/chromium/net/dns/dns_config_service_unittest.cc
+++ b/chromium/net/dns/dns_config_service_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_win.cc b/chromium/net/dns/dns_config_service_win.cc
index 71ecb1866a2..6ce5beb91e6 100644
--- a/chromium/net/dns/dns_config_service_win.cc
+++ b/chromium/net/dns/dns_config_service_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_win.h b/chromium/net/dns/dns_config_service_win.h
index b1169446998..5a711bb560d 100644
--- a/chromium/net/dns/dns_config_service_win.h
+++ b/chromium/net/dns/dns_config_service_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_service_win_unittest.cc b/chromium/net/dns/dns_config_service_win_unittest.cc
index 45af232c8f4..c0aa8ea609c 100644
--- a/chromium/net/dns/dns_config_service_win_unittest.cc
+++ b/chromium/net/dns/dns_config_service_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_watcher_mac.cc b/chromium/net/dns/dns_config_watcher_mac.cc
index 747c18bf16c..c978387ff4c 100644
--- a/chromium/net/dns/dns_config_watcher_mac.cc
+++ b/chromium/net/dns/dns_config_watcher_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_config_watcher_mac.h b/chromium/net/dns/dns_config_watcher_mac.h
index 489452230c1..9d1fbe6d0da 100644
--- a/chromium/net/dns/dns_config_watcher_mac.h
+++ b/chromium/net/dns/dns_config_watcher_mac.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_hosts.cc b/chromium/net/dns/dns_hosts.cc
index ab2cf0d065e..fba2a88d1f1 100644
--- a/chromium/net/dns/dns_hosts.cc
+++ b/chromium/net/dns/dns_hosts.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_hosts.h b/chromium/net/dns/dns_hosts.h
index c92d42f9376..0c0f955ccf0 100644
--- a/chromium/net/dns/dns_hosts.h
+++ b/chromium/net/dns/dns_hosts.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_hosts_parse_fuzzer.cc b/chromium/net/dns/dns_hosts_parse_fuzzer.cc
index 194cb2b4b8f..d68ac03221f 100644
--- a/chromium/net/dns/dns_hosts_parse_fuzzer.cc
+++ b/chromium/net/dns/dns_hosts_parse_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_hosts_unittest.cc b/chromium/net/dns/dns_hosts_unittest.cc
index b3f683aad60..885c47acd46 100644
--- a/chromium/net/dns/dns_hosts_unittest.cc
+++ b/chromium/net/dns/dns_hosts_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_parse_domain_ascii_win_fuzzer.cc b/chromium/net/dns/dns_parse_domain_ascii_win_fuzzer.cc
index b6a10efd9d6..f37a74c23f7 100644
--- a/chromium/net/dns/dns_parse_domain_ascii_win_fuzzer.cc
+++ b/chromium/net/dns/dns_parse_domain_ascii_win_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_query.cc b/chromium/net/dns/dns_query.cc
index 01d7bab9d88..6f93a819d4d 100644
--- a/chromium/net/dns/dns_query.cc
+++ b/chromium/net/dns/dns_query.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_query.h b/chromium/net/dns/dns_query.h
index 6a9db0971ba..7e2045d0e07 100644
--- a/chromium/net/dns/dns_query.h
+++ b/chromium/net/dns/dns_query.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_query_parse_fuzzer.cc b/chromium/net/dns/dns_query_parse_fuzzer.cc
index c524f62a88a..a6d62b0cf9f 100644
--- a/chromium/net/dns/dns_query_parse_fuzzer.cc
+++ b/chromium/net/dns/dns_query_parse_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_query_unittest.cc b/chromium/net/dns/dns_query_unittest.cc
index b09d6c8f303..49c658a13a0 100644
--- a/chromium/net/dns/dns_query_unittest.cc
+++ b/chromium/net/dns/dns_query_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_record_fuzzer.cc b/chromium/net/dns/dns_record_fuzzer.cc
index 9c052332961..84e94b73be5 100644
--- a/chromium/net/dns/dns_record_fuzzer.cc
+++ b/chromium/net/dns/dns_record_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_reloader.cc b/chromium/net/dns/dns_reloader.cc
index 43cc164e20c..bfd2de11f9c 100644
--- a/chromium/net/dns/dns_reloader.cc
+++ b/chromium/net/dns/dns_reloader.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_reloader.h b/chromium/net/dns/dns_reloader.h
index 8b7ff2e04ea..cd2822af15b 100644
--- a/chromium/net/dns/dns_reloader.h
+++ b/chromium/net/dns/dns_reloader.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_response.cc b/chromium/net/dns/dns_response.cc
index 762521d0691..d1f1ef7eb7e 100644
--- a/chromium/net/dns/dns_response.cc
+++ b/chromium/net/dns/dns_response.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -313,9 +313,8 @@ DnsResponse::DnsResponse(
       std::accumulate(additional_records.begin(), additional_records.end(),
                       response_size, do_accumulation);
 
-  io_buffer_ = base::MakeRefCounted<IOBuffer>(response_size);
-  io_buffer_size_ = response_size;
-  base::BigEndianWriter writer(io_buffer_->data(), io_buffer_size_);
+  auto io_buffer = base::MakeRefCounted<IOBuffer>(response_size);
+  base::BigEndianWriter writer(io_buffer->data(), response_size);
   success &= WriteHeader(&writer, header);
   DCHECK(success);
   if (has_query) {
@@ -338,10 +337,10 @@ DnsResponse::DnsResponse(
     DCHECK(success);
   }
   if (!success) {
-    io_buffer_.reset();
-    io_buffer_size_ = 0;
     return;
   }
+  io_buffer_ = io_buffer;
+  io_buffer_size_ = response_size;
   // Ensure we don't have any remaining uninitialized bytes in the buffer.
   DCHECK(!writer.remaining());
   memset(writer.ptr(), 0, writer.remaining());
diff --git a/chromium/net/dns/dns_response.h b/chromium/net/dns/dns_response.h
index 57132abc4dc..f78fc3c2959 100644
--- a/chromium/net/dns/dns_response.h
+++ b/chromium/net/dns/dns_response.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_response_fuzzer.cc b/chromium/net/dns/dns_response_fuzzer.cc
index 346d22c3993..074342c87a2 100644
--- a/chromium/net/dns/dns_response_fuzzer.cc
+++ b/chromium/net/dns/dns_response_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_response_result_extractor.cc b/chromium/net/dns/dns_response_result_extractor.cc
index 90af6162505..57a468e92bd 100644
--- a/chromium/net/dns/dns_response_result_extractor.cc
+++ b/chromium/net/dns/dns_response_result_extractor.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -433,70 +433,6 @@ ExtractionError ExtractServiceResults(const DnsResponse& response,
   return ExtractionError::kOk;
 }
 
-ExtractionError ExtractIntegrityResults(const DnsResponse& response,
-                                        HostCache::Entry* out_results) {
-  DCHECK(out_results);
-
-  absl::optional<base::TimeDelta> response_ttl;
-  std::vector<std::unique_ptr<const RecordParsed>> records;
-  ExtractionError extraction_error = ExtractResponseRecords(
-      response, dns_protocol::kExperimentalTypeIntegrity, &records,
-      &response_ttl, nullptr /* out_aliases */);
-
-  if (extraction_error != ExtractionError::kOk) {
-    *out_results = HostCache::Entry(ERR_DNS_MALFORMED_RESPONSE,
-                                    HostCache::Entry::SOURCE_DNS);
-    return extraction_error;
-  }
-
-  // Condense results into a list of booleans. We do not cache the results,
-  // but this enables us to write some unit tests.
-  std::vector<bool> condensed_results;
-  for (const auto& record : records) {
-    const IntegrityRecordRdata& rdata = *record->rdata<IntegrityRecordRdata>();
-    condensed_results.push_back(rdata.IsIntact());
-  }
-
-  *out_results = HostCache::Entry(
-      condensed_results.empty() ? ERR_NAME_NOT_RESOLVED : OK,
-      std::move(condensed_results), HostCache::Entry::SOURCE_DNS, response_ttl);
-  DCHECK_EQ(extraction_error, ExtractionError::kOk);
-  return extraction_error;
-}
-
-ExtractionError ExtractExperimentalHttpsResults(const DnsResponse& response,
-                                                HostCache::Entry* out_results) {
-  DCHECK(out_results);
-
-  absl::optional<base::TimeDelta> response_ttl;
-  std::vector<std::unique_ptr<const RecordParsed>> records;
-  ExtractionError extraction_error =
-      ExtractResponseRecords(response, dns_protocol::kTypeHttps, &records,
-                             &response_ttl, nullptr /* out_aliases */);
-
-  if (extraction_error != ExtractionError::kOk) {
-    *out_results = HostCache::Entry(ERR_DNS_MALFORMED_RESPONSE,
-                                    HostCache::Entry::SOURCE_DNS);
-    return extraction_error;
-  }
-
-  // Record record compatibility (draft-ietf-dnsop-svcb-https-08#section-8) for
-  // each record.
-  std::vector<bool> record_compatibility;
-  for (const auto& record : records) {
-    const HttpsRecordRdata* rdata = record->rdata<HttpsRecordRdata>();
-    DCHECK(rdata);
-    record_compatibility.push_back(rdata->IsAlias() ||
-                                   rdata->AsServiceForm()->IsCompatible());
-  }
-
-  *out_results = HostCache::Entry(records.empty() ? ERR_NAME_NOT_RESOLVED : OK,
-                                  std::move(record_compatibility),
-                                  HostCache::Entry::SOURCE_DNS, response_ttl);
-  DCHECK_EQ(extraction_error, ExtractionError::kOk);
-  return extraction_error;
-}
-
 const RecordParsed* UnwrapRecordPtr(
     const std::unique_ptr<const RecordParsed>& ptr) {
   return ptr.get();
@@ -667,23 +603,17 @@ DnsResponseResultExtractor::ExtractDnsResults(
       return ExtractPointerResults(*response_, out_results);
     case DnsQueryType::SRV:
       return ExtractServiceResults(*response_, out_results);
-    case DnsQueryType::INTEGRITY:
-      return ExtractIntegrityResults(*response_, out_results);
     case DnsQueryType::HTTPS:
       return ExtractHttpsResults(*response_, original_domain_name, request_port,
                                  out_results);
-    case DnsQueryType::HTTPS_EXPERIMENTAL:
-      return ExtractExperimentalHttpsResults(*response_, out_results);
   }
 }
 
 // static
 HostCache::Entry DnsResponseResultExtractor::CreateEmptyResult(
     DnsQueryType query_type) {
-  if (query_type != DnsQueryType::INTEGRITY &&
-      query_type != DnsQueryType::HTTPS &&
-      query_type != DnsQueryType::HTTPS_EXPERIMENTAL) {
-    // Currently only used for INTEGRITY/HTTPS.
+  if (query_type != DnsQueryType::HTTPS) {
+    // Currently only used for HTTPS.
     NOTIMPLEMENTED();
     return HostCache::Entry(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
   }
diff --git a/chromium/net/dns/dns_response_result_extractor.h b/chromium/net/dns/dns_response_result_extractor.h
index 5e575aa95d0..f34a54019bd 100644
--- a/chromium/net/dns/dns_response_result_extractor.h
+++ b/chromium/net/dns/dns_response_result_extractor.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_response_result_extractor_unittest.cc b/chromium/net/dns/dns_response_result_extractor_unittest.cc
index afee3d37903..d9187373f24 100644
--- a/chromium/net/dns/dns_response_result_extractor_unittest.cc
+++ b/chromium/net/dns/dns_response_result_extractor_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -740,167 +740,6 @@ TEST(DnsResponseResultExtractorTest, IgnoresWrongTypeSrvResponses) {
   EXPECT_FALSE(results.has_ttl());
 }
 
-TEST(DnsResponseResultExtractorTest, ExtractsExperimentalHttpsResponses) {
-  constexpr char kName[] = "https.test";
-  constexpr auto kTtl = base::Minutes(31);
-
-  DnsResponse response = BuildTestDnsResponse(
-      kName, dns_protocol::kTypeHttps,
-      {BuildTestHttpsAliasRecord(kName, "alias.test", kTtl)});
-  DnsResponseResultExtractor extractor(&response);
-
-  HostCache::Entry results(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
-  EXPECT_EQ(extractor.ExtractDnsResults(DnsQueryType::HTTPS_EXPERIMENTAL,
-                                        /*original_domain_name=*/kName,
-                                        /*request_port=*/0, &results),
-            DnsResponseResultExtractor::ExtractionError::kOk);
-
-  EXPECT_THAT(results.error(), test::IsOk());
-  EXPECT_THAT(results.https_record_compatibility(),
-              testing::Pointee(testing::ElementsAre(true)));
-
-  ASSERT_TRUE(results.has_ttl());
-  EXPECT_EQ(results.ttl(), kTtl);
-}
-
-TEST(DnsResponseResultExtractorTest,
-     ExtractsNxdomainExperimentalHttpsResponses) {
-  constexpr char kName[] = "https.test";
-  constexpr auto kTtl = base::Hours(8);
-
-  DnsResponse response = BuildTestDnsResponse(
-      kName, dns_protocol::kTypeHttps, /*answers=*/{},
-      /*authority=*/
-      {BuildTestDnsRecord(kName, dns_protocol::kTypeSOA, "fake rdata", kTtl)},
-      /*additional=*/{}, dns_protocol::kRcodeNXDOMAIN);
-  DnsResponseResultExtractor extractor(&response);
-
-  HostCache::Entry results(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
-  EXPECT_EQ(extractor.ExtractDnsResults(DnsQueryType::HTTPS_EXPERIMENTAL,
-                                        /*original_domain_name=*/kName,
-                                        /*request_port=*/0, &results),
-            DnsResponseResultExtractor::ExtractionError::kOk);
-
-  EXPECT_THAT(results.error(), test::IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_THAT(results.https_record_compatibility(),
-              testing::Pointee(testing::IsEmpty()));
-
-  ASSERT_TRUE(results.has_ttl());
-  EXPECT_EQ(results.ttl(), kTtl);
-}
-
-TEST(DnsResponseResultExtractorTest, ExtractsNodataExperimentalHttpsResponses) {
-  constexpr char kName[] = "https.test";
-  constexpr auto kTtl = base::Days(3);
-
-  DnsResponse response = BuildTestDnsResponse(
-      kName, dns_protocol::kTypeHttps, /*answers=*/{},
-      /*authority=*/
-      {BuildTestDnsRecord(kName, dns_protocol::kTypeSOA, "fake rdata", kTtl)});
-  DnsResponseResultExtractor extractor(&response);
-
-  HostCache::Entry results(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
-  EXPECT_EQ(extractor.ExtractDnsResults(DnsQueryType::HTTPS_EXPERIMENTAL,
-                                        /*original_domain_name=*/kName,
-                                        /*request_port=*/0, &results),
-            DnsResponseResultExtractor::ExtractionError::kOk);
-
-  EXPECT_THAT(results.error(), test::IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_THAT(results.https_record_compatibility(),
-              testing::Pointee(testing::IsEmpty()));
-
-  ASSERT_TRUE(results.has_ttl());
-  EXPECT_EQ(results.ttl(), kTtl);
-}
-
-TEST(DnsResponseResultExtractorTest, RejectsMalformedExperimentalHttpsRecord) {
-  constexpr char kName[] = "https.test";
-
-  DnsResponse response = BuildTestDnsResponse(
-      kName, dns_protocol::kTypeHttps,
-      {BuildTestDnsRecord(kName, dns_protocol::kTypeHttps,
-                          "malformed rdata")} /* answers */);
-  DnsResponseResultExtractor extractor(&response);
-
-  HostCache::Entry results(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
-  EXPECT_EQ(extractor.ExtractDnsResults(DnsQueryType::HTTPS_EXPERIMENTAL,
-                                        /*original_domain_name=*/kName,
-                                        /*request_port=*/0, &results),
-            DnsResponseResultExtractor::ExtractionError::kMalformedRecord);
-
-  EXPECT_THAT(results.error(), test::IsError(ERR_DNS_MALFORMED_RESPONSE));
-  EXPECT_FALSE(results.has_ttl());
-}
-
-TEST(DnsResponseResultExtractorTest, RejectsWrongNameExperimentalHttpsRecord) {
-  constexpr char kName[] = "https.test";
-
-  DnsResponse response = BuildTestDnsResponse(
-      kName, dns_protocol::kTypeHttps,
-      {BuildTestHttpsAliasRecord("different.test", "alias.test")});
-  DnsResponseResultExtractor extractor(&response);
-
-  HostCache::Entry results(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
-  EXPECT_EQ(extractor.ExtractDnsResults(DnsQueryType::HTTPS_EXPERIMENTAL,
-                                        /*original_domain_name=*/kName,
-                                        /*request_port=*/0, &results),
-            DnsResponseResultExtractor::ExtractionError::kNameMismatch);
-
-  EXPECT_THAT(results.error(), test::IsError(ERR_DNS_MALFORMED_RESPONSE));
-  EXPECT_FALSE(results.has_ttl());
-}
-
-TEST(DnsResponseResultExtractorTest,
-     IgnoresWrongTypeExperimentalHttpsResponses) {
-  constexpr char kName[] = "https.test";
-
-  DnsResponse response = BuildTestDnsResponse(
-      kName, dns_protocol::kTypeHttps,
-      {BuildTestAddressRecord(kName, IPAddress(1, 2, 3, 4))});
-  DnsResponseResultExtractor extractor(&response);
-
-  HostCache::Entry results(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
-  EXPECT_EQ(extractor.ExtractDnsResults(DnsQueryType::HTTPS_EXPERIMENTAL,
-                                        /*original_domain_name=*/kName,
-                                        /*request_port=*/0, &results),
-            DnsResponseResultExtractor::ExtractionError::kOk);
-
-  EXPECT_THAT(results.error(), test::IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_THAT(results.https_record_compatibility(),
-              testing::Pointee(testing::IsEmpty()));
-  EXPECT_FALSE(results.has_ttl());
-}
-
-TEST(DnsResponseResultExtractorTest,
-     IgnoresAdditionalExperimentalHttpsRecords) {
-  constexpr char kName[] = "https.test";
-  constexpr auto kTtl = base::Days(3);
-
-  DnsResponse response = BuildTestDnsResponse(
-      kName, dns_protocol::kTypeHttps,
-      /*answers=*/{BuildTestHttpsAliasRecord(kName, "alias.test", kTtl)},
-      /*authority=*/{},
-      /*additional=*/
-      {BuildTestHttpsServiceRecord(kName, 3u, "service1.test", {},
-                                   base::Minutes(44)),
-       BuildTestHttpsServiceRecord(kName, 2u, "service2.test", {},
-                                   base::Minutes(30))});
-  DnsResponseResultExtractor extractor(&response);
-
-  HostCache::Entry results(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
-  EXPECT_EQ(extractor.ExtractDnsResults(DnsQueryType::HTTPS_EXPERIMENTAL,
-                                        /*original_domain_name=*/kName,
-                                        /*request_port=*/0, &results),
-            DnsResponseResultExtractor::ExtractionError::kOk);
-
-  EXPECT_THAT(results.error(), test::IsOk());
-  EXPECT_THAT(results.https_record_compatibility(),
-              testing::Pointee(testing::ElementsAre(true)));
-
-  ASSERT_TRUE(results.has_ttl());
-  EXPECT_EQ(results.ttl(), kTtl);
-}
-
 TEST(DnsResponseResultExtractorTest, ExtractsBasicHttpsResponses) {
   constexpr char kName[] = "https.test";
   constexpr auto kTtl = base::Hours(12);
diff --git a/chromium/net/dns/dns_response_unittest.cc b/chromium/net/dns/dns_response_unittest.cc
index 6908103b777..494514ca29c 100644
--- a/chromium/net/dns/dns_response_unittest.cc
+++ b/chromium/net/dns/dns_response_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_server_iterator.cc b/chromium/net/dns/dns_server_iterator.cc
index fdf6b559895..1605fa8c1ff 100644
--- a/chromium/net/dns/dns_server_iterator.cc
+++ b/chromium/net/dns/dns_server_iterator.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_server_iterator.h b/chromium/net/dns/dns_server_iterator.h
index b9420b92359..b3585058334 100644
--- a/chromium/net/dns/dns_server_iterator.h
+++ b/chromium/net/dns/dns_server_iterator.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_session.cc b/chromium/net/dns/dns_session.cc
index 426c91bf978..34ab08fe65c 100644
--- a/chromium/net/dns/dns_session.cc
+++ b/chromium/net/dns/dns_session.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_session.h b/chromium/net/dns/dns_session.h
index 5b0b8340523..4d72c487446 100644
--- a/chromium/net/dns/dns_session.h
+++ b/chromium/net/dns/dns_session.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_test_util.cc b/chromium/net/dns/dns_test_util.cc
index fd2e535ef4e..8dc388806b0 100644
--- a/chromium/net/dns/dns_test_util.cc
+++ b/chromium/net/dns/dns_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,12 +14,12 @@
 #include "base/location.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/ranges/algorithm.h"
-#include "base/stl_util.h"
 #include "base/strings/strcat.h"
 #include "base/sys_byteorder.h"
 #include "base/task/single_thread_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/time.h"
+#include "base/types/optional_util.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
@@ -543,15 +543,14 @@ class MockDnsTransactionFactory::MockTransaction
       case MockDnsClientRule::ResultType::kFail: {
         int error = result_.net_error.value_or(ERR_NAME_NOT_RESOLVED);
         DCHECK_NE(error, OK);
-        std::move(callback_).Run(error,
-                                 base::OptionalOrNullptr(result_.response));
+        std::move(callback_).Run(error, base::OptionalToPtr(result_.response));
         break;
       }
       case MockDnsClientRule::ResultType::kEmpty:
       case MockDnsClientRule::ResultType::kOk:
       case MockDnsClientRule::ResultType::kMalformed:
         DCHECK(!result_.net_error.has_value());
-        std::move(callback_).Run(OK, base::OptionalOrNullptr(result_.response));
+        std::move(callback_).Run(OK, base::OptionalToPtr(result_.response));
         break;
       case MockDnsClientRule::ResultType::kTimeout:
         DCHECK(!result_.net_error.has_value());
diff --git a/chromium/net/dns/dns_test_util.h b/chromium/net/dns/dns_test_util.h
index 438ec95d934..2b5d94b5fb9 100644
--- a/chromium/net/dns/dns_test_util.h
+++ b/chromium/net/dns/dns_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_transaction.cc b/chromium/net/dns/dns_transaction.cc
index 8acf25c45c0..0c03aa3d6dc 100644
--- a/chromium/net/dns/dns_transaction.cc
+++ b/chromium/net/dns/dns_transaction.cc
@@ -1,10 +1,9 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/dns/dns_transaction.h"
 
-#include <algorithm>
 #include <memory>
 #include <set>
 #include <string>
@@ -26,6 +25,7 @@
 #include "base/metrics/histogram_functions.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/rand_util.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/stringprintf.h"
 #include "base/task/single_thread_task_runner.h"
@@ -240,9 +240,7 @@ class DnsUDPAttempt : public DnsAttempt {
   base::Value GetRawResponseBufferForLog() const override {
     if (!response_)
       return base::Value();
-
-    return NetLogBinaryValue(response_->io_buffer()->data(),
-                             response_->io_buffer_size());
+    return NetLogBinaryValue(response_->io_buffer()->data(), read_size_);
   }
 
   const NetLogWithSource& GetSocketNetLog() const override {
@@ -324,6 +322,7 @@ class DnsUDPAttempt : public DnsAttempt {
     DCHECK_NE(ERR_IO_PENDING, rv);
     if (rv < 0)
       return rv;
+    read_size_ = rv;
 
     DCHECK(rv);
     bool parse_result = response_->InitParse(rv, *query_);
@@ -360,6 +359,7 @@ class DnsUDPAttempt : public DnsAttempt {
   const raw_ptr<DnsUdpTracker> udp_tracker_;
 
   std::unique_ptr<DnsResponse> response_;
+  int read_size_ = 0;
 
   CompletionOnceCallback callback_;
 };
@@ -591,7 +591,7 @@ class DnsHTTPAttempt : public DnsAttempt, public URLRequest::Delegate {
     buffer_->set_offset(0);
     if (size == 0u)
       return ERR_DNS_MALFORMED_RESPONSE;
-    response_ = std::make_unique<DnsResponse>(buffer_, size + 1);
+    response_ = std::make_unique<DnsResponse>(buffer_, size);
     if (!response_->InitParse(size, *query_))
       return ERR_DNS_MALFORMED_RESPONSE;
     if (response_->rcode() == dns_protocol::kRcodeNXDOMAIN)
@@ -822,8 +822,7 @@ class DnsTCPAttempt : public DnsAttempt {
     // Check if advertised response is too short. (Optimization only.)
     if (response_length_ < query_->io_buffer()->size())
       return ERR_DNS_MALFORMED_RESPONSE;
-    // Allocate more space so that DnsResponse::InitParse sanity check passes.
-    response_ = std::make_unique<DnsResponse>(response_length_ + 1);
+    response_ = std::make_unique<DnsResponse>(response_length_);
     buffer_ = base::MakeRefCounted<DrainableIOBuffer>(response_->io_buffer(),
                                                       response_length_);
     next_state_ = STATE_READ_RESPONSE;
@@ -1612,10 +1611,10 @@ class DnsTransactionImpl : public DnsTransaction,
   }
 
   bool AnyAttemptPending() {
-    return std::any_of(attempts_.begin(), attempts_.end(),
-                       [](std::unique_ptr<DnsAttempt>& attempt) {
-                         return attempt->IsPending();
-                       });
+    return base::ranges::any_of(attempts_,
+                                [](std::unique_ptr<DnsAttempt>& attempt) {
+                                  return attempt->IsPending();
+                                });
   }
 
   void OnFallbackPeriodExpired() {
diff --git a/chromium/net/dns/dns_transaction.h b/chromium/net/dns/dns_transaction.h
index ace31bb9e94..c388ff8a309 100644
--- a/chromium/net/dns/dns_transaction.h
+++ b/chromium/net/dns/dns_transaction.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_transaction_unittest.cc b/chromium/net/dns/dns_transaction_unittest.cc
index db7bfd9c2e0..f6b27b0aa20 100644
--- a/chromium/net/dns/dns_transaction_unittest.cc
+++ b/chromium/net/dns/dns_transaction_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -99,6 +99,30 @@ std::string DomainFromDot(base::StringPiece dotted_name) {
 
 enum class Transport { UDP, TCP, HTTPS };
 
+class NetLogCountingObserver : public net::NetLog::ThreadSafeObserver {
+ public:
+  NetLogCountingObserver() = default;
+
+  ~NetLogCountingObserver() override {
+    if (net_log())
+      net_log()->RemoveObserver(this);
+  }
+
+  void OnAddEntry(const NetLogEntry& entry) override {
+    ++count_;
+    if (!entry.params.is_none() && entry.params.is_dict())
+      dict_count_++;
+  }
+
+  int count() const { return count_; }
+
+  int dict_count() const { return dict_count_; }
+
+ private:
+  int count_ = 0;
+  int dict_count_ = 0;
+};
+
 // A SocketDataProvider builder.
 class DnsSocketData {
  public:
@@ -979,6 +1003,20 @@ TEST_F(DnsTransactionTest, Lookup) {
   helper0.RunUntilComplete();
 }
 
+TEST_F(DnsTransactionTest, LookupWithLog) {
+  AddAsyncQueryAndResponse(0 /* id */, kT0HostName, kT0Qtype,
+                           kT0ResponseDatagram, std::size(kT0ResponseDatagram));
+
+  TransactionHelper helper0(kT0RecordCount);
+  NetLogCountingObserver observer;
+  NetLog::Get()->AddObserver(&observer, NetLogCaptureMode::kEverything);
+  helper0.StartTransaction(transaction_factory_.get(), kT0HostName, kT0Qtype,
+                           false /* secure */, resolve_context_.get());
+  helper0.RunUntilComplete();
+  EXPECT_EQ(observer.count(), 6);
+  EXPECT_EQ(observer.dict_count(), 4);
+}
+
 TEST_F(DnsTransactionTest, LookupWithEDNSOption) {
   OptRecordRdata expected_opt_rdata;
 
@@ -2541,39 +2579,7 @@ TEST_F(DnsTransactionTest, CanLookupDohServerName) {
   helper0.RunUntilComplete();
 }
 
-class CountingObserver : public net::NetLog::ThreadSafeObserver {
- public:
-  CountingObserver() = default;
-
-  ~CountingObserver() override {
-    if (net_log())
-      net_log()->RemoveObserver(this);
-  }
-
-  void OnAddEntry(const NetLogEntry& entry) override {
-    ++count_;
-    if (!entry.params.is_none() && entry.params.is_dict())
-      dict_count_++;
-  }
-
-  int count() const { return count_; }
-
-  int dict_count() const { return dict_count_; }
-
- private:
-  int count_ = 0;
-  int dict_count_ = 0;
-};
-
-// Flaky on MSAN. https://crbug.com/1245953
-#if defined(MEMORY_SANITIZER)
-#define MAYBE_HttpsPostLookupWithLog \
-  DISABLED_HttpsPostLookupWithLog
-#else
-#define MAYBE_HttpsPostLookupWithLog \
-  HttpsPostLookupWithLog
-#endif
-TEST_F(DnsTransactionTest, MAYBE_HttpsPostLookupWithLog) {
+TEST_F(DnsTransactionTest, HttpsPostLookupWithLog) {
   ConfigureDohServers(true /* use_post */);
   AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
                       std::size(kT0ResponseDatagram), SYNCHRONOUS,
@@ -2581,7 +2587,7 @@ TEST_F(DnsTransactionTest, MAYBE_HttpsPostLookupWithLog) {
                       DnsQuery::PaddingStrategy::BLOCK_LENGTH_128,
                       false /* enqueue_transaction_id */);
   TransactionHelper helper0(kT0RecordCount);
-  CountingObserver observer;
+  NetLogCountingObserver observer;
   NetLog::Get()->AddObserver(&observer, NetLogCaptureMode::kEverything);
   helper0.StartTransaction(transaction_factory_.get(), kT0HostName, kT0Qtype,
                            true /* secure */, resolve_context_.get());
@@ -3040,6 +3046,22 @@ TEST_F(DnsTransactionTest, TcpLookup_UdpRetry) {
   helper0.RunUntilComplete();
 }
 
+TEST_F(DnsTransactionTest, TcpLookup_UdpRetry_WithLog) {
+  AddAsyncQueryAndRcode(kT0HostName, kT0Qtype,
+                        dns_protocol::kRcodeNOERROR | dns_protocol::kFlagTC);
+  AddQueryAndResponse(0 /* id */, kT0HostName, kT0Qtype, kT0ResponseDatagram,
+                      std::size(kT0ResponseDatagram), ASYNC, Transport::TCP);
+
+  TransactionHelper helper0(kT0RecordCount);
+  NetLogCountingObserver observer;
+  NetLog::Get()->AddObserver(&observer, NetLogCaptureMode::kEverything);
+  helper0.StartTransaction(transaction_factory_.get(), kT0HostName, kT0Qtype,
+                           false /* secure */, resolve_context_.get());
+  helper0.RunUntilComplete();
+  EXPECT_EQ(observer.count(), 8);
+  EXPECT_EQ(observer.dict_count(), 6);
+}
+
 TEST_F(DnsTransactionTest, TcpLookup_LowEntropy) {
   socket_factory_->diverse_source_ports_ = false;
 
diff --git a/chromium/net/dns/dns_udp_tracker.cc b/chromium/net/dns/dns_udp_tracker.cc
index 17ff41b6453..74c714b6432 100644
--- a/chromium/net/dns/dns_udp_tracker.cc
+++ b/chromium/net/dns/dns_udp_tracker.cc
@@ -1,14 +1,14 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/dns/dns_udp_tracker.h"
 
-#include <algorithm>
 #include <utility>
 
 #include "base/metrics/histogram_macros.h"
 #include "base/numerics/safe_conversions.h"
+#include "base/ranges/algorithm.h"
 #include "base/time/tick_clock.h"
 #include "net/base/net_errors.h"
 
@@ -126,9 +126,8 @@ void DnsUdpTracker::SaveIdMismatch(uint16_t id) {
 
   base::TimeTicks now = tick_clock_->NowTicks();
   base::TimeTicks time_cutoff = now - kMaxRecognizedIdAge;
-  bool is_recognized = std::any_of(
-      recent_queries_.cbegin(), recent_queries_.cend(),
-      [&](const auto& recent_query) {
+  bool is_recognized =
+      base::ranges::any_of(recent_queries_, [&](const auto& recent_query) {
         return recent_query.query_id == id && recent_query.time >= time_cutoff;
       });
 
diff --git a/chromium/net/dns/dns_udp_tracker.h b/chromium/net/dns/dns_udp_tracker.h
index faefb8d0e01..360c4f9f903 100644
--- a/chromium/net/dns/dns_udp_tracker.h
+++ b/chromium/net/dns/dns_udp_tracker.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_udp_tracker_unittest.cc b/chromium/net/dns/dns_udp_tracker_unittest.cc
index 0c79ff831d2..2a60b5f142e 100644
--- a/chromium/net/dns/dns_udp_tracker_unittest.cc
+++ b/chromium/net/dns/dns_udp_tracker_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_util.cc b/chromium/net/dns/dns_util.cc
index 2c2715524df..a5dfa194c3a 100644
--- a/chromium/net/dns/dns_util.cc
+++ b/chromium/net/dns/dns_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,7 +7,6 @@
 #include <errno.h>
 #include <limits.h>
 
-#include <algorithm>
 #include <cstring>
 #include <string>
 #include <unordered_map>
@@ -18,6 +17,7 @@
 #include "base/feature_list.h"
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_split.h"
 #include "build/build_config.h"
@@ -258,10 +258,7 @@ uint16_t DnsQueryTypeToQtype(DnsQueryType dns_query_type) {
       return dns_protocol::kTypePTR;
     case DnsQueryType::SRV:
       return dns_protocol::kTypeSRV;
-    case DnsQueryType::INTEGRITY:
-      return dns_protocol::kExperimentalTypeIntegrity;
     case DnsQueryType::HTTPS:
-    case DnsQueryType::HTTPS_EXPERIMENTAL:
       return dns_protocol::kTypeHttps;
   }
 }
@@ -310,10 +307,8 @@ std::vector<DnsOverHttpsServerConfig> GetDohUpgradeServersFromNameservers(
 std::string GetDohProviderIdForHistogramFromServerConfig(
     const DnsOverHttpsServerConfig& doh_server) {
   const auto& entries = DohProviderEntry::GetList();
-  const auto it =
-      std::find_if(entries.begin(), entries.end(), [&](const auto* entry) {
-        return entry->doh_server_config == doh_server;
-      });
+  const auto it = base::ranges::find(entries, doh_server,
+                                     &DohProviderEntry::doh_server_config);
   return it != entries.end() ? (*it)->provider : "Other";
 }
 
diff --git a/chromium/net/dns/dns_util.h b/chromium/net/dns/dns_util.h
index 78a2de7d69e..ab9233e8ffc 100644
--- a/chromium/net/dns/dns_util.h
+++ b/chromium/net/dns/dns_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/dns_util_unittest.cc b/chromium/net/dns/dns_util_unittest.cc
index 9aae23630ed..532f4a810f9 100644
--- a/chromium/net/dns/dns_util_unittest.cc
+++ b/chromium/net/dns/dns_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright 2009 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/fuzzed_host_resolver_util.cc b/chromium/net/dns/fuzzed_host_resolver_util.cc
index bb6ebe68ba7..0bbe930200c 100644
--- a/chromium/net/dns/fuzzed_host_resolver_util.cc
+++ b/chromium/net/dns/fuzzed_host_resolver_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -35,6 +35,7 @@
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver_manager.h"
 #include "net/dns/host_resolver_proc.h"
+#include "net/dns/host_resolver_system_task.h"
 #include "net/dns/mdns_client.h"
 #include "net/dns/public/util.h"
 #include "net/dns/resolve_context.h"
@@ -375,14 +376,13 @@ class FuzzedHostResolverManager : public HostResolverManager {
         socket_factory_(data_provider_),
         net_log_(net_log),
         data_provider_weak_factory_(data_provider) {
-    ProcTaskParams proc_task_params(
+    HostResolverSystemTask::Params system_task_params(
         base::MakeRefCounted<FuzzedHostResolverProc>(
             data_provider_weak_factory_.GetWeakPtr()),
         // Retries are only used when the original request hangs, which this
         // class currently can't simulate.
         0 /* max_retry_attempts */);
-    set_proc_params_for_test(proc_task_params);
-    SetTaskRunnerForTesting(base::SequencedTaskRunnerHandle::Get());
+    set_host_resolver_system_params_for_test(system_task_params);  // IN-TEST
     SetMdnsSocketFactoryForTesting(
         std::make_unique<FuzzedMdnsSocketFactory>(data_provider_));
     std::unique_ptr<DnsClient> dns_client = DnsClient::CreateClientForTesting(
diff --git a/chromium/net/dns/fuzzed_host_resolver_util.h b/chromium/net/dns/fuzzed_host_resolver_util.h
index 337955e31a5..801a1736eb9 100644
--- a/chromium/net/dns/fuzzed_host_resolver_util.h
+++ b/chromium/net/dns/fuzzed_host_resolver_util.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -26,9 +26,8 @@ class NetLog;
 // true or calling SetInsecureDnsClientEnabled on the underlying
 // HostResolverManager.
 //
-// To make behavior most deterministic, does not use the WorkerPool to run its
-// simulated platform host resolver calls, instead runs them on the thread it is
-// created on.
+// To make behavior most deterministic, it is recommended that tests and fuzzers
+// run all system DNS resolution on the current thread.
 //
 // Note that it does not attempt to sort the resulting AddressList when using
 // the mock system resolver path.
diff --git a/chromium/net/dns/host_cache.cc b/chromium/net/dns/host_cache.cc
index 042d9ff186d..a4d1399e3c4 100644
--- a/chromium/net/dns/host_cache.cc
+++ b/chromium/net/dns/host_cache.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,11 +19,11 @@
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/numerics/safe_conversions.h"
-#include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/time/default_tick_clock.h"
 #include "base/trace_event/trace_event.h"
+#include "base/types/optional_util.h"
 #include "base/value_iterators.h"
 #include "net/base/address_family.h"
 #include "net/base/ip_endpoint.h"
@@ -58,7 +58,7 @@ const char kDnsQueryTypeKey[] = "dns_query_type";
 const char kFlagsKey[] = "flags";
 const char kHostResolverSourceKey[] = "host_resolver_source";
 const char kSecureKey[] = "secure";
-const char kNetworkIsolationKeyKey[] = "network_isolation_key";
+const char kNetworkAnonymizationKey[] = "network_anonymization_key";
 const char kExpirationKey[] = "expiration";
 const char kTtlKey[] = "ttl";
 const char kPinnedKey[] = "pinned";
@@ -202,6 +202,14 @@ const std::string& GetHostname(
   return *hostname;
 }
 
+absl::optional<DnsQueryType> GetDnsQueryType(int dns_query_type) {
+  for (const auto& type : kDnsQueryTypes) {
+    if (base::strict_cast<int>(type.first) == dns_query_type)
+      return type.first;
+  }
+  return absl::nullopt;
+}
+
 }  // namespace
 
 // Used in histograms; do not modify existing values.
@@ -233,12 +241,12 @@ HostCache::Key::Key(absl::variant<url::SchemeHostPort, std::string> host,
                     DnsQueryType dns_query_type,
                     HostResolverFlags host_resolver_flags,
                     HostResolverSource host_resolver_source,
-                    const NetworkIsolationKey& network_isolation_key)
+                    const NetworkAnonymizationKey& network_anonymization_key)
     : host(std::move(host)),
       dns_query_type(dns_query_type),
       host_resolver_flags(host_resolver_flags),
       host_resolver_source(host_resolver_source),
-      network_isolation_key(network_isolation_key) {
+      network_anonymization_key(network_anonymization_key) {
   DCHECK(IsValidHostname(GetHostname(this->host)));
   if (absl::holds_alternative<url::SchemeHostPort>(this->host))
     DCHECK(absl::get<url::SchemeHostPort>(this->host).IsValid());
@@ -798,17 +806,19 @@ void HostCache::GetList(base::Value::List& entry_list,
     const Key& key = pair.first;
     const Entry& entry = pair.second;
 
-    base::Value network_isolation_key_value;
+    base::Value network_anonymization_key_value;
     if (serialization_type == SerializationType::kRestorable) {
-      // Don't save entries associated with ephemeral NetworkIsolationKeys.
-      if (!key.network_isolation_key.ToValue(&network_isolation_key_value))
+      // Don't save entries associated with ephemeral NetworkAnonymizationKeys.
+      if (!key.network_anonymization_key.ToValue(
+              &network_anonymization_key_value)) {
         continue;
+      }
     } else {
       // ToValue() fails for transient NIKs, since they should never be
       // serialized to disk in a restorable format, so use ToDebugString() when
       // serializing for debugging instead of for restoring from disk.
-      network_isolation_key_value =
-          base::Value(key.network_isolation_key.ToDebugString());
+      network_anonymization_key_value =
+          base::Value(key.network_anonymization_key.ToDebugString());
     }
 
     base::Value::Dict entry_dict = entry.GetAsValue(include_staleness);
@@ -827,8 +837,8 @@ void HostCache::GetList(base::Value::List& entry_list,
     entry_dict.Set(kFlagsKey, key.host_resolver_flags);
     entry_dict.Set(kHostResolverSourceKey,
                    base::strict_cast<int>(key.host_resolver_source));
-    entry_dict.Set(kNetworkIsolationKeyKey,
-                   std::move(network_isolation_key_value));
+    entry_dict.Set(kNetworkAnonymizationKey,
+                   std::move(network_anonymization_key_value));
     entry_dict.Set(kSecureKey, key.secure);
 
     entry_list.Append(std::move(entry_dict));
@@ -882,21 +892,22 @@ bool HostCache::RestoreFromListValue(const base::Value::List& old_cache) {
         entry_dict.FindInt(kDnsQueryTypeKey);
     if (!maybe_dns_query_type.has_value())
       return false;
-    DnsQueryType dns_query_type =
-        static_cast<DnsQueryType>(maybe_dns_query_type.value());
-
+    absl::optional<DnsQueryType> dns_query_type =
+        GetDnsQueryType(maybe_dns_query_type.value());
+    if (!dns_query_type.has_value())
+      return false;
     // HostResolverSource is optional.
     int host_resolver_source =
         entry_dict.FindInt(kHostResolverSourceKey)
             .value_or(base::strict_cast<int>(HostResolverSource::ANY));
 
-    const base::Value* network_isolation_key_value =
-        entry_dict.Find(kNetworkIsolationKeyKey);
-    NetworkIsolationKey network_isolation_key;
-    if (!network_isolation_key_value ||
-        network_isolation_key_value->type() == base::Value::Type::STRING ||
-        !NetworkIsolationKey::FromValue(*network_isolation_key_value,
-                                        &network_isolation_key)) {
+    const base::Value* network_anonymization_key_value =
+        entry_dict.Find(kNetworkAnonymizationKey);
+    NetworkAnonymizationKey network_anonymization_key;
+    if (!network_anonymization_key_value ||
+        network_anonymization_key_value->type() == base::Value::Type::STRING ||
+        !NetworkAnonymizationKey::FromValue(*network_anonymization_key_value,
+                                            &network_anonymization_key)) {
       return false;
     }
 
@@ -1035,7 +1046,8 @@ bool HostCache::RestoreFromListValue(const base::Value::List& old_cache) {
 
     // Assume an empty endpoints list and an empty aliases if we have an address
     // type and no results.
-    if (IsAddressType(dns_query_type) && !text_records && !hostname_records) {
+    if (IsAddressType(dns_query_type.value()) && !text_records &&
+        !hostname_records) {
       if (!ip_endpoints) {
         ip_endpoints.emplace();
       }
@@ -1043,9 +1055,9 @@ bool HostCache::RestoreFromListValue(const base::Value::List& old_cache) {
         aliases.emplace();
       }
     }
-    Key key(std::move(host), dns_query_type, flags,
+    Key key(std::move(host), dns_query_type.value(), flags,
             static_cast<HostResolverSource>(host_resolver_source),
-            network_isolation_key);
+            network_anonymization_key);
     key.secure = secure;
 
     // If the key is already in the cache, assume it's more recent and don't
diff --git a/chromium/net/dns/host_cache.h b/chromium/net/dns/host_cache.h
index eb915468c45..7e1fcd97cd9 100644
--- a/chromium/net/dns/host_cache.h
+++ b/chromium/net/dns/host_cache.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -21,9 +21,9 @@
 #include "base/gtest_prod_util.h"
 #include "base/memory/raw_ptr.h"
 #include "base/numerics/clamped_math.h"
-#include "base/stl_util.h"
 #include "base/threading/thread_checker.h"
 #include "base/time/time.h"
+#include "base/types/optional_util.h"
 #include "base/values.h"
 #include "net/base/address_family.h"
 #include "net/base/connection_endpoint_metadata.h"
@@ -32,9 +32,9 @@
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/dns/public/dns_query_type.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/host_resolver_source.h"
 #include "net/log/net_log_capture_mode.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
@@ -58,7 +58,7 @@ class NET_EXPORT HostCache {
         DnsQueryType dns_query_type,
         HostResolverFlags host_resolver_flags,
         HostResolverSource host_resolver_source,
-        const NetworkIsolationKey& network_isolation_key);
+        const NetworkAnonymizationKey& network_anonymization_key);
     Key();
     Key(const Key& key);
     Key(Key&& key);
@@ -70,7 +70,7 @@ class NET_EXPORT HostCache {
     // assumption that integer comparisons are faster than string comparisons.
     static auto GetTuple(const Key* key) {
       return std::tie(key->dns_query_type, key->host_resolver_flags, key->host,
-                      key->host_resolver_source, key->network_isolation_key,
+                      key->host_resolver_source, key->network_anonymization_key,
                       key->secure);
     }
 
@@ -90,7 +90,7 @@ class NET_EXPORT HostCache {
     DnsQueryType dns_query_type = DnsQueryType::UNSPECIFIED;
     HostResolverFlags host_resolver_flags = 0;
     HostResolverSource host_resolver_source = HostResolverSource::ANY;
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
     bool secure = false;
   };
 
@@ -188,7 +188,7 @@ class NET_EXPORT HostCache {
     absl::optional<std::vector<HostResolverEndpointResult>> GetEndpoints()
         const;
     const std::vector<IPEndPoint>* ip_endpoints() const {
-      return base::OptionalOrNullptr(ip_endpoints_);
+      return base::OptionalToPtr(ip_endpoints_);
     }
     void set_ip_endpoints(
         absl::optional<std::vector<IPEndPoint>> ip_endpoints) {
@@ -198,7 +198,7 @@ class NET_EXPORT HostCache {
         const;
     void ClearMetadatas() { endpoint_metadatas_.reset(); }
     const std::set<std::string>* aliases() const {
-      return base::OptionalOrNullptr(aliases_);
+      return base::OptionalToPtr(aliases_);
     }
     void set_aliases(std::set<std::string> aliases) {
       aliases_ = std::move(aliases);
@@ -217,7 +217,7 @@ class NET_EXPORT HostCache {
       hostnames_ = std::move(hostnames);
     }
     const std::vector<bool>* https_record_compatibility() const {
-      return base::OptionalOrNullptr(https_record_compatibility_);
+      return base::OptionalToPtr(https_record_compatibility_);
     }
     void set_https_record_compatibility(
         absl::optional<std::vector<bool>> https_record_compatibility) {
@@ -374,12 +374,12 @@ class NET_EXPORT HostCache {
 
   // The two ways to serialize the cache to a value.
   enum class SerializationType {
-    // Entries with transient NetworkIsolationKeys are not serialized, and
+    // Entries with transient NetworkAnonymizationKeys are not serialized, and
     // RestoreFromListValue() can load the returned value.
     kRestorable,
-    // Entries with transient NetworkIsolationKeys are serialized, and
+    // Entries with transient NetworkAnonymizationKeys are serialized, and
     // RestoreFromListValue() cannot load the returned value, since the debug
-    // serialization of NetworkIsolationKeys is used instead of the
+    // serialization of NetworkAnonymizationKeys is used instead of the
     // deserializable representation.
     kDebug,
   };
diff --git a/chromium/net/dns/host_cache_fuzzer.cc b/chromium/net/dns/host_cache_fuzzer.cc
index 8b302a29706..9917f71298b 100644
--- a/chromium/net/dns/host_cache_fuzzer.cc
+++ b/chromium/net/dns/host_cache_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/host_cache_fuzzer.proto b/chromium/net/dns/host_cache_fuzzer.proto
index 4f4e01ba5f9..09ff6169c52 100644
--- a/chromium/net/dns/host_cache_fuzzer.proto
+++ b/chromium/net/dns/host_cache_fuzzer.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/host_cache_unittest.cc b/chromium/net/dns/host_cache_unittest.cc
index 863eec2f4fc..a19b72dfe6f 100644
--- a/chromium/net/dns/host_cache_unittest.cc
+++ b/chromium/net/dns/host_cache_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -24,11 +24,11 @@
 #include "base/values.h"
 #include "net/base/connection_endpoint_metadata.h"
 #include "net/base/ip_endpoint.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
-#include "net/dns/host_resolver_results.h"
 #include "net/dns/host_resolver_results_test_util.h"
 #include "net/dns/https_record_rdata.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
@@ -55,7 +55,7 @@ const int kMaxCacheEntries = 10;
 HostCache::Key Key(const std::string& hostname) {
   return HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, hostname, 443),
                         DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                        NetworkIsolationKey());
+                        NetworkAnonymizationKey());
 }
 
 bool FoobarIndexIsOdd(const std::string& foobarx_com) {
@@ -226,11 +226,11 @@ TEST(HostCacheTest, HandlesKeysWithoutScheme) {
   base::TimeTicks now;
 
   HostCache::Key key("host1.test", DnsQueryType::UNSPECIFIED, 0,
-                     HostResolverSource::ANY, NetworkIsolationKey());
+                     HostResolverSource::ANY, NetworkAnonymizationKey());
   HostCache::Key key_with_scheme(
       url::SchemeHostPort(url::kHttpsScheme, "host1.test", 443),
       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-      NetworkIsolationKey());
+      NetworkAnonymizationKey());
   ASSERT_NE(key, key_with_scheme);
   HostCache::Entry entry =
       HostCache::Entry(OK, /*ip_endpoints=*/{}, /*aliases=*/{},
@@ -271,20 +271,20 @@ TEST(HostCacheTest, HandlesKeysWithoutScheme) {
   EXPECT_TRUE(cache.Lookup(key_with_scheme, now));
 }
 
-// Make sure NetworkIsolationKey is respected.
-TEST(HostCacheTest, NetworkIsolationKey) {
+// Make sure NetworkAnonymizationKey is respected.
+TEST(HostCacheTest, NetworkAnonymizationKey) {
   const url::SchemeHostPort kHost(url::kHttpsScheme, "hostname.test", 443);
   const base::TimeDelta kTTL = base::Seconds(10);
 
   const SchemefulSite kSite1(GURL("https://site1.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://site2.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   HostCache::Key key1(kHost, DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, kNetworkIsolationKey1);
+                      HostResolverSource::ANY, kNetworkAnonymizationKey1);
   HostCache::Key key2(kHost, DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, kNetworkIsolationKey2);
+                      HostResolverSource::ANY, kNetworkAnonymizationKey2);
   HostCache::Entry entry1 =
       HostCache::Entry(OK, /*ip_endpoints=*/{}, /*aliases=*/{},
                        HostCache::Entry::SOURCE_UNKNOWN);
@@ -299,27 +299,27 @@ TEST(HostCacheTest, NetworkIsolationKey) {
 
   EXPECT_EQ(0U, cache.size());
 
-  // Add an entry for kNetworkIsolationKey1.
+  // Add an entry for kNetworkAnonymizationKey1.
   EXPECT_FALSE(cache.Lookup(key1, now));
   cache.Set(key1, entry1, now, kTTL);
 
   const std::pair<const HostCache::Key, HostCache::Entry>* result =
       cache.Lookup(key1, now);
   ASSERT_TRUE(result);
-  EXPECT_EQ(kNetworkIsolationKey1, result->first.network_isolation_key);
+  EXPECT_EQ(kNetworkAnonymizationKey1, result->first.network_anonymization_key);
   EXPECT_EQ(OK, result->second.error());
   EXPECT_FALSE(cache.Lookup(key2, now));
   EXPECT_EQ(1U, cache.size());
 
-  // Add a different entry for kNetworkIsolationKey2.
+  // Add a different entry for kNetworkAnonymizationKey2.
   cache.Set(key2, entry2, now, 3 * kTTL);
   result = cache.Lookup(key1, now);
   ASSERT_TRUE(result);
-  EXPECT_EQ(kNetworkIsolationKey1, result->first.network_isolation_key);
+  EXPECT_EQ(kNetworkAnonymizationKey1, result->first.network_anonymization_key);
   EXPECT_EQ(OK, result->second.error());
   result = cache.Lookup(key2, now);
   ASSERT_TRUE(result);
-  EXPECT_EQ(kNetworkIsolationKey2, result->first.network_isolation_key);
+  EXPECT_EQ(kNetworkAnonymizationKey2, result->first.network_anonymization_key);
   EXPECT_EQ(ERR_FAILED, result->second.error());
   EXPECT_EQ(2U, cache.size());
 
@@ -328,7 +328,7 @@ TEST(HostCacheTest, NetworkIsolationKey) {
   EXPECT_FALSE(cache.Lookup(key1, now));
   result = cache.Lookup(key2, now);
   ASSERT_TRUE(result);
-  EXPECT_EQ(kNetworkIsolationKey2, result->first.network_isolation_key);
+  EXPECT_EQ(kNetworkAnonymizationKey2, result->first.network_anonymization_key);
   EXPECT_EQ(ERR_FAILED, result->second.error());
 }
 
@@ -438,10 +438,10 @@ TEST(HostCacheTest, DnsQueryTypeIsPartOfKey) {
 
   HostCache::Key key1(url::SchemeHostPort(url::kHttpScheme, "foobar.com", 80),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
   HostCache::Key key2(url::SchemeHostPort(url::kHttpScheme, "foobar.com", 80),
                       DnsQueryType::A, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
   HostCache::Entry entry =
       HostCache::Entry(OK, /*ip_endpoints=*/{}, /*aliases=*/{},
                        HostCache::Entry::SOURCE_UNKNOWN);
@@ -477,11 +477,11 @@ TEST(HostCacheTest, HostResolverFlagsArePartOfKey) {
   base::TimeTicks now;
 
   HostCache::Key key1(kHost, DnsQueryType::A, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
   HostCache::Key key2(kHost, DnsQueryType::A, HOST_RESOLVER_CANONNAME,
-                      HostResolverSource::ANY, NetworkIsolationKey());
+                      HostResolverSource::ANY, NetworkAnonymizationKey());
   HostCache::Key key3(kHost, DnsQueryType::A, HOST_RESOLVER_LOOPBACK_ONLY,
-                      HostResolverSource::ANY, NetworkIsolationKey());
+                      HostResolverSource::ANY, NetworkAnonymizationKey());
   HostCache::Entry entry =
       HostCache::Entry(OK, /*ip_endpoints=*/{}, /*aliases=*/{},
                        HostCache::Entry::SOURCE_UNKNOWN);
@@ -525,9 +525,9 @@ TEST(HostCacheTest, HostResolverSourceIsPartOfKey) {
   base::TimeTicks now;
 
   HostCache::Key key1(kHost, DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, NetworkIsolationKey());
+                      HostResolverSource::ANY, NetworkAnonymizationKey());
   HostCache::Key key2(kHost, DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::DNS, NetworkIsolationKey());
+                      HostResolverSource::DNS, NetworkAnonymizationKey());
   HostCache::Entry entry =
       HostCache::Entry(OK, /*ip_endpoints=*/{}, /*aliases=*/{},
                        HostCache::Entry::SOURCE_UNKNOWN);
@@ -564,10 +564,10 @@ TEST(HostCacheTest, SecureIsPartOfKey) {
   HostCache::EntryStaleness stale;
 
   HostCache::Key key1(kHost, DnsQueryType::A, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
   key1.secure = true;
   HostCache::Key key2(kHost, DnsQueryType::A, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
   key2.secure = false;
   HostCache::Entry entry =
       HostCache::Entry(OK, /*ip_endpoints=*/{}, /*aliases=*/{},
@@ -611,9 +611,10 @@ TEST(HostCacheTest, PreferLessStaleMoreSecure) {
   HostCache::EntryStaleness stale;
 
   HostCache::Key insecure_key(kHost, DnsQueryType::A, 0,
-                              HostResolverSource::ANY, NetworkIsolationKey());
+                              HostResolverSource::ANY,
+                              NetworkAnonymizationKey());
   HostCache::Key secure_key(kHost, DnsQueryType::A, 0, HostResolverSource::ANY,
-                            NetworkIsolationKey());
+                            NetworkAnonymizationKey());
   secure_key.secure = true;
   HostCache::Entry entry =
       HostCache::Entry(OK, /*ip_endpoints=*/{}, /*aliases=*/{},
@@ -1126,111 +1127,111 @@ TEST(HostCacheTest, KeyComparators) {
   std::vector<CacheTestParameters> tests = {
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        0},
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::A, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        1},
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::A, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        -1},
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host2", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        -1},
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::A, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host2", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        1},
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host2", 443),
                       DnsQueryType::A, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        -1},
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, HOST_RESOLVER_CANONNAME,
-                      HostResolverSource::ANY, NetworkIsolationKey()),
+                      HostResolverSource::ANY, NetworkAnonymizationKey()),
        -1},
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, HOST_RESOLVER_CANONNAME,
-                      HostResolverSource::ANY, NetworkIsolationKey()),
+                      HostResolverSource::ANY, NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        1},
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, HOST_RESOLVER_CANONNAME,
-                      HostResolverSource::ANY, NetworkIsolationKey()),
+                      HostResolverSource::ANY, NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host2", 443),
                       DnsQueryType::UNSPECIFIED, HOST_RESOLVER_CANONNAME,
-                      HostResolverSource::ANY, NetworkIsolationKey()),
+                      HostResolverSource::ANY, NetworkAnonymizationKey()),
        -1},
       // 9: Different host scheme.
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        1},
       // 10: Different host port.
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 1544),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        -1},
       // 11: Same host name without scheme/port.
       {HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, NetworkIsolationKey()),
+                      HostResolverSource::ANY, NetworkAnonymizationKey()),
        HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, NetworkIsolationKey()),
+                      HostResolverSource::ANY, NetworkAnonymizationKey()),
        0},
       // 12: Different host name without scheme/port.
       {HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, NetworkIsolationKey()),
+                      HostResolverSource::ANY, NetworkAnonymizationKey()),
        HostCache::Key("host2", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, NetworkIsolationKey()),
+                      HostResolverSource::ANY, NetworkAnonymizationKey()),
        -1},
       // 13: Only one with scheme/port.
       {HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                       DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                      NetworkIsolationKey()),
+                      NetworkAnonymizationKey()),
        HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, NetworkIsolationKey()),
+                      HostResolverSource::ANY, NetworkAnonymizationKey()),
        -1},
   };
   HostCache::Key insecure_key =
       HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                      DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   HostCache::Key secure_key =
       HostCache::Key(url::SchemeHostPort(url::kHttpsScheme, "host1", 443),
                      DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   secure_key.secure = true;
   tests.emplace_back(insecure_key, secure_key, -1);
 
@@ -1303,7 +1304,7 @@ TEST(HostCacheTest, SerializeAndDeserializeWithExpirations) {
                 HostCache::SerializationType::kRestorable);
   HostCache restored_cache(kMaxCacheEntries);
 
-  restored_cache.RestoreFromListValue(serialized_cache);
+  EXPECT_TRUE(restored_cache.RestoreFromListValue(serialized_cache));
 
   HostCache::EntryStaleness stale;
 
@@ -1395,7 +1396,7 @@ TEST(HostCacheTest, SerializeAndDeserializeWithChanges) {
 
   EXPECT_EQ(0u, restored_cache.last_restore_size());
 
-  restored_cache.RestoreFromListValue(serialized_cache);
+  EXPECT_TRUE(restored_cache.RestoreFromListValue(serialized_cache));
   EXPECT_EQ(1u, restored_cache.last_restore_size());
 
   HostCache::EntryStaleness stale;
@@ -1492,7 +1493,7 @@ TEST(HostCacheTest, SerializeAndDeserializeAddresses) {
 
   EXPECT_EQ(0u, restored_cache.last_restore_size());
 
-  restored_cache.RestoreFromListValue(serialized_cache);
+  EXPECT_TRUE(restored_cache.RestoreFromListValue(serialized_cache));
 
   HostCache::EntryStaleness stale;
 
@@ -1551,7 +1552,7 @@ TEST(HostCacheTest, SerializeAndDeserializeEntryWithoutScheme) {
   const base::TimeDelta kTTL = base::Seconds(10);
 
   HostCache::Key key("host.test", DnsQueryType::UNSPECIFIED, 0,
-                     HostResolverSource::ANY, NetworkIsolationKey());
+                     HostResolverSource::ANY, NetworkAnonymizationKey());
   HostCache::Entry entry =
       HostCache::Entry(OK, /*ip_endpoints=*/{},
                        /*aliases=*/{}, HostCache::Entry::SOURCE_UNKNOWN);
@@ -1575,20 +1576,20 @@ TEST(HostCacheTest, SerializeAndDeserializeEntryWithoutScheme) {
               Pointee(Pair(key, EntryContentsEqual(entry))));
 }
 
-TEST(HostCacheTest, SerializeAndDeserializeWithNetworkIsolationKey) {
+TEST(HostCacheTest, SerializeAndDeserializeWithNetworkAnonymizationKey) {
   const url::SchemeHostPort kHost =
       url::SchemeHostPort(url::kHttpsScheme, "hostname.test", 443);
   const base::TimeDelta kTTL = base::Seconds(10);
   const SchemefulSite kSite(GURL("https://site.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey(kSite, kSite);
   const SchemefulSite kOpaqueSite;
-  const NetworkIsolationKey kOpaqueNetworkIsolationKey(kOpaqueSite,
-                                                       kOpaqueSite);
+  const NetworkAnonymizationKey kOpaqueNetworkAnonymizationKey(kOpaqueSite,
+                                                               kOpaqueSite);
 
   HostCache::Key key1(kHost, DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, kNetworkIsolationKey);
+                      HostResolverSource::ANY, kNetworkAnonymizationKey);
   HostCache::Key key2(kHost, DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY, kOpaqueNetworkIsolationKey);
+                      HostResolverSource::ANY, kOpaqueNetworkAnonymizationKey);
 
   IPEndPoint endpoint(IPAddress(1, 2, 3, 4), 0);
   HostCache::Entry entry = HostCache::Entry(OK, {endpoint}, /*aliases=*/{},
@@ -1601,11 +1602,11 @@ TEST(HostCacheTest, SerializeAndDeserializeWithNetworkIsolationKey) {
   cache.Set(key2, entry, now, kTTL);
 
   EXPECT_TRUE(cache.Lookup(key1, now));
-  EXPECT_EQ(kNetworkIsolationKey,
-            cache.Lookup(key1, now)->first.network_isolation_key);
+  EXPECT_EQ(kNetworkAnonymizationKey,
+            cache.Lookup(key1, now)->first.network_anonymization_key);
   EXPECT_TRUE(cache.Lookup(key2, now));
-  EXPECT_EQ(kOpaqueNetworkIsolationKey,
-            cache.Lookup(key2, now)->first.network_isolation_key);
+  EXPECT_EQ(kOpaqueNetworkAnonymizationKey,
+            cache.Lookup(key2, now)->first.network_anonymization_key);
   EXPECT_EQ(2u, cache.size());
 
   base::Value::List serialized_cache;
@@ -1624,11 +1625,11 @@ TEST(HostCacheTest, SerializeAndDeserializeWithNetworkIsolationKey) {
 TEST(HostCacheTest, SerializeForDebugging) {
   const url::SchemeHostPort kHost(url::kHttpsScheme, "hostname.test", 443);
   const base::TimeDelta kTTL = base::Seconds(10);
-  const NetworkIsolationKey kNetworkIsolationKey =
-      NetworkIsolationKey::CreateTransient();
+  const NetworkAnonymizationKey kNetworkAnonymizationKey =
+      NetworkAnonymizationKey::CreateTransient();
 
   HostCache::Key key(kHost, DnsQueryType::UNSPECIFIED, 0,
-                     HostResolverSource::ANY, kNetworkIsolationKey);
+                     HostResolverSource::ANY, kNetworkAnonymizationKey);
 
   IPEndPoint endpoint(IPAddress(1, 2, 3, 4), 0);
   HostCache::Entry entry = HostCache::Entry(OK, {endpoint}, /*aliases=*/{},
@@ -1640,8 +1641,8 @@ TEST(HostCacheTest, SerializeForDebugging) {
   cache.Set(key, entry, now, kTTL);
 
   EXPECT_TRUE(cache.Lookup(key, now));
-  EXPECT_EQ(kNetworkIsolationKey,
-            cache.Lookup(key, now)->first.network_isolation_key);
+  EXPECT_EQ(kNetworkAnonymizationKey,
+            cache.Lookup(key, now)->first.network_anonymization_key);
   EXPECT_EQ(1u, cache.size());
 
   base::Value::List serialized_cache;
@@ -1653,9 +1654,9 @@ TEST(HostCacheTest, SerializeForDebugging) {
   ASSERT_EQ(1u, serialized_cache.size());
   ASSERT_TRUE(serialized_cache[0].is_dict());
   const std::string* nik_string =
-      serialized_cache[0].GetDict().FindString("network_isolation_key");
+      serialized_cache[0].GetDict().FindString("network_anonymization_key");
   ASSERT_TRUE(nik_string);
-  ASSERT_EQ(kNetworkIsolationKey.ToDebugString(), *nik_string);
+  ASSERT_EQ(kNetworkAnonymizationKey.ToDebugString(), *nik_string);
 }
 
 TEST(HostCacheTest, SerializeAndDeserialize_Text) {
@@ -1665,7 +1666,7 @@ TEST(HostCacheTest, SerializeAndDeserialize_Text) {
   std::vector<std::string> text_records({"foo", "bar"});
   HostCache::Key key(url::SchemeHostPort(url::kHttpsScheme, "example.com", 443),
                      DnsQueryType::A, 0, HostResolverSource::DNS,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   key.secure = true;
   HostCache::Entry entry(OK, text_records, HostCache::Entry::SOURCE_DNS, ttl);
   EXPECT_TRUE(entry.text_records());
@@ -1678,7 +1679,7 @@ TEST(HostCacheTest, SerializeAndDeserialize_Text) {
   cache.GetList(serialized_cache, false /* include_staleness */,
                 HostCache::SerializationType::kRestorable);
   HostCache restored_cache(kMaxCacheEntries);
-  restored_cache.RestoreFromListValue(serialized_cache);
+  EXPECT_TRUE(restored_cache.RestoreFromListValue(serialized_cache));
 
   ASSERT_EQ(1u, serialized_cache.size());
   ASSERT_EQ(1u, restored_cache.size());
@@ -1697,7 +1698,7 @@ TEST(HostCacheTest, SerializeAndDeserialize_Hostname) {
       {HostPortPair("example.com", 95), HostPortPair("chromium.org", 122)});
   HostCache::Key key(url::SchemeHostPort(url::kHttpsScheme, "example.com", 443),
                      DnsQueryType::A, 0, HostResolverSource::DNS,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   HostCache::Entry entry(OK, hostnames, HostCache::Entry::SOURCE_DNS, ttl);
   EXPECT_TRUE(entry.hostnames());
 
@@ -1709,7 +1710,7 @@ TEST(HostCacheTest, SerializeAndDeserialize_Hostname) {
   cache.GetList(serialized_cache, false /* include_staleness */,
                 HostCache::SerializationType::kRestorable);
   HostCache restored_cache(kMaxCacheEntries);
-  restored_cache.RestoreFromListValue(serialized_cache);
+  EXPECT_TRUE(restored_cache.RestoreFromListValue(serialized_cache));
 
   ASSERT_EQ(1u, restored_cache.size());
   HostCache::EntryStaleness stale;
@@ -1725,7 +1726,7 @@ TEST(HostCacheTest, SerializeAndDeserializeEndpointResult) {
   base::TimeDelta ttl = base::Seconds(99);
   HostCache::Key key(url::SchemeHostPort(url::kHttpsScheme, "example.com", 443),
                      DnsQueryType::A, 0, HostResolverSource::DNS,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   IPEndPoint ipv6_endpoint(
       IPAddress(1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4), 110);
   IPEndPoint ipv4_endpoint1(IPAddress(1, 1, 1, 1), 80);
@@ -1781,7 +1782,7 @@ TEST(HostCacheTest, SerializeAndDeserializeEndpointResult) {
   cache.GetList(serialized_cache, false /* include_staleness */,
                 HostCache::SerializationType::kRestorable);
   HostCache restored_cache(kMaxCacheEntries);
-  restored_cache.RestoreFromListValue(serialized_cache);
+  EXPECT_TRUE(restored_cache.RestoreFromListValue(serialized_cache));
 
   // Check `serialized_cache` can be encoded as JSON. This ensures it has no
   // binary values.
@@ -1824,7 +1825,7 @@ TEST(HostCacheTest, DeserializeNoEndpointNoAliase) {
    "flags": 0,
    "host_resolver_source": 2,
    "hostname": "example.com",
-   "network_isolation_key": [  ],
+   "network_anonymization_key": [  ],
    "port": 443,
    "scheme": "https",
    "secure": false
@@ -1835,13 +1836,13 @@ TEST(HostCacheTest, DeserializeNoEndpointNoAliase) {
 
   HostCache restored_cache(kMaxCacheEntries);
   ASSERT_TRUE(dict->is_list());
-  restored_cache.RestoreFromListValue(dict->GetList());
+  EXPECT_TRUE(restored_cache.RestoreFromListValue(dict->GetList()));
 
   ASSERT_EQ(1u, restored_cache.size());
 
   HostCache::Key key(url::SchemeHostPort(url::kHttpsScheme, "example.com", 443),
                      DnsQueryType::A, 0, HostResolverSource::DNS,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
 
   HostCache::EntryStaleness stale;
   const std::pair<const HostCache::Key, HostCache::Entry>* result =
@@ -1866,7 +1867,7 @@ TEST(HostCacheTest, DeserializeLegacyAddresses) {
    "flags": 0,
    "host_resolver_source": 2,
    "hostname": "example.com",
-   "network_isolation_key": [  ],
+   "network_anonymization_key": [  ],
    "port": 443,
    "scheme": "https",
    "secure": false
@@ -1877,13 +1878,13 @@ TEST(HostCacheTest, DeserializeLegacyAddresses) {
 
   HostCache restored_cache(kMaxCacheEntries);
   ASSERT_TRUE(dict->is_list());
-  restored_cache.RestoreFromListValue(dict->GetList());
+  EXPECT_TRUE(restored_cache.RestoreFromListValue(dict->GetList()));
 
   ASSERT_EQ(1u, restored_cache.size());
 
   HostCache::Key key(url::SchemeHostPort(url::kHttpsScheme, "example.com", 443),
                      DnsQueryType::A, 0, HostResolverSource::DNS,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
 
   HostCache::EntryStaleness stale;
   const std::pair<const HostCache::Key, HostCache::Entry>* result =
@@ -1895,6 +1896,68 @@ TEST(HostCacheTest, DeserializeLegacyAddresses) {
   EXPECT_THAT(result->second.aliases(), Pointee(ElementsAre()));
 }
 
+TEST(HostCacheTest, DeserializeInvalidQueryTypeIntegrity) {
+  base::TimeDelta ttl = base::Seconds(99);
+  std::string expiration_time_str = base::NumberToString(
+      (base::Time::Now() + ttl).since_origin().InMicroseconds());
+
+  // RestoreFromListValue doesn't support dns_query_type=6 (INTEGRITY).
+  auto dict = base::JSONReader::Read(base::StringPrintf(
+      R"(
+ [ {
+   "addresses": [ "2000::", "1.2.3.4" ],
+   "dns_query_type": 6,
+   "expiration": "%s",
+   "flags": 0,
+   "host_resolver_source": 2,
+   "hostname": "example.com",
+   "network_isolation_key": [  ],
+   "port": 443,
+   "scheme": "https",
+   "secure": false
+} ]
+)",
+      expiration_time_str.c_str()));
+  ASSERT_TRUE(dict);
+
+  HostCache restored_cache(kMaxCacheEntries);
+  ASSERT_TRUE(dict->is_list());
+  EXPECT_FALSE(restored_cache.RestoreFromListValue(dict->GetList()));
+
+  ASSERT_EQ(0u, restored_cache.size());
+}
+
+TEST(HostCacheTest, DeserializeInvalidQueryTypeHttpsExperimental) {
+  base::TimeDelta ttl = base::Seconds(99);
+  std::string expiration_time_str = base::NumberToString(
+      (base::Time::Now() + ttl).since_origin().InMicroseconds());
+
+  // RestoreFromListValue doesn't support dns_query_type=8 (HTTPS_EXPERIMENTAL).
+  auto dict = base::JSONReader::Read(base::StringPrintf(
+      R"(
+ [ {
+   "addresses": [ "2000::", "1.2.3.4" ],
+   "dns_query_type": 8,
+   "expiration": "%s",
+   "flags": 0,
+   "host_resolver_source": 2,
+   "hostname": "example.com",
+   "network_isolation_key": [  ],
+   "port": 443,
+   "scheme": "https",
+   "secure": false
+} ]
+)",
+      expiration_time_str.c_str()));
+  ASSERT_TRUE(dict);
+
+  HostCache restored_cache(kMaxCacheEntries);
+  ASSERT_TRUE(dict->is_list());
+  EXPECT_FALSE(restored_cache.RestoreFromListValue(dict->GetList()));
+
+  ASSERT_EQ(0u, restored_cache.size());
+}
+
 TEST(HostCacheTest, PersistenceDelegate) {
   const base::TimeDelta kTTL = base::Seconds(10);
   HostCache cache(kMaxCacheEntries);
diff --git a/chromium/net/dns/host_resolver.cc b/chromium/net/dns/host_resolver.cc
index 1aa58423843..c554a1cf67b 100644
--- a/chromium/net/dns/host_resolver.cc
+++ b/chromium/net/dns/host_resolver.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,10 +15,12 @@
 #include "base/notreached.h"
 #include "base/ranges/algorithm.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/string_piece.h"
 #include "base/time/time_delta_from_string.h"
 #include "base/values.h"
 #include "net/base/address_list.h"
 #include "net/base/features.h"
+#include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/base/network_change_notifier.h"
 #include "net/dns/context_host_resolver.h"
@@ -26,10 +28,12 @@
 #include "net/dns/dns_util.h"
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver_manager.h"
-#include "net/dns/host_resolver_results.h"
 #include "net/dns/mapped_host_resolver.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/resolve_context.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
+#include "third_party/abseil-cpp/absl/types/variant.h"
+#include "url/scheme_host_port.h"
 
 #if BUILDFLAG(IS_ANDROID)
 #include "base/android/build_info.h"
@@ -43,7 +47,6 @@ namespace {
 // The experiment settings of features::kUseDnsHttpsSvcb. See the comments in
 // net/base/features.h for more details.
 const char kUseDnsHttpsSvcbEnable[] = "enable";
-const char kUseDnsHttpsSvcbEnableInsecure[] = "enable_insecure";
 const char kUseDnsHttpsSvcbInsecureExtraTimeMax[] = "insecure_extra_time_max";
 const char kUseDnsHttpsSvcbInsecureExtraTimePercent[] =
     "insecure_extra_time_percent";
@@ -52,8 +55,6 @@ const char kUseDnsHttpsSvcbSecureExtraTimeMax[] = "secure_extra_time_max";
 const char kUseDnsHttpsSvcbSecureExtraTimePercent[] =
     "secure_extra_time_percent";
 const char kUseDnsHttpsSvcbSecureExtraTimeMin[] = "secure_extra_time_min";
-const char kUseDnsHttpsSvcbExtraTimeAbsolute[] = "extra_time_absolute";
-const char kUseDnsHttpsSvcbExtraTimePercent[] = "extra_time_percent";
 
 class FailingRequestImpl : public HostResolver::ResolveHostRequest,
                            public HostResolver::ProbeRequest {
@@ -121,6 +122,86 @@ void GetTimeDeltaFromDictString(const base::Value::Dict& args,
 
 }  // namespace
 
+HostResolver::Host::Host(absl::variant<url::SchemeHostPort, HostPortPair> host)
+    : host_(std::move(host)) {
+#if DCHECK_IS_ON()
+  if (absl::holds_alternative<url::SchemeHostPort>(host_)) {
+    DCHECK(absl::get<url::SchemeHostPort>(host_).IsValid());
+  } else {
+    DCHECK(absl::holds_alternative<HostPortPair>(host_));
+    DCHECK(!absl::get<HostPortPair>(host_).IsEmpty());
+  }
+#endif  // DCHECK_IS_ON()
+}
+
+HostResolver::Host::~Host() = default;
+
+HostResolver::Host::Host(const Host&) = default;
+
+HostResolver::Host& HostResolver::Host::operator=(const Host&) = default;
+
+HostResolver::Host::Host(Host&&) = default;
+
+HostResolver::Host& HostResolver::Host::operator=(Host&&) = default;
+
+bool HostResolver::Host::HasScheme() const {
+  return absl::holds_alternative<url::SchemeHostPort>(host_);
+}
+
+const std::string& HostResolver::Host::GetScheme() const {
+  DCHECK(absl::holds_alternative<url::SchemeHostPort>(host_));
+  return absl::get<url::SchemeHostPort>(host_).scheme();
+}
+
+std::string HostResolver::Host::GetHostname() const {
+  if (absl::holds_alternative<url::SchemeHostPort>(host_)) {
+    return absl::get<url::SchemeHostPort>(host_).host();
+  } else {
+    DCHECK(absl::holds_alternative<HostPortPair>(host_));
+    return absl::get<HostPortPair>(host_).HostForURL();
+  }
+}
+
+base::StringPiece HostResolver::Host::GetHostnameWithoutBrackets() const {
+  if (absl::holds_alternative<url::SchemeHostPort>(host_)) {
+    base::StringPiece hostname = absl::get<url::SchemeHostPort>(host_).host();
+    if (hostname.size() > 2 && hostname.front() == '[' &&
+        hostname.back() == ']') {
+      return hostname.substr(1, hostname.size() - 2);
+    } else {
+      return hostname;
+    }
+  } else {
+    DCHECK(absl::holds_alternative<HostPortPair>(host_));
+    return absl::get<HostPortPair>(host_).host();
+  }
+}
+
+uint16_t HostResolver::Host::GetPort() const {
+  if (absl::holds_alternative<url::SchemeHostPort>(host_)) {
+    return absl::get<url::SchemeHostPort>(host_).port();
+  } else {
+    DCHECK(absl::holds_alternative<HostPortPair>(host_));
+    return absl::get<HostPortPair>(host_).port();
+  }
+}
+
+std::string HostResolver::Host::ToString() const {
+  if (absl::holds_alternative<url::SchemeHostPort>(host_)) {
+    return absl::get<url::SchemeHostPort>(host_).Serialize();
+  } else {
+    DCHECK(absl::holds_alternative<HostPortPair>(host_));
+    return absl::get<HostPortPair>(host_).ToString();
+  }
+}
+
+const url::SchemeHostPort& HostResolver::Host::AsSchemeHostPort() const {
+  const url::SchemeHostPort* scheme_host_port =
+      absl::get_if<url::SchemeHostPort>(&host_);
+  DCHECK(scheme_host_port);
+  return *scheme_host_port;
+}
+
 HostResolver::HttpsSvcbOptions::HttpsSvcbOptions() = default;
 
 HostResolver::HttpsSvcbOptions::HttpsSvcbOptions(
@@ -136,8 +217,6 @@ HostResolver::HttpsSvcbOptions HostResolver::HttpsSvcbOptions::FromDict(
   net::HostResolver::HttpsSvcbOptions options;
   options.enable =
       dict.FindBool(kUseDnsHttpsSvcbEnable).value_or(options.enable);
-  options.enable_insecure = dict.FindBool(kUseDnsHttpsSvcbEnableInsecure)
-                                .value_or(options.enable_insecure);
   GetTimeDeltaFromDictString(dict, kUseDnsHttpsSvcbInsecureExtraTimeMax,
                              &options.insecure_extra_time_max);
 
@@ -156,10 +235,6 @@ HostResolver::HttpsSvcbOptions HostResolver::HttpsSvcbOptions::FromDict(
   GetTimeDeltaFromDictString(dict, kUseDnsHttpsSvcbSecureExtraTimeMin,
                              &options.secure_extra_time_min);
 
-  GetTimeDeltaFromDictString(dict, kUseDnsHttpsSvcbExtraTimeAbsolute,
-                             &options.extra_time_absolute);
-  options.extra_time_percent = dict.FindInt(kUseDnsHttpsSvcbExtraTimePercent)
-                                   .value_or(options.extra_time_percent);
   return options;
 }
 
@@ -167,7 +242,6 @@ HostResolver::HttpsSvcbOptions HostResolver::HttpsSvcbOptions::FromDict(
 HostResolver::HttpsSvcbOptions HostResolver::HttpsSvcbOptions::FromFeatures() {
   net::HostResolver::HttpsSvcbOptions options;
   options.enable = base::FeatureList::IsEnabled(features::kUseDnsHttpsSvcb);
-  options.enable_insecure = features::kUseDnsHttpsSvcbEnableInsecure.Get();
   options.insecure_extra_time_max =
       features::kUseDnsHttpsSvcbInsecureExtraTimeMax.Get();
   options.insecure_extra_time_percent =
@@ -180,9 +254,6 @@ HostResolver::HttpsSvcbOptions HostResolver::HttpsSvcbOptions::FromFeatures() {
       features::kUseDnsHttpsSvcbSecureExtraTimePercent.Get();
   options.secure_extra_time_min =
       features::kUseDnsHttpsSvcbSecureExtraTimeMin.Get();
-  options.extra_time_absolute =
-      features::kUseDnsHttpsSvcbExtraTimeAbsolute.Get();
-  options.extra_time_percent = features::kUseDnsHttpsSvcbExtraTimePercent.Get();
   return options;
 }
 
@@ -200,9 +271,6 @@ HostResolver::ResolveHostRequest::GetExperimentalResultsForTesting() const {
   return nullptr;
 }
 
-const size_t HostResolver::ManagerOptions::kDefaultRetryAttempts =
-    static_cast<size_t>(-1);
-
 std::unique_ptr<HostResolver> HostResolver::Factory::CreateResolver(
     HostResolverManager* manager,
     base::StringPiece host_mapping_rules,
@@ -464,6 +532,16 @@ AddressList HostResolver::EndpointResultToAddressList(
   return list;
 }
 
+// static
+std::vector<IPEndPoint> HostResolver::GetNonProtocolEndpoints(
+    const std::vector<HostResolverEndpointResult>& endpoints) {
+  auto non_protocol_endpoint =
+      base::ranges::find_if(endpoints, &EndpointResultIsNonProtocol);
+  if (non_protocol_endpoint == endpoints.end())
+    return std::vector<IPEndPoint>();
+  return non_protocol_endpoint->ip_endpoints;
+}
+
 HostResolver::HostResolver() = default;
 
 // static
diff --git a/chromium/net/dns/host_resolver.h b/chromium/net/dns/host_resolver.h
index b349d2fca25..42068d196ff 100644
--- a/chromium/net/dns/host_resolver.h
+++ b/chromium/net/dns/host_resolver.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,19 +17,21 @@
 #include "net/base/address_family.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/host_port_pair.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_handle.h"
-#include "net/base/network_isolation_key.h"
 #include "net/base/request_priority.h"
 #include "net/dns/host_cache.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/host_resolver_system_task.h"
 #include "net/dns/public/dns_config_overrides.h"
 #include "net/dns/public/dns_query_type.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/host_resolver_source.h"
 #include "net/dns/public/mdns_listener_update_type.h"
 #include "net/dns/public/resolve_error_info.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/log/net_log_with_source.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
+#include "third_party/abseil-cpp/absl/types/variant.h"
 #include "url/scheme_host_port.h"
 
 namespace base {
@@ -56,7 +58,29 @@ class URLRequestContext;
 // See mock_host_resolver.h for test implementations.
 class NET_EXPORT HostResolver {
  public:
-  using Host = absl::variant<url::SchemeHostPort, HostPortPair>;
+  class NET_EXPORT Host {
+   public:
+    explicit Host(absl::variant<url::SchemeHostPort, HostPortPair> host);
+    ~Host();
+
+    Host(const Host&);
+    Host& operator=(const Host&);
+    Host(Host&&);
+    Host& operator=(Host&&);
+
+    bool HasScheme() const;
+    const std::string& GetScheme() const;
+    std::string GetHostname() const;  // With brackets for IPv6 literals.
+    base::StringPiece GetHostnameWithoutBrackets() const;
+    uint16_t GetPort() const;
+
+    std::string ToString() const;
+
+    const url::SchemeHostPort& AsSchemeHostPort() const;
+
+   private:
+    absl::variant<url::SchemeHostPort, HostPortPair> host_;
+  };
 
   // Handler for an individual host resolution request. Created by
   // HostResolver::CreateRequest().
@@ -186,15 +210,12 @@ class NET_EXPORT HostResolver {
     static HttpsSvcbOptions FromFeatures();
 
     bool enable = false;
-    bool enable_insecure = false;
     base::TimeDelta insecure_extra_time_max;
     int insecure_extra_time_percent = 0;
     base::TimeDelta insecure_extra_time_min;
     base::TimeDelta secure_extra_time_max;
     int secure_extra_time_percent = 0;
     base::TimeDelta secure_extra_time_min;
-    base::TimeDelta extra_time_absolute;
-    int extra_time_percent = 0;
   };
 
   // Parameter-grouping struct for additional optional parameters for creation
@@ -211,9 +232,6 @@ class NET_EXPORT HostResolver {
     // of concurrency.
     static const size_t kDefaultParallelism = 0;
 
-    // Set |max_system_retry_attempts| to this to select a default retry value.
-    static const size_t kDefaultRetryAttempts;
-
     // How many resolve requests will be allowed to run in parallel.
     // |kDefaultParallelism| for the resolver to choose a default value.
     size_t max_concurrent_resolves = kDefaultParallelism;
@@ -221,7 +239,8 @@ class NET_EXPORT HostResolver {
     // The maximum number of times to retry for host resolution if using the
     // system resolver. No effect when the system resolver is not used.
     // |kDefaultRetryAttempts| for the resolver to choose a default value.
-    size_t max_system_retry_attempts = kDefaultRetryAttempts;
+    size_t max_system_retry_attempts =
+        HostResolverSystemTask::Params::kDefaultRetryAttempts;
 
     // Initial setting for whether the insecure portion of the built-in
     // asynchronous DnsClient is enabled or disabled. See HostResolverManager::
@@ -396,7 +415,7 @@ class NET_EXPORT HostResolver {
   // defaults will be used if passed |nullptr|.
   virtual std::unique_ptr<ResolveHostRequest> CreateRequest(
       url::SchemeHostPort host,
-      NetworkIsolationKey network_isolation_key,
+      NetworkAnonymizationKey network_anonymization_key,
       NetLogWithSource net_log,
       absl::optional<ResolveHostParameters> optional_parameters) = 0;
 
@@ -404,7 +423,7 @@ class NET_EXPORT HostResolver {
   // TODO(crbug.com/1206799): Rename to discourage use when scheme is known.
   virtual std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const NetLogWithSource& net_log,
       const absl::optional<ResolveHostParameters>& optional_parameters) = 0;
 
@@ -500,6 +519,10 @@ class NET_EXPORT HostResolver {
       const std::vector<HostResolverEndpointResult>& endpoints,
       const std::set<std::string>& aliases);
 
+  // Utility to get the non protocol endpoints.
+  static std::vector<IPEndPoint> GetNonProtocolEndpoints(
+      const std::vector<HostResolverEndpointResult>& endpoints);
+
  protected:
   HostResolver();
 
diff --git a/chromium/net/dns/host_resolver_manager.cc b/chromium/net/dns/host_resolver_manager.cc
index 095269ce601..9db789cd87a 100644
--- a/chromium/net/dns/host_resolver_manager.cc
+++ b/chromium/net/dns/host_resolver_manager.cc
@@ -1,10 +1,9 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/dns/host_resolver_manager.h"
 
-#include <algorithm>
 #include <cmath>
 #include <iterator>
 #include <limits>
@@ -44,7 +43,6 @@
 #include "base/observer_list.h"
 #include "base/ranges/algorithm.h"
 #include "base/sequence_checker.h"
-#include "base/stl_util.h"
 #include "base/strings/strcat.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_piece.h"
@@ -59,6 +57,7 @@
 #include "base/time/default_tick_clock.h"
 #include "base/time/time.h"
 #include "base/trace_event/trace_event.h"
+#include "base/types/optional_util.h"
 #include "base/values.h"
 #include "build/build_config.h"
 #include "net/base/address_family.h"
@@ -69,8 +68,8 @@
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_interfaces.h"
-#include "net/base/network_isolation_key.h"
 #include "net/base/prioritized_dispatcher.h"
 #include "net/base/request_priority.h"
 #include "net/base/trace_constants.h"
@@ -78,7 +77,6 @@
 #include "net/dns/address_sorter.h"
 #include "net/dns/dns_alias_utility.h"
 #include "net/dns/dns_client.h"
-#include "net/dns/dns_reloader.h"
 #include "net/dns/dns_response.h"
 #include "net/dns/dns_response_result_extractor.h"
 #include "net/dns/dns_transaction.h"
@@ -86,12 +84,14 @@
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver_mdns_listener_impl.h"
 #include "net/dns/host_resolver_mdns_task.h"
+#include "net/dns/host_resolver_nat64_task.h"
 #include "net/dns/host_resolver_proc.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/host_resolver_system_task.h"
 #include "net/dns/httpssvc_metrics.h"
 #include "net/dns/mdns_client.h"
 #include "net/dns/public/dns_protocol.h"
 #include "net/dns/public/dns_query_type.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/resolve_error_info.h"
 #include "net/dns/public/secure_dns_mode.h"
 #include "net/dns/public/secure_dns_policy.h"
@@ -140,10 +140,10 @@ namespace {
 // some platform's resolvers.
 const size_t kMaxHostLength = 4096;
 
-// Default TTL for successful resolutions with ProcTask.
+// Default TTL for successful resolutions with HostResolverSystemTask.
 const unsigned kCacheEntryTTLSeconds = 60;
 
-// Default TTL for unsuccessful resolutions with ProcTask.
+// Default TTL for unsuccessful resolutions with HostResolverSystemTask.
 const unsigned kNegativeCacheEntryTTLSeconds = 0;
 
 // Minimum TTL for successful resolutions with DnsTask.
@@ -158,14 +158,6 @@ const uint8_t kIPv6ProbeAddress[] = {0x20, 0x01, 0x48, 0x60, 0x48, 0x60,
                                      0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                      0x00, 0x00, 0x88, 0x88};
 
-enum DnsResolveStatus {
-  RESOLVE_STATUS_DNS_SUCCESS = 0,
-  RESOLVE_STATUS_PROC_SUCCESS,
-  RESOLVE_STATUS_FAIL,
-  RESOLVE_STATUS_SUSPECT_NETBIOS,
-  RESOLVE_STATUS_MAX
-};
-
 // ICANN uses this localhost address to indicate a name collision.
 //
 // The policy in Chromium is to fail host resolving if it resolves to
@@ -217,15 +209,6 @@ bool ConfigureAsyncDnsNoFallbackFieldTrial() {
   return kDefault;
 }
 
-const base::FeatureParam<base::TaskPriority>::Option prio_modes[] = {
-    {base::TaskPriority::USER_VISIBLE, "default"},
-    {base::TaskPriority::USER_BLOCKING, "user_blocking"}};
-const base::Feature kSystemResolverPriorityExperiment = {
-    "SystemResolverPriorityExperiment", base::FEATURE_DISABLED_BY_DEFAULT};
-const base::FeatureParam<base::TaskPriority> priority_mode{
-    &kSystemResolverPriorityExperiment, "mode",
-    base::TaskPriority::USER_VISIBLE, &prio_modes};
-
 //-----------------------------------------------------------------------------
 
 // Returns true if it can determine that only loopback addresses are configured.
@@ -277,38 +260,6 @@ bool HaveOnlyLoopbackAddresses() {
 #endif  // defined(various platforms)
 }
 
-// Creates NetLog parameters when the resolve failed.
-base::Value NetLogProcTaskFailedParams(uint32_t attempt_number,
-                                       int net_error,
-                                       int os_error) {
-  base::Value::Dict dict;
-  if (attempt_number)
-    dict.Set("attempt_number", base::saturated_cast<int>(attempt_number));
-
-  dict.Set("net_error", net_error);
-
-  if (os_error) {
-    dict.Set("os_error", os_error);
-#if BUILDFLAG(IS_WIN)
-    // Map the error code to a human-readable string.
-    LPWSTR error_string = nullptr;
-    FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
-                  nullptr,  // Use the internal message table.
-                  os_error,
-                  0,  // Use default language.
-                  (LPWSTR)&error_string,
-                  0,         // Buffer size.
-                  nullptr);  // Arguments (unused).
-    dict.Set("os_error_string", base::WideToUTF8(error_string));
-    LocalFree(error_string);
-#elif BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
-    dict.Set("os_error_string", gai_strerror(os_error));
-#endif
-  }
-
-  return base::Value(std::move(dict));
-}
-
 // Creates NetLog parameters when the DnsTask failed.
 base::Value NetLogDnsTaskFailedParams(
     int net_error,
@@ -361,13 +312,13 @@ base::Value NetLogIPv6AvailableParams(bool ipv6_available, bool cached) {
 
 //-----------------------------------------------------------------------------
 
-// Maximum of 64 concurrent resolver threads (excluding retries).
+// Maximum of 64 concurrent resolver calls (excluding retries).
 // Between 2010 and 2020, the limit was set to 6 because of a report of a broken
 // home router that would fail in the presence of more simultaneous queries.
 // In 2020, we conducted an experiment to see if this kind of router was still
 // present on the Internet, and found no evidence of any remaining issues, so
 // we increased the limit to 64 at that time.
-const size_t kDefaultMaxProcTasks = 64u;
+const size_t kDefaultMaxSystemTasks = 64u;
 
 PrioritizedDispatcher::Limits GetDispatcherLimits(
     const HostResolver::ManagerOptions& options) {
@@ -379,7 +330,7 @@ PrioritizedDispatcher::Limits GetDispatcherLimits(
     return limits;
 
   // Default, without trial is no reserved slots.
-  limits.total_jobs = kDefaultMaxProcTasks;
+  limits.total_jobs = kDefaultMaxSystemTasks;
 
   // Parallelism is determined by the field trial.
   std::string group =
@@ -468,13 +419,6 @@ base::Value NetLogResults(const HostCache::Entry& results) {
   return base::Value(std::move(dict));
 }
 
-base::Value ToLogStringValue(const HostResolver::Host& host) {
-  if (absl::holds_alternative<url::SchemeHostPort>(host))
-    return base::Value(absl::get<url::SchemeHostPort>(host).Serialize());
-
-  return base::Value(absl::get<HostPortPair>(host).ToString());
-}
-
 base::Value ToLogStringValue(
     const absl::variant<url::SchemeHostPort, std::string>& host) {
   if (absl::holds_alternative<url::SchemeHostPort>(host)) {
@@ -493,19 +437,6 @@ base::StringPiece GetScheme(
   return base::StringPiece();
 }
 
-base::StringPiece GetHostname(const HostResolver::Host& host) {
-  if (absl::holds_alternative<url::SchemeHostPort>(host)) {
-    base::StringPiece hostname = absl::get<url::SchemeHostPort>(host).host();
-    if (hostname.size() >= 2 && hostname.front() == '[' &&
-        hostname.back() == ']') {
-      hostname = hostname.substr(1, hostname.size() - 2);
-    }
-    return hostname;
-  }
-
-  return absl::get<HostPortPair>(host).host();
-}
-
 base::StringPiece GetHostname(
     const absl::variant<url::SchemeHostPort, std::string>& host) {
   if (absl::holds_alternative<url::SchemeHostPort>(host)) {
@@ -520,14 +451,6 @@ base::StringPiece GetHostname(
   return absl::get<std::string>(host);
 }
 
-uint16_t GetPort(const HostResolver::Host& host) {
-  if (absl::holds_alternative<url::SchemeHostPort>(host)) {
-    return absl::get<url::SchemeHostPort>(host).port();
-  }
-
-  return absl::get<HostPortPair>(host).port();
-}
-
 // Only use scheme/port in JobKey if `https_svcb_options_enabled` is true
 // (or the query is explicitly for HTTPS). Otherwise DNS will not give different
 // results for the same hostname.
@@ -536,11 +459,11 @@ absl::variant<url::SchemeHostPort, std::string> CreateHostForJobKey(
     DnsQueryType query_type,
     bool https_svcb_options_enabled) {
   if ((https_svcb_options_enabled || query_type == DnsQueryType::HTTPS) &&
-      absl::holds_alternative<url::SchemeHostPort>(input)) {
-    return absl::get<url::SchemeHostPort>(input);
+      input.HasScheme()) {
+    return input.AsSchemeHostPort();
   }
 
-  return std::string(GetHostname(input));
+  return std::string(input.GetHostnameWithoutBrackets());
 }
 
 DnsResponse CreateFakeEmptyResponse(base::StringPiece hostname,
@@ -605,7 +528,7 @@ class HostResolverManager::RequestImpl
  public:
   RequestImpl(NetLogWithSource source_net_log,
               HostResolver::Host request_host,
-              NetworkIsolationKey network_isolation_key,
+              NetworkAnonymizationKey network_anonymization_key,
               absl::optional<ResolveHostParameters> optional_parameters,
               base::WeakPtr<ResolveContext> resolve_context,
               HostCache* host_cache,
@@ -613,11 +536,11 @@ class HostResolverManager::RequestImpl
               const base::TickClock* tick_clock)
       : source_net_log_(std::move(source_net_log)),
         request_host_(std::move(request_host)),
-        network_isolation_key_(
+        network_anonymization_key_(
             base::FeatureList::IsEnabled(
                 features::kSplitHostCacheByNetworkIsolationKey)
-                ? std::move(network_isolation_key)
-                : NetworkIsolationKey()),
+                ? std::move(network_anonymization_key)
+                : NetworkAnonymizationKey()),
         parameters_(optional_parameters ? std::move(optional_parameters).value()
                                         : ResolveHostParameters()),
         resolve_context_(std::move(resolve_context)),
@@ -668,13 +591,13 @@ class HostResolverManager::RequestImpl
 
   const AddressList* GetAddressResults() const override {
     DCHECK(complete_);
-    return base::OptionalOrNullptr(legacy_address_results_);
+    return base::OptionalToPtr(legacy_address_results_);
   }
 
   const std::vector<HostResolverEndpointResult>* GetEndpointResults()
       const override {
     DCHECK(complete_);
-    return base::OptionalOrNullptr(endpoint_results_);
+    return base::OptionalToPtr(endpoint_results_);
   }
 
   const absl::optional<std::vector<std::string>>& GetTextResults()
@@ -710,7 +633,7 @@ class HostResolverManager::RequestImpl
     }
 #endif  // DCHECK_IS_ON()
 
-    return base::OptionalOrNullptr(fixed_up_dns_alias_results_);
+    return base::OptionalToPtr(fixed_up_dns_alias_results_);
   }
 
   const std::vector<bool>* GetExperimentalResultsForTesting() const override {
@@ -781,8 +704,8 @@ class HostResolverManager::RequestImpl
 
   const HostResolver::Host& request_host() const { return request_host_; }
 
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
 
   const ResolveHostParameters& parameters() const { return parameters_; }
@@ -831,15 +754,15 @@ class HostResolverManager::RequestImpl
     source_net_log_.BeginEvent(
         NetLogEventType::HOST_RESOLVER_MANAGER_REQUEST, [this] {
           base::Value::Dict dict;
-          dict.Set("host", ToLogStringValue(request_host_));
+          dict.Set("host", request_host_.ToString());
           dict.Set("dns_query_type",
                    base::strict_cast<int>(parameters_.dns_query_type));
           dict.Set("allow_cached_response",
                    parameters_.cache_usage !=
                        ResolveHostParameters::CacheUsage::DISALLOWED);
           dict.Set("is_speculative", parameters_.is_speculative);
-          dict.Set("network_isolation_key",
-                   network_isolation_key_.ToDebugString());
+          dict.Set("network_anonymization_key",
+                   network_anonymization_key_.ToDebugString());
           dict.Set("secure_dns_policy",
                    base::strict_cast<int>(parameters_.secure_dns_policy));
           return base::Value(std::move(dict));
@@ -871,7 +794,7 @@ class HostResolverManager::RequestImpl
   const NetLogWithSource source_net_log_;
 
   const HostResolver::Host request_host_;
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
   ResolveHostParameters parameters_;
   base::WeakPtr<ResolveContext> resolve_context_;
   const raw_ptr<HostCache> host_cache_;
@@ -971,236 +894,6 @@ class HostResolverManager::ProbeRequestImpl
   base::WeakPtrFactory<ProbeRequestImpl> weak_ptr_factory_{this};
 };
 
-//------------------------------------------------------------------------------
-
-// Calls HostResolverProc in ThreadPool. Performs retries if necessary.
-//
-// In non-test code, the HostResolverProc is always SystemHostResolverProc,
-// which calls a platform API that implements host resolution.
-//
-// Whenever we try to resolve the host, we post a delayed task to check if host
-// resolution (OnLookupComplete) is completed or not. If the original attempt
-// hasn't completed, then we start another attempt for host resolution. We take
-// the results from the first attempt that finishes and ignore the results from
-// all other attempts.
-//
-// TODO(szym): Move to separate source file for testing and mocking.
-//
-class HostResolverManager::ProcTask {
- public:
-  typedef base::OnceCallback<void(int net_error, const AddressList& addr_list)>
-      Callback;
-
-  ProcTask(std::string hostname,
-           AddressFamily address_family,
-           HostResolverFlags flags,
-           const ProcTaskParams& params,
-           Callback callback,
-           scoped_refptr<base::TaskRunner> proc_task_runner,
-           const NetLogWithSource& job_net_log,
-           const base::TickClock* tick_clock,
-           handles::NetworkHandle network)
-      : hostname_(std::move(hostname)),
-        address_family_(address_family),
-        flags_(flags),
-        params_(params),
-        callback_(std::move(callback)),
-        network_task_runner_(base::ThreadTaskRunnerHandle::Get()),
-        proc_task_runner_(std::move(proc_task_runner)),
-        net_log_(job_net_log),
-        tick_clock_(tick_clock),
-        network_(network) {
-    DCHECK(callback_);
-    if (!params_.resolver_proc.get())
-      params_.resolver_proc = HostResolverProc::GetDefault();
-    // If default is unset, use the system proc.
-    if (!params_.resolver_proc.get())
-      params_.resolver_proc = base::MakeRefCounted<SystemHostResolverProc>();
-  }
-
-  ProcTask(const ProcTask&) = delete;
-  ProcTask& operator=(const ProcTask&) = delete;
-
-  // Cancels this ProcTask. Any outstanding resolve attempts running on worker
-  // thread will continue running, but they will post back to the network thread
-  // before checking their WeakPtrs to find that this task is cancelled.
-  ~ProcTask() {
-    DCHECK(network_task_runner_->BelongsToCurrentThread());
-
-    // If this is cancellation, log the EndEvent (otherwise this was logged in
-    // OnLookupComplete()).
-    if (!was_completed())
-      net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_MANAGER_PROC_TASK);
-  }
-
-  void Start() {
-    DCHECK(network_task_runner_->BelongsToCurrentThread());
-    DCHECK(!was_completed());
-    net_log_.BeginEvent(NetLogEventType::HOST_RESOLVER_MANAGER_PROC_TASK);
-    StartLookupAttempt();
-  }
-
-  bool was_completed() const {
-    DCHECK(network_task_runner_->BelongsToCurrentThread());
-    return callback_.is_null();
-  }
-
- private:
-  using AttemptCompletionCallback = base::OnceCallback<
-      void(const AddressList& results, int error, const int os_error)>;
-
-  void StartLookupAttempt() {
-    DCHECK(network_task_runner_->BelongsToCurrentThread());
-    DCHECK(!was_completed());
-    base::TimeTicks start_time = tick_clock_->NowTicks();
-    ++attempt_number_;
-    // Dispatch the lookup attempt to a worker thread.
-    AttemptCompletionCallback completion_callback = base::BindOnce(
-        &ProcTask::OnLookupAttemptComplete, weak_ptr_factory_.GetWeakPtr(),
-        start_time, attempt_number_, tick_clock_);
-    proc_task_runner_->PostTask(
-        FROM_HERE,
-        base::BindOnce(&ProcTask::DoLookup, hostname_, address_family_, flags_,
-                       params_.resolver_proc, network_task_runner_,
-                       std::move(completion_callback), network_));
-
-    net_log_.AddEventWithIntParams(
-        NetLogEventType::HOST_RESOLVER_MANAGER_ATTEMPT_STARTED,
-        "attempt_number", attempt_number_);
-
-    // If the results aren't received within a given time, RetryIfNotComplete
-    // will start a new attempt if none of the outstanding attempts have
-    // completed yet.
-    // Use a WeakPtr to avoid keeping the ProcTask alive after completion or
-    // cancellation.
-    if (attempt_number_ <= params_.max_retry_attempts) {
-      network_task_runner_->PostDelayedTask(
-          FROM_HERE,
-          base::BindOnce(&ProcTask::StartLookupAttempt,
-                         weak_ptr_factory_.GetWeakPtr()),
-          params_.unresponsive_delay *
-              std::pow(params_.retry_factor, attempt_number_ - 1));
-    }
-  }
-
-  // WARNING: This code runs in ThreadPool with CONTINUE_ON_SHUTDOWN. The
-  // shutdown code cannot wait for it to finish, so this code must be very
-  // careful about using other objects (like MessageLoops, Singletons, etc).
-  // During shutdown these objects may no longer exist.
-  static void DoLookup(
-      std::string hostname,
-      AddressFamily address_family,
-      HostResolverFlags flags,
-      scoped_refptr<HostResolverProc> resolver_proc,
-      scoped_refptr<base::SingleThreadTaskRunner> network_task_runner,
-      AttemptCompletionCallback completion_callback,
-      handles::NetworkHandle network) {
-    AddressList results;
-    int os_error = 0;
-    int error = resolver_proc->Resolve(hostname, address_family, flags,
-                                       &results, &os_error, network);
-
-    network_task_runner->PostTask(
-        FROM_HERE, base::BindOnce(std::move(completion_callback), results,
-                                  error, os_error));
-  }
-
-  // Callback for when DoLookup() completes (runs on task runner thread). Now
-  // that we're back in the network thread, checks that |proc_task| is still
-  // valid, and if so, passes back to the object.
-  static void OnLookupAttemptComplete(base::WeakPtr<ProcTask> proc_task,
-                                      const base::TimeTicks& start_time,
-                                      const uint32_t attempt_number,
-                                      const base::TickClock* tick_clock,
-                                      const AddressList& results,
-                                      int error,
-                                      const int os_error) {
-    TRACE_EVENT0(NetTracingCategory(), "ProcTask::OnLookupComplete");
-
-    // If results are empty, we should return an error.
-    bool empty_list_on_ok = (error == OK && results.empty());
-    if (empty_list_on_ok)
-      error = ERR_NAME_NOT_RESOLVED;
-
-    // Ideally the following code would be part of host_resolver_proc.cc,
-    // however it isn't safe to call NetworkChangeNotifier from worker threads.
-    // So do it here on the IO thread instead.
-    if (error != OK && NetworkChangeNotifier::IsOffline())
-      error = ERR_INTERNET_DISCONNECTED;
-
-    if (!proc_task)
-      return;
-
-    proc_task->OnLookupComplete(results, start_time, attempt_number, error,
-                                os_error);
-  }
-
-  void OnLookupComplete(const AddressList& results,
-                        const base::TimeTicks& start_time,
-                        const uint32_t attempt_number,
-                        int error,
-                        const int os_error) {
-    DCHECK(network_task_runner_->BelongsToCurrentThread());
-    DCHECK(!was_completed());
-
-    // Invalidate WeakPtrs to cancel handling of all outstanding lookup attempts
-    // and retries.
-    weak_ptr_factory_.InvalidateWeakPtrs();
-
-    if (error != OK) {
-      net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_MANAGER_PROC_TASK, [&] {
-        return NetLogProcTaskFailedParams(0, error, os_error);
-      });
-      net_log_.AddEvent(
-          NetLogEventType::HOST_RESOLVER_MANAGER_ATTEMPT_FINISHED, [&] {
-            return NetLogProcTaskFailedParams(attempt_number, error, os_error);
-          });
-    } else {
-      net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_MANAGER_PROC_TASK,
-                        [&] { return results.NetLogParams(); });
-      net_log_.AddEventWithIntParams(
-          NetLogEventType::HOST_RESOLVER_MANAGER_ATTEMPT_FINISHED,
-          "attempt_number", attempt_number);
-    }
-
-    std::move(callback_).Run(error, results);
-  }
-
-  const std::string hostname_;
-  const AddressFamily address_family_;
-  const HostResolverFlags flags_;
-
-  // Holds an owning reference to the HostResolverProc that we are going to use.
-  // This may not be the current resolver procedure by the time we call
-  // ResolveAddrInfo, but that's OK... we'll use it anyways, and the owning
-  // reference ensures that it remains valid until we are done.
-  ProcTaskParams params_;
-
-  // The listener to the results of this ProcTask.
-  Callback callback_;
-
-  // Used to post events onto the network thread.
-  scoped_refptr<base::SingleThreadTaskRunner> network_task_runner_;
-  // Used to post blocking HostResolverProc tasks.
-  scoped_refptr<base::TaskRunner> proc_task_runner_;
-
-  // Keeps track of the number of attempts we have made so far to resolve the
-  // host. Whenever we start an attempt to resolve the host, we increase this
-  // number.
-  uint32_t attempt_number_ = 0;
-
-  NetLogWithSource net_log_;
-
-  raw_ptr<const base::TickClock> tick_clock_;
-  // Network to perform DNS lookups for.
-  handles::NetworkHandle network_;
-
-  // Used to loop back from the blocking lookup attempt tasks as well as from
-  // delayed retry tasks. Invalidate WeakPtrs on completion and cancellation to
-  // cancel handling of such posted tasks.
-  base::WeakPtrFactory<ProcTask> weak_ptr_factory_{this};
-};
-
 //-----------------------------------------------------------------------------
 
 // Resolves the hostname using DnsTransaction, which is a full implementation of
@@ -1389,31 +1082,13 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
       return types;
 
     if (types.Has(DnsQueryType::HTTPS)) {
-      if (!secure_ && (!https_svcb_options_.enable_insecure ||
-                       !client_->CanQueryAdditionalTypesViaInsecureDns())) {
+      if (!secure_ && !client_->CanQueryAdditionalTypesViaInsecureDns()) {
         types.Remove(DnsQueryType::HTTPS);
       } else {
         DCHECK(!httpssvc_metrics_);
-        httpssvc_metrics_.emplace(secure_, /*expect_intact=*/false);
-      }
-    }
-
-    if (types.Has(DnsQueryType::INTEGRITY) ||
-        types.Has(DnsQueryType::HTTPS_EXPERIMENTAL)) {
-      if (!secure_ && (!features::kDnsHttpssvcEnableQueryOverInsecure.Get() ||
-                       !client_->CanQueryAdditionalTypesViaInsecureDns())) {
-        types.RemoveAll(
-            {DnsQueryType::INTEGRITY, DnsQueryType::HTTPS_EXPERIMENTAL});
-      } else {
-        DCHECK(!httpssvc_metrics_)
-            << "Caller requested multiple experimental types";
-        httpssvc_metrics_.emplace(
-            secure_,
-            /*expect_intact=*/httpssvc_domain_cache_.IsExperimental(
-                GetHostname(host_)));
+        httpssvc_metrics_.emplace(secure_);
       }
     }
-
     DCHECK(!types.Empty());
     return types;
   }
@@ -1438,9 +1113,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
       }
     }
     for (DnsQueryType remaining_query : query_types) {
-      if (remaining_query == DnsQueryType::HTTPS ||
-          remaining_query == DnsQueryType::HTTPS_EXPERIMENTAL ||
-          remaining_query == DnsQueryType::INTEGRITY) {
+      if (remaining_query == DnsQueryType::HTTPS) {
         // Ignore errors for these types. In most cases treating them normally
         // would only result in fallback to resolution without querying the
         // type. Instead, synthesize empty results.
@@ -1495,17 +1168,9 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
       base::TimeDelta elapsed_time = tick_clock_->NowTicks() - task_start_time_;
 
       switch (transaction.type) {
-        case DnsQueryType::INTEGRITY:
-          DCHECK(httpssvc_metrics_);
-          httpssvc_metrics_->SaveForIntegrity(HttpssvcDnsRcode::kTimedOut,
-                                              /*condensed_records=*/{},
-                                              elapsed_time);
-          break;
         case DnsQueryType::HTTPS:
           DCHECK(!secure_ ||
                  !features::kUseDnsHttpsSvcbEnforceSecureResponse.Get());
-          [[fallthrough]];
-        case DnsQueryType::HTTPS_EXPERIMENTAL:
           if (httpssvc_metrics_) {
             // Don't record provider ID for timeouts. It is not precisely known
             // at this level which provider is actually to blame for the
@@ -1628,16 +1293,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     }
 
     if (httpssvc_metrics_) {
-      if (transaction_info.type == DnsQueryType::INTEGRITY) {
-        const std::vector<bool>* experimental_results =
-            results.https_record_compatibility();
-        CHECK(experimental_results);
-        // INTEGRITY queries can time out the normal way (here), or when the
-        // experimental query timer runs out (OnExperimentalQueryTimeout).
-        httpssvc_metrics_->SaveForIntegrity(
-            rcode_for_httpssvc, *experimental_results, elapsed_time);
-      } else if (transaction_info.type == DnsQueryType::HTTPS ||
-                 transaction_info.type == DnsQueryType::HTTPS_EXPERIMENTAL) {
+      if (transaction_info.type == DnsQueryType::HTTPS) {
         const std::vector<bool>* record_compatibility =
             results.https_record_compatibility();
         CHECK(record_compatibility);
@@ -1685,9 +1341,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
           results = HostCache::Entry::MergeEntries(
               std::move(results), std::move(saved_results_).value());
           break;
-        case DnsQueryType::INTEGRITY:
         case DnsQueryType::HTTPS:
-        case DnsQueryType::HTTPS_EXPERIMENTAL:
           // No particular importance to order.
           results = HostCache::Entry::MergeEntries(
               std::move(results), std::move(saved_results_).value());
@@ -1865,7 +1519,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
 
     net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_MANAGER_DNS_TASK, [&] {
       return NetLogDnsTaskFailedParams(net_error, failed_transaction_type, ttl,
-                                       base::OptionalOrNullptr(saved_results_));
+                                       base::OptionalToPtr(saved_results_));
     });
 
     // Expect this to result in destroying `this` and thus cancelling any
@@ -1935,12 +1589,6 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
         timeout_min = https_svcb_options_.insecure_extra_time_min;
       }
 
-      if (timeout_max.is_zero() && extra_time_percent == 0 &&
-          timeout_min.is_zero()) {
-        timeout_max = https_svcb_options_.extra_time_absolute;
-        extra_time_percent = https_svcb_options_.extra_time_percent;
-      }
-
       // Skip timeout for secure requests if the timeout would be a fatal
       // failure.
       if (secure_ && features::kUseDnsHttpsSvcbEnforceSecureResponse.Get()) {
@@ -1948,12 +1596,6 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
         extra_time_percent = 0;
         timeout_min = base::TimeDelta();
       }
-    } else if (AnyOfTypeTransactionsRemain(
-                   {DnsQueryType::INTEGRITY,
-                    DnsQueryType::HTTPS_EXPERIMENTAL})) {
-      DCHECK(base::FeatureList::IsEnabled(features::kDnsHttpssvc));
-      timeout_max = features::dns_httpssvc_experiment::GetExtraTimeAbsolute();
-      extra_time_percent = features::kDnsHttpssvcExtraTimePercent.Get();
     } else {
       // Unhandled supplemental type.
       NOTREACHED();
@@ -1985,38 +1627,13 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
   }
 
   bool ShouldTriggerHttpToHttpsUpgrade(const HostCache::Entry& results) {
-    // These values are logged to UMA. Entries should not be renumbered and
-    // numeric values should never be reused. Please keep in sync with
-    // "DNS.HttpUpgradeResult" in src/tools/metrics/histograms/enums.xml.
-    enum class UpgradeResult {
-      kUpgradeTriggered = 0,
-      kNoHttpsRecord = 1,
-      kHttpsScheme = 2,
-      kOtherScheme = 3,
-      kUpgradeDisabled = 4,
-      kMaxValue = kUpgradeDisabled
-    } upgrade_result;
-
-    if (!results.https_record_compatibility() ||
-        base::ranges::none_of(*results.https_record_compatibility(),
-                              base::identity())) {
-      upgrade_result = UpgradeResult::kNoHttpsRecord;
-    } else if (GetScheme(host_) == url::kHttpsScheme ||
-               GetScheme(host_) == url::kWssScheme) {
-      upgrade_result = UpgradeResult::kHttpsScheme;
-    } else if (GetScheme(host_) != url::kHttpScheme &&
-               GetScheme(host_) != url::kWsScheme) {
-      // This is an unusual case because HTTPS would normally not be requested
-      // if the scheme is not http(s):// or ws(s)://.
-      upgrade_result = UpgradeResult::kOtherScheme;
-    } else if (!features::kUseDnsHttpsSvcbHttpUpgrade.Get()) {
-      upgrade_result = UpgradeResult::kUpgradeDisabled;
-    } else {
-      upgrade_result = UpgradeResult::kUpgradeTriggered;
-    }
-
-    UMA_HISTOGRAM_ENUMERATION("Net.DNS.DnsTask.HttpUpgrade", upgrade_result);
-    return upgrade_result == UpgradeResult::kUpgradeTriggered;
+    // Upgrade if at least one HTTPS record was compatible, and the host uses an
+    // upgradable scheme.
+    return results.https_record_compatibility() &&
+           base::ranges::any_of(*results.https_record_compatibility(),
+                                base::identity()) &&
+           (GetScheme(host_) == url::kHttpScheme ||
+            GetScheme(host_) == url::kWsScheme);
   }
 
   // Only keep metadata results (from HTTPS records) for appropriate schemes.
@@ -2062,7 +1679,6 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
   raw_ptr<const base::TickClock> tick_clock_;
   base::TimeTicks task_start_time_;
 
-  HttpssvcExperimentDomainCache httpssvc_domain_cache_;
   absl::optional<HttpssvcMetrics> httpssvc_metrics_;
 
   // Timer for task timeout. Generally started after completion of address
@@ -2086,11 +1702,11 @@ struct HostResolverManager::JobKey {
   bool operator<(const JobKey& other) const {
     return std::forward_as_tuple(query_types.ToEnumBitmask(), flags, source,
                                  secure_dns_mode, &*resolve_context, host,
-                                 network_isolation_key) <
+                                 network_anonymization_key) <
            std::forward_as_tuple(other.query_types.ToEnumBitmask(), other.flags,
                                  other.source, other.secure_dns_mode,
                                  &*other.resolve_context, other.host,
-                                 other.network_isolation_key);
+                                 other.network_anonymization_key);
   }
 
   bool operator==(const JobKey& other) const {
@@ -2098,7 +1714,7 @@ struct HostResolverManager::JobKey {
   }
 
   absl::variant<url::SchemeHostPort, std::string> host;
-  NetworkIsolationKey network_isolation_key;
+  NetworkAnonymizationKey network_anonymization_key;
   DnsQueryTypeSet query_types;
   HostResolverFlags flags;
   HostResolverSource source;
@@ -2113,16 +1729,14 @@ struct HostResolverManager::JobKey {
       // is why the following DCHECK restricts the allowable query types.
       DCHECK(Difference(query_types,
                         DnsQueryTypeSet(DnsQueryType::A, DnsQueryType::AAAA,
-                                        DnsQueryType::HTTPS,
-                                        DnsQueryType::HTTPS_EXPERIMENTAL,
-                                        DnsQueryType::INTEGRITY))
+                                        DnsQueryType::HTTPS))
                  .Empty());
     }
     const DnsQueryType query_type_for_key = query_types.Size() == 1
                                                 ? *query_types.begin()
                                                 : DnsQueryType::UNSPECIFIED;
     HostCache::Key key(host, query_type_for_key, flags, source,
-                       network_isolation_key);
+                       network_anonymization_key);
     key.secure = secure;
     return key;
   }
@@ -2145,7 +1759,6 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       HostCache* host_cache,
       std::deque<TaskType> tasks,
       RequestPriority priority,
-      scoped_refptr<base::TaskRunner> proc_task_runner,
       const NetLogWithSource& source_net_log,
       const base::TickClock* tick_clock,
       const HostResolver::HttpsSvcbOptions& https_svcb_options)
@@ -2155,7 +1768,6 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
         host_cache_(host_cache),
         tasks_(tasks),
         priority_tracker_(priority),
-        proc_task_runner_(std::move(proc_task_runner)),
         tick_clock_(tick_clock),
         https_svcb_options_(https_svcb_options),
         net_log_(
@@ -2220,7 +1832,8 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     DCHECK_EQ(host_cache_, request->host_cache());
     // TODO(crbug.com/1206799): Check equality of whole host once Jobs are
     // separated by scheme/port.
-    DCHECK_EQ(GetHostname(key_.host), GetHostname(request->request_host()));
+    DCHECK_EQ(GetHostname(key_.host),
+              request->request_host().GetHostnameWithoutBrackets());
 
     request->AssignJob(weak_ptr_factory_.GetSafeRef());
 
@@ -2246,7 +1859,8 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   void ChangeRequestPriority(RequestImpl* req, RequestPriority priority) {
     // TODO(crbug.com/1206799): Check equality of whole host once Jobs are
     // separated by scheme/port.
-    DCHECK_EQ(GetHostname(key_.host), GetHostname(req->request_host()));
+    DCHECK_EQ(GetHostname(key_.host),
+              req->request_host().GetHostnameWithoutBrackets());
 
     priority_tracker_.Remove(req->priority());
     req->set_priority(priority);
@@ -2259,7 +1873,8 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   void CancelRequest(RequestImpl* request) {
     // TODO(crbug.com/1206799): Check equality of whole host once Jobs are
     // separated by scheme/port.
-    DCHECK_EQ(GetHostname(key_.host), GetHostname(request->request_host()));
+    DCHECK_EQ(GetHostname(key_.host),
+              request->request_host().GetHostnameWithoutBrackets());
     DCHECK(!requests_.empty());
 
     priority_tracker_.Remove(request->priority());
@@ -2297,14 +1912,13 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
                           weak_ptr_factory_.GetWeakPtr(), error, fallback_only);
   }
 
-  // Aborts or removes any current/future insecure DnsTasks if a ProcTask is
-  // available for fallback. If no fallback is available and |fallback_only| is
-  // false, a job that is currently running an insecure DnsTask will be
-  // completed with |error|.
+  // Aborts or removes any current/future insecure DnsTasks if a
+  // HostResolverSystemTask is available for fallback. If no fallback is
+  // available and |fallback_only| is false, a job that is currently running an
+  // insecure DnsTask will be completed with |error|.
   void AbortInsecureDnsTask(int error, bool fallback_only) {
-    bool has_proc_fallback =
-        std::find(tasks_.begin(), tasks_.end(), TaskType::PROC) != tasks_.end();
-    if (has_proc_fallback) {
+    bool has_system_fallback = base::Contains(tasks_, TaskType::SYSTEM);
+    if (has_system_fallback) {
       for (auto it = tasks_.begin(); it != tasks_.end();) {
         if (*it == TaskType::DNS)
           it = tasks_.erase(it);
@@ -2314,7 +1928,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     }
 
     if (dns_task_ && !dns_task_->secure()) {
-      if (has_proc_fallback) {
+      if (has_system_fallback) {
         KillDnsTask();
         dns_task_error_ = OK;
         RunNextTask();
@@ -2400,9 +2014,10 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
 
     TaskType next_task = tasks_.front();
 
-    // Schedule insecure DnsTasks and ProcTasks with the dispatcher.
+    // Schedule insecure DnsTasks and HostResolverSystemTasks with the
+    // dispatcher.
     if (!dispatched_ &&
-        (next_task == TaskType::DNS || next_task == TaskType::PROC ||
+        (next_task == TaskType::DNS || next_task == TaskType::SYSTEM ||
          next_task == TaskType::MDNS)) {
       dispatched_ = true;
       job_running_ = false;
@@ -2427,8 +2042,8 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     job_running_ = true;
 
     switch (next_task) {
-      case TaskType::PROC:
-        StartProcTask();
+      case TaskType::SYSTEM:
+        StartSystemTask();
         break;
       case TaskType::DNS:
         StartDnsTask(false /* secure */);
@@ -2442,6 +2057,9 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       case TaskType::INSECURE_CACHE_LOOKUP:
         InsecureCacheLookup();
         break;
+      case TaskType::NAT64:
+        StartNat64Task();
+        break;
       case TaskType::SECURE_CACHE_LOOKUP:
       case TaskType::CACHE_LOOKUP:
       case TaskType::CONFIG_PRESET:
@@ -2472,15 +2090,15 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       query_types_list.Append(kDnsQueryTypes.at(query_type));
     dict.Set("dns_query_types", std::move(query_types_list));
     dict.Set("secure_dns_mode", base::strict_cast<int>(key_.secure_dns_mode));
-    dict.Set("network_isolation_key",
-             key_.network_isolation_key.ToDebugString());
+    dict.Set("network_anonymization_key",
+             key_.network_anonymization_key.ToDebugString());
     return base::Value(std::move(dict));
   }
 
   void Finish() {
     if (is_running()) {
       // Clean up but don't run any callbacks.
-      proc_task_ = nullptr;
+      system_task_ = nullptr;
       KillDnsTask();
       mdns_task_ = nullptr;
       job_running_ = false;
@@ -2568,33 +2186,40 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   // the limits on |dispatcher_|. But in order to keep the number of
   // ThreadPool threads low, we will need to use an "inner"
   // PrioritizedDispatcher with tighter limits.
-  void StartProcTask() {
+  void StartSystemTask() {
     DCHECK(dispatched_);
     DCHECK_EQ(1, num_occupied_job_slots_);
     DCHECK(HasAddressType(key_.query_types));
 
-    proc_task_ = std::make_unique<ProcTask>(
+    system_task_ = HostResolverSystemTask::Create(
         std::string(GetHostname(key_.host)),
         HostResolver::DnsQueryTypeSetToAddressFamily(key_.query_types),
-        key_.flags, resolver_->proc_params_,
-        base::BindOnce(&Job::OnProcTaskComplete, base::Unretained(this),
-                       tick_clock_->NowTicks()),
-        proc_task_runner_, net_log_, tick_clock_, key_.GetTargetNetwork());
+        key_.flags, resolver_->host_resolver_system_params_, net_log_,
+        key_.GetTargetNetwork());
 
     // Start() could be called from within Resolve(), hence it must NOT directly
-    // call OnProcTaskComplete, for example, on synchronous failure.
-    proc_task_->Start();
+    // call OnSystemTaskComplete, for example, on synchronous failure.
+    system_task_->Start(base::BindOnce(&Job::OnSystemTaskComplete,
+                                       base::Unretained(this),
+                                       tick_clock_->NowTicks()));
   }
 
-  // Called by ProcTask when it completes.
-  void OnProcTaskComplete(base::TimeTicks start_time,
-                          int net_error,
-                          const AddressList& addr_list) {
-    DCHECK(proc_task_);
+  // Called by HostResolverSystemTask when it completes.
+  void OnSystemTaskComplete(base::TimeTicks start_time,
+                            const AddressList& addr_list,
+                            int /*os_error*/,
+                            int net_error) {
+    DCHECK(system_task_);
+
+    base::TimeDelta duration = tick_clock_->NowTicks() - start_time;
+    if (net_error == OK)
+      UMA_HISTOGRAM_LONG_TIMES_100("Net.DNS.SystemTask.SuccessTime", duration);
+    else
+      UMA_HISTOGRAM_LONG_TIMES_100("Net.DNS.SystemTask.FailureTime", duration);
 
     if (dns_task_error_ != OK && net_error == OK) {
-      // This ProcTask was a fallback resolution after a failed insecure
-      // DnsTask.
+      // This HostResolverSystemTask was a fallback resolution after a failed
+      // insecure DnsTask.
       resolver_->OnFallbackResolve(dns_task_error_);
     }
 
@@ -2843,6 +2468,23 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     CompleteRequestsWithError(rv);
   }
 
+  void StartNat64Task() {
+    DCHECK(!nat64_task_);
+    RequestImpl* req = requests_.head()->value();
+    nat64_task_ = std::make_unique<HostResolverNat64Task>(
+        std::string{GetHostname(key_.host)}, req->network_anonymization_key(),
+        req->source_net_log(), req->resolve_context(), req->host_cache(),
+        resolver_);
+    nat64_task_->Start(base::BindOnce(&Job::OnNat64TaskComplete,
+                                      weak_ptr_factory_.GetWeakPtr()));
+  }
+
+  void OnNat64TaskComplete() {
+    DCHECK(nat64_task_);
+    HostCache::Entry results = nat64_task_->GetResults();
+    CompleteRequestsWithoutCache(results, absl::nullopt /* stale_info */);
+  }
+
   void RecordJobHistograms(int error) {
     // Used in UMA_HISTOGRAM_ENUMERATION. Do not renumber entries or reuse
     // deprecated values.
@@ -2954,7 +2596,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
 
       if (results.error() == OK && !req->parameters().is_speculative) {
         req->set_results(
-            results.CopyWithDefaultPort(GetPort(req->request_host())));
+            results.CopyWithDefaultPort(req->request_host().GetPort()));
       }
       req->OnJobCompleted(
           key_, results.error(),
@@ -3029,9 +2671,6 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   // Tracks the highest priority across |requests_|.
   PriorityTracker priority_tracker_;
 
-  // Task runner used for HostResolverProc.
-  scoped_refptr<base::TaskRunner> proc_task_runner_;
-
   bool had_non_speculative_request_ = false;
 
   // Number of slots occupied by this Job in |dispatcher_|. Should be 0 when
@@ -3051,8 +2690,9 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
 
   NetLogWithSource net_log_;
 
-  // Resolves the host using a HostResolverProc.
-  std::unique_ptr<ProcTask> proc_task_;
+  // Resolves the host using the system DNS resolver, which can be overridden
+  // for tests.
+  std::unique_ptr<HostResolverSystemTask> system_task_;
 
   // Resolves the host using a DnsTransaction.
   std::unique_ptr<DnsTask> dns_task_;
@@ -3060,6 +2700,9 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   // Resolves the host using MDnsClient.
   std::unique_ptr<HostResolverMdnsTask> mdns_task_;
 
+  // Perform NAT64 address synthesis to a given IPv4 literal.
+  std::unique_ptr<HostResolverNat64Task> nat64_task_;
+
   // All Requests waiting for the result of this Job. Some can be canceled.
   base::LinkedList<RequestImpl> requests_;
 
@@ -3092,7 +2735,7 @@ HostResolverManager::HostResolverManager(
     SystemDnsConfigChangeNotifier* system_dns_config_notifier,
     handles::NetworkHandle target_network,
     NetLog* net_log)
-    : proc_params_(nullptr, options.max_system_retry_attempts),
+    : host_resolver_system_params_(nullptr, options.max_system_retry_attempts),
       net_log_(net_log),
       system_dns_config_notifier_(system_dns_config_notifier),
       target_network_(target_network),
@@ -3108,10 +2751,6 @@ HostResolverManager::HostResolverManager(
 
   DCHECK_GE(dispatcher_->num_priorities(), static_cast<size_t>(NUM_PRIORITIES));
 
-  proc_task_runner_ = base::ThreadPool::CreateTaskRunner(
-      {base::MayBlock(), priority_mode.Get(),
-       base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN});
-
 #if BUILDFLAG(IS_WIN)
   EnsureWinsockInit();
 #endif
@@ -3126,10 +2765,7 @@ HostResolverManager::HostResolverManager(
   }
   if (system_dns_config_notifier_)
     system_dns_config_notifier_->AddObserver(this);
-#if BUILDFLAG(IS_POSIX) && !BUILDFLAG(IS_APPLE) && !BUILDFLAG(IS_OPENBSD) && \
-    !BUILDFLAG(IS_ANDROID)
-  EnsureDnsReloaderInit();
-#endif
+  EnsureSystemHostResolverCallReady();
 
   auto connection_type =
       IsBoundToNetwork()
@@ -3147,7 +2783,7 @@ HostResolverManager::HostResolverManager(
   DCHECK(options.dns_config_overrides == DnsConfigOverrides());
 #endif
 
-  allow_fallback_to_proctask_ = !ConfigureAsyncDnsNoFallbackFieldTrial();
+  allow_fallback_to_systemtask_ = !ConfigureAsyncDnsNoFallbackFieldTrial();
 }
 
 HostResolverManager::~HostResolverManager() {
@@ -3185,8 +2821,22 @@ HostResolverManager::CreateNetworkBoundHostResolverManager(
 
 std::unique_ptr<HostResolver::ResolveHostRequest>
 HostResolverManager::CreateRequest(
+    absl::variant<url::SchemeHostPort, HostPortPair> host,
+    NetworkAnonymizationKey network_anonymization_key,
+    NetLogWithSource net_log,
+    absl::optional<ResolveHostParameters> optional_parameters,
+    ResolveContext* resolve_context,
+    HostCache* host_cache) {
+  return CreateRequest(HostResolver::Host(std::move(host)),
+                       std::move(network_anonymization_key), std::move(net_log),
+                       std::move(optional_parameters), resolve_context,
+                       host_cache);
+}
+
+std::unique_ptr<HostResolver::ResolveHostRequest>
+HostResolverManager::CreateRequest(
     HostResolver::Host host,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     NetLogWithSource net_log,
     absl::optional<ResolveHostParameters> optional_parameters,
     ResolveContext* resolve_context,
@@ -3200,7 +2850,7 @@ HostResolverManager::CreateRequest(
   DCHECK(registered_contexts_.HasObserver(resolve_context));
 
   return std::make_unique<RequestImpl>(
-      std::move(net_log), std::move(host), std::move(network_isolation_key),
+      std::move(net_log), std::move(host), std::move(network_anonymization_key),
       std::move(optional_parameters), resolve_context->GetWeakPtr(), host_cache,
       weak_ptr_factory_.GetWeakPtr(), tick_clock_);
 }
@@ -3358,11 +3008,6 @@ void HostResolverManager::SetLastIPv6ProbeResultForTesting(
   SetLastIPv6ProbeResult(last_ipv6_probe_result);
 }
 
-void HostResolverManager::SetTaskRunnerForTesting(
-    scoped_refptr<base::TaskRunner> task_runner) {
-  proc_task_runner_ = std::move(task_runner);
-}
-
 // static
 bool HostResolverManager::IsLocalTask(TaskType task) {
   switch (task) {
@@ -3395,7 +3040,7 @@ int HostResolverManager::Resolve(RequestImpl* request) {
   job_key.host =
       CreateHostForJobKey(request->request_host(), parameters.dns_query_type,
                           https_svcb_options_.enable);
-  job_key.network_isolation_key = request->network_isolation_key();
+  job_key.network_anonymization_key = request->network_anonymization_key();
   job_key.source = parameters.source;
 
   IPAddress ip_address;
@@ -3410,13 +3055,14 @@ int HostResolverManager::Resolve(RequestImpl* request) {
   absl::optional<HostCache::EntryStaleness> stale_info;
   HostCache::Entry results = ResolveLocally(
       job_key, ip_address, parameters.cache_usage, parameters.secure_dns_policy,
-      request->source_net_log(), request->host_cache(), &tasks, &stale_info);
+      parameters.source, request->source_net_log(), request->host_cache(),
+      &tasks, &stale_info);
   if (results.error() != ERR_DNS_CACHE_MISS ||
       request->parameters().source == HostResolverSource::LOCAL_ONLY ||
       tasks.empty()) {
     if (results.error() == OK && !request->parameters().is_speculative) {
       request->set_results(
-          results.CopyWithDefaultPort(GetPort(request->request_host())));
+          results.CopyWithDefaultPort(request->request_host().GetPort()));
     }
     if (stale_info && !request->parameters().is_speculative)
       request->set_stale_info(std::move(stale_info).value());
@@ -3434,6 +3080,7 @@ HostCache::Entry HostResolverManager::ResolveLocally(
     const IPAddress& ip_address,
     ResolveHostParameters::CacheUsage cache_usage,
     SecureDnsPolicy secure_dns_policy,
+    HostResolverSource source,
     const NetLogWithSource& source_net_log,
     HostCache* cache,
     std::deque<TaskType>* out_tasks,
@@ -3471,8 +3118,19 @@ HostCache::Entry HostResolverManager::ResolveLocally(
                             HostCache::Entry::SOURCE_UNKNOWN);
   }
 
-  if (ip_address.IsValid())
+  if (ip_address.IsValid()) {
+    // Use NAT64Task for IPv4 literal when the network is IPv6 only.
+    if (!default_family_due_to_no_ipv6 && ip_address.IsIPv4() &&
+        base::FeatureList::IsEnabled(features::kUseNAT64ForIPv4Literal) &&
+        !IsGloballyReachable(IPAddress(ip_address), source_net_log) &&
+        source != HostResolverSource::LOCAL_ONLY) {
+      out_tasks->push_front(TaskType::NAT64);
+      return HostCache::Entry(ERR_DNS_CACHE_MISS,
+                              HostCache::Entry::SOURCE_UNKNOWN);
+    }
+
     return ResolveAsIP(job_key.query_types, resolve_canonname, ip_address);
+  }
 
   // Special-case localhost names, as per the recommendations in
   // https://tools.ietf.org/html/draft-west-let-localhost-be-localhost.
@@ -3562,10 +3220,10 @@ HostResolverManager::Job* HostResolverManager::AddJobWithoutRequest(
     std::deque<TaskType> tasks,
     RequestPriority priority,
     const NetLogWithSource& source_net_log) {
-  auto new_job = std::make_unique<Job>(
-      weak_ptr_factory_.GetWeakPtr(), key, cache_usage, host_cache,
-      std::move(tasks), priority, proc_task_runner_, source_net_log,
-      tick_clock_, https_svcb_options_);
+  auto new_job =
+      std::make_unique<Job>(weak_ptr_factory_.GetWeakPtr(), key, cache_usage,
+                            host_cache, std::move(tasks), priority,
+                            source_net_log, tick_clock_, https_svcb_options_);
   auto insert_result = jobs_.emplace(std::move(key), std::move(new_job));
   auto& iterator = insert_result.first;
   bool is_new = insert_result.second;
@@ -3685,7 +3343,7 @@ absl::optional<HostCache::Entry> HostResolverManager::ServeFromHosts(
   // Don't attempt a HOSTS lookup if there is no DnsConfig or the HOSTS lookup
   // is going to be done next as part of a system lookup.
   if (!dns_client_ || !HasAddressType(query_types) ||
-      (!tasks.empty() && tasks.front() == TaskType::PROC))
+      (!tasks.empty() && tasks.front() == TaskType::SYSTEM))
     return absl::nullopt;
   const DnsHosts* hosts = dns_client_->GetHosts();
 
@@ -3810,11 +3468,12 @@ bool HostResolverManager::ShouldForceSystemResolverDueToTestOverride() const {
                                  &IPEndPoint::address))
         << "Test could query a publicly-routable address.";
   }
-  return !proc_params_.resolver_proc && HostResolverProc::GetDefault() &&
+  return !host_resolver_system_params_.resolver_proc &&
+         HostResolverProc::GetDefault() &&
          !system_resolver_disabled_for_testing_;
 }
 
-void HostResolverManager::PushDnsTasks(bool proc_task_allowed,
+void HostResolverManager::PushDnsTasks(bool system_task_allowed,
                                        SecureDnsMode secure_dns_mode,
                                        bool insecure_tasks_allowed,
                                        bool allow_cache,
@@ -3884,9 +3543,9 @@ void HostResolverManager::PushDnsTasks(bool proc_task_allowed,
       base::ranges::find_first_of(*out_tasks, kWantTasks) == out_tasks->end();
   // The system resolver can be used as a fallback for a non-existent or
   // failing DnsTask if allowed by the request parameters.
-  if (proc_task_allowed &&
-      (no_dns_or_secure_tasks || allow_fallback_to_proctask_))
-    out_tasks->push_back(TaskType::PROC);
+  if (system_task_allowed &&
+      (no_dns_or_secure_tasks || allow_fallback_to_systemtask_))
+    out_tasks->push_back(TaskType::SYSTEM);
 }
 
 void HostResolverManager::CreateTaskSequence(
@@ -3924,41 +3583,42 @@ void HostResolverManager::CreateTaskSequence(
 
   switch (job_key.source) {
     case HostResolverSource::ANY:
-      // Force address queries with canonname to use ProcTask to counter poor
-      // CNAME support in DnsTask. See https://crbug.com/872665
+      // Force address queries with canonname to use HostResolverSystemTask to
+      // counter poor CNAME support in DnsTask. See https://crbug.com/872665
       //
-      // Otherwise, default to DnsTask (with allowed fallback to ProcTask for
-      // address queries). But if hostname appears to be an MDNS name (ends in
-      // *.local), go with ProcTask for address queries and MdnsTask for non-
-      // address queries.
+      // Otherwise, default to DnsTask (with allowed fallback to
+      // HostResolverSystemTask for address queries). But if hostname appears to
+      // be an MDNS name (ends in *.local), go with HostResolverSystemTask for
+      // address queries and MdnsTask for non- address queries.
       if ((job_key.flags & HOST_RESOLVER_CANONNAME) && has_address_type) {
-        out_tasks->push_back(TaskType::PROC);
+        out_tasks->push_back(TaskType::SYSTEM);
       } else if (!ResemblesMulticastDNSName(GetHostname(job_key.host))) {
-        bool proc_task_allowed = has_address_type && job_key.secure_dns_mode !=
-                                                         SecureDnsMode::kSecure;
+        bool system_task_allowed =
+            has_address_type &&
+            job_key.secure_dns_mode != SecureDnsMode::kSecure;
         if (dns_client_ && dns_client_->GetEffectiveConfig()) {
           bool insecure_allowed =
               dns_client_->CanUseInsecureDnsTransactions() &&
               !dns_client_->FallbackFromInsecureTransactionPreferred() &&
               (has_address_type ||
                dns_client_->CanQueryAdditionalTypesViaInsecureDns());
-          PushDnsTasks(proc_task_allowed, job_key.secure_dns_mode,
+          PushDnsTasks(system_task_allowed, job_key.secure_dns_mode,
                        insecure_allowed, allow_cache, prioritize_local_lookups,
                        &*job_key.resolve_context, out_tasks);
-        } else if (proc_task_allowed) {
-          out_tasks->push_back(TaskType::PROC);
+        } else if (system_task_allowed) {
+          out_tasks->push_back(TaskType::SYSTEM);
         }
       } else if (has_address_type) {
         // For *.local address queries, try the system resolver even if the
         // secure dns mode is SECURE. Public recursive resolvers aren't expected
         // to handle these queries.
-        out_tasks->push_back(TaskType::PROC);
+        out_tasks->push_back(TaskType::SYSTEM);
       } else {
         out_tasks->push_back(TaskType::MDNS);
       }
       break;
     case HostResolverSource::SYSTEM:
-      out_tasks->push_back(TaskType::PROC);
+      out_tasks->push_back(TaskType::SYSTEM);
       break;
     case HostResolverSource::DNS:
       if (dns_client_ && dns_client_->GetEffectiveConfig()) {
@@ -3966,7 +3626,7 @@ void HostResolverManager::CreateTaskSequence(
             dns_client_->CanUseInsecureDnsTransactions() &&
             (has_address_type ||
              dns_client_->CanQueryAdditionalTypesViaInsecureDns());
-        PushDnsTasks(false /* proc_task_allowed */, job_key.secure_dns_mode,
+        PushDnsTasks(false /* system_task_allowed */, job_key.secure_dns_mode,
                      insecure_allowed, allow_cache, prioritize_local_lookups,
                      &*job_key.resolve_context, out_tasks);
       }
@@ -4036,13 +3696,6 @@ void HostResolverManager::GetEffectiveParametersForRequest(
         url::kHttpScheme, url::kHttpsScheme, url::kWsScheme, url::kWssScheme};
     if (base::Contains(kSchemesForHttpsQuery, GetScheme(host)))
       effective_types.Put(DnsQueryType::HTTPS);
-  } else if (base::FeatureList::IsEnabled(features::kDnsHttpssvc) &&
-             (httpssvc_domain_cache_.IsExperimental(GetHostname(host)) ||
-              httpssvc_domain_cache_.IsControl(GetHostname(host)))) {
-    if (features::kDnsHttpssvcUseIntegrity.Get())
-      effective_types.Put(DnsQueryType::INTEGRITY);
-    if (features::kDnsHttpssvcUseHttpssvc.Get())
-      effective_types.Put(DnsQueryType::HTTPS_EXPERIMENTAL);
   }
 
   *out_effective_types = effective_types;
@@ -4102,18 +3755,16 @@ bool HostResolverManager::IsGloballyReachable(const IPAddress& dest,
   rv = socket->GetLocalAddress(&endpoint);
   if (rv != OK)
     return false;
-  DCHECK_EQ(ADDRESS_FAMILY_IPV6, endpoint.GetFamily());
   const IPAddress& address = endpoint.address();
 
-  bool is_link_local =
-      (address.bytes()[0] == 0xFE) && ((address.bytes()[1] & 0xC0) == 0x80);
-  if (is_link_local)
-    return false;
-
-  const uint8_t kTeredoPrefix[] = {0x20, 0x01, 0, 0};
-  if (IPAddressStartsWith(address, kTeredoPrefix))
+  if (address.IsLinkLocal())
     return false;
 
+  if (address.IsIPv6()) {
+    const uint8_t kTeredoPrefix[] = {0x20, 0x01, 0, 0};
+    if (IPAddressStartsWith(address, kTeredoPrefix))
+      return false;
+  }
   return true;
 }
 
@@ -4290,7 +3941,7 @@ void HostResolverManager::OnFallbackResolve(int dns_task_error) {
   dns_client_->IncrementInsecureFallbackFailures();
 
   // If DnsClient became not preferred, fallback all fallback-allowed insecure
-  // DnsTasks to ProcTasks.
+  // DnsTasks to HostResolverSystemTasks.
   if (dns_client_->FallbackFromInsecureTransactionPreferred())
     AbortInsecureDnsTasks(ERR_FAILED, true /* fallback_only */);
 }
@@ -4345,10 +3996,10 @@ void HostResolverManager::InvalidateCaches(bool network_change) {
 
 void HostResolverManager::UpdateConnectionType(
     NetworkChangeNotifier::ConnectionType type) {
-  proc_params_.unresponsive_delay =
+  host_resolver_system_params_.unresponsive_delay =
       GetTimeDeltaForConnectionTypeFromFieldTrialOrDefault(
           "DnsUnresponsiveDelayMsByConnectionType",
-          ProcTaskParams::kDnsDefaultUnresponsiveDelay, type);
+          HostResolverSystemTask::Params::kDnsDefaultUnresponsiveDelay, type);
 
   // Note that NetworkChangeNotifier always sends a CONNECTION_NONE notification
   // before non-NONE notifications. This check therefore just ensures each
diff --git a/chromium/net/dns/host_resolver_manager.h b/chromium/net/dns/host_resolver_manager.h
index 922e5a6c4cf..962e6e5291b 100644
--- a/chromium/net/dns/host_resolver_manager.h
+++ b/chromium/net/dns/host_resolver_manager.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -26,14 +26,13 @@
 #include "base/timer/timer.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/host_port_pair.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_change_notifier.h"
 #include "net/base/network_handle.h"
-#include "net/base/network_isolation_key.h"
 #include "net/base/prioritized_dispatcher.h"
 #include "net/dns/dns_config.h"
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver.h"
-#include "net/dns/host_resolver_proc.h"
 #include "net/dns/httpssvc_metrics.h"
 #include "net/dns/public/dns_config_overrides.h"
 #include "net/dns/public/dns_query_type.h"
@@ -68,10 +67,11 @@ class NetLog;
 //
 // For each hostname that is requested, HostResolver creates a
 // HostResolverManager::Job. When this job gets dispatched it creates a task
-// (ProcTask for the system resolver or DnsTask for the async resolver) which
-// resolves the hostname. If requests for that same host are made during the
-// job's lifetime, they are attached to the existing job rather than creating a
-// new one. This avoids doing parallel resolves for the same host.
+// (HostResolverSystemTask for the system resolver or DnsTask for the async
+// resolver) which resolves the hostname. If requests for that same host are
+// made during the job's lifetime, they are attached to the existing job rather
+// than creating a new one. This avoids doing parallel resolves for the same
+// host.
 //
 // The way these classes fit together is illustrated by:
 //
@@ -147,8 +147,15 @@ class NET_EXPORT HostResolverManager
   // TODO(crbug.com/1022059): Use the HostCache out of the ResolveContext
   // instead of passing it separately.
   std::unique_ptr<HostResolver::ResolveHostRequest> CreateRequest(
+      absl::variant<url::SchemeHostPort, HostPortPair> host,
+      NetworkAnonymizationKey network_anonymization_key,
+      NetLogWithSource net_log,
+      absl::optional<ResolveHostParameters> optional_parameters,
+      ResolveContext* resolve_context,
+      HostCache* host_cache);
+  std::unique_ptr<HostResolver::ResolveHostRequest> CreateRequest(
       HostResolver::Host host,
-      NetworkIsolationKey network_isolation_key,
+      NetworkAnonymizationKey network_anonymization_key,
       NetLogWithSource net_log,
       absl::optional<ResolveHostParameters> optional_parameters,
       ResolveContext* resolve_context,
@@ -163,9 +170,9 @@ class NET_EXPORT HostResolverManager
   // Enables or disables the built-in asynchronous DnsClient. If enabled, by
   // default (when no |ResolveHostParameters::source| is specified), the
   // DnsClient will be used for resolves and, in case of failure, resolution
-  // will fallback to the system resolver (HostResolverProc from
-  // ProcTaskParams). If the DnsClient is not pre-configured with a valid
-  // DnsConfig, a new config is fetched from NetworkChangeNotifier.
+  // will fallback to the system resolver (in tests, HostResolverProc from
+  // HostResolverSystemTask::Params). If the DnsClient is not pre-configured
+  // with a valid DnsConfig, a new config is fetched from NetworkChangeNotifier.
   //
   // Setting to |true| has no effect if |ENABLE_BUILT_IN_DNS| not defined.
   virtual void SetInsecureDnsClientEnabled(bool enabled,
@@ -191,8 +198,9 @@ class NET_EXPORT HostResolverManager
   void RegisterResolveContext(ResolveContext* context);
   void DeregisterResolveContext(const ResolveContext* context);
 
-  void set_proc_params_for_test(const ProcTaskParams& proc_params) {
-    proc_params_ = proc_params;
+  void set_host_resolver_system_params_for_test(
+      const HostResolverSystemTask::Params& host_resolver_system_params) {
+    host_resolver_system_params_ = host_resolver_system_params;
   }
 
   void InvalidateCachesForTesting() { InvalidateCaches(); }
@@ -256,15 +264,11 @@ class NET_EXPORT HostResolverManager
   // Callback from HaveOnlyLoopbackAddresses probe.
   void SetHaveOnlyLoopbackAddresses(bool result);
 
-  // Sets the task runner used for HostResolverProc tasks.
-  void SetTaskRunnerForTesting(scoped_refptr<base::TaskRunner> task_runner);
-
  private:
   friend class HostResolverManagerTest;
   friend class HostResolverManagerDnsTest;
   class Job;
   struct JobKey;
-  class ProcTask;
   class LoopbackProbeJob;
   class DnsTask;
   class RequestImpl;
@@ -273,7 +277,7 @@ class NET_EXPORT HostResolverManager
 
   // Task types that a Job might run.
   enum class TaskType {
-    PROC,
+    SYSTEM,
     DNS,
     SECURE_DNS,
     MDNS,
@@ -281,6 +285,7 @@ class NET_EXPORT HostResolverManager
     INSECURE_CACHE_LOOKUP,
     SECURE_CACHE_LOOKUP,
     CONFIG_PRESET,
+    NAT64,
   };
 
   // Returns true if the task is local, synchronous, and instantaneous.
@@ -310,7 +315,8 @@ class NET_EXPORT HostResolverManager
       const IPAddress& ip_address,
       ResolveHostParameters::CacheUsage cache_usage,
       SecureDnsPolicy secure_dns_policy,
-      const NetLogWithSource& request_net_log,
+      HostResolverSource source,
+      const NetLogWithSource& source_net_log,
       HostCache* cache,
       std::deque<TaskType>* out_tasks,
       absl::optional<HostCache::EntryStaleness>* out_stale_info);
@@ -384,7 +390,7 @@ class NET_EXPORT HostResolverManager
   // Helper method to add DnsTasks and related tasks based on the SecureDnsMode
   // and fallback parameters. If |prioritize_local_lookups| is true, then we
   // may push an insecure cache lookup ahead of a secure DnsTask.
-  void PushDnsTasks(bool proc_task_allowed,
+  void PushDnsTasks(bool system_task_allowed,
                     SecureDnsMode secure_dns_mode,
                     bool insecure_tasks_allowed,
                     bool allow_cache,
@@ -446,11 +452,11 @@ class NET_EXPORT HostResolverManager
   void AbortJobsWithoutTargetNetwork(bool in_progress_only);
 
   // Aborts all in progress insecure DnsTasks. In-progress jobs will fall back
-  // to ProcTasks if able and otherwise abort with |error|. Might start new
-  // jobs, if any jobs were taking up two dispatcher slots.
+  // to HostResolverSystemTasks if able and otherwise abort with |error|. Might
+  // start new jobs, if any jobs were taking up two dispatcher slots.
   //
   // If |fallback_only|, insecure DnsTasks will only abort if they can fallback
-  // to ProcTask.
+  // to HostResolverSystemTasks.
   void AbortInsecureDnsTasks(int error, bool fallback_only);
 
   // Attempts to serve each Job in |jobs_| from the HOSTS file if we have
@@ -469,8 +475,8 @@ class NET_EXPORT HostResolverManager
 
   void UpdateJobsForChangedConfig();
 
-  // Called on successful resolve after falling back to ProcTask after a failed
-  // DnsTask resolve.
+  // Called on successful resolve after falling back to HostResolverSystemTask
+  // after a failed DnsTask resolve.
   void OnFallbackResolve(int dns_task_error);
 
   int GetOrCreateMdnsClient(MDnsClient** out_client);
@@ -504,8 +510,8 @@ class NET_EXPORT HostResolverManager
   // Limit on the maximum number of jobs queued in |dispatcher_|.
   size_t max_queued_jobs_ = 0;
 
-  // Parameters for ProcTask.
-  ProcTaskParams proc_params_;
+  // Parameters for HostResolverSystemTask.
+  HostResolverSystemTask::Params host_resolver_system_params_;
 
   raw_ptr<NetLog> net_log_;
 
@@ -526,12 +532,8 @@ class NET_EXPORT HostResolverManager
   // Any resolver flags that should be added to a request by default.
   HostResolverFlags additional_resolver_flags_ = 0;
 
-  // Allow fallback to ProcTask if DnsTask fails.
-  bool allow_fallback_to_proctask_ = true;
-
-  // Task runner used for DNS lookups using the system resolver. Normally a
-  // ThreadPool task runner, but can be overridden for tests.
-  scoped_refptr<base::TaskRunner> proc_task_runner_;
+  // Allow fallback to HostResolverSystemTask if DnsTask fails.
+  bool allow_fallback_to_systemtask_ = true;
 
   // Shared tick clock, overridden for testing.
   raw_ptr<const base::TickClock> tick_clock_;
@@ -546,9 +548,6 @@ class NET_EXPORT HostResolverManager
       registered_contexts_;
   bool invalidation_in_progress_ = false;
 
-  // Helper for metrics associated with `features::kDnsHttpssvc`.
-  HttpssvcExperimentDomainCache httpssvc_domain_cache_;
-
   // An experimental flag for features::kUseDnsHttpsSvcb.
   HostResolver::HttpsSvcbOptions https_svcb_options_;
 
diff --git a/chromium/net/dns/host_resolver_manager_fuzzer.cc b/chromium/net/dns/host_resolver_manager_fuzzer.cc
index fd9ec489091..1f7518393c9 100644
--- a/chromium/net/dns/host_resolver_manager_fuzzer.cc
+++ b/chromium/net/dns/host_resolver_manager_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,6 +15,7 @@
 #include "base/check_op.h"
 #include "base/run_loop.h"
 #include "base/test/task_environment.h"
+#include "base/threading/sequenced_task_runner_handle.h"
 #include "net/base/address_family.h"
 #include "net/base/address_list.h"
 #include "net/base/net_errors.h"
@@ -23,6 +24,7 @@
 #include "net/dns/context_host_resolver.h"
 #include "net/dns/fuzzed_host_resolver_util.h"
 #include "net/dns/host_resolver.h"
+#include "net/dns/host_resolver_proc.h"
 #include "net/dns/public/dns_query_type.h"
 #include "net/dns/public/host_resolver_source.h"
 #include "net/log/net_log.h"
@@ -178,7 +180,7 @@ class DnsRequest {
 
     const char* hostname = data_provider_->PickValueInArray(kHostNames);
     request_ = host_resolver_->CreateRequest(
-        net::HostPortPair(hostname, 80), net::NetworkIsolationKey(),
+        net::HostPortPair(hostname, 80), net::NetworkAnonymizationKey(),
         net::NetLogWithSource(), parameters);
     int rv = request_->Start(
         base::BindOnce(&DnsRequest::OnCallback, base::Unretained(this)));
@@ -232,6 +234,19 @@ class DnsRequest {
   std::unique_ptr<base::RunLoop> run_loop_;
 };
 
+class FuzzerEnvironment {
+ public:
+  FuzzerEnvironment() {
+    net::SetSystemDnsResolutionTaskRunnerForTesting(  // IN-TEST
+        base::SequencedTaskRunnerHandle::Get());
+  }
+  ~FuzzerEnvironment() = default;
+};
+
+void EnsureInitFuzzerEnvironment() {
+  static FuzzerEnvironment init_environment;
+}
+
 }  // namespace
 
 // Fuzzer for HostResolverImpl. Fuzzes using both the system resolver and
@@ -244,6 +259,9 @@ class DnsRequest {
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   {
     FuzzedDataProvider data_provider(data, size);
+
+    EnsureInitFuzzerEnvironment();
+
     // Including an observer; even though the recorded results aren't currently
     // used, it'll ensure the netlogging code is fuzzed as well.
     net::RecordingNetLogObserver net_log_observer;
diff --git a/chromium/net/dns/host_resolver_manager_unittest.cc b/chromium/net/dns/host_resolver_manager_unittest.cc
index 2d91bb3f692..57e847088ad 100644
--- a/chromium/net/dns/host_resolver_manager_unittest.cc
+++ b/chromium/net/dns/host_resolver_manager_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -51,7 +51,7 @@
 #include "net/base/ip_endpoint.h"
 #include "net/base/mock_network_change_notifier.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/dns/dns_client.h"
 #include "net/dns/dns_config.h"
@@ -59,6 +59,7 @@
 #include "net/dns/dns_util.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_results_test_util.h"
+#include "net/dns/host_resolver_system_task.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/dns/mock_mdns_client.h"
 #include "net/dns/mock_mdns_socket_factory.h"
@@ -116,8 +117,10 @@ namespace {
 const size_t kMaxJobs = 10u;
 const size_t kMaxRetryAttempts = 4u;
 
-ProcTaskParams DefaultParams(scoped_refptr<HostResolverProc> resolver_proc) {
-  return ProcTaskParams(std::move(resolver_proc), kMaxRetryAttempts);
+HostResolverSystemTask::Params DefaultParams(
+    scoped_refptr<HostResolverProc> resolver_proc) {
+  return HostResolverSystemTask::Params(std::move(resolver_proc),
+                                        kMaxRetryAttempts);
 }
 
 // A HostResolverProc that pushes each host mapped into a list and allows
@@ -475,18 +478,25 @@ class TestHostResolverManager : public HostResolverManager {
   TestHostResolverManager(const HostResolver::ManagerOptions& options,
                           SystemDnsConfigChangeNotifier* notifier,
                           NetLog* net_log,
-                          bool ipv6_reachable = true)
+                          bool ipv6_reachable = true,
+                          bool ipv4_reachable = true)
       : HostResolverManager(options, notifier, net_log),
-        ipv6_reachable_(ipv6_reachable) {}
+        ipv6_reachable_(ipv6_reachable),
+        ipv4_reachable_(ipv4_reachable) {}
 
   ~TestHostResolverManager() override = default;
 
  private:
   const bool ipv6_reachable_;
+  const bool ipv4_reachable_;
 
   bool IsGloballyReachable(const IPAddress& dest,
                            const NetLogWithSource& net_log) override {
-    return ipv6_reachable_;
+    if (dest.IsIPv6()) {
+      return ipv6_reachable_;
+    } else {
+      return ipv4_reachable_;
+    }
   }
 };
 
@@ -547,7 +557,7 @@ class HostResolverManagerTest : public TestWithTaskEnvironment {
   // This HostResolverManager will only allow 1 outstanding resolve at a time
   // and perform no retries.
   void CreateSerialResolver(bool check_ipv6_on_wifi = true) {
-    ProcTaskParams params = DefaultParams(proc_);
+    HostResolverSystemTask::Params params = DefaultParams(proc_);
     params.max_retry_attempts = 0u;
     CreateResolverWithLimitsAndParams(1u, params, true /* ipv6_reachable */,
                                       check_ipv6_on_wifi);
@@ -570,10 +580,11 @@ class HostResolverManagerTest : public TestWithTaskEnvironment {
     EXPECT_FALSE(proc_->HasBlockedRequests());
   }
 
-  void CreateResolverWithLimitsAndParams(size_t max_concurrent_resolves,
-                                         const ProcTaskParams& params,
-                                         bool ipv6_reachable,
-                                         bool check_ipv6_on_wifi) {
+  void CreateResolverWithLimitsAndParams(
+      size_t max_concurrent_resolves,
+      const HostResolverSystemTask::Params& params,
+      bool ipv6_reachable,
+      bool check_ipv6_on_wifi) {
     HostResolver::ManagerOptions options = DefaultOptions();
     options.max_concurrent_resolves = max_concurrent_resolves;
     options.check_ipv6_on_wifi = check_ipv6_on_wifi;
@@ -591,16 +602,18 @@ class HostResolverManagerTest : public TestWithTaskEnvironment {
 
   virtual void CreateResolverWithOptionsAndParams(
       HostResolver::ManagerOptions options,
-      const ProcTaskParams& params,
-      bool ipv6_reachable) {
+      const HostResolverSystemTask::Params& params,
+      bool ipv6_reachable,
+      bool ipv4_reachable = true) {
     // Use HostResolverManagerDnsTest if enabling DNS client.
     DCHECK(!options.insecure_dns_client_enabled);
 
     DestroyResolver();
 
     resolver_ = std::make_unique<TestHostResolverManager>(
-        options, nullptr /* notifier */, nullptr /* net_log */, ipv6_reachable);
-    resolver_->set_proc_params_for_test(params);
+        options, nullptr /* notifier */, nullptr /* net_log */, ipv6_reachable,
+        ipv4_reachable);
+    resolver_->set_host_resolver_system_params_for_test(params);
 
     resolver_->RegisterResolveContext(resolve_context_.get());
   }
@@ -611,9 +624,9 @@ class HostResolverManagerTest : public TestWithTaskEnvironment {
     return resolver_->num_running_dispatcher_jobs_for_tests();
   }
 
-  void set_allow_fallback_to_proctask(bool allow_fallback_to_proctask) {
+  void set_allow_fallback_to_systemtask(bool allow_fallback_to_systemtask) {
     DCHECK(resolver_.get());
-    resolver_->allow_fallback_to_proctask_ = allow_fallback_to_proctask;
+    resolver_->allow_fallback_to_systemtask_ = allow_fallback_to_systemtask;
   }
 
   static unsigned maximum_insecure_dns_task_failures() {
@@ -661,7 +674,7 @@ TEST_F(HostResolverManagerTest, AsynchronousLookup) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -680,7 +693,7 @@ TEST_F(HostResolverManagerTest, AsynchronousLookup) {
       GetCacheHit(HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                                  0 /* host_resolver_flags */,
                                  HostResolverSource::ANY,
-                                 NetworkIsolationKey()));
+                                 NetworkAnonymizationKey()));
   EXPECT_TRUE(cache_result);
 }
 
@@ -691,7 +704,7 @@ TEST_F(HostResolverManagerTest, AsynchronousLookupWithScheme) {
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
       url::SchemeHostPort(url::kHttpScheme, "host.test", 80),
-      NetworkIsolationKey(), NetLogWithSource(), absl::nullopt,
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsOk());
@@ -706,9 +719,10 @@ TEST_F(HostResolverManagerTest, AsynchronousLookupWithScheme) {
   EXPECT_EQ("host.test", proc_->GetCaptureList()[0].hostname);
 
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
-      GetCacheHit(HostCache::Key(
-          "host.test", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-          HostResolverSource::ANY, NetworkIsolationKey()));
+      GetCacheHit(
+          HostCache::Key(url::SchemeHostPort(url::kHttpScheme, "host.test", 80),
+                         DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+                         HostResolverSource::ANY, NetworkAnonymizationKey()));
   EXPECT_TRUE(cache_result);
 }
 
@@ -717,7 +731,7 @@ TEST_F(HostResolverManagerTest, JobsClearedOnCompletion) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
@@ -731,11 +745,11 @@ TEST_F(HostResolverManagerTest, JobsClearedOnCompletion_MultipleRequests) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
@@ -751,7 +765,7 @@ TEST_F(HostResolverManagerTest, JobsClearedOnCompletion_Failure) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
@@ -764,7 +778,7 @@ TEST_F(HostResolverManagerTest, JobsClearedOnCompletion_Abort) {
   proc_->AddRuleForAllFamilies("just.testing", "192.168.1.42");
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
@@ -784,12 +798,12 @@ TEST_F(HostResolverManagerTest, DnsQueryType) {
 
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper v4_response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
 
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper v6_response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
 
   proc_->SignalMultiple(2u);
@@ -816,7 +830,7 @@ TEST_F(HostResolverManagerTest, DnsQueryWithoutAliases) {
 
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
 
   proc_->SignalMultiple(1u);
@@ -836,8 +850,9 @@ TEST_F(HostResolverManagerTest, LocalhostIPV4IPV6Lookup) {
 
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper v4_v4_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("localhost", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(v4_v4_response.result_error(), IsOk());
   EXPECT_THAT(v4_v4_response.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
@@ -847,8 +862,9 @@ TEST_F(HostResolverManagerTest, LocalhostIPV4IPV6Lookup) {
 
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper v4_v6_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("localhost", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(v4_v6_response.result_error(), IsOk());
   EXPECT_THAT(v4_v6_response.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("::1", 80)));
@@ -857,8 +873,9 @@ TEST_F(HostResolverManagerTest, LocalhostIPV4IPV6Lookup) {
                   testing::ElementsAre(CreateExpected("::1", 80))))));
 
   ResolveHostResponseHelper v4_unsp_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("localhost", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(v4_unsp_response.result_error(), IsOk());
   EXPECT_THAT(v4_unsp_response.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -880,8 +897,9 @@ TEST_F(HostResolverManagerTest, ResolveIPLiteralWithHostResolverSystemOnly) {
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::SYSTEM;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kIpLiteral, 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair(kIpLiteral, 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
 
   // IP literal resolution is expected to take precedence over source, so the
   // result is expected to be the input IP, not the result IP from the proc rule
@@ -899,7 +917,7 @@ TEST_F(HostResolverManagerTest, EmptyListMeansNameNotResolved) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -917,7 +935,7 @@ TEST_F(HostResolverManagerTest, FailedAsynchronousLookup) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
@@ -934,13 +952,13 @@ TEST_F(HostResolverManagerTest, FailedAsynchronousLookup) {
       GetCacheHit(HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                                  0 /* host_resolver_flags */,
                                  HostResolverSource::ANY,
-                                 NetworkIsolationKey()));
+                                 NetworkAnonymizationKey()));
   EXPECT_FALSE(cache_result);
 }
 
 TEST_F(HostResolverManagerTest, AbortedAsynchronousLookup) {
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   ASSERT_FALSE(response0.complete());
@@ -954,7 +972,7 @@ TEST_F(HostResolverManagerTest, AbortedAsynchronousLookup) {
   // To ensure there was no spurious callback, complete with a new resolver.
   CreateResolver();
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -968,7 +986,7 @@ TEST_F(HostResolverManagerTest, AbortedAsynchronousLookup) {
 
 TEST_F(HostResolverManagerTest, NumericIPv4Address) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("127.1.2.3", 5555), NetworkIsolationKey(),
+      HostPortPair("127.1.2.3", 5555), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -984,7 +1002,7 @@ TEST_F(HostResolverManagerTest, NumericIPv4Address) {
 TEST_F(HostResolverManagerTest, NumericIPv4AddressWithScheme) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
       url::SchemeHostPort(url::kHttpsScheme, "127.1.2.3", 5555),
-      NetworkIsolationKey(), NetLogWithSource(), absl::nullopt,
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsOk());
@@ -1000,7 +1018,7 @@ TEST_F(HostResolverManagerTest, NumericIPv6Address) {
   // Resolve a plain IPv6 address.  Don't worry about [brackets], because
   // the caller should have removed them.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("2001:db8::1", 5555), NetworkIsolationKey(),
+      HostPortPair("2001:db8::1", 5555), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -1016,7 +1034,7 @@ TEST_F(HostResolverManagerTest, NumericIPv6Address) {
 TEST_F(HostResolverManagerTest, NumericIPv6AddressWithScheme) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
       url::SchemeHostPort(url::kFtpScheme, "[2001:db8::1]", 5555),
-      NetworkIsolationKey(), NetLogWithSource(), absl::nullopt,
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsOk());
@@ -1030,7 +1048,7 @@ TEST_F(HostResolverManagerTest, NumericIPv6AddressWithScheme) {
 
 TEST_F(HostResolverManagerTest, EmptyHost) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(std::string(), 5555), NetworkIsolationKey(),
+      HostPortPair(std::string(), 5555), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -1042,7 +1060,7 @@ TEST_F(HostResolverManagerTest, EmptyHost) {
 TEST_F(HostResolverManagerTest, EmptyDotsHost) {
   for (int i = 0; i < 16; ++i) {
     ResolveHostResponseHelper response(resolver_->CreateRequest(
-        HostPortPair(std::string(i, '.'), 5555), NetworkIsolationKey(),
+        HostPortPair(std::string(i, '.'), 5555), NetworkAnonymizationKey(),
         NetLogWithSource(), absl::nullopt, resolve_context_.get(),
         resolve_context_->host_cache()));
 
@@ -1054,7 +1072,7 @@ TEST_F(HostResolverManagerTest, EmptyDotsHost) {
 
 TEST_F(HostResolverManagerTest, LongHost) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(std::string(4097, 'a'), 5555), NetworkIsolationKey(),
+      HostPortPair(std::string(4097, 'a'), 5555), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -1069,27 +1087,27 @@ TEST_F(HostResolverManagerTest, DeDupeRequests) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -1112,27 +1130,27 @@ TEST_F(HostResolverManagerTest, DeDupeRequestsWithDifferentPorts) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 81), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 81), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 82), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 82), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 83), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 83), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -1151,27 +1169,27 @@ TEST_F(HostResolverManagerTest, CancelMultipleRequests) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -1205,14 +1223,14 @@ TEST_F(HostResolverManagerTest, CanceledRequestsReleaseJobSlots) {
 
     responses.emplace_back(
         std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-            HostPortPair(hostname, 80), NetworkIsolationKey(),
+            HostPortPair(hostname, 80), NetworkAnonymizationKey(),
             NetLogWithSource(), absl::nullopt, resolve_context_.get(),
             resolve_context_->host_cache())));
     ASSERT_FALSE(responses.back()->complete());
 
     responses.emplace_back(
         std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-            HostPortPair(hostname, 80), NetworkIsolationKey(),
+            HostPortPair(hostname, 80), NetworkAnonymizationKey(),
             NetLogWithSource(), absl::nullopt, resolve_context_.get(),
             resolve_context_->host_cache())));
     ASSERT_FALSE(responses.back()->complete());
@@ -1253,7 +1271,7 @@ TEST_F(HostResolverManagerTest, CancelWithinCallback) {
       });
 
   ResolveHostResponseHelper cancelling_response(
-      resolver_->CreateRequest(HostPortPair("a", 80), NetworkIsolationKey(),
+      resolver_->CreateRequest(HostPortPair("a", 80), NetworkAnonymizationKey(),
                                NetLogWithSource(), absl::nullopt,
                                resolve_context_.get(),
                                resolve_context_->host_cache()),
@@ -1261,12 +1279,12 @@ TEST_F(HostResolverManagerTest, CancelWithinCallback) {
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -1275,7 +1293,7 @@ TEST_F(HostResolverManagerTest, CancelWithinCallback) {
   EXPECT_THAT(cancelling_response.result_error(), IsOk());
 
   ResolveHostResponseHelper final_response(resolver_->CreateRequest(
-      HostPortPair("finalrequest", 70), NetworkIsolationKey(),
+      HostPortPair("finalrequest", 70), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(final_response.result_error(), IsOk());
@@ -1302,7 +1320,7 @@ TEST_F(HostResolverManagerTest, DeleteWithinCallback) {
       });
 
   ResolveHostResponseHelper deleting_response(
-      resolver_->CreateRequest(HostPortPair("a", 80), NetworkIsolationKey(),
+      resolver_->CreateRequest(HostPortPair("a", 80), NetworkAnonymizationKey(),
                                NetLogWithSource(), absl::nullopt,
                                resolve_context_.get(),
                                resolve_context_->host_cache()),
@@ -1313,12 +1331,12 @@ TEST_F(HostResolverManagerTest, DeleteWithinCallback) {
   // request will run first and cancel the rest.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 81), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 81), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 82), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 82), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -1349,7 +1367,7 @@ TEST_F(HostResolverManagerTest, DeleteWithinAbortedCallback) {
           });
 
   ResolveHostResponseHelper deleting_response(
-      resolver_->CreateRequest(HostPortPair("a", 80), NetworkIsolationKey(),
+      resolver_->CreateRequest(HostPortPair("a", 80), NetworkAnonymizationKey(),
                                NetLogWithSource(), absl::nullopt,
                                resolve_context_.get(),
                                resolve_context_->host_cache()),
@@ -1357,17 +1375,17 @@ TEST_F(HostResolverManagerTest, DeleteWithinAbortedCallback) {
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 82), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 82), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 82), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 82), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -1389,15 +1407,15 @@ TEST_F(HostResolverManagerTest, StartWithinCallback) {
   auto custom_callback = base::BindLambdaForTesting(
       [&](CompletionOnceCallback completion_callback, int error) {
         new_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(HostPortPair("new", 70),
-                                     NetworkIsolationKey(), NetLogWithSource(),
-                                     absl::nullopt, resolve_context_.get(),
-                                     resolve_context_->host_cache()));
+            resolver_->CreateRequest(
+                HostPortPair("new", 70), NetworkAnonymizationKey(),
+                NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+                resolve_context_->host_cache()));
         std::move(completion_callback).Run(error);
       });
 
   ResolveHostResponseHelper starting_response(
-      resolver_->CreateRequest(HostPortPair("a", 80), NetworkIsolationKey(),
+      resolver_->CreateRequest(HostPortPair("a", 80), NetworkAnonymizationKey(),
                                NetLogWithSource(), absl::nullopt,
                                resolve_context_.get(),
                                resolve_context_->host_cache()),
@@ -1417,31 +1435,34 @@ TEST_F(HostResolverManagerTest, StartWithinEvictionCallback) {
   auto custom_callback = base::BindLambdaForTesting(
       [&](CompletionOnceCallback completion_callback, int error) {
         new_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(HostPortPair("new", 70),
-                                     NetworkIsolationKey(), NetLogWithSource(),
-                                     absl::nullopt, resolve_context_.get(),
-                                     resolve_context_->host_cache()));
+            resolver_->CreateRequest(
+                HostPortPair("new", 70), NetworkAnonymizationKey(),
+                NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+                resolve_context_->host_cache()));
         std::move(completion_callback).Run(error);
       });
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("initial", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("initial", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper evictee1_response(
       resolver_->CreateRequest(HostPortPair("evictee1", 80),
-                               NetworkIsolationKey(), NetLogWithSource(),
+                               NetworkAnonymizationKey(), NetLogWithSource(),
                                absl::nullopt, resolve_context_.get(),
                                resolve_context_->host_cache()),
       std::move(custom_callback));
   ResolveHostResponseHelper evictee2_response(resolver_->CreateRequest(
-      HostPortPair("evictee2", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("evictee2", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
 
   // Now one running request ("initial") and two queued requests ("evictee1" and
   // "evictee2"). Any further requests will cause evictions.
   ResolveHostResponseHelper evictor_response(resolver_->CreateRequest(
-      HostPortPair("evictor", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("evictor", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(evictee1_response.result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
 
@@ -1466,19 +1487,20 @@ TEST_F(HostResolverManagerTest, StartWithinEvictionCallback_DoubleEviction) {
   auto custom_callback = base::BindLambdaForTesting(
       [&](CompletionOnceCallback completion_callback, int error) {
         new_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(HostPortPair("new", 70),
-                                     NetworkIsolationKey(), NetLogWithSource(),
-                                     absl::nullopt, resolve_context_.get(),
-                                     resolve_context_->host_cache()));
+            resolver_->CreateRequest(
+                HostPortPair("new", 70), NetworkAnonymizationKey(),
+                NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+                resolve_context_->host_cache()));
         std::move(completion_callback).Run(error);
       });
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("initial", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("initial", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper evictee_response(
       resolver_->CreateRequest(HostPortPair("evictee", 80),
-                               NetworkIsolationKey(), NetLogWithSource(),
+                               NetworkAnonymizationKey(), NetLogWithSource(),
                                absl::nullopt, resolve_context_.get(),
                                resolve_context_->host_cache()),
       std::move(custom_callback));
@@ -1486,8 +1508,9 @@ TEST_F(HostResolverManagerTest, StartWithinEvictionCallback_DoubleEviction) {
   // Now one running request ("initial") and one queued requests ("evictee").
   // Any further requests will cause evictions.
   ResolveHostResponseHelper evictor_response(resolver_->CreateRequest(
-      HostPortPair("evictor", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("evictor", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(evictee_response.result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
 
@@ -1509,31 +1532,34 @@ TEST_F(HostResolverManagerTest, StartWithinEvictionCallback_SameRequest) {
   auto custom_callback = base::BindLambdaForTesting(
       [&](CompletionOnceCallback completion_callback, int error) {
         new_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(HostPortPair("evictor", 80),
-                                     NetworkIsolationKey(), NetLogWithSource(),
-                                     absl::nullopt, resolve_context_.get(),
-                                     resolve_context_->host_cache()));
+            resolver_->CreateRequest(
+                HostPortPair("evictor", 80), NetworkAnonymizationKey(),
+                NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+                resolve_context_->host_cache()));
         std::move(completion_callback).Run(error);
       });
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("initial", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("initial", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper evictee_response(
       resolver_->CreateRequest(HostPortPair("evictee", 80),
-                               NetworkIsolationKey(), NetLogWithSource(),
+                               NetworkAnonymizationKey(), NetLogWithSource(),
                                absl::nullopt, resolve_context_.get(),
                                resolve_context_->host_cache()),
       std::move(custom_callback));
   ResolveHostResponseHelper additional_response(resolver_->CreateRequest(
-      HostPortPair("additional", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("additional", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
 
   // Now one running request ("initial") and two queued requests ("evictee" and
   // "additional"). Any further requests will cause evictions.
   ResolveHostResponseHelper evictor_response(resolver_->CreateRequest(
-      HostPortPair("evictor", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("evictor", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(evictee_response.result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
 
@@ -1552,13 +1578,13 @@ TEST_F(HostResolverManagerTest, BypassCache) {
   proc_->SignalMultiple(2u);
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());
 
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(cached_response.result_error(), IsOk());
   // Expect no increase to calls to |proc_| because result was cached.
@@ -1568,7 +1594,7 @@ TEST_F(HostResolverManagerTest, BypassCache) {
   parameters.cache_usage =
       HostResolver::ResolveHostParameters::CacheUsage::DISALLOWED;
   ResolveHostResponseHelper cache_bypassed_response(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(cache_bypassed_response.result_error(), IsOk());
   // Expect call to |proc_| because cache was bypassed.
@@ -1581,13 +1607,13 @@ TEST_F(HostResolverManagerTest, FlushCacheOnIPAddressChange) {
   proc_->SignalMultiple(2u);  // One before the flush, one after.
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 70), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());
 
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("host1", 75), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 75), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(cached_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());  // No expected increase.
@@ -1599,7 +1625,7 @@ TEST_F(HostResolverManagerTest, FlushCacheOnIPAddressChange) {
   // Resolve "host1" again -- this time it won't be served from cache, so it
   // will complete asynchronously.
   ResolveHostResponseHelper flushed_response(resolver_->CreateRequest(
-      HostPortPair("host1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(flushed_response.result_error(), IsOk());
   EXPECT_EQ(2u, proc_->GetCaptureList().size());  // Expected increase.
@@ -1608,7 +1634,7 @@ TEST_F(HostResolverManagerTest, FlushCacheOnIPAddressChange) {
 // Test that IP address changes send ERR_NETWORK_CHANGED to pending requests.
 TEST_F(HostResolverManagerTest, AbortOnIPAddressChanged) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 70), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
 
   ASSERT_FALSE(response.complete());
@@ -1633,17 +1659,17 @@ TEST_F(HostResolverManagerTest, ObeyPoolConstraintsAfterIPAddressChange) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("b", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("c", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("c", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -1678,7 +1704,7 @@ TEST_F(HostResolverManagerTest, AbortOnlyExistingRequestsOnIPAddressChange) {
           std::unique_ptr<ResolveHostResponseHelper>* next_response,
           CompletionOnceCallback completion_callback, int error) {
         *next_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(next_host, NetworkIsolationKey(),
+            resolver_->CreateRequest(next_host, NetworkAnonymizationKey(),
                                      NetLogWithSource(), absl::nullopt,
                                      resolve_context_.get(),
                                      resolve_context_->host_cache()));
@@ -1688,25 +1714,25 @@ TEST_F(HostResolverManagerTest, AbortOnlyExistingRequestsOnIPAddressChange) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> next_responses(3);
 
   ResolveHostResponseHelper response0(
-      resolver_->CreateRequest(HostPortPair("bbb", 80), NetworkIsolationKey(),
-                               NetLogWithSource(), absl::nullopt,
-                               resolve_context_.get(),
+      resolver_->CreateRequest(HostPortPair("bbb", 80),
+                               NetworkAnonymizationKey(), NetLogWithSource(),
+                               absl::nullopt, resolve_context_.get(),
                                resolve_context_->host_cache()),
       base::BindOnce(custom_callback_template, HostPortPair("zzz", 80),
                      &next_responses[0]));
 
   ResolveHostResponseHelper response1(
-      resolver_->CreateRequest(HostPortPair("eee", 80), NetworkIsolationKey(),
-                               NetLogWithSource(), absl::nullopt,
-                               resolve_context_.get(),
+      resolver_->CreateRequest(HostPortPair("eee", 80),
+                               NetworkAnonymizationKey(), NetLogWithSource(),
+                               absl::nullopt, resolve_context_.get(),
                                resolve_context_->host_cache()),
       base::BindOnce(custom_callback_template, HostPortPair("aaa", 80),
                      &next_responses[1]));
 
   ResolveHostResponseHelper response2(
-      resolver_->CreateRequest(HostPortPair("ccc", 80), NetworkIsolationKey(),
-                               NetLogWithSource(), absl::nullopt,
-                               resolve_context_.get(),
+      resolver_->CreateRequest(HostPortPair("ccc", 80),
+                               NetworkAnonymizationKey(), NetLogWithSource(),
+                               absl::nullopt, resolve_context_.get(),
                                resolve_context_->host_cache()),
       base::BindOnce(custom_callback_template, HostPortPair("eee", 80),
                      &next_responses[2]));
@@ -1757,43 +1783,43 @@ TEST_F(HostResolverManagerTest, HigherPriorityRequestsStartedFirst) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req0", 80), NetworkIsolationKey(), NetLogWithSource(),
-          low_priority, resolve_context_.get(),
+          HostPortPair("req0", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), low_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
-          medium_priority, resolve_context_.get(),
+          HostPortPair("req1", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), medium_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req2", 80), NetworkIsolationKey(), NetLogWithSource(),
-          medium_priority, resolve_context_.get(),
+          HostPortPair("req2", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), medium_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req3", 80), NetworkIsolationKey(), NetLogWithSource(),
-          low_priority, resolve_context_.get(),
+          HostPortPair("req3", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), low_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req4", 80), NetworkIsolationKey(), NetLogWithSource(),
-          highest_priority, resolve_context_.get(),
+          HostPortPair("req4", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), highest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req5", 80), NetworkIsolationKey(), NetLogWithSource(),
-          low_priority, resolve_context_.get(),
+          HostPortPair("req5", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), low_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req6", 80), NetworkIsolationKey(), NetLogWithSource(),
-          low_priority, resolve_context_.get(),
+          HostPortPair("req6", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), low_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req5", 80), NetworkIsolationKey(), NetLogWithSource(),
-          highest_priority, resolve_context_.get(),
+          HostPortPair("req5", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), highest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
 
   for (const auto& response : responses) {
@@ -1838,18 +1864,18 @@ TEST_F(HostResolverManagerTest, ChangePriority) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req0", 80), NetworkIsolationKey(), NetLogWithSource(),
-          medium_priority, resolve_context_.get(),
+          HostPortPair("req0", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), medium_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
-          low_priority, resolve_context_.get(),
+          HostPortPair("req1", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), low_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req2", 80), NetworkIsolationKey(), NetLogWithSource(),
-          lowest_priority, resolve_context_.get(),
+          HostPortPair("req2", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), lowest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
 
   // req0 starts immediately; without ChangePriority, req1 and then req2 should
@@ -1893,38 +1919,38 @@ TEST_F(HostResolverManagerTest, CancelPendingRequest) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req0", 80), NetworkIsolationKey(), NetLogWithSource(),
-          lowest_priority, resolve_context_.get(),
+          HostPortPair("req0", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), lowest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
-          highest_priority, resolve_context_.get(),
+          HostPortPair("req1", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), highest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req2", 80), NetworkIsolationKey(), NetLogWithSource(),
-          medium_priority, resolve_context_.get(),
+          HostPortPair("req2", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), medium_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req3", 80), NetworkIsolationKey(), NetLogWithSource(),
-          low_priority, resolve_context_.get(),
+          HostPortPair("req3", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), low_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req4", 80), NetworkIsolationKey(), NetLogWithSource(),
-          highest_priority, resolve_context_.get(),
+          HostPortPair("req4", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), highest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req5", 80), NetworkIsolationKey(), NetLogWithSource(),
-          lowest_priority, resolve_context_.get(),
+          HostPortPair("req5", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), lowest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req6", 80), NetworkIsolationKey(), NetLogWithSource(),
-          medium_priority, resolve_context_.get(),
+          HostPortPair("req6", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), medium_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
 
   // Cancel some requests
@@ -1949,7 +1975,7 @@ TEST_F(HostResolverManagerTest, CancelPendingRequest) {
   EXPECT_FALSE(responses[4]->complete());
   EXPECT_FALSE(responses[5]->complete());
 
-  // Verify that they called out the the resolver proc (which runs on the
+  // Verify that they called out to the resolver proc (which runs on the
   // resolver thread) in the expected order.
   MockHostResolverProc::CaptureList capture_list = proc_->GetCaptureList();
   ASSERT_EQ(4u, capture_list.size());
@@ -1983,23 +2009,23 @@ TEST_F(HostResolverManagerTest, QueueOverflow) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req0", 80), NetworkIsolationKey(), NetLogWithSource(),
-          lowest_priority, resolve_context_.get(),
+          HostPortPair("req0", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), lowest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
-          highest_priority, resolve_context_.get(),
+          HostPortPair("req1", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), highest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req2", 80), NetworkIsolationKey(), NetLogWithSource(),
-          medium_priority, resolve_context_.get(),
+          HostPortPair("req2", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), medium_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req3", 80), NetworkIsolationKey(), NetLogWithSource(),
-          medium_priority, resolve_context_.get(),
+          HostPortPair("req3", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), medium_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
 
   // At this point, there are 3 enqueued jobs (and one "running" job).
@@ -2007,8 +2033,8 @@ TEST_F(HostResolverManagerTest, QueueOverflow) {
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req4", 80), NetworkIsolationKey(), NetLogWithSource(),
-          low_priority, resolve_context_.get(),
+          HostPortPair("req4", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), low_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   EXPECT_THAT(responses[4]->result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));  // Evicts self.
@@ -2017,8 +2043,8 @@ TEST_F(HostResolverManagerTest, QueueOverflow) {
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req5", 80), NetworkIsolationKey(), NetLogWithSource(),
-          medium_priority, resolve_context_.get(),
+          HostPortPair("req5", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), medium_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   EXPECT_THAT(responses[2]->result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
@@ -2027,8 +2053,8 @@ TEST_F(HostResolverManagerTest, QueueOverflow) {
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req6", 80), NetworkIsolationKey(), NetLogWithSource(),
-          highest_priority, resolve_context_.get(),
+          HostPortPair("req6", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), highest_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   EXPECT_THAT(responses[3]->result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
@@ -2037,8 +2063,8 @@ TEST_F(HostResolverManagerTest, QueueOverflow) {
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req7", 80), NetworkIsolationKey(), NetLogWithSource(),
-          medium_priority, resolve_context_.get(),
+          HostPortPair("req7", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), medium_priority, resolve_context_.get(),
           resolve_context_->host_cache())));
   EXPECT_THAT(responses[5]->result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
@@ -2089,11 +2115,11 @@ TEST_F(HostResolverManagerTest, QueueOverflow_SelfEvict) {
   // requests we make will not complete.
 
   ResolveHostResponseHelper run_response(resolver_->CreateRequest(
-      HostPortPair("run", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("run", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
 
   ResolveHostResponseHelper evict_response(resolver_->CreateRequest(
-      HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("req1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(evict_response.result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
@@ -2117,8 +2143,9 @@ TEST_F(HostResolverManagerTest, AddressFamilyWithRawIPs) {
   v6_parameters.dns_query_type = DnsQueryType::AAAA;
 
   ResolveHostResponseHelper v4_v4_request(resolver_->CreateRequest(
-      HostPortPair("127.0.0.1", 80), NetworkIsolationKey(), NetLogWithSource(),
-      v4_parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("127.0.0.1", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), v4_parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(v4_v4_request.result_error(), IsOk());
   EXPECT_THAT(v4_v4_request.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
@@ -2128,13 +2155,15 @@ TEST_F(HostResolverManagerTest, AddressFamilyWithRawIPs) {
           testing::ElementsAre(CreateExpected("127.0.0.1", 80))))));
 
   ResolveHostResponseHelper v4_v6_request(resolver_->CreateRequest(
-      HostPortPair("127.0.0.1", 80), NetworkIsolationKey(), NetLogWithSource(),
-      v6_parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("127.0.0.1", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), v6_parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(v4_v6_request.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 
   ResolveHostResponseHelper v4_unsp_request(resolver_->CreateRequest(
-      HostPortPair("127.0.0.1", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("127.0.0.1", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(v4_unsp_request.result_error(), IsOk());
   EXPECT_THAT(v4_unsp_request.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
@@ -2144,12 +2173,12 @@ TEST_F(HostResolverManagerTest, AddressFamilyWithRawIPs) {
           testing::ElementsAre(CreateExpected("127.0.0.1", 80))))));
 
   ResolveHostResponseHelper v6_v4_request(resolver_->CreateRequest(
-      HostPortPair("::1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("::1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       v4_parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(v6_v4_request.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 
   ResolveHostResponseHelper v6_v6_request(resolver_->CreateRequest(
-      HostPortPair("::1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("::1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       v6_parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(v6_v6_request.result_error(), IsOk());
   EXPECT_THAT(v6_v6_request.request()->GetAddressResults()->endpoints(),
@@ -2160,7 +2189,7 @@ TEST_F(HostResolverManagerTest, AddressFamilyWithRawIPs) {
           testing::ElementsAre(CreateExpected("::1", 80))))));
 
   ResolveHostResponseHelper v6_unsp_request(resolver_->CreateRequest(
-      HostPortPair("::1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("::1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(v6_unsp_request.result_error(), IsOk());
   EXPECT_THAT(v6_unsp_request.request()->GetAddressResults()->endpoints(),
@@ -2180,7 +2209,7 @@ TEST_F(HostResolverManagerTest, LocalOnly_FromCache) {
 
   // First NONE query expected to complete synchronously with a cache miss.
   ResolveHostResponseHelper cache_miss_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), source_none_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_TRUE(cache_miss_request.complete());
@@ -2191,7 +2220,7 @@ TEST_F(HostResolverManagerTest, LocalOnly_FromCache) {
 
   // Normal query to populate the cache.
   ResolveHostResponseHelper normal_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(normal_request.result_error(), IsOk());
@@ -2199,7 +2228,7 @@ TEST_F(HostResolverManagerTest, LocalOnly_FromCache) {
 
   // Second NONE query expected to complete synchronously with cache hit.
   ResolveHostResponseHelper cache_hit_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), source_none_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_TRUE(cache_hit_request.complete());
@@ -2222,7 +2251,7 @@ TEST_F(HostResolverManagerTest, LocalOnly_StaleEntry) {
 
   // First NONE query expected to complete synchronously with a cache miss.
   ResolveHostResponseHelper cache_miss_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), source_none_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_TRUE(cache_miss_request.complete());
@@ -2233,7 +2262,7 @@ TEST_F(HostResolverManagerTest, LocalOnly_StaleEntry) {
 
   // Normal query to populate the cache.
   ResolveHostResponseHelper normal_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(normal_request.result_error(), IsOk());
@@ -2243,7 +2272,7 @@ TEST_F(HostResolverManagerTest, LocalOnly_StaleEntry) {
 
   // Second NONE query still expected to complete synchronously with cache miss.
   ResolveHostResponseHelper stale_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), source_none_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_TRUE(stale_request.complete());
@@ -2258,8 +2287,8 @@ TEST_F(HostResolverManagerTest, LocalOnly_FromIp) {
   source_none_parameters.source = HostResolverSource::LOCAL_ONLY;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("1.2.3.4", 56), NetworkIsolationKey(), NetLogWithSource(),
-      source_none_parameters, resolve_context_.get(),
+      HostPortPair("1.2.3.4", 56), NetworkAnonymizationKey(),
+      NetLogWithSource(), source_none_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
   // Expected to resolve synchronously.
@@ -2280,7 +2309,7 @@ TEST_F(HostResolverManagerTest, LocalOnly_InvalidName) {
   source_none_parameters.source = HostResolverSource::LOCAL_ONLY;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("foo,bar.com", 57), NetworkIsolationKey(),
+      HostPortPair("foo,bar.com", 57), NetworkAnonymizationKey(),
       NetLogWithSource(), source_none_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -2297,7 +2326,7 @@ TEST_F(HostResolverManagerTest, LocalOnly_InvalidLocalhost) {
   source_none_parameters.source = HostResolverSource::LOCAL_ONLY;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("foo,bar.localhost", 58), NetworkIsolationKey(),
+      HostPortPair("foo,bar.localhost", 58), NetworkAnonymizationKey(),
       NetLogWithSource(), source_none_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -2320,7 +2349,7 @@ TEST_F(HostResolverManagerTest, StaleAllowed) {
 
   // First query expected to complete synchronously as a cache miss.
   ResolveHostResponseHelper cache_miss_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), stale_allowed_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_TRUE(cache_miss_request.complete());
@@ -2331,7 +2360,7 @@ TEST_F(HostResolverManagerTest, StaleAllowed) {
 
   // Normal query to populate cache
   ResolveHostResponseHelper normal_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(normal_request.result_error(), IsOk());
@@ -2341,7 +2370,7 @@ TEST_F(HostResolverManagerTest, StaleAllowed) {
 
   // Second NONE query expected to get a stale cache hit.
   ResolveHostResponseHelper stale_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 84), NetworkIsolationKey(),
+      HostPortPair("just.testing", 84), NetworkAnonymizationKey(),
       NetLogWithSource(), stale_allowed_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_TRUE(stale_request.complete());
@@ -2366,7 +2395,7 @@ TEST_F(HostResolverManagerTest, StaleAllowed_NonLocal) {
   // Normal non-local resolves should still work normally with the STALE_ALLOWED
   // parameter, and there should be no stale info.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 85), NetworkIsolationKey(),
+      HostPortPair("just.testing", 85), NetworkAnonymizationKey(),
       NetLogWithSource(), stale_allowed_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
@@ -2385,8 +2414,8 @@ TEST_F(HostResolverManagerTest, StaleAllowed_FromIp) {
       HostResolver::ResolveHostParameters::CacheUsage::STALE_ALLOWED;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("1.2.3.4", 57), NetworkIsolationKey(), NetLogWithSource(),
-      stale_allowed_parameters, resolve_context_.get(),
+      HostPortPair("1.2.3.4", 57), NetworkAnonymizationKey(),
+      NetLogWithSource(), stale_allowed_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
   // Expected to resolve synchronously without stale info.
@@ -2421,7 +2450,7 @@ TEST_F(HostResolverManagerTest, MultipleAttempts) {
   auto resolver_proc = base::MakeRefCounted<LookupAttemptHostResolverProc>(
       nullptr, kAttemptNumberToResolve, kTotalAttempts);
 
-  ProcTaskParams params = DefaultParams(resolver_proc);
+  HostResolverSystemTask::Params params = DefaultParams(resolver_proc);
   base::TimeDelta unresponsive_delay = params.unresponsive_delay;
   int retry_factor = params.retry_factor;
 
@@ -2436,7 +2465,7 @@ TEST_F(HostResolverManagerTest, MultipleAttempts) {
 
   // Resolve "host1".
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 70), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_FALSE(response.complete());
 
@@ -2481,16 +2510,16 @@ TEST_F(HostResolverManagerTest, DefaultMaxRetryAttempts) {
       std::numeric_limits<size_t>::max());
 
   // This corresponds to kDefaultMaxRetryAttempts in
-  // ProcTaskParams::ProcTaskParams(). The correspondence is verified below,
-  // since that symbol is not exported.
+  // HostResolverSystemTask::Params::HostResolverSystemTask::Params(). The
+  // correspondence is verified below, since that symbol is not exported.
   const size_t expected_max_retries = 4;
 
   // Use the special value |ManagerOptions::kDefaultRetryAttempts|, which is
   // expected to translate into |expected_num_retries|.
-  ASSERT_NE(HostResolver::ManagerOptions::kDefaultRetryAttempts,
+  ASSERT_NE(HostResolverSystemTask::Params::kDefaultRetryAttempts,
             expected_max_retries);
-  ProcTaskParams params(resolver_proc,
-                        HostResolver::ManagerOptions::kDefaultRetryAttempts);
+  HostResolverSystemTask::Params params(
+      resolver_proc, HostResolverSystemTask::Params::kDefaultRetryAttempts);
   ASSERT_EQ(params.max_retry_attempts, expected_max_retries);
 
   CreateResolverWithLimitsAndParams(kMaxJobs, params,
@@ -2500,7 +2529,7 @@ TEST_F(HostResolverManagerTest, DefaultMaxRetryAttempts) {
   // Resolve "host1". The resolver proc will hang all requests so this
   // resolution should remain stalled until calling SetResolvedAttemptNumber().
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 70), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_FALSE(response.complete());
 
@@ -2541,7 +2570,7 @@ TEST_F(HostResolverManagerTest, NameCollisionIcann) {
   proc_->SignalMultiple(6u);
 
   ResolveHostResponseHelper single_response(resolver_->CreateRequest(
-      HostPortPair("single", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("single", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(single_response.result_error(),
               IsError(ERR_ICANN_NAME_COLLISION));
@@ -2554,18 +2583,19 @@ TEST_F(HostResolverManagerTest, NameCollisionIcann) {
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       GetCacheHit(HostCache::Key(
           "single", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-          HostResolverSource::ANY, NetworkIsolationKey()));
+          HostResolverSource::ANY, NetworkAnonymizationKey()));
   EXPECT_FALSE(cache_result);
 
   ResolveHostResponseHelper multiple_response(resolver_->CreateRequest(
-      HostPortPair("multiple", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("multiple", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(multiple_response.result_error(),
               IsError(ERR_ICANN_NAME_COLLISION));
 
   // Resolving an IP literal of 127.0.53.53 however is allowed.
   ResolveHostResponseHelper literal_response(resolver_->CreateRequest(
-      HostPortPair("127.0.53.53", 80), NetworkIsolationKey(),
+      HostPortPair("127.0.53.53", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(literal_response.result_error(), IsOk());
@@ -2573,7 +2603,7 @@ TEST_F(HostResolverManagerTest, NameCollisionIcann) {
   // Moreover the address should not be recognized when embedded in an IPv6
   // address.
   ResolveHostResponseHelper ipv6_response(resolver_->CreateRequest(
-      HostPortPair("127.0.53.53", 80), NetworkIsolationKey(),
+      HostPortPair("127.0.53.53", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(ipv6_response.result_error(), IsOk());
@@ -2581,19 +2611,19 @@ TEST_F(HostResolverManagerTest, NameCollisionIcann) {
   // Try some other IPs which are similar, but NOT an exact match on
   // 127.0.53.53.
   ResolveHostResponseHelper similar_response1(resolver_->CreateRequest(
-      HostPortPair("not_reserved1", 80), NetworkIsolationKey(),
+      HostPortPair("not_reserved1", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(similar_response1.result_error(), IsOk());
 
   ResolveHostResponseHelper similar_response2(resolver_->CreateRequest(
-      HostPortPair("not_reserved2", 80), NetworkIsolationKey(),
+      HostPortPair("not_reserved2", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(similar_response2.result_error(), IsOk());
 
   ResolveHostResponseHelper similar_response3(resolver_->CreateRequest(
-      HostPortPair("not_reserved3", 80), NetworkIsolationKey(),
+      HostPortPair("not_reserved3", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(similar_response3.result_error(), IsOk());
@@ -2633,11 +2663,11 @@ TEST_F(HostResolverManagerTest, IncludeCanonicalName) {
   HostResolver::ResolveHostParameters parameters;
   parameters.include_canonical_name = true;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   ResolveHostResponseHelper response_no_flag(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -2660,7 +2690,7 @@ TEST_F(HostResolverManagerTest, FixupCanonicalName) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -2683,11 +2713,11 @@ TEST_F(HostResolverManagerTest, IncludeCanonicalNameButNotReceived) {
   HostResolver::ResolveHostParameters parameters;
   parameters.include_canonical_name = true;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   ResolveHostResponseHelper response_no_flag(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -2715,11 +2745,11 @@ TEST_F(HostResolverManagerTest, IncludeCanonicalNameSkipsUrlCanonicalization) {
   HostResolver::ResolveHostParameters parameters;
   parameters.include_canonical_name = true;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   ResolveHostResponseHelper response_no_flag(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -2744,11 +2774,13 @@ TEST_F(HostResolverManagerTest, LoopbackOnly) {
   HostResolver::ResolveHostParameters parameters;
   parameters.loopback_only = true;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("otherlocal", 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("otherlocal", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response_no_flag(resolver_->CreateRequest(
-      HostPortPair("otherlocal", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("otherlocal", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults()->endpoints(),
@@ -2769,7 +2801,7 @@ TEST_F(HostResolverManagerTest, IsSpeculative) {
   parameters.is_speculative = true;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -2783,7 +2815,7 @@ TEST_F(HostResolverManagerTest, IsSpeculative) {
   // Reresolve without the |is_speculative| flag should immediately return from
   // cache.
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -2807,11 +2839,11 @@ TEST_F(HostResolverManagerTest, AvoidMulticastResolutionParameter) {
   HostResolver::ResolveHostParameters parameters;
   parameters.avoid_multicast_resolution = true;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("avoid.multicast.test", 80), NetworkIsolationKey(),
+      HostPortPair("avoid.multicast.test", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   ResolveHostResponseHelper response_no_flag(resolver_->CreateRequest(
-      HostPortPair("avoid.multicast.test", 80), NetworkIsolationKey(),
+      HostPortPair("avoid.multicast.test", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3088,7 +3120,7 @@ TEST_F(HostResolverManagerTest, Mdns) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3125,7 +3157,7 @@ TEST_F(HostResolverManagerTest, Mdns_AaaaOnly) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3154,7 +3186,7 @@ TEST_F(HostResolverManagerTest, Mdns_Txt) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3182,7 +3214,7 @@ TEST_F(HostResolverManagerTest, Mdns_Ptr) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 83), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 83), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3211,7 +3243,7 @@ TEST_F(HostResolverManagerTest, Mdns_Srv) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 83), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 83), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3240,9 +3272,9 @@ TEST_F(HostResolverManagerTest, Mdns_Srv_Unrestricted) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("foo bar(A1B2)._ipps._tcp.local", 83), NetworkIsolationKey(),
-      NetLogWithSource(), parameters, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      HostPortPair("foo bar(A1B2)._ipps._tcp.local", 83),
+      NetworkAnonymizationKey(), NetLogWithSource(), parameters,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   socket_factory_ptr->SimulateReceive(kMdnsResponseSrvUnrestricted,
                                       sizeof(kMdnsResponseSrvUnrestricted));
@@ -3269,7 +3301,7 @@ TEST_F(HostResolverManagerTest, Mdns_Srv_Result_Unrestricted) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 83), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 83), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3301,7 +3333,7 @@ TEST_F(HostResolverManagerTest, Mdns_Nsec) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3335,7 +3367,7 @@ TEST_F(HostResolverManagerTest, Mdns_NoResponse) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3376,7 +3408,7 @@ TEST_F(HostResolverManagerTest, Mdns_WrongType) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3422,7 +3454,7 @@ TEST_F(HostResolverManagerTest, Mdns_PartialResults) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3454,7 +3486,7 @@ TEST_F(HostResolverManagerTest, Mdns_Cancel) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3492,7 +3524,7 @@ TEST_F(HostResolverManagerTest, Mdns_PartialFailure) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3512,7 +3544,7 @@ TEST_F(HostResolverManagerTest, Mdns_ListenFailure) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -3872,18 +3904,18 @@ DnsConfig CreateUpgradableDnsConfig() {
 }
 
 // Check that entries are written to the cache with the right NIK.
-TEST_F(HostResolverManagerTest, NetworkIsolationKeyWriteToHostCache) {
+TEST_F(HostResolverManagerTest, NetworkAnonymizationKeyWriteToHostCache) {
   const SchemefulSite kSite1(GURL("https://origin1.test/"));
   const SchemefulSite kSite2(GURL("https://origin2.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   const char kFirstDnsResult[] = "192.168.1.42";
   const char kSecondDnsResult[] = "192.168.1.43";
 
-  for (bool split_cache_by_network_isolation_key : {false, true}) {
+  for (bool split_cache_by_network_anonymization_key : {false, true}) {
     base::test::ScopedFeatureList feature_list;
-    if (split_cache_by_network_isolation_key) {
+    if (split_cache_by_network_anonymization_key) {
       feature_list.InitAndEnableFeature(
           features::kSplitHostCacheByNetworkIsolationKey);
     } else {
@@ -3893,9 +3925,9 @@ TEST_F(HostResolverManagerTest, NetworkIsolationKeyWriteToHostCache) {
     proc_->AddRuleForAllFamilies("just.testing", kFirstDnsResult);
     proc_->SignalMultiple(1u);
 
-    // Resolve a host using kNetworkIsolationKey1.
+    // Resolve a host using kNetworkAnonymizationKey1.
     ResolveHostResponseHelper response1(resolver_->CreateRequest(
-        HostPortPair("just.testing", 80), kNetworkIsolationKey1,
+        HostPortPair("just.testing", 80), kNetworkAnonymizationKey1,
         NetLogWithSource(), absl::nullopt, resolve_context_.get(),
         resolve_context_->host_cache()));
     EXPECT_THAT(response1.result_error(), IsOk());
@@ -3908,49 +3940,50 @@ TEST_F(HostResolverManagerTest, NetworkIsolationKeyWriteToHostCache) {
     EXPECT_FALSE(response1.request()->GetStaleInfo());
     EXPECT_EQ(1u, proc_->GetCaptureList().size());
 
-    // If the host cache is being split by NetworkIsolationKeys, there should be
-    // an entry in the HostCache with kNetworkIsolationKey1. Otherwise, there
-    // should be an entry with the empy NIK.
-    if (split_cache_by_network_isolation_key) {
+    // If the host cache is being split by NetworkAnonymizationKeys, there
+    // should be an entry in the HostCache with kNetworkAnonymizationKey1.
+    // Otherwise, there should be an entry with the empty NAK.
+    if (split_cache_by_network_anonymization_key) {
       EXPECT_TRUE(GetCacheHit(
           HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                          0 /* host_resolver_flags */, HostResolverSource::ANY,
-                         kNetworkIsolationKey1)));
+                         kNetworkAnonymizationKey1)));
 
       EXPECT_FALSE(GetCacheHit(
           HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                          0 /* host_resolver_flags */, HostResolverSource::ANY,
-                         NetworkIsolationKey())));
+                         NetworkAnonymizationKey())));
     } else {
       EXPECT_FALSE(GetCacheHit(
           HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                          0 /* host_resolver_flags */, HostResolverSource::ANY,
-                         kNetworkIsolationKey1)));
+                         kNetworkAnonymizationKey1)));
 
       EXPECT_TRUE(GetCacheHit(
           HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                          0 /* host_resolver_flags */, HostResolverSource::ANY,
-                         NetworkIsolationKey())));
+                         NetworkAnonymizationKey())));
     }
 
-    // There should be no entry using kNetworkIsolationKey2 in either case.
+    // There should be no entry using kNetworkAnonymizationKey2 in either case.
     EXPECT_FALSE(GetCacheHit(HostCache::Key(
         "just.testing", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-        HostResolverSource::ANY, kNetworkIsolationKey2)));
+        HostResolverSource::ANY, kNetworkAnonymizationKey2)));
 
-    // A request using kNetworkIsolationKey2 should only be served out of the
-    // cache of the cache if |split_cache_by_network_isolation_key| is false. If
-    // it's not served over the network, it is provided a different result.
-    if (split_cache_by_network_isolation_key) {
+    // A request using kNetworkAnonymizationKey2 should only be served out of
+    // the cache of the cache if |split_cache_by_network_anonymization_key| is
+    // false. If it's not served over the network, it is provided a different
+    // result.
+    if (split_cache_by_network_anonymization_key) {
       proc_->AddRuleForAllFamilies("just.testing", kSecondDnsResult);
       proc_->SignalMultiple(1u);
     }
     ResolveHostResponseHelper response2(resolver_->CreateRequest(
-        HostPortPair("just.testing", 80), kNetworkIsolationKey2,
+        HostPortPair("just.testing", 80), kNetworkAnonymizationKey2,
         NetLogWithSource(), absl::nullopt, resolve_context_.get(),
         resolve_context_->host_cache()));
     EXPECT_THAT(response2.result_error(), IsOk());
-    if (split_cache_by_network_isolation_key) {
+    if (split_cache_by_network_anonymization_key) {
       EXPECT_THAT(response2.request()->GetAddressResults()->endpoints(),
                   testing::ElementsAre(CreateExpected(kSecondDnsResult, 80)));
       EXPECT_THAT(
@@ -3962,7 +3995,7 @@ TEST_F(HostResolverManagerTest, NetworkIsolationKeyWriteToHostCache) {
       EXPECT_TRUE(GetCacheHit(
           HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                          0 /* host_resolver_flags */, HostResolverSource::ANY,
-                         kNetworkIsolationKey2)));
+                         kNetworkAnonymizationKey2)));
     } else {
       EXPECT_THAT(response2.request()->GetAddressResults()->endpoints(),
                   testing::ElementsAre(CreateExpected(kFirstDnsResult, 80)));
@@ -3975,7 +4008,7 @@ TEST_F(HostResolverManagerTest, NetworkIsolationKeyWriteToHostCache) {
       EXPECT_FALSE(GetCacheHit(
           HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                          0 /* host_resolver_flags */, HostResolverSource::ANY,
-                         kNetworkIsolationKey2)));
+                         kNetworkAnonymizationKey2)));
     }
 
     resolve_context_->host_cache()->clear();
@@ -3984,21 +4017,21 @@ TEST_F(HostResolverManagerTest, NetworkIsolationKeyWriteToHostCache) {
 }
 
 // Check that entries are read to the cache with the right NIK.
-TEST_F(HostResolverManagerTest, NetworkIsolationKeyReadFromHostCache) {
+TEST_F(HostResolverManagerTest, NetworkAnonymizationKeyReadFromHostCache) {
   const SchemefulSite kSite1(GURL("https://origin1.test/"));
   const SchemefulSite kSite2(GURL("https://origin2.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   struct CacheEntry {
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
     const char* cached_ip_address;
   };
 
   const CacheEntry kCacheEntries[] = {
-      {NetworkIsolationKey(), "192.168.1.42"},
-      {kNetworkIsolationKey1, "192.168.1.43"},
-      {kNetworkIsolationKey2, "192.168.1.44"},
+      {NetworkAnonymizationKey(), "192.168.1.42"},
+      {kNetworkAnonymizationKey1, "192.168.1.43"},
+      {kNetworkAnonymizationKey2, "192.168.1.44"},
   };
 
   // Add entries to cache for the empty NIK, NIK1, and NIK2. Only the
@@ -4007,7 +4040,7 @@ TEST_F(HostResolverManagerTest, NetworkIsolationKeyReadFromHostCache) {
   for (const auto& cache_entry : kCacheEntries) {
     HostCache::Key key("just.testing", DnsQueryType::UNSPECIFIED, 0,
                        HostResolverSource::ANY,
-                       cache_entry.network_isolation_key);
+                       cache_entry.network_anonymization_key);
     IPAddress address;
     ASSERT_TRUE(address.AssignFromIPLiteral(cache_entry.cached_ip_address));
     HostCache::Entry entry = HostCache::Entry(
@@ -4016,9 +4049,9 @@ TEST_F(HostResolverManagerTest, NetworkIsolationKeyReadFromHostCache) {
                                         base::Days(1));
   }
 
-  for (bool split_cache_by_network_isolation_key : {false, true}) {
+  for (bool split_cache_by_network_anonymization_key : {false, true}) {
     base::test::ScopedFeatureList feature_list;
-    if (split_cache_by_network_isolation_key) {
+    if (split_cache_by_network_anonymization_key) {
       feature_list.InitAndEnableFeature(
           features::kSplitHostCacheByNetworkIsolationKey);
     } else {
@@ -4026,63 +4059,67 @@ TEST_F(HostResolverManagerTest, NetworkIsolationKeyReadFromHostCache) {
           features::kSplitHostCacheByNetworkIsolationKey);
     }
 
-    // A request that uses kNetworkIsolationKey1 will return cache entry 1 if
-    // the NetworkIsolationKeys are being used, and cache entry 0 otherwise.
+    // A request that uses kNetworkAnonymizationKey1 will return cache entry 1
+    // if the NetworkAnonymizationKeys are being used, and cache entry 0
+    // otherwise.
     ResolveHostResponseHelper response1(resolver_->CreateRequest(
-        HostPortPair("just.testing", 80), kNetworkIsolationKey1,
+        HostPortPair("just.testing", 80), kNetworkAnonymizationKey1,
         NetLogWithSource(), absl::nullopt, resolve_context_.get(),
         resolve_context_->host_cache()));
     EXPECT_THAT(response1.result_error(), IsOk());
-    EXPECT_THAT(response1.request()->GetAddressResults()->endpoints(),
-                testing::ElementsAre(CreateExpected(
-                    kCacheEntries[split_cache_by_network_isolation_key ? 1 : 0]
-                        .cached_ip_address,
-                    80)));
+    EXPECT_THAT(
+        response1.request()->GetAddressResults()->endpoints(),
+        testing::ElementsAre(CreateExpected(
+            kCacheEntries[split_cache_by_network_anonymization_key ? 1 : 0]
+                .cached_ip_address,
+            80)));
     EXPECT_THAT(
         response1.request()->GetEndpointResults(),
         testing::Pointee(testing::ElementsAre(
             ExpectEndpointResult(testing::ElementsAre(CreateExpected(
-                kCacheEntries[split_cache_by_network_isolation_key ? 1 : 0]
+                kCacheEntries[split_cache_by_network_anonymization_key ? 1 : 0]
                     .cached_ip_address,
                 80))))));
     EXPECT_TRUE(response1.request()->GetStaleInfo());
 
-    // A request that uses kNetworkIsolationKey2 will return cache entry 2 if
-    // the NetworkIsolationKeys are being used, and cache entry 0 otherwise.
+    // A request that uses kNetworkAnonymizationKey2 will return cache entry 2
+    // if the NetworkAnonymizationKeys are being used, and cache entry 0
+    // otherwise.
     ResolveHostResponseHelper response2(resolver_->CreateRequest(
-        HostPortPair("just.testing", 80), kNetworkIsolationKey2,
+        HostPortPair("just.testing", 80), kNetworkAnonymizationKey2,
         NetLogWithSource(), absl::nullopt, resolve_context_.get(),
         resolve_context_->host_cache()));
     EXPECT_THAT(response2.result_error(), IsOk());
-    EXPECT_THAT(response2.request()->GetAddressResults()->endpoints(),
-                testing::ElementsAre(CreateExpected(
-                    kCacheEntries[split_cache_by_network_isolation_key ? 2 : 0]
-                        .cached_ip_address,
-                    80)));
+    EXPECT_THAT(
+        response2.request()->GetAddressResults()->endpoints(),
+        testing::ElementsAre(CreateExpected(
+            kCacheEntries[split_cache_by_network_anonymization_key ? 2 : 0]
+                .cached_ip_address,
+            80)));
     EXPECT_THAT(
         response2.request()->GetEndpointResults(),
         testing::Pointee(testing::ElementsAre(
             ExpectEndpointResult(testing::ElementsAre(CreateExpected(
-                kCacheEntries[split_cache_by_network_isolation_key ? 2 : 0]
+                kCacheEntries[split_cache_by_network_anonymization_key ? 2 : 0]
                     .cached_ip_address,
                 80))))));
     EXPECT_TRUE(response2.request()->GetStaleInfo());
   }
 }
 
-// Test that two requests made with different NetworkIsolationKeys are not
+// Test that two requests made with different NetworkAnonymizationKeys are not
 // merged if |features::kSplitHostCacheByNetworkIsolationKey| is enabled.
-TEST_F(HostResolverManagerTest, NetworkIsolationKeyTwoRequestsAtOnce) {
+TEST_F(HostResolverManagerTest, NetworkAnonymizationKeyTwoRequestsAtOnce) {
   const SchemefulSite kSite1(GURL("https://origin1.test/"));
   const SchemefulSite kSite2(GURL("https://origin2.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   const char kDnsResult[] = "192.168.1.42";
 
-  for (bool split_cache_by_network_isolation_key : {false, true}) {
+  for (bool split_cache_by_network_anonymization_key : {false, true}) {
     base::test::ScopedFeatureList feature_list;
-    if (split_cache_by_network_isolation_key) {
+    if (split_cache_by_network_anonymization_key) {
       feature_list.InitAndEnableFeature(
           features::kSplitHostCacheByNetworkIsolationKey);
     } else {
@@ -4091,23 +4128,23 @@ TEST_F(HostResolverManagerTest, NetworkIsolationKeyTwoRequestsAtOnce) {
     }
     proc_->AddRuleForAllFamilies("just.testing", kDnsResult);
 
-    // Start resolving a host using kNetworkIsolationKey1.
+    // Start resolving a host using kNetworkAnonymizationKey1.
     ResolveHostResponseHelper response1(resolver_->CreateRequest(
-        HostPortPair("just.testing", 80), kNetworkIsolationKey1,
+        HostPortPair("just.testing", 80), kNetworkAnonymizationKey1,
         NetLogWithSource(), absl::nullopt, resolve_context_.get(),
         resolve_context_->host_cache()));
     EXPECT_FALSE(response1.complete());
 
-    // Start resolving the same host using kNetworkIsolationKey2.
+    // Start resolving the same host using kNetworkAnonymizationKey2.
     ResolveHostResponseHelper response2(resolver_->CreateRequest(
-        HostPortPair("just.testing", 80), kNetworkIsolationKey2,
+        HostPortPair("just.testing", 80), kNetworkAnonymizationKey2,
         NetLogWithSource(), absl::nullopt, resolve_context_.get(),
         resolve_context_->host_cache()));
     EXPECT_FALSE(response2.complete());
 
     // Wait for and complete the expected number of over-the-wire DNS
     // resolutions.
-    if (split_cache_by_network_isolation_key) {
+    if (split_cache_by_network_anonymization_key) {
       proc_->WaitFor(2);
       EXPECT_EQ(2u, proc_->GetCaptureList().size());
       proc_->SignalMultiple(2u);
@@ -4150,7 +4187,7 @@ TEST_F(HostResolverManagerTest, ContextsNotMerged) {
 
   // Start resolving a host using |resolve_context_|.
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_FALSE(response1.complete());
@@ -4160,7 +4197,7 @@ TEST_F(HostResolverManagerTest, ContextsNotMerged) {
                                   true /* enable_caching */);
   resolver_->RegisterResolveContext(&resolve_context2);
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      HostPortPair("just.testing", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, &resolve_context2,
       resolve_context2.host_cache()));
   EXPECT_FALSE(response2.complete());
@@ -4231,9 +4268,11 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
     return options;
   }
 
-  void CreateResolverWithOptionsAndParams(HostResolver::ManagerOptions options,
-                                          const ProcTaskParams& params,
-                                          bool ipv6_reachable) override {
+  void CreateResolverWithOptionsAndParams(
+      HostResolver::ManagerOptions options,
+      const HostResolverSystemTask::Params& params,
+      bool ipv6_reachable,
+      bool ipv4_reachable = true) override {
     DestroyResolver();
 
     resolver_ = std::make_unique<TestHostResolverManager>(
@@ -4245,7 +4284,7 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
     resolver_->SetInsecureDnsClientEnabled(
         options.insecure_dns_client_enabled,
         options.additional_types_via_insecure_dns_enabled);
-    resolver_->set_proc_params_for_test(params);
+    resolver_->set_host_resolver_system_params_for_test(params);
 
     resolver_->RegisterResolveContext(resolve_context_.get());
   }
@@ -4466,11 +4505,11 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
     for (unsigned i = 0; i < maximum_insecure_dns_task_failures(); ++i) {
       // Use custom names to require separate Jobs.
       std::string hostname = base::StringPrintf("nx_%u", i);
-      // Ensure fallback to ProcTask succeeds.
+      // Ensure fallback to HostResolverSystemTask succeeds.
       proc_->AddRuleForAllFamilies(hostname, "192.168.1.101");
       responses.emplace_back(
           std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-              HostPortPair(hostname, 80), NetworkIsolationKey(),
+              HostPortPair(hostname, 80), NetworkAnonymizationKey(),
               NetLogWithSource(), parameters, resolve_context_.get(),
               resolve_context_->host_cache())));
     }
@@ -4496,14 +4535,14 @@ TEST_F(HostResolverManagerDnsTest, FlushCacheOnDnsConfigChange) {
 
   // Resolve to populate the cache.
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 70), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());
 
   // Result expected to come from the cache.
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("host1", 75), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 75), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(cached_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());  // No expected increase.
@@ -4513,7 +4552,7 @@ TEST_F(HostResolverManagerDnsTest, FlushCacheOnDnsConfigChange) {
 
   // Expect flushed from cache and therefore served from |proc_|.
   ResolveHostResponseHelper flushed_response(resolver_->CreateRequest(
-      HostPortPair("host1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(flushed_response.result_error(), IsOk());
   EXPECT_EQ(2u, proc_->GetCaptureList().size());  // Expected increase.
@@ -4521,7 +4560,7 @@ TEST_F(HostResolverManagerDnsTest, FlushCacheOnDnsConfigChange) {
 
 TEST_F(HostResolverManagerDnsTest, DisableAndEnableInsecureDnsClient) {
   // Disable fallback to allow testing how requests are initially handled.
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
 
   ChangeDnsConfig(CreateValidDnsConfig());
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.2.47");
@@ -4530,23 +4569,24 @@ TEST_F(HostResolverManagerDnsTest, DisableAndEnableInsecureDnsClient) {
   resolver_->SetInsecureDnsClientEnabled(
       /*enabled=*/false,
       /*additional_dns_types_enabled*/ false);
-  ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 1212), NetworkIsolationKey(),
+  ResolveHostResponseHelper response_system(resolver_->CreateRequest(
+      HostPortPair("nx_succeed", 1212), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
-  EXPECT_THAT(response_proc.result_error(), IsOk());
-  EXPECT_THAT(response_proc.request()->GetAddressResults()->endpoints(),
+  EXPECT_THAT(response_system.result_error(), IsOk());
+  EXPECT_THAT(response_system.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("192.168.2.47", 1212)));
   EXPECT_THAT(
-      response_proc.request()->GetEndpointResults(),
+      response_system.request()->GetEndpointResults(),
       testing::Pointee(testing::ElementsAre(ExpectEndpointResult(
           testing::ElementsAre(CreateExpected("192.168.2.47", 1212))))));
 
   resolver_->SetInsecureDnsClientEnabled(/*enabled*/ true,
                                          /*additional_dns_types_enabled=*/true);
   ResolveHostResponseHelper response_dns_client(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 1212), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok_fail", 1212), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response_dns_client.result_error(), IsOk());
   EXPECT_THAT(response_dns_client.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("::1", 1212),
@@ -4558,24 +4598,25 @@ TEST_F(HostResolverManagerDnsTest, DisableAndEnableInsecureDnsClient) {
                                         CreateExpected("127.0.0.1", 1212))))));
 }
 
-TEST_F(HostResolverManagerDnsTest, UseProcTaskWhenPrivateDnsActive) {
+TEST_F(HostResolverManagerDnsTest,
+       UseHostResolverSystemTaskWhenPrivateDnsActive) {
   // Disable fallback to allow testing how requests are initially handled.
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.2.47");
   proc_->SignalMultiple(1u);
 
   DnsConfig config = CreateValidDnsConfig();
   config.dns_over_tls_active = true;
   ChangeDnsConfig(config);
-  ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 1212), NetworkIsolationKey(),
+  ResolveHostResponseHelper response_system(resolver_->CreateRequest(
+      HostPortPair("nx_succeed", 1212), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
-  EXPECT_THAT(response_proc.result_error(), IsOk());
-  EXPECT_THAT(response_proc.request()->GetAddressResults()->endpoints(),
+  EXPECT_THAT(response_system.result_error(), IsOk());
+  EXPECT_THAT(response_system.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("192.168.2.47", 1212)));
   EXPECT_THAT(
-      response_proc.request()->GetEndpointResults(),
+      response_system.request()->GetEndpointResults(),
       testing::Pointee(testing::ElementsAre(ExpectEndpointResult(
           testing::ElementsAre(CreateExpected("192.168.2.47", 1212))))));
 }
@@ -4589,7 +4630,7 @@ TEST_F(HostResolverManagerDnsTest, LocalhostLookup) {
   proc_->AddRuleForAllFamilies("localhost.", "192.168.1.42");
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("foo.localhost", 80), NetworkIsolationKey(),
+      HostPortPair("foo.localhost", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response0.result_error(), IsOk());
@@ -4603,8 +4644,9 @@ TEST_F(HostResolverManagerDnsTest, LocalhostLookup) {
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("localhost", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response1.result_error(), IsOk());
   EXPECT_THAT(response1.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -4616,8 +4658,9 @@ TEST_F(HostResolverManagerDnsTest, LocalhostLookup) {
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
 
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("localhost.", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("localhost.", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response2.result_error(), IsOk());
   EXPECT_THAT(response2.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -4643,8 +4686,9 @@ TEST_F(HostResolverManagerDnsTest, LocalhostLookupWithHosts) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("localhost", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response0.result_error(), IsOk());
   EXPECT_THAT(response0.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -4656,7 +4700,7 @@ TEST_F(HostResolverManagerDnsTest, LocalhostLookupWithHosts) {
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("foo.localhost", 80), NetworkIsolationKey(),
+      HostPortPair("foo.localhost", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response1.result_error(), IsOk());
@@ -4677,8 +4721,9 @@ TEST_F(HostResolverManagerDnsTest, DnsTask) {
 
   // Initially there is no config, so client should not be invoked.
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_FALSE(initial_response.complete());
 
   proc_->SignalMultiple(1u);
@@ -4688,14 +4733,17 @@ TEST_F(HostResolverManagerDnsTest, DnsTask) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
 
   proc_->SignalMultiple(4u);
 
@@ -4710,7 +4758,7 @@ TEST_F(HostResolverManagerDnsTest, DnsTask) {
           ExpectEndpointResult(testing::UnorderedElementsAre(
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
 
-  // Fallback to ProcTask.
+  // Fallback to HostResolverSystemTask.
   EXPECT_THAT(response1.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_THAT(response2.result_error(), IsOk());
   EXPECT_THAT(response2.request()->GetAddressResults()->endpoints(),
@@ -4724,9 +4772,9 @@ TEST_F(HostResolverManagerDnsTest, DnsTaskWithScheme) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kWsScheme, "ok_fail", 80), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kWsScheme, "ok_fail", 80),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   // Resolved by MockDnsClient.
   EXPECT_THAT(response.result_error(), IsOk());
@@ -4741,9 +4789,9 @@ TEST_F(HostResolverManagerDnsTest, DnsTaskWithScheme) {
 }
 
 // Test successful and failing resolutions in HostResolverManager::DnsTask when
-// fallback to ProcTask is disabled.
-TEST_F(HostResolverManagerDnsTest, NoFallbackToProcTask) {
-  set_allow_fallback_to_proctask(false);
+// fallback to HostResolverSystemTask is disabled.
+TEST_F(HostResolverManagerDnsTest, NoFallbackToHostResolverSystemTask) {
+  set_allow_fallback_to_systemtask(false);
 
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.102");
   // All other hostnames will fail in proc_.
@@ -4752,11 +4800,13 @@ TEST_F(HostResolverManagerDnsTest, NoFallbackToProcTask) {
   InvalidateDnsConfig();
   // Initially there is no config, so client should not be invoked.
   ResolveHostResponseHelper initial_response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper initial_response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   proc_->SignalMultiple(2u);
 
   EXPECT_THAT(initial_response0.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
@@ -4770,13 +4820,15 @@ TEST_F(HostResolverManagerDnsTest, NoFallbackToProcTask) {
   // Switch to a valid config.
   ChangeDnsConfig(CreateValidDnsConfig());
   // First request is resolved by MockDnsClient, others should fail due to
-  // disabled fallback to ProcTask.
+  // disabled fallback to HostResolverSystemTask.
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   proc_->SignalMultiple(6u);
 
   // Resolved by MockDnsClient.
@@ -4789,7 +4841,7 @@ TEST_F(HostResolverManagerDnsTest, NoFallbackToProcTask) {
       testing::Pointee(testing::ElementsAre(
           ExpectEndpointResult(testing::UnorderedElementsAre(
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
-  // Fallback to ProcTask is disabled.
+  // Fallback to HostResolverSystemTask is disabled.
   EXPECT_THAT(response1.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 }
 
@@ -4797,8 +4849,9 @@ TEST_F(HostResolverManagerDnsTest, NoFallbackToProcTask) {
 TEST_F(HostResolverManagerDnsTest, OnDnsTaskFailureAbortedJob) {
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("nx_abort", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_abort", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   // Abort all jobs here.
   CreateResolver();
   proc_->SignalMultiple(1u);
@@ -4807,12 +4860,13 @@ TEST_F(HostResolverManagerDnsTest, OnDnsTaskFailureAbortedJob) {
   // It shouldn't crash during OnDnsTaskFailure callbacks.
   EXPECT_FALSE(response.complete());
 
-  // Repeat test with Fallback to ProcTask disabled
-  set_allow_fallback_to_proctask(false);
+  // Repeat test with Fallback to HostResolverSystemTask disabled
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper no_fallback_response(resolver_->CreateRequest(
-      HostPortPair("nx_abort", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_abort", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   // Abort all jobs here.
   CreateResolver();
   proc_->SignalMultiple(2u);
@@ -4825,7 +4879,7 @@ TEST_F(HostResolverManagerDnsTest, OnDnsTaskFailureAbortedJob) {
 // Fallback to proc allowed with ANY source.
 TEST_F(HostResolverManagerDnsTest, FallbackBySource_Any) {
   // Ensure fallback is otherwise allowed by resolver settings.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
 
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.102");
   // All other hostnames will fail in proc_.
@@ -4833,11 +4887,13 @@ TEST_F(HostResolverManagerDnsTest, FallbackBySource_Any) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("nx_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   proc_->SignalMultiple(2u);
 
   EXPECT_THAT(response0.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
@@ -4852,7 +4908,7 @@ TEST_F(HostResolverManagerDnsTest, FallbackBySource_Any) {
 // Fallback to proc not allowed with DNS source.
 TEST_F(HostResolverManagerDnsTest, FallbackBySource_Dns) {
   // Ensure fallback is otherwise allowed by resolver settings.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
 
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.102");
   // All other hostnames will fail in proc_.
@@ -4862,11 +4918,13 @@ TEST_F(HostResolverManagerDnsTest, FallbackBySource_Dns) {
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("nx_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   // Nothing should reach |proc_| on success, but let failures through to fail
   // instead of hanging.
   proc_->SignalMultiple(2u);
@@ -4878,7 +4936,7 @@ TEST_F(HostResolverManagerDnsTest, FallbackBySource_Dns) {
 // Fallback to proc on DnsClient change allowed with ANY source.
 TEST_F(HostResolverManagerDnsTest, FallbackOnAbortBySource_Any) {
   // Ensure fallback is otherwise allowed by resolver settings.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
 
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.102");
   // All other hostnames will fail in proc_.
@@ -4886,11 +4944,13 @@ TEST_F(HostResolverManagerDnsTest, FallbackOnAbortBySource_Any) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   proc_->SignalMultiple(2u);
 
   // Simulate the case when the preference or policy has disabled the insecure
@@ -4899,7 +4959,7 @@ TEST_F(HostResolverManagerDnsTest, FallbackOnAbortBySource_Any) {
       /*enabled=*/false,
       /*additional_dns_types_enabled=*/false);
 
-  // All requests should fallback to proc resolver.
+  // All requests should fallback to system resolver.
   EXPECT_THAT(response0.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_THAT(response1.result_error(), IsOk());
   EXPECT_THAT(response1.request()->GetAddressResults()->endpoints(),
@@ -4909,10 +4969,10 @@ TEST_F(HostResolverManagerDnsTest, FallbackOnAbortBySource_Any) {
                   testing::ElementsAre(CreateExpected("192.168.1.102", 80))))));
 }
 
-// Fallback to proc on DnsClient change not allowed with DNS source.
+// Fallback to system on DnsClient change not allowed with DNS source.
 TEST_F(HostResolverManagerDnsTest, FallbackOnAbortBySource_Dns) {
   // Ensure fallback is otherwise allowed by resolver settings.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
 
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.102");
   // All other hostnames will fail in proc_.
@@ -4922,11 +4982,13 @@ TEST_F(HostResolverManagerDnsTest, FallbackOnAbortBySource_Dns) {
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   // Nothing should reach |proc_| on success, but let failures through to fail
   // instead of hanging.
   proc_->SignalMultiple(2u);
@@ -4946,7 +5008,7 @@ TEST_F(HostResolverManagerDnsTest, FallbackOnAbortBySource_Dns) {
 TEST_F(HostResolverManagerDnsTest,
        DisableInsecureDnsClient_SecureDnsTasksUnaffected) {
   // Ensure fallback is otherwise allowed by resolver settings.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
 
   proc_->AddRuleForAllFamilies("automatic", "192.168.1.102");
   // All other hostnames will fail in proc_.
@@ -4957,7 +5019,8 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("automatic", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(),
       /* optional_parameters=*/absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_FALSE(response_secure.complete());
@@ -4988,23 +5051,23 @@ TEST_F(HostResolverManagerDnsTest, DnsTaskUnspec) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-          absl::nullopt, resolve_context_.get(),
+          HostPortPair("4ok", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("6ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-          absl::nullopt, resolve_context_.get(),
+          HostPortPair("6ok", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4nx", 80), NetworkIsolationKey(), NetLogWithSource(),
-          absl::nullopt, resolve_context_.get(),
+          HostPortPair("4nx", 80), NetworkAnonymizationKey(),
+          NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
   proc_->SignalMultiple(4u);
@@ -5044,8 +5107,9 @@ TEST_F(HostResolverManagerDnsTest, NameCollisionIcann) {
   // When the resolver returns an A record with 127.0.53.53 it should be
   // mapped to a special error.
   ResolveHostResponseHelper response_ipv4(resolver_->CreateRequest(
-      HostPortPair("4collision", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("4collision", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response_ipv4.result_error(), IsError(ERR_ICANN_NAME_COLLISION));
   EXPECT_FALSE(response_ipv4.request()->GetAddressResults());
   EXPECT_FALSE(response_ipv4.request()->GetEndpointResults());
@@ -5054,8 +5118,9 @@ TEST_F(HostResolverManagerDnsTest, NameCollisionIcann) {
   // work just like any other IP. (Despite having the same suffix, it is not
   // considered special)
   ResolveHostResponseHelper response_ipv6(resolver_->CreateRequest(
-      HostPortPair("6collision", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("6collision", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response_ipv6.result_error(), IsOk());
   EXPECT_THAT(response_ipv6.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("::127.0.53.53", 80)));
@@ -5074,8 +5139,9 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
   proc_->SignalMultiple(1u);  // For the first request which misses.
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("nx_ipv4", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_ipv4", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(initial_response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 
   IPAddress local_ipv4 = IPAddress::IPv4Localhost();
@@ -5092,8 +5158,9 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response_ipv4(resolver_->CreateRequest(
-      HostPortPair("nx_ipv4", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_ipv4", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response_ipv4.result_error(), IsOk());
   EXPECT_THAT(response_ipv4.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
@@ -5104,8 +5171,9 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
               testing::Pointee(testing::IsEmpty()));
 
   ResolveHostResponseHelper response_ipv6(resolver_->CreateRequest(
-      HostPortPair("nx_ipv6", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_ipv6", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response_ipv6.result_error(), IsOk());
   EXPECT_THAT(response_ipv6.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("::1", 80)));
@@ -5116,8 +5184,9 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
               testing::Pointee(testing::IsEmpty()));
 
   ResolveHostResponseHelper response_both(resolver_->CreateRequest(
-      HostPortPair("nx_both", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_both", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response_both.result_error(), IsOk());
   EXPECT_THAT(response_both.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -5135,8 +5204,9 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
 
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper response_specified_ipv4(resolver_->CreateRequest(
-      HostPortPair("nx_ipv4", 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_ipv4", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response_specified_ipv4.result_error(), IsOk());
   EXPECT_THAT(
       response_specified_ipv4.request()->GetAddressResults()->endpoints(),
@@ -5149,8 +5219,9 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
 
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper response_specified_ipv6(resolver_->CreateRequest(
-      HostPortPair("nx_ipv6", 80), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_ipv6", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response_specified_ipv6.result_error(), IsOk());
   EXPECT_THAT(
       response_specified_ipv6.request()->GetAddressResults()->endpoints(),
@@ -5163,8 +5234,9 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
 
   // Request with upper case.
   ResolveHostResponseHelper response_upper(resolver_->CreateRequest(
-      HostPortPair("nx_IPV4", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_IPV4", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response_upper.result_error(), IsOk());
   EXPECT_THAT(response_upper.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
@@ -5175,7 +5247,8 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
               testing::Pointee(testing::IsEmpty()));
 }
 
-TEST_F(HostResolverManagerDnsTest, SkipHostsWithUpcomingProcTask) {
+TEST_F(HostResolverManagerDnsTest,
+       SkipHostsWithUpcomingHostResolverSystemTask) {
   // Disable the DnsClient.
   resolver_->SetInsecureDnsClientEnabled(
       /*enabled=*/false,
@@ -5194,7 +5267,7 @@ TEST_F(HostResolverManagerDnsTest, SkipHostsWithUpcomingProcTask) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("hosts", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("hosts", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 }
@@ -5211,27 +5284,27 @@ TEST_F(HostResolverManagerDnsTest, BypassDnsTask) {
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok.local", 80), NetworkIsolationKey(),
+          HostPortPair("ok.local", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok.local.", 80), NetworkIsolationKey(),
+          HostPortPair("ok.local.", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("oklocal", 80), NetworkIsolationKey(),
+          HostPortPair("oklocal", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("oklocal.", 80), NetworkIsolationKey(),
+          HostPortPair("oklocal.", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -5248,7 +5321,7 @@ TEST_F(HostResolverManagerDnsTest, BypassDnsTask) {
 // Test that non-address queries for hosts ending in ".local" are resolved using
 // the MDNS resolver.
 TEST_F(HostResolverManagerDnsTest, BypassDnsToMdnsWithNonAddress) {
-  // Ensure DNS task and system (proc) requests will fail.
+  // Ensure DNS task and system requests will fail.
   MockDnsClientRuleList rules;
   rules.emplace_back(
       "myhello.local", dns_protocol::kTypeTXT, false /* secure */,
@@ -5268,7 +5341,7 @@ TEST_F(HostResolverManagerDnsTest, BypassDnsToMdnsWithNonAddress) {
   dns_parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      HostPortPair("myhello.local", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), dns_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -5285,7 +5358,7 @@ TEST_F(HostResolverManagerDnsTest, BypassDnsToMdnsWithNonAddress) {
 // Test that DNS task is always used when explicitly requested as the source,
 // even with a case that would normally bypass it eg hosts ending in ".local".
 TEST_F(HostResolverManagerDnsTest, DnsNotBypassedWhenDnsSource) {
-  // Ensure DNS task requests will succeed and system (proc) requests will fail.
+  // Ensure DNS task requests will succeed and system requests will fail.
   ChangeDnsConfig(CreateValidDnsConfig());
   proc_->AddRuleForAllFamilies(std::string(), std::string());
 
@@ -5293,14 +5366,16 @@ TEST_F(HostResolverManagerDnsTest, DnsNotBypassedWhenDnsSource) {
   dns_parameters.source = HostResolverSource::DNS;
 
   ResolveHostResponseHelper dns_response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       dns_parameters, resolve_context_.get(), resolve_context_->host_cache()));
   ResolveHostResponseHelper dns_local_response(resolver_->CreateRequest(
-      HostPortPair("ok.local", 80), NetworkIsolationKey(), NetLogWithSource(),
-      dns_parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok.local", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), dns_parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper normal_local_response(resolver_->CreateRequest(
-      HostPortPair("ok.local", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok.local", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
 
   proc_->SignalMultiple(3u);
 
@@ -5311,18 +5386,18 @@ TEST_F(HostResolverManagerDnsTest, DnsNotBypassedWhenDnsSource) {
 }
 
 TEST_F(HostResolverManagerDnsTest, SystemOnlyBypassesDnsTask) {
-  // Ensure DNS task requests will succeed and system (proc) requests will fail.
+  // Ensure DNS task requests will succeed and system requests will fail.
   ChangeDnsConfig(CreateValidDnsConfig());
   proc_->AddRuleForAllFamilies(std::string(), std::string());
 
   ResolveHostResponseHelper dns_response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
 
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::SYSTEM;
   ResolveHostResponseHelper system_response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
 
   proc_->SignalMultiple(2u);
@@ -5337,7 +5412,7 @@ TEST_F(HostResolverManagerDnsTest,
 
   // Check that DnsTask works.
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("ok_1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok_1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
 
@@ -5346,12 +5421,12 @@ TEST_F(HostResolverManagerDnsTest,
   // Insecure DnsTasks should be disabled by now unless explicitly requested via
   // |source|.
   ResolveHostResponseHelper fail_response(resolver_->CreateRequest(
-      HostPortPair("ok_2", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok_2", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::DNS;
   ResolveHostResponseHelper dns_response(resolver_->CreateRequest(
-      HostPortPair("ok_2", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok_2", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   proc_->SignalMultiple(2u);
   EXPECT_THAT(fail_response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
@@ -5360,7 +5435,7 @@ TEST_F(HostResolverManagerDnsTest,
   // Check that it is re-enabled after DNS change.
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper reenabled_response(resolver_->CreateRequest(
-      HostPortPair("ok_3", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok_3", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(reenabled_response.result_error(), IsOk());
 }
@@ -5374,7 +5449,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsWorksAfterInsecureFailure) {
 
   // Secure DnsTasks should not be affected.
   ResolveHostResponseHelper secure_response(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       /* optional_parameters=*/absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(secure_response.result_error(), IsOk());
@@ -5393,7 +5468,7 @@ TEST_F(HostResolverManagerDnsTest, DontDisableDnsClientOnSporadicFailure) {
                                         : base::StringPrintf("ok_%u", i);
     responses.emplace_back(
         std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-            HostPortPair(hostname, 80), NetworkIsolationKey(),
+            HostPortPair(hostname, 80), NetworkAnonymizationKey(),
             NetLogWithSource(), absl::nullopt, resolve_context_.get(),
             resolve_context_->host_cache())));
   }
@@ -5408,8 +5483,9 @@ TEST_F(HostResolverManagerDnsTest, DontDisableDnsClientOnSporadicFailure) {
 
   // DnsTask should still be enabled.
   ResolveHostResponseHelper final_response(resolver_->CreateRequest(
-      HostPortPair("ok_last", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("ok_last", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(final_response.result_error(), IsOk());
 }
 
@@ -5420,7 +5496,7 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 500), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 500), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
 
@@ -5442,7 +5518,7 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_InvalidConfig) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("example.com", 500), NetworkIsolationKey(),
+      HostPortPair("example.com", 500), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
@@ -5466,7 +5542,7 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_UseLocalIpv6) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("ok", 500), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 500), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response1.result_error(), IsOk());
   EXPECT_THAT(response1.request()->GetAddressResults()->endpoints(),
@@ -5483,7 +5559,7 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_UseLocalIpv6) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("ok", 500), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 500), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response2.result_error(), IsOk());
   EXPECT_THAT(response2.request()->GetAddressResults()->endpoints(),
@@ -5509,8 +5585,9 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_Localhost) {
       /*enabled=*/false,
       /*additional_dns_types_enabled=*/false);
   ResolveHostResponseHelper system_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("localhost", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(system_response.result_error(), IsOk());
   EXPECT_THAT(system_response.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -5524,8 +5601,9 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_Localhost) {
   // With DnsClient
   UseMockDnsClient(CreateValidDnsConfig(), CreateDefaultDnsRules());
   ResolveHostResponseHelper builtin_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("localhost", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(builtin_response.result_error(), IsOk());
   EXPECT_THAT(builtin_response.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -5542,8 +5620,9 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_Localhost) {
   config.use_local_ipv6 = false;
   ChangeDnsConfig(config);
   ResolveHostResponseHelper ipv6_disabled_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("localhost", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(ipv6_disabled_response.result_error(), IsOk());
   EXPECT_THAT(
       ipv6_disabled_response.request()->GetAddressResults()->endpoints(),
@@ -5563,7 +5642,14 @@ TEST_F(HostResolverManagerDnsTest, Ipv6UnreachableOnlyDisablesAAAAQuery) {
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbEnableInsecure", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -5587,8 +5673,8 @@ TEST_F(HostResolverManagerDnsTest, Ipv6UnreachableOnlyDisablesAAAAQuery) {
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(),
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(),
       /*optional_parameters=*/absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
@@ -5633,20 +5719,20 @@ TEST_F(HostResolverManagerDnsTest, SeparateJobsBySecureDnsMode) {
   HostResolver::ResolveHostParameters parameters_disable_secure;
   parameters_disable_secure.secure_dns_policy = SecureDnsPolicy::kDisable;
   ResolveHostResponseHelper insecure_response(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters_disable_secure, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
 
   ResolveHostResponseHelper automatic_response0(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_EQ(2u, resolver_->num_jobs_for_testing());
 
   HostResolver::ResolveHostParameters parameters_allow_secure;
   parameters_allow_secure.secure_dns_policy = SecureDnsPolicy::kAllow;
   ResolveHostResponseHelper automatic_response1(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("a", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters_allow_secure, resolve_context_.get(),
       resolve_context_->host_cache()));
   // The AUTOMATIC mode requests should be joined into the same job.
@@ -5677,7 +5763,7 @@ TEST_F(HostResolverManagerDnsTest, CancelWithOneTransactionActive) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   ASSERT_FALSE(response.complete());
   ASSERT_EQ(1u, num_running_dispatcher_jobs());
@@ -5695,7 +5781,7 @@ TEST_F(HostResolverManagerDnsTest, CancelWithOneTransactionActiveOnePending) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_EQ(1u, num_running_dispatcher_jobs());
 
@@ -5711,7 +5797,7 @@ TEST_F(HostResolverManagerDnsTest, CancelWithTwoTransactionsActive) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_EQ(2u, num_running_dispatcher_jobs());
 
@@ -5737,7 +5823,7 @@ TEST_F(HostResolverManagerDnsTest, DeleteWithActiveTransactions) {
     std::string hostname = base::StringPrintf("ok%i", i);
     responses.emplace_back(
         std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-            HostPortPair(hostname, 80), NetworkIsolationKey(),
+            HostPortPair(hostname, 80), NetworkAnonymizationKey(),
             NetLogWithSource(), absl::nullopt, resolve_context_.get(),
             resolve_context_->host_cache())));
   }
@@ -5758,7 +5844,7 @@ TEST_F(HostResolverManagerDnsTest, DeleteWithSecureTransactions) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
 
   DestroyResolver();
@@ -5771,7 +5857,7 @@ TEST_F(HostResolverManagerDnsTest, DeleteWithCompletedRequests) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsOk());
@@ -5802,8 +5888,9 @@ TEST_F(HostResolverManagerDnsTest, CancelWithIPv6TransactionActive) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("6slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("6slow_ok", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_EQ(2u, num_running_dispatcher_jobs());
 
   // The IPv4 request should complete, the IPv6 request is still pending.
@@ -5819,12 +5906,13 @@ TEST_F(HostResolverManagerDnsTest, CancelWithIPv6TransactionActive) {
 
 // Cancel a request with only the IPv4 transaction pending.
 TEST_F(HostResolverManagerDnsTest, CancelWithIPv4TransactionPending) {
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_EQ(2u, num_running_dispatcher_jobs());
 
   // The IPv6 request should complete, the IPv4 request is still pending.
@@ -5866,7 +5954,7 @@ TEST_F(HostResolverManagerDnsTest, CancelWithAutomaticModeTransactionPending) {
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
       HostPortPair("secure_6slow_6nx_insecure_6slow_ok", 80),
-      NetworkIsolationKey(), NetLogWithSource(), absl::nullopt,
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
       resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_EQ(0u, num_running_dispatcher_jobs());
 
@@ -5882,7 +5970,7 @@ TEST_F(HostResolverManagerDnsTest, CancelWithAutomaticModeTransactionPending) {
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
       HostPortPair("secure_6slow_6nx_insecure_6slow_ok", 80),
-      NetworkIsolationKey(), NetLogWithSource(), absl::nullopt,
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
       resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_EQ(0u, num_running_dispatcher_jobs());
 
@@ -5909,28 +5997,28 @@ TEST_F(HostResolverManagerDnsTest, CancelWithAutomaticModeTransactionPending) {
 
 // Test cases where AAAA completes first.
 TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst) {
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4slow_ok", 80), NetworkIsolationKey(),
+          HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4slow_4ok", 80), NetworkIsolationKey(),
+          HostPortPair("4slow_4ok", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4slow_4timeout", 80), NetworkIsolationKey(),
+          HostPortPair("4slow_4timeout", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4slow_6timeout", 80), NetworkIsolationKey(),
+          HostPortPair("4slow_6timeout", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -5993,7 +6081,7 @@ TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst_AutomaticMode) {
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
       HostPortPair("secure_slow_nx_insecure_4slow_ok", 80),
-      NetworkIsolationKey(), NetLogWithSource(), absl::nullopt,
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
       resolve_context_.get(), resolve_context_->host_cache()));
   base::RunLoop().RunUntilIdle();
   EXPECT_FALSE(response.complete());
@@ -6012,7 +6100,7 @@ TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst_AutomaticMode) {
   HostCache::Key insecure_key =
       HostCache::Key("secure_slow_nx_insecure_4slow_ok",
                      DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-                     HostResolverSource::ANY, NetworkIsolationKey());
+                     HostResolverSource::ANY, NetworkAnonymizationKey());
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
@@ -6020,7 +6108,7 @@ TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst_AutomaticMode) {
 
 TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic) {
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.100");
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
 
   ChangeDnsConfig(CreateValidDnsConfig());
   DnsConfigOverrides overrides;
@@ -6030,8 +6118,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic) {
 
   // A successful DoH request should result in a secure cache entry.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("automatic", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
   EXPECT_FALSE(
       response_secure.request()->GetResolveErrorInfo().is_secure_network_error);
@@ -6045,7 +6134,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic) {
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
   HostCache::Key secure_key = HostCache::Key(
       "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
@@ -6053,7 +6142,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic) {
   // A successful plaintext DNS request should result in an insecure cache
   // entry.
   ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic", 80), NetworkIsolationKey(),
+      HostPortPair("insecure_automatic", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   ASSERT_THAT(response_insecure.result_error(), IsOk());
@@ -6071,19 +6160,20 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic) {
   HostCache::Key insecure_key =
       HostCache::Key("insecure_automatic", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
 
-  // Fallback to ProcTask allowed in AUTOMATIC mode.
-  ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+  // Fallback to HostResolverSystemTask allowed in AUTOMATIC mode.
+  ResolveHostResponseHelper response_system(resolver_->CreateRequest(
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   proc_->SignalMultiple(1u);
-  EXPECT_THAT(response_proc.result_error(), IsOk());
-  EXPECT_THAT(response_proc.request()->GetAddressResults()->endpoints(),
+  EXPECT_THAT(response_system.result_error(), IsOk());
+  EXPECT_THAT(response_system.request()->GetAddressResults()->endpoints(),
               testing::ElementsAre(CreateExpected("192.168.1.100", 80)));
-  EXPECT_THAT(response_proc.request()->GetEndpointResults(),
+  EXPECT_THAT(response_system.request()->GetEndpointResults(),
               testing::Pointee(testing::ElementsAre(ExpectEndpointResult(
                   testing::ElementsAre(CreateExpected("192.168.1.100", 80))))));
 }
@@ -6098,14 +6188,14 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_SecureCache) {
   HostCache::Key cached_secure_key =
       HostCache::Key("automatic_cached", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   cached_secure_key.secure = true;
   IPEndPoint kExpectedSecureIP = CreateExpected("192.168.1.102", 80);
   PopulateCache(cached_secure_key, kExpectedSecureIP);
 
   // The secure cache should be checked prior to any DoH request being sent.
   ResolveHostResponseHelper response_secure_cached(resolver_->CreateRequest(
-      HostPortPair("automatic_cached", 80), NetworkIsolationKey(),
+      HostPortPair("automatic_cached", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response_secure_cached.result_error(), IsOk());
@@ -6132,13 +6222,13 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_InsecureCache) {
   HostCache::Key cached_insecure_key =
       HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.103", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // The insecure cache should be checked after DoH requests fail.
   ResolveHostResponseHelper response_insecure_cached(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic_cached", 80), NetworkIsolationKey(),
+      HostPortPair("insecure_automatic_cached", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response_insecure_cached.result_error(), IsOk());
@@ -6168,20 +6258,20 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Downgrade) {
   HostCache::Key cached_secure_key =
       HostCache::Key("automatic_cached", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   cached_secure_key.secure = true;
   IPEndPoint kExpectedSecureIP = CreateExpected("192.168.1.102", 80);
   PopulateCache(cached_secure_key, kExpectedSecureIP);
   HostCache::Key cached_insecure_key =
       HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.103", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // The secure cache should still be checked first.
   ResolveHostResponseHelper response_cached(resolver_->CreateRequest(
-      HostPortPair("automatic_cached", 80), NetworkIsolationKey(),
+      HostPortPair("automatic_cached", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response_cached.result_error(), IsOk());
@@ -6193,7 +6283,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Downgrade) {
 
   // The insecure cache should be checked before any insecure requests are sent.
   ResolveHostResponseHelper insecure_response_cached(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic_cached", 80), NetworkIsolationKey(),
+      HostPortPair("insecure_automatic_cached", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(insecure_response_cached.result_error(), IsOk());
@@ -6208,8 +6298,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Downgrade) {
   // downgraded to OFF. A successful plaintext DNS request should result in an
   // insecure cache entry.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("automatic", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -6221,7 +6312,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Downgrade) {
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
   HostCache::Key key = HostCache::Key(
       "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   cache_result = GetCacheHit(key);
   EXPECT_TRUE(!!cache_result);
 }
@@ -6236,8 +6327,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Unavailable) {
   // DoH requests should be skipped when there are no available DoH servers
   // in automatic mode. The cached result should be in the insecure cache.
   ResolveHostResponseHelper response_automatic(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("automatic", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_THAT(response_automatic.result_error(), IsOk());
   EXPECT_FALSE(response_automatic.request()
                    ->GetResolveErrorInfo()
@@ -6252,7 +6344,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Unavailable) {
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
   HostCache::Key secure_key = HostCache::Key(
       "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   secure_key.secure = true;
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       GetCacheHit(secure_key);
@@ -6260,13 +6352,13 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Unavailable) {
 
   HostCache::Key insecure_key = HostCache::Key(
       "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
 }
 
 TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Unavailable_Fail) {
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
   DnsConfigOverrides overrides;
   overrides.secure_dns_mode = SecureDnsMode::kAutomatic;
@@ -6275,7 +6367,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Unavailable_Fail) {
 
   // Insecure requests that fail should not be cached.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   ASSERT_THAT(response_secure.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(
@@ -6283,7 +6375,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Unavailable_Fail) {
 
   HostCache::Key secure_key = HostCache::Key(
       "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   secure_key.secure = true;
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       GetCacheHit(secure_key);
@@ -6291,7 +6383,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Unavailable_Fail) {
 
   HostCache::Key insecure_key = HostCache::Key(
       "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_FALSE(!!cache_result);
 }
@@ -6312,7 +6404,7 @@ TEST_F(HostResolverManagerDnsTest,
   // Configure the resolver and underlying mock to attempt a secure query iff
   // the context has marked a DoH server available and otherwise attempt a
   // non-secure query.
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
   DnsConfigOverrides overrides;
   overrides.secure_dns_mode = SecureDnsMode::kAutomatic;
@@ -6330,14 +6422,14 @@ TEST_F(HostResolverManagerDnsTest,
   // request. Non-secure requests for "secure" will fail with
   // ERR_NAME_NOT_RESOLVED.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, &resolve_context1, resolve_context_->host_cache()));
   ASSERT_THAT(response_secure.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 
   // One available DoH server for |resolve_context2|, so expect a secure
   // request. Secure requests for "secure" will succeed.
   ResolveHostResponseHelper response_secure2(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, &resolve_context2, nullptr /* host_cache */));
   ASSERT_THAT(response_secure2.result_error(), IsOk());
 
@@ -6354,7 +6446,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Stale) {
   // Populate cache with insecure entry.
   HostCache::Key cached_stale_key = HostCache::Key(
       "automatic_stale", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   IPEndPoint kExpectedStaleIP = CreateExpected("192.168.1.102", 80);
   PopulateCache(cached_stale_key, kExpectedStaleIP);
   MakeCacheStale();
@@ -6366,7 +6458,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Stale) {
   // The insecure cache should be checked before secure requests are made since
   // stale results are allowed.
   ResolveHostResponseHelper response_stale(resolver_->CreateRequest(
-      HostPortPair("automatic_stale", 80), NetworkIsolationKey(),
+      HostPortPair("automatic_stale", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), stale_allowed_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response_stale.result_error(), IsOk());
@@ -6395,8 +6487,9 @@ TEST_F(HostResolverManagerDnsTest,
 
   // The secure part of the dns client should be enabled.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("automatic", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
   EXPECT_THAT(response_secure.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -6408,7 +6501,7 @@ TEST_F(HostResolverManagerDnsTest,
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
   HostCache::Key secure_key = HostCache::Key(
       "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
@@ -6416,7 +6509,7 @@ TEST_F(HostResolverManagerDnsTest,
   // The insecure part of the dns client is disabled so insecure requests
   // should be skipped.
   ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic", 80), NetworkIsolationKey(),
+      HostPortPair("insecure_automatic", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   proc_->SignalMultiple(1u);
@@ -6429,21 +6522,21 @@ TEST_F(HostResolverManagerDnsTest,
   HostCache::Key insecure_key =
       HostCache::Key("insecure_automatic", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
 
   HostCache::Key cached_insecure_key =
       HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.101", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // The insecure cache should still be checked even if the insecure part of
   // the dns client is disabled.
   ResolveHostResponseHelper response_insecure_cached(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic_cached", 80), NetworkIsolationKey(),
+      HostPortPair("insecure_automatic_cached", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response_insecure_cached.result_error(), IsOk());
@@ -6468,8 +6561,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_DotActive) {
 
   // The secure part of the dns client should be enabled.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("automatic", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
   EXPECT_THAT(response_secure.request()->GetAddressResults()->endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -6481,7 +6575,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_DotActive) {
               CreateExpected("::1", 80), CreateExpected("127.0.0.1", 80))))));
   HostCache::Key secure_key = HostCache::Key(
       "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
@@ -6489,7 +6583,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_DotActive) {
   // Insecure async requests should be skipped since the system resolver
   // requests will be secure.
   ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic", 80), NetworkIsolationKey(),
+      HostPortPair("insecure_automatic", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   proc_->SignalMultiple(1u);
@@ -6505,20 +6599,20 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_DotActive) {
   HostCache::Key insecure_key =
       HostCache::Key("insecure_automatic", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
 
   HostCache::Key cached_insecure_key =
       HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.101", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // The insecure cache should still be checked.
   ResolveHostResponseHelper response_insecure_cached(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic_cached", 80), NetworkIsolationKey(),
+      HostPortPair("insecure_automatic_cached", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response_insecure_cached.result_error(), IsOk());
@@ -6535,7 +6629,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_DotActive) {
 
 TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure) {
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.100");
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
 
   ChangeDnsConfig(CreateValidDnsConfig());
   DnsConfigOverrides overrides;
@@ -6544,20 +6638,20 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure) {
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
 
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
   EXPECT_FALSE(
       response_secure.request()->GetResolveErrorInfo().is_secure_network_error);
   HostCache::Key secure_key = HostCache::Key(
       "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
 
   ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   ASSERT_THAT(response_insecure.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_TRUE(response_insecure.request()
@@ -6565,23 +6659,24 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure) {
                   .is_secure_network_error);
   HostCache::Key insecure_key = HostCache::Key(
       "ok", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_FALSE(!!cache_result);
 
-  // Fallback to ProcTask not allowed in SECURE mode.
-  ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+  // Fallback to HostResolverSystemTask not allowed in SECURE mode.
+  ResolveHostResponseHelper response_system(resolver_->CreateRequest(
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   proc_->SignalMultiple(1u);
-  EXPECT_THAT(response_proc.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_THAT(response_system.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_TRUE(
-      response_proc.request()->GetResolveErrorInfo().is_secure_network_error);
+      response_system.request()->GetResolveErrorInfo().is_secure_network_error);
 }
 
 TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure_InsecureAsyncDisabled) {
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.100");
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   resolver_->SetInsecureDnsClientEnabled(
       /*enabled=*/false,
       /*additional_dns_types_enabled=*/false);
@@ -6594,12 +6689,12 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure_InsecureAsyncDisabled) {
 
   // The secure part of the dns client should be enabled.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
   HostCache::Key secure_key = HostCache::Key(
       "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
@@ -6617,15 +6712,15 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure_Local_CacheMiss) {
   // Populate cache with an insecure entry.
   HostCache::Key cached_insecure_key = HostCache::Key(
       "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.102", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // NONE query expected to complete synchronously with a cache miss since
   // the insecure cache should not be checked.
   ResolveHostResponseHelper cache_miss_request(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
-      source_none_parameters, resolve_context_.get(),
+      HostPortPair("automatic", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), source_none_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_TRUE(cache_miss_request.complete());
   EXPECT_THAT(cache_miss_request.result_error(), IsError(ERR_DNS_CACHE_MISS));
@@ -6649,7 +6744,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure_Local_CacheHit) {
   // Populate cache with a secure entry.
   HostCache::Key cached_secure_key = HostCache::Key(
       "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
-      HostResolverSource::ANY, NetworkIsolationKey());
+      HostResolverSource::ANY, NetworkAnonymizationKey());
   cached_secure_key.secure = true;
   IPEndPoint kExpectedSecureIP = CreateExpected("192.168.1.103", 80);
   PopulateCache(cached_secure_key, kExpectedSecureIP);
@@ -6657,7 +6752,7 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure_Local_CacheHit) {
   // NONE query expected to complete synchronously with a cache hit from the
   // secure cache.
   ResolveHostResponseHelper response_cached(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_TRUE(response_cached.complete());
   EXPECT_THAT(response_cached.result_error(), IsOk());
@@ -6700,9 +6795,10 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), /*optional_parameters=*/absl::nullopt,
-      resolve_context_.get(), resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(),
+      /*optional_parameters=*/absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetEndpointResults());
   EXPECT_FALSE(response.request()->GetTextResults());
@@ -6732,13 +6828,14 @@ TEST_F(HostResolverManagerDnsTest, SlowResolve) {
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("slow_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("slow_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("slow_succeed", 80), NetworkIsolationKey(),
+      HostPortPair("slow_succeed", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   proc_->SignalMultiple(3u);
@@ -6765,7 +6862,7 @@ TEST_F(HostResolverManagerDnsTest, SlowResolve) {
 // complete. In automatic mode, because fallback to insecure is available, the
 // secure transaction is expected to quickly timeout and fallback to insecure.
 TEST_F(HostResolverManagerDnsTest, SlowSecureResolve_AutomaticMode) {
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
 
   MockDnsClientRuleList rules = CreateDefaultDnsRules();
   AddSecureDnsRule(&rules, "slow_fail", dns_protocol::kTypeA,
@@ -6787,13 +6884,14 @@ TEST_F(HostResolverManagerDnsTest, SlowSecureResolve_AutomaticMode) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("slow_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("slow_fail", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("slow_succeed", 80), NetworkIsolationKey(),
+      HostPortPair("slow_succeed", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -6832,10 +6930,10 @@ TEST_F(HostResolverManagerDnsTest, SlowSecureResolve_SecureMode) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("slow", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("slow", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response0.result_error(), IsOk());
@@ -6845,11 +6943,11 @@ TEST_F(HostResolverManagerDnsTest, SlowSecureResolve_SecureMode) {
 // Test the case where only a single transaction slot is available.
 TEST_F(HostResolverManagerDnsTest, SerialResolver) {
   CreateSerialResolver();
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_FALSE(response.complete());
   EXPECT_EQ(1u, num_running_dispatcher_jobs());
@@ -6874,16 +6972,17 @@ TEST_F(HostResolverManagerDnsTest, AAAAStartsAfterOtherJobFinishes) {
   CreateResolverWithLimitsAndParams(3u, DefaultParams(proc_),
                                     true /* ipv6_reachable */,
                                     true /* check_ipv6_on_wifi */);
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_EQ(2u, num_running_dispatcher_jobs());
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_EQ(3u, num_running_dispatcher_jobs());
 
   // Request 0's transactions should complete, starting Request 1's second
@@ -6906,7 +7005,7 @@ TEST_F(HostResolverManagerDnsTest, AAAAStartsAfterOtherJobFinishes) {
 }
 
 // Tests the case that a Job with a single transaction receives an empty address
-// list, triggering fallback to ProcTask.
+// list, triggering fallback to HostResolverSystemTask.
 TEST_F(HostResolverManagerDnsTest, IPv4EmptyFallback) {
   // Disable ipv6 to ensure we'll only try a single transaction for the host.
   CreateResolverWithLimitsAndParams(kMaxJobs, DefaultParams(proc_),
@@ -6921,7 +7020,7 @@ TEST_F(HostResolverManagerDnsTest, IPv4EmptyFallback) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("empty_fallback", 80), NetworkIsolationKey(),
+      HostPortPair("empty_fallback", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
@@ -6933,14 +7032,14 @@ TEST_F(HostResolverManagerDnsTest, IPv4EmptyFallback) {
 }
 
 // Tests the case that a Job with two transactions receives two empty address
-// lists, triggering fallback to ProcTask.
+// lists, triggering fallback to HostResolverSystemTask.
 TEST_F(HostResolverManagerDnsTest, UnspecEmptyFallback) {
   ChangeDnsConfig(CreateValidDnsConfig());
   proc_->AddRuleForAllFamilies("empty_fallback", "192.168.0.1");
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("empty_fallback", 80), NetworkIsolationKey(),
+      HostPortPair("empty_fallback", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -6972,18 +7071,18 @@ TEST_F(HostResolverManagerDnsTest, InvalidDnsConfigWithPendingRequests) {
   // First active job gets two slots.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("slow_nx1", 80), NetworkIsolationKey(),
+          HostPortPair("slow_nx1", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   // Next job gets one slot, and waits on another.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("slow_nx2", 80), NetworkIsolationKey(),
+          HostPortPair("slow_nx2", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
 
@@ -7004,9 +7103,9 @@ TEST_F(HostResolverManagerDnsTest, InvalidDnsConfigWithPendingRequests) {
 // when using DnsClient.
 TEST_F(HostResolverManagerDnsTest, DontAbortOnInitialDNSConfigRead) {
   // DnsClient is enabled, but there's no DnsConfig, so the request should start
-  // using ProcTask.
+  // using HostResolverSystemTask.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host1", 70), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_FALSE(response.complete());
 
@@ -7042,43 +7141,47 @@ TEST_F(HostResolverManagerDnsTest,
     parameters.secure_dns_policy = SecureDnsPolicy::kDisable;
 
     // Queue up enough failures to disable insecure DnsTasks.  These will all
-    // fall back to ProcTasks, and succeed there.
+    // fall back to HostResolverSystemTasks, and succeed there.
     std::vector<std::unique_ptr<ResolveHostResponseHelper>> failure_responses;
     for (unsigned i = 0u; i < maximum_insecure_dns_task_failures(); ++i) {
       std::string host = base::StringPrintf("nx%u", i);
       proc_->AddRuleForAllFamilies(host, "192.168.0.1");
       failure_responses.emplace_back(
           std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-              HostPortPair(host, 80), NetworkIsolationKey(), NetLogWithSource(),
-              parameters, resolve_context_.get(),
+              HostPortPair(host, 80), NetworkAnonymizationKey(),
+              NetLogWithSource(), parameters, resolve_context_.get(),
               resolve_context_->host_cache())));
       EXPECT_FALSE(failure_responses[i]->complete());
     }
 
     // These requests should all bypass insecure DnsTasks, due to the above
-    // failures, so should end up using ProcTasks.
+    // failures, so should end up using HostResolverSystemTasks.
     proc_->AddRuleForAllFamilies("slow_ok1", "192.168.0.2");
     ResolveHostResponseHelper response0(resolver_->CreateRequest(
-        HostPortPair("slow_ok1", 80), NetworkIsolationKey(), NetLogWithSource(),
-        parameters, resolve_context_.get(), resolve_context_->host_cache()));
+        HostPortPair("slow_ok1", 80), NetworkAnonymizationKey(),
+        NetLogWithSource(), parameters, resolve_context_.get(),
+        resolve_context_->host_cache()));
     EXPECT_FALSE(response0.complete());
     proc_->AddRuleForAllFamilies("slow_ok2", "192.168.0.3");
     ResolveHostResponseHelper response1(resolver_->CreateRequest(
-        HostPortPair("slow_ok2", 80), NetworkIsolationKey(), NetLogWithSource(),
-        parameters, resolve_context_.get(), resolve_context_->host_cache()));
+        HostPortPair("slow_ok2", 80), NetworkAnonymizationKey(),
+        NetLogWithSource(), parameters, resolve_context_.get(),
+        resolve_context_->host_cache()));
     EXPECT_FALSE(response1.complete());
     proc_->AddRuleForAllFamilies("slow_ok3", "192.168.0.4");
     ResolveHostResponseHelper response2(resolver_->CreateRequest(
-        HostPortPair("slow_ok3", 80), NetworkIsolationKey(), NetLogWithSource(),
-        parameters, resolve_context_.get(), resolve_context_->host_cache()));
+        HostPortPair("slow_ok3", 80), NetworkAnonymizationKey(),
+        NetLogWithSource(), parameters, resolve_context_.get(),
+        resolve_context_->host_cache()));
     EXPECT_FALSE(response2.complete());
 
-    // Requests specifying DNS source cannot fallback to ProcTask, so they
-    // should be unaffected.
+    // Requests specifying DNS source cannot fallback to HostResolverSystemTask,
+    // so they should be unaffected.
     parameters.source = HostResolverSource::DNS;
     ResolveHostResponseHelper response_dns(resolver_->CreateRequest(
-        HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-        parameters, resolve_context_.get(), resolve_context_->host_cache()));
+        HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
+        NetLogWithSource(), parameters, resolve_context_.get(),
+        resolve_context_->host_cache()));
     EXPECT_FALSE(response_dns.complete());
 
     // Requests specifying SYSTEM source should be unaffected by disabling
@@ -7086,13 +7189,14 @@ TEST_F(HostResolverManagerDnsTest,
     proc_->AddRuleForAllFamilies("nx_ok", "192.168.0.5");
     parameters.source = HostResolverSource::SYSTEM;
     ResolveHostResponseHelper response_system(resolver_->CreateRequest(
-        HostPortPair("nx_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-        parameters, resolve_context_.get(), resolve_context_->host_cache()));
+        HostPortPair("nx_ok", 80), NetworkAnonymizationKey(),
+        NetLogWithSource(), parameters, resolve_context_.get(),
+        resolve_context_->host_cache()));
     EXPECT_FALSE(response_system.complete());
 
     // Secure DnsTasks should not be affected.
     ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-        HostPortPair("automatic", 80), NetworkIsolationKey(),
+        HostPortPair("automatic", 80), NetworkAnonymizationKey(),
         NetLogWithSource(), /* optional_parameters=*/absl::nullopt,
         resolve_context_.get(), resolve_context_->host_cache()));
     EXPECT_FALSE(response_secure.complete());
@@ -7164,34 +7268,36 @@ TEST_F(HostResolverManagerDnsTest,
   // First active job gets two slots.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("slow_ok1", 80), NetworkIsolationKey(),
+          HostPortPair("slow_ok1", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   EXPECT_FALSE(responses[0]->complete());
   // Next job gets one slot, and waits on another.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("slow_ok2", 80), NetworkIsolationKey(),
+          HostPortPair("slow_ok2", 80), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   EXPECT_FALSE(responses[1]->complete());
   // Next one is queued.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
           absl::nullopt, resolve_context_.get(),
           resolve_context_->host_cache())));
   EXPECT_FALSE(responses[2]->complete());
 
   EXPECT_EQ(3u, num_running_dispatcher_jobs());
 
-  // Clear DnsClient.  The two in-progress jobs should fall back to a ProcTask,
-  // and the next one should be started with a ProcTask.
+  // Clear DnsClient.  The two in-progress jobs should fall back to a
+  // HostResolverSystemTask, and the next one should be started with a
+  // HostResolverSystemTask.
   resolver_->SetInsecureDnsClientEnabled(
       /*enabled=*/false,
       /*additional_dns_types_enabled=*/false);
 
-  // All three in-progress requests should now be running a ProcTask.
+  // All three in-progress requests should now be running a
+  // HostResolverSystemTask.
   EXPECT_EQ(3u, num_running_dispatcher_jobs());
   proc_->SignalMultiple(3u);
 
@@ -7226,7 +7332,7 @@ TEST_F(HostResolverManagerDnsTest, DnsCallsWithDisabledDnsClient) {
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       params, resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
@@ -7243,7 +7349,7 @@ TEST_F(HostResolverManagerDnsTest,
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       params, resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
@@ -7257,7 +7363,7 @@ TEST_F(HostResolverManagerDnsTest, DnsCallsWithNoDnsConfig) {
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       params, resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
@@ -7285,16 +7391,16 @@ TEST_F(HostResolverManagerDnsTest, NoCheckIpv6OnWifi) {
   proc_->AddRule("h1", ADDRESS_FAMILY_IPV6, "::2");
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("h1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   HostResolver::ResolveHostParameters parameters;
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper v4_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("h1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper v6_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("h1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
 
   proc_->SignalMultiple(3u);
@@ -7327,15 +7433,15 @@ TEST_F(HostResolverManagerDnsTest, NoCheckIpv6OnWifi) {
   base::RunLoop().RunUntilIdle();  // Wait for NetworkChangeNotifier.
 
   ResolveHostResponseHelper no_wifi_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("h1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper no_wifi_v4_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("h1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper no_wifi_v6_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("h1", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
 
   proc_->SignalMultiple(3u);
@@ -7364,18 +7470,18 @@ TEST_F(HostResolverManagerDnsTest, NoCheckIpv6OnWifi) {
 
 TEST_F(HostResolverManagerDnsTest, NotFoundTTL) {
   CreateResolver();
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   // NODATA
   ResolveHostResponseHelper no_data_response(resolver_->CreateRequest(
-      HostPortPair("empty", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("empty", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(no_data_response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(no_data_response.request()->GetAddressResults());
   EXPECT_FALSE(no_data_response.request()->GetEndpointResults());
   HostCache::Key key("empty", DnsQueryType::UNSPECIFIED, 0,
-                     HostResolverSource::ANY, NetworkIsolationKey());
+                     HostResolverSource::ANY, NetworkAnonymizationKey());
   HostCache::EntryStaleness staleness;
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       resolve_context_->host_cache()->Lookup(key, base::TimeTicks::Now(),
@@ -7386,14 +7492,15 @@ TEST_F(HostResolverManagerDnsTest, NotFoundTTL) {
 
   // NXDOMAIN
   ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nodomain", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(no_domain_response.result_error(),
               IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(no_domain_response.request()->GetAddressResults());
   EXPECT_FALSE(no_domain_response.request()->GetEndpointResults());
   HostCache::Key nxkey("nodomain", DnsQueryType::UNSPECIFIED, 0,
-                       HostResolverSource::ANY, NetworkIsolationKey());
+                       HostResolverSource::ANY, NetworkAnonymizationKey());
   cache_result = resolve_context_->host_cache()->Lookup(
       nxkey, base::TimeTicks::Now(), false /* ignore_secure */);
   EXPECT_TRUE(!!cache_result);
@@ -7407,7 +7514,7 @@ TEST_F(HostResolverManagerDnsTest, CachedError) {
   proc_->SignalMultiple(1u);
 
   CreateResolver();
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   HostResolver::ResolveHostParameters cache_only_parameters;
@@ -7415,17 +7522,17 @@ TEST_F(HostResolverManagerDnsTest, CachedError) {
 
   // Expect cache initially empty.
   ResolveHostResponseHelper cache_miss_response0(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
-      cache_only_parameters, resolve_context_.get(),
+      HostPortPair("nodomain", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), cache_only_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(cache_miss_response0.result_error(), IsError(ERR_DNS_CACHE_MISS));
   EXPECT_FALSE(cache_miss_response0.request()->GetStaleInfo());
 
-  // The cache should not be populate with an error because fallback to ProcTask
-  // was available.
+  // The cache should not be populate with an error because fallback to
+  // HostResolverSystemTask was available.
   ResolveHostResponseHelper no_domain_response_with_fallback(
       resolver_->CreateRequest(HostPortPair("nodomain", 80),
-                               NetworkIsolationKey(), NetLogWithSource(),
+                               NetworkAnonymizationKey(), NetLogWithSource(),
                                absl::nullopt, resolve_context_.get(),
                                resolve_context_->host_cache()));
   EXPECT_THAT(no_domain_response_with_fallback.result_error(),
@@ -7433,26 +7540,27 @@ TEST_F(HostResolverManagerDnsTest, CachedError) {
 
   // Expect cache still empty.
   ResolveHostResponseHelper cache_miss_response1(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
-      cache_only_parameters, resolve_context_.get(),
+      HostPortPair("nodomain", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), cache_only_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(cache_miss_response1.result_error(), IsError(ERR_DNS_CACHE_MISS));
   EXPECT_FALSE(cache_miss_response1.request()->GetStaleInfo());
 
-  // Disable fallback to proctask
-  set_allow_fallback_to_proctask(false);
+  // Disable fallback to systemtask
+  set_allow_fallback_to_systemtask(false);
 
   // Populate cache with an error.
   ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nodomain", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(no_domain_response.result_error(),
               IsError(ERR_NAME_NOT_RESOLVED));
 
   // Expect the error result can be resolved from the cache.
   ResolveHostResponseHelper cache_hit_response(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
-      cache_only_parameters, resolve_context_.get(),
+      HostPortPair("nodomain", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), cache_only_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(cache_hit_response.result_error(),
               IsError(ERR_NAME_NOT_RESOLVED));
@@ -7461,7 +7569,7 @@ TEST_F(HostResolverManagerDnsTest, CachedError) {
 
 TEST_F(HostResolverManagerDnsTest, CachedError_AutomaticMode) {
   CreateResolver();
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   // Switch to automatic mode.
@@ -7472,11 +7580,11 @@ TEST_F(HostResolverManagerDnsTest, CachedError_AutomaticMode) {
   HostCache::Key insecure_key =
       HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   HostCache::Key secure_key =
       HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   secure_key.secure = true;
 
   // Expect cache initially empty.
@@ -7488,7 +7596,7 @@ TEST_F(HostResolverManagerDnsTest, CachedError_AutomaticMode) {
 
   // Populate both secure and insecure caches with an error.
   ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
-      HostPortPair("automatic_nodomain", 80), NetworkIsolationKey(),
+      HostPortPair("automatic_nodomain", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(no_domain_response.result_error(),
@@ -7503,7 +7611,7 @@ TEST_F(HostResolverManagerDnsTest, CachedError_AutomaticMode) {
 
 TEST_F(HostResolverManagerDnsTest, CachedError_SecureMode) {
   CreateResolver();
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   // Switch to secure mode.
@@ -7514,11 +7622,11 @@ TEST_F(HostResolverManagerDnsTest, CachedError_SecureMode) {
   HostCache::Key insecure_key =
       HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   HostCache::Key secure_key =
       HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
                      0 /* host_resolver_flags */, HostResolverSource::ANY,
-                     NetworkIsolationKey());
+                     NetworkAnonymizationKey());
   secure_key.secure = true;
 
   // Expect cache initially empty.
@@ -7530,7 +7638,7 @@ TEST_F(HostResolverManagerDnsTest, CachedError_SecureMode) {
 
   // Populate secure cache with an error.
   ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
-      HostPortPair("automatic_nodomain", 80), NetworkIsolationKey(),
+      HostPortPair("automatic_nodomain", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(no_domain_response.result_error(),
@@ -7547,11 +7655,11 @@ TEST_F(HostResolverManagerDnsTest, CachedError_SecureMode) {
 // the failure is not cached.
 TEST_F(HostResolverManagerDnsTest, TtlNotSharedBetweenQtypes) {
   CreateResolver();
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_4timeout", 80), NetworkIsolationKey(),
+      HostPortPair("4slow_4timeout", 80), NetworkAnonymizationKey(),
       NetLogWithSource(), absl::nullopt /* optional_parameters */,
       resolve_context_.get(), resolve_context_->host_cache()));
 
@@ -7575,12 +7683,12 @@ TEST_F(HostResolverManagerDnsTest, CanonicalName) {
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
 
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("alias", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("alias", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       params, resolve_context_.get(), resolve_context_->host_cache()));
   ASSERT_THAT(response.result_error(), IsOk());
 
@@ -7598,12 +7706,12 @@ TEST_F(HostResolverManagerDnsTest, CanonicalName_PreferV6) {
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
 
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("alias", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("alias", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       params, resolve_context_.get(), resolve_context_->host_cache()));
   ASSERT_FALSE(response.complete());
   base::RunLoop().RunUntilIdle();
@@ -7622,13 +7730,13 @@ TEST_F(HostResolverManagerDnsTest, CanonicalName_V4Only) {
              "correct", false /* delay */);
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
 
   HostResolver::ResolveHostParameters params;
   params.dns_query_type = DnsQueryType::A;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("alias", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("alias", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       params, resolve_context_.get(), resolve_context_->host_cache()));
   ASSERT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(
@@ -7659,10 +7767,10 @@ TEST_F(HostResolverManagerDnsTest, CanonicalNameWithoutResults) {
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("a.test", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("a.test", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       /*optional_parameters=*/absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -7704,7 +7812,7 @@ TEST_F(HostResolverManagerDnsTest, CanonicalNameWithResultsForOnlyOneFamily) {
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("a.test", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("a.test", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       /*optional_parameters=*/absl::nullopt, resolve_context_.get(),
       resolve_context_->host_cache()));
 
@@ -7724,7 +7832,7 @@ TEST_F(HostResolverManagerDnsTest, CanonicalNameWithResultsForOnlyOneFamily) {
 TEST_F(HostResolverManagerDnsTest, CanonicalNameForcesProc) {
   // Disable fallback to ensure system resolver is used directly, not via
   // fallback.
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
 
   proc_->AddRuleForAllFamilies("nx_succeed", "192.168.1.102",
                                HOST_RESOLVER_CANONNAME, "canonical");
@@ -7735,8 +7843,9 @@ TEST_F(HostResolverManagerDnsTest, CanonicalNameForcesProc) {
   HostResolver::ResolveHostParameters params;
   params.include_canonical_name = true;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
-      params, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("nx_succeed", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), params, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_THAT(response.result_error(), IsOk());
 
   EXPECT_THAT(response.request()->GetDnsAliasResults(),
@@ -7768,13 +7877,14 @@ TEST_F(HostResolverManagerDnsTest, DnsAliases) {
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("first.test", 80), NetworkIsolationKey(), NetLogWithSource(),
-      params, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("first.test", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), params, resolve_context_.get(),
+      resolve_context_->host_cache()));
 
   ASSERT_THAT(response.result_error(), IsOk());
   ASSERT_TRUE(response.request()->GetAddressResults());
@@ -7810,13 +7920,14 @@ TEST_F(HostResolverManagerDnsTest, DnsAliasesAreFixedUp) {
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host.test", 80), NetworkIsolationKey(), NetLogWithSource(),
-      params, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("host.test", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), params, resolve_context_.get(),
+      resolve_context_->host_cache()));
 
   ASSERT_THAT(response.result_error(), IsOk());
   ASSERT_TRUE(response.request()->GetAddressResults());
@@ -7843,13 +7954,14 @@ TEST_F(HostResolverManagerDnsTest, NoAdditionalDnsAliases) {
 
   CreateResolver();
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("first.test", 80), NetworkIsolationKey(), NetLogWithSource(),
-      params, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("first.test", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), params, resolve_context_.get(),
+      resolve_context_->host_cache()));
 
   ASSERT_THAT(response.result_error(), IsOk());
   ASSERT_TRUE(response.request()->GetAddressResults());
@@ -8522,13 +8634,13 @@ TEST_F(HostResolverManagerDnsTest, FlushCacheOnDnsConfigOverridesChange) {
 
   // Populate cache.
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("ok", 70), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 70), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
 
   // Confirm result now cached.
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("ok", 75), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 75), NetworkAnonymizationKey(), NetLogWithSource(),
       local_source_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   ASSERT_THAT(cached_response.result_error(), IsOk());
@@ -8541,7 +8653,7 @@ TEST_F(HostResolverManagerDnsTest, FlushCacheOnDnsConfigOverridesChange) {
 
   // Expect no longer cached
   ResolveHostResponseHelper flushed_response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       local_source_parameters, resolve_context_.get(),
       resolve_context_->host_cache()));
   EXPECT_THAT(flushed_response.result_error(), IsError(ERR_DNS_CACHE_MISS));
@@ -8584,8 +8696,9 @@ TEST_F(HostResolverManagerDnsTest, CancellationOnBaseConfigChange) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_FALSE(response.complete());
 
   DnsConfig new_config = original_config;
@@ -8609,8 +8722,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_FALSE(response.complete());
 
   DnsConfig new_config = original_config;
@@ -8626,8 +8740,9 @@ TEST_F(HostResolverManagerDnsTest,
 TEST_F(HostResolverManagerDnsTest, CancelQueriesOnSettingOverrides) {
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_FALSE(response.complete());
 
   DnsConfigOverrides overrides;
@@ -8646,8 +8761,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_FALSE(response.complete());
 
   resolver_->SetDnsConfigOverrides(overrides);
@@ -8665,8 +8781,9 @@ TEST_F(HostResolverManagerDnsTest, CancelQueriesOnClearingOverrides) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_FALSE(response.complete());
 
   resolver_->SetDnsConfigOverrides(DnsConfigOverrides());
@@ -8680,8 +8797,9 @@ TEST_F(HostResolverManagerDnsTest,
        CancelQueriesOnClearingOverrides_NoOverrides) {
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("4slow_ok", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
   ASSERT_FALSE(response.complete());
 
   resolver_->SetDnsConfigOverrides(DnsConfigOverrides());
@@ -8738,7 +8856,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -8762,7 +8880,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery) {
   EXPECT_EQ(resolve_context_->host_cache()->size(), 1u);
   parameters.source = HostResolverSource::LOCAL_ONLY;
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(cached_response.result_error(), IsOk());
   ASSERT_THAT(cached_response.request()->GetTextResults(),
@@ -8792,8 +8910,9 @@ TEST_F(HostResolverManagerDnsTest, TxtQueryRejectsIpLiteral) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("8.8.8.8", 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("8.8.8.8", 108), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
@@ -8824,7 +8943,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_MixedWithUnrecognizedType) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -8837,7 +8956,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_MixedWithUnrecognizedType) {
 }
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_InvalidConfig) {
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   // Set empty DnsConfig.
   InvalidateDnsConfig();
 
@@ -8845,14 +8964,14 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_InvalidConfig) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
 }
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_NonexistentDomain) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -8871,7 +8990,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_NonexistentDomain) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -8884,7 +9003,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_NonexistentDomain) {
   EXPECT_EQ(resolve_context_->host_cache()->size(), 1u);
   parameters.source = HostResolverSource::LOCAL_ONLY;
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(cached_response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(cached_response.request()->GetAddressResults());
@@ -8896,7 +9015,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_NonexistentDomain) {
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_Failure) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -8913,7 +9032,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Failure) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -8928,7 +9047,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Failure) {
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_Timeout) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -8945,7 +9064,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Timeout) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_TIMED_OUT));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -8960,7 +9079,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Timeout) {
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_Empty) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -8979,7 +9098,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Empty) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -8992,7 +9111,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Empty) {
   EXPECT_EQ(resolve_context_->host_cache()->size(), 1u);
   parameters.source = HostResolverSource::LOCAL_ONLY;
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(cached_response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(cached_response.request()->GetAddressResults());
@@ -9004,7 +9123,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Empty) {
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_Malformed) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9021,7 +9140,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Malformed) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9049,7 +9168,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_MismatchedName) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9080,7 +9199,7 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_WrongType) {
 
   // Responses for the wrong type should be ignored.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9109,7 +9228,7 @@ TEST_F(HostResolverManagerDnsTest,
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair(kName, 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   // No non-local work is done, so ERR_DNS_CACHE_MISS is the result.
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
@@ -9147,7 +9266,7 @@ TEST_F(HostResolverManagerDnsTest, TxtDnsQuery) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9170,7 +9289,7 @@ TEST_F(HostResolverManagerDnsTest, TxtDnsQuery) {
   // Expect result to be cached.
   EXPECT_EQ(resolve_context_->host_cache()->size(), 1u);
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(cached_response.result_error(), IsOk());
   EXPECT_TRUE(cached_response.request()->GetStaleInfo());
@@ -9198,7 +9317,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9229,8 +9348,9 @@ TEST_F(HostResolverManagerDnsTest, PtrQueryRejectsIpLiteral) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("8.8.8.8", 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("8.8.8.8", 108), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
@@ -9255,8 +9375,9 @@ TEST_F(HostResolverManagerDnsTest, PtrQueryHandlesReverseIpLookup) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kHostname, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair(kHostname, 108), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
@@ -9272,7 +9393,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQueryHandlesReverseIpLookup) {
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_NonexistentDomain) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9289,7 +9410,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_NonexistentDomain) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9301,7 +9422,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_NonexistentDomain) {
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_Failure) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9318,7 +9439,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Failure) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9330,7 +9451,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Failure) {
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_Timeout) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9347,7 +9468,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Timeout) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_TIMED_OUT));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9359,7 +9480,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Timeout) {
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_Empty) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9376,7 +9497,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Empty) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9388,7 +9509,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Empty) {
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_Malformed) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9405,7 +9526,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Malformed) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9430,7 +9551,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_MismatchedName) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9458,7 +9579,7 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_WrongType) {
 
   // Responses for the wrong type should be ignored.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9484,7 +9605,7 @@ TEST_F(HostResolverManagerDnsTest,
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair(kName, 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   // No non-local work is done, so ERR_DNS_CACHE_MISS is the result.
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
@@ -9514,7 +9635,7 @@ TEST_F(HostResolverManagerDnsTest, PtrDnsQuery) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9546,7 +9667,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9592,8 +9713,9 @@ TEST_F(HostResolverManagerDnsTest, SrvQueryRejectsIpLiteral) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("8.8.8.8", 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
+      HostPortPair("8.8.8.8", 108), NetworkAnonymizationKey(),
+      NetLogWithSource(), parameters, resolve_context_.get(),
+      resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
@@ -9620,7 +9742,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_ZeroWeight) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9636,7 +9758,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_ZeroWeight) {
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_NonexistentDomain) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9653,7 +9775,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_NonexistentDomain) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9665,7 +9787,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_NonexistentDomain) {
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_Failure) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9682,7 +9804,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Failure) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9694,7 +9816,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Failure) {
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_Timeout) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9711,7 +9833,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Timeout) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_TIMED_OUT));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9723,7 +9845,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Timeout) {
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_Empty) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9740,7 +9862,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Empty) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9752,7 +9874,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Empty) {
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_Malformed) {
   // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
+  set_allow_fallback_to_systemtask(true);
   proc_->AddRuleForAllFamilies("host", "192.168.1.102");
   proc_->SignalMultiple(1u);
 
@@ -9769,7 +9891,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Malformed) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9794,7 +9916,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_MismatchedName) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9822,7 +9944,7 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_WrongType) {
 
   // Responses for the wrong type should be ignored.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9848,7 +9970,7 @@ TEST_F(HostResolverManagerDnsTest,
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair(kName, 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   // No non-local work is done, so ERR_DNS_CACHE_MISS is the result.
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
@@ -9882,7 +10004,7 @@ TEST_F(HostResolverManagerDnsTest, SrvDnsQuery) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("host", 108), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9929,9 +10051,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsQuery) {
   parameters.dns_query_type = DnsQueryType::HTTPS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), parameters, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), parameters,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
@@ -9964,7 +10086,7 @@ TEST_F(HostResolverManagerDnsTest, HttpsQueryForNonStandardPort) {
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
       url::SchemeHostPort(url::kHttpsScheme, kName, 1111),
-      NetworkIsolationKey(), NetLogWithSource(), parameters,
+      NetworkAnonymizationKey(), NetLogWithSource(), parameters,
       resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -9994,16 +10116,15 @@ TEST_F(HostResolverManagerDnsTest, HttpsQueryForHttpUpgrade) {
   parameters.dns_query_type = DnsQueryType::HTTPS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 80), NetworkIsolationKey(),
-      NetLogWithSource(), parameters, resolve_context_.get(),
-      resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
+      url::SchemeHostPort(url::kHttpScheme, kName, 80),
+      NetworkAnonymizationKey(), NetLogWithSource(), parameters,
+      resolve_context_.get(), resolve_context_->host_cache()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_NAME_HTTPS_ONLY));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
   EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
+  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
 }
 
 // Test that HTTPS requests for an http host with port 443 will result in a
@@ -10031,16 +10152,15 @@ TEST_F(HostResolverManagerDnsTest, HttpsQueryForHttpUpgradeFromHttpsPort) {
   parameters.dns_query_type = DnsQueryType::HTTPS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), parameters, resolve_context_.get(),
-      resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
+      url::SchemeHostPort(url::kHttpScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), parameters,
+      resolve_context_.get(), resolve_context_->host_cache()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_NAME_HTTPS_ONLY));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
   EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
+  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
 }
 
 TEST_F(HostResolverManagerDnsTest,
@@ -10066,575 +10186,10 @@ TEST_F(HostResolverManagerDnsTest,
   parameters.dns_query_type = DnsQueryType::HTTPS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 1111), NetworkIsolationKey(),
-      NetLogWithSource(), parameters, resolve_context_.get(),
-      resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery) {
-  const std::string kName = "https.test";
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, false /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQueryRejectsIpLiteral) {
-  MockDnsClientRuleList rules;
-
-  // Entry that would resolve if DNS is mistakenly queried to ensure that does
-  // not happen.
-  rules.emplace_back("8.8.8.8", dns_protocol::kTypeHttps, /*secure=*/false,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         "8.8.8.8", dns_protocol::kTypeHttps,
-                         {BuildTestHttpsAliasRecord("8.8.8.8", "alias.test")})),
-                     /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, "8.8.8.8", 443),
-      NetworkIsolationKey(), NetLogWithSource(), parameters,
+      url::SchemeHostPort(url::kHttpScheme, kName, 1111),
+      NetworkAnonymizationKey(), NetLogWithSource(), parameters,
       resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInsecureQueryDisallowedWhenAdditionalTypesDisallowed) {
-  const std::string kName = "https.test";
-
-  ChangeDnsConfig(CreateValidDnsConfig());
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kOff;
-  resolver_->SetDnsConfigOverrides(overrides);
-  resolver_->SetInsecureDnsClientEnabled(
-      /*enabled=*/true,
-      /*additional_dns_types_enabled=*/false);
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  // No non-local work is done, so ERR_DNS_CACHE_MISS is the result.
-  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsSecureQueryAllowedWhenAdditionalTypesDisallowed) {
-  const std::string kName = "https.test";
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, /*secure=*/true,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-  resolver_->SetInsecureDnsClientEnabled(
-      /*enabled=*/true,
-      /*additional_dns_types_enabled=*/false);
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  // Experimental type, so does not affect overall result.
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsFallbackQueryDisallowedWhenAdditionalTypesDisallowed) {
-  const char kName[] = "https.test";
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      /*delay=*/false);
-  // No expected HTTPS request in insecure mode.
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kAutomatic;
-  resolver_->SetDnsConfigOverrides(overrides);
-  resolver_->SetInsecureDnsClientEnabled(
-      /*enabled=*/true,
-      /*additional_dns_types_enabled=*/false);
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-// Test that HTTPS records can be extracted from a response that also contains
-// unrecognized record types.
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsQuery_MixedWithUnrecognizedType) {
-  const std::string kName = "https.test";
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestDnsRecord(kName, 3u /* type */, "fake rdata 1"),
-      BuildTestHttpsAliasRecord(kName, "alias.test"),
-      BuildTestDnsRecord(kName, 3u /* type */, "fake rdata 2")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, false /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_MultipleResults) {
-  const std::string kName = "https.test";
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test"),
-      BuildTestHttpsAliasRecord(kName, "another-alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, false /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true, true)));
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_InvalidConfig) {
-  set_allow_fallback_to_proctask(false);
-  // Set empty DnsConfig.
-  InvalidateDnsConfig();
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("https.test", 108), NetworkIsolationKey(),
-      NetLogWithSource(), parameters, resolve_context_.get(),
-      resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_NonexistentDomain) {
-  const std::string kName = "https.test";
-
-  // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
-  proc_->AddRuleForAllFamilies(kName, "192.168.1.102");
-  proc_->SignalMultiple(1u);
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, false /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kNoDomain),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_Failure) {
-  const std::string kName = "https.test";
-
-  // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
-  proc_->AddRuleForAllFamilies(kName, "192.168.1.102");
-  proc_->SignalMultiple(1u);
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, false /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-
-  // Expect result not cached.
-  EXPECT_EQ(resolve_context_->host_cache()->size(), 0u);
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_Timeout) {
-  const std::string kName = "https.test";
-
-  // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
-  proc_->AddRuleForAllFamilies(kName, "192.168.1.102");
-  proc_->SignalMultiple(1u);
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, false /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kTimeout),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-
-  // Expect result not cached.
-  EXPECT_EQ(resolve_context_->host_cache()->size(), 0u);
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_Empty) {
-  const std::string kName = "https.test";
-
-  // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
-  proc_->AddRuleForAllFamilies(kName, "192.168.1.102");
-  proc_->SignalMultiple(1u);
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, false /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_Malformed) {
-  const std::string kName = "https.test";
-
-  // Setup fallback to confirm it is not used for non-address results.
-  set_allow_fallback_to_proctask(true);
-  proc_->AddRuleForAllFamilies(kName, "192.168.1.102");
-  proc_->SignalMultiple(1u);
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, false /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kMalformed),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-
-  // Expect result not cached.
-  EXPECT_EQ(resolve_context_->host_cache()->size(), 0u);
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_MismatchedName) {
-  const std::string kName = "https.test";
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord("different.test", "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, false /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-
-  // Expect result not cached.
-  EXPECT_EQ(resolve_context_->host_cache()->size(), 0u);
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_AdditionalRecords) {
-  const std::string kName = "https.test";
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  std::vector<DnsResourceRecord> additional = {
-      BuildTestHttpsServiceRecord(kName, 3u, "service1.test", {}),
-      BuildTestHttpsServiceRecord(kName, 2u, "service2.test", {})};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, false /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records,
-                         {} /* authority */, additional)),
-                     false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  // Additional records aren't currently used in results.
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsQuery_WrongType) {
-  const std::string kName = "https.test";
-
-  // Respond to an HTTPS query with an A response.
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, false /* secure */,
-      MockDnsClientRule::Result(BuildTestDnsResponse(
-          kName, dns_protocol::kTypeHttps,
-          {BuildTestAddressRecord(kName, IPAddress(1, 2, 3, 4))})),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  // Responses for the wrong type should be ignored.
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-
-  // Expect result not cached.
-  EXPECT_EQ(resolve_context_->host_cache()->size(), 0u);
-}
-
-// Same as ExperimentalHttpsQuery except we specify DNS HostResolverSource
-// instead of relying on automatic determination.  Expect same results since DNS
-// should be what we automatically determine, but some slightly different logic
-// paths are involved.
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsDnsQuery) {
-  const std::string kName = "https.test";
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, false /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.source = HostResolverSource::DNS;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-// Same as ExperimentalHttpsInsecureQueryDisallowedWhenAdditionalTypesDisallowed
-// except we specify DNS HostResolverSource instead of relying on automatic
-// determination. Expect same results since DNS should be what we automatically
-// determine, but some slightly different logic paths are involved.
-TEST_F(
-    HostResolverManagerDnsTest,
-    ExperimentalHttpsDnsInsecureQueryDisallowedWhenAdditionalTypesDisallowed) {
-  const std::string kName = "https.test";
-
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kOff;
-  resolver_->SetDnsConfigOverrides(overrides);
-  resolver_->SetInsecureDnsClientEnabled(
-      /*enabled=*/true,
-      /*additional_dns_types_enabled=*/false);
-
-  HostResolver::ResolveHostParameters parameters;
-  parameters.source = HostResolverSource::DNS;
-  parameters.dns_query_type = DnsQueryType::HTTPS_EXPERIMENTAL;
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      parameters, resolve_context_.get(), resolve_context_->host_cache()));
-  // No non-local work is done, so ERR_DNS_CACHE_MISS is the result.
-  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
+  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_NAME_HTTPS_ONLY));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
@@ -10671,9 +10226,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQuery) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(
@@ -10695,7 +10250,16 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithNonstandardPort) {
   const char kName[] = "name.test";
   const char kExpectedHttpsQueryName[] = "_108._https.name.test";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {BuildTestHttpsServiceRecord(
@@ -10723,9 +10287,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithNonstandardPort) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 108), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 108),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(
@@ -10748,7 +10312,16 @@ TEST_F(HostResolverManagerDnsTest,
   const char kName[] = "name.test";
   const char kExpectedHttpsQueryName[] = "_108._https.name.test";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {BuildTestHttpsServiceRecord(
@@ -10776,9 +10349,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 108), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 108),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   // Expect only A/AAAA results without metadata because the HTTPS service
@@ -10797,7 +10370,16 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithAlpnAndEch) {
   const char kName[] = "name.test";
   const uint8_t kEch[] = "ECH is neato!";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {BuildTestHttpsServiceRecord(
@@ -10825,9 +10407,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithAlpnAndEch) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(
@@ -10849,7 +10431,16 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithAlpnAndEch) {
 TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithNonMatchingPort) {
   const char kName[] = "name.test";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -10876,9 +10467,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithNonMatchingPort) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -10893,7 +10484,16 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithNonMatchingPort) {
 TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithMatchingPort) {
   const char kName[] = "name.test";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -10920,9 +10520,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithMatchingPort) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(
@@ -10943,7 +10543,16 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithMatchingPort) {
 TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithoutAddresses) {
   const char kName[] = "name.test";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -10987,9 +10596,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithoutAddresses) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   // No address results overrides overall result.
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -11004,7 +10613,16 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithoutAddresses) {
 TEST_F(HostResolverManagerDnsTest, HttpsQueriedInAddressQueryButNoResults) {
   const char kName[] = "name.test";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11027,9 +10645,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsQueriedInAddressQueryButNoResults) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -11052,7 +10670,14 @@ TEST_F(HostResolverManagerDnsTest,
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11075,9 +10700,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -11096,7 +10721,14 @@ TEST_F(HostResolverManagerDnsTest,
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(kName, dns_protocol::kTypeHttps, /*secure=*/true,
@@ -11121,9 +10753,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -11142,7 +10774,14 @@ TEST_F(HostResolverManagerDnsTest,
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11165,9 +10804,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
@@ -11186,7 +10825,14 @@ TEST_F(HostResolverManagerDnsTest,
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "false"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "false"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11209,9 +10855,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -11231,7 +10877,14 @@ TEST_F(
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   // Delay HTTPS result to ensure it comes after A failure.
@@ -11256,9 +10909,9 @@ TEST_F(
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   base::RunLoop().RunUntilIdle();
   EXPECT_FALSE(response.complete());
@@ -11283,7 +10936,14 @@ TEST_F(
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "false"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "false"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   // Delay HTTPS result to ensure it is cancelled after AAAA failure.
@@ -11322,9 +10982,9 @@ TEST_F(
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   base::RunLoop().RunUntilIdle();
   // Unnecessary to complete delayed transactions because they should be
@@ -11336,7 +10996,7 @@ TEST_F(
   EXPECT_TRUE(response.request()->GetEndpointResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
+  EXPECT_TRUE(response.request()->GetExperimentalResultsForTesting());
 }
 
 TEST_F(HostResolverManagerDnsTest, TimeoutHttpsInAddressRequestIsFatal) {
@@ -11345,7 +11005,14 @@ TEST_F(HostResolverManagerDnsTest, TimeoutHttpsInAddressRequestIsFatal) {
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11368,9 +11035,9 @@ TEST_F(HostResolverManagerDnsTest, TimeoutHttpsInAddressRequestIsFatal) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_TIMED_OUT));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
@@ -11388,7 +11055,14 @@ TEST_F(HostResolverManagerDnsTest, ServfailHttpsInAddressRequestIsFatal) {
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11416,9 +11090,9 @@ TEST_F(HostResolverManagerDnsTest, ServfailHttpsInAddressRequestIsFatal) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_SERVER_FAILED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
@@ -11441,7 +11115,14 @@ TEST_F(HostResolverManagerDnsTest, UnparsableHttpsInAddressRequestIsFatal) {
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11466,9 +11147,9 @@ TEST_F(HostResolverManagerDnsTest, UnparsableHttpsInAddressRequestIsFatal) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetEndpointResults());
@@ -11486,7 +11167,14 @@ TEST_F(HostResolverManagerDnsTest, RefusedHttpsInAddressRequestIsIgnored) {
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"}});
+      {{"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
+       // Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11514,9 +11202,9 @@ TEST_F(HostResolverManagerDnsTest, RefusedHttpsInAddressRequestIsIgnored) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -11531,7 +11219,16 @@ TEST_F(HostResolverManagerDnsTest, RefusedHttpsInAddressRequestIsIgnored) {
 TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryForWssScheme) {
   const char kName[] = "name.test";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -11557,9 +11254,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryForWssScheme) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kWssScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kWssScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(
@@ -11580,7 +11277,16 @@ TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryForWssScheme) {
 TEST_F(HostResolverManagerDnsTest, NoHttpsInAddressQueryWithoutScheme) {
   const char kName[] = "name.test";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11604,7 +11310,7 @@ TEST_F(HostResolverManagerDnsTest, NoHttpsInAddressQueryWithoutScheme) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 443), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair(kName, 443), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
@@ -11619,7 +11325,16 @@ TEST_F(HostResolverManagerDnsTest, NoHttpsInAddressQueryWithoutScheme) {
 TEST_F(HostResolverManagerDnsTest, NoHttpsInAddressQueryForNonHttpScheme) {
   const char kName[] = "name.test";
 
-  base::test::ScopedFeatureList features(features::kUseDnsHttpsSvcb);
+  base::test::ScopedFeatureList features;
+  features.InitAndEnableFeatureWithParameters(
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -11643,9 +11358,9 @@ TEST_F(HostResolverManagerDnsTest, NoHttpsInAddressQueryForNonHttpScheme) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kFtpScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kFtpScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -11657,61 +11372,19 @@ TEST_F(HostResolverManagerDnsTest, NoHttpsInAddressQueryForNonHttpScheme) {
 }
 
 TEST_F(HostResolverManagerDnsTest,
-       HttpsInAddressQueryForHttpSchemeWhenUpgradeDisabled) {
-  const char kName[] = "name.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "false"}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsServiceRecord(kName, /*priority=*/1, /*service_name=*/".",
-                                  /*params=*/{})};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, /*secure=*/true,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kAutomatic;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 80), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-
-  // With the param disabled, expect the HTTPS record to have no effect on
-  // results (except GetExperimentalResultsForTesting()).
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest,
        HttpsInAddressQueryForHttpSchemeWhenUpgradeEnabled) {
   const char kName[] = "name.test";
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -11737,9 +11410,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 80), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpScheme, kName, 80),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_NAME_HTTPS_ONLY));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -11755,7 +11428,14 @@ TEST_F(HostResolverManagerDnsTest,
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -11780,9 +11460,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 80), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpScheme, kName, 80),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_NAME_HTTPS_ONLY));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -11800,7 +11480,14 @@ TEST_F(
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {BuildTestHttpsServiceRecord(
@@ -11828,9 +11515,9 @@ TEST_F(
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 80), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpScheme, kName, 80),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   // Expect incompatible HTTPS record to have no effect on results (except
   // `GetExperimentalResultsForTesting()` which returns the record
@@ -11852,7 +11539,14 @@ TEST_F(HostResolverManagerDnsTest,
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -11878,9 +11572,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 80), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpScheme, kName, 80),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_NAME_HTTPS_ONLY));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -11895,7 +11589,14 @@ TEST_F(HostResolverManagerDnsTest, HttpsInSecureModeAddressQuery) {
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbEnableInsecure", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -11920,9 +11621,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInSecureModeAddressQuery) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
@@ -11938,7 +11639,14 @@ TEST_F(HostResolverManagerDnsTest, HttpsInSecureModeAddressQueryForHttpScheme) {
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -11964,9 +11672,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInSecureModeAddressQueryForHttpScheme) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 80), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpScheme, kName, 80),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_NAME_HTTPS_ONLY));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -11981,7 +11689,14 @@ TEST_F(HostResolverManagerDnsTest, HttpsInInsecureAddressQuery) {
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbEnableInsecure", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12004,9 +11719,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInInsecureAddressQuery) {
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
@@ -12030,8 +11745,14 @@ TEST_F(HostResolverManagerDnsTest, HttpsInInsecureAddressQueryForHttpScheme) {
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"},
-                                   {"UseDnsHttpsSvcbEnableInsecure", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12054,9 +11775,9 @@ TEST_F(HostResolverManagerDnsTest, HttpsInInsecureAddressQueryForHttpScheme) {
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpScheme, kName, 80), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpScheme, kName, 80),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_NAME_HTTPS_ONLY));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -12071,7 +11792,14 @@ TEST_F(HostResolverManagerDnsTest, FailedHttpsInInsecureAddressRequestIgnored) {
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbEnableInsecure", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -12091,9 +11819,9 @@ TEST_F(HostResolverManagerDnsTest, FailedHttpsInInsecureAddressRequestIgnored) {
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -12111,7 +11839,14 @@ TEST_F(HostResolverManagerDnsTest,
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbEnableInsecure", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -12131,9 +11866,9 @@ TEST_F(HostResolverManagerDnsTest,
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -12151,7 +11886,14 @@ TEST_F(HostResolverManagerDnsTest,
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbEnableInsecure", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -12176,9 +11918,9 @@ TEST_F(HostResolverManagerDnsTest,
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -12196,7 +11938,14 @@ TEST_F(HostResolverManagerDnsTest,
 
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbEnableInsecure", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   rules.emplace_back(
@@ -12218,9 +11967,9 @@ TEST_F(HostResolverManagerDnsTest,
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
   EXPECT_THAT(response.request()->GetEndpointResults(),
@@ -12232,50 +11981,6 @@ TEST_F(HostResolverManagerDnsTest,
               testing::Pointee(testing::IsEmpty()));
 }
 
-TEST_F(HostResolverManagerDnsTest,
-       NoHttpsInInsecureAddressQueryWhenInsecureHttpsDisabled) {
-  const char kName[] = "name.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbEnableInsecure", "false"}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsServiceRecord(kName, /*priority=*/1, /*service_name=*/".",
-                                  /*params=*/{})};
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  // Should not be queried.
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kUnexpected),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
 // Test that when additional HTTPS timeout Feature params are disabled, the task
 // does not timeout until the transactions themselves timeout.
 TEST_F(HostResolverManagerDnsTest,
@@ -12285,8 +11990,7 @@ TEST_F(HostResolverManagerDnsTest,
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbExtraTimeAbsolute", "0"},
-       {"UseDnsHttpsSvcbExtraTimePercent", "0"},
+      {// Disable timeouts.
        {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
        {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
        {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
@@ -12315,9 +12019,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12344,14 +12048,16 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInSecureAddressQueryWithOnlyMinTimeout) {
   const char kName[] = "name.test";
 
-  // Set an absolute timeout of 10 minutes via the "min" param.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbSecureExtraTimeMin", "10m"},
-       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+      {{"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "30m"},
+       // Set a Secure absolute timeout of 10 minutes via the "min" param.
        {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
-       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "30m"}});
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "10m"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12377,9 +12083,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12406,14 +12112,16 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInSecureAddressQueryWithOnlyMaxTimeout) {
   const char kName[] = "name.test";
 
-  // Set an absolute timeout of 10 minutes via the "max" param.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbSecureExtraTimeMin", "0"},
-       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+      {{"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "30m"},
+       // Set a Secure absolute timeout of 10 minutes via the "max" param.
        {"UseDnsHttpsSvcbSecureExtraTimeMax", "10m"},
-       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "30m"}});
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12439,9 +12147,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12468,14 +12176,16 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInSecureAddressQueryWithRelativeTimeout) {
   const char kName[] = "name.test";
 
-  // Set a relative timeout of 10%.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbSecureExtraTimeMin", "0"},
-       {"UseDnsHttpsSvcbSecureExtraTimePercent", "10"},
+      {{"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "30m"},
+       // Set a Secure relative timeout of 10%.
        {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
-       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "30m"}});
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "10"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12501,9 +12211,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12538,13 +12248,16 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInSecureAddressQueryWithMaxTimeoutFirst) {
   const char kName[] = "name.test";
 
-  // Set an max timeout of 30s and a relative timeout of 100%.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbSecureExtraTimeMin", "10s"},
+      {{"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       // Set a Secure max timeout of 30s and a relative timeout of 100%.
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "30s"},
        {"UseDnsHttpsSvcbSecureExtraTimePercent", "100"},
-       {"UseDnsHttpsSvcbSecureExtraTimeMax", "30s"}});
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "10s"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12570,9 +12283,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12609,13 +12322,16 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInAddressQueryWithRelativeTimeoutFirst) {
   const char kName[] = "name.test";
 
-  // Set a max timeout of 20 minutes and a relative timeout of 10%.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbSecureExtraTimeMin", "1s"},
+      {{"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       // Set a Secure max timeout of 20 minutes and a relative timeout of 10%.
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "20m"},
        {"UseDnsHttpsSvcbSecureExtraTimePercent", "10"},
-       {"UseDnsHttpsSvcbSecureExtraTimeMax", "20m"}});
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "1s"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12641,9 +12357,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12678,13 +12394,16 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInAddressQueryWithRelativeTimeoutShorterThanMinTimeout) {
   const char kName[] = "name.test";
 
-  // Set a min timeout of 1 minute and a relative timeout of 10%.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbSecureExtraTimeMin", "1m"},
+      {{"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       // Set a Secure min timeout of 1 minute and a relative timeout of 10%.
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "20m"},
        {"UseDnsHttpsSvcbSecureExtraTimePercent", "10"},
-       {"UseDnsHttpsSvcbSecureExtraTimeMax", "20m"}});
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "1m"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12710,9 +12429,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12747,15 +12466,16 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInInsecureAddressQueryWithOnlyMinTimeout) {
   const char kName[] = "name.test";
 
-  // Set an absolute timeout of 10 minutes via the "min" param.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnableInsecure", "true"},
-       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "10m"},
-       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+      {// Set an Insecure absolute timeout of 10 minutes via the "min" param.
        {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
-       {"UseDnsHttpsSvcbSecureExtraTimeMin", "30m"}});
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "10m"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12778,9 +12498,9 @@ TEST_F(HostResolverManagerDnsTest,
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12807,15 +12527,16 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInInsecureAddressQueryWithOnlyMaxTimeout) {
   const char kName[] = "name.test";
 
-  // Set an absolute timeout of 10 minutes via the "max" param.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnableInsecure", "true"},
-       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
-       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+      {// Set an Insecure absolute timeout of 10 minutes via the "max" param.
        {"UseDnsHttpsSvcbInsecureExtraTimeMax", "10m"},
-       {"UseDnsHttpsSvcbSecureExtraTimeMin", "30m"}});
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12838,9 +12559,9 @@ TEST_F(HostResolverManagerDnsTest,
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12867,15 +12588,16 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInInsecureAddressQueryWithRelativeTimeout) {
   const char kName[] = "name.test";
 
-  // Set a relative timeout of 10%.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnableInsecure", "true"},
-       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
-       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "10"},
+      {// Set an Insecure relative timeout of 10%.
        {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
-       {"UseDnsHttpsSvcbSecureExtraTimeMin", "30m"}});
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "10"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -12898,9 +12620,9 @@ TEST_F(HostResolverManagerDnsTest,
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -12931,210 +12653,22 @@ TEST_F(HostResolverManagerDnsTest,
   EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
 }
 
-TEST_F(HostResolverManagerDnsTest, HttpsInAddressQueryWithLegacyTimeouts) {
+// Test that HTTPS timeouts are not used when fatal for the request.
+TEST_F(HostResolverManagerDnsTest,
+       HttpsInAddressQueryWaitsWithoutTimeoutIfFatal) {
   const char kName[] = "name.test";
 
-  // Set an absolute timeout of 30s and a relative timeout of 100%.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbExtraTimeAbsolute", "30s"},
-       {"UseDnsHttpsSvcbExtraTimePercent", "100"},
+      {// Set timeouts but also enforce secure responses.
+       {"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
        {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
        {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
        {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
        {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
        {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
-       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsServiceRecord(kName, /*priority=*/1, /*service_name=*/".",
-                                  /*params=*/{})};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, /*secure=*/true,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     /*delay=*/true);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/true);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/true);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kAutomatic;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-  RunUntilIdle();
-  EXPECT_FALSE(response.complete());
-
-  // Complete final address transaction after 4 minutes total.
-  FastForwardBy(base::Minutes(2));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  FastForwardBy(base::Minutes(2));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-  RunUntilIdle();
-  EXPECT_FALSE(response.complete());
-
-  // Wait until 1 second before expected timeout (from the absolute timeout).
-  FastForwardBy(base::Seconds(29));
-  RunUntilIdle();
-  EXPECT_FALSE(response.complete());
-
-  // Exceed expected timeout.
-  FastForwardBy(base::Seconds(2));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  // No experimental results if transaction did not complete.
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       HttpsInSecureAddressQueryWithTimeoutOverridingLegacyTimeouts) {
-  const char kName[] = "name.test";
-
-  // Set long legacy timeouts, and a single short 1m timeout using the new
-  // params.
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbSecureExtraTimeMin", "1m"},
-       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
-       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
-       {"UseDnsHttpsSvcbExtraTimeAbsolute", "30m"},
-       {"UseDnsHttpsSvcbExtraTimePercent", "500"}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsServiceRecord(kName, /*priority=*/1, /*service_name=*/".",
-                                  /*params=*/{})};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, /*secure=*/true,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     /*delay=*/true);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-  RunUntilIdle();
-  EXPECT_FALSE(response.complete());
-
-  // Exceed expected timeout.
-  FastForwardBy(base::Minutes(1) + base::Seconds(1));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  // No experimental results if transaction did not complete.
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       HttpsInInsecureAddressQueryWithTimeoutOverridingLegacyTimeouts) {
-  const char kName[] = "name.test";
-
-  // Set long legacy timeouts, and a single short 1m timeout using the new
-  // params.
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbEnableInsecure", "true"},
-       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "1m"},
-       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
-       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
-       {"UseDnsHttpsSvcbExtraTimeAbsolute", "30m"},
-       {"UseDnsHttpsSvcbExtraTimePercent", "500"}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsServiceRecord(kName, /*priority=*/1, /*service_name=*/".",
-                                  /*params=*/{})};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, /*secure=*/false,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     /*delay=*/true);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-  RunUntilIdle();
-  EXPECT_FALSE(response.complete());
-
-  // Exceed expected timeout.
-  FastForwardBy(base::Minutes(1) + base::Seconds(1));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  // No experimental results if transaction did not complete.
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-// Test that HTTPS timeouts are not used when fatal for the request.
-TEST_F(HostResolverManagerDnsTest,
-       HttpsInAddressQueryWaitsWithoutTimeoutIfFatal) {
-  const char kName[] = "name.test";
-
-  // Set timeouts but also enforce secure responses.
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbSecureExtraTimeMin", "20m"},
-       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
-       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
-       {"UseDnsHttpsSvcbEnforceSecureResponse", "true"}});
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "20m"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -13160,9 +12694,9 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -13196,15 +12730,17 @@ TEST_F(HostResolverManagerDnsTest,
        HttpsInAddressQueryAlwaysRespectsTimeoutsForInsecure) {
   const char kName[] = "name.test";
 
-  // Set timeouts but also enforce secure responses.
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
       features::kUseDnsHttpsSvcb,
-      {{"UseDnsHttpsSvcbInsecureExtraTimeMin", "20m"},
-       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
-       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+      {// Set timeouts but also enforce secure responses.
        {"UseDnsHttpsSvcbEnforceSecureResponse", "true"},
-       {"UseDnsHttpsSvcbEnableInsecure", "true"}});
+       {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbInsecureExtraTimeMin", "20m"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
   MockDnsClientRuleList rules;
   std::vector<DnsResourceRecord> records = {
@@ -13227,9 +12763,9 @@ TEST_F(HostResolverManagerDnsTest,
   UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 443), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
+      url::SchemeHostPort(url::kHttpsScheme, kName, 443),
+      NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt,
+      resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
   EXPECT_FALSE(response.complete());
 
@@ -13250,968 +12786,6 @@ TEST_F(HostResolverManagerDnsTest,
   EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
 }
 
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsInAddressQuery) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, true /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInAddressQueryWithMultipleResults) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test"),
-      BuildTestHttpsAliasRecord(kName, "another-alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, true /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::UnorderedElementsAre(true, true)));
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInAddressQueryWithMalformedResult) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test"),
-      BuildTestHttpsAliasRecord(kName, "another-alias.test"),
-      BuildTestDnsRecord(kName, dns_protocol::kTypeHttps,
-                         "malformed rdata" /* rdata */)};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, true /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-
-  // HTTPS records cannot be read if any are malformed.
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::IsEmpty()));
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInAddressQuery_AddressesOnly) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::IsEmpty()));
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsInAddressQuery_HttpsOnly) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, true /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  // Results never saved when overall result not OK.
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInAddressQuery_AddressError) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, true /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  // Results never saved when overall result not OK.
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsInAddressQuery_HttpsError) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::IsEmpty()));
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       MalformedExperimentalHttpsResponseInAddressRequestIsIgnored) {
-  const char kName[] = "name.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kMalformed),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 108), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::IsEmpty()));
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       MalformedExperimentalHttpsRecordInAddressRequestIsIgnored) {
-  const char kName[] = "name.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, /*secure=*/true,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, /*answers=*/
-                         {BuildTestDnsRecord(kName, dns_protocol::kTypeHttps,
-                                             /*rdata=*/"malformed rdata")})),
-                     /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      url::SchemeHostPort(url::kHttpsScheme, kName, 108), NetworkIsolationKey(),
-      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::IsEmpty()));
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsInAddressQuery_NoData) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  EXPECT_FALSE(response.request()->GetAddressResults());
-  EXPECT_FALSE(response.request()->GetEndpointResults());
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  // Results never saved when overall result not OK.
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest, ExperimentalHttpsInAddressQuery_HttpsLast) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, true /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     true /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-
-  base::RunLoop().RunUntilIdle();
-  ASSERT_FALSE(response.complete());
-
-  ASSERT_TRUE(dns_client_->CompleteOneDelayedTransactionOfType(
-      DnsQueryType::HTTPS_EXPERIMENTAL));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInAddressQuery_AddressesLast) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, true /* secure */,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      true /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      true /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-
-  base::RunLoop().RunUntilIdle();
-  ASSERT_FALSE(response.complete());
-
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInInsecureAddressQueryDisallowedWhenParamDisabled) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc,
-      {{"DnsHttpssvcUseHttpssvc", "true"},
-       {"DnsHttpssvcExperimentDomains", kName},
-       {"DnsHttpssvcEnableQueryOverInsecure", "false"}});
-
-  MockDnsClientRuleList rules;
-  // No expected HTTPS request in insecure mode.
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kOff;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(
-    HostResolverManagerDnsTest,
-    ExperimentalHttpsInInsecureAddressQueryAllowedWhenInsecureFeatureEnabled) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName},
-                               {"DnsHttpssvcEnableQueryOverInsecure", "true"}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, /*secure=*/false,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kOff;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      /*optional_parameters=*/absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(
-    HostResolverManagerDnsTest,
-    ExperimentalHttpsInInsecureAddressQueryDisallowedWithoutAdditionalTypes) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName},
-                               {"DnsHttpssvcEnableQueryOverInsecure", "true"}});
-
-  MockDnsClientRuleList rules;
-  // Use a delayed rule to hang if an unexpected HTTPS query is made. Allows the
-  // test to fail on unexpected query whether or not HTTPS query errors are
-  // ignored.
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      /*delay=*/true);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kOff;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  resolver_->SetInsecureDnsClientEnabled(
-      /*enabled=*/true,
-      /*additional_dns_types_enabled=*/false);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      /*optional_parameters=*/absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInSecureAddressQueryAllowedWithoutAdditionalTypes) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName},
-                               {"DnsHttpssvcEnableQueryOverInsecure", "true"}});
-
-  MockDnsClientRuleList rules;
-  std::vector<DnsResourceRecord> records = {
-      BuildTestHttpsAliasRecord(kName, "alias.test")};
-  rules.emplace_back(kName, dns_protocol::kTypeHttps, /*secure=*/true,
-                     MockDnsClientRule::Result(BuildTestDnsResponse(
-                         kName, dns_protocol::kTypeHttps, records)),
-                     /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  resolver_->SetInsecureDnsClientEnabled(
-      /*enabled=*/true,
-      /*additional_dns_types_enabled=*/false);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      /*optional_parameters=*/absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::ElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInAddressFallbackDisallowedWithoutAdditionalTypes) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName},
-                               {"DnsHttpssvcEnableQueryOverInsecure", "true"}});
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/true,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      /*delay=*/false);
-  // Use a delayed rule to hang if an unexpected HTTPS query is made. Allows the
-  // test to fail on unexpected query whether or not HTTPS query errors are
-  // ignored.
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      /*delay=*/true);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, /*secure=*/false,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      /*delay=*/false);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kAutomatic;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  resolver_->SetInsecureDnsClientEnabled(
-      /*enabled=*/true,
-      /*additional_dns_types_enabled=*/false);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      /*optional_parameters=*/absl::nullopt, resolve_context_.get(),
-      resolve_context_->host_cache()));
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest,
-       ExperimentalHttpsInAddressQuery_ExperimentalTimeout) {
-  const char kName[] = "combined.test";
-  const base::TimeDelta kTimeout = base::Seconds(2);
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc,
-      {{"DnsHttpssvcUseHttpssvc", "true"},
-       {"DnsHttpssvcExperimentDomains", kName},
-       {"DnsHttpssvcExtraTimeMs",
-        base::NumberToString(kTimeout.InMilliseconds())}});
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kFail),
-      true /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-
-  base::RunLoop().RunUntilIdle();
-  EXPECT_FALSE(response.complete());
-
-  FastForwardBy(kTimeout);
-  EXPECT_TRUE(response.complete());
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
-TEST_F(HostResolverManagerDnsTest, MultipleExperimentalQueries) {
-  const char kName[] = "combined.test";
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc, {{"DnsHttpssvcUseHttpssvc", "true"},
-                               {"DnsHttpssvcUseIntegrity", "true"},
-                               {"DnsHttpssvcExperimentDomains", kName}});
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kExperimentalTypeIntegrity, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_THAT(response.request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(testing::IsEmpty()));
-}
-
-TEST_F(HostResolverManagerDnsTest, MultipleExperimentalQueries_Timeout) {
-  const char kName[] = "combined.test";
-  const base::TimeDelta kTimeout = base::Seconds(2);
-
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kDnsHttpssvc,
-      {{"DnsHttpssvcUseHttpssvc", "true"},
-       {"DnsHttpssvcUseIntegrity", "true"},
-       {"DnsHttpssvcExperimentDomains", kName},
-       {"DnsHttpssvcExtraTimeMs",
-        base::NumberToString(kTimeout.InMilliseconds())}});
-
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      kName, dns_protocol::kTypeHttps, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      true /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kExperimentalTypeIntegrity, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kEmpty),
-      true /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-  rules.emplace_back(
-      kName, dns_protocol::kTypeAAAA, true /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-      false /* delay */);
-
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  DnsConfigOverrides overrides;
-  overrides.secure_dns_mode = SecureDnsMode::kSecure;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
-      absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
-
-  base::RunLoop().RunUntilIdle();
-  EXPECT_FALSE(response.complete());
-
-  FastForwardBy(kTimeout);
-  EXPECT_TRUE(response.complete());
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-  EXPECT_THAT(response.request()->GetEndpointResults(),
-              testing::Pointee(testing::ElementsAre(
-                  ExpectEndpointResult(testing::SizeIs(2)))));
-  EXPECT_FALSE(response.request()->GetTextResults());
-  EXPECT_FALSE(response.request()->GetHostnameResults());
-  EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
-}
-
 TEST_F(HostResolverManagerDnsTest, UnsolicitedHttps) {
   const char kName[] = "unsolicited.test";
 
@@ -14237,7 +12811,7 @@ TEST_F(HostResolverManagerDnsTest, UnsolicitedHttps) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kName, 108), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair(kName, 108), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_TRUE(response.request()->GetAddressResults());
@@ -14250,642 +12824,6 @@ TEST_F(HostResolverManagerDnsTest, UnsolicitedHttps) {
   EXPECT_FALSE(response.request()->GetExperimentalResultsForTesting());
 }
 
-class HostResolverManagerDnsTestIntegrity : public HostResolverManagerDnsTest {
- public:
-  HostResolverManagerDnsTestIntegrity()
-      : HostResolverManagerDnsTest(
-            base::test::TaskEnvironment::TimeSource::MOCK_TIME) {
-    const base::FieldTrialParams params = {
-        {"DnsHttpssvcUseIntegrity", "true"},
-        {"DnsHttpssvcExperimentDomains", "host"},
-        {"DnsHttpssvcControlDomains", ""},
-        {"DnsHttpssvcEnableQueryOverInsecure", "false"},
-    };
-    scoped_feature_list_.InitAndEnableFeatureWithParameters(
-        features::kDnsHttpssvc, params);
-  }
-
- protected:
-  struct IntegrityAddRulesOptions {
-    bool add_a = true;
-    bool add_aaaa = true;
-    bool add_integrity = true;
-    bool integrity_mangled = false;
-
-    bool secure_a = true;
-    bool secure_aaaa = true;
-    bool secure_integrity = true;
-
-    bool delay_a = false;
-    bool delay_aaaa = false;
-    bool delay_integrity = false;
-  };
-
-  std::vector<uint8_t> GetValidIntegrityRdata() {
-    const IntegrityRecordRdata kValidRecord({'f', 'o', 'o'});
-    absl::optional<std::vector<uint8_t>> valid_serialized =
-        kValidRecord.Serialize();
-    CHECK(valid_serialized);
-    return *valid_serialized;
-  }
-
-  std::vector<uint8_t> GetMangledIntegrityRdata() {
-    std::vector<uint8_t> rdata = GetValidIntegrityRdata();
-    constexpr size_t kOffset = 2u;
-    CHECK_GT(rdata.size(), kOffset);
-    // Create a mangled version of |kValidRecord| by erasing a byte.
-    rdata.erase(rdata.begin() + kOffset);
-    return rdata;
-  }
-
-  void AddRules(MockDnsClientRuleList rules,
-                const IntegrityAddRulesOptions& options) {
-    if (options.add_a) {
-      rules.emplace_back(
-          "host", dns_protocol::kTypeA, options.secure_a,
-          MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-          options.delay_a);
-    }
-
-    if (options.add_aaaa) {
-      rules.emplace_back(
-          "host", dns_protocol::kTypeAAAA, options.secure_aaaa,
-          MockDnsClientRule::Result(MockDnsClientRule::ResultType::kOk),
-          options.delay_aaaa);
-    }
-
-    if (options.add_integrity) {
-      std::vector<uint8_t> integrity_rdata = options.integrity_mangled
-                                                 ? GetMangledIntegrityRdata()
-                                                 : GetValidIntegrityRdata();
-      std::string integrity_rdata_str(integrity_rdata.begin(),
-                                      integrity_rdata.end());
-      std::vector<DnsResourceRecord> answers{
-          BuildTestDnsRecord("host", dns_protocol::kExperimentalTypeIntegrity,
-                             std::move(integrity_rdata_str))};
-      DnsResponse response = BuildTestDnsResponse(
-          "host", dns_protocol::kExperimentalTypeIntegrity, answers);
-
-      rules.emplace_back("host", dns_protocol::kExperimentalTypeIntegrity,
-                         options.secure_integrity,
-                         MockDnsClientRule::Result(std::move(response)),
-                         options.delay_integrity);
-    }
-
-    CreateResolver();
-    UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-  }
-
-  std::unique_ptr<ResolveHostResponseHelper> DoIntegrityQuery(bool use_secure) {
-    if (use_secure) {
-      DnsConfigOverrides overrides;
-      overrides.secure_dns_mode = SecureDnsMode::kSecure;
-      resolver_->SetDnsConfigOverrides(overrides);
-    }
-
-    return std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-        HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
-        HostResolver::ResolveHostParameters(), resolve_context_.get(),
-        resolve_context_->host_cache()));
-  }
-
-  base::test::ScopedFeatureList scoped_feature_list_;
-};
-
-TEST_F(HostResolverManagerDnsTestIntegrity, IntegrityQuery) {
-  AddRules(CreateDefaultDnsRules(), IntegrityAddRulesOptions());
-
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  EXPECT_THAT(response->result_error(), IsOk());
-  EXPECT_TRUE(response->request()->GetAddressResults());
-  EXPECT_TRUE(response->request()->GetEndpointResults());
-  EXPECT_FALSE(response->request()->GetTextResults());
-  EXPECT_THAT(response->request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(UnorderedElementsAre(true)));
-}
-
-TEST_F(HostResolverManagerDnsTestIntegrity, IntegrityQueryMangled) {
-  IntegrityAddRulesOptions options;
-  options.integrity_mangled = true;
-  AddRules(CreateDefaultDnsRules(), options);
-
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  EXPECT_THAT(response->result_error(), IsOk());
-  EXPECT_TRUE(response->request()->GetAddressResults());
-  EXPECT_TRUE(response->request()->GetEndpointResults());
-  EXPECT_FALSE(response->request()->GetTextResults());
-  EXPECT_THAT(response->request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(UnorderedElementsAre(false)));
-}
-
-TEST_F(HostResolverManagerDnsTestIntegrity, IntegrityQueryOnlyOverSecure) {
-  IntegrityAddRulesOptions rules_options;
-  rules_options.secure_a = false;
-  rules_options.secure_aaaa = false;
-  rules_options.secure_integrity = false;
-
-  AddRules(CreateDefaultDnsRules(), rules_options);
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(false /* use_secure */);
-
-  EXPECT_THAT(response->result_error(), IsOk());
-  EXPECT_FALSE(response->request()->GetExperimentalResultsForTesting());
-}
-
-// Ensure that the address results are preserved, even when the INTEGRITY query
-// completes last.
-TEST_F(HostResolverManagerDnsTestIntegrity, IntegrityQueryCompletesLast) {
-  IntegrityAddRulesOptions rules_options;
-  rules_options.delay_a = true;
-  rules_options.delay_aaaa = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(CreateDefaultDnsRules(), rules_options);
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  constexpr base::TimeDelta kQuantum = base::Milliseconds(1);
-
-  FastForwardBy(100 * kQuantum);
-
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_TRUE(dns_client_->CompleteOneDelayedTransactionOfType(
-      DnsQueryType::INTEGRITY));
-
-  // Above, the A/AAAA queries took 100 time units. We only fast forward by 1
-  // time unit (1%) before answering the INTEGRITY query, to avoid triggering
-  // the timeout logic. This should work, assuming
-  //   (1) the relative timeout is > 1% and
-  //   (2) the absolute timeout is < (101 * kQuantum).
-  FastForwardBy(kQuantum);
-
-  ASSERT_THAT(response->result_error(), IsOk());
-  ASSERT_TRUE(response->request()->GetAddressResults());
-  EXPECT_THAT(response->request()->GetAddressResults()->endpoints(),
-              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 108),
-                                            CreateExpected("::1", 108)));
-  EXPECT_THAT(
-      response->request()->GetEndpointResults(),
-      testing::Pointee(testing::ElementsAre(
-          ExpectEndpointResult(testing::UnorderedElementsAre(
-              CreateExpected("::1", 108), CreateExpected("127.0.0.1", 108))))));
-  // If this expectation fails, the INTEGRITY query was probably timed out.
-  // Check the |kDnsHttpssvcExtraTimeMs| and |kDnsHttpssvcExtraTimePercent|
-  // feature params in relation to this test's FastForward steps.
-  EXPECT_THAT(response->request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(UnorderedElementsAre(true)));
-}
-
-// Ensure that a successful INTEGRITY query cannot mask the appropriate
-// ERR_NAME_NOT_RESOLVED of A/AAAA responses with empty bodies.
-TEST_F(HostResolverManagerDnsTestIntegrity,
-       IntegrityQueryCannotMaskAddressNodata) {
-  net::MockDnsClientRuleList rules;
-  AddSecureDnsRule(&rules, "host", dns_protocol::kTypeA,
-                   MockDnsClientRule::ResultType::kEmpty, true /* delay */);
-  AddSecureDnsRule(&rules, "host", dns_protocol::kTypeAAAA,
-                   MockDnsClientRule::ResultType::kEmpty, true /* delay */);
-
-  IntegrityAddRulesOptions rules_options;
-  rules_options.add_a = false;
-  rules_options.add_aaaa = false;
-  rules_options.add_integrity = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(std::move(rules), rules_options);
-
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  ASSERT_TRUE(dns_client_->CompleteOneDelayedTransactionOfType(
-      DnsQueryType::INTEGRITY));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  ASSERT_EQ(response->result_error(), net::ERR_NAME_NOT_RESOLVED);
-}
-
-// Ensure that a successful INTEGRITY query cannot mask the appropriate
-// ERR_NAME_NOT_RESOLVED of A/AAAA queries that fail.
-TEST_F(HostResolverManagerDnsTestIntegrity,
-       IntegrityQueryCannotMaskAddressFail) {
-  net::MockDnsClientRuleList rules;
-  AddSecureDnsRule(&rules, "host", dns_protocol::kTypeA,
-                   MockDnsClientRule::ResultType::kFail, true /* delay */);
-  AddSecureDnsRule(&rules, "host", dns_protocol::kTypeAAAA,
-                   MockDnsClientRule::ResultType::kFail, true /* delay */);
-
-  IntegrityAddRulesOptions rules_options;
-  rules_options.add_a = false;
-  rules_options.add_aaaa = false;
-  rules_options.add_integrity = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(std::move(rules), rules_options);
-
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  ASSERT_TRUE(dns_client_->CompleteOneDelayedTransactionOfType(
-      DnsQueryType::INTEGRITY));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  // After the A query fails, the pending AAAA query is cleared.
-  ASSERT_FALSE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  ASSERT_EQ(response->result_error(), net::ERR_NAME_NOT_RESOLVED);
-}
-
-// For symmetry with |IntegrityQueryCompletesLast|, test the case where the
-// INTEGRITY query completes first.
-TEST_F(HostResolverManagerDnsTestIntegrity, IntegrityQueryCompletesFirst) {
-  IntegrityAddRulesOptions rules_options;
-  rules_options.delay_a = true;
-  rules_options.delay_aaaa = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(CreateDefaultDnsRules(), rules_options);
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  constexpr base::TimeDelta kQuantum = base::Milliseconds(10);
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_TRUE(dns_client_->CompleteOneDelayedTransactionOfType(
-      DnsQueryType::INTEGRITY));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_THAT(response->result_error(), IsOk());
-  EXPECT_THAT(response->request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(UnorderedElementsAre(true)));
-  ASSERT_TRUE(response->request()->GetAddressResults());
-  EXPECT_THAT(response->request()->GetAddressResults()->endpoints(),
-              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 108),
-                                            CreateExpected("::1", 108)));
-  EXPECT_THAT(
-      response->request()->GetEndpointResults(),
-      testing::Pointee(testing::ElementsAre(
-          ExpectEndpointResult(testing::UnorderedElementsAre(
-              CreateExpected("::1", 108), CreateExpected("127.0.0.1", 108))))));
-}
-
-// Ensure that the address results are preserved, even when the INTEGRITY query
-// completes last and fails.
-TEST_F(HostResolverManagerDnsTestIntegrity,
-       IntegrityQueryCompletesLastWithError) {
-  IntegrityAddRulesOptions rules_options;
-  rules_options.add_a = true;
-  rules_options.add_aaaa = true;
-  rules_options.add_integrity = false;
-
-  rules_options.delay_a = true;
-  rules_options.delay_aaaa = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(CreateDefaultDnsRules(), rules_options);
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  constexpr base::TimeDelta kQuantum = base::Milliseconds(1);
-
-  FastForwardBy(100 * kQuantum);
-
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_FALSE(dns_client_->CompleteOneDelayedTransactionOfType(
-      DnsQueryType::INTEGRITY));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_THAT(response->result_error(), IsOk());
-  ASSERT_TRUE(response->request()->GetAddressResults());
-  EXPECT_THAT(response->request()->GetAddressResults()->endpoints(),
-              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 108),
-                                            CreateExpected("::1", 108)));
-  EXPECT_THAT(
-      response->request()->GetEndpointResults(),
-      testing::Pointee(testing::ElementsAre(
-          ExpectEndpointResult(testing::UnorderedElementsAre(
-              CreateExpected("::1", 108), CreateExpected("127.0.0.1", 108))))));
-  EXPECT_THAT(response->request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(IsEmpty()));
-}
-
-// Ensure that the address results are preserved, even when the INTEGRITY query
-// completes first and fails.
-TEST_F(HostResolverManagerDnsTestIntegrity,
-       IntegrityQueryCompletesFirstWithError) {
-  IntegrityAddRulesOptions rules_options;
-  rules_options.add_a = true;
-  rules_options.add_aaaa = true;
-  rules_options.add_integrity = false;
-
-  rules_options.delay_a = true;
-  rules_options.delay_aaaa = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(CreateDefaultDnsRules(), rules_options);
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  constexpr base::TimeDelta kQuantum = base::Milliseconds(10);
-
-  FastForwardBy(kQuantum);
-
-  // This fails because there is no rule for the INTEGRITY query.
-  ASSERT_FALSE(dns_client_->CompleteOneDelayedTransactionOfType(
-      DnsQueryType::INTEGRITY));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_THAT(response->result_error(), IsOk());
-  EXPECT_THAT(response->request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(IsEmpty()));
-  ASSERT_TRUE(response->request()->GetAddressResults());
-  EXPECT_THAT(response->request()->GetAddressResults()->endpoints(),
-              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 108),
-                                            CreateExpected("::1", 108)));
-  EXPECT_THAT(
-      response->request()->GetEndpointResults(),
-      testing::Pointee(testing::ElementsAre(
-          ExpectEndpointResult(testing::UnorderedElementsAre(
-              CreateExpected("::1", 108), CreateExpected("127.0.0.1", 108))))));
-}
-
-TEST_F(HostResolverManagerDnsTestIntegrity,
-       IntegrityQueryCompletesLastMangled) {
-  IntegrityAddRulesOptions rules_options;
-  rules_options.integrity_mangled = true;
-
-  rules_options.delay_a = true;
-  rules_options.delay_aaaa = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(CreateDefaultDnsRules(), rules_options);
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  constexpr base::TimeDelta kQuantum = base::Milliseconds(1);
-
-  FastForwardBy(100 * kQuantum);
-
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_TRUE(dns_client_->CompleteOneDelayedTransactionOfType(
-      DnsQueryType::INTEGRITY));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_THAT(response->result_error(), IsOk());
-  ASSERT_TRUE(response->request()->GetAddressResults());
-  EXPECT_THAT(response->request()->GetAddressResults()->endpoints(),
-              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 108),
-                                            CreateExpected("::1", 108)));
-  EXPECT_THAT(
-      response->request()->GetEndpointResults(),
-      testing::Pointee(testing::ElementsAre(
-          ExpectEndpointResult(testing::UnorderedElementsAre(
-              CreateExpected("::1", 108), CreateExpected("127.0.0.1", 108))))));
-  EXPECT_THAT(response->request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(UnorderedElementsAre(false)));
-}
-
-TEST_F(HostResolverManagerDnsTestIntegrity,
-       IntegrityQueryCompletesFirstMangled) {
-  IntegrityAddRulesOptions rules_options;
-  rules_options.integrity_mangled = true;
-
-  rules_options.delay_a = true;
-  rules_options.delay_aaaa = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(CreateDefaultDnsRules(), rules_options);
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  constexpr base::TimeDelta kQuantum = base::Milliseconds(10);
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_TRUE(dns_client_->CompleteOneDelayedTransactionOfType(
-      DnsQueryType::INTEGRITY));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  FastForwardBy(kQuantum);
-
-  ASSERT_THAT(response->result_error(), IsOk());
-  EXPECT_THAT(response->request()->GetExperimentalResultsForTesting(),
-              testing::Pointee(UnorderedElementsAre(false)));
-  ASSERT_TRUE(response->request()->GetAddressResults());
-  EXPECT_THAT(response->request()->GetAddressResults()->endpoints(),
-              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 108),
-                                            CreateExpected("::1", 108)));
-  EXPECT_THAT(
-      response->request()->GetEndpointResults(),
-      testing::Pointee(testing::ElementsAre(
-          ExpectEndpointResult(testing::UnorderedElementsAre(
-              CreateExpected("::1", 108), CreateExpected("127.0.0.1", 108))))));
-}
-
-// Make sure that INTEGRITY queries don't get cancelled *before* the configured
-// timeout, but do get cancelled after it, in the case where the absolute
-// timeout dominates.
-TEST_F(HostResolverManagerDnsTestIntegrity, RespectsAbsoluteTimeout) {
-  IntegrityAddRulesOptions rules_options;
-  rules_options.delay_a = true;
-  rules_options.delay_aaaa = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(CreateDefaultDnsRules(), rules_options);
-
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  //                                  relative_timeout
-  //                         ┌────────────────────────────────┤
-  //                         │
-  //                         │  absolute_timeout
-  //                         ├────────────────────┤
-  //       a_aaaa_elapsed    │                                             time
-  //    ├────────────────────┼─────────────────────────────────────────────────>
-  //   Now                   └ (moment when A and AAAA complete)
-  //
-  // When the A and AAAA queries complete, and only INTEGRITY remains, we start
-  // running the INTEGRITY timeout clock. This moment is |Now + a_aaaa_elapsed|,
-  // or just |a_aaaa_elapsed| if we let Now = 0. The INTEGRITY query is
-  // cancelled at the moment that |absolute_timeout| or |relative_timeout| runs
-  // out.
-  //
-  // The TimeDelta values of |absolute_timeout| and |relative_timeout| are
-  // computed from feature params.
-  //
-  //   absolute_timeout = a_aaaa_elapsed + ExtraMs.
-  //
-  //   relative_timeout = a_aaaa_elapsed * (1 + (ExtraPercent/100)).
-  //
-  // Assume ExtraMs > 0 and 0 < ExtraPercent < 100.
-  //
-  // For this test, we want the absolute timeout to happen *before* the relative
-  // timeout. Compute a value for a_aaaa_elapsed such that absolute_timeout
-  // comes before relative_timeout.
-  //
-  // Assuming ExtraPercent is not zero, we know that these two lines intersect
-  // for some value of a_aaaa_elapsed. Let's find it.
-  //
-  // Assume absolute_timeout = relative_timeout.
-  //   a_aaaa_elapsed + ExtraMs = a_aaaa_elapsed * (1 + (ExtraPercent / 100)).
-  //   ExtraMs = a_aaaa_elapsed * (1 + (ExtraPercent / 100)) - a_aaaa_elapsed.
-  //   ExtraMs = a_aaaa_elapsed * ((1 + (ExtraPercent / 100)) - 1).
-  //   ExtraMs / ((1 + (ExtraPercent / 100)) - 1) = a_aaaa_elapsed.
-  // Simplified:
-  //   a_aaaa_elapsed = 100 * ExtraMs / ExtraPercent.
-  //
-  // For values of a_aaaa_elapsed < 100 * ExtraMs / ExtraPercent,
-  // relative_timeout < absolute_timeout. For larger values, absolute_timeout >
-  // relative_timeout.
-
-  base::TimeDelta absolute_timeout =
-      base::Milliseconds(features::kDnsHttpssvcExtraTimeMs.Get());
-  base::TimeDelta intersection =
-      100 * absolute_timeout / features::kDnsHttpssvcExtraTimePercent.Get();
-
-  // Let enough time pass during the A and AAAA transactions that the
-  // absolute timeout will be less than the relative timeout.
-  base::TimeDelta a_aaaa_elapsed = 50 * intersection;
-
-  FastForwardBy(a_aaaa_elapsed);
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  // Since the A and AAAA queries have only just completed, we shouldn't
-  // have timed out the INTEGRITY query.
-  EXPECT_FALSE(response->complete());
-
-  // After half of the absolute timeout, the query should still be alive.
-  FastForwardBy(absolute_timeout / 2);
-
-  // Since the absolute timeout has not yet elapsed, and it is shorter by
-  // design than the relative timeout, we shouldn't
-  // have timed out the INTEGRITY transaction.
-  EXPECT_FALSE(response->complete());
-
-  // After (more than) the timeout has passed, we should have cancelled
-  // the INTEGRITY transaction.
-  FastForwardBy(absolute_timeout);
-  ASSERT_THAT(response->result_error(), IsOk());
-
-  // Since we cancelled the transaction, we shouldn't have any INTEGRITY
-  // results.
-  EXPECT_FALSE(response->request()->GetExperimentalResultsForTesting());
-
-  // Out of paranoia, pass some more time to ensure no crashes occur.
-  FastForwardBy(base::Milliseconds(100));
-}
-
-TEST_F(HostResolverManagerDnsTestIntegrity, RespectsRelativeTimeout) {
-  IntegrityAddRulesOptions rules_options;
-  rules_options.delay_a = false;
-  rules_options.delay_aaaa = true;
-  rules_options.delay_integrity = true;
-
-  AddRules(CreateDefaultDnsRules(), rules_options);
-
-  std::unique_ptr<ResolveHostResponseHelper> response =
-      DoIntegrityQuery(true /* use_secure */);
-
-  base::TimeDelta absolute_timeout =
-      base::Milliseconds(features::kDnsHttpssvcExtraTimeMs.Get());
-  base::TimeDelta intersection =
-      100 * absolute_timeout / features::kDnsHttpssvcExtraTimePercent.Get();
-
-  // Let little enough time pass during the A and AAAA transactions that the
-  // relative timeout will be less than the absolute timeout.
-  base::TimeDelta a_aaaa_elapsed = 0.05 * intersection;
-
-  // Since the A and AAAA queries haven't both completed yet, we shouldn't time
-  // out the INTEGRITY query.
-  FastForwardBy(a_aaaa_elapsed);
-
-  // Upon completing the AAAA transaction, the INTEGRITY timer should start
-  ASSERT_TRUE(
-      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
-
-  base::TimeDelta relative_timeout =
-      a_aaaa_elapsed * features::kDnsHttpssvcExtraTimePercent.Get() / 100;
-
-  // After *less* than the relative timeout, the query shouldn't have concluded.
-  FastForwardBy(relative_timeout * 0.5);
-
-  EXPECT_FALSE(response->complete());
-
-  // After more than the relative timeout, the query should conclude by aborting
-  // the INTEGRITY query.
-  FastForwardBy(relative_timeout);
-
-  // The task should have completed with a cancelled INTEGRITY query.
-  ASSERT_THAT(response->result_error(), IsOk());
-  EXPECT_FALSE(response->request()->GetExperimentalResultsForTesting());
-  ASSERT_TRUE(response->request()->GetAddressResults());
-  EXPECT_THAT(response->request()->GetAddressResults()->endpoints(),
-              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 108),
-                                            CreateExpected("::1", 108)));
-  EXPECT_THAT(
-      response->request()->GetEndpointResults(),
-      testing::Pointee(testing::ElementsAre(
-          ExpectEndpointResult(testing::UnorderedElementsAre(
-              CreateExpected("::1", 108), CreateExpected("127.0.0.1", 108))))));
-
-  // Out of paranoia, pass some more time to ensure no crashes occur.
-  FastForwardBy(base::Milliseconds(100));
-}
-
 TEST_F(HostResolverManagerDnsTest, DohProbeRequest) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
@@ -14975,7 +12913,7 @@ TEST_F(HostResolverManagerDnsTest,
        NewlyRegisteredContext_ConfigBeforeRegistration) {
   ResolveContext context(nullptr /* url_request_context */,
                          true /* enable_caching */);
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
   DnsConfigOverrides overrides;
   overrides.secure_dns_mode = SecureDnsMode::kSecure;
@@ -14995,7 +12933,7 @@ TEST_F(HostResolverManagerDnsTest,
   context.RecordServerSuccess(0u /* server_index */, true /* is_doh_server */,
                               dns_client_->GetCurrentSession());
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, &context, context.host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
 
@@ -15008,7 +12946,7 @@ TEST_F(HostResolverManagerDnsTest,
        NewlyRegisteredContext_NoConfigAtRegistration) {
   ResolveContext context(nullptr /* url_request_context */,
                          true /* enable_caching */);
-  set_allow_fallback_to_proctask(false);
+  set_allow_fallback_to_systemtask(false);
   InvalidateDnsConfig();
   DnsConfigOverrides overrides;
   overrides.secure_dns_mode = SecureDnsMode::kSecure;
@@ -15034,7 +12972,7 @@ TEST_F(HostResolverManagerDnsTest,
   context.RecordServerSuccess(0u /* server_index */, true /* is_doh_server */,
                               dns_client_->GetCurrentSession());
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("secure", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       absl::nullopt, &context, context.host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
 
@@ -15051,7 +12989,7 @@ TEST_F(HostResolverManagerDnsTest, AvoidMulticastIgnoredWithDnsTask) {
   parameters.avoid_multicast_resolution = true;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostPortPair("ok", 80), NetworkAnonymizationKey(), NetLogWithSource(),
       parameters, resolve_context_.get(), resolve_context_->host_cache()));
   EXPECT_THAT(response.result_error(), IsOk());
 }
@@ -15063,7 +13001,15 @@ class HostResolverManagerBootstrapTest : public HostResolverManagerDnsTest {
   void SetUp() override {
     // The request host scheme and port are only preserved if the SVCB feature
     // is enabled.
-    features.InitAndEnableFeature(features::kUseDnsHttpsSvcb);
+    features.InitAndEnableFeatureWithParameters(
+        features::kUseDnsHttpsSvcb,
+        {// Disable timeouts.
+         {"UseDnsHttpsSvcbInsecureExtraTimeMax", "0"},
+         {"UseDnsHttpsSvcbInsecureExtraTimePercent", "0"},
+         {"UseDnsHttpsSvcbInsecureExtraTimeMin", "0"},
+         {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+         {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+         {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
 
     HostResolverManagerDnsTest::SetUp();
 
@@ -15073,7 +13019,7 @@ class HostResolverManagerBootstrapTest : public HostResolverManagerDnsTest {
     proc_->SignalMultiple(1u);  // Allow up to one proc query.
   }
 
-  const NetworkIsolationKey kIsolationKey;
+  const NetworkAnonymizationKey kAnonymizationKey;
   const url::SchemeHostPort kEndpoint =
       url::SchemeHostPort(url::kHttpsScheme, "bootstrap", 443);
   const std::vector<IPEndPoint> kCacheAddrs = {
@@ -15109,7 +13055,7 @@ class HostResolverManagerBootstrapTest : public HostResolverManagerDnsTest {
 
   HostCache::Key MakeCacheKey(bool secure) {
     HostCache::Key cache_key(kEndpoint, DnsQueryType::UNSPECIFIED, 0,
-                             HostResolverSource::ANY, kIsolationKey);
+                             HostResolverSource::ANY, kAnonymizationKey);
     cache_key.secure = secure;
     return cache_key;
   }
@@ -15146,7 +13092,7 @@ TEST_F(HostResolverManagerBootstrapTest, BlankSlate) {
                    /*secure_result=*/MockResult::kUnexpected);
 
   ResolveHostResponseHelper bootstrap_response(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_FALSE(bootstrap_response.complete());
@@ -15164,7 +13110,7 @@ TEST_F(HostResolverManagerBootstrapTest, InsecureCacheEntry) {
   PopulateCache(/*secure=*/false);
 
   ResolveHostResponseHelper bootstrap_response(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response.complete());
@@ -15182,7 +13128,7 @@ TEST_F(HostResolverManagerBootstrapTest, SecureCacheEntry) {
   PopulateCache(/*secure=*/true);
 
   ResolveHostResponseHelper bootstrap_response(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response.complete());
@@ -15200,7 +13146,7 @@ TEST_F(HostResolverManagerBootstrapTest, OnlyBootstrap) {
   dns_client_->set_preset_addrs(kBootstrapAddrs);
 
   ResolveHostResponseHelper bootstrap_response(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response.complete());
@@ -15232,7 +13178,7 @@ TEST_F(HostResolverManagerBootstrapTest, BootstrapAndInsecureCache) {
   PopulateCache(/*secure=*/false);
 
   ResolveHostResponseHelper bootstrap_response(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response.complete());
@@ -15264,7 +13210,7 @@ TEST_F(HostResolverManagerBootstrapTest, BootstrapAndSecureCacheEntry) {
   PopulateCache(/*secure=*/true);
 
   ResolveHostResponseHelper bootstrap_response(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response.complete());
@@ -15281,7 +13227,7 @@ TEST_F(HostResolverManagerBootstrapTest, BlankSlateFailure) {
                    /*secure_result=*/MockResult::kUnexpected);
 
   ResolveHostResponseHelper bootstrap_response(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_FALSE(bootstrap_response.complete());
@@ -15298,7 +13244,7 @@ TEST_F(HostResolverManagerBootstrapTest, BootstrapFollowupFailure) {
   dns_client_->set_preset_addrs(kBootstrapAddrs);
 
   ResolveHostResponseHelper bootstrap_response(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response.complete());
@@ -15325,7 +13271,7 @@ TEST_F(HostResolverManagerBootstrapTest, ContextClose) {
 
   // Trigger a followup request.
   ResolveHostResponseHelper bootstrap_response(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   // Deregistering the resolve context should clean up the pending followup job.
@@ -15344,14 +13290,14 @@ TEST_F(HostResolverManagerBootstrapTest, BootstrapAfterFollowup) {
 
   // Run bootstrap and its followup query.
   ResolveHostResponseHelper bootstrap_response1(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
 
   // The remote addresses are now in the secure cache.
   // Rerun bootstrap, which reads the secure cache results.
   ResolveHostResponseHelper bootstrap_response2(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response2.complete());
@@ -15370,13 +13316,13 @@ TEST_F(HostResolverManagerBootstrapTest, BootstrapFollowupFailureTwice) {
 
   // Run the bootstrap query and the followup, which will fail.
   ResolveHostResponseHelper bootstrap_response1(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
   RunUntilIdle();
 
   // Reissue the bootstrap query.
   ResolveHostResponseHelper bootstrap_response2(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response2.complete());
@@ -15402,7 +13348,7 @@ TEST_F(HostResolverManagerBootstrapTest, OnlyBootstrapTwice) {
   dns_client_->set_preset_addrs(kBootstrapAddrs);
 
   ResolveHostResponseHelper bootstrap_response1(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response1.complete());
@@ -15414,7 +13360,7 @@ TEST_F(HostResolverManagerBootstrapTest, OnlyBootstrapTwice) {
                   ExpectEndpointResult(AddressesMatch(kBootstrapAddrs)))));
 
   ResolveHostResponseHelper bootstrap_response2(resolver_->CreateRequest(
-      kEndpoint, kIsolationKey, NetLogWithSource(), bootstrap_params(),
+      kEndpoint, kAnonymizationKey, NetLogWithSource(), bootstrap_params(),
       resolve_context_.get(), resolve_context_->host_cache()));
 
   EXPECT_TRUE(bootstrap_response2.complete());
@@ -15437,4 +13383,148 @@ TEST_F(HostResolverManagerBootstrapTest, OnlyBootstrapTwice) {
                   ExpectEndpointResult(AddressesMatch(kRemoteAddrs)))));
 }
 
+TEST_F(HostResolverManagerTest, IPv4AddressLiteralInIPv6OnlyNetwork) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      /*enabled_features=*/{features::kUseNAT64ForIPv4Literal},
+      /*disabled_features=*/{});
+
+  HostResolver::ManagerOptions options = DefaultOptions();
+  CreateResolverWithOptionsAndParams(std::move(options), DefaultParams(proc_),
+                                     true /* ipv6_reachable */,
+                                     false /* ipv4_reachable */);
+  proc_->AddRule("ipv4only.arpa", ADDRESS_FAMILY_IPV6,
+                 "64:ff9b::c000:aa,64:ff9b::c000:ab,2001:db8:43::c000:aa,"
+                 "2001:db8:43::c000:ab");
+  proc_->SignalMultiple(1u);
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("192.168.1.42", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
+
+  EXPECT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.top_level_result_error(), IsOk());
+  EXPECT_THAT(
+      response.request()->GetAddressResults()->endpoints(),
+      testing::ElementsAre(CreateExpected("64:ff9b::c0a8:12a", 80),
+                           CreateExpected("2001:db8:43::c0a8:12a", 80)));
+  EXPECT_THAT(
+      response.request()->GetEndpointResults(),
+      testing::Pointee(testing::ElementsAre(ExpectEndpointResult(
+          testing::ElementsAre(CreateExpected("64:ff9b::c0a8:12a", 80),
+                               CreateExpected("2001:db8:43::c0a8:12a", 80))))));
+  EXPECT_FALSE(response.request()->GetStaleInfo());
+
+  ASSERT_TRUE(!proc_->GetCaptureList().empty());
+  EXPECT_EQ("ipv4only.arpa", proc_->GetCaptureList()[0].hostname);
+
+  const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
+      GetCacheHit(HostCache::Key(
+          "ipv4only.arpa", DnsQueryType::AAAA, 0 /* host_resolver_flags */,
+          HostResolverSource::ANY, NetworkAnonymizationKey()));
+  EXPECT_TRUE(cache_result);
+}
+
+TEST_F(HostResolverManagerTest, IPv4AddressLiteralInIPv6OnlyNetworkPort443) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      /*enabled_features=*/{features::kUseNAT64ForIPv4Literal},
+      /*disabled_features=*/{});
+
+  HostResolver::ManagerOptions options = DefaultOptions();
+  CreateResolverWithOptionsAndParams(std::move(options), DefaultParams(proc_),
+                                     true /* ipv6_reachable */,
+                                     false /* ipv4_reachable */);
+  proc_->AddRule("ipv4only.arpa", ADDRESS_FAMILY_IPV6,
+                 "64:ff9b::c000:aa,64:ff9b::c000:ab,2001:db8:43::c000:aa,"
+                 "2001:db8:43::c000:ab");
+  proc_->SignalMultiple(1u);
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("192.168.1.42", 443), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
+
+  EXPECT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.top_level_result_error(), IsOk());
+  EXPECT_THAT(
+      response.request()->GetAddressResults()->endpoints(),
+      testing::ElementsAre(CreateExpected("64:ff9b::c0a8:12a", 443),
+                           CreateExpected("2001:db8:43::c0a8:12a", 443)));
+  EXPECT_THAT(response.request()->GetEndpointResults(),
+              testing::Pointee(testing::ElementsAre(
+                  ExpectEndpointResult(testing::ElementsAre(
+                      CreateExpected("64:ff9b::c0a8:12a", 443),
+                      CreateExpected("2001:db8:43::c0a8:12a", 443))))));
+  EXPECT_FALSE(response.request()->GetStaleInfo());
+
+  ASSERT_TRUE(!proc_->GetCaptureList().empty());
+  EXPECT_EQ("ipv4only.arpa", proc_->GetCaptureList()[0].hostname);
+
+  const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
+      GetCacheHit(HostCache::Key(
+          "ipv4only.arpa", DnsQueryType::AAAA, 0 /* host_resolver_flags */,
+          HostResolverSource::ANY, NetworkAnonymizationKey()));
+  EXPECT_TRUE(cache_result);
+}
+
+TEST_F(HostResolverManagerTest, IPv4AddressLiteralInIPv6OnlyNetworkNoDns64) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      /*enabled_features=*/{features::kUseNAT64ForIPv4Literal},
+      /*disabled_features=*/{});
+
+  HostResolver::ManagerOptions options = DefaultOptions();
+  CreateResolverWithOptionsAndParams(std::move(options), DefaultParams(proc_),
+                                     true /* ipv6_reachable */,
+                                     false /* ipv4_reachable */);
+  proc_->AddRule("ipv4only.arpa", ADDRESS_FAMILY_IPV6, std::string());
+  proc_->SignalMultiple(1u);
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("192.168.1.42", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
+
+  EXPECT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.top_level_result_error(), IsOk());
+  EXPECT_THAT(response.request()->GetAddressResults()->endpoints(),
+              testing::ElementsAre(CreateExpected("192.168.1.42", 80)));
+  EXPECT_THAT(response.request()->GetEndpointResults(),
+              testing::Pointee(testing::ElementsAre(ExpectEndpointResult(
+                  testing::ElementsAre(CreateExpected("192.168.1.42", 80))))));
+  EXPECT_FALSE(response.request()->GetStaleInfo());
+}
+
+// Test when DNS returns bad IPv6 address of ipv4only.arpa., and the
+// IPv4 address of ipv4only.arpa is not contained in the IPv6 address.
+TEST_F(HostResolverManagerTest, IPv4AddressLiteralInIPv6OnlyNetworkBadAddress) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      /*enabled_features=*/{features::kUseNAT64ForIPv4Literal},
+      /*disabled_features=*/{});
+
+  HostResolver::ManagerOptions options = DefaultOptions();
+  CreateResolverWithOptionsAndParams(std::move(options), DefaultParams(proc_),
+                                     true /* ipv6_reachable */,
+                                     false /* ipv4_reachable */);
+  proc_->AddRule("ipv4only.arpa", ADDRESS_FAMILY_IPV6, "2001:db8::1");
+  proc_->SignalMultiple(1u);
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("192.168.1.42", 80), NetworkAnonymizationKey(),
+      NetLogWithSource(), absl::nullopt, resolve_context_.get(),
+      resolve_context_->host_cache()));
+
+  EXPECT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.top_level_result_error(), IsOk());
+  EXPECT_THAT(response.request()->GetAddressResults()->endpoints(),
+              testing::ElementsAre(CreateExpected("192.168.1.42", 80)));
+  EXPECT_THAT(response.request()->GetEndpointResults(),
+              testing::Pointee(testing::ElementsAre(ExpectEndpointResult(
+                  testing::ElementsAre(CreateExpected("192.168.1.42", 80))))));
+  EXPECT_FALSE(response.request()->GetStaleInfo());
+}
+
 }  // namespace net
diff --git a/chromium/net/dns/host_resolver_mdns_listener_impl.cc b/chromium/net/dns/host_resolver_mdns_listener_impl.cc
index a3b9e437106..6253a6bd723 100644
--- a/chromium/net/dns/host_resolver_mdns_listener_impl.cc
+++ b/chromium/net/dns/host_resolver_mdns_listener_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -73,9 +73,7 @@ void HostResolverMdnsListenerImpl::OnRecordUpdate(
 
   switch (query_type_) {
     case DnsQueryType::UNSPECIFIED:
-    case DnsQueryType::INTEGRITY:
     case DnsQueryType::HTTPS:
-    case DnsQueryType::HTTPS_EXPERIMENTAL:
       NOTREACHED();
       break;
     case DnsQueryType::A:
diff --git a/chromium/net/dns/host_resolver_mdns_listener_impl.h b/chromium/net/dns/host_resolver_mdns_listener_impl.h
index 8844e518326..b7b80c4dd5c 100644
--- a/chromium/net/dns/host_resolver_mdns_listener_impl.h
+++ b/chromium/net/dns/host_resolver_mdns_listener_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/host_resolver_mdns_task.cc b/chromium/net/dns/host_resolver_mdns_task.cc
index 79333b94744..2a837595c89 100644
--- a/chromium/net/dns/host_resolver_mdns_task.cc
+++ b/chromium/net/dns/host_resolver_mdns_task.cc
@@ -1,10 +1,9 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/dns/host_resolver_mdns_task.h"
 
-#include <algorithm>
 #include <utility>
 
 #include "base/bind.h"
@@ -12,6 +11,7 @@
 #include "base/location.h"
 #include "base/memory/raw_ptr.h"
 #include "base/notreached.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_util.h"
 #include "base/threading/sequenced_task_runner_handle.h"
 #include "net/base/ip_endpoint.h"
@@ -137,9 +137,7 @@ HostResolverMdnsTask::HostResolverMdnsTask(MDnsClient* mdns_client,
   DCHECK(!query_types.Empty());
   DCHECK(!query_types.Has(DnsQueryType::UNSPECIFIED));
 
-  static constexpr DnsQueryTypeSet kUnwantedQueries(
-      DnsQueryType::HTTPS, DnsQueryType::INTEGRITY,
-      DnsQueryType::HTTPS_EXPERIMENTAL);
+  static constexpr DnsQueryTypeSet kUnwantedQueries(DnsQueryType::HTTPS);
 
   for (DnsQueryType query_type : Difference(query_types, kUnwantedQueries))
     transactions_.emplace_back(query_type, this);
@@ -170,12 +168,11 @@ HostCache::Entry HostResolverMdnsTask::GetResults() const {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(!transactions_.empty());
   DCHECK(!completion_closure_);
-  DCHECK(std::all_of(transactions_.begin(), transactions_.end(),
-                     [](const Transaction& t) { return t.IsDone(); }));
+  DCHECK(base::ranges::all_of(transactions_,
+                              [](const Transaction& t) { return t.IsDone(); }));
 
   auto found_error =
-      std::find_if(transactions_.begin(), transactions_.end(),
-                   [](const Transaction& t) { return t.IsError(); });
+      base::ranges::find_if(transactions_, &Transaction::IsError);
   if (found_error != transactions_.end()) {
     return found_error->results();
   }
@@ -208,13 +205,9 @@ HostCache::Entry HostResolverMdnsTask::ParseResult(
     case DnsQueryType::UNSPECIFIED:
       // Should create two separate transactions with specified type.
     case DnsQueryType::HTTPS:
-    case DnsQueryType::HTTPS_EXPERIMENTAL:
       // Not supported.
       // TODO(ericorth@chromium.org): Consider support for HTTPS in mDNS if it
       // is ever decided to support HTTPS via non-DoH.
-    case DnsQueryType::INTEGRITY:
-      // INTEGRITY queries are not expected to be useful in mDNS, so they're not
-      // supported.
       NOTREACHED();
       return HostCache::Entry(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
     case DnsQueryType::A:
@@ -241,14 +234,14 @@ void HostResolverMdnsTask::CheckCompletion(bool post_needed) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
   // Finish immediately if any transactions completed with an error.
-  if (std::any_of(transactions_.begin(), transactions_.end(),
-                  [](const Transaction& t) { return t.IsError(); })) {
+  if (base::ranges::any_of(transactions_,
+                           [](const Transaction& t) { return t.IsError(); })) {
     Complete(post_needed);
     return;
   }
 
-  if (std::all_of(transactions_.begin(), transactions_.end(),
-                  [](const Transaction& t) { return t.IsDone(); })) {
+  if (base::ranges::all_of(transactions_,
+                           [](const Transaction& t) { return t.IsDone(); })) {
     Complete(post_needed);
     return;
   }
diff --git a/chromium/net/dns/host_resolver_mdns_task.h b/chromium/net/dns/host_resolver_mdns_task.h
index 57687fdd1a6..a5c5a074268 100644
--- a/chromium/net/dns/host_resolver_mdns_task.h
+++ b/chromium/net/dns/host_resolver_mdns_task.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/host_resolver_nat64_task.cc b/chromium/net/dns/host_resolver_nat64_task.cc
new file mode 100644
index 00000000000..415c24b0b2d
--- /dev/null
+++ b/chromium/net/dns/host_resolver_nat64_task.cc
@@ -0,0 +1,171 @@
+// Copyright 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/host_resolver_nat64_task.h"
+
+#include <algorithm>
+#include <utility>
+
+#include "base/bind.h"
+#include "base/check_op.h"
+#include "base/functional/callback.h"
+#include "base/location.h"
+#include "base/memory/raw_ptr.h"
+#include "base/notreached.h"
+#include "base/strings/string_util.h"
+#include "base/threading/sequenced_task_runner_handle.h"
+#include "net/base/address_list.h"
+#include "net/base/ip_endpoint.h"
+#include "net/base/net_errors.h"
+#include "net/dns/host_resolver.h"
+#include "net/dns/host_resolver_manager.h"
+#include "net/dns/public/dns_query_type.h"
+
+namespace net {
+
+HostResolverNat64Task::HostResolverNat64Task(
+    base::StringPiece hostname,
+    NetworkAnonymizationKey network_anonymization_key,
+    NetLogWithSource net_log,
+    ResolveContext* resolve_context,
+    HostCache* host_cache,
+    base::WeakPtr<HostResolverManager> resolver)
+    : hostname_(hostname),
+      network_anonymization_key_(std::move(network_anonymization_key)),
+      net_log_(std::move(net_log)),
+      resolve_context_(resolve_context),
+      host_cache_(host_cache),
+      resolver_(std::move(resolver)) {}
+
+HostResolverNat64Task::~HostResolverNat64Task() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+}
+
+void HostResolverNat64Task::Start(base::OnceClosure completion_closure) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  DCHECK(!completion_closure_);
+
+  completion_closure_ = std::move(completion_closure);
+
+  next_state_ = State::kResolve;
+  int rv = DoLoop(OK);
+  if (rv != ERR_IO_PENDING) {
+    base::SequencedTaskRunnerHandle::Get()->PostTask(
+        FROM_HERE, std::move(completion_closure_));
+  }
+}
+
+HostCache::Entry HostResolverNat64Task::GetResults() const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  DCHECK(!completion_closure_);
+  return results_;
+}
+
+int HostResolverNat64Task::DoLoop(int result) {
+  DCHECK_NE(next_state_, State::kStateNone);
+  int rv = result;
+  do {
+    State state = next_state_;
+    next_state_ = State::kStateNone;
+    switch (state) {
+      case State::kResolve:
+        DCHECK_EQ(OK, rv);
+        rv = DoResolve();
+        break;
+      case State::kResolveComplete:
+        rv = DoResolveComplete(rv);
+        break;
+      case State::kSynthesizeToIpv6:
+        DCHECK_EQ(OK, rv);
+        rv = DoSynthesizeToIpv6();
+        break;
+      default:
+        NOTREACHED();
+        rv = ERR_FAILED;
+        break;
+    }
+  } while (rv != ERR_IO_PENDING && next_state_ != State::kStateNone);
+  return rv;
+}
+
+int HostResolverNat64Task::DoResolve() {
+  next_state_ = State::kResolveComplete;
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::AAAA;
+
+  if (!resolver_) {
+    return ERR_FAILED;
+  }
+
+  request_ipv4onlyarpa_ = resolver_->CreateRequest(
+      HostPortPair("ipv4only.arpa", 80), network_anonymization_key_, net_log_,
+      parameters, resolve_context_, host_cache_);
+
+  return request_ipv4onlyarpa_->Start(base::BindOnce(
+      &HostResolverNat64Task::OnIOComplete, weak_ptr_factory_.GetWeakPtr()));
+}
+
+int HostResolverNat64Task::DoResolveComplete(int result) {
+  // If not under DNS64 and resolving ipv4only.arpa fails, return the original
+  // IPv4 address.
+  if (result != OK || request_ipv4onlyarpa_->GetEndpointResults()->empty()) {
+    IPAddress ipv4_address;
+    bool is_ip = ipv4_address.AssignFromIPLiteral(hostname_);
+    DCHECK(is_ip);
+    std::set<std::string> aliases;
+    results_ =
+        HostCache::Entry(OK, {IPEndPoint(ipv4_address, 0)}, std::move(aliases),
+                         HostCache::Entry::SOURCE_UNKNOWN);
+    return OK;
+  }
+
+  next_state_ = State::kSynthesizeToIpv6;
+  return OK;
+}
+
+int HostResolverNat64Task::DoSynthesizeToIpv6() {
+  IPAddress ipv4_address;
+  bool is_ip = ipv4_address.AssignFromIPLiteral(hostname_);
+  DCHECK(is_ip);
+
+  IPAddress ipv4onlyarpa_AAAA_address;
+
+  std::vector<IPEndPoint> converted_addresses;
+
+  for (const auto& endpoints : *request_ipv4onlyarpa_->GetEndpointResults()) {
+    for (const auto& ip_endpoint : endpoints.ip_endpoints) {
+      ipv4onlyarpa_AAAA_address = ip_endpoint.address();
+
+      Dns64PrefixLength pref64_length =
+          ExtractPref64FromIpv4onlyArpaAAAA(ipv4onlyarpa_AAAA_address);
+
+      IPAddress converted_address = ConvertIPv4ToIPv4EmbeddedIPv6(
+          ipv4_address, ipv4onlyarpa_AAAA_address, pref64_length);
+
+      IPEndPoint converted_ip_endpoint(converted_address, 0);
+      if (std::find(converted_addresses.begin(), converted_addresses.end(),
+                    converted_ip_endpoint) == converted_addresses.end()) {
+        converted_addresses.push_back(std::move(converted_ip_endpoint));
+      }
+    }
+  }
+
+  std::set<std::string> aliases;
+
+  if (converted_addresses.empty()) {
+    converted_addresses = {IPEndPoint(ipv4_address, 0)};
+  }
+
+  results_ = HostCache::Entry(OK, converted_addresses, std::move(aliases),
+                              HostCache::Entry::SOURCE_UNKNOWN);
+  return OK;
+}
+
+void HostResolverNat64Task::OnIOComplete(int result) {
+  result = DoLoop(result);
+  if (result != ERR_IO_PENDING)
+    std::move(completion_closure_).Run();
+}
+
+}  // namespace net
diff --git a/chromium/net/dns/host_resolver_nat64_task.h b/chromium/net/dns/host_resolver_nat64_task.h
new file mode 100644
index 00000000000..01fb4ffb422
--- /dev/null
+++ b/chromium/net/dns/host_resolver_nat64_task.h
@@ -0,0 +1,85 @@
+// Copyright 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DNS_HOST_RESOLVER_NAT64_TASK_H_
+#define NET_DNS_HOST_RESOLVER_NAT64_TASK_H_
+
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "base/functional/callback_forward.h"
+#include "base/memory/raw_ptr.h"
+#include "base/memory/weak_ptr.h"
+#include "base/sequence_checker.h"
+#include "net/dns/host_resolver.h"
+#include "net/dns/host_resolver_manager.h"
+#include "net/dns/public/dns_query_type.h"
+
+namespace net {
+
+class HostCache;
+
+// Representation of a single HostResolverImpl::Job task to convert an IPv4
+// address literal to an IPv4-Embedded IPv6 according to rfc6052.
+// https://www.rfc-editor.org/rfc/rfc6052
+// When a DNS64 is not found returns the original IPv4 address.
+// Destruction cancels the task and prevents any callbacks from being invoked.
+class HostResolverNat64Task {
+ public:
+  HostResolverNat64Task(base::StringPiece hostname,
+                        NetworkAnonymizationKey network_anonymization_key,
+                        NetLogWithSource net_log,
+                        ResolveContext* resolve_context,
+                        HostCache* host_cache,
+                        base::WeakPtr<HostResolverManager> resolver);
+
+  HostResolverNat64Task(const HostResolverNat64Task&) = delete;
+  HostResolverNat64Task& operator=(const HostResolverNat64Task&) = delete;
+
+  ~HostResolverNat64Task();
+
+  // Should only be called once.
+  void Start(base::OnceClosure completion_closure);
+
+  // Results only available after invocation of the completion closure.
+  HostCache::Entry GetResults() const;
+
+ private:
+  const std::string hostname_;
+  const NetworkAnonymizationKey network_anonymization_key_;
+  NetLogWithSource net_log_;
+  const raw_ptr<ResolveContext> resolve_context_;
+  const raw_ptr<HostCache> host_cache_;
+  base::OnceClosure completion_closure_;
+  base::WeakPtr<HostResolverManager> resolver_;
+
+  SEQUENCE_CHECKER(sequence_checker_);
+
+  int DoResolve();
+  int DoResolveComplete(int result);
+  int DoSynthesizeToIpv6();
+
+  void OnIOComplete(int result);
+  int DoLoop(int result);
+
+  enum class State {
+    kResolve,
+    kResolveComplete,
+    kSynthesizeToIpv6,
+    kStateNone,
+  };
+
+  State next_state_ = State::kStateNone;
+
+  std::unique_ptr<HostResolver::ResolveHostRequest> request_ipv4onlyarpa_;
+
+  HostCache::Entry results_ =
+      HostCache::Entry(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
+  base::WeakPtrFactory<HostResolverNat64Task> weak_ptr_factory_{this};
+};
+
+}  // namespace net
+
+#endif  // NET_DNS_HOST_RESOLVER_NAT64_TASK_H_
diff --git a/chromium/net/dns/host_resolver_proc.cc b/chromium/net/dns/host_resolver_proc.cc
index 08c0105989f..7f1734ae84a 100644
--- a/chromium/net/dns/host_resolver_proc.cc
+++ b/chromium/net/dns/host_resolver_proc.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,18 +6,14 @@
 
 #include <tuple>
 
-#include "build/build_config.h"
-
 #include "base/check.h"
-#include "base/threading/scoped_blocking_call.h"
+#include "base/memory/scoped_refptr.h"
+#include "base/notreached.h"
+#include "build/build_config.h"
 #include "net/base/address_family.h"
 #include "net/base/address_list.h"
 #include "net/base/net_errors.h"
-#include "net/base/sys_addrinfo.h"
-#include "net/dns/address_info.h"
-#include "net/dns/dns_reloader.h"
-#include "net/dns/dns_util.h"
-#include "net/dns/host_resolver.h"
+#include "net/dns/host_resolver_system_task.h"
 
 #if BUILDFLAG(IS_OPENBSD)
 #define AI_ADDRCONFIG 0
@@ -110,160 +106,4 @@ HostResolverProc* HostResolverProc::GetDefault() {
   return default_proc_;
 }
 
-namespace {
-
-int AddressFamilyToAF(AddressFamily address_family) {
-  switch (address_family) {
-    case ADDRESS_FAMILY_IPV4:
-      return AF_INET;
-    case ADDRESS_FAMILY_IPV6:
-      return AF_INET6;
-    case ADDRESS_FAMILY_UNSPECIFIED:
-      return AF_UNSPEC;
-  }
-}
-
-}  // namespace
-
-int SystemHostResolverCall(const std::string& host,
-                           AddressFamily address_family,
-                           HostResolverFlags host_resolver_flags,
-                           AddressList* addrlist,
-                           int* os_error_opt,
-                           handles::NetworkHandle network) {
-  // |host| should be a valid domain name. HostResolverImpl::Resolve has checks
-  // to fail early if this is not the case.
-  DCHECK(IsValidDNSDomain(host));
-
-  struct addrinfo hints = {0};
-  hints.ai_family = AddressFamilyToAF(address_family);
-
-#if BUILDFLAG(IS_WIN)
-  // DO NOT USE AI_ADDRCONFIG ON WINDOWS.
-  //
-  // The following comment in <winsock2.h> is the best documentation I found
-  // on AI_ADDRCONFIG for Windows:
-  //   Flags used in "hints" argument to getaddrinfo()
-  //       - AI_ADDRCONFIG is supported starting with Vista
-  //       - default is AI_ADDRCONFIG ON whether the flag is set or not
-  //         because the performance penalty in not having ADDRCONFIG in
-  //         the multi-protocol stack environment is severe;
-  //         this defaulting may be disabled by specifying the AI_ALL flag,
-  //         in that case AI_ADDRCONFIG must be EXPLICITLY specified to
-  //         enable ADDRCONFIG behavior
-  //
-  // Not only is AI_ADDRCONFIG unnecessary, but it can be harmful.  If the
-  // computer is not connected to a network, AI_ADDRCONFIG causes getaddrinfo
-  // to fail with WSANO_DATA (11004) for "localhost", probably because of the
-  // following note on AI_ADDRCONFIG in the MSDN getaddrinfo page:
-  //   The IPv4 or IPv6 loopback address is not considered a valid global
-  //   address.
-  // See http://crbug.com/5234.
-  //
-  // OpenBSD does not support it, either.
-  hints.ai_flags = 0;
-#else
-  hints.ai_flags = AI_ADDRCONFIG;
-#endif
-
-  // On Linux AI_ADDRCONFIG doesn't consider loopback addresses, even if only
-  // loopback addresses are configured. So don't use it when there are only
-  // loopback addresses.
-  if (host_resolver_flags & HOST_RESOLVER_LOOPBACK_ONLY)
-    hints.ai_flags &= ~AI_ADDRCONFIG;
-
-  if (host_resolver_flags & HOST_RESOLVER_CANONNAME)
-    hints.ai_flags |= AI_CANONNAME;
-
-#if BUILDFLAG(IS_WIN)
-  // See crbug.com/1176970. Flag not documented (other than the declaration
-  // comment in ws2def.h) but confirmed by Microsoft to work for this purpose
-  // and be safe.
-  if (host_resolver_flags & HOST_RESOLVER_AVOID_MULTICAST)
-    hints.ai_flags |= AI_DNS_ONLY;
-#endif  // BUILDFLAG(IS_WIN)
-
-  // Restrict result set to only this socket type to avoid duplicates.
-  hints.ai_socktype = SOCK_STREAM;
-
-  // This function can block for a long time. Use ScopedBlockingCall to increase
-  // the current thread pool's capacity and thus avoid reducing CPU usage by the
-  // current process during that time.
-  base::ScopedBlockingCall scoped_blocking_call(FROM_HERE,
-                                                base::BlockingType::WILL_BLOCK);
-
-#if BUILDFLAG(IS_POSIX) && \
-    !(BUILDFLAG(IS_APPLE) || BUILDFLAG(IS_OPENBSD) || BUILDFLAG(IS_ANDROID))
-  DnsReloaderMaybeReload();
-#endif
-  auto [ai, err, os_error] = AddressInfo::Get(host, hints, nullptr, network);
-  bool should_retry = false;
-  // If the lookup was restricted (either by address family, or address
-  // detection), and the results where all localhost of a single family,
-  // maybe we should retry.  There were several bugs related to these
-  // issues, for example http://crbug.com/42058 and http://crbug.com/49024
-  if ((hints.ai_family != AF_UNSPEC || hints.ai_flags & AI_ADDRCONFIG) && ai &&
-      ai->IsAllLocalhostOfOneFamily()) {
-    if (host_resolver_flags & HOST_RESOLVER_DEFAULT_FAMILY_SET_DUE_TO_NO_IPV6) {
-      hints.ai_family = AF_UNSPEC;
-      should_retry = true;
-    }
-    if (hints.ai_flags & AI_ADDRCONFIG) {
-      hints.ai_flags &= ~AI_ADDRCONFIG;
-      should_retry = true;
-    }
-  }
-  if (should_retry) {
-    std::tie(ai, err, os_error) =
-        AddressInfo::Get(host, hints, nullptr, network);
-  }
-
-  if (os_error_opt)
-    *os_error_opt = os_error;
-
-  if (!ai)
-    return err;
-
-  *addrlist = ai->CreateAddressList();
-  return OK;
-}
-
-SystemHostResolverProc::SystemHostResolverProc() : HostResolverProc(nullptr) {}
-
-int SystemHostResolverProc::Resolve(const std::string& hostname,
-                                    AddressFamily address_family,
-                                    HostResolverFlags host_resolver_flags,
-                                    AddressList* addr_list,
-                                    int* os_error,
-                                    handles::NetworkHandle network) {
-  return SystemHostResolverCall(hostname, address_family, host_resolver_flags,
-                                addr_list, os_error, network);
-}
-
-int SystemHostResolverProc::Resolve(const std::string& hostname,
-                                    AddressFamily address_family,
-                                    HostResolverFlags host_resolver_flags,
-                                    AddressList* addr_list,
-                                    int* os_error) {
-  return Resolve(hostname, address_family, host_resolver_flags, addr_list,
-                 os_error, handles::kInvalidNetworkHandle);
-}
-
-SystemHostResolverProc::~SystemHostResolverProc() = default;
-
-ProcTaskParams::ProcTaskParams(scoped_refptr<HostResolverProc> resolver_proc,
-                               size_t in_max_retry_attempts)
-    : resolver_proc(std::move(resolver_proc)),
-      max_retry_attempts(in_max_retry_attempts),
-      unresponsive_delay(kDnsDefaultUnresponsiveDelay) {
-  // Maximum of 4 retry attempts for host resolution.
-  static const size_t kDefaultMaxRetryAttempts = 4u;
-  if (max_retry_attempts == HostResolver::ManagerOptions::kDefaultRetryAttempts)
-    max_retry_attempts = kDefaultMaxRetryAttempts;
-}
-
-ProcTaskParams::ProcTaskParams(const ProcTaskParams& other) = default;
-
-ProcTaskParams::~ProcTaskParams() = default;
-
 }  // namespace net
diff --git a/chromium/net/dns/host_resolver_proc.h b/chromium/net/dns/host_resolver_proc.h
index 5c77dbbdf92..c1253ecaed4 100644
--- a/chromium/net/dns/host_resolver_proc.h
+++ b/chromium/net/dns/host_resolver_proc.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,7 +8,6 @@
 #include <string>
 
 #include "base/memory/ref_counted.h"
-#include "base/time/time.h"
 #include "net/base/address_family.h"
 #include "net/base/net_export.h"
 #include "net/base/network_handle.h"
@@ -17,7 +16,7 @@ namespace net {
 
 class AddressList;
 
-// Interface for a getaddrinfo()-like procedure. This is used by unit-tests
+// Interface for a getaddrinfo()-like procedure. This is used by tests
 // to control the underlying resolutions in HostResolverManager.
 // HostResolverProcs can be chained together; they fallback to the next
 // procedure in the chain by calling ResolveUsingPrevious(). Unless
@@ -69,6 +68,7 @@ class NET_EXPORT HostResolverProc
 
  private:
   friend class HostResolverManager;
+  friend class HostResolverSystemTask;
   friend class MockHostResolverBase;
   friend class ScopedDefaultHostResolverProc;
 
@@ -96,92 +96,6 @@ class NET_EXPORT HostResolverProc
   static HostResolverProc* default_proc_;
 };
 
-// Resolves `host` to an address list, using the system's default host resolver.
-// (i.e. this calls out to getaddrinfo()). If successful returns OK and fills
-// `addrlist` with a list of socket addresses. Otherwise returns a
-// network error code, and fills `os_error` with a more specific error if it
-// was non-NULL.
-// `network` is an optional parameter, when specified (!=
-// handles::kInvalidNetworkHandle) the lookup will be performed specifically for
-// `network`.
-NET_EXPORT_PRIVATE int SystemHostResolverCall(
-    const std::string& host,
-    AddressFamily address_family,
-    HostResolverFlags host_resolver_flags,
-    AddressList* addrlist,
-    int* os_error,
-    handles::NetworkHandle network = handles::kInvalidNetworkHandle);
-
-// Wraps call to SystemHostResolverCall as an instance of HostResolverProc.
-class NET_EXPORT_PRIVATE SystemHostResolverProc : public HostResolverProc {
- public:
-  SystemHostResolverProc();
-
-  SystemHostResolverProc(const SystemHostResolverProc&) = delete;
-  SystemHostResolverProc& operator=(const SystemHostResolverProc&) = delete;
-
-  int Resolve(const std::string& hostname,
-              AddressFamily address_family,
-              HostResolverFlags host_resolver_flags,
-              AddressList* addr_list,
-              int* os_error) override;
-
-  int Resolve(const std::string& hostname,
-              AddressFamily address_family,
-              HostResolverFlags host_resolver_flags,
-              AddressList* addr_list,
-              int* os_error,
-              handles::NetworkHandle network) override;
-
- protected:
-  ~SystemHostResolverProc() override;
-};
-
-// Parameters for customizing HostResolverProc behavior in HostResolvers.
-//
-// |resolver_proc| is used to perform the actual resolves; it must be
-// thread-safe since it may be run from multiple worker threads. If
-// |resolver_proc| is NULL then the default host resolver procedure is
-// used (which is SystemHostResolverProc except if overridden).
-//
-// For each attempt, we could start another attempt if host is not resolved
-// within |unresponsive_delay| time. We keep attempting to resolve the host
-// for |max_retry_attempts|. For every retry attempt, we grow the
-// |unresponsive_delay| by the |retry_factor| amount (that is retry interval
-// is multiplied by the retry factor each time). Once we have retried
-// |max_retry_attempts|, we give up on additional attempts.
-//
-struct NET_EXPORT_PRIVATE ProcTaskParams {
-  // Default delay between calls to the system resolver for the same hostname.
-  // (Can be overridden by field trial.)
-  static constexpr base::TimeDelta kDnsDefaultUnresponsiveDelay =
-      base::Seconds(6);
-
-  // Sets up defaults.
-  ProcTaskParams(scoped_refptr<HostResolverProc> resolver_proc,
-                 size_t max_retry_attempts);
-
-  ProcTaskParams(const ProcTaskParams& other);
-
-  ~ProcTaskParams();
-
-  // The procedure to use for resolving host names. This will be NULL, except
-  // in the case of unit-tests which inject custom host resolving behaviors.
-  scoped_refptr<HostResolverProc> resolver_proc;
-
-  // Maximum number retry attempts to resolve the hostname.
-  // Pass HostResolver::Options::kDefaultRetryAttempts to choose a default
-  // value.
-  size_t max_retry_attempts;
-
-  // This is the limit after which we make another attempt to resolve the host
-  // if the worker thread has not responded yet.
-  base::TimeDelta unresponsive_delay = kDnsDefaultUnresponsiveDelay;
-
-  // Factor to grow |unresponsive_delay| when we re-re-try.
-  uint32_t retry_factor = 2;
-};
-
 }  // namespace net
 
 #endif  // NET_DNS_HOST_RESOLVER_PROC_H_
diff --git a/chromium/net/dns/host_resolver_results_test_util.cc b/chromium/net/dns/host_resolver_results_test_util.cc
index b779ec3572f..0327f961f3d 100644
--- a/chromium/net/dns/host_resolver_results_test_util.cc
+++ b/chromium/net/dns/host_resolver_results_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,7 @@
 
 #include "net/base/connection_endpoint_metadata.h"
 #include "net/base/ip_endpoint.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
diff --git a/chromium/net/dns/host_resolver_results_test_util.h b/chromium/net/dns/host_resolver_results_test_util.h
index 73aa28954bd..58fb19a5567 100644
--- a/chromium/net/dns/host_resolver_results_test_util.h
+++ b/chromium/net/dns/host_resolver_results_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/host_resolver_system_task.cc b/chromium/net/dns/host_resolver_system_task.cc
new file mode 100644
index 00000000000..3dfea30a984
--- /dev/null
+++ b/chromium/net/dns/host_resolver_system_task.cc
@@ -0,0 +1,440 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/host_resolver_system_task.h"
+
+#include <memory>
+
+#include "base/functional/bind.h"
+#include "base/functional/callback.h"
+#include "base/metrics/field_trial_params.h"
+#include "base/no_destructor.h"
+#include "base/task/task_traits.h"
+#include "base/task/thread_pool.h"
+#include "base/threading/scoped_blocking_call.h"
+#include "base/trace_event/trace_event.h"
+#include "base/types/pass_key.h"
+#include "dns_reloader.h"
+#include "net/base/net_errors.h"
+#include "net/base/network_interfaces.h"
+#include "net/base/sys_addrinfo.h"
+#include "net/base/trace_constants.h"
+#include "net/dns/address_info.h"
+#include "net/dns/dns_util.h"
+
+#if BUILDFLAG(IS_WIN)
+#include "net/base/winsock_init.h"
+#endif
+
+namespace net {
+
+namespace {
+
+const base::FeatureParam<base::TaskPriority>::Option prio_modes[] = {
+    {base::TaskPriority::USER_VISIBLE, "default"},
+    {base::TaskPriority::USER_BLOCKING, "user_blocking"}};
+BASE_FEATURE(kSystemResolverPriorityExperiment,
+             "SystemResolverPriorityExperiment",
+             base::FEATURE_DISABLED_BY_DEFAULT);
+const base::FeatureParam<base::TaskPriority> priority_mode{
+    &kSystemResolverPriorityExperiment, "mode",
+    base::TaskPriority::USER_VISIBLE, &prio_modes};
+
+base::TaskTraits GetSystemDnsResolutionTaskTraits() {
+  return {base::MayBlock(), priority_mode.Get(),
+          base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN};
+}
+
+// Returns nullptr in the common case, or a task runner if the default has
+// been overridden.
+scoped_refptr<base::TaskRunner>& GetSystemDnsResolutionTaskRunnerOverride() {
+  static base::NoDestructor<scoped_refptr<base::TaskRunner>>
+      system_dns_resolution_task_runner(nullptr);
+  return *system_dns_resolution_task_runner;
+}
+
+// Posts a synchronous callback to a thread pool task runner created with
+// GetSystemDnsResolutionTaskTraits(). This task runner can be overridden by
+// assigning to GetSystemDnsResolutionTaskRunnerOverride(). `results_cb` will be
+// called later on the current sequence with the results of the DNS resolution.
+void PostSystemDnsResolutionTaskAndReply(
+    base::OnceCallback<int(AddressList* addrlist, int* os_error)>
+        system_dns_resolution_callback,
+    HostResolverSystemTask::SystemDnsResultsCallback results_cb) {
+  auto addr_list = std::make_unique<net::AddressList>();
+  net::AddressList* addr_list_ptr = addr_list.get();
+  auto os_error = std::make_unique<int>();
+  int* os_error_ptr = os_error.get();
+
+  // This callback owns |addr_list| and |os_error| and just calls |results_cb|
+  // with the results.
+  auto call_with_results_cb = base::BindOnce(
+      [](HostResolverSystemTask::SystemDnsResultsCallback results_cb,
+         std::unique_ptr<net::AddressList> addr_list,
+         std::unique_ptr<int> os_error, int net_error) {
+        std::move(results_cb).Run(std::move(*addr_list), *os_error, net_error);
+      },
+      std::move(results_cb), std::move(addr_list), std::move(os_error));
+
+  scoped_refptr<base::TaskRunner> system_dns_resolution_task_runner =
+      GetSystemDnsResolutionTaskRunnerOverride();
+  if (!system_dns_resolution_task_runner) {
+    // In production this will run on every call, otherwise some tests will
+    // leave a stale task runner around after tearing down their task
+    // environment. This should not be less performant than the regular
+    // base::ThreadPool::PostTask().
+    system_dns_resolution_task_runner =
+        base::ThreadPool::CreateTaskRunner(GetSystemDnsResolutionTaskTraits());
+  }
+  system_dns_resolution_task_runner->PostTaskAndReplyWithResult(
+      FROM_HERE,
+      base::BindOnce(std::move(system_dns_resolution_callback), addr_list_ptr,
+                     os_error_ptr),
+      std::move(call_with_results_cb));
+}
+
+int ResolveOnWorkerThread(scoped_refptr<HostResolverProc> resolver_proc,
+                          absl::optional<std::string> hostname,
+                          AddressFamily address_family,
+                          HostResolverFlags flags,
+                          handles::NetworkHandle network,
+                          AddressList* addrlist,
+                          int* os_error) {
+  std::string hostname_str = hostname ? *hostname : GetHostName();
+  if (resolver_proc) {
+    return resolver_proc->Resolve(hostname_str, address_family, flags, addrlist,
+                                  os_error, network);
+  } else {
+    return SystemHostResolverCall(hostname_str, address_family, flags, addrlist,
+                                  os_error, network);
+  }
+}
+
+// Creates NetLog parameters when the resolve failed.
+base::Value NetLogHostResolverSystemTaskFailedParams(uint32_t attempt_number,
+                                                     int net_error,
+                                                     int os_error) {
+  base::Value::Dict dict;
+  if (attempt_number)
+    dict.Set("attempt_number", base::saturated_cast<int>(attempt_number));
+
+  dict.Set("net_error", net_error);
+
+  if (os_error) {
+    dict.Set("os_error", os_error);
+#if BUILDFLAG(IS_WIN)
+    // Map the error code to a human-readable string.
+    LPWSTR error_string = nullptr;
+    FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
+                  nullptr,  // Use the internal message table.
+                  os_error,
+                  0,  // Use default language.
+                  (LPWSTR)&error_string,
+                  0,         // Buffer size.
+                  nullptr);  // Arguments (unused).
+    dict.Set("os_error_string", base::WideToUTF8(error_string));
+    LocalFree(error_string);
+#elif BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
+    dict.Set("os_error_string", gai_strerror(os_error));
+#endif
+  }
+
+  return base::Value(std::move(dict));
+}
+
+}  // namespace
+
+HostResolverSystemTask::Params::Params(
+    scoped_refptr<HostResolverProc> resolver_proc,
+    size_t in_max_retry_attempts)
+    : resolver_proc(std::move(resolver_proc)),
+      max_retry_attempts(in_max_retry_attempts),
+      unresponsive_delay(kDnsDefaultUnresponsiveDelay) {
+  // Maximum of 4 retry attempts for host resolution.
+  static const size_t kDefaultMaxRetryAttempts = 4u;
+  if (max_retry_attempts == kDefaultRetryAttempts)
+    max_retry_attempts = kDefaultMaxRetryAttempts;
+}
+
+HostResolverSystemTask::Params::Params(const Params& other) = default;
+
+HostResolverSystemTask::Params::~Params() = default;
+
+// static
+std::unique_ptr<HostResolverSystemTask> HostResolverSystemTask::Create(
+    std::string hostname,
+    AddressFamily address_family,
+    HostResolverFlags flags,
+    const Params& params,
+    const NetLogWithSource& job_net_log,
+    handles::NetworkHandle network) {
+  return std::make_unique<HostResolverSystemTask>(
+      base::PassKey<HostResolverSystemTask>(), hostname, address_family, flags,
+      params, job_net_log, network);
+}
+
+// static
+std::unique_ptr<HostResolverSystemTask>
+HostResolverSystemTask::CreateForOwnHostname(
+    AddressFamily address_family,
+    HostResolverFlags flags,
+    const Params& params,
+    const NetLogWithSource& job_net_log,
+    handles::NetworkHandle network) {
+  return std::make_unique<HostResolverSystemTask>(
+      base::PassKey<HostResolverSystemTask>(), absl::nullopt, address_family,
+      flags, params, job_net_log, network);
+}
+
+HostResolverSystemTask::HostResolverSystemTask(
+    base::PassKey<HostResolverSystemTask>,
+    absl::optional<std::string> hostname,
+    AddressFamily address_family,
+    HostResolverFlags flags,
+    const Params& params,
+    const NetLogWithSource& job_net_log,
+    handles::NetworkHandle network)
+    : hostname_(std::move(hostname)),
+      address_family_(address_family),
+      flags_(flags),
+      params_(params),
+      net_log_(job_net_log),
+      network_(network) {
+  if (hostname_) {
+    // |host| should be a valid domain name. HostResolverImpl::Resolve has
+    // checks to fail early if this is not the case.
+    DCHECK(IsValidDNSDomain(*hostname_)) << "Invalid hostname: " << *hostname_;
+  }
+  // If a resolver_proc has not been specified, try to use a default if one is
+  // set, as it may be in tests.
+  if (!params_.resolver_proc.get())
+    params_.resolver_proc = HostResolverProc::GetDefault();
+}
+
+// Cancels this HostResolverSystemTask. Any outstanding resolve attempts cannot
+// be cancelled, but they will post back to the current thread before checking
+// their WeakPtrs to find that this task is cancelled.
+HostResolverSystemTask::~HostResolverSystemTask() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  // If this is cancellation, log the EndEvent (otherwise this was logged in
+  // OnLookupComplete()).
+  if (!was_completed())
+    net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_SYSTEM_TASK);
+}
+
+void HostResolverSystemTask::Start(SystemDnsResultsCallback results_cb) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  DCHECK(results_cb);
+  DCHECK(!results_cb_);
+  results_cb_ = std::move(results_cb);
+  net_log_.BeginEvent(NetLogEventType::HOST_RESOLVER_SYSTEM_TASK);
+  StartLookupAttempt();
+}
+
+void HostResolverSystemTask::StartLookupAttempt() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  DCHECK(!was_completed());
+  ++attempt_number_;
+
+  base::OnceCallback<int(AddressList * addrlist, int* os_error)> resolve_cb =
+      base::BindOnce(&ResolveOnWorkerThread, params_.resolver_proc, hostname_,
+                     address_family_, flags_, network_);
+  PostSystemDnsResolutionTaskAndReply(
+      std::move(resolve_cb),
+      base::BindOnce(&HostResolverSystemTask::OnLookupComplete,
+                     weak_ptr_factory_.GetWeakPtr(), attempt_number_));
+
+  net_log_.AddEventWithIntParams(
+      NetLogEventType::HOST_RESOLVER_MANAGER_ATTEMPT_STARTED, "attempt_number",
+      attempt_number_);
+
+  // If the results aren't received within a given time, RetryIfNotComplete
+  // will start a new attempt if none of the outstanding attempts have
+  // completed yet.
+  // Use a WeakPtr to avoid keeping the HostResolverSystemTask alive after
+  // completion or cancellation.
+  if (attempt_number_ <= params_.max_retry_attempts) {
+    base::SequencedTaskRunnerHandle::Get()->PostDelayedTask(
+        FROM_HERE,
+        base::BindOnce(&HostResolverSystemTask::StartLookupAttempt,
+                       weak_ptr_factory_.GetWeakPtr()),
+        params_.unresponsive_delay *
+            std::pow(params_.retry_factor, attempt_number_ - 1));
+  }
+}
+
+// Callback for when DoLookup() completes.
+void HostResolverSystemTask::OnLookupComplete(const uint32_t attempt_number,
+                                              const AddressList& results,
+                                              const int os_error,
+                                              int error) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  DCHECK(!was_completed());
+
+  TRACE_EVENT0(NetTracingCategory(),
+               "HostResolverSystemTask::OnLookupComplete");
+
+  // Invalidate WeakPtrs to cancel handling of all outstanding lookup attempts
+  // and retries.
+  weak_ptr_factory_.InvalidateWeakPtrs();
+
+  // If results are empty, we should return an error.
+  bool empty_list_on_ok = (error == OK && results.empty());
+  if (empty_list_on_ok)
+    error = ERR_NAME_NOT_RESOLVED;
+
+  if (error != OK && NetworkChangeNotifier::IsOffline())
+    error = ERR_INTERNET_DISCONNECTED;
+
+  if (error != OK) {
+    net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_SYSTEM_TASK, [&] {
+      return NetLogHostResolverSystemTaskFailedParams(0, error, os_error);
+    });
+    net_log_.AddEvent(NetLogEventType::HOST_RESOLVER_MANAGER_ATTEMPT_FINISHED,
+                      [&] {
+                        return NetLogHostResolverSystemTaskFailedParams(
+                            attempt_number, error, os_error);
+                      });
+  } else {
+    net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_SYSTEM_TASK,
+                      [&] { return results.NetLogParams(); });
+    net_log_.AddEventWithIntParams(
+        NetLogEventType::HOST_RESOLVER_MANAGER_ATTEMPT_FINISHED,
+        "attempt_number", attempt_number);
+  }
+
+  std::move(results_cb_).Run(results, os_error, error);
+  // Running |results_cb_| can delete |this|.
+}
+
+void EnsureSystemHostResolverCallReady() {
+#if BUILDFLAG(IS_POSIX) && !BUILDFLAG(IS_APPLE) && !BUILDFLAG(IS_OPENBSD) && \
+    !BUILDFLAG(IS_ANDROID)
+  EnsureDnsReloaderInit();
+#elif BUILDFLAG(IS_WIN)
+  EnsureWinsockInit();
+#endif
+}
+
+namespace {
+
+int AddressFamilyToAF(AddressFamily address_family) {
+  switch (address_family) {
+    case ADDRESS_FAMILY_IPV4:
+      return AF_INET;
+    case ADDRESS_FAMILY_IPV6:
+      return AF_INET6;
+    case ADDRESS_FAMILY_UNSPECIFIED:
+      return AF_UNSPEC;
+  }
+}
+
+}  // namespace
+
+int SystemHostResolverCall(const std::string& host,
+                           AddressFamily address_family,
+                           HostResolverFlags host_resolver_flags,
+                           AddressList* addrlist,
+                           int* os_error_opt,
+                           handles::NetworkHandle network) {
+  struct addrinfo hints = {0};
+  hints.ai_family = AddressFamilyToAF(address_family);
+
+#if BUILDFLAG(IS_WIN)
+  // DO NOT USE AI_ADDRCONFIG ON WINDOWS.
+  //
+  // The following comment in <winsock2.h> is the best documentation I found
+  // on AI_ADDRCONFIG for Windows:
+  //   Flags used in "hints" argument to getaddrinfo()
+  //       - AI_ADDRCONFIG is supported starting with Vista
+  //       - default is AI_ADDRCONFIG ON whether the flag is set or not
+  //         because the performance penalty in not having ADDRCONFIG in
+  //         the multi-protocol stack environment is severe;
+  //         this defaulting may be disabled by specifying the AI_ALL flag,
+  //         in that case AI_ADDRCONFIG must be EXPLICITLY specified to
+  //         enable ADDRCONFIG behavior
+  //
+  // Not only is AI_ADDRCONFIG unnecessary, but it can be harmful.  If the
+  // computer is not connected to a network, AI_ADDRCONFIG causes getaddrinfo
+  // to fail with WSANO_DATA (11004) for "localhost", probably because of the
+  // following note on AI_ADDRCONFIG in the MSDN getaddrinfo page:
+  //   The IPv4 or IPv6 loopback address is not considered a valid global
+  //   address.
+  // See http://crbug.com/5234.
+  //
+  // OpenBSD does not support it, either.
+  hints.ai_flags = 0;
+#else
+  hints.ai_flags = AI_ADDRCONFIG;
+#endif
+
+  // On Linux AI_ADDRCONFIG doesn't consider loopback addresses, even if only
+  // loopback addresses are configured. So don't use it when there are only
+  // loopback addresses.
+  if (host_resolver_flags & HOST_RESOLVER_LOOPBACK_ONLY)
+    hints.ai_flags &= ~AI_ADDRCONFIG;
+
+  if (host_resolver_flags & HOST_RESOLVER_CANONNAME)
+    hints.ai_flags |= AI_CANONNAME;
+
+#if BUILDFLAG(IS_WIN)
+  // See crbug.com/1176970. Flag not documented (other than the declaration
+  // comment in ws2def.h) but confirmed by Microsoft to work for this purpose
+  // and be safe.
+  if (host_resolver_flags & HOST_RESOLVER_AVOID_MULTICAST)
+    hints.ai_flags |= AI_DNS_ONLY;
+#endif  // BUILDFLAG(IS_WIN)
+
+  // Restrict result set to only this socket type to avoid duplicates.
+  hints.ai_socktype = SOCK_STREAM;
+
+  // This function can block for a long time. Use ScopedBlockingCall to increase
+  // the current thread pool's capacity and thus avoid reducing CPU usage by the
+  // current process during that time.
+  base::ScopedBlockingCall scoped_blocking_call(FROM_HERE,
+                                                base::BlockingType::WILL_BLOCK);
+
+#if BUILDFLAG(IS_POSIX) && \
+    !(BUILDFLAG(IS_APPLE) || BUILDFLAG(IS_OPENBSD) || BUILDFLAG(IS_ANDROID))
+  DnsReloaderMaybeReload();
+#endif
+  auto [ai, err, os_error] = AddressInfo::Get(host, hints, nullptr, network);
+  bool should_retry = false;
+  // If the lookup was restricted (either by address family, or address
+  // detection), and the results where all localhost of a single family,
+  // maybe we should retry.  There were several bugs related to these
+  // issues, for example http://crbug.com/42058 and http://crbug.com/49024
+  if ((hints.ai_family != AF_UNSPEC || hints.ai_flags & AI_ADDRCONFIG) && ai &&
+      ai->IsAllLocalhostOfOneFamily()) {
+    if (host_resolver_flags & HOST_RESOLVER_DEFAULT_FAMILY_SET_DUE_TO_NO_IPV6) {
+      hints.ai_family = AF_UNSPEC;
+      should_retry = true;
+    }
+    if (hints.ai_flags & AI_ADDRCONFIG) {
+      hints.ai_flags &= ~AI_ADDRCONFIG;
+      should_retry = true;
+    }
+  }
+  if (should_retry) {
+    std::tie(ai, err, os_error) =
+        AddressInfo::Get(host, hints, nullptr, network);
+  }
+
+  if (os_error_opt)
+    *os_error_opt = os_error;
+
+  if (!ai)
+    return err;
+
+  *addrlist = ai->CreateAddressList();
+  return OK;
+}
+
+void SetSystemDnsResolutionTaskRunnerForTesting(  // IN-TEST
+    scoped_refptr<base::TaskRunner> task_runner) {
+  GetSystemDnsResolutionTaskRunnerOverride() = task_runner;
+}
+
+}  // namespace net
diff --git a/chromium/net/dns/host_resolver_system_task.h b/chromium/net/dns/host_resolver_system_task.h
new file mode 100644
index 00000000000..facbce2d30b
--- /dev/null
+++ b/chromium/net/dns/host_resolver_system_task.h
@@ -0,0 +1,204 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DNS_HOST_RESOLVER_SYSTEM_TASK_H_
+#define NET_DNS_HOST_RESOLVER_SYSTEM_TASK_H_
+
+#include <string>
+
+#include "base/functional/callback.h"
+#include "base/task/task_runner.h"
+#include "base/types/pass_key.h"
+#include "net/base/address_list.h"
+#include "net/base/net_export.h"
+#include "net/base/network_handle.h"
+#include "net/dns/host_resolver_proc.h"
+#include "net/log/net_log_with_source.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+
+namespace net {
+
+// Calls SystemHostResolverCallAsync() (or in some tests, HostResolverProc) in
+// ThreadPool. Performs retries if specified by HostResolverSystemTask::Params.
+//
+// In non-test code, the HostResolverProc is always null, and this class calls
+// SystemHostResolverCall() which calls a platform API that implements host
+// resolution. So EnsureSystemHostResolverCallReady() must be called before
+// using this class.
+//
+// Whenever we try to resolve the host, we post a delayed task to check if host
+// resolution (OnLookupComplete) is completed or not. If the original attempt
+// hasn't completed, then we start another attempt for host resolution. We take
+// the results from the first attempt that finishes and ignore the results from
+// all other attempts.
+//
+// This class is designed to be used not just by HostResolverManager, but by
+// general consumers.
+class NET_EXPORT HostResolverSystemTask {
+ public:
+  using SystemDnsResultsCallback = base::OnceCallback<
+      void(const AddressList& addr_list, int os_error, int net_error)>;
+
+  // Parameters for customizing HostResolverSystemTask behavior.
+  //
+  // |resolver_proc| is used to override resolution in tests; it must be
+  // thread-safe since it may be run from multiple worker threads. If
+  // |resolver_proc| is NULL then the default host resolver procedure is
+  // to call SystemHostResolverCall().
+  //
+  // For each attempt, we could start another attempt if host is not resolved
+  // within |unresponsive_delay| time. We keep attempting to resolve the host
+  // for |max_retry_attempts|. For every retry attempt, we grow the
+  // |unresponsive_delay| by the |retry_factor| amount (that is retry interval
+  // is multiplied by the retry factor each time). Once we have retried
+  // |max_retry_attempts|, we give up on additional attempts.
+  struct NET_EXPORT_PRIVATE Params {
+    // Default delay between calls to the system resolver for the same hostname.
+    // (Can be overridden by field trial.)
+    static constexpr base::TimeDelta kDnsDefaultUnresponsiveDelay =
+        base::Seconds(6);
+
+    // Set |max_system_retry_attempts| to this to select a default retry value.
+    static constexpr size_t kDefaultRetryAttempts = -1;
+
+    // Sets up defaults.
+    Params(scoped_refptr<HostResolverProc> resolver_proc,
+           size_t max_retry_attempts);
+
+    Params(const Params& other);
+
+    ~Params();
+
+    // The procedure to use for resolving host names. This will be NULL, except
+    // in the case of some-tests which inject custom host resolving behaviors.
+    scoped_refptr<HostResolverProc> resolver_proc;
+
+    // Maximum number retry attempts to resolve the hostname.
+    // Pass HostResolver::Options::kDefaultRetryAttempts to choose a default
+    // value.
+    size_t max_retry_attempts;
+
+    // This is the limit after which we make another attempt to resolve the host
+    // if the worker thread has not responded yet.
+    base::TimeDelta unresponsive_delay = kDnsDefaultUnresponsiveDelay;
+
+    // Factor to grow |unresponsive_delay| when we re-re-try.
+    uint32_t retry_factor = 2;
+  };
+
+  static std::unique_ptr<HostResolverSystemTask> Create(
+      std::string hostname,
+      AddressFamily address_family,
+      HostResolverFlags flags,
+      const Params& params = Params(nullptr, 0),
+      const NetLogWithSource& job_net_log = NetLogWithSource(),
+      handles::NetworkHandle network = handles::kInvalidNetworkHandle);
+
+  // Same as above but resolves the result of GetHostName() (the machine's own
+  // hostname).
+  static std::unique_ptr<HostResolverSystemTask> CreateForOwnHostname(
+      AddressFamily address_family,
+      HostResolverFlags flags,
+      const Params& params = Params(nullptr, 0),
+      const NetLogWithSource& job_net_log = NetLogWithSource(),
+      handles::NetworkHandle network = handles::kInvalidNetworkHandle);
+
+  // "Private" constructor for the above 2 static functions.
+  HostResolverSystemTask(
+      base::PassKey<HostResolverSystemTask>,
+      absl::optional<std::string> hostname,
+      AddressFamily address_family,
+      HostResolverFlags flags,
+      const Params& params = Params(nullptr, 0),
+      const NetLogWithSource& job_net_log = NetLogWithSource(),
+      handles::NetworkHandle network = handles::kInvalidNetworkHandle);
+
+  HostResolverSystemTask(const HostResolverSystemTask&) = delete;
+  HostResolverSystemTask& operator=(const HostResolverSystemTask&) = delete;
+
+  // Cancels this HostResolverSystemTask. Any outstanding resolve attempts
+  // cannot be cancelled, but they will post back to the current thread before
+  // checking their WeakPtrs to find that this task is cancelled.
+  ~HostResolverSystemTask();
+
+  // Starts the resolution task. This can only be called once per
+  // HostResolverSystemTask. `results_cb` will not be invoked synchronously and
+  // can own `this`.
+  void Start(SystemDnsResultsCallback results_cb);
+
+  bool was_completed() const {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+    return results_cb_.is_null();
+  }
+
+ private:
+  void StartLookupAttempt();
+
+  // Callback for when DoLookup() completes.
+  void OnLookupComplete(const uint32_t attempt_number,
+                        const AddressList& results,
+                        const int os_error,
+                        int error);
+
+  // If `hostname_` is absl::nullopt, this class should resolve the result of
+  // net::GetHostName() (the machine's own hostname).
+  const absl::optional<std::string> hostname_;
+  const AddressFamily address_family_;
+  const HostResolverFlags flags_;
+
+  // Holds an owning reference to the HostResolverProc that we are going to use.
+  // This may not be the current resolver procedure by the time we call
+  // ResolveAddrInfo, but that's OK... we'll use it anyways, and the owning
+  // reference ensures that it remains valid until we are done.
+  Params params_;
+
+  // The listener to the results of this HostResolverSystemTask.
+  SystemDnsResultsCallback results_cb_;
+
+  // Keeps track of the number of attempts we have made so far to resolve the
+  // host. Whenever we start an attempt to resolve the host, we increase this
+  // number.
+  uint32_t attempt_number_ = 0;
+
+  NetLogWithSource net_log_;
+
+  // Network to perform DNS lookups for.
+  const handles::NetworkHandle network_;
+
+  SEQUENCE_CHECKER(sequence_checker_);
+
+  // Used to loop back from the blocking lookup attempt tasks as well as from
+  // delayed retry tasks. Invalidate WeakPtrs on completion and cancellation to
+  // cancel handling of such posted tasks.
+  base::WeakPtrFactory<HostResolverSystemTask> weak_ptr_factory_{this};
+};
+
+// Ensures any necessary initialization occurs such that
+// SystemHostResolverCall() can be called on other threads.
+NET_EXPORT void EnsureSystemHostResolverCallReady();
+
+// Resolves `host` to an address list, using the system's default host resolver.
+// (i.e. this calls out to getaddrinfo()). If successful returns OK and fills
+// `addrlist` with a list of socket addresses. Otherwise returns a
+// network error code, and fills `os_error` with a more specific error if it
+// was non-NULL.
+// `network` is an optional parameter, when specified (!=
+// handles::kInvalidNetworkHandle) the lookup will be performed specifically for
+// `network`.
+NET_EXPORT_PRIVATE int SystemHostResolverCall(
+    const std::string& host,
+    AddressFamily address_family,
+    HostResolverFlags host_resolver_flags,
+    AddressList* addrlist,
+    int* os_error,
+    handles::NetworkHandle network = handles::kInvalidNetworkHandle);
+
+// Sets the task runner that system DNS resolution will run on, which is mostly
+// useful for tests and fuzzers that need reproducibilty of failures.
+NET_EXPORT_PRIVATE void SetSystemDnsResolutionTaskRunnerForTesting(
+    scoped_refptr<base::TaskRunner> task_runner);
+
+}  // namespace net
+
+#endif  // NET_DNS_HOST_RESOLVER_SYSTEM_TASK_H_
diff --git a/chromium/net/dns/https_record_rdata.cc b/chromium/net/dns/https_record_rdata.cc
index f9512b02852..58693d7addc 100644
--- a/chromium/net/dns/https_record_rdata.cc
+++ b/chromium/net/dns/https_record_rdata.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,7 +6,6 @@
 
 #include <stdint.h>
 
-#include <algorithm>
 #include <map>
 #include <memory>
 #include <set>
@@ -16,6 +15,7 @@
 
 #include "base/big_endian.h"
 #include "base/check.h"
+#include "base/containers/contains.h"
 #include "base/dcheck_is_on.h"
 #include "base/immediate_crash.h"
 #include "base/memory/ptr_util.h"
@@ -447,8 +447,7 @@ bool ServiceFormHttpsRecordRdata::IsCompatible() const {
 // static
 bool ServiceFormHttpsRecordRdata::IsSupportedKey(uint16_t key) {
 #if DCHECK_IS_ON()
-  return std::find(std::begin(kSupportedKeys), std::end(kSupportedKeys), key) !=
-         std::end(kSupportedKeys);
+  return base::Contains(kSupportedKeys, key);
 #else
   // Only intended for DCHECKs.
   IMMEDIATE_CRASH();
diff --git a/chromium/net/dns/https_record_rdata.h b/chromium/net/dns/https_record_rdata.h
index 39c53271636..833625ffec9 100644
--- a/chromium/net/dns/https_record_rdata.h
+++ b/chromium/net/dns/https_record_rdata.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/https_record_rdata_fuzzer.cc b/chromium/net/dns/https_record_rdata_fuzzer.cc
index a24a102f57d..4ab40a35853 100644
--- a/chromium/net/dns/https_record_rdata_fuzzer.cc
+++ b/chromium/net/dns/https_record_rdata_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/https_record_rdata_unittest.cc b/chromium/net/dns/https_record_rdata_unittest.cc
index fc481e88bd3..fc07f412b4f 100644
--- a/chromium/net/dns/https_record_rdata_unittest.cc
+++ b/chromium/net/dns/https_record_rdata_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/httpssvc_metrics.cc b/chromium/net/dns/httpssvc_metrics.cc
index 13430c99978..ffb94d84fb5 100644
--- a/chromium/net/dns/httpssvc_metrics.cc
+++ b/chromium/net/dns/httpssvc_metrics.cc
@@ -1,9 +1,10 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/dns/httpssvc_metrics.h"
 
+#include "base/containers/contains.h"
 #include "base/feature_list.h"
 #include "base/metrics/histogram.h"
 #include "base/metrics/histogram_base.h"
@@ -38,38 +39,7 @@ enum HttpssvcDnsRcode TranslateDnsRcodeForHttpssvcExperiment(uint8_t rcode) {
   NOTREACHED();
 }
 
-HttpssvcExperimentDomainCache::HttpssvcExperimentDomainCache() = default;
-HttpssvcExperimentDomainCache::~HttpssvcExperimentDomainCache() = default;
-
-bool HttpssvcExperimentDomainCache::ListContainsDomain(
-    const std::string& domain_list,
-    base::StringPiece domain,
-    absl::optional<base::flat_set<std::string>>& in_out_cached_list) {
-  if (!in_out_cached_list) {
-    in_out_cached_list = base::SplitString(
-        domain_list, ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
-  }
-  return in_out_cached_list->find(domain) != in_out_cached_list->end();
-}
-
-bool HttpssvcExperimentDomainCache::IsExperimental(base::StringPiece domain) {
-  if (!base::FeatureList::IsEnabled(features::kDnsHttpssvc))
-    return false;
-  return ListContainsDomain(features::kDnsHttpssvcExperimentDomains.Get(),
-                            domain, experimental_list_);
-}
-
-bool HttpssvcExperimentDomainCache::IsControl(base::StringPiece domain) {
-  if (!base::FeatureList::IsEnabled(features::kDnsHttpssvc))
-    return false;
-  if (features::kDnsHttpssvcControlDomainWildcard.Get())
-    return !IsExperimental(domain);
-  return ListContainsDomain(features::kDnsHttpssvcControlDomains.Get(), domain,
-                            control_list_);
-}
-
-HttpssvcMetrics::HttpssvcMetrics(bool secure, bool expect_intact)
-    : secure_(secure), expect_intact_(expect_intact) {}
+HttpssvcMetrics::HttpssvcMetrics(bool secure) : secure_(secure) {}
 
 HttpssvcMetrics::~HttpssvcMetrics() {
   RecordMetrics();
@@ -87,29 +57,6 @@ void HttpssvcMetrics::SaveAddressQueryFailure() {
   disqualified_ = true;
 }
 
-void HttpssvcMetrics::SaveForIntegrity(
-    enum HttpssvcDnsRcode rcode_integrity,
-    const std::vector<bool>& condensed_records,
-    base::TimeDelta integrity_resolve_time) {
-  DCHECK(!rcode_integrity_.has_value());
-  rcode_integrity_ = rcode_integrity;
-
-  num_integrity_records_ = condensed_records.size();
-
-  // We only record one "Integrity" sample per INTEGRITY query. In case multiple
-  // matching records are present in the response, we combine their intactness
-  // values with logical AND.
-  const bool intact =
-      std::all_of(condensed_records.cbegin(), condensed_records.cend(),
-                  [](bool b) { return b; });
-
-  DCHECK(!is_integrity_intact_.has_value());
-  is_integrity_intact_ = intact;
-
-  DCHECK(!integrity_resolve_time_.has_value());
-  integrity_resolve_time_ = integrity_resolve_time;
-}
-
 void HttpssvcMetrics::SaveForHttps(enum HttpssvcDnsRcode rcode,
                                    const std::vector<bool>& condensed_records,
                                    base::TimeDelta https_resolve_time) {
@@ -121,9 +68,7 @@ void HttpssvcMetrics::SaveForHttps(enum HttpssvcDnsRcode rcode,
   // We only record one "parsable" sample per HTTPS query. In case multiple
   // matching records are present in the response, we combine their parsable
   // values with logical AND.
-  const bool parsable =
-      std::all_of(condensed_records.cbegin(), condensed_records.cend(),
-                  [](bool b) { return b; });
+  const bool parsable = !base::Contains(condensed_records, false);
 
   DCHECK(!is_https_parsable_.has_value());
   is_https_parsable_ = parsable;
@@ -133,18 +78,15 @@ void HttpssvcMetrics::SaveForHttps(enum HttpssvcDnsRcode rcode,
 }
 
 std::string HttpssvcMetrics::BuildMetricName(
-    RecordType type,
     base::StringPiece leaf_name) const {
-  // Build shared pieces of the metric names.
-  CHECK(type == RecordType::kHttps || type == RecordType::kIntegrity);
-  base::StringPiece type_str =
-      type == RecordType::kHttps ? "RecordHttps" : "RecordIntegrity";
+  base::StringPiece type_str = "RecordHttps";
   base::StringPiece secure = secure_ ? "Secure" : "Insecure";
-  base::StringPiece expectation =
-      expect_intact_ ? "ExpectIntact" : "ExpectNoerror";
+  // This part is just a legacy from old experiments but now meaningless.
+  base::StringPiece expectation = "ExpectNoerror";
 
-  // Example INTEGRITY metric name:
-  // Net.DNS.HTTPSSVC.RecordIntegrity.Secure.ExpectIntact.DnsRcode
+  // Example metric name:
+  // Net.DNS.HTTPSSVC.RecordHttps.Secure.ExpectNoerror.DnsRcode
+  // TODO(crbug.com/1366422): Simplify the metric names.
   return base::JoinString(
       {"Net.DNS.HTTPSSVC", type_str, secure, expectation, leaf_name}, ".");
 }
@@ -156,47 +98,18 @@ void HttpssvcMetrics::RecordMetrics() {
   // We really have no metrics to record without an experimental query resolve
   // time and `address_resolve_times_`. If this HttpssvcMetrics is in an
   // inconsistent state, disqualify any metrics from being recorded.
-  if ((!integrity_resolve_time_.has_value() &&
-       !https_resolve_time_.has_value()) ||
-      address_resolve_times_.empty()) {
+  if (!https_resolve_time_.has_value() || address_resolve_times_.empty()) {
     disqualified_ = true;
   }
   if (disqualified_)
     return;
 
-  // Record the metrics that the "ExpectIntact" and "ExpectNoerror" branches
-  // have in common.
-  RecordCommonMetrics();
-
-  if (expect_intact_) {
-    // Record metrics that are unique to the "ExpectIntact" branch.
-    RecordExpectIntactMetrics();
-  } else {
-    // Record metrics that are unique to the "ExpectNoerror" branch.
-    RecordExpectNoerrorMetrics();
-  }
-}
-
-void HttpssvcMetrics::RecordCommonMetrics() {
-  DCHECK(integrity_resolve_time_.has_value() ||
-         https_resolve_time_.has_value());
-  if (integrity_resolve_time_.has_value()) {
-    base::UmaHistogramMediumTimes(
-        BuildMetricName(RecordType::kIntegrity, "ResolveTimeExperimental"),
-        *integrity_resolve_time_);
-  }
-  if (https_resolve_time_.has_value()) {
-    base::UmaHistogramMediumTimes(
-        BuildMetricName(RecordType::kHttps, "ResolveTimeExperimental"),
-        *https_resolve_time_);
-  }
+  base::UmaHistogramMediumTimes(BuildMetricName("ResolveTimeExperimental"),
+                                *https_resolve_time_);
 
-  DCHECK(!address_resolve_times_.empty());
-  // Not specific to INTEGRITY or HTTPS, but for the sake of picking one for the
-  // metric name and only recording the time once, always record the address
-  // resolve times under `kHttps`.
+  // Record the address resolve times.
   const std::string kMetricResolveTimeAddressRecord =
-      BuildMetricName(RecordType::kHttps, "ResolveTimeAddress");
+      BuildMetricName("ResolveTimeAddress");
   for (base::TimeDelta resolve_time_other : address_resolve_times_) {
     base::UmaHistogramMediumTimes(kMetricResolveTimeAddressRecord,
                                   resolve_time_other);
@@ -229,82 +142,25 @@ void HttpssvcMetrics::RecordCommonMetrics() {
   // 200% relative to the A/AAAA resolve time, twice as long.
   constexpr int64_t kMaxRatio = 20;
   constexpr int64_t kPercentScale = 10;
-  if (integrity_resolve_time_.has_value()) {
-    const int64_t resolve_time_percent = base::ClampFloor<int64_t>(
-        *integrity_resolve_time_ / *slowest_address_resolve * 100);
-    base::UmaHistogramExactLinear(
-        BuildMetricName(RecordType::kIntegrity, "ResolveTimeRatio"),
-        resolve_time_percent / kPercentScale, kMaxRatio);
-  }
-  if (https_resolve_time_.has_value()) {
-    const int64_t resolve_time_percent = base::ClampFloor<int64_t>(
-        *https_resolve_time_ / *slowest_address_resolve * 100);
-    base::UmaHistogramExactLinear(
-        BuildMetricName(RecordType::kHttps, "ResolveTimeRatio"),
-        resolve_time_percent / kPercentScale, kMaxRatio);
-  }
+  const int64_t resolve_time_percent = base::ClampFloor<int64_t>(
+      *https_resolve_time_ / *slowest_address_resolve * 100);
+  base::UmaHistogramExactLinear(BuildMetricName("ResolveTimeRatio"),
+                                resolve_time_percent / kPercentScale,
+                                kMaxRatio);
 
   if (num_https_records_ > 0) {
     DCHECK(rcode_https_.has_value());
     if (*rcode_https_ == HttpssvcDnsRcode::kNoError) {
-      base::UmaHistogramBoolean(BuildMetricName(RecordType::kHttps, "Parsable"),
+      base::UmaHistogramBoolean(BuildMetricName("Parsable"),
                                 is_https_parsable_.value_or(false));
     } else {
       // Record boolean indicating whether we received an HTTPS record and
       // an error simultaneously.
-      base::UmaHistogramBoolean(
-          BuildMetricName(RecordType::kHttps, "RecordWithError"), true);
+      base::UmaHistogramBoolean(BuildMetricName("RecordWithError"), true);
     }
   }
-}
-
-void HttpssvcMetrics::RecordExpectIntactMetrics() {
-  // Without an experimental query rcode, we can't make progress on any of these
-  // metrics.
-  DCHECK(rcode_integrity_.has_value() || rcode_https_.has_value());
-
-  // The ExpectIntact variant of the "DnsRcode" metric is only recorded when no
-  // records are received.
-  if (num_integrity_records_ == 0 && rcode_integrity_.has_value()) {
-    base::UmaHistogramEnumeration(
-        BuildMetricName(RecordType::kIntegrity, "DnsRcode"), *rcode_integrity_);
-  }
-  if (num_https_records_ == 0 && rcode_https_.has_value()) {
-    base::UmaHistogramEnumeration(
-        BuildMetricName(RecordType::kHttps, "DnsRcode"), *rcode_https_);
-  }
 
-  if (num_integrity_records_ > 0) {
-    DCHECK(rcode_integrity_.has_value());
-    if (*rcode_integrity_ == HttpssvcDnsRcode::kNoError) {
-      base::UmaHistogramBoolean(
-          BuildMetricName(RecordType::kIntegrity, "Integrity"),
-          is_integrity_intact_.value_or(false));
-    } else {
-      // Record boolean indicating whether we received an INTEGRITY record and
-      // an error simultaneously.
-      base::UmaHistogramBoolean(
-          BuildMetricName(RecordType::kIntegrity, "RecordWithError"), true);
-    }
-  }
-}
-
-void HttpssvcMetrics::RecordExpectNoerrorMetrics() {
-  if (rcode_integrity_.has_value()) {
-    base::UmaHistogramEnumeration(
-        BuildMetricName(RecordType::kIntegrity, "DnsRcode"), *rcode_integrity_);
-  }
-  if (rcode_https_.has_value()) {
-    base::UmaHistogramEnumeration(
-        BuildMetricName(RecordType::kHttps, "DnsRcode"), *rcode_https_);
-  }
-
-  // INTEGRITY only records a simple boolean when an unexpected record is
-  // received because it is extremely unlikely to be an actual INTEGRITY record.
-  if (num_integrity_records_ > 0) {
-    base::UmaHistogramBoolean(
-        BuildMetricName(RecordType::kIntegrity, "RecordReceived"), true);
-  }
+  base::UmaHistogramEnumeration(BuildMetricName("DnsRcode"), *rcode_https_);
 }
 
 }  // namespace net
diff --git a/chromium/net/dns/httpssvc_metrics.h b/chromium/net/dns/httpssvc_metrics.h
index 97416c9ff4e..afe85dbad8e 100644
--- a/chromium/net/dns/httpssvc_metrics.h
+++ b/chromium/net/dns/httpssvc_metrics.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -32,25 +32,6 @@ enum HttpssvcDnsRcode {
   kMaxValue = kRefused,
 };
 
-// Helper that classifies domains as experimental, control, or other. Queries
-// feature params and caches result to avoid repeated parsing.
-class NET_EXPORT_PRIVATE HttpssvcExperimentDomainCache {
- public:
-  HttpssvcExperimentDomainCache();
-  ~HttpssvcExperimentDomainCache();
-  bool IsExperimental(base::StringPiece domain);
-  bool IsControl(base::StringPiece domain);
-
- private:
-  bool ListContainsDomain(
-      const std::string& domain_list,
-      base::StringPiece domain,
-      absl::optional<base::flat_set<std::string>>& in_out_cached_list);
-
-  absl::optional<base::flat_set<std::string>> experimental_list_;
-  absl::optional<base::flat_set<std::string>> control_list_;
-};
-
 // Translate an RCODE value to the |HttpssvcDnsRcode| enum, which is used for
 // HTTPSSVC experimentation. The goal is to keep these values in a small,
 // contiguous range in order to satisfy the UMA enumeration function's
@@ -58,11 +39,14 @@ class NET_EXPORT_PRIVATE HttpssvcExperimentDomainCache {
 // or |kMissingDnsResponse|.
 enum HttpssvcDnsRcode TranslateDnsRcodeForHttpssvcExperiment(uint8_t rcode);
 
-// Tool for aggregating HTTPSSVC and INTEGRITY metrics. Accumulates metrics via
-// the Save* methods. Records metrics to UMA on destruction.
+// Tool for aggregating HTTPS RR metrics. Accumulates metrics via the Save*
+// methods. Records metrics to UMA on destruction.
+// TODO(crbug.com/1366422): Rework this class once we've finished with
+// HTTPS-related rollouts and have decided what metrics we want to keep
+// permanently.
 class NET_EXPORT_PRIVATE HttpssvcMetrics {
  public:
-  HttpssvcMetrics(bool secure, bool expect_intact);
+  explicit HttpssvcMetrics(bool secure);
   ~HttpssvcMetrics();
   HttpssvcMetrics(HttpssvcMetrics&) = delete;
   HttpssvcMetrics(HttpssvcMetrics&&) = delete;
@@ -76,39 +60,25 @@ class NET_EXPORT_PRIVATE HttpssvcMetrics {
   void SaveAddressQueryFailure();
 
   // Must only be called once.
-  void SaveForIntegrity(enum HttpssvcDnsRcode rcode,
-                        const std::vector<bool>& condensed_records,
-                        base::TimeDelta integrity_resolve_time);
   void SaveForHttps(enum HttpssvcDnsRcode rcode,
                     const std::vector<bool>& condensed_records,
                     base::TimeDelta https_resolve_time);
 
  private:
-  enum class RecordType { kIntegrity, kHttps };
-
-  std::string BuildMetricName(RecordType type,
-                              base::StringPiece leaf_name) const;
+  std::string BuildMetricName(base::StringPiece leaf_name) const;
 
   // Records all the aggregated metrics to UMA.
   void RecordMetrics();
-  void RecordCommonMetrics();
-  void RecordExpectIntactMetrics();
-  void RecordExpectNoerrorMetrics();
 
   const bool secure_;
-  const bool expect_intact_;
   // RecordIntegrityMetrics() will do nothing when |disqualified_| is true.
   bool disqualified_ = false;
   bool already_recorded_ = false;
-  absl::optional<enum HttpssvcDnsRcode> rcode_integrity_;
   absl::optional<enum HttpssvcDnsRcode> rcode_https_;
-  size_t num_integrity_records_ = 0;
   size_t num_https_records_ = 0;
-  absl::optional<bool> is_integrity_intact_;
   absl::optional<bool> is_https_parsable_;
-  // We never make multiple INTEGRITY or HTTPS queries per DnsTask, so we only
-  // need one TimeDelta for each qtype.
-  absl::optional<base::TimeDelta> integrity_resolve_time_;
+  // We never make multiple HTTPS queries per DnsTask, so we only need
+  // one TimeDelta for the HTTPS query.
   absl::optional<base::TimeDelta> https_resolve_time_;
   std::vector<base::TimeDelta> address_resolve_times_;
 };
diff --git a/chromium/net/dns/httpssvc_metrics_unittest.cc b/chromium/net/dns/httpssvc_metrics_unittest.cc
index 724d4bad5bd..dc63e4dc953 100644
--- a/chromium/net/dns/httpssvc_metrics_unittest.cc
+++ b/chromium/net/dns/httpssvc_metrics_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -20,167 +20,14 @@
 
 namespace net {
 
-// int: number of domains
-// bool: extra leading comma
-// bool: extra trailing comma
-using DomainListQuirksTuple = std::tuple<int, bool, bool>;
-
-// bool: DnsHttpssvc feature is enabled
-// bool: DnsHttpssvcUseIntegrity feature param
-// bool: DnsHttpssvcUseHttpssvc feature param
-// bool: DnsHttpssvcControlDomainWildcard feature param
-using HttpssvcFeatureTuple = std::tuple<bool, bool, bool, bool>;
-
-// DomainListQuirksTuple: quirks for the experimental domain list.
-// DomainListQuirksTuple: quirks for the control domain list.
-// HttpssvcFeatureTuple: config for the whole DnsHttpssvc feature.
-using ParsingTestParamTuple = std::
-    tuple<DomainListQuirksTuple, DomainListQuirksTuple, HttpssvcFeatureTuple>;
-
-// bool: whether we are querying for an experimental domain or a control domain
-// HttpssvcFeatureTuple: config for the whole DnsHttpssvc feature.
-using MetricsTestParamTuple = std::tuple<bool, HttpssvcFeatureTuple>;
-
-// Create a comma-separated list of |domains| with the given |quirks|.
-std::string FlattenDomainList(const std::vector<std::string>& domains,
-                              DomainListQuirksTuple quirks) {
-  auto [num_domains, leading_comma, trailing_comma] = quirks;
-
-  CHECK_EQ(static_cast<size_t>(num_domains), domains.size());
-  std::string flattened = base::JoinString(domains, ",");
-  if (leading_comma)
-    flattened.insert(flattened.begin(), ',');
-  if (trailing_comma)
-    flattened.push_back(',');
-  return flattened;
-}
-
-// Intermediate representation constructed from test parameters.
-struct HttpssvcFeatureConfig {
-  HttpssvcFeatureConfig() = default;
-
-  explicit HttpssvcFeatureConfig(const HttpssvcFeatureTuple& feature_tuple,
-                                 base::StringPiece experiment_domains,
-                                 base::StringPiece control_domains)
-      : experiment_domains(experiment_domains),
-        control_domains(control_domains) {
-    std::tie(enabled, use_integrity, use_httpssvc, control_domain_wildcard) =
-        feature_tuple;
-  }
-
-  void Apply(base::test::ScopedFeatureList* scoped_feature_list) const {
-    if (!enabled) {
-      scoped_feature_list->InitAndDisableFeature(features::kDnsHttpssvc);
-      return;
-    }
-    auto stringify = [](bool b) -> std::string { return b ? "true" : "false"; };
-    scoped_feature_list->InitAndEnableFeatureWithParameters(
-        features::kDnsHttpssvc,
-        {
-            {"DnsHttpssvcUseHttpssvc", stringify(use_httpssvc)},
-            {"DnsHttpssvcUseIntegrity", stringify(use_integrity)},
-            {"DnsHttpssvcEnableQueryOverInsecure", "false"},
-            {"DnsHttpssvcExperimentDomains", experiment_domains},
-            {"DnsHttpssvcControlDomains", control_domains},
-            {"DnsHttpssvcControlDomainWildcard",
-             stringify(control_domain_wildcard)},
-        });
-  }
-
-  bool enabled = false;
-  bool use_integrity = false;
-  bool use_httpssvc = false;
-  bool control_domain_wildcard = false;
-  std::string experiment_domains;
-  std::string control_domains;
-};
-
-std::vector<std::string> GenerateDomainList(base::StringPiece label, int n) {
-  std::vector<std::string> domains;
-  for (int i = 0; i < n; i++) {
-    domains.push_back(base::StrCat(
-        {"domain", base::NumberToString(i), ".", label, ".example"}));
-  }
-  return domains;
-}
-
-// Base for testing domain list parsing functions in
-// net::features::dns_httpssvc_experiment.
-class HttpssvcDomainParsingTest
-    : public ::testing::TestWithParam<ParsingTestParamTuple> {
- public:
-  void SetUp() override {
-    auto [domain_quirks_experimental, domain_quirks_control, httpssvc_feature] =
-        GetParam();
-
-    expected_experiment_domains_ = GenerateDomainList(
-        "experiment", std::get<0>(domain_quirks_experimental));
-    expected_control_domains_ =
-        GenerateDomainList("control", std::get<0>(domain_quirks_control));
-
-    config_ = HttpssvcFeatureConfig(
-        httpssvc_feature,
-        FlattenDomainList(expected_experiment_domains_,
-                          domain_quirks_experimental),
-        FlattenDomainList(expected_control_domains_, domain_quirks_control));
-    config_.Apply(&scoped_feature_list_);
-  }
-
-  const HttpssvcFeatureConfig& config() { return config_; }
-
- protected:
-  // The expected results of parsing the comma-separated domain lists in
-  // |experiment_domains| and |control_domains|, respectively.
-  std::vector<std::string> expected_experiment_domains_;
-  std::vector<std::string> expected_control_domains_;
-
- private:
-  HttpssvcFeatureConfig config_;
-  base::test::ScopedFeatureList scoped_feature_list_;
-};
-
-// This instantiation tests the domain list parser against various quirks,
-// e.g. leading comma.
-INSTANTIATE_TEST_SUITE_P(
-    HttpssvcMetricsTestDomainParsing,
-    HttpssvcDomainParsingTest,
-    testing::Combine(
-        // DomainListQuirksTuple for experimental domains. To fight back
-        // combinatorial explosion of tests, this tuple is pared down more than
-        // the one for control domains. This should not significantly hurt test
-        // coverage because |IsExperimentDomain| and |IsControlDomain| rely on a
-        // shared helper function.
-        testing::Combine(testing::Values(0, 1),
-                         testing::Values(false),
-                         testing::Values(false)),
-        // DomainListQuirksTuple for control domains.
-        testing::Combine(testing::Range(0, 3),
-                         testing::Bool(),
-                         testing::Bool()),
-        // HttpssvcFeatureTuple
-        testing::Combine(
-            testing::Bool() /* DnsHttpssvc feature enabled? */,
-            testing::Bool() /* DnsHttpssvcUseIntegrity */,
-            testing::Bool() /* DnsHttpssvcUseHttpssvc */,
-            testing::Values(false) /* DnsHttpssvcControlDomainWildcard */)));
-
 // Base for testing the metrics collection code in |HttpssvcMetrics|.
-class HttpssvcMetricsTest
-    : public ::testing::TestWithParam<std::tuple<bool, bool>> {
+class HttpssvcMetricsTest : public ::testing::TestWithParam<bool> {
  public:
-  void SetUp() override {
-    std::tie(secure_, querying_experimental_) = GetParam();
-    config_ = HttpssvcFeatureConfig(
-        {true /* enabled */, true /* use_integrity */, true /* use_httpssvc */,
-         false /* control_domain_wildcard */},
-        "", "");
-    config_.Apply(&scoped_feature_list_);
-  }
+  void SetUp() override { secure_ = GetParam(); }
 
-  std::string BuildMetricNamePrefix(base::StringPiece record_type_str,
-                                    base::StringPiece expect_str) const {
-    return base::StrCat({"Net.DNS.HTTPSSVC.", record_type_str, ".",
-                         secure_ ? "Secure." : "Insecure.", expect_str, "."});
+  std::string BuildMetricNamePrefix() const {
+    return base::StrCat({"Net.DNS.HTTPSSVC.RecordHttps.",
+                         secure_ ? "Secure." : "Insecure.", "ExpectNoerror."});
   }
 
   template <typename T>
@@ -200,96 +47,20 @@ class HttpssvcMetricsTest
   }
 
   void VerifyAddressResolveTimeMetric(
-      absl::optional<base::TimeDelta> expect_intact_time = absl::nullopt,
       absl::optional<base::TimeDelta> expect_noerror_time = absl::nullopt) {
-    const std::string kExpectIntact =
-        base::StrCat({BuildMetricNamePrefix("RecordHttps", "ExpectIntact"),
-                      "ResolveTimeAddress"});
     const std::string kExpectNoerror =
-        base::StrCat({BuildMetricNamePrefix("RecordHttps", "ExpectNoerror"),
-                      "ResolveTimeAddress"});
+        base::StrCat({BuildMetricNamePrefix(), "ResolveTimeAddress"});
 
-    ExpectSample(kExpectIntact, expect_intact_time);
     ExpectSample(kExpectNoerror, expect_noerror_time);
   }
 
-  void VerifyIntegrityMetricsForExpectIntact(
-      absl::optional<HttpssvcDnsRcode> rcode,
-      absl::optional<bool> integrity,
-      absl::optional<bool> record_with_error,
-      absl::optional<base::TimeDelta> resolve_time_integrity,
-      absl::optional<int> resolve_time_ratio) const {
-    const std::string kPrefix =
-        BuildMetricNamePrefix("RecordIntegrity", "ExpectIntact");
-    const std::string kMetricDnsRcode = base::StrCat({kPrefix, "DnsRcode"});
-    const std::string kMetricIntegrity = base::StrCat({kPrefix, "Integrity"});
-    const std::string kMetricRecordWithError =
-        base::StrCat({kPrefix, "RecordWithError"});
-    const std::string kMetricResolveTimeExperimental =
-        base::StrCat({kPrefix, "ResolveTimeExperimental"});
-    const std::string kMetricResolveTimeRatio =
-        base::StrCat({kPrefix, "ResolveTimeRatio"});
-
-    ExpectSample(kMetricDnsRcode, rcode);
-    ExpectSample(kMetricIntegrity, integrity);
-    ExpectSample(kMetricRecordWithError, record_with_error);
-    ExpectSample(kMetricResolveTimeExperimental, resolve_time_integrity);
-    ExpectSample(kMetricResolveTimeRatio, resolve_time_ratio);
-  }
-
-  void VerifyHttpsMetricsForExpectIntact(
-      absl::optional<HttpssvcDnsRcode> rcode = absl::nullopt,
-      absl::optional<bool> parsable = absl::nullopt,
-      absl::optional<bool> record_with_error = absl::nullopt,
-      absl::optional<base::TimeDelta> resolve_time_https = absl::nullopt,
-      absl::optional<int> resolve_time_ratio = absl::nullopt) const {
-    const std::string kPrefix =
-        BuildMetricNamePrefix("RecordHttps", "ExpectIntact");
-    const std::string kMetricDnsRcode = base::StrCat({kPrefix, "DnsRcode"});
-    const std::string kMetricParsable = base::StrCat({kPrefix, "Parsable"});
-    const std::string kMetricRecordWithError =
-        base::StrCat({kPrefix, "RecordWithError"});
-    const std::string kMetricResolveTimeExperimental =
-        base::StrCat({kPrefix, "ResolveTimeExperimental"});
-    const std::string kMetricResolveTimeRatio =
-        base::StrCat({kPrefix, "ResolveTimeRatio"});
-
-    ExpectSample(kMetricDnsRcode, rcode);
-    ExpectSample(kMetricParsable, parsable);
-    ExpectSample(kMetricRecordWithError, record_with_error);
-    ExpectSample(kMetricResolveTimeExperimental, resolve_time_https);
-    ExpectSample(kMetricResolveTimeRatio, resolve_time_ratio);
-  }
-
-  void VerifyIntegrityMetricsForExpectNoerror(
-      absl::optional<HttpssvcDnsRcode> rcode,
-      absl::optional<int> record_received,
-      absl::optional<base::TimeDelta> resolve_time_integrity,
-      absl::optional<int> resolve_time_ratio) const {
-    const std::string kPrefix =
-        BuildMetricNamePrefix("RecordIntegrity", "ExpectNoerror");
-    const std::string kMetricDnsRcode = base::StrCat({kPrefix, "DnsRcode"});
-    const std::string kMetricRecordReceived =
-        base::StrCat({kPrefix, "RecordReceived"});
-    const std::string kMetricResolveTimeExperimental =
-        base::StrCat({kPrefix, "ResolveTimeExperimental"});
-    const std::string kMetricResolveTimeRatio =
-        base::StrCat({kPrefix, "ResolveTimeRatio"});
-
-    ExpectSample(kMetricDnsRcode, rcode);
-    ExpectSample(kMetricRecordReceived, record_received);
-    ExpectSample(kMetricResolveTimeExperimental, resolve_time_integrity);
-    ExpectSample(kMetricResolveTimeRatio, resolve_time_ratio);
-  }
-
   void VerifyHttpsMetricsForExpectNoerror(
       absl::optional<HttpssvcDnsRcode> rcode = absl::nullopt,
       absl::optional<bool> parsable = absl::nullopt,
       absl::optional<bool> record_with_error = absl::nullopt,
       absl::optional<base::TimeDelta> resolve_time_https = absl::nullopt,
       absl::optional<int> resolve_time_ratio = absl::nullopt) const {
-    const std::string kPrefix =
-        BuildMetricNamePrefix("RecordHttps", "ExpectNoerror");
+    const std::string kPrefix = BuildMetricNamePrefix();
     const std::string kMetricDnsRcode = base::StrCat({kPrefix, "DnsRcode"});
     const std::string kMetricParsable = base::StrCat({kPrefix, "Parsable"});
     const std::string kMetricRecordWithError =
@@ -306,245 +77,44 @@ class HttpssvcMetricsTest
     ExpectSample(kMetricResolveTimeRatio, resolve_time_ratio);
   }
 
-  void VerifyIntegrityMetricsForExpectIntact() {
-    VerifyIntegrityMetricsForExpectIntact(absl::nullopt, absl::nullopt,
-                                          absl::nullopt, absl::nullopt,
-                                          absl::nullopt);
-  }
-
-  void VerifyIntegrityMetricsForExpectNoerror() {
-    VerifyIntegrityMetricsForExpectNoerror(absl::nullopt, absl::nullopt,
-                                           absl::nullopt, absl::nullopt);
-  }
-
   const base::HistogramTester& histo() const { return histogram_; }
-  const HttpssvcFeatureConfig& config() const { return config_; }
 
  protected:
   bool secure_;
-  bool querying_experimental_;
 
  private:
-  HttpssvcFeatureConfig config_;
-  base::test::ScopedFeatureList scoped_feature_list_;
   base::HistogramTester histogram_;
 };
 
-// This instantiation focuses on whether the correct metrics are recorded. The
-// domain list parser is already tested against encoding quirks in
-// |HttpssvcMetricsTestDomainParsing|, so we fix the quirks at false.
-INSTANTIATE_TEST_SUITE_P(
-    HttpssvcMetricsTestSimple,
-    HttpssvcMetricsTest,
-    testing::Combine(
-        testing::Bool(),  // Querying over DoH or Do53.
-        testing::Bool()   // Whether we are querying an experimental domain.
-        ));
-
-TEST_P(HttpssvcDomainParsingTest, ParseFeatureParamIntegrityDomains) {
-  HttpssvcExperimentDomainCache domain_cache;
-
-  const std::string kReservedDomain = "neither.example";
-  EXPECT_FALSE(domain_cache.IsExperimental(kReservedDomain));
-  EXPECT_EQ(domain_cache.IsControl(kReservedDomain),
-            config().enabled && config().control_domain_wildcard);
-
-  // If |config().use_integrity| is true, then we expect all domains in
-  // |expected_experiment_domains_| to be experimental (same goes for
-  // control domains). Otherwise, no domain should be considered experimental or
-  // control.
+INSTANTIATE_TEST_SUITE_P(HttpssvcMetricsTestSimple,
+                         HttpssvcMetricsTest,
+                         testing::Bool()  // Querying over DoH or Do53.
+);
 
-  if (!config().enabled) {
-    // When the HTTPSSVC feature is disabled, no domain should be considered
-    // experimental or control.
-    for (const std::string& experiment_domain : expected_experiment_domains_) {
-      EXPECT_FALSE(domain_cache.IsExperimental(experiment_domain));
-      EXPECT_FALSE(domain_cache.IsControl(experiment_domain));
-    }
-    for (const std::string& control_domain : expected_control_domains_) {
-      EXPECT_FALSE(domain_cache.IsExperimental(control_domain));
-      EXPECT_FALSE(domain_cache.IsControl(control_domain));
-    }
-  } else if (config().use_integrity || config().use_httpssvc) {
-    for (const std::string& experiment_domain : expected_experiment_domains_) {
-      EXPECT_TRUE(domain_cache.IsExperimental(experiment_domain));
-      EXPECT_FALSE(domain_cache.IsControl(experiment_domain));
-    }
-    for (const std::string& control_domain : expected_control_domains_) {
-      EXPECT_FALSE(domain_cache.IsExperimental(control_domain));
-      EXPECT_TRUE(domain_cache.IsControl(control_domain));
-    }
-    return;
-  }
-}
-
-// Only record metrics for a non-integrity query.
+// Only record metrics for a non-HTTPS query.
 TEST_P(HttpssvcMetricsTest, AddressAndExperimentalMissing) {
   const base::TimeDelta kResolveTime = base::Milliseconds(10);
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
+  auto metrics = absl::make_optional<HttpssvcMetrics>(secure_);
   metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
   metrics.reset();  // Record the metrics to UMA.
 
   VerifyAddressResolveTimeMetric();
-  VerifyIntegrityMetricsForExpectIntact();
-  VerifyHttpsMetricsForExpectIntact();
-  VerifyIntegrityMetricsForExpectNoerror();
-  VerifyHttpsMetricsForExpectNoerror();
-}
-
-TEST_P(HttpssvcMetricsTest, AddressAndIntegrityIntact) {
-  const base::TimeDelta kResolveTime = base::Milliseconds(10);
-  const base::TimeDelta kResolveTimeIntegrity = base::Milliseconds(15);
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
-  metrics->SaveForIntegrity(HttpssvcDnsRcode::kNoError, {true},
-                            kResolveTimeIntegrity);
-  metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
-  metrics.reset();  // Record the metrics to UMA.
-
-  VerifyHttpsMetricsForExpectIntact();
   VerifyHttpsMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyIntegrityMetricsForExpectIntact(
-        absl::nullopt /* rcode */, {true} /* integrity */,
-        absl::nullopt /* record_with_error */,
-        {kResolveTimeIntegrity} /* resolve_time_integrity */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyIntegrityMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyIntegrityMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
-  VerifyIntegrityMetricsForExpectNoerror(
-      {HttpssvcDnsRcode::kNoError} /* rcode */, {1} /* record_received */,
-      {kResolveTimeIntegrity} /* resolve_time_integrity */,
-      {15} /* resolve_time_ratio */);
 }
 
 TEST_P(HttpssvcMetricsTest, AddressAndHttpsParsable) {
   const base::TimeDelta kResolveTime = base::Milliseconds(10);
   const base::TimeDelta kResolveTimeHttps = base::Milliseconds(15);
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
-  metrics->SaveForHttps(HttpssvcDnsRcode::kNoError, {true}, kResolveTimeHttps);
-  metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
-  metrics.reset();  // Record the metrics to UMA.
-
-  VerifyIntegrityMetricsForExpectIntact();
-  VerifyIntegrityMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyHttpsMetricsForExpectIntact(
-        absl::nullopt /* rcode */, {true} /* parsable */,
-        absl::nullopt /* record_with_error */,
-        {kResolveTimeHttps} /* resolve_time_https */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyHttpsMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyHttpsMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
-  VerifyHttpsMetricsForExpectNoerror(
-      {HttpssvcDnsRcode::kNoError} /* rcode */, {true} /* parsable */,
-      absl::nullopt /* record_with_error */,
-      {kResolveTimeHttps} /* resolve_time_https */,
-      {15} /* resolve_time_ratio */);
-}
-
-TEST_P(HttpssvcMetricsTest, AddressAndIntegrityIntactAndHttpsParsable) {
-  const base::TimeDelta kResolveTime = base::Milliseconds(10);
-  const base::TimeDelta kResolveTimeIntegrity = base::Milliseconds(15);
-  const base::TimeDelta kResolveTimeHttps = base::Milliseconds(20);
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
-  metrics->SaveForIntegrity(HttpssvcDnsRcode::kNoError, {true},
-                            kResolveTimeIntegrity);
+  auto metrics = absl::make_optional<HttpssvcMetrics>(secure_);
   metrics->SaveForHttps(HttpssvcDnsRcode::kNoError, {true}, kResolveTimeHttps);
   metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
   metrics.reset();  // Record the metrics to UMA.
 
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyIntegrityMetricsForExpectIntact(
-        absl::nullopt /* rcode */, {true} /* integrity */,
-        absl::nullopt /* record_with_error */,
-        {kResolveTimeIntegrity} /* resolve_time_integrity */,
-        {15} /* resolve_time_ratio */);
-    VerifyHttpsMetricsForExpectIntact(
-        absl::nullopt /* rcode */, {true} /* parsable */,
-        absl::nullopt /* record_with_error */,
-        {kResolveTimeHttps} /* resolve_time_https */,
-        {20} /* resolve_time_ratio */);
-
-    VerifyIntegrityMetricsForExpectNoerror();
-    VerifyHttpsMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyIntegrityMetricsForExpectIntact();
-  VerifyHttpsMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
-  VerifyIntegrityMetricsForExpectNoerror(
-      {HttpssvcDnsRcode::kNoError} /* rcode */, {1} /* record_received */,
-      {kResolveTimeIntegrity} /* resolve_time_integrity */,
-      {15} /* resolve_time_ratio */);
+  VerifyAddressResolveTimeMetric({kResolveTime} /* expect_noerror_time */);
   VerifyHttpsMetricsForExpectNoerror(
       {HttpssvcDnsRcode::kNoError} /* rcode */, {true} /* parsable */,
       absl::nullopt /* record_with_error */,
       {kResolveTimeHttps} /* resolve_time_https */,
-      {20} /* resolve_time_ratio */);
-}
-
-// This test simulates an INTEGRITY response that includes no INTEGRITY records,
-// but does have an error value for the RCODE.
-TEST_P(HttpssvcMetricsTest, AddressAndIntegrityMissingWithRcode) {
-  const base::TimeDelta kResolveTime = base::Milliseconds(10);
-  const base::TimeDelta kResolveTimeIntegrity = base::Milliseconds(15);
-
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
-  metrics->SaveForIntegrity(HttpssvcDnsRcode::kNxDomain, {},
-                            kResolveTimeIntegrity);
-  metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
-  metrics.reset();  // Record the metrics to UMA.
-
-  VerifyHttpsMetricsForExpectIntact();
-  VerifyHttpsMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyIntegrityMetricsForExpectIntact(
-        {HttpssvcDnsRcode::kNxDomain} /* rcode */,
-        absl::nullopt /* integrity */, absl::nullopt /* record_with_error */,
-        {kResolveTimeIntegrity} /* resolve_time_integrity */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyIntegrityMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyIntegrityMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
-  VerifyIntegrityMetricsForExpectNoerror(
-      {HttpssvcDnsRcode::kNxDomain} /* rcode */,
-      absl::nullopt /* record_received */,
-      {kResolveTimeIntegrity} /* resolve_time_integrity */,
       {15} /* resolve_time_ratio */);
 }
 
@@ -554,31 +124,12 @@ TEST_P(HttpssvcMetricsTest, AddressAndHttpsMissingWithRcode) {
   const base::TimeDelta kResolveTime = base::Milliseconds(10);
   const base::TimeDelta kResolveTimeHttps = base::Milliseconds(15);
 
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
+  auto metrics = absl::make_optional<HttpssvcMetrics>(secure_);
   metrics->SaveForHttps(HttpssvcDnsRcode::kNxDomain, {}, kResolveTimeHttps);
   metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
   metrics.reset();  // Record the metrics to UMA.
 
-  VerifyIntegrityMetricsForExpectIntact();
-  VerifyIntegrityMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyHttpsMetricsForExpectIntact(
-        {HttpssvcDnsRcode::kNxDomain} /* rcode */, absl::nullopt /* parsable */,
-        absl::nullopt /* record_with_error */,
-        {kResolveTimeHttps} /* resolve_time_https */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyHttpsMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyHttpsMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
+  VerifyAddressResolveTimeMetric({kResolveTime} /* expect_noerror_time */);
   VerifyHttpsMetricsForExpectNoerror(
       {HttpssvcDnsRcode::kNxDomain} /* rcode */, absl::nullopt /* parsable */,
       absl::nullopt /* record_with_error */,
@@ -586,79 +137,18 @@ TEST_P(HttpssvcMetricsTest, AddressAndHttpsMissingWithRcode) {
       {15} /* resolve_time_ratio */);
 }
 
-// This test simulates an INTEGRITY response that includes an intact INTEGRITY
-// record, but also has an error RCODE.
-TEST_P(HttpssvcMetricsTest, AddressAndIntegrityIntactWithRcode) {
-  const base::TimeDelta kResolveTime = base::Milliseconds(10);
-  const base::TimeDelta kResolveTimeIntegrity = base::Milliseconds(15);
-
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
-  metrics->SaveForIntegrity(HttpssvcDnsRcode::kNxDomain, {true},
-                            kResolveTimeIntegrity);
-  metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
-  metrics.reset();  // Record the metrics to UMA.
-
-  VerifyHttpsMetricsForExpectIntact();
-  VerifyHttpsMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyIntegrityMetricsForExpectIntact(
-        // "DnsRcode" metric is omitted because we received an INTEGRITY record.
-        absl::nullopt /* rcode */,
-        // "Integrity" metric is omitted because the RCODE is not NOERROR.
-        absl::nullopt /* integrity */, {true} /* record_with_error */,
-        {kResolveTimeIntegrity} /* resolve_time_integrity */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyIntegrityMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyIntegrityMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
-  VerifyIntegrityMetricsForExpectNoerror(
-      {HttpssvcDnsRcode::kNxDomain} /* rcode */, {true} /* record_received */,
-      {kResolveTimeIntegrity} /* resolve_time_integrity */,
-      {15} /* resolve_time_ratio */);
-}
-
 // This test simulates an HTTPS response that includes a parsable HTTPS
 // record, but also has an error RCODE.
 TEST_P(HttpssvcMetricsTest, AddressAndHttpsParsableWithRcode) {
   const base::TimeDelta kResolveTime = base::Milliseconds(10);
   const base::TimeDelta kResolveTimeHttps = base::Milliseconds(15);
 
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
+  auto metrics = absl::make_optional<HttpssvcMetrics>(secure_);
   metrics->SaveForHttps(HttpssvcDnsRcode::kNxDomain, {true}, kResolveTimeHttps);
   metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
   metrics.reset();  // Record the metrics to UMA.
 
-  VerifyIntegrityMetricsForExpectIntact();
-  VerifyIntegrityMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyHttpsMetricsForExpectIntact(
-        // "DnsRcode" metric is omitted because we received an HTTPS record.
-        absl::nullopt /* rcode */,
-        // "parsable" metric is omitted because the RCODE is not NOERROR.
-        absl::nullopt /* parsable */, {true} /* record_with_error */,
-        {kResolveTimeHttps} /* resolve_time_https */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyHttpsMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyHttpsMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
+  VerifyAddressResolveTimeMetric({kResolveTime} /* expect_noerror_time */);
   VerifyHttpsMetricsForExpectNoerror(
       {HttpssvcDnsRcode::kNxDomain} /* rcode */,
       // "parsable" metric is omitted because the RCODE is not NOERROR.
@@ -667,78 +157,18 @@ TEST_P(HttpssvcMetricsTest, AddressAndHttpsParsableWithRcode) {
       {15} /* resolve_time_ratio */);
 }
 
-// This test simulates an INTEGRITY response that includes a mangled INTEGRITY
-// record *and* has an error RCODE.
-TEST_P(HttpssvcMetricsTest, AddressAndIntegrityMangledWithRcode) {
-  const base::TimeDelta kResolveTime = base::Milliseconds(10);
-  const base::TimeDelta kResolveTimeIntegrity = base::Milliseconds(15);
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
-  metrics->SaveForIntegrity(HttpssvcDnsRcode::kNxDomain, {false},
-                            kResolveTimeIntegrity);
-  metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
-  metrics.reset();  // Record the metrics to UMA.
-
-  VerifyHttpsMetricsForExpectIntact();
-  VerifyHttpsMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyIntegrityMetricsForExpectIntact(
-        // "DnsRcode" metric is omitted because we received an INTEGRITY record.
-        absl::nullopt /* rcode */,
-        // "Integrity" metric is omitted because the RCODE is not NOERROR.
-        absl::nullopt /* integrity */, {true} /* record_with_error */,
-        {kResolveTimeIntegrity} /* resolve_time_integrity */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyIntegrityMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyIntegrityMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
-  VerifyIntegrityMetricsForExpectNoerror(
-      {HttpssvcDnsRcode::kNxDomain} /* rcode */, {true} /* record_received */,
-      {kResolveTimeIntegrity} /* resolve_time_integrity */,
-      {15} /* resolve_time_ratio */);
-}
-
 // This test simulates an HTTPS response that includes a mangled HTTPS
 // record *and* has an error RCODE.
 TEST_P(HttpssvcMetricsTest, AddressAndHttpsMangledWithRcode) {
   const base::TimeDelta kResolveTime = base::Milliseconds(10);
   const base::TimeDelta kResolveTimeHttps = base::Milliseconds(15);
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
+  auto metrics = absl::make_optional<HttpssvcMetrics>(secure_);
   metrics->SaveForHttps(HttpssvcDnsRcode::kNxDomain, {false},
                         kResolveTimeHttps);
   metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
   metrics.reset();  // Record the metrics to UMA.
 
-  VerifyIntegrityMetricsForExpectIntact();
-  VerifyIntegrityMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyHttpsMetricsForExpectIntact(
-        // "DnsRcode" metric is omitted because we received an HTTPS record.
-        absl::nullopt /* rcode */,
-        // "parsable" metric is omitted because the RCODE is not NOERROR.
-        absl::nullopt /* parsable */, {true} /* record_with_error */,
-        {kResolveTimeHttps} /* resolve_time_https */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyHttpsMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyHttpsMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
+  VerifyAddressResolveTimeMetric({kResolveTime} /* expect_noerror_time */);
   VerifyHttpsMetricsForExpectNoerror(
       {HttpssvcDnsRcode::kNxDomain} /* rcode */,
       // "parsable" metric is omitted because the RCODE is not NOERROR.
@@ -747,76 +177,17 @@ TEST_P(HttpssvcMetricsTest, AddressAndHttpsMangledWithRcode) {
       {15} /* resolve_time_ratio */);
 }
 
-// This test simulates successful address queries and an INTEGRITY query that
-// timed out.
-TEST_P(HttpssvcMetricsTest, AddressAndIntegrityTimedOut) {
-  const base::TimeDelta kResolveTime = base::Milliseconds(10);
-  const base::TimeDelta kResolveTimeIntegrity = base::Milliseconds(15);
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
-  metrics->SaveForIntegrity(HttpssvcDnsRcode::kTimedOut, {},
-                            kResolveTimeIntegrity);
-  metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
-  metrics.reset();  // Record the metrics to UMA.
-
-  VerifyHttpsMetricsForExpectIntact();
-  VerifyHttpsMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyIntegrityMetricsForExpectIntact(
-        {HttpssvcDnsRcode::kTimedOut} /* rcode */,
-        // "Integrity" metric is omitted because the RCODE is not NOERROR.
-        absl::nullopt /* integrity */, absl::nullopt /* record_with_error */,
-        {kResolveTimeIntegrity} /* resolve_time_integrity */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyIntegrityMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyIntegrityMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
-  VerifyIntegrityMetricsForExpectNoerror(
-      {HttpssvcDnsRcode::kTimedOut} /* rcode */,
-      absl::nullopt /* record_received */,
-      {kResolveTimeIntegrity} /* resolve_time_integrity */,
-      {15} /* resolve_time_ratio */);
-}
-
 // This test simulates successful address queries and an HTTPS query that
 // timed out.
 TEST_P(HttpssvcMetricsTest, AddressAndHttpsTimedOut) {
   const base::TimeDelta kResolveTime = base::Milliseconds(10);
   const base::TimeDelta kResolveTimeHttps = base::Milliseconds(15);
-  auto metrics =
-      absl::make_optional<HttpssvcMetrics>(secure_, querying_experimental_);
+  auto metrics = absl::make_optional<HttpssvcMetrics>(secure_);
   metrics->SaveForHttps(HttpssvcDnsRcode::kTimedOut, {}, kResolveTimeHttps);
   metrics->SaveForAddressQuery(kResolveTime, HttpssvcDnsRcode::kNoError);
   metrics.reset();  // Record the metrics to UMA.
 
-  VerifyIntegrityMetricsForExpectIntact();
-  VerifyIntegrityMetricsForExpectNoerror();
-
-  if (querying_experimental_) {
-    VerifyAddressResolveTimeMetric({kResolveTime} /* expect_intact_time */);
-    VerifyHttpsMetricsForExpectIntact(
-        {HttpssvcDnsRcode::kTimedOut} /* rcode */,
-        // "parsable" metric is omitted because the RCODE is not NOERROR.
-        absl::nullopt /* parsable */, absl::nullopt /* record_with_error */,
-        {kResolveTimeHttps} /* resolve_time_https */,
-        {15} /* resolve_time_ratio */);
-
-    VerifyIntegrityMetricsForExpectNoerror();
-    return;
-  }
-
-  VerifyHttpsMetricsForExpectIntact();
-
-  VerifyAddressResolveTimeMetric(absl::nullopt /* expect_intact_time */,
-                                 {kResolveTime} /* expect_noerror_time */);
+  VerifyAddressResolveTimeMetric({kResolveTime} /* expect_noerror_time */);
   VerifyHttpsMetricsForExpectNoerror(
       {HttpssvcDnsRcode::kTimedOut} /* rcode */,
       // "parsable" metric is omitted because the RCODE is not NOERROR.
diff --git a/chromium/net/dns/integrity_record_fuzzer.cc b/chromium/net/dns/integrity_record_fuzzer.cc
deleted file mode 100644
index f2fb575d161..00000000000
--- a/chromium/net/dns/integrity_record_fuzzer.cc
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <limits>
-#include <memory>
-#include <string>
-#include <vector>
-
-#include "base/check_op.h"
-#include "base/strings/string_piece.h"
-#include "net/dns/record_rdata.h"
-#include "third_party/abseil-cpp/absl/types/optional.h"
-
-namespace net {
-
-namespace {
-
-base::StringPiece MakeStringPiece(const std::vector<uint8_t>& vec) {
-  return base::StringPiece(reinterpret_cast<const char*>(vec.data()),
-                           vec.size());
-}
-
-// For arbitrary data, check that parse(data).serialize() == data.
-void ParseThenSerializeProperty(const std::vector<uint8_t>& data) {
-  auto parsed = IntegrityRecordRdata::Create(MakeStringPiece(data));
-  CHECK(parsed);
-  absl::optional<std::vector<uint8_t>> maybe_serialized = parsed->Serialize();
-  // Since |data| is chosen by a fuzzer, the record's digest is unlikely to
-  // match its nonce. As a result, |parsed->IsIntact()| may be false, and thus
-  // |parsed->Serialize()| may be |absl::nullopt|.
-  CHECK_EQ(parsed->IsIntact(), !!maybe_serialized);
-  if (maybe_serialized) {
-    CHECK(data == *maybe_serialized);
-  }
-}
-
-// For arbitrary IntegrityRecordRdata r, check that parse(r.serialize()) == r.
-void SerializeThenParseProperty(const std::vector<uint8_t>& data) {
-  // Ensure that the nonce is not too long to be serialized.
-  if (data.size() > std::numeric_limits<uint16_t>::max()) {
-    // Property is vacuously true because the record is not serializable.
-    return;
-  }
-  // Build an IntegrityRecordRdata by treating |data| as a nonce.
-  IntegrityRecordRdata record(data);
-  CHECK(record.IsIntact());
-  absl::optional<std::vector<uint8_t>> maybe_serialized = record.Serialize();
-  CHECK(maybe_serialized.has_value());
-
-  // Parsing |serialized| always produces a record identical to the original.
-  auto parsed =
-      IntegrityRecordRdata::Create(MakeStringPiece(*maybe_serialized));
-  CHECK(parsed);
-  CHECK(parsed->IsIntact());
-  CHECK(parsed->IsEqual(&record));
-}
-
-}  // namespace
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  const std::vector<uint8_t> data_vec(data, data + size);
-  ParseThenSerializeProperty(data_vec);
-  SerializeThenParseProperty(data_vec);
-  // Construct a random IntegrityRecordRdata to exercise that code path. No need
-  // to exercise parse/serialize since we already did that with |data|.
-  IntegrityRecordRdata rand_record(IntegrityRecordRdata::Random());
-  return 0;
-}
-
-}  // namespace net
diff --git a/chromium/net/dns/mapped_host_resolver.cc b/chromium/net/dns/mapped_host_resolver.cc
index 0faf128db11..9ebbb804e7f 100644
--- a/chromium/net/dns/mapped_host_resolver.cc
+++ b/chromium/net/dns/mapped_host_resolver.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "base/values.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/url_util.h"
 #include "net/dns/host_resolver.h"
 #include "net/log/net_log_with_source.h"
@@ -34,7 +34,7 @@ void MappedHostResolver::OnShutdown() {
 std::unique_ptr<HostResolver::ResolveHostRequest>
 MappedHostResolver::CreateRequest(
     url::SchemeHostPort host,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     NetLogWithSource source_net_log,
     absl::optional<ResolveHostParameters> optional_parameters) {
   GURL rewritten_url = host.GetURL();
@@ -44,16 +44,17 @@ MappedHostResolver::CreateRequest(
     case HostMappingRules::RewriteResult::kRewritten:
       DCHECK(rewritten_url.is_valid());
       DCHECK_NE(rewritten_url.host_piece(), "~NOTFOUND");
-      return impl_->CreateRequest(
-          url::SchemeHostPort(rewritten_url), std::move(network_isolation_key),
-          std::move(source_net_log), std::move(optional_parameters));
+      return impl_->CreateRequest(url::SchemeHostPort(rewritten_url),
+                                  std::move(network_anonymization_key),
+                                  std::move(source_net_log),
+                                  std::move(optional_parameters));
     case HostMappingRules::RewriteResult::kInvalidRewrite:
       // Treat any invalid mapping as if it was "~NOTFOUND" (which should itself
       // result in `kInvalidRewrite`).
       return CreateFailingRequest(ERR_NAME_NOT_RESOLVED);
     case HostMappingRules::RewriteResult::kNoMatchingRule:
       return impl_->CreateRequest(
-          std::move(host), std::move(network_isolation_key),
+          std::move(host), std::move(network_anonymization_key),
           std::move(source_net_log), std::move(optional_parameters));
   }
 }
@@ -61,7 +62,7 @@ MappedHostResolver::CreateRequest(
 std::unique_ptr<HostResolver::ResolveHostRequest>
 MappedHostResolver::CreateRequest(
     const HostPortPair& host,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const NetLogWithSource& source_net_log,
     const absl::optional<ResolveHostParameters>& optional_parameters) {
   HostPortPair rewritten = host;
@@ -70,8 +71,8 @@ MappedHostResolver::CreateRequest(
   if (rewritten.host() == "~NOTFOUND")
     return CreateFailingRequest(ERR_NAME_NOT_RESOLVED);
 
-  return impl_->CreateRequest(rewritten, network_isolation_key, source_net_log,
-                              optional_parameters);
+  return impl_->CreateRequest(rewritten, network_anonymization_key,
+                              source_net_log, optional_parameters);
 }
 
 std::unique_ptr<HostResolver::ProbeRequest>
diff --git a/chromium/net/dns/mapped_host_resolver.h b/chromium/net/dns/mapped_host_resolver.h
index 477f5848830..9cd0b3663bd 100644
--- a/chromium/net/dns/mapped_host_resolver.h
+++ b/chromium/net/dns/mapped_host_resolver.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -12,7 +12,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/host_mapping_rules.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/dns/dns_config.h"
 #include "net/dns/host_resolver.h"
 #include "net/log/net_log_with_source.h"
@@ -56,12 +56,12 @@ class NET_EXPORT MappedHostResolver : public HostResolver {
   // HostResolver methods:
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       url::SchemeHostPort host,
-      NetworkIsolationKey network_isolation_key,
+      NetworkAnonymizationKey network_anonymization_key,
       NetLogWithSource net_log,
       absl::optional<ResolveHostParameters> optional_parameters) override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const NetLogWithSource& net_log,
       const absl::optional<ResolveHostParameters>& optional_parameters)
       override;
diff --git a/chromium/net/dns/mapped_host_resolver_unittest.cc b/chromium/net/dns/mapped_host_resolver_unittest.cc
index 59dc88d6069..9d3fb77017c 100644
--- a/chromium/net/dns/mapped_host_resolver_unittest.cc
+++ b/chromium/net/dns/mapped_host_resolver_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -55,7 +55,7 @@ TEST(MappedHostResolverTest, Inclusion) {
   TestCompletionCallback callback;
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
   int rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
@@ -69,8 +69,8 @@ TEST(MappedHostResolverTest, Inclusion) {
 
   // Try resolving "www.google.com:80". Should be remapped to "baz.com:80".
   request = resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                                    NetworkIsolationKey(), NetLogWithSource(),
-                                    absl::nullopt);
+                                    NetworkAnonymizationKey(),
+                                    NetLogWithSource(), absl::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -81,8 +81,8 @@ TEST(MappedHostResolverTest, Inclusion) {
   // Try resolving "foo.com:77". This will NOT be remapped, so result
   // is "foo.com:77".
   request = resolver->CreateRequest(HostPortPair("foo.com", 77),
-                                    NetworkIsolationKey(), NetLogWithSource(),
-                                    absl::nullopt);
+                                    NetworkAnonymizationKey(),
+                                    NetLogWithSource(), absl::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -95,8 +95,8 @@ TEST(MappedHostResolverTest, Inclusion) {
 
   // Try resolving "chromium.org:61". Should be remapped to "proxy:99".
   request = resolver->CreateRequest(HostPortPair("chromium.org", 61),
-                                    NetworkIsolationKey(), NetLogWithSource(),
-                                    absl::nullopt);
+                                    NetworkAnonymizationKey(),
+                                    NetLogWithSource(), absl::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -119,7 +119,7 @@ TEST(MappedHostResolverTest, MapsHostWithScheme) {
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(
           url::SchemeHostPort(url::kHttpScheme, "to.map.test", 155),
-          NetworkIsolationKey(), NetLogWithSource(), absl::nullopt);
+          NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
@@ -148,7 +148,7 @@ TEST(MappedHostResolverTest, MapsHostWithSchemeToIpLiteral) {
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(
           url::SchemeHostPort(url::kHttpScheme, "host.test", 156),
-          NetworkIsolationKey(), NetLogWithSource(), absl::nullopt);
+          NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
@@ -174,7 +174,7 @@ TEST(MappedHostResolverTest, MapsHostWithSchemeToNonCanon) {
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(
           url::SchemeHostPort(url::kHttpScheme, "host.test", 157),
-          NetworkIsolationKey(), NetLogWithSource(), absl::nullopt);
+          NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
@@ -200,7 +200,7 @@ TEST(MappedHostResolverTest, MapsHostWithSchemeToNameWithPort) {
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(
           url::SchemeHostPort(url::kHttpScheme, "host.test", 158),
-          NetworkIsolationKey(), NetLogWithSource(), absl::nullopt);
+          NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
@@ -225,7 +225,7 @@ TEST(MappedHostResolverTest, HandlesUnmappedHostWithScheme) {
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(
           url::SchemeHostPort(url::kHttpsScheme, "unmapped.test", 155),
-          NetworkIsolationKey(), NetLogWithSource(), absl::nullopt);
+          NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
@@ -260,7 +260,7 @@ TEST(MappedHostResolverTest, Exclusion) {
   // Try resolving "www.google.com". Should not be remapped due to exclusion).
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
   int rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
@@ -271,8 +271,8 @@ TEST(MappedHostResolverTest, Exclusion) {
 
   // Try resolving "chrome.com:80". Should be remapped to "baz:80".
   request = resolver->CreateRequest(HostPortPair("chrome.com", 80),
-                                    NetworkIsolationKey(), NetLogWithSource(),
-                                    absl::nullopt);
+                                    NetworkAnonymizationKey(),
+                                    NetLogWithSource(), absl::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -300,7 +300,7 @@ TEST(MappedHostResolverTest, SetRulesFromString) {
   // Try resolving "www.google.com". Should be remapped to "baz".
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
   int rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
@@ -311,8 +311,8 @@ TEST(MappedHostResolverTest, SetRulesFromString) {
 
   // Try resolving "chrome.net:80". Should be remapped to "bar:60".
   request = resolver->CreateRequest(HostPortPair("chrome.net", 80),
-                                    NetworkIsolationKey(), NetLogWithSource(),
-                                    absl::nullopt);
+                                    NetworkAnonymizationKey(),
+                                    NetLogWithSource(), absl::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -355,7 +355,7 @@ TEST(MappedHostResolverTest, MapToError) {
   TestCompletionCallback callback1;
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                              NetworkIsolationKey(), NetLogWithSource(),
+                              NetworkAnonymizationKey(), NetLogWithSource(),
                               absl::nullopt);
   int rv = request->Start(callback1.callback());
   EXPECT_THAT(rv, IsError(ERR_NAME_NOT_RESOLVED));
@@ -364,8 +364,8 @@ TEST(MappedHostResolverTest, MapToError) {
   // Try resolving www.foo.com --> Should succeed.
   TestCompletionCallback callback2;
   request = resolver->CreateRequest(HostPortPair("www.foo.com", 80),
-                                    NetworkIsolationKey(), NetLogWithSource(),
-                                    absl::nullopt);
+                                    NetworkAnonymizationKey(),
+                                    NetLogWithSource(), absl::nullopt);
   rv = request->Start(callback2.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback2.WaitForResult();
@@ -388,7 +388,7 @@ TEST(MappedHostResolverTest, MapHostWithSchemeToError) {
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(
           url::SchemeHostPort(url::kWssScheme, "host.test", 155),
-          NetworkIsolationKey(), NetLogWithSource(), absl::nullopt);
+          NetworkAnonymizationKey(), NetLogWithSource(), absl::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
diff --git a/chromium/net/dns/mdns_cache.cc b/chromium/net/dns/mdns_cache.cc
index b9981d5590d..d9fa93bcab1 100644
--- a/chromium/net/dns/mdns_cache.cc
+++ b/chromium/net/dns/mdns_cache.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mdns_cache.h b/chromium/net/dns/mdns_cache.h
index e208d1be40c..a8e91bc7eb4 100644
--- a/chromium/net/dns/mdns_cache.h
+++ b/chromium/net/dns/mdns_cache.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mdns_cache_unittest.cc b/chromium/net/dns/mdns_cache_unittest.cc
index 18a89e05161..1b23e2b9c8f 100644
--- a/chromium/net/dns/mdns_cache_unittest.cc
+++ b/chromium/net/dns/mdns_cache_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mdns_client.cc b/chromium/net/dns/mdns_client.cc
index 00f7b03dc37..9e848e6fb8d 100644
--- a/chromium/net/dns/mdns_client.cc
+++ b/chromium/net/dns/mdns_client.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mdns_client.h b/chromium/net/dns/mdns_client.h
index daca09e1efe..a41a0155358 100644
--- a/chromium/net/dns/mdns_client.h
+++ b/chromium/net/dns/mdns_client.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mdns_client_impl.cc b/chromium/net/dns/mdns_client_impl.cc
index 6122762037c..e25f650afc3 100644
--- a/chromium/net/dns/mdns_client_impl.cc
+++ b/chromium/net/dns/mdns_client_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mdns_client_impl.h b/chromium/net/dns/mdns_client_impl.h
index 17c123432ff..bc98f70c03e 100644
--- a/chromium/net/dns/mdns_client_impl.h
+++ b/chromium/net/dns/mdns_client_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mdns_client_unittest.cc b/chromium/net/dns/mdns_client_unittest.cc
index 896caaa4604..2f9998c3bb0 100644
--- a/chromium/net/dns/mdns_client_unittest.cc
+++ b/chromium/net/dns/mdns_client_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mock_host_resolver.cc b/chromium/net/dns/mock_host_resolver.cc
index 3f662a4c4b3..368a620416b 100644
--- a/chromium/net/dns/mock_host_resolver.cc
+++ b/chromium/net/dns/mock_host_resolver.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -21,7 +21,6 @@
 #include "base/memory/ref_counted.h"
 #include "base/no_destructor.h"
 #include "base/notreached.h"
-#include "base/stl_util.h"
 #include "base/strings/pattern.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_split.h"
@@ -32,6 +31,7 @@
 #include "base/time/default_tick_clock.h"
 #include "base/time/tick_clock.h"
 #include "base/time/time.h"
+#include "base/types/optional_util.h"
 #include "build/build_config.h"
 #include "net/base/address_family.h"
 #include "net/base/address_list.h"
@@ -40,16 +40,17 @@
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/dns_alias_utility.h"
 #include "net/dns/dns_util.h"
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_manager.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/host_resolver_system_task.h"
 #include "net/dns/https_record_rdata.h"
 #include "net/dns/public/dns_query_type.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/host_resolver_source.h"
 #include "net/dns/public/mdns_listener_update_type.h"
 #include "net/dns/public/resolve_error_info.h"
@@ -73,43 +74,13 @@ const unsigned kMaxCacheEntries = 100;
 // TTL for the successful resolutions. Failures are not cached.
 const unsigned kCacheEntryTTLSeconds = 60;
 
-base::StringPiece GetScheme(const HostResolver::Host& endpoint) {
-  DCHECK(absl::holds_alternative<url::SchemeHostPort>(endpoint));
-  return absl::get<url::SchemeHostPort>(endpoint).scheme();
-}
-
-// In HostPortPair format (no brackets around IPv6 literals) purely for
-// compatibility with IPAddress::AssignFromIPLiteral().
-base::StringPiece GetHostname(const HostResolver::Host& endpoint) {
-  if (absl::holds_alternative<url::SchemeHostPort>(endpoint)) {
-    base::StringPiece hostname =
-        absl::get<url::SchemeHostPort>(endpoint).host();
-    if (hostname.size() >= 2 && hostname.front() == '[' &&
-        hostname.back() == ']') {
-      return hostname.substr(1, hostname.size() - 2);
-    }
-    return hostname;
-  }
-
-  DCHECK(absl::holds_alternative<HostPortPair>(endpoint));
-  return absl::get<HostPortPair>(endpoint).host();
-}
-
-uint16_t GetPort(const HostResolver::Host& endpoint) {
-  if (absl::holds_alternative<url::SchemeHostPort>(endpoint))
-    return absl::get<url::SchemeHostPort>(endpoint).port();
-
-  DCHECK(absl::holds_alternative<HostPortPair>(endpoint));
-  return absl::get<HostPortPair>(endpoint).port();
-}
-
 absl::variant<url::SchemeHostPort, std::string> GetCacheHost(
     const HostResolver::Host& endpoint) {
-  if (absl::holds_alternative<url::SchemeHostPort>(endpoint))
-    return absl::get<url::SchemeHostPort>(endpoint);
+  if (endpoint.HasScheme()) {
+    return endpoint.AsSchemeHostPort();
+  }
 
-  DCHECK(absl::holds_alternative<HostPortPair>(endpoint));
-  return absl::get<HostPortPair>(endpoint).host();
+  return endpoint.GetHostname();
 }
 
 absl::optional<HostCache::Entry> CreateCacheEntry(
@@ -165,11 +136,11 @@ class MockHostResolverBase::RequestImpl
     : public HostResolver::ResolveHostRequest {
  public:
   RequestImpl(Host request_endpoint,
-              const NetworkIsolationKey& network_isolation_key,
+              const NetworkAnonymizationKey& network_anonymization_key,
               const absl::optional<ResolveHostParameters>& optional_parameters,
               base::WeakPtr<MockHostResolverBase> resolver)
       : request_endpoint_(std::move(request_endpoint)),
-        network_isolation_key_(network_isolation_key),
+        network_anonymization_key_(network_anonymization_key),
         parameters_(optional_parameters ? optional_parameters.value()
                                         : ResolveHostParameters()),
         priority_(parameters_.initial_priority),
@@ -218,13 +189,13 @@ class MockHostResolverBase::RequestImpl
 
   const AddressList* GetAddressResults() const override {
     DCHECK(complete_);
-    return base::OptionalOrNullptr(address_results_);
+    return base::OptionalToPtr(address_results_);
   }
 
   const std::vector<HostResolverEndpointResult>* GetEndpointResults()
       const override {
     DCHECK(complete_);
-    return base::OptionalOrNullptr(endpoint_results_);
+    return base::OptionalToPtr(endpoint_results_);
   }
 
   const absl::optional<std::vector<std::string>>& GetTextResults()
@@ -245,7 +216,7 @@ class MockHostResolverBase::RequestImpl
 
   const std::set<std::string>* GetDnsAliasResults() const override {
     DCHECK(complete_);
-    return base::OptionalOrNullptr(fixed_up_dns_alias_results_);
+    return base::OptionalToPtr(fixed_up_dns_alias_results_);
   }
 
   net::ResolveErrorInfo GetResolveErrorInfo() const override {
@@ -316,8 +287,8 @@ class MockHostResolverBase::RequestImpl
 
   const Host& request_endpoint() const { return request_endpoint_; }
 
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
 
   const ResolveHostParameters& parameters() const { return parameters_; }
@@ -356,7 +327,7 @@ class MockHostResolverBase::RequestImpl
               AddressFamilyToDnsQueryType(endpoint.GetFamily())) {
         if (endpoint.port() == 0) {
           corrected.emplace_back(endpoint.address(),
-                                 GetPort(request_endpoint_));
+                                 request_endpoint_.GetPort());
         } else {
           corrected.push_back(endpoint);
         }
@@ -366,12 +337,13 @@ class MockHostResolverBase::RequestImpl
   }
   std::set<std::string> FixupAliases(const std::set<std::string> aliases) {
     if (aliases.empty())
-      return std::set<std::string>{std::string(GetHostname(request_endpoint_))};
+      return std::set<std::string>{
+          std::string(request_endpoint_.GetHostnameWithoutBrackets())};
     return aliases;
   }
 
   const Host request_endpoint_;
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
   const ResolveHostParameters parameters_;
   RequestPriority priority_;
   int host_resolver_flags_;
@@ -542,11 +514,12 @@ MockHostResolverBase::RuleResolver::Resolve(
     const RuleResultOrError& result = rule.second;
 
     if (absl::holds_alternative<RuleKey::NoScheme>(key.scheme) &&
-        absl::holds_alternative<url::SchemeHostPort>(request_endpoint)) {
+        request_endpoint.HasScheme()) {
       continue;
     }
 
-    if (key.port.has_value() && key.port.value() != GetPort(request_endpoint)) {
+    if (key.port.has_value() &&
+        key.port.value() != request_endpoint.GetPort()) {
       continue;
     }
 
@@ -563,13 +536,13 @@ MockHostResolverBase::RuleResolver::Resolve(
     }
 
     if (absl::holds_alternative<RuleKey::Scheme>(key.scheme) &&
-        (!absl::holds_alternative<url::SchemeHostPort>(request_endpoint) ||
-         GetScheme(request_endpoint) !=
+        (!request_endpoint.HasScheme() ||
+         request_endpoint.GetScheme() !=
              absl::get<RuleKey::Scheme>(key.scheme))) {
       continue;
     }
 
-    if (!base::MatchPattern(GetHostname(request_endpoint),
+    if (!base::MatchPattern(request_endpoint.GetHostnameWithoutBrackets(),
                             key.hostname_pattern)) {
       continue;
     }
@@ -580,7 +553,7 @@ MockHostResolverBase::RuleResolver::Resolve(
   if (default_result_)
     return default_result_.value();
 
-  NOTREACHED() << "Request " << GetHostname(request_endpoint)
+  NOTREACHED() << "Request " << request_endpoint.GetHostname()
                << " did not match any MockHostResolver rules.";
   static const RuleResultOrError kUnexpected = ERR_UNEXPECTED;
   return kUnexpected;
@@ -736,20 +709,21 @@ void MockHostResolverBase::OnShutdown() {
 std::unique_ptr<HostResolver::ResolveHostRequest>
 MockHostResolverBase::CreateRequest(
     url::SchemeHostPort host,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     NetLogWithSource net_log,
     absl::optional<ResolveHostParameters> optional_parameters) {
-  return std::make_unique<RequestImpl>(std::move(host), network_isolation_key,
+  return std::make_unique<RequestImpl>(Host(std::move(host)),
+                                       network_anonymization_key,
                                        optional_parameters, AsWeakPtr());
 }
 
 std::unique_ptr<HostResolver::ResolveHostRequest>
 MockHostResolverBase::CreateRequest(
     const HostPortPair& host,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const NetLogWithSource& source_net_log,
     const absl::optional<ResolveHostParameters>& optional_parameters) {
-  return std::make_unique<RequestImpl>(host, network_isolation_key,
+  return std::make_unique<RequestImpl>(Host(host), network_anonymization_key,
                                        optional_parameters, AsWeakPtr());
 }
 
@@ -769,8 +743,16 @@ HostCache* MockHostResolverBase::GetHostCache() {
 }
 
 int MockHostResolverBase::LoadIntoCache(
+    absl::variant<url::SchemeHostPort, HostPortPair> endpoint,
+    const NetworkAnonymizationKey& network_anonymization_key,
+    const absl::optional<ResolveHostParameters>& optional_parameters) {
+  return LoadIntoCache(Host(std::move(endpoint)), network_anonymization_key,
+                       optional_parameters);
+}
+
+int MockHostResolverBase::LoadIntoCache(
     const Host& endpoint,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const absl::optional<ResolveHostParameters>& optional_parameters) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(cache_);
@@ -782,7 +764,7 @@ int MockHostResolverBase::LoadIntoCache(
   std::set<std::string> aliases;
   absl::optional<HostCache::EntryStaleness> stale_info;
   int rv = ResolveFromIPLiteralOrCache(
-      endpoint, network_isolation_key, parameters.dns_query_type,
+      endpoint, network_anonymization_key, parameters.dns_query_type,
       ParametersToHostResolverFlags(parameters), parameters.source,
       parameters.cache_usage, &endpoints, &aliases, &stale_info);
   if (rv != ERR_DNS_CACHE_MISS) {
@@ -792,10 +774,10 @@ int MockHostResolverBase::LoadIntoCache(
 
   // Just like the real resolver, refuse to do anything with invalid
   // hostnames.
-  if (!IsValidDNSDomain(GetHostname(endpoint)))
+  if (!IsValidDNSDomain(endpoint.GetHostnameWithoutBrackets()))
     return ERR_NAME_NOT_RESOLVED;
 
-  RequestImpl request(endpoint, network_isolation_key, optional_parameters,
+  RequestImpl request(endpoint, network_anonymization_key, optional_parameters,
                       AsWeakPtr());
   return DoSynchronousResolution(request);
 }
@@ -836,7 +818,7 @@ void MockHostResolverBase::DetachRequest(size_t id) {
 
 base::StringPiece MockHostResolverBase::request_host(size_t id) {
   DCHECK(request(id));
-  return GetHostname(request(id)->request_endpoint());
+  return request(id)->request_endpoint().GetHostnameWithoutBrackets();
 }
 
 RequestPriority MockHostResolverBase::request_priority(size_t id) {
@@ -844,10 +826,10 @@ RequestPriority MockHostResolverBase::request_priority(size_t id) {
   return request(id)->priority();
 }
 
-const NetworkIsolationKey& MockHostResolverBase::request_network_isolation_key(
-    size_t id) {
+const NetworkAnonymizationKey&
+MockHostResolverBase::request_network_anonymization_key(size_t id) {
   DCHECK(request(id));
-  return request(id)->network_isolation_key();
+  return request(id)->network_anonymization_key();
 }
 
 void MockHostResolverBase::ResolveOnlyRequestNow() {
@@ -923,7 +905,8 @@ int MockHostResolverBase::Resolve(RequestImpl* request) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   last_request_priority_ = request->parameters().initial_priority;
-  last_request_network_isolation_key_ = request->network_isolation_key();
+  last_request_network_anonymization_key_ =
+      request->network_anonymization_key();
   last_secure_dns_policy_ = request->parameters().secure_dns_policy;
   state_->IncrementNumResolve();
   std::vector<HostResolverEndpointResult> endpoints;
@@ -931,7 +914,7 @@ int MockHostResolverBase::Resolve(RequestImpl* request) {
   absl::optional<HostCache::EntryStaleness> stale_info;
   // TODO(crbug.com/1264933): Allow caching `ConnectionEndpoint` results.
   int rv = ResolveFromIPLiteralOrCache(
-      request->request_endpoint(), request->network_isolation_key(),
+      request->request_endpoint(), request->network_anonymization_key(),
       request->parameters().dns_query_type, request->host_resolver_flags(),
       request->parameters().source, request->parameters().cache_usage,
       &endpoints, &aliases, &stale_info);
@@ -950,7 +933,8 @@ int MockHostResolverBase::Resolve(RequestImpl* request) {
 
   // Just like the real resolver, refuse to do anything with invalid
   // hostnames.
-  if (!IsValidDNSDomain(GetHostname(request->request_endpoint()))) {
+  if (!IsValidDNSDomain(
+          request->request_endpoint().GetHostnameWithoutBrackets())) {
     request->SetError(ERR_NAME_NOT_RESOLVED);
     return ERR_NAME_NOT_RESOLVED;
   }
@@ -974,7 +958,7 @@ int MockHostResolverBase::Resolve(RequestImpl* request) {
 
 int MockHostResolverBase::ResolveFromIPLiteralOrCache(
     const Host& endpoint,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     DnsQueryType dns_query_type,
     HostResolverFlags flags,
     HostResolverSource source,
@@ -990,7 +974,7 @@ int MockHostResolverBase::ResolveFromIPLiteralOrCache(
   *out_stale_info = absl::nullopt;
 
   IPAddress ip_address;
-  if (ip_address.AssignFromIPLiteral(GetHostname(endpoint))) {
+  if (ip_address.AssignFromIPLiteral(endpoint.GetHostnameWithoutBrackets())) {
     const DnsQueryType desired_address_query =
         AddressFamilyToDnsQueryType(GetAddressFamily(ip_address));
     DCHECK_NE(desired_address_query, DnsQueryType::UNSPECIFIED);
@@ -1003,7 +987,7 @@ int MockHostResolverBase::ResolveFromIPLiteralOrCache(
 
     *out_endpoints = std::vector<HostResolverEndpointResult>(1);
     (*out_endpoints)[0].ip_endpoints.emplace_back(ip_address,
-                                                  GetPort(endpoint));
+                                                  endpoint.GetPort());
     if (flags & HOST_RESOLVER_CANONNAME)
       *out_aliases = {ip_address.ToString()};
     return OK;
@@ -1012,7 +996,8 @@ int MockHostResolverBase::ResolveFromIPLiteralOrCache(
   std::vector<IPEndPoint> localhost_endpoints;
   // Immediately resolve any "localhost" or recognized similar names.
   if (IsAddressType(dns_query_type) &&
-      ResolveLocalHostname(GetHostname(endpoint), &localhost_endpoints)) {
+      ResolveLocalHostname(endpoint.GetHostnameWithoutBrackets(),
+                           &localhost_endpoints)) {
     *out_endpoints = std::vector<HostResolverEndpointResult>(1);
     (*out_endpoints)[0].ip_endpoints = localhost_endpoints;
     return OK;
@@ -1028,7 +1013,7 @@ int MockHostResolverBase::ResolveFromIPLiteralOrCache(
         source == HostResolverSource::LOCAL_ONLY ? HostResolverSource::ANY
                                                  : source;
     HostCache::Key key(GetCacheHost(endpoint), dns_query_type, flags,
-                       effective_source, network_isolation_key);
+                       effective_source, network_anonymization_key);
     const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
     HostCache::EntryStaleness stale_info = HostCache::kNotStale;
     if (cache_usage ==
@@ -1101,7 +1086,7 @@ int MockHostResolverBase::DoSynchronousResolution(RequestImpl& request) {
     HostCache::Key key(
         GetCacheHost(request.request_endpoint()),
         request.parameters().dns_query_type, request.host_resolver_flags(),
-        request.parameters().source, request.network_isolation_key());
+        request.parameters().source, request.network_anonymization_key());
     // Storing a failure with TTL 0 so that it overwrites previous value.
     base::TimeDelta ttl;
     if (error == OK) {
@@ -1340,9 +1325,7 @@ int RuleBasedHostResolverProc::Resolve(const std::string& host,
         case Rule::kResolverTypeFailTimeout:
           return ERR_DNS_TIMED_OUT;
         case Rule::kResolverTypeSystem:
-#if BUILDFLAG(IS_WIN)
-          EnsureWinsockInit();
-#endif
+          EnsureSystemHostResolverCallReady();
           return SystemHostResolverCall(effective_host, address_family,
                                         host_resolver_flags, addrlist,
                                         os_error);
@@ -1498,22 +1481,22 @@ void HangingHostResolver::OnShutdown() {
 std::unique_ptr<HostResolver::ResolveHostRequest>
 HangingHostResolver::CreateRequest(
     url::SchemeHostPort host,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     NetLogWithSource net_log,
     absl::optional<ResolveHostParameters> optional_parameters) {
   // TODO(crbug.com/1206799): Propagate scheme and make affect behavior.
   return CreateRequest(HostPortPair::FromSchemeHostPort(host),
-                       network_isolation_key, net_log, optional_parameters);
+                       network_anonymization_key, net_log, optional_parameters);
 }
 
 std::unique_ptr<HostResolver::ResolveHostRequest>
 HangingHostResolver::CreateRequest(
     const HostPortPair& host,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const NetLogWithSource& source_net_log,
     const absl::optional<ResolveHostParameters>& optional_parameters) {
   last_host_ = host;
-  last_network_isolation_key_ = network_isolation_key;
+  last_network_anonymization_key_ = network_anonymization_key;
 
   if (shutting_down_)
     return CreateFailingRequest(ERR_CONTEXT_SHUT_DOWN);
diff --git a/chromium/net/dns/mock_host_resolver.h b/chromium/net/dns/mock_host_resolver.h
index 0cf319719ed..2ece15d3fb2 100644
--- a/chromium/net/dns/mock_host_resolver.h
+++ b/chromium/net/dns/mock_host_resolver.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -26,11 +26,11 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_proc.h"
-#include "net/dns/host_resolver_results.h"
 #include "net/dns/public/dns_query_type.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/host_resolver_source.h"
 #include "net/dns/public/mdns_listener_update_type.h"
 #include "net/dns/public/secure_dns_policy.h"
@@ -278,12 +278,12 @@ class MockHostResolverBase
   void OnShutdown() override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       url::SchemeHostPort host,
-      NetworkIsolationKey network_isolation_key,
+      NetworkAnonymizationKey network_anonymization_key,
       NetLogWithSource net_log,
       absl::optional<ResolveHostParameters> optional_parameters) override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const NetLogWithSource& net_log,
       const absl::optional<ResolveHostParameters>& optional_parameters)
       override;
@@ -297,8 +297,12 @@ class MockHostResolverBase
   // Preloads the cache with what would currently be the result of a request
   // with the given parameters. Returns the net error of the cached result.
   int LoadIntoCache(
+      absl::variant<url::SchemeHostPort, HostPortPair> endpoint,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const absl::optional<ResolveHostParameters>& optional_parameters);
+  int LoadIntoCache(
       const Host& endpoint,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const absl::optional<ResolveHostParameters>& optional_parameters);
 
   // Returns true if there are pending requests that can be resolved by invoking
@@ -330,8 +334,8 @@ class MockHostResolverBase
   // Returns the priority of the request with the given id.
   RequestPriority request_priority(size_t id);
 
-  // Returns NetworkIsolationKey of the request with the given id.
-  const NetworkIsolationKey& request_network_isolation_key(size_t id);
+  // Returns NetworkAnonymizationKey of the request with the given id.
+  const NetworkAnonymizationKey& request_network_anonymization_key(size_t id);
 
   // Like ResolveNow, but doesn't take an ID. DCHECKs if there's more than one
   // pending request.
@@ -356,11 +360,11 @@ class MockHostResolverBase
     return last_request_priority_;
   }
 
-  // Returns the NetworkIsolationKey passed in to the last call to Resolve() (or
-  // absl::nullopt if Resolve() hasn't been called yet).
-  const absl::optional<NetworkIsolationKey>&
-  last_request_network_isolation_key() {
-    return last_request_network_isolation_key_;
+  // Returns the NetworkAnonymizationKey passed in to the last call to Resolve()
+  // (or absl::nullopt if Resolve() hasn't been called yet).
+  const absl::optional<NetworkAnonymizationKey>&
+  last_request_network_anonymization_key() {
+    return last_request_network_anonymization_key_;
   }
 
   // Returns the SecureDnsPolicy of the last call to Resolve() (or
@@ -414,7 +418,7 @@ class MockHostResolverBase
   // DNS_CACHE_MISS if failed.
   int ResolveFromIPLiteralOrCache(
       const Host& endpoint,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       DnsQueryType dns_query_type,
       HostResolverFlags flags,
       HostResolverSource source,
@@ -428,7 +432,8 @@ class MockHostResolverBase
   void RemoveCancelledListener(MdnsListenerImpl* listener);
 
   RequestPriority last_request_priority_ = DEFAULT_PRIORITY;
-  absl::optional<NetworkIsolationKey> last_request_network_isolation_key_;
+  absl::optional<NetworkAnonymizationKey>
+      last_request_network_anonymization_key_;
   SecureDnsPolicy last_secure_dns_policy_ = SecureDnsPolicy::kAllow;
   bool synchronous_mode_ = false;
   bool ondemand_mode_ = false;
@@ -675,12 +680,12 @@ class HangingHostResolver : public HostResolver {
   void OnShutdown() override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       url::SchemeHostPort host,
-      NetworkIsolationKey network_isolation_key,
+      NetworkAnonymizationKey network_anonymization_key,
       NetLogWithSource net_log,
       absl::optional<ResolveHostParameters> optional_parameters) override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const NetLogWithSource& net_log,
       const absl::optional<ResolveHostParameters>& optional_parameters)
       override;
@@ -696,8 +701,8 @@ class HangingHostResolver : public HostResolver {
   // Return the corresponding values passed to the most recent call to
   // CreateRequest()
   const HostPortPair& last_host() const { return last_host_; }
-  const NetworkIsolationKey& last_network_isolation_key() const {
-    return last_network_isolation_key_;
+  const NetworkAnonymizationKey& last_network_anonymization_key() const {
+    return last_network_anonymization_key_;
   }
 
   const scoped_refptr<const State> state() const { return state_; }
@@ -707,7 +712,7 @@ class HangingHostResolver : public HostResolver {
   class ProbeRequestImpl;
 
   HostPortPair last_host_;
-  NetworkIsolationKey last_network_isolation_key_;
+  NetworkAnonymizationKey last_network_anonymization_key_;
 
   scoped_refptr<State> state_;
   bool shutting_down_ = false;
diff --git a/chromium/net/dns/mock_mdns_client.cc b/chromium/net/dns/mock_mdns_client.cc
index bbce796546d..70c49c1dad2 100644
--- a/chromium/net/dns/mock_mdns_client.cc
+++ b/chromium/net/dns/mock_mdns_client.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mock_mdns_client.h b/chromium/net/dns/mock_mdns_client.h
index 9d36e1114fd..9bc142b4192 100644
--- a/chromium/net/dns/mock_mdns_client.h
+++ b/chromium/net/dns/mock_mdns_client.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mock_mdns_socket_factory.cc b/chromium/net/dns/mock_mdns_socket_factory.cc
index 560a6e7a263..d85eb4626e1 100644
--- a/chromium/net/dns/mock_mdns_socket_factory.cc
+++ b/chromium/net/dns/mock_mdns_socket_factory.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/mock_mdns_socket_factory.h b/chromium/net/dns/mock_mdns_socket_factory.h
index ce50a884b3a..a9f3e452ee0 100644
--- a/chromium/net/dns/mock_mdns_socket_factory.h
+++ b/chromium/net/dns/mock_mdns_socket_factory.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/notify_watcher_mac.cc b/chromium/net/dns/notify_watcher_mac.cc
index c1ba558d0d7..44c0643e676 100644
--- a/chromium/net/dns/notify_watcher_mac.cc
+++ b/chromium/net/dns/notify_watcher_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/notify_watcher_mac.h b/chromium/net/dns/notify_watcher_mac.h
index 2eb629a3825..04009ae5ac9 100644
--- a/chromium/net/dns/notify_watcher_mac.h
+++ b/chromium/net/dns/notify_watcher_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/nsswitch_reader.cc b/chromium/net/dns/nsswitch_reader.cc
index b875dcd1fd9..d31eaec28a0 100644
--- a/chromium/net/dns/nsswitch_reader.cc
+++ b/chromium/net/dns/nsswitch_reader.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/nsswitch_reader.h b/chromium/net/dns/nsswitch_reader.h
index 7487b94f860..4c71dca8ae4 100644
--- a/chromium/net/dns/nsswitch_reader.h
+++ b/chromium/net/dns/nsswitch_reader.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/nsswitch_reader_fuzzer.cc b/chromium/net/dns/nsswitch_reader_fuzzer.cc
index b7779cbffe8..e96d8b92ce6 100644
--- a/chromium/net/dns/nsswitch_reader_fuzzer.cc
+++ b/chromium/net/dns/nsswitch_reader_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/nsswitch_reader_unittest.cc b/chromium/net/dns/nsswitch_reader_unittest.cc
index 3e20e13d9ec..1a502bc0e2c 100644
--- a/chromium/net/dns/nsswitch_reader_unittest.cc
+++ b/chromium/net/dns/nsswitch_reader_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/opt_record_rdata.cc b/chromium/net/dns/opt_record_rdata.cc
index 43768287db6..28c595f68f6 100644
--- a/chromium/net/dns/opt_record_rdata.cc
+++ b/chromium/net/dns/opt_record_rdata.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/opt_record_rdata.h b/chromium/net/dns/opt_record_rdata.h
index ba26e870621..7583a199f52 100644
--- a/chromium/net/dns/opt_record_rdata.h
+++ b/chromium/net/dns/opt_record_rdata.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/opt_record_rdata_unittest.cc b/chromium/net/dns/opt_record_rdata_unittest.cc
index 7745bbcb08c..040eba5aac1 100644
--- a/chromium/net/dns/opt_record_rdata_unittest.cc
+++ b/chromium/net/dns/opt_record_rdata_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/BUILD.gn b/chromium/net/dns/public/BUILD.gn
index 844b39c3936..dbcecd02f61 100644
--- a/chromium/net/dns/public/BUILD.gn
+++ b/chromium/net/dns/public/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2018 The Chromium Authors. All rights reserved.
+# Copyright 2018 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -29,6 +29,8 @@ source_set("public") {
     "dns_query_type.h",
     "doh_provider_entry.cc",
     "doh_provider_entry.h",
+    "host_resolver_results.cc",
+    "host_resolver_results.h",
     "host_resolver_source.h",
     "mdns_listener_update_type.h",
     "resolve_error_info.cc",
diff --git a/chromium/net/dns/public/dns_config_overrides.cc b/chromium/net/dns/public/dns_config_overrides.cc
index 242badeb203..60263b588c4 100644
--- a/chromium/net/dns/public/dns_config_overrides.cc
+++ b/chromium/net/dns/public/dns_config_overrides.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/dns_config_overrides.h b/chromium/net/dns/public/dns_config_overrides.h
index 023eff26270..4034e0747cb 100644
--- a/chromium/net/dns/public/dns_config_overrides.h
+++ b/chromium/net/dns/public/dns_config_overrides.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/dns_over_https_config.cc b/chromium/net/dns/public/dns_over_https_config.cc
index 9eee96c580b..bcd90f7e272 100644
--- a/chromium/net/dns/public/dns_over_https_config.cc
+++ b/chromium/net/dns/public/dns_over_https_config.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -62,7 +62,7 @@ absl::optional<DnsOverHttpsConfig> FromJson(base::StringPiece json) {
   absl::optional<base::Value> value = base::JSONReader::Read(json);
   if (!value || !value->is_dict())
     return absl::nullopt;
-  return FromValue(std::move(value->GetDict()));
+  return FromValue(std::move(*value).TakeDict());
 }
 
 }  // namespace
diff --git a/chromium/net/dns/public/dns_over_https_config.h b/chromium/net/dns/public/dns_over_https_config.h
index dbc13f5d824..fb05007c130 100644
--- a/chromium/net/dns/public/dns_over_https_config.h
+++ b/chromium/net/dns/public/dns_over_https_config.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/dns_over_https_config_unittest.cc b/chromium/net/dns/public/dns_over_https_config_unittest.cc
index 6830cf53f17..8c947478b09 100644
--- a/chromium/net/dns/public/dns_over_https_config_unittest.cc
+++ b/chromium/net/dns/public/dns_over_https_config_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/dns_over_https_server_config.cc b/chromium/net/dns/public/dns_over_https_server_config.cc
index f8c3334f118..d8c243ac5a2 100644
--- a/chromium/net/dns/public/dns_over_https_server_config.cc
+++ b/chromium/net/dns/public/dns_over_https_server_config.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/dns_over_https_server_config.h b/chromium/net/dns/public/dns_over_https_server_config.h
index 312ce74e6a5..e0a319d840b 100644
--- a/chromium/net/dns/public/dns_over_https_server_config.h
+++ b/chromium/net/dns/public/dns_over_https_server_config.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/dns_over_https_server_config_unittest.cc b/chromium/net/dns/public/dns_over_https_server_config_unittest.cc
index 8c262e60703..a50ac12d317 100644
--- a/chromium/net/dns/public/dns_over_https_server_config_unittest.cc
+++ b/chromium/net/dns/public/dns_over_https_server_config_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -124,7 +124,8 @@ TEST(DnsOverHttpsServerConfigTest, FromValueSimple) {
     }
   )");
 
-  auto parsed = DnsOverHttpsServerConfig::FromValue(std::move(input.GetDict()));
+  auto parsed =
+      DnsOverHttpsServerConfig::FromValue(std::move(input).TakeDict());
 
   auto expected = DnsOverHttpsServerConfig::FromString(
       "https://dnsserver.example.net/dns-query{?dns}");
@@ -143,7 +144,8 @@ TEST(DnsOverHttpsServerConfigTest, FromValueWithEndpoints) {
     }
   )");
 
-  auto parsed = DnsOverHttpsServerConfig::FromValue(std::move(input.GetDict()));
+  auto parsed =
+      DnsOverHttpsServerConfig::FromValue(std::move(input).TakeDict());
 
   auto expected = DnsOverHttpsServerConfig::FromString(
       "https://dnsserver.example.net/dns-query{?dns}", endpoints);
@@ -158,7 +160,8 @@ TEST(DnsOverHttpsServerConfigTest, FromValueWithUnknownKey) {
     }
   )");
 
-  auto parsed = DnsOverHttpsServerConfig::FromValue(std::move(input.GetDict()));
+  auto parsed =
+      DnsOverHttpsServerConfig::FromValue(std::move(input).TakeDict());
 
   auto expected = DnsOverHttpsServerConfig::FromString(
       "https://dnsserver.example.net/dns-query{?dns}");
diff --git a/chromium/net/dns/public/dns_protocol.h b/chromium/net/dns/public/dns_protocol.h
index f3d28dee01a..21ea6d4fdc0 100644
--- a/chromium/net/dns/public/dns_protocol.h
+++ b/chromium/net/dns/public/dns_protocol.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -170,13 +170,6 @@ static const uint16_t kTypeNSEC = 47;
 static const uint16_t kTypeHttps = 65;
 static const uint16_t kTypeANY = 255;
 
-// Experimental DNS record types pending IANA assignment.
-//
-// The INTEGRITY RR type exists purely for measuring how the DNS ecosystem
-// handles new RR types.
-// https://docs.google.com/document/d/14eCqVyT_3MSj7ydqNFl1Yl0yg1fs6g24qmYUUdi5V-k/edit?usp=sharing
-static const uint16_t kExperimentalTypeIntegrity = 65521;
-
 // DNS reply codes (RCODEs).
 //
 // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6
diff --git a/chromium/net/dns/public/dns_query_type.cc b/chromium/net/dns/public/dns_query_type.cc
index 874e09f6961..9b8f3fa9270 100644
--- a/chromium/net/dns/public/dns_query_type.cc
+++ b/chromium/net/dns/public/dns_query_type.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/dns_query_type.h b/chromium/net/dns/public/dns_query_type.h
index 43ee9934feb..b72a7b4211e 100644
--- a/chromium/net/dns/public/dns_query_type.h
+++ b/chromium/net/dns/public/dns_query_type.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,17 +15,21 @@ namespace net {
 // DNS query type for HostResolver requests.
 // See:
 // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4
+// CAUTION: When adding new entries, remember to update `MAX` and update
+// kDnsQueryTypes below.
 enum class DnsQueryType : uint8_t {
   UNSPECIFIED = 0,
-  A,
-  AAAA,
-  TXT,
-  PTR,
-  SRV,
-  INTEGRITY,
-  HTTPS,
-  HTTPS_EXPERIMENTAL,
-  MAX = HTTPS_EXPERIMENTAL
+  A = 1,
+  AAAA = 2,
+  TXT = 3,
+  PTR = 4,
+  SRV = 5,
+  // 6 was INTEGRITY, used for an experiment (crbug.com/1052476).
+  HTTPS = 7,
+  // 8 was HTTPS_EXPERIMENTAL, used for an experiment (crbug.com/1052476).
+  // When adding new entries, remember to update `MAX` and update kDnsQueryTypes
+  // below.
+  MAX = HTTPS
 };
 
 using DnsQueryTypeSet =
@@ -39,13 +43,7 @@ inline constexpr auto kDnsQueryTypes =
          {DnsQueryType::TXT, "TXT"},
          {DnsQueryType::PTR, "PTR"},
          {DnsQueryType::SRV, "SRV"},
-         {DnsQueryType::INTEGRITY, "INTEGRITY"},
-         {DnsQueryType::HTTPS, "HTTPS"},
-         {DnsQueryType::HTTPS_EXPERIMENTAL, "HTTPS_EXPERIMENTAL"}});
-
-static_assert(std::size(kDnsQueryTypes) ==
-                  static_cast<unsigned>(DnsQueryType::MAX) + 1,
-              "All DnsQueryType values should be in kDnsQueryTypes.");
+         {DnsQueryType::HTTPS, "HTTPS"}});
 
 // `true` iff `dns_query_type` is an address-resulting type, convertible to and
 // from `net::AddressFamily`.
diff --git a/chromium/net/dns/public/doh_provider_entry.cc b/chromium/net/dns/public/doh_provider_entry.cc
index e04a49a8d32..b3d0f6774c5 100644
--- a/chromium/net/dns/public/doh_provider_entry.cc
+++ b/chromium/net/dns/public/doh_provider_entry.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -37,6 +37,12 @@ DnsOverHttpsServerConfig ParseValidDohTemplate(std::string server_template) {
 
 }  // namespace
 
+#define MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(feature_name, feature_state) \
+  ([]() {                                                                  \
+    static BASE_FEATURE(k##feature_name, #feature_name, feature_state);    \
+    return &k##feature_name;                                               \
+  })()
+
 // static
 const DohProviderEntry::List& DohProviderEntry::GetList() {
   // See /net/docs/adding_doh_providers.md for instructions on modifying this
@@ -46,20 +52,21 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
   // DohProviderId histogram suffix list in
   // tools/metrics/histograms/metadata/histogram_suffixes_list.xml.
   static const base::NoDestructor<DohProviderEntry::List> providers{{
-      new DohProviderEntry("AlekBergNl",
-                           base::Feature{"DohProviderAlekBergNl",
-                                         base::FEATURE_ENABLED_BY_DEFAULT},
-                           DohProviderIdForHistogram::kAlekBergNl,
-                           /*ip_strs=*/{}, /*dns_over_tls_hostnames=*/{},
-                           "https://dnsnl.alekberg.net/dns-query{?dns}",
-                           /*ui_name=*/"alekberg.net (NL)",
-                           /*privacy_policy=*/"https://alekberg.net/privacy",
-                           /*display_globally=*/false,
-                           /*display_countries=*/{"NL"}, LoggingLevel::kNormal),
+      new DohProviderEntry(
+          "AlekBergNl",
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderAlekBergNl, base::FEATURE_ENABLED_BY_DEFAULT),
+          DohProviderIdForHistogram::kAlekBergNl,
+          /*ip_strs=*/{}, /*dns_over_tls_hostnames=*/{},
+          "https://dnsnl.alekberg.net/dns-query{?dns}",
+          /*ui_name=*/"alekberg.net (NL)",
+          /*privacy_policy=*/"https://alekberg.net/privacy",
+          /*display_globally=*/false,
+          /*display_countries=*/{"NL"}, LoggingLevel::kNormal),
       new DohProviderEntry(
           "CleanBrowsingAdult",
-          base::Feature{"DohProviderCleanBrowsingAdult",
-                        base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderCleanBrowsingAdult, base::FEATURE_ENABLED_BY_DEFAULT),
           /*provider_id_for_histogram=*/absl::nullopt,
           {"185.228.168.10", "185.228.169.11", "2a0d:2a00:1::1",
            "2a0d:2a00:2::1"},
@@ -70,8 +77,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           LoggingLevel::kNormal),
       new DohProviderEntry(
           "CleanBrowsingFamily",
-          base::Feature{"DohProviderCleanBrowsingFamily",
-                        base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderCleanBrowsingFamily, base::FEATURE_ENABLED_BY_DEFAULT),
           DohProviderIdForHistogram::kCleanBrowsingFamily,
           {"185.228.168.168", "185.228.169.168",
            "2a0d:2a00:1::", "2a0d:2a00:2::"},
@@ -83,8 +90,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           LoggingLevel::kNormal),
       new DohProviderEntry(
           "CleanBrowsingSecure",
-          base::Feature{"DohProviderCleanBrowsingSecure",
-                        base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderCleanBrowsingSecure, base::FEATURE_ENABLED_BY_DEFAULT),
           /*provider_id_for_histogram=*/absl::nullopt,
           {"185.228.168.9", "185.228.169.9", "2a0d:2a00:1::2",
            "2a0d:2a00:2::2"},
@@ -94,8 +101,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           /*display_countries=*/{}, LoggingLevel::kNormal),
       new DohProviderEntry(
           "Cloudflare",
-          base::Feature{"DohProviderCloudflare",
-                        base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderCloudflare, base::FEATURE_ENABLED_BY_DEFAULT),
           DohProviderIdForHistogram::kCloudflare,
           {"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111",
            "2606:4700:4700::1001"},
@@ -109,7 +116,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           LoggingLevel::kExtra),
       new DohProviderEntry(
           "Comcast",
-          base::Feature{"DohProviderComcast", base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderComcast, base::FEATURE_ENABLED_BY_DEFAULT),
           /*provider_id_for_histogram=*/absl::nullopt,
           {"75.75.75.75", "75.75.76.76", "2001:558:feed::1",
            "2001:558:feed::2"},
@@ -119,7 +127,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           /*display_countries=*/{}, LoggingLevel::kExtra),
       new DohProviderEntry(
           "Cox",
-          base::Feature{"DohProviderCox", base::FEATURE_DISABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderCox, base::FEATURE_DISABLED_BY_DEFAULT),
           /*provider_id_for_histogram=*/absl::nullopt,
           {"68.105.28.11", "68.105.28.12", "2001:578:3f::30"},
           /*dns_over_tls_hostnames=*/{"dot.cox.net"},
@@ -129,7 +138,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           LoggingLevel::kNormal),
       new DohProviderEntry(
           "Cznic",
-          base::Feature{"DohProviderCznic", base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderCznic, base::FEATURE_ENABLED_BY_DEFAULT),
           DohProviderIdForHistogram::kCznic,
           {"185.43.135.1", "193.17.47.1", "2001:148f:fffe::1",
            "2001:148f:ffff::1"},
@@ -140,7 +150,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           LoggingLevel::kNormal),
       new DohProviderEntry(
           "Dnssb",
-          base::Feature{"DohProviderDnssb", base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderDnssb, base::FEATURE_ENABLED_BY_DEFAULT),
           DohProviderIdForHistogram::kDnsSb,
           {"185.222.222.222", "45.11.45.11", "2a09::", "2a11::"},
           /*dns_over_tls_hostnames=*/{"dns.sb"},
@@ -150,7 +161,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           LoggingLevel::kNormal),
       new DohProviderEntry(
           "Google",
-          base::Feature{"DohProviderGoogle", base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderGoogle, base::FEATURE_ENABLED_BY_DEFAULT),
           DohProviderIdForHistogram::kGoogle,
           {"8.8.8.8", "8.8.4.4", "2001:4860:4860::8888",
            "2001:4860:4860::8844"},
@@ -162,19 +174,21 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           /*privacy_policy=*/"privacy",
           /*display_globally=*/true, /*display_countries=*/{},
           LoggingLevel::kExtra),
-      new DohProviderEntry("GoogleDns64",
-                           base::Feature{"DohProviderGoogleDns64",
-                                         base::FEATURE_ENABLED_BY_DEFAULT},
-                           /*provider_id_for_histogram=*/absl::nullopt,
-                           {"2001:4860:4860::64", "2001:4860:4860::6464"},
-                           /*dns_over_tls_hostnames=*/{"dns64.dns.google"},
-                           "https://dns64.dns.google/dns-query{?dns}",
-                           /*ui_name=*/"", /*privacy_policy=*/"",
-                           /*display_globally=*/false,
-                           /*display_countries=*/{}, LoggingLevel::kNormal),
+      new DohProviderEntry(
+          "GoogleDns64",
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderGoogleDns64, base::FEATURE_ENABLED_BY_DEFAULT),
+          /*provider_id_for_histogram=*/absl::nullopt,
+          {"2001:4860:4860::64", "2001:4860:4860::6464"},
+          /*dns_over_tls_hostnames=*/{"dns64.dns.google"},
+          "https://dns64.dns.google/dns-query{?dns}",
+          /*ui_name=*/"", /*privacy_policy=*/"",
+          /*display_globally=*/false,
+          /*display_countries=*/{}, LoggingLevel::kNormal),
       new DohProviderEntry(
           "Iij",
-          base::Feature{"DohProviderIij", base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderIij, base::FEATURE_ENABLED_BY_DEFAULT),
           DohProviderIdForHistogram::kIij, /*ip_strs=*/{},
           /*dns_over_tls_hostnames=*/{}, "https://public.dns.iij.jp/dns-query",
           /*ui_name=*/"IIJ (Public DNS)",
@@ -183,7 +197,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           LoggingLevel::kNormal),
       new DohProviderEntry(
           "NextDns",
-          base::Feature{"DohProviderNextDns", base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderNextDns, base::FEATURE_ENABLED_BY_DEFAULT),
           DohProviderIdForHistogram::kNextDns, /*ip_strs=*/{},
           /*dns_over_tls_hostnames=*/{}, "https://chromium.dns.nextdns.io",
           /*ui_name=*/"NextDNS",
@@ -192,7 +207,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           LoggingLevel::kNormal),
       new DohProviderEntry(
           "OpenDNS",
-          base::Feature{"DohProviderOpenDNS", base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderOpenDNS, base::FEATURE_ENABLED_BY_DEFAULT),
           DohProviderIdForHistogram::kOpenDns,
           {"208.67.222.222", "208.67.220.220", "2620:119:35::35",
            "2620:119:53::53"},
@@ -204,8 +220,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           LoggingLevel::kNormal),
       new DohProviderEntry(
           "OpenDNSFamily",
-          base::Feature{"DohProviderOpenDNSFamily",
-                        base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderOpenDNSFamily, base::FEATURE_ENABLED_BY_DEFAULT),
           /*provider_id_for_histogram=*/absl::nullopt,
           {"208.67.222.123", "208.67.220.123", "2620:119:35::123",
            "2620:119:53::123"},
@@ -215,8 +231,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           /*display_countries=*/{}, LoggingLevel::kNormal),
       new DohProviderEntry(
           "Quad9Cdn",
-          base::Feature{"DohProviderQuad9Cdn",
-                        base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderQuad9Cdn, base::FEATURE_ENABLED_BY_DEFAULT),
           /*provider_id_for_histogram=*/absl::nullopt,
           {"9.9.9.11", "149.112.112.11", "2620:fe::11", "2620:fe::fe:11"},
           /*dns_over_tls_hostnames=*/{"dns11.quad9.net"},
@@ -225,8 +241,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           /*display_countries=*/{}, LoggingLevel::kNormal),
       new DohProviderEntry(
           "Quad9Insecure",
-          base::Feature{"DohProviderQuad9Insecure",
-                        base::FEATURE_ENABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderQuad9Insecure, base::FEATURE_ENABLED_BY_DEFAULT),
           /*provider_id_for_histogram=*/absl::nullopt,
           {"9.9.9.10", "149.112.112.10", "2620:fe::10", "2620:fe::fe:10"},
           /*dns_over_tls_hostnames=*/{"dns10.quad9.net"},
@@ -235,8 +251,8 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           /*display_countries=*/{}, LoggingLevel::kNormal),
       new DohProviderEntry(
           "Quad9Secure",
-          base::Feature{"DohProviderQuad9Secure",
-                        base::FEATURE_DISABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderQuad9Secure, base::FEATURE_DISABLED_BY_DEFAULT),
           DohProviderIdForHistogram::kQuad9Secure,
           {"9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"},
           /*dns_over_tls_hostnames=*/{"dns.quad9.net", "dns9.quad9.net"},
@@ -244,42 +260,46 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
           /*privacy_policy=*/"https://www.quad9.net/home/privacy/",
           /*display_globally=*/true, /*display_countries=*/{},
           LoggingLevel::kExtra),
-      new DohProviderEntry("Quickline",
-                           base::Feature{"DohProviderQuickline",
-                                         base::FEATURE_ENABLED_BY_DEFAULT},
-                           /*provider_id_for_histogram=*/absl::nullopt,
-                           {"212.60.61.246", "212.60.63.246",
-                            "2001:1a88:10:ffff::1", "2001:1a88:10:ffff::2"},
-                           /*dns_over_tls_hostnames=*/{"dot.quickline.ch"},
-                           "https://doh.quickline.ch/dns-query{?dns}",
-                           /*ui_name=*/"", /*privacy_policy=*/"",
-                           /*display_globally=*/false,
-                           /*display_countries=*/{}, LoggingLevel::kNormal),
-      new DohProviderEntry("Spectrum1",
-                           base::Feature{"DohProviderSpectrum1",
-                                         base::FEATURE_ENABLED_BY_DEFAULT},
-                           /*provider_id_for_histogram=*/absl::nullopt,
-                           {"209.18.47.61", "209.18.47.62",
-                            "2001:1998:0f00:0001::1", "2001:1998:0f00:0002::1"},
-                           /*dns_over_tls_hostnames=*/{},
-                           "https://doh-01.spectrum.com/dns-query{?dns}",
-                           /*ui_name=*/"", /*privacy_policy=*/"",
-                           /*display_globally=*/false,
-                           /*display_countries=*/{}, LoggingLevel::kNormal),
-      new DohProviderEntry("Spectrum2",
-                           base::Feature{"DohProviderSpectrum2",
-                                         base::FEATURE_ENABLED_BY_DEFAULT},
-                           /*provider_id_for_histogram=*/absl::nullopt,
-                           {"209.18.47.61", "209.18.47.62",
-                            "2001:1998:0f00:0001::1", "2001:1998:0f00:0002::1"},
-                           /*dns_over_tls_hostnames=*/{},
-                           "https://doh-02.spectrum.com/dns-query{?dns}",
-                           /*ui_name=*/"", /*privacy_policy=*/"",
-                           /*display_globally=*/false,
-                           /*display_countries=*/{}, LoggingLevel::kNormal),
+      new DohProviderEntry(
+          "Quickline",
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderQuickline, base::FEATURE_ENABLED_BY_DEFAULT),
+          /*provider_id_for_histogram=*/absl::nullopt,
+          {"212.60.61.246", "212.60.63.246", "2001:1a88:10:ffff::1",
+           "2001:1a88:10:ffff::2"},
+          /*dns_over_tls_hostnames=*/{"dot.quickline.ch"},
+          "https://doh.quickline.ch/dns-query{?dns}",
+          /*ui_name=*/"", /*privacy_policy=*/"",
+          /*display_globally=*/false,
+          /*display_countries=*/{}, LoggingLevel::kNormal),
+      new DohProviderEntry(
+          "Spectrum1",
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderSpectrum1, base::FEATURE_ENABLED_BY_DEFAULT),
+          /*provider_id_for_histogram=*/absl::nullopt,
+          {"209.18.47.61", "209.18.47.62", "2001:1998:0f00:0001::1",
+           "2001:1998:0f00:0002::1"},
+          /*dns_over_tls_hostnames=*/{},
+          "https://doh-01.spectrum.com/dns-query{?dns}",
+          /*ui_name=*/"", /*privacy_policy=*/"",
+          /*display_globally=*/false,
+          /*display_countries=*/{}, LoggingLevel::kNormal),
+      new DohProviderEntry(
+          "Spectrum2",
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderSpectrum2, base::FEATURE_ENABLED_BY_DEFAULT),
+          /*provider_id_for_histogram=*/absl::nullopt,
+          {"209.18.47.61", "209.18.47.62", "2001:1998:0f00:0001::1",
+           "2001:1998:0f00:0002::1"},
+          /*dns_over_tls_hostnames=*/{},
+          "https://doh-02.spectrum.com/dns-query{?dns}",
+          /*ui_name=*/"", /*privacy_policy=*/"",
+          /*display_globally=*/false,
+          /*display_countries=*/{}, LoggingLevel::kNormal),
       new DohProviderEntry(
           "Switch",
-          base::Feature{"DohProviderSwitch", base::FEATURE_DISABLED_BY_DEFAULT},
+          MAKE_BASE_FEATURE_WITH_STATIC_STORAGE(
+              DohProviderSwitch, base::FEATURE_DISABLED_BY_DEFAULT),
           /*provider_id_for_histogram=*/absl::nullopt,
           {"130.59.31.251", "130.59.31.248", "2001:620:0:ff::2",
            "2001:620:0:ff::3"},
@@ -291,10 +311,12 @@ const DohProviderEntry::List& DohProviderEntry::GetList() {
   return *providers;
 }
 
+#undef MAKE_BASE_FEATURE_WITH_STATIC_STORAGE
+
 // static
 DohProviderEntry DohProviderEntry::ConstructForTesting(
     std::string provider,
-    base::Feature&& feature,
+    const base::Feature* feature,
     absl::optional<DohProviderIdForHistogram> provider_id_for_histogram,
     std::set<base::StringPiece> ip_strs,
     std::set<std::string> dns_over_tls_hostnames,
@@ -304,17 +326,17 @@ DohProviderEntry DohProviderEntry::ConstructForTesting(
     bool display_globally,
     std::set<std::string> display_countries,
     LoggingLevel logging_level) {
-  return DohProviderEntry(
-      provider, std::move(feature), provider_id_for_histogram, ip_strs,
-      dns_over_tls_hostnames, dns_over_https_template, ui_name, privacy_policy,
-      display_globally, display_countries, logging_level);
+  return DohProviderEntry(provider, feature, provider_id_for_histogram, ip_strs,
+                          dns_over_tls_hostnames, dns_over_https_template,
+                          ui_name, privacy_policy, display_globally,
+                          display_countries, logging_level);
 }
 
 DohProviderEntry::~DohProviderEntry() = default;
 
 DohProviderEntry::DohProviderEntry(
     std::string provider,
-    base::Feature&& feature,
+    const base::Feature* feature,
     absl::optional<DohProviderIdForHistogram> provider_id_for_histogram,
     std::set<base::StringPiece> ip_strs,
     std::set<std::string> dns_over_tls_hostnames,
@@ -325,7 +347,7 @@ DohProviderEntry::DohProviderEntry(
     std::set<std::string> display_countries,
     LoggingLevel logging_level)
     : provider(std::move(provider)),
-      feature(std::move(feature)),
+      feature(*feature),
       provider_id_for_histogram(std::move(provider_id_for_histogram)),
       ip_addresses(ParseIPs(ip_strs)),
       dns_over_tls_hostnames(std::move(dns_over_tls_hostnames)),
diff --git a/chromium/net/dns/public/doh_provider_entry.h b/chromium/net/dns/public/doh_provider_entry.h
index f3525e368f2..1c328d3b482 100644
--- a/chromium/net/dns/public/doh_provider_entry.h
+++ b/chromium/net/dns/public/doh_provider_entry.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -65,7 +65,7 @@ struct NET_EXPORT DohProviderEntry {
   };
 
   std::string provider;
-  base::Feature feature;
+  const base::Feature& feature;
   // A provider_id_for_histogram is required for entries that are intended to
   // be visible in the UI.
   absl::optional<DohProviderIdForHistogram> provider_id_for_histogram;
@@ -85,7 +85,7 @@ struct NET_EXPORT DohProviderEntry {
 
   static DohProviderEntry ConstructForTesting(
       std::string provider,
-      base::Feature&& feature,
+      const base::Feature* feature,
       absl::optional<DohProviderIdForHistogram> provider_id_for_histogram,
       std::set<base::StringPiece> ip_strs,
       std::set<std::string> dns_over_tls_hostnames,
@@ -109,7 +109,7 @@ struct NET_EXPORT DohProviderEntry {
       std::string provider,
       // Disallow implicit copying of the `feature` parameter because there
       // cannot be more than one `base::Feature` for a given feature name.
-      base::Feature&& feature,
+      const base::Feature* feature,
       absl::optional<DohProviderIdForHistogram> provider_id_for_histogram,
       std::set<base::StringPiece> ip_strs,
       std::set<std::string> dns_over_tls_hostnames,
diff --git a/chromium/net/dns/public/doh_provider_entry_unittest.cc b/chromium/net/dns/public/doh_provider_entry_unittest.cc
index dce0d3c2371..b28033801a1 100644
--- a/chromium/net/dns/public/doh_provider_entry_unittest.cc
+++ b/chromium/net/dns/public/doh_provider_entry_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/host_resolver_results.cc b/chromium/net/dns/public/host_resolver_results.cc
index 324d4d88a4b..4b723f5344b 100644
--- a/chromium/net/dns/host_resolver_results.cc
+++ b/chromium/net/dns/public/host_resolver_results.cc
@@ -1,8 +1,8 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/public/host_resolver_results.h"
 
 #include <stdint.h>
 
diff --git a/chromium/net/dns/host_resolver_results.h b/chromium/net/dns/public/host_resolver_results.h
index 972afcfed19..99b9b0144b5 100644
--- a/chromium/net/dns/host_resolver_results.h
+++ b/chromium/net/dns/public/host_resolver_results.h
@@ -1,9 +1,9 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_DNS_HOST_RESOLVER_RESULTS_H_
-#define NET_DNS_HOST_RESOLVER_RESULTS_H_
+#ifndef NET_DNS_PUBLIC_HOST_RESOLVER_RESULTS_H_
+#define NET_DNS_PUBLIC_HOST_RESOLVER_RESULTS_H_
 
 #include <string>
 #include <tuple>
@@ -43,6 +43,9 @@ struct NET_EXPORT_PRIVATE HostResolverEndpointResult {
   ConnectionEndpointMetadata metadata;
 };
 
+using HostResolverEndpointResults =
+    std::vector<net::HostResolverEndpointResult>;
+
 }  // namespace net
 
-#endif  // NET_DNS_HOST_RESOLVER_RESULTS_H_
+#endif  // NET_DNS_PUBLIC_HOST_RESOLVER_RESULTS_H_
diff --git a/chromium/net/dns/public/host_resolver_source.h b/chromium/net/dns/public/host_resolver_source.h
index 724cc7baebf..4c3a30bd9f8 100644
--- a/chromium/net/dns/public/host_resolver_source.h
+++ b/chromium/net/dns/public/host_resolver_source.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/mdns_listener_update_type.h b/chromium/net/dns/public/mdns_listener_update_type.h
index f2b5e01e3e4..7976324a804 100644
--- a/chromium/net/dns/public/mdns_listener_update_type.h
+++ b/chromium/net/dns/public/mdns_listener_update_type.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/resolv_reader.cc b/chromium/net/dns/public/resolv_reader.cc
index e05a1216feb..302ad8b2e4c 100644
--- a/chromium/net/dns/public/resolv_reader.cc
+++ b/chromium/net/dns/public/resolv_reader.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/resolv_reader.h b/chromium/net/dns/public/resolv_reader.h
index c64f8f66097..adfda47a34c 100644
--- a/chromium/net/dns/public/resolv_reader.h
+++ b/chromium/net/dns/public/resolv_reader.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/resolv_reader_unittest.cc b/chromium/net/dns/public/resolv_reader_unittest.cc
index b7a3d6ba148..f91f2b89016 100644
--- a/chromium/net/dns/public/resolv_reader_unittest.cc
+++ b/chromium/net/dns/public/resolv_reader_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/resolve_error_info.cc b/chromium/net/dns/public/resolve_error_info.cc
index cffd65f6bd5..79d91bb7c26 100644
--- a/chromium/net/dns/public/resolve_error_info.cc
+++ b/chromium/net/dns/public/resolve_error_info.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/resolve_error_info.h b/chromium/net/dns/public/resolve_error_info.h
index 2b8d49cfc35..7f466421c4d 100644
--- a/chromium/net/dns/public/resolve_error_info.h
+++ b/chromium/net/dns/public/resolve_error_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/scoped_res_state.cc b/chromium/net/dns/public/scoped_res_state.cc
index 9706d18b0f5..2743697bf6d 100644
--- a/chromium/net/dns/public/scoped_res_state.cc
+++ b/chromium/net/dns/public/scoped_res_state.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/scoped_res_state.h b/chromium/net/dns/public/scoped_res_state.h
index fc6da7149ca..c979c75727e 100644
--- a/chromium/net/dns/public/scoped_res_state.h
+++ b/chromium/net/dns/public/scoped_res_state.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/secure_dns_mode.h b/chromium/net/dns/public/secure_dns_mode.h
index bab665a3b23..8f45183cc61 100644
--- a/chromium/net/dns/public/secure_dns_mode.h
+++ b/chromium/net/dns/public/secure_dns_mode.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/secure_dns_policy.h b/chromium/net/dns/public/secure_dns_policy.h
index 7e95fef5590..89e47a1d6cf 100644
--- a/chromium/net/dns/public/secure_dns_policy.h
+++ b/chromium/net/dns/public/secure_dns_policy.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/util.cc b/chromium/net/dns/public/util.cc
index 0423fcd95d4..209e12c363e 100644
--- a/chromium/net/dns/public/util.cc
+++ b/chromium/net/dns/public/util.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/util.h b/chromium/net/dns/public/util.h
index b47b1525160..914fffb9b01 100644
--- a/chromium/net/dns/public/util.h
+++ b/chromium/net/dns/public/util.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/win_dns_system_settings.cc b/chromium/net/dns/public/win_dns_system_settings.cc
index d2501d8c6f7..59f6f2bc9b2 100644
--- a/chromium/net/dns/public/win_dns_system_settings.cc
+++ b/chromium/net/dns/public/win_dns_system_settings.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/win_dns_system_settings.h b/chromium/net/dns/public/win_dns_system_settings.h
index 2d6a5613f29..6f4a3c041a0 100644
--- a/chromium/net/dns/public/win_dns_system_settings.h
+++ b/chromium/net/dns/public/win_dns_system_settings.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/public/win_dns_system_settings_unittest.cc b/chromium/net/dns/public/win_dns_system_settings_unittest.cc
index 91b5017b1f0..8c20df9b298 100644
--- a/chromium/net/dns/public/win_dns_system_settings_unittest.cc
+++ b/chromium/net/dns/public/win_dns_system_settings_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/record_parsed.cc b/chromium/net/dns/record_parsed.cc
index 3d470349c94..2aed1863530 100644
--- a/chromium/net/dns/record_parsed.cc
+++ b/chromium/net/dns/record_parsed.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -66,9 +66,6 @@ std::unique_ptr<const RecordParsed> RecordParsed::CreateFrom(
     case OptRecordRdata::kType:
       rdata = OptRecordRdata::Create(record.rdata);
       break;
-    case IntegrityRecordRdata::kType:
-      rdata = IntegrityRecordRdata::Create(record.rdata);
-      break;
     case HttpsRecordRdata::kType:
       rdata = HttpsRecordRdata::Parse(record.rdata);
       break;
diff --git a/chromium/net/dns/record_parsed.h b/chromium/net/dns/record_parsed.h
index 5bbf84e9d4f..b1452d45916 100644
--- a/chromium/net/dns/record_parsed.h
+++ b/chromium/net/dns/record_parsed.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/record_parsed_unittest.cc b/chromium/net/dns/record_parsed_unittest.cc
index e2b2e7f619f..db2172e9755 100644
--- a/chromium/net/dns/record_parsed_unittest.cc
+++ b/chromium/net/dns/record_parsed_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/record_rdata.cc b/chromium/net/dns/record_rdata.cc
index a136a10ff36..27f32dcdd42 100644
--- a/chromium/net/dns/record_rdata.cc
+++ b/chromium/net/dns/record_rdata.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -21,11 +21,6 @@ namespace net {
 
 static const size_t kSrvRecordMinimumSize = 6;
 
-// The simplest INTEGRITY record is a U16-length-prefixed nonce (containing zero
-// bytes) followed by its SHA256 digest.
-static constexpr size_t kIntegrityMinimumSize =
-    sizeof(uint16_t) + IntegrityRecordRdata::kDigestLen;
-
 // Minimal HTTPS rdata is 2 octets priority + 1 octet empty name.
 static constexpr size_t kHttpsRdataMinimumSize = 3;
 
@@ -37,8 +32,6 @@ bool RecordRdata::HasValidSize(const base::StringPiece& data, uint16_t type) {
       return data.size() == IPAddress::kIPv4AddressSize;
     case dns_protocol::kTypeAAAA:
       return data.size() == IPAddress::kIPv6AddressSize;
-    case dns_protocol::kExperimentalTypeIntegrity:
-      return data.size() >= kIntegrityMinimumSize;
     case dns_protocol::kTypeHttps:
       return data.size() >= kHttpsRdataMinimumSize;
     case dns_protocol::kTypeCNAME:
@@ -302,115 +295,4 @@ bool NsecRecordRdata::GetBit(unsigned i) const {
   return (bitmap_[byte_num] & (1 << bit_num)) != 0;
 }
 
-IntegrityRecordRdata::IntegrityRecordRdata(Nonce nonce)
-    : nonce_(std::move(nonce)), digest_(Hash(nonce_)), is_intact_(true) {}
-
-IntegrityRecordRdata::IntegrityRecordRdata(Nonce nonce,
-                                           Digest digest,
-                                           size_t rdata_len)
-    : nonce_(std::move(nonce)),
-      digest_(digest),
-      is_intact_(rdata_len == LengthForSerialization(nonce_) &&
-                 Hash(nonce_) == digest_) {}
-
-IntegrityRecordRdata::IntegrityRecordRdata(IntegrityRecordRdata&&) = default;
-IntegrityRecordRdata::IntegrityRecordRdata(const IntegrityRecordRdata&) =
-    default;
-IntegrityRecordRdata::~IntegrityRecordRdata() = default;
-
-bool IntegrityRecordRdata::IsEqual(const RecordRdata* other) const {
-  if (other->Type() != Type())
-    return false;
-  const IntegrityRecordRdata* integrity_other =
-      static_cast<const IntegrityRecordRdata*>(other);
-  return is_intact_ && integrity_other->is_intact_ &&
-         nonce_ == integrity_other->nonce_ &&
-         digest_ == integrity_other->digest_;
-}
-
-uint16_t IntegrityRecordRdata::Type() const {
-  return kType;
-}
-
-// static
-std::unique_ptr<IntegrityRecordRdata> IntegrityRecordRdata::Create(
-    const base::StringPiece& data) {
-  auto reader = base::BigEndianReader::FromStringPiece(data);
-  // Parse a U16-prefixed |Nonce| followed by a |Digest|.
-  base::StringPiece parsed_nonce, parsed_digest;
-
-  // Note that even if this parse fails, we still want to create a record.
-  bool parse_success = reader.ReadU16LengthPrefixed(&parsed_nonce) &&
-                       reader.ReadPiece(&parsed_digest, kDigestLen);
-
-  const std::string kZeroDigest = std::string(kDigestLen, 0);
-  if (!parse_success) {
-    parsed_nonce = base::StringPiece();
-    parsed_digest = base::StringPiece(kZeroDigest);
-  }
-
-  Digest digest_copy{};
-  CHECK_EQ(parsed_digest.size(), digest_copy.size());
-  std::copy_n(parsed_digest.begin(), parsed_digest.size(), digest_copy.begin());
-
-  auto record = base::WrapUnique(
-      new IntegrityRecordRdata(Nonce(parsed_nonce.begin(), parsed_nonce.end()),
-                               digest_copy, data.size()));
-
-  // A failed parse implies |!IsIntact()|, though the converse is not true. The
-  // record may be considered not intact if there were trailing bytes in |data|
-  // or if |parsed_digest| is not the hash of |parsed_nonce|.
-  if (!parse_success)
-    DCHECK(!record->IsIntact());
-  return record;
-}
-
-// static
-IntegrityRecordRdata IntegrityRecordRdata::Random() {
-  constexpr uint16_t kMinNonceLen = 32;
-  constexpr uint16_t kMaxNonceLen = 512;
-
-  // Construct random nonce.
-  const uint16_t nonce_len = base::RandInt(kMinNonceLen, kMaxNonceLen);
-  Nonce nonce(nonce_len);
-  base::RandBytes(nonce.data(), nonce.size());
-
-  return IntegrityRecordRdata(std::move(nonce));
-}
-
-absl::optional<std::vector<uint8_t>> IntegrityRecordRdata::Serialize() const {
-  if (!is_intact_) {
-    return absl::nullopt;
-  }
-
-  // Create backing buffer and writer.
-  std::vector<uint8_t> serialized(LengthForSerialization(nonce_));
-  base::BigEndianWriter writer(reinterpret_cast<char*>(serialized.data()),
-                               serialized.size());
-
-  // Writes will only fail if the buffer is too small. We are asserting here
-  // that our buffer is exactly the right size, which is expected to always be
-  // true if |is_intact_|.
-  CHECK(writer.WriteU16(nonce_.size()));
-  CHECK(writer.WriteBytes(nonce_.data(), nonce_.size()));
-  CHECK(writer.WriteBytes(digest_.data(), digest_.size()));
-  CHECK_EQ(writer.remaining(), 0u);
-
-  return serialized;
-}
-
-// static
-IntegrityRecordRdata::Digest IntegrityRecordRdata::Hash(const Nonce& nonce) {
-  Digest digest{};
-  SHA256(nonce.data(), nonce.size(), digest.data());
-  return digest;
-}
-
-// static
-size_t IntegrityRecordRdata::LengthForSerialization(const Nonce& nonce) {
-  // A serialized INTEGRITY record consists of a U16-prefixed |nonce_|, followed
-  // by the bytes of |digest_|.
-  return sizeof(uint16_t) + nonce.size() + kDigestLen;
-}
-
 }  // namespace net
diff --git a/chromium/net/dns/record_rdata.h b/chromium/net/dns/record_rdata.h
index fec14d0078c..a1a522d0d0b 100644
--- a/chromium/net/dns/record_rdata.h
+++ b/chromium/net/dns/record_rdata.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -228,81 +228,6 @@ class NET_EXPORT_PRIVATE NsecRecordRdata : public RecordRdata {
   std::vector<uint8_t> bitmap_;
 };
 
-// This class parses and serializes the INTEGRITY DNS record.
-//
-// This RR was invented for a preliminary HTTPSSVC experiment. See the public
-// design doc:
-// https://docs.google.com/document/d/14eCqVyT_3MSj7ydqNFl1Yl0yg1fs6g24qmYUUdi5V-k/edit?usp=sharing
-//
-// The wire format of INTEGRITY records consists of a U16-prefixed nonce
-// followed by |kDigestLen| bytes, which should be equal to the SHA256 hash of
-// the nonce contents.
-class NET_EXPORT IntegrityRecordRdata : public RecordRdata {
- public:
-  static constexpr uint16_t kType = dns_protocol::kExperimentalTypeIntegrity;
-
-  static constexpr size_t kDigestLen = SHA256_DIGEST_LENGTH;
-
-  using Nonce = std::vector<uint8_t>;
-  using Digest = std::array<uint8_t, kDigestLen>;
-
-  IntegrityRecordRdata() = delete;
-  // Constructs a new record, computing the digest value from |nonce|.
-  explicit IntegrityRecordRdata(Nonce nonce);
-  IntegrityRecordRdata(IntegrityRecordRdata&&);
-  IntegrityRecordRdata(const IntegrityRecordRdata&);
-  ~IntegrityRecordRdata() override;
-
-  IntegrityRecordRdata& operator=(const IntegrityRecordRdata&) = default;
-  IntegrityRecordRdata& operator=(IntegrityRecordRdata&&) = default;
-
-  // RecordRdata:
-  bool IsEqual(const RecordRdata* other) const override;
-  uint16_t Type() const override;
-
-  // Attempts to parse an INTEGRITY record from |data|. Never returns nullptr.
-  // The caller can check the intactness of the record with |IsIntact()|.
-  static std::unique_ptr<IntegrityRecordRdata> Create(
-      const base::StringPiece& data);
-
-  // Generate an integrity record with a random nonce and corresponding digest.
-  // Postcondition: |IsIntact()| is true.
-  static IntegrityRecordRdata Random();
-
-  // Serialize |this| using the INTEGRITY wire format. Returns |absl::nullopt|
-  // when |!IsIntact()|.
-  absl::optional<std::vector<uint8_t>> Serialize() const;
-
-  // Precondition: |IsIntact()|.
-  const Nonce& nonce() const {
-    CHECK(is_intact_);
-    return nonce_;
-  }
-
-  // Precondition: |IsIntact()|.
-  const Digest& digest() const {
-    CHECK(is_intact_);
-    return digest_;
-  }
-
-  // To be considered intact, this record must have parsed successfully (if
-  // parsed by |Create()|) and the digest must match the hash of the nonce.
-  bool IsIntact() const { return is_intact_; }
-
- private:
-  IntegrityRecordRdata(Nonce nonce_, Digest digest_, size_t rdata_len);
-
-  static Digest Hash(const Nonce& nonce);
-
-  // Returns the exact number of bytes a record constructed from |nonce| would
-  // occupy when serialized.
-  static size_t LengthForSerialization(const Nonce& nonce);
-
-  Nonce nonce_;
-  Digest digest_;
-  bool is_intact_;
-};
-
 }  // namespace net
 
 #endif  // NET_DNS_RECORD_RDATA_H_
diff --git a/chromium/net/dns/record_rdata_unittest.cc b/chromium/net/dns/record_rdata_unittest.cc
index f507d84ebbb..e39078e33e2 100644
--- a/chromium/net/dns/record_rdata_unittest.cc
+++ b/chromium/net/dns/record_rdata_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -29,10 +29,6 @@ base::StringPiece MakeStringPiece(const uint8_t* data, unsigned size) {
   return base::StringPiece(data_cc, size);
 }
 
-base::StringPiece MakeStringPiece(const std::vector<uint8_t>& vec) {
-  return MakeStringPiece(vec.data(), vec.size());
-}
-
 TEST(RecordRdataTest, ParseSrvRecord) {
   // These are just the rdata portions of the DNS records, rather than complete
   // records, but it works well enough for this test.
@@ -241,142 +237,5 @@ TEST(RecordRdataTest, CreateNsecRecordWithOversizedBitmapReturnsNull) {
   ASSERT_FALSE(record_obj);
 }
 
-// Test that for arbitrary IntegrityRecordRdata r, Parse(Serialize(r)) == r.
-TEST(RecordRdataTest, IntegrityParseSerializeInverseProperty) {
-  IntegrityRecordRdata record(IntegrityRecordRdata::Random());
-
-  EXPECT_TRUE(record.IsIntact());
-  absl::optional<std::vector<uint8_t>> serialized = record.Serialize();
-  EXPECT_TRUE(serialized);
-
-  std::unique_ptr<IntegrityRecordRdata> reparsed =
-      IntegrityRecordRdata::Create(MakeStringPiece(*serialized));
-  EXPECT_TRUE(reparsed);
-  EXPECT_TRUE(reparsed->IsEqual(&record));
-}
-
-TEST(RecordRdataTest, IntegrityEmptyNonceCornerCase) {
-  const IntegrityRecordRdata::Nonce empty_nonce;
-  IntegrityRecordRdata record(empty_nonce);
-  EXPECT_TRUE(record.IsIntact());
-
-  absl::optional<std::vector<uint8_t>> serialized = record.Serialize();
-  EXPECT_TRUE(serialized);
-  std::unique_ptr<IntegrityRecordRdata> reparsed =
-      IntegrityRecordRdata::Create(MakeStringPiece(*serialized));
-  EXPECT_TRUE(reparsed);
-  EXPECT_TRUE(reparsed->IsIntact());
-  EXPECT_TRUE(reparsed->IsEqual(&record));
-  EXPECT_EQ(reparsed->nonce().size(), 0u);
-}
-
-TEST(RecordRdataTest, IntegrityMoveConstructor) {
-  IntegrityRecordRdata record_a(IntegrityRecordRdata::Random());
-  EXPECT_TRUE(record_a.IsIntact());
-  absl::optional<std::vector<uint8_t>> serialized_a = record_a.Serialize();
-  EXPECT_TRUE(serialized_a);
-
-  IntegrityRecordRdata record_b = std::move(record_a);
-  EXPECT_TRUE(record_b.IsIntact());
-  absl::optional<std::vector<uint8_t>> serialized_b = record_b.Serialize();
-  EXPECT_TRUE(serialized_b);
-
-  EXPECT_EQ(serialized_a, serialized_b);
-}
-
-TEST(RecordRdataTest, IntegrityRandomRecordsDiffer) {
-  IntegrityRecordRdata record_a(IntegrityRecordRdata::Random());
-  IntegrityRecordRdata record_b(IntegrityRecordRdata::Random());
-  EXPECT_TRUE(!record_a.IsEqual(&record_b));
-}
-
-TEST(RecordRdataTest, IntegritySerialize) {
-  IntegrityRecordRdata record({'A'});
-  EXPECT_TRUE(record.IsIntact());
-  const absl::optional<std::vector<uint8_t>> serialized = record.Serialize();
-  EXPECT_TRUE(serialized);
-
-  // Expected payload contains the SHA256 hash of 'A'. For the lazy:
-  //   $ echo -n A | sha256sum | cut -f1 -d' ' | sed -e 's/\(..\)/0x\1, /g'
-  const std::vector<uint8_t> expected = {
-      0, 1, 'A',  // Length prefix and nonce
-                  // Begin digest
-      0x55, 0x9a, 0xea, 0xd0, 0x82, 0x64, 0xd5, 0x79, 0x5d, 0x39, 0x09, 0x71,
-      0x8c, 0xdd, 0x05, 0xab, 0xd4, 0x95, 0x72, 0xe8, 0x4f, 0xe5, 0x55, 0x90,
-      0xee, 0xf3, 0x1a, 0x88, 0xa0, 0x8f, 0xdf, 0xfd,  // End digest
-  };
-
-  EXPECT_TRUE(*serialized == expected);
-}
-
-TEST(RecordRdataTest, IntegrityParse) {
-  const std::vector<uint8_t> serialized = {
-      0,    6,    'f',  'o',  'o',  'b',  'a',  'r',  // Length prefix and nonce
-      0xc3, 0xab, 0x8f, 0xf1, 0x37, 0x20, 0xe8, 0xad, 0x90,  // Begin digest
-      0x47, 0xdd, 0x39, 0x46, 0x6b, 0x3c, 0x89, 0x74, 0xe5, 0x92, 0xc2,
-      0xfa, 0x38, 0x3d, 0x4a, 0x39, 0x60, 0x71, 0x4c, 0xae, 0xf0, 0xc4,
-      0xf2,  // End digest
-  };
-  auto record = IntegrityRecordRdata::Create(MakeStringPiece(serialized));
-  EXPECT_TRUE(record);
-  EXPECT_TRUE(record->IsIntact());
-}
-
-TEST(RecordRdataTest, IntegrityBadParseEmptyRdata) {
-  const std::vector<uint8_t> serialized = {};
-  auto record = IntegrityRecordRdata::Create(MakeStringPiece(serialized));
-  EXPECT_TRUE(record);
-  EXPECT_FALSE(record->IsIntact());
-}
-
-TEST(RecordRdataTest, IntegrityBadParseTruncatedNonce) {
-  const std::vector<uint8_t> serialized = {
-      0, 6, 'f', 'o', 'o'  // Length prefix and truncated nonce
-  };
-  auto record = IntegrityRecordRdata::Create(MakeStringPiece(serialized));
-  EXPECT_TRUE(record);
-  EXPECT_FALSE(record->IsIntact());
-}
-
-TEST(RecordRdataTest, IntegrityBadParseTruncatedDigest) {
-  const std::vector<uint8_t> serialized = {
-      0, 6, 'f', 'o', 'o', 'b', 'a', 'r',  // Length prefix and nonce
-                                           // Begin Digest
-      0xc3, 0xab, 0x8f, 0xf1, 0x37, 0x20, 0xe8, 0xad, 0x90, 0x47, 0xdd, 0x39,
-      0x46, 0x6b, 0x3c, 0x89, 0x74, 0xe5, 0x92, 0xc2, 0xfa, 0x38, 0x3d,
-      0x4a,  // End digest
-  };
-  auto record = IntegrityRecordRdata::Create(MakeStringPiece(serialized));
-  EXPECT_TRUE(record);
-  EXPECT_FALSE(record->IsIntact());
-}
-
-TEST(RecordRdataTest, IntegrityBadParseExtraBytes) {
-  const std::vector<uint8_t> serialized = {
-      0, 6, 'f', 'o', 'o', 'b', 'a', 'r',  // Length prefix and nonce
-                                           // Begin digest
-      0xc3, 0xab, 0x8f, 0xf1, 0x37, 0x20, 0xe8, 0xad, 0x90, 0x47, 0xdd, 0x39,
-      0x46, 0x6b, 0x3c, 0x89, 0x74, 0xe5, 0x92, 0xc2, 0xfa, 0x38, 0x3d, 0x4a,
-      0x39, 0x60, 0x71, 0x4c, 0xae, 0xf0, 0xc4, 0xf2,  // End digest
-      'e', 'x', 't', 'r', 'a'                          // Trailing bytes
-  };
-  auto record = IntegrityRecordRdata::Create(MakeStringPiece(serialized));
-  EXPECT_TRUE(record);
-  EXPECT_FALSE(record->IsIntact());
-}
-
-TEST(RecordRdataTest, IntegrityCorruptedDigest) {
-  const std::vector<uint8_t> serialized = {
-      0,    6,    'f',  'o',  'o',  'b',  'a',  'r',  // Length prefix and nonce
-      0xde, 0xad, 0xbe, 0xef, 0x37, 0x20, 0xe8, 0xad, 0x90,  // Begin digest
-      0x47, 0xdd, 0x39, 0x46, 0x6b, 0x3c, 0x89, 0x74, 0xe5, 0x92, 0xc2,
-      0xfa, 0x38, 0x3d, 0x4a, 0x39, 0x60, 0x71, 0x4c, 0xae, 0xf0, 0xc4,
-      0xf2,  // End digest
-  };
-  auto record = IntegrityRecordRdata::Create(MakeStringPiece(serialized));
-  EXPECT_TRUE(record);
-  EXPECT_FALSE(record->IsIntact());
-}
-
 }  // namespace
 }  // namespace net
diff --git a/chromium/net/dns/resolve_context.cc b/chromium/net/dns/resolve_context.cc
index 4a1a56f8350..5d07d0fe90c 100644
--- a/chromium/net/dns/resolve_context.cc
+++ b/chromium/net/dns/resolve_context.cc
@@ -1,15 +1,15 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/dns/resolve_context.h"
 
-#include <algorithm>
 #include <cstdlib>
 #include <limits>
 #include <utility>
 
 #include "base/check_op.h"
+#include "base/containers/contains.h"
 #include "base/metrics/bucket_ranges.h"
 #include "base/metrics/histogram.h"
 #include "base/metrics/histogram_base.h"
@@ -566,10 +566,9 @@ bool ResolveContext::GetProviderUseExtraLogging(size_t server_index,
 
   // Use extra logging if any matching provider entries have
   // `LoggingLevel::kExtra` set.
-  return std::any_of(
-      matching_entries.begin(), matching_entries.end(), [&](const auto* entry) {
-        return entry->logging_level == DohProviderEntry::LoggingLevel::kExtra;
-      });
+  return base::Contains(matching_entries,
+                        DohProviderEntry::LoggingLevel::kExtra,
+                        &DohProviderEntry::logging_level);
 }
 
 void ResolveContext::NotifyDohStatusObserversOfSessionChanged() {
diff --git a/chromium/net/dns/resolve_context.h b/chromium/net/dns/resolve_context.h
index 86dfdcde1ba..24e5b6b0803 100644
--- a/chromium/net/dns/resolve_context.h
+++ b/chromium/net/dns/resolve_context.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/resolve_context_unittest.cc b/chromium/net/dns/resolve_context_unittest.cc
index 4414b024b5f..6bc0e28d06e 100644
--- a/chromium/net/dns/resolve_context_unittest.cc
+++ b/chromium/net/dns/resolve_context_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -329,7 +329,7 @@ TEST_F(ResolveContextTest, HostCacheInvalidation) {
 
   base::TimeTicks now;
   HostCache::Key key("example.com", DnsQueryType::UNSPECIFIED, 0,
-                     HostResolverSource::ANY, NetworkIsolationKey());
+                     HostResolverSource::ANY, NetworkAnonymizationKey());
   context.host_cache()->Set(
       key,
       HostCache::Entry(OK, /*ip_endpoints=*/{}, /*aliases=*/{},
@@ -382,7 +382,7 @@ TEST_F(ResolveContextTest, HostCacheInvalidation_SameSession) {
   // Add to the host cache and add some DoH server status.
   base::TimeTicks now;
   HostCache::Key key("example.com", DnsQueryType::UNSPECIFIED, 0,
-                     HostResolverSource::ANY, NetworkIsolationKey());
+                     HostResolverSource::ANY, NetworkAnonymizationKey());
   context.host_cache()->Set(
       key,
       HostCache::Entry(OK, /*ip_endpoints=*/{}, /*aliases=*/{"example.com"},
diff --git a/chromium/net/dns/serial_worker.cc b/chromium/net/dns/serial_worker.cc
index ee0a6c36734..878f2bb4032 100644
--- a/chromium/net/dns/serial_worker.cc
+++ b/chromium/net/dns/serial_worker.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/serial_worker.h b/chromium/net/dns/serial_worker.h
index c226fe6d010..c4158ca4d66 100644
--- a/chromium/net/dns/serial_worker.h
+++ b/chromium/net/dns/serial_worker.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/serial_worker_unittest.cc b/chromium/net/dns/serial_worker_unittest.cc
index d5e7e7fe7f3..d5962df6aaf 100644
--- a/chromium/net/dns/serial_worker_unittest.cc
+++ b/chromium/net/dns/serial_worker_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/system_dns_config_change_notifier.cc b/chromium/net/dns/system_dns_config_change_notifier.cc
index 20c460d7de7..aa058bb6b6a 100644
--- a/chromium/net/dns/system_dns_config_change_notifier.cc
+++ b/chromium/net/dns/system_dns_config_change_notifier.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/system_dns_config_change_notifier.h b/chromium/net/dns/system_dns_config_change_notifier.h
index e7f7688da0f..340687027f7 100644
--- a/chromium/net/dns/system_dns_config_change_notifier.h
+++ b/chromium/net/dns/system_dns_config_change_notifier.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/system_dns_config_change_notifier_unittest.cc b/chromium/net/dns/system_dns_config_change_notifier_unittest.cc
index 562efea84ca..46980544707 100644
--- a/chromium/net/dns/system_dns_config_change_notifier_unittest.cc
+++ b/chromium/net/dns/system_dns_config_change_notifier_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/test_dns_config_service.cc b/chromium/net/dns/test_dns_config_service.cc
index 0b266e3b71b..ed581f674c3 100644
--- a/chromium/net/dns/test_dns_config_service.cc
+++ b/chromium/net/dns/test_dns_config_service.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/dns/test_dns_config_service.h b/chromium/net/dns/test_dns_config_service.h
index e0a1ab9109e..a8da79e9e58 100644
--- a/chromium/net/dns/test_dns_config_service.h
+++ b/chromium/net/dns/test_dns_config_service.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/docs/bug-triage.md b/chromium/net/docs/bug-triage.md
index 1db4d62f383..69f8d9c690b 100644
--- a/chromium/net/docs/bug-triage.md
+++ b/chromium/net/docs/bug-triage.md
@@ -8,7 +8,7 @@ of their two days working on bug triage/investigation.
 ## 1. Review untriaged bugs
 
 Look through [this list of untriaged
-bugs](https://bugs.chromium.org/p/chromium/issues/list?sort=pri%20-stars%20-opened&q=status%3Aunconfirmed%2Cuntriaged%20-Needs%3DFeedback%20-Label%3ANetwork-Triaged%20-has%3ANextAction%20component%3DInternals%3ENetwork%2CInternals%3ENetwork%3ECache%2CInternals%3ENetwork%3ESSL%2CInternals%3ENetwork%3EQUIC%2CInternals%3ENetwork%3EAuth%2CInternals%3ENetwork%3EHTTP2%2CInternals%3ENetwork%3EProxy%2CInternals%3ENetwork%3ELibrary%2CInternals%3ENetwork%3ELogging%2CInternals%3ENetwork%3EConnectivity%2CInternals%3ENetwork%3EDomainSecurityPolicy%2CInternals%3ENetwork%3EFTP%2CInternals%3ENetwork%3EDNS).
+bugs](https://bugs.chromium.org/p/chromium/issues/list?sort=pri%20-stars%20-opened&q=status%3Aunconfirmed%2Cuntriaged%20-Needs%3DFeedback%20-Label%3ANetwork-Triaged%20-has%3ANextAction%20component%3DInternals%3ENetwork%3EReportingAndNEL%2CInternals%3ENetwork%3ECache%3ESimple%2CInternals%3ENetwork%2CInternals%3ENetwork%3ECache%2CInternals%3ENetwork%3ESSL%2CInternals%3ENetwork%3EQUIC%2CInternals%3ENetwork%3EAuth%2CInternals%3ENetwork%3EHTTP2%2CInternals%3ENetwork%3EProxy%2CInternals%3ENetwork%3ELibrary%2CInternals%3ENetwork%3ELogging%2CInternals%3ENetwork%3EConnectivity%2CInternals%3ENetwork%3EDomainSecurityPolicy%2CInternals%3ENetwork%3EFTP%2CInternals%3ENetwork%3EDNS).
 
 The goal is for this query to be empty. Bugs can be removed from the triage queue
 by doing any of the following:
@@ -72,7 +72,7 @@ crashers](https://goto.google.com/network_triage_internal#investigating-crashers
 ## 2. Follow-up on issues with the Needs-Feedback label
 
 Look through [this list of Needs=Feedback
-bugs](https://bugs.chromium.org/p/chromium/issues/list?sort=-modified%20-modified&q=Needs%3DFeedback%20component%3DInternals%3ENetwork%2CInternals%3ENetwork%3ECache%2CInternals%3ENetwork%3ESSL%2CInternals%3ENetwork%3EQUIC%2CInternals%3ENetwork%3EAuth%2CInternals%3ENetwork%3EHTTP2%2CInternals%3ENetwork%3EProxy%2CInternals%3ENetwork%3ELibrary%2CInternals%3ENetwork%3ELogging%2CInternals%3ENetwork%3EConnectivity%2CInternals%3ENetwork%3EDomainSecurityPolicy%2CInternals%3ENetwork%3EFTP%2CInternals%3ENetwork%3EDNS).
+bugs](https://bugs.chromium.org/p/chromium/issues/list?sort=-modified%20-modified&q=Needs%3DFeedback%20component%3DInternals%3ENetwork%3EReportingAndNEL%2CInternals%3ENetwork%3ECache%3ESimple%2CInternals%3ENetwork%2CInternals%3ENetwork%3ECache%2CInternals%3ENetwork%3ESSL%2CInternals%3ENetwork%3EQUIC%2CInternals%3ENetwork%3EAuth%2CInternals%3ENetwork%3EHTTP2%2CInternals%3ENetwork%3EProxy%2CInternals%3ENetwork%3ELibrary%2CInternals%3ENetwork%3ELogging%2CInternals%3ENetwork%3EConnectivity%2CInternals%3ENetwork%3EDomainSecurityPolicy%2CInternals%3ENetwork%3EFTP%2CInternals%3ENetwork%3EDNS).
 
 * If the requested feedback was provided, review the new information and repeat
   the same steps as (1) to re-triage based on the new information.
@@ -82,7 +82,7 @@ bugs](https://bugs.chromium.org/p/chromium/issues/list?sort=-modified%20-modifie
 ## 3. Ensure P0 and P1 bugs have an owner
 
 Look through [the list of unowned high priority
-bugs](https://bugs.chromium.org/p/chromium/issues/list?sort=pri%20-stars%20-opened&q=Pri%3A0%2C1%20-has%3Aowner%20-label%3ANetwork-Triaged%20component%3DInternals%3ENetwork%2CInternals%3ENetwork%3ECache%2CInternals%3ENetwork%3ESSL%2CInternals%3ENetwork%3EQUIC%2CInternals%3ENetwork%3EAuth%2CInternals%3ENetwork%3EHTTP2%2CInternals%3ENetwork%3EProxy%2CInternals%3ENetwork%3ELibrary%2CInternals%3ENetwork%3ELogging%2CInternals%3ENetwork%3EConnectivity%2CInternals%3ENetwork%3EDomainSecurityPolicy%2CInternals%3ENetwork%3EFTP%2CInternals%3ENetwork%3EDNS).
+bugs](https://bugs.chromium.org/p/chromium/issues/list?sort=pri%20-stars%20-opened&q=Pri%3A0%2C1%20-has%3Aowner%20-label%3ANetwork-Triaged%20component%3DInternals%3ENetwork%3EReportingAndNEL%2CInternals%3ENetwork%3ECache%3ESimple%2CInternals%3ENetwork%2CInternals%3ENetwork%3ECache%2CInternals%3ENetwork%3ESSL%2CInternals%3ENetwork%3EQUIC%2CInternals%3ENetwork%3EAuth%2CInternals%3ENetwork%3EHTTP2%2CInternals%3ENetwork%3EProxy%2CInternals%3ENetwork%3ELibrary%2CInternals%3ENetwork%3ELogging%2CInternals%3ENetwork%3EConnectivity%2CInternals%3ENetwork%3EDomainSecurityPolicy%2CInternals%3ENetwork%3EFTP%2CInternals%3ENetwork%3EDNS).
 These bugs should either have an owner, or be downgraded to a lower priority.
 
 ## 4. (Optional) Look through crash reports
@@ -109,6 +109,7 @@ The ones that are included are:
 Internals>Network
 Internals>Network>Auth
 Internals>Network>Cache
+Internals>Network>Cache>Simple
 Internals>Network>DNS
 Internals>Network>Connectivity
 Internals>Network>DomainSecurityPolicy
@@ -118,6 +119,7 @@ Internals>Network>Library
 Internals>Network>Logging
 Internals>Network>Proxy
 Internals>Network>QUIC
+Internals>Network>ReportingAndNEL
 Internals>Network>SSL
 ```
 
@@ -134,7 +136,6 @@ Internals>Network>DoH
 Internals>Network>EV
 Internals>Network>NetInfo
 Internals>Network>NetworkQuality
-Internals>Network>ReportingAndNEL
 Internals>Network>TrustTokens
 Internals>Network>VPN
 ```
@@ -155,7 +156,11 @@ generating and modifying shifts
   Dashboard](https://chromiumdash.appspot.com/components/Internals/Network?project=Chromium)
 
 * There is also an [internal dashboard with bug trends for Web
-  Platform](https://goto.google.com/vufyq) that includes network issues.
+  Platform](https://goto.google.com/blink-untriaged-by-team) that includes network issues.
+
+* And another [internal dashboard breaking down the bug trends for the
+  networking stack by components]
+  (https://goto.google.com/chrome-network-untriaged-by-component)
 
 * The issue tracker doesn't track any official mappings between components and
   OWNERS. This [internal document](https://goto.google.com/kojfj) enumerates
diff --git a/chromium/net/docs/generate-dot-to-png.py b/chromium/net/docs/generate-dot-to-png.py
index efde378df9d..98ebea92ba2 100755
--- a/chromium/net/docs/generate-dot-to-png.py
+++ b/chromium/net/docs/generate-dot-to-png.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright 2018 The Chromium Authors. All rights reserved.
+# Copyright 2018 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/extras/preload_data/decoder.cc b/chromium/net/extras/preload_data/decoder.cc
index 9404796ca1c..3509a604de1 100644
--- a/chromium/net/extras/preload_data/decoder.cc
+++ b/chromium/net/extras/preload_data/decoder.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/extras/preload_data/decoder.h b/chromium/net/extras/preload_data/decoder.h
index 9186927f036..8d42c1b3c77 100644
--- a/chromium/net/extras/preload_data/decoder.h
+++ b/chromium/net/extras/preload_data/decoder.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/extras/sqlite/cookie_crypto_delegate.h b/chromium/net/extras/sqlite/cookie_crypto_delegate.h
index 389325f66e9..e5ad07e2ad5 100644
--- a/chromium/net/extras/sqlite/cookie_crypto_delegate.h
+++ b/chromium/net/extras/sqlite/cookie_crypto_delegate.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc
index 071c35bf96f..c62cb2867e9 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.h b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.h
index fd9ff43ad63..681d46faad6 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.h
+++ b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_perftest.cc b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_perftest.cc
index bd9ca68f816..b3bfe2b3ec1 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_perftest.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_perftest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
index f71881f972b..d17d09cbbb4 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -1177,7 +1177,8 @@ bool AddV9CookiesToDBImpl(sql::Database* db,
   if (!statement.is_valid())
     return false;
   sql::Transaction transaction(db);
-  transaction.Begin();
+  if (!transaction.Begin())
+    return false;
   for (const auto& cookie : cookies) {
     statement.Reset(true);
     statement.BindInt64(
@@ -1388,8 +1389,7 @@ TEST_F(SQLitePersistentCookieStoreTest, KeyInconsistency) {
   // Create a cookie on a scheme that doesn't handle cookies by default,
   // and save it.
   std::unique_ptr<CookieMonster> cookie_monster =
-      std::make_unique<CookieMonster>(store_.get(), /*net_log=*/nullptr,
-                                      /*first_party_sets_enabled=*/false);
+      std::make_unique<CookieMonster>(store_.get(), /*net_log=*/nullptr);
   ResultSavingCookieCallback<bool> cookie_scheme_callback1;
   cookie_monster->SetCookieableSchemes({"ftp", "http"},
                                        cookie_scheme_callback1.MakeCallback());
@@ -1433,8 +1433,8 @@ TEST_F(SQLitePersistentCookieStoreTest, KeyInconsistency) {
   // instances, so they should complete before the new PersistentCookieStore
   // starts looking at the state on disk.
   Create(false, false, true /* want current thread to invoke cookie monster */);
-  cookie_monster = std::make_unique<CookieMonster>(
-      store_.get(), /*net_log=*/nullptr, /*first_party_sets_enabled=*/false);
+  cookie_monster =
+      std::make_unique<CookieMonster>(store_.get(), /*net_log=*/nullptr);
   ResultSavingCookieCallback<bool> cookie_scheme_callback2;
   cookie_monster->SetCookieableSchemes({"ftp", "http"},
                                        cookie_scheme_callback2.MakeCallback());
@@ -1464,8 +1464,7 @@ TEST_F(SQLitePersistentCookieStoreTest, OpsIfInitFailed) {
       base::CreateDirectory(temp_dir_.GetPath().Append(kCookieFilename)));
   Create(false, false, true /* want current thread to invoke cookie monster */);
   std::unique_ptr<CookieMonster> cookie_monster =
-      std::make_unique<CookieMonster>(store_.get(), /*net_log=*/nullptr,
-                                      /*first_party_sets_enabled=*/false);
+      std::make_unique<CookieMonster>(store_.get(), /*net_log=*/nullptr);
 
   ResultSavingCookieCallback<CookieAccessResult> set_cookie_callback;
   GURL url("http://www.example.com/");
@@ -1652,7 +1651,8 @@ bool AddV10CookiesToDBImpl(sql::Database* db,
   if (!statement.is_valid())
     return false;
   sql::Transaction transaction(db);
-  transaction.Begin();
+  if (!transaction.Begin())
+    return false;
   for (const auto& cookie : cookies) {
     statement.Reset(true);
     statement.BindInt64(
@@ -2026,7 +2026,8 @@ bool AddV11CookiesToDB(sql::Database* db) {
   if (!statement.is_valid())
     return false;
   sql::Transaction transaction(db);
-  transaction.Begin();
+  if (!transaction.Begin())
+    return false;
   for (const auto& cookie : cookies) {
     statement.Reset(true);
     statement.BindInt64(
@@ -2073,7 +2074,8 @@ bool AddV12CookiesToDB(sql::Database* db) {
   if (!statement.is_valid())
     return false;
   sql::Transaction transaction(db);
-  transaction.Begin();
+  if (!transaction.Begin())
+    return false;
   for (const CanonicalCookie& cookie : cookies) {
     statement.Reset(true);
     statement.BindInt64(
@@ -2121,7 +2123,8 @@ bool AddV13CookiesToDB(sql::Database* db) {
   if (!statement.is_valid())
     return false;
   sql::Transaction transaction(db);
-  transaction.Begin();
+  if (!transaction.Begin())
+    return false;
   for (const CanonicalCookie& cookie : cookies) {
     statement.Reset(true);
     statement.BindInt64(
@@ -2171,7 +2174,8 @@ bool AddV15CookiesToDB(sql::Database* db) {
   if (!statement.is_valid())
     return false;
   sql::Transaction transaction(db);
-  transaction.Begin();
+  if (!transaction.Begin())
+    return false;
   for (const CanonicalCookie& cookie : cookies) {
     statement.Reset(true);
     statement.BindInt64(
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc
index b1fe702a420..d38c8699ddc 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -23,7 +23,7 @@
 #include "base/task/task_traits.h"
 #include "base/thread_annotations.h"
 #include "net/base/features.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/extras/sqlite/sqlite_persistent_store_backend_base.h"
 #include "net/reporting/reporting_endpoint.h"
 #include "sql/database.h"
@@ -42,8 +42,8 @@ namespace {
 //
 // Version 2 - 2020/10 - https://crrev.com/c/2485253
 //
-// Version 2 adds NetworkIsolationKey fields to all entries. When migrating,
-// existing entries get an empty NetworkIsolationKey value.
+// Version 2 adds NetworkAnonymizationKey fields to all entries. When migrating,
+// existing entries get an empty NetworkAnonymizationKey value.
 const int kCurrentVersionNumber = 2;
 const int kCompatibleVersionNumber = 2;
 
@@ -92,39 +92,40 @@ base::TaskPriority GetReportingAndNelStoreBackgroundSequencePriority() {
   return base::TaskPriority::USER_BLOCKING;
 }
 
-// Converts a NetworkIsolationKey to a string for serializing to disk. Returns
-// false on failure, which happens for transient keys that should not be
+// Converts a NetworkAnonymizationKey to a string for serializing to disk.
+// Returns false on failure, which happens for transient keys that should not be
 // serialized to disk.
-[[nodiscard]] bool NetworkIsolationKeyToString(
-    const NetworkIsolationKey& network_isolation_key,
+[[nodiscard]] bool NetworkAnonymizationKeyToString(
+    const NetworkAnonymizationKey& network_anonymization_key,
     std::string* out_string) {
   base::Value value;
-  if (!network_isolation_key.ToValue(&value))
+  if (!network_anonymization_key.ToValue(&value))
     return false;
   return JSONStringValueSerializer(out_string).Serialize(value);
 }
 
-// Attempts to convert a string returned by NetworkIsolationKeyToString() to
-// a NetworkIsolationKey. Returns false on failure.
-[[nodiscard]] bool NetworkIsolationKeyFromString(
+// Attempts to convert a string returned by NetworkAnonymizationKeyToString() to
+// a NetworkAnonymizationKey. Returns false on failure.
+[[nodiscard]] bool NetworkAnonymizationKeyFromString(
     const std::string& string,
-    NetworkIsolationKey* out_network_isolation_key) {
+    NetworkAnonymizationKey* out_network_anonymization_key) {
   absl::optional<base::Value> value = base::JSONReader::Read(string);
   if (!value)
     return false;
 
-  if (!NetworkIsolationKey::FromValue(*value, out_network_isolation_key))
+  if (!NetworkAnonymizationKey::FromValue(*value,
+                                          out_network_anonymization_key))
     return false;
 
-  // If NetworkIsolationKeys are disabled for reporting and NEL, but the
-  // NetworkIsolationKey is non-empty, ignore the entry. The entry will
-  // still be in the on-disk database, in case NIKs are re-enabled, it just
+  // If NetworkAnonymizationKeys are disabled for reporting and NEL, but the
+  // NetworkAnonymizationKeys is non-empty, ignore the entry. The entry will
+  // still be in the on-disk database, in case NAKs are re-enabled, it just
   // won't be loaded into memory. The entry could still be loaded with an empty
-  // NetworkIsolationKey, but that would require logic to resolve conflicts.
-  if (!out_network_isolation_key->IsEmpty() &&
+  // NetworkAnonymizationKey, but that would require logic to resolve conflicts.
+  if (!out_network_anonymization_key->IsEmpty() &&
       !base::FeatureList::IsEnabled(
           features::kPartitionNelAndReportingByNetworkIsolationKey)) {
-    *out_network_isolation_key = NetworkIsolationKey();
+    *out_network_anonymization_key = NetworkAnonymizationKey();
     return false;
   }
 
@@ -408,8 +409,9 @@ class SQLitePersistentReportingAndNelStore::Backend::PendingOperation {
 struct SQLitePersistentReportingAndNelStore::Backend::NelPolicyInfo {
   // This should only be invoked through CreatePendingOperation().
   NelPolicyInfo(const NetworkErrorLoggingService::NelPolicy& nel_policy,
-                std::string network_isolation_key_string)
-      : network_isolation_key_string(std::move(network_isolation_key_string)),
+                std::string network_anonymization_key_string)
+      : network_anonymization_key_string(
+            std::move(network_anonymization_key_string)),
         origin_scheme(nel_policy.key.origin.scheme()),
         origin_host(nel_policy.key.origin.host()),
         origin_port(nel_policy.key.origin.port()),
@@ -424,25 +426,26 @@ struct SQLitePersistentReportingAndNelStore::Backend::NelPolicyInfo {
             nel_policy.last_used.ToDeltaSinceWindowsEpoch().InMicroseconds()) {}
 
   // Creates the specified operation for the given policy. Returns nullptr for
-  // endpoints with transient NetworkIsolationKeys.
+  // endpoints with transient NetworkAnonymizationKeys.
   static std::unique_ptr<PendingOperation<NelPolicyInfo>>
   CreatePendingOperation(
       PendingOperationType type,
       const NetworkErrorLoggingService::NelPolicy& nel_policy) {
-    std::string network_isolation_key_string;
-    if (!NetworkIsolationKeyToString(nel_policy.key.network_isolation_key,
-                                     &network_isolation_key_string)) {
+    std::string network_anonymization_key_string;
+    if (!NetworkAnonymizationKeyToString(
+            nel_policy.key.network_anonymization_key,
+            &network_anonymization_key_string)) {
       return nullptr;
     }
 
     return std::make_unique<PendingOperation<NelPolicyInfo>>(
         type,
-        NelPolicyInfo(nel_policy, std::move(network_isolation_key_string)));
+        NelPolicyInfo(nel_policy, std::move(network_anonymization_key_string)));
   }
 
-  // NetworkIsolationKey associated with the request that received the policy,
-  // converted to a string via NetworkIsolationKeyToString().
-  std::string network_isolation_key_string;
+  // NetworkAnonymizationKey associated with the request that received the
+  // policy, converted to a string via NetworkAnonymizationKeyToString().
+  std::string network_anonymization_key_string;
 
   // Origin the policy was received from.
   std::string origin_scheme;
@@ -470,8 +473,9 @@ struct SQLitePersistentReportingAndNelStore::Backend::NelPolicyInfo {
 struct SQLitePersistentReportingAndNelStore::Backend::ReportingEndpointInfo {
   // This should only be invoked through CreatePendingOperation().
   ReportingEndpointInfo(const ReportingEndpoint& endpoint,
-                        std::string network_isolation_key_string)
-      : network_isolation_key_string(std::move(network_isolation_key_string)),
+                        std::string network_anonymization_key_string)
+      : network_anonymization_key_string(
+            std::move(network_anonymization_key_string)),
         origin_scheme(endpoint.group_key.origin.scheme()),
         origin_host(endpoint.group_key.origin.host()),
         origin_port(endpoint.group_key.origin.port()),
@@ -481,24 +485,25 @@ struct SQLitePersistentReportingAndNelStore::Backend::ReportingEndpointInfo {
         weight(endpoint.info.weight) {}
 
   // Creates the specified operation for the given endpoint. Returns nullptr for
-  // endpoints with transient NetworkIsolationKeys.
+  // endpoints with transient NetworkAnonymizationKeys.
   static std::unique_ptr<PendingOperation<ReportingEndpointInfo>>
   CreatePendingOperation(PendingOperationType type,
                          const ReportingEndpoint& endpoint) {
-    std::string network_isolation_key_string;
-    if (!NetworkIsolationKeyToString(endpoint.group_key.network_isolation_key,
-                                     &network_isolation_key_string)) {
+    std::string network_anonymization_key_string;
+    if (!NetworkAnonymizationKeyToString(
+            endpoint.group_key.network_anonymization_key,
+            &network_anonymization_key_string)) {
       return nullptr;
     }
 
     return std::make_unique<PendingOperation<ReportingEndpointInfo>>(
-        type, ReportingEndpointInfo(endpoint,
-                                    std::move(network_isolation_key_string)));
+        type, ReportingEndpointInfo(
+                  endpoint, std::move(network_anonymization_key_string)));
   }
 
-  // NetworkIsolationKey associated with the endpoint, converted to a string via
-  // NetworkIsolationKeyToString().
-  std::string network_isolation_key_string;
+  // NetworkAnonymizationKey associated with the endpoint, converted to a string
+  // via NetworkAnonymizationKeyString().
+  std::string network_anonymization_key_string;
 
   // Origin the endpoint was received from.
   std::string origin_scheme;
@@ -518,8 +523,9 @@ struct SQLitePersistentReportingAndNelStore::Backend::ReportingEndpointInfo {
 struct SQLitePersistentReportingAndNelStore::Backend::
     ReportingEndpointGroupInfo {
   ReportingEndpointGroupInfo(const CachedReportingEndpointGroup& group,
-                             std::string network_isolation_key_string)
-      : network_isolation_key_string(std::move(network_isolation_key_string)),
+                             std::string network_anonymization_key_string)
+      : network_anonymization_key_string(
+            std::move(network_anonymization_key_string)),
         origin_scheme(group.group_key.origin.scheme()),
         origin_host(group.group_key.origin.host()),
         origin_port(group.group_key.origin.port()),
@@ -532,24 +538,25 @@ struct SQLitePersistentReportingAndNelStore::Backend::
             group.last_used.ToDeltaSinceWindowsEpoch().InMicroseconds()) {}
 
   // Creates the specified operation for the given endpoint reporting group.
-  // Returns nullptr for groups with transient NetworkIsolationKeys.
+  // Returns nullptr for groups with transient NetworkAnonymizationKeys.
   static std::unique_ptr<PendingOperation<ReportingEndpointGroupInfo>>
   CreatePendingOperation(PendingOperationType type,
                          const CachedReportingEndpointGroup& group) {
-    std::string network_isolation_key_string;
-    if (!NetworkIsolationKeyToString(group.group_key.network_isolation_key,
-                                     &network_isolation_key_string)) {
+    std::string network_anonymization_key_string;
+    if (!NetworkAnonymizationKeyToString(
+            group.group_key.network_anonymization_key,
+            &network_anonymization_key_string)) {
       return nullptr;
     }
 
     return std::make_unique<PendingOperation<ReportingEndpointGroupInfo>>(
         type, ReportingEndpointGroupInfo(
-                  group, std::move(network_isolation_key_string)));
+                  group, std::move(network_anonymization_key_string)));
   }
 
-  // NetworkIsolationKey associated with the endpoint group, converted to a
-  // string via NetworkIsolationKeyToString().
-  std::string network_isolation_key_string;
+  // NetworkAnonymizationKey associated with the endpoint group, converted to a
+  // string via NetworkAnonymizationKeyToString().
+  std::string network_anonymization_key_string;
 
   // Origin the endpoint group was received from.
   std::string origin_scheme;
@@ -732,7 +739,7 @@ SQLitePersistentReportingAndNelStore::Backend::DoMigrateDatabaseSchema() {
 
   // Migrate from version 1 to version 2.
   //
-  // For migration purposes, the NetworkIsolationKey field of the stored
+  // For migration purposes, the NetworkAnonymizationKey field of the stored
   // policies will be populated with an empty list, which corresponds to an
   // empty NIK. This matches the behavior when NIKs are disabled. This will
   // result in effectively clearing all policies once NIKs are enabled, at
@@ -926,7 +933,8 @@ bool SQLitePersistentReportingAndNelStore::Backend::CommitNelPolicyOperation(
   switch (op->type()) {
     case PendingOperationType::ADD:
       add_statement.Reset(true);
-      add_statement.BindString(0, nel_policy_info.network_isolation_key_string);
+      add_statement.BindString(
+          0, nel_policy_info.network_anonymization_key_string);
       add_statement.BindString(1, nel_policy_info.origin_scheme);
       add_statement.BindString(2, nel_policy_info.origin_host);
       add_statement.BindInt(3, nel_policy_info.origin_port);
@@ -948,7 +956,7 @@ bool SQLitePersistentReportingAndNelStore::Backend::CommitNelPolicyOperation(
       update_access_statement.BindInt64(
           0, nel_policy_info.last_access_us_since_epoch);
       update_access_statement.BindString(
-          1, nel_policy_info.network_isolation_key_string);
+          1, nel_policy_info.network_anonymization_key_string);
       update_access_statement.BindString(2, nel_policy_info.origin_scheme);
       update_access_statement.BindString(3, nel_policy_info.origin_host);
       update_access_statement.BindInt(4, nel_policy_info.origin_port);
@@ -961,7 +969,8 @@ bool SQLitePersistentReportingAndNelStore::Backend::CommitNelPolicyOperation(
 
     case PendingOperationType::DELETE:
       del_statement.Reset(true);
-      del_statement.BindString(0, nel_policy_info.network_isolation_key_string);
+      del_statement.BindString(
+          0, nel_policy_info.network_anonymization_key_string);
       del_statement.BindString(1, nel_policy_info.origin_scheme);
       del_statement.BindString(2, nel_policy_info.origin_host);
       del_statement.BindInt(3, nel_policy_info.origin_port);
@@ -1017,7 +1026,7 @@ bool SQLitePersistentReportingAndNelStore::Backend::
     case PendingOperationType::ADD:
       add_statement.Reset(true);
       add_statement.BindString(
-          0, reporting_endpoint_info.network_isolation_key_string);
+          0, reporting_endpoint_info.network_anonymization_key_string);
       add_statement.BindString(1, reporting_endpoint_info.origin_scheme);
       add_statement.BindString(2, reporting_endpoint_info.origin_host);
       add_statement.BindInt(3, reporting_endpoint_info.origin_port);
@@ -1036,7 +1045,7 @@ bool SQLitePersistentReportingAndNelStore::Backend::
       update_details_statement.BindInt(0, reporting_endpoint_info.priority);
       update_details_statement.BindInt(1, reporting_endpoint_info.weight);
       update_details_statement.BindString(
-          2, reporting_endpoint_info.network_isolation_key_string);
+          2, reporting_endpoint_info.network_anonymization_key_string);
       update_details_statement.BindString(
           3, reporting_endpoint_info.origin_scheme);
       update_details_statement.BindString(4,
@@ -1055,7 +1064,7 @@ bool SQLitePersistentReportingAndNelStore::Backend::
     case PendingOperationType::DELETE:
       del_statement.Reset(true);
       del_statement.BindString(
-          0, reporting_endpoint_info.network_isolation_key_string);
+          0, reporting_endpoint_info.network_anonymization_key_string);
       del_statement.BindString(1, reporting_endpoint_info.origin_scheme);
       del_statement.BindString(2, reporting_endpoint_info.origin_host);
       del_statement.BindInt(3, reporting_endpoint_info.origin_port);
@@ -1121,7 +1130,7 @@ bool SQLitePersistentReportingAndNelStore::Backend::
     case PendingOperationType::ADD:
       add_statement.Reset(true);
       add_statement.BindString(
-          0, reporting_endpoint_group_info.network_isolation_key_string);
+          0, reporting_endpoint_group_info.network_anonymization_key_string);
       add_statement.BindString(1, reporting_endpoint_group_info.origin_scheme);
       add_statement.BindString(2, reporting_endpoint_group_info.origin_host);
       add_statement.BindInt(3, reporting_endpoint_group_info.origin_port);
@@ -1143,7 +1152,7 @@ bool SQLitePersistentReportingAndNelStore::Backend::
       update_access_statement.BindInt64(
           0, reporting_endpoint_group_info.last_access_us_since_epoch);
       update_access_statement.BindString(
-          1, reporting_endpoint_group_info.network_isolation_key_string);
+          1, reporting_endpoint_group_info.network_anonymization_key_string);
       update_access_statement.BindString(
           2, reporting_endpoint_group_info.origin_scheme);
       update_access_statement.BindString(
@@ -1169,7 +1178,7 @@ bool SQLitePersistentReportingAndNelStore::Backend::
       update_details_statement.BindInt64(
           2, reporting_endpoint_group_info.last_access_us_since_epoch);
       update_details_statement.BindString(
-          3, reporting_endpoint_group_info.network_isolation_key_string);
+          3, reporting_endpoint_group_info.network_anonymization_key_string);
       update_details_statement.BindString(
           4, reporting_endpoint_group_info.origin_scheme);
       update_details_statement.BindString(
@@ -1188,7 +1197,7 @@ bool SQLitePersistentReportingAndNelStore::Backend::
     case PendingOperationType::DELETE:
       del_statement.Reset(true);
       del_statement.BindString(
-          0, reporting_endpoint_group_info.network_isolation_key_string);
+          0, reporting_endpoint_group_info.network_anonymization_key_string);
       del_statement.BindString(1, reporting_endpoint_group_info.origin_scheme);
       del_statement.BindString(2, reporting_endpoint_group_info.origin_host);
       del_statement.BindInt(3, reporting_endpoint_group_info.origin_port);
@@ -1333,16 +1342,17 @@ void SQLitePersistentReportingAndNelStore::Backend::
   while (smt.Step()) {
     // Attempt to reconstitute a NEL policy from the fields stored in the
     // database.
-    NetworkIsolationKey network_isolation_key;
-    if (!NetworkIsolationKeyFromString(smt.ColumnString(0),
-                                       &network_isolation_key))
+    NetworkAnonymizationKey network_anonymization_key;
+    if (!NetworkAnonymizationKeyFromString(smt.ColumnString(0),
+                                           &network_anonymization_key))
       continue;
     NetworkErrorLoggingService::NelPolicy policy;
     policy.key = NetworkErrorLoggingService::NelPolicyKey(
-        network_isolation_key, url::Origin::CreateFromNormalizedTuple(
-                                   /* origin_scheme = */ smt.ColumnString(1),
-                                   /* origin_host = */ smt.ColumnString(2),
-                                   /* origin_port = */ smt.ColumnInt(3)));
+        network_anonymization_key,
+        url::Origin::CreateFromNormalizedTuple(
+            /* origin_scheme = */ smt.ColumnString(1),
+            /* origin_host = */ smt.ColumnString(2),
+            /* origin_port = */ smt.ColumnInt(3)));
     if (!policy.received_ip_address.AssignFromIPLiteral(smt.ColumnString(4)))
       policy.received_ip_address = IPAddress();
     policy.report_to = smt.ColumnString(5);
@@ -1419,12 +1429,12 @@ void SQLitePersistentReportingAndNelStore::Backend::
   while (endpoints_statement.Step()) {
     // Attempt to reconstitute a ReportingEndpoint from the fields stored in the
     // database.
-    NetworkIsolationKey network_isolation_key;
-    if (!NetworkIsolationKeyFromString(endpoints_statement.ColumnString(0),
-                                       &network_isolation_key))
+    NetworkAnonymizationKey network_anonymization_key;
+    if (!NetworkAnonymizationKeyFromString(endpoints_statement.ColumnString(0),
+                                           &network_anonymization_key))
       continue;
     ReportingEndpointGroupKey group_key(
-        network_isolation_key,
+        network_anonymization_key,
         /* origin = */
         url::Origin::CreateFromNormalizedTuple(
             /* origin_scheme = */ endpoints_statement.ColumnString(1),
@@ -1443,12 +1453,13 @@ void SQLitePersistentReportingAndNelStore::Backend::
   while (endpoint_groups_statement.Step()) {
     // Attempt to reconstitute a CachedReportingEndpointGroup from the fields
     // stored in the database.
-    NetworkIsolationKey network_isolation_key;
-    if (!NetworkIsolationKeyFromString(
-            endpoint_groups_statement.ColumnString(0), &network_isolation_key))
+    NetworkAnonymizationKey network_anonymization_key;
+    if (!NetworkAnonymizationKeyFromString(
+            endpoint_groups_statement.ColumnString(0),
+            &network_anonymization_key))
       continue;
     ReportingEndpointGroupKey group_key(
-        network_isolation_key,
+        network_anonymization_key,
         /* origin = */
         url::Origin::CreateFromNormalizedTuple(
             /* origin_scheme = */ endpoint_groups_statement.ColumnString(1),
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h
index 2f3e945f8fd..740b2b49d9c 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h
+++ b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store_unittest.cc b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store_unittest.cc
index e00ba9cb61a..f1851ca1226 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store_unittest.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_reporting_and_nel_store_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -22,7 +22,7 @@
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/time.h"
 #include "net/base/features.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/network_error_logging/network_error_logging_service.h"
 #include "net/reporting/reporting_test_util.h"
 #include "net/test/test_with_task_environment.h"
@@ -184,12 +184,12 @@ class SQLitePersistentReportingAndNelStoreTest
   void TearDown() override { DestroyStore(); }
 
   NetworkErrorLoggingService::NelPolicy MakeNelPolicy(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       base::Time last_used) {
     NetworkErrorLoggingService::NelPolicy policy;
-    policy.key =
-        NetworkErrorLoggingService::NelPolicyKey(network_isolation_key, origin);
+    policy.key = NetworkErrorLoggingService::NelPolicyKey(
+        network_anonymization_key, origin);
     policy.received_ip_address = IPAddress::IPv4Localhost();
     policy.report_to = "group";
     policy.expires = kExpires;
@@ -201,7 +201,7 @@ class SQLitePersistentReportingAndNelStoreTest
   }
 
   ReportingEndpoint MakeReportingEndpoint(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       const std::string& group_name,
       const GURL& url,
@@ -212,20 +212,22 @@ class SQLitePersistentReportingAndNelStoreTest
     info.priority = priority;
     info.weight = weight;
     ReportingEndpoint endpoint(
-        ReportingEndpointGroupKey(network_isolation_key, origin, group_name),
+        ReportingEndpointGroupKey(network_anonymization_key, origin,
+                                  group_name),
         std::move(info));
     return endpoint;
   }
 
   CachedReportingEndpointGroup MakeReportingEndpointGroup(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       const std::string& group_name,
       base::Time last_used,
       OriginSubdomains include_subdomains = OriginSubdomains::DEFAULT,
       base::Time expires = kExpires) {
     return CachedReportingEndpointGroup(
-        ReportingEndpointGroupKey(network_isolation_key, origin, group_name),
+        ReportingEndpointGroupKey(network_anonymization_key, origin,
+                                  group_name),
         include_subdomains, expires, last_used);
   }
 
@@ -235,10 +237,10 @@ class SQLitePersistentReportingAndNelStoreTest
   // Use origins distinct from those used in origin fields of keys, to avoid any
   // risk of tests passing due to comparing origins that are the same but come
   // from different sources.
-  const NetworkIsolationKey kNik1_ = NetworkIsolationKey(
+  const NetworkAnonymizationKey kNak1_ = NetworkAnonymizationKey(
       SchemefulSite(GURL("https://top-frame-origin-nik1.test")),
       SchemefulSite(GURL("https://frame-origin-nik1.test")));
-  const NetworkIsolationKey kNik2_ = NetworkIsolationKey(
+  const NetworkAnonymizationKey kNak2_ = NetworkAnonymizationKey(
       SchemefulSite(GURL("https://top-frame-origin-nik2.test")),
       SchemefulSite(GURL("https://frame-origin-nik2.test")));
 
@@ -266,7 +268,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest, TestInvalidMetaTableRecovery) {
   InitializeStore();
   base::Time now = base::Time::Now();
   NetworkErrorLoggingService::NelPolicy policy1 = MakeNelPolicy(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), now);
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), now);
   store_->AddNelPolicy(policy1);
 
   // Close and reopen the database.
@@ -311,7 +313,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest, TestInvalidMetaTableRecovery) {
 
   // Verify that, after, recovery, the database persists properly.
   NetworkErrorLoggingService::NelPolicy policy2 = MakeNelPolicy(
-      kNik2_, url::Origin::Create(GURL("https://www.bar.test")), now);
+      kNak2_, url::Origin::Create(GURL("https://www.bar.test")), now);
   store_->AddNelPolicy(policy2);
   DestroyStore();
 
@@ -333,7 +335,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest, PersistNelPolicy) {
   InitializeStore();
   base::Time now = base::Time::Now();
   NetworkErrorLoggingService::NelPolicy policy = MakeNelPolicy(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), now);
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), now);
   store_->AddNelPolicy(policy);
 
   // Close and reopen the database.
@@ -374,7 +376,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest, UpdateNelPolicyAccessTime) {
   InitializeStore();
   base::Time now = base::Time::Now();
   NetworkErrorLoggingService::NelPolicy policy = MakeNelPolicy(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), now);
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), now);
   store_->AddNelPolicy(policy);
 
   policy.last_used = now + base::Days(1);
@@ -397,9 +399,9 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest, DeleteNelPolicy) {
   InitializeStore();
   base::Time now = base::Time::Now();
   NetworkErrorLoggingService::NelPolicy policy1 = MakeNelPolicy(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), now);
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), now);
   NetworkErrorLoggingService::NelPolicy policy2 = MakeNelPolicy(
-      kNik2_, url::Origin::Create(GURL("https://www.bar.test")), now);
+      kNak2_, url::Origin::Create(GURL("https://www.bar.test")), now);
   store_->AddNelPolicy(policy1);
   store_->AddNelPolicy(policy2);
 
@@ -438,15 +440,15 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   base::Time now = base::Time::Now();
   base::Time later = now + base::Days(1);
 
-  // Add 3 entries, 2 identical except for NIK, 2 identical except for origin.
+  // Add 3 entries, 2 identical except for NAK, 2 identical except for origin.
   // Entries should not conflict with each other. These are added in lexical
   // order.
   NetworkErrorLoggingService::NelPolicy policy1 =
-      MakeNelPolicy(kNik1_, kOrigin1, now);
+      MakeNelPolicy(kNak1_, kOrigin1, now);
   NetworkErrorLoggingService::NelPolicy policy2 =
-      MakeNelPolicy(kNik1_, kOrigin2, now);
+      MakeNelPolicy(kNak1_, kOrigin2, now);
   NetworkErrorLoggingService::NelPolicy policy3 =
-      MakeNelPolicy(kNik2_, kOrigin1, now);
+      MakeNelPolicy(kNak2_, kOrigin1, now);
   store_->AddNelPolicy(policy1);
   store_->AddNelPolicy(policy2);
   store_->AddNelPolicy(policy3);
@@ -454,11 +456,11 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   // Add policies that are identical except for expiration time. These should
   // trigger a warning an fail to execute.
   NetworkErrorLoggingService::NelPolicy policy4 =
-      MakeNelPolicy(kNik1_, kOrigin1, later);
+      MakeNelPolicy(kNak1_, kOrigin1, later);
   NetworkErrorLoggingService::NelPolicy policy5 =
-      MakeNelPolicy(kNik1_, kOrigin2, later);
+      MakeNelPolicy(kNak1_, kOrigin2, later);
   NetworkErrorLoggingService::NelPolicy policy6 =
-      MakeNelPolicy(kNik2_, kOrigin1, later);
+      MakeNelPolicy(kNak2_, kOrigin1, later);
   store_->AddNelPolicy(policy4);
   store_->AddNelPolicy(policy5);
   store_->AddNelPolicy(policy6);
@@ -486,7 +488,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
 
 TEST_F(SQLitePersistentReportingAndNelStoreTest, CoalesceNelPolicyOperations) {
   NetworkErrorLoggingService::NelPolicy policy =
-      MakeNelPolicy(kNik1_, url::Origin::Create(GURL("https://www.foo.test")),
+      MakeNelPolicy(kNak1_, url::Origin::Create(GURL("https://www.foo.test")),
                     base::Time::Now());
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
@@ -544,13 +546,13 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
 
   base::Time now = base::Time::Now();
   NetworkErrorLoggingService::NelPolicy policy1 = MakeNelPolicy(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), now);
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), now);
   // Only has different host.
   NetworkErrorLoggingService::NelPolicy policy2 = MakeNelPolicy(
-      kNik1_, url::Origin::Create(GURL("https://www.bar.test")), now);
-  // Only has different NetworkIsolationKey.
+      kNak1_, url::Origin::Create(GURL("https://www.bar.test")), now);
+  // Only has different NetworkAnonymizationKey.
   NetworkErrorLoggingService::NelPolicy policy3 = MakeNelPolicy(
-      kNik2_, url::Origin::Create(GURL("https://www.foo.test")), now);
+      kNak2_, url::Origin::Create(GURL("https://www.foo.test")), now);
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
                             base::WaitableEvent::InitialState::NOT_SIGNALED);
@@ -574,13 +576,13 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
 }
 
 TEST_F(SQLitePersistentReportingAndNelStoreTest,
-       DontPersistNelPoliciesWithTransientNetworkIsolationKeys) {
+       DontPersistNelPoliciesWithTransientNetworkAnonymizationKeys) {
   CreateStore();
   InitializeStore();
 
   base::Time now = base::Time::Now();
   NetworkErrorLoggingService::NelPolicy policy =
-      MakeNelPolicy(NetworkIsolationKey::CreateTransient(),
+      MakeNelPolicy(NetworkAnonymizationKey::CreateTransient(),
                     url::Origin::Create(GURL("https://www.foo.test")), now);
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
@@ -613,14 +615,14 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
 }
 
 TEST_F(SQLitePersistentReportingAndNelStoreTest,
-       NelPoliciesRestoredWithNetworkIsolationKeysDisabled) {
+       NelPoliciesRestoredWithNetworkAnonymizationKeysDisabled) {
   CreateStore();
   InitializeStore();
 
   base::Time now = base::Time::Now();
-  // Policy with non-empty NetworkIsolationKey.
+  // Policy with non-empty NetworkAnonymizationKey.
   NetworkErrorLoggingService::NelPolicy policy = MakeNelPolicy(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), now);
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), now);
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
                             base::WaitableEvent::InitialState::NOT_SIGNALED);
@@ -696,12 +698,12 @@ class SQLitePersistNelTest : public SQLitePersistentReportingAndNelStoreTest {
   }
 
   NetworkErrorLoggingService::RequestDetails MakeRequestDetails(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const GURL& url,
       Error error_type) {
     NetworkErrorLoggingService::RequestDetails details;
 
-    details.network_isolation_key = network_isolation_key;
+    details.network_anonymization_key = network_anonymization_key;
     details.uri = url;
     details.referrer = GURL("https://referrer.com/");
     details.user_agent = "Mozilla/1.0";
@@ -724,15 +726,15 @@ class SQLitePersistNelTest : public SQLitePersistentReportingAndNelStoreTest {
 TEST_F(SQLitePersistNelTest, AddAndRetrieveNelPolicy) {
   const GURL kUrl("https://www.foo.test");
   const url::Origin kOrigin = url::Origin::Create(kUrl);
-  const NetworkErrorLoggingService::NelPolicyKey kKey(kNik1_, kOrigin);
+  const NetworkErrorLoggingService::NelPolicyKey kKey(kNak1_, kOrigin);
 
-  service_->OnHeader(kNik1_, kOrigin, kServerIP, kHeader);
+  service_->OnHeader(kNak1_, kOrigin, kServerIP, kHeader);
   RunUntilIdle();
 
   EXPECT_EQ(1u, service_->GetPolicyKeysForTesting().count(kKey));
   SimulateRestart();
 
-  service_->OnRequest(MakeRequestDetails(kNik1_, kUrl, ERR_INVALID_RESPONSE));
+  service_->OnRequest(MakeRequestDetails(kNak1_, kUrl, ERR_INVALID_RESPONSE));
   RunUntilIdle();
 
   EXPECT_EQ(1u, service_->GetPolicyKeysForTesting().count(kKey));
@@ -744,22 +746,22 @@ TEST_F(SQLitePersistNelTest, AddAndRetrieveNelPolicy) {
 TEST_F(SQLitePersistNelTest, AddAndDeleteNelPolicy) {
   const GURL kUrl("https://www.foo.test");
   const url::Origin kOrigin = url::Origin::Create(kUrl);
-  const NetworkErrorLoggingService::NelPolicyKey kKey(kNik1_, kOrigin);
+  const NetworkErrorLoggingService::NelPolicyKey kKey(kNak1_, kOrigin);
 
-  service_->OnHeader(kNik1_, kOrigin, kServerIP, kHeader);
+  service_->OnHeader(kNak1_, kOrigin, kServerIP, kHeader);
   RunUntilIdle();
 
   EXPECT_EQ(1u, service_->GetPolicyKeysForTesting().count(kKey));
   SimulateRestart();
 
   // Deletes the stored policy.
-  service_->OnHeader(kNik1_, kOrigin, kServerIP, kHeaderMaxAge0);
+  service_->OnHeader(kNak1_, kOrigin, kServerIP, kHeaderMaxAge0);
   RunUntilIdle();
 
   EXPECT_EQ(0u, service_->GetPolicyKeysForTesting().count(kKey));
   SimulateRestart();
 
-  service_->OnRequest(MakeRequestDetails(kNik1_, kUrl, ERR_INVALID_RESPONSE));
+  service_->OnRequest(MakeRequestDetails(kNak1_, kUrl, ERR_INVALID_RESPONSE));
   RunUntilIdle();
 
   EXPECT_EQ(0u, service_->GetPolicyKeysForTesting().count(kKey));
@@ -769,7 +771,7 @@ TEST_F(SQLitePersistNelTest, AddAndDeleteNelPolicy) {
 TEST_F(SQLitePersistNelTest, ExpirationTimeIsPersisted) {
   const GURL kUrl("https://www.foo.test");
   const url::Origin kOrigin = url::Origin::Create(kUrl);
-  const NetworkIsolationKey kNik;
+  const NetworkAnonymizationKey kNik;
 
   service_->OnHeader(kNik, kOrigin, kServerIP, kHeader);
   RunUntilIdle();
@@ -800,14 +802,14 @@ TEST_F(SQLitePersistNelTest, OnRequestUpdatesAccessTime) {
   const GURL kUrl("https://www.foo.test");
   const url::Origin kOrigin = url::Origin::Create(kUrl);
 
-  service_->OnHeader(kNik1_, kOrigin, kServerIP, kHeader);
+  service_->OnHeader(kNak1_, kOrigin, kServerIP, kHeader);
   RunUntilIdle();
 
   SimulateRestart();
 
   // Update the access time by sending a request.
   clock_.Advance(base::Seconds(100));
-  service_->OnRequest(MakeRequestDetails(kNik1_, kUrl, ERR_INVALID_RESPONSE));
+  service_->OnRequest(MakeRequestDetails(kNak1_, kUrl, ERR_INVALID_RESPONSE));
   RunUntilIdle();
 
   EXPECT_THAT(reporting_service_->reports(),
@@ -817,7 +819,7 @@ TEST_F(SQLitePersistNelTest, OnRequestUpdatesAccessTime) {
   // Check that the policy's access time has been updated.
   base::Time now = clock_.Now();
   NetworkErrorLoggingService::NelPolicy policy =
-      MakeNelPolicy(kNik1_, kOrigin, now);
+      MakeNelPolicy(kNak1_, kOrigin, now);
   std::vector<NetworkErrorLoggingService::NelPolicy> policies;
   LoadNelPolicies(&policies);
   ASSERT_EQ(1u, policies.size());
@@ -830,16 +832,16 @@ TEST_F(SQLitePersistNelTest, RemoveSomeBrowsingData) {
   const url::Origin kOrigin1 = url::Origin::Create(kUrl1);
   const url::Origin kOrigin2 =
       url::Origin::Create(GURL("https://www.bar.test"));
-  const NetworkErrorLoggingService::NelPolicyKey kKey1(kNik1_, kOrigin1);
-  const NetworkErrorLoggingService::NelPolicyKey kKey2(kNik2_, kOrigin2);
+  const NetworkErrorLoggingService::NelPolicyKey kKey1(kNak1_, kOrigin1);
+  const NetworkErrorLoggingService::NelPolicyKey kKey2(kNak2_, kOrigin2);
 
-  service_->OnHeader(kNik1_, kOrigin1, kServerIP, kHeader);
-  service_->OnHeader(kNik2_, kOrigin2, kServerIP, kHeader);
+  service_->OnHeader(kNak1_, kOrigin1, kServerIP, kHeader);
+  service_->OnHeader(kNak2_, kOrigin2, kServerIP, kHeader);
   RunUntilIdle();
 
   SimulateRestart();
 
-  service_->OnRequest(MakeRequestDetails(kNik1_, kUrl1, ERR_INVALID_RESPONSE));
+  service_->OnRequest(MakeRequestDetails(kNak1_, kUrl1, ERR_INVALID_RESPONSE));
   RunUntilIdle();
 
   ASSERT_EQ(1u, service_->GetPolicyKeysForTesting().count(kKey1));
@@ -861,7 +863,7 @@ TEST_F(SQLitePersistNelTest, RemoveSomeBrowsingData) {
 
   SimulateRestart();
 
-  service_->OnRequest(MakeRequestDetails(kNik1_, kUrl1, ERR_INVALID_RESPONSE));
+  service_->OnRequest(MakeRequestDetails(kNak1_, kUrl1, ERR_INVALID_RESPONSE));
   RunUntilIdle();
   EXPECT_EQ(0u, service_->GetPolicyKeysForTesting().count(kKey1));
   EXPECT_EQ(1u, service_->GetPolicyKeysForTesting().count(kKey2));
@@ -873,17 +875,17 @@ TEST_F(SQLitePersistNelTest, RemoveAllBrowsingData) {
   const url::Origin kOrigin1 = url::Origin::Create(kUrl1);
   const GURL kUrl2("https://www.bar.test");
   const url::Origin kOrigin2 = url::Origin::Create(kUrl2);
-  const NetworkErrorLoggingService::NelPolicyKey kKey1(kNik1_, kOrigin1);
-  const NetworkErrorLoggingService::NelPolicyKey kKey2(kNik2_, kOrigin2);
+  const NetworkErrorLoggingService::NelPolicyKey kKey1(kNak1_, kOrigin1);
+  const NetworkErrorLoggingService::NelPolicyKey kKey2(kNak2_, kOrigin2);
 
-  service_->OnHeader(kNik1_, kOrigin1, kServerIP, kHeader);
-  service_->OnHeader(kNik2_, kOrigin2, kServerIP, kHeader);
+  service_->OnHeader(kNak1_, kOrigin1, kServerIP, kHeader);
+  service_->OnHeader(kNak2_, kOrigin2, kServerIP, kHeader);
   RunUntilIdle();
 
   SimulateRestart();
 
-  service_->OnRequest(MakeRequestDetails(kNik1_, kUrl1, ERR_INVALID_RESPONSE));
-  service_->OnRequest(MakeRequestDetails(kNik2_, kUrl2, ERR_INVALID_RESPONSE));
+  service_->OnRequest(MakeRequestDetails(kNak1_, kUrl1, ERR_INVALID_RESPONSE));
+  service_->OnRequest(MakeRequestDetails(kNak2_, kUrl2, ERR_INVALID_RESPONSE));
   RunUntilIdle();
 
   ASSERT_EQ(1u, service_->GetPolicyKeysForTesting().count(kKey1));
@@ -901,8 +903,8 @@ TEST_F(SQLitePersistNelTest, RemoveAllBrowsingData) {
 
   SimulateRestart();
 
-  service_->OnRequest(MakeRequestDetails(kNik1_, kUrl1, ERR_INVALID_RESPONSE));
-  service_->OnRequest(MakeRequestDetails(kNik2_, kUrl2, ERR_INVALID_RESPONSE));
+  service_->OnRequest(MakeRequestDetails(kNak1_, kUrl1, ERR_INVALID_RESPONSE));
+  service_->OnRequest(MakeRequestDetails(kNak2_, kUrl2, ERR_INVALID_RESPONSE));
   RunUntilIdle();
   EXPECT_EQ(0u, service_->GetPolicyKeysForTesting().count(kKey1));
   EXPECT_EQ(0u, service_->GetPolicyKeysForTesting().count(kKey2));
@@ -916,9 +918,9 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest, PersistReportingClients) {
   InitializeStore();
   base::Time now = base::Time::Now();
   ReportingEndpoint endpoint = MakeReportingEndpoint(
-      kNik1_, kOrigin, kGroupName1, GURL("https://endpoint.test/1"));
+      kNak1_, kOrigin, kGroupName1, GURL("https://endpoint.test/1"));
   CachedReportingEndpointGroup group =
-      MakeReportingEndpointGroup(kNik1_, kOrigin, kGroupName1, now);
+      MakeReportingEndpointGroup(kNak1_, kOrigin, kGroupName1, now);
 
   store_->AddReportingEndpoint(endpoint);
   store_->AddReportingEndpointGroup(group);
@@ -932,16 +934,16 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest, PersistReportingClients) {
   std::vector<CachedReportingEndpointGroup> groups;
   LoadReportingClients(&endpoints, &groups);
   ASSERT_EQ(1u, endpoints.size());
-  EXPECT_EQ(endpoint.group_key.network_isolation_key,
-            endpoints[0].group_key.network_isolation_key);
+  EXPECT_EQ(endpoint.group_key.network_anonymization_key,
+            endpoints[0].group_key.network_anonymization_key);
   EXPECT_EQ(endpoint.group_key.origin, endpoints[0].group_key.origin);
   EXPECT_EQ(endpoint.group_key.group_name, endpoints[0].group_key.group_name);
   EXPECT_EQ(endpoint.info.url, endpoints[0].info.url);
   EXPECT_EQ(endpoint.info.priority, endpoints[0].info.priority);
   EXPECT_EQ(endpoint.info.weight, endpoints[0].info.weight);
   ASSERT_EQ(1u, groups.size());
-  EXPECT_EQ(group.group_key.network_isolation_key,
-            groups[0].group_key.network_isolation_key);
+  EXPECT_EQ(group.group_key.network_anonymization_key,
+            groups[0].group_key.network_anonymization_key);
   EXPECT_EQ(group.group_key.origin, groups[0].group_key.origin);
   EXPECT_EQ(group.group_key.group_name, groups[0].group_key.group_name);
   EXPECT_EQ(group.include_subdomains, groups[0].include_subdomains);
@@ -955,7 +957,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   InitializeStore();
   base::Time now = base::Time::Now();
   CachedReportingEndpointGroup group = MakeReportingEndpointGroup(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       now);
 
   store_->AddReportingEndpointGroup(group);
@@ -971,8 +973,8 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   std::vector<CachedReportingEndpointGroup> groups;
   LoadReportingClients(&endpoints, &groups);
   ASSERT_EQ(1u, groups.size());
-  EXPECT_EQ(group.group_key.network_isolation_key,
-            groups[0].group_key.network_isolation_key);
+  EXPECT_EQ(group.group_key.network_anonymization_key,
+            groups[0].group_key.network_anonymization_key);
   EXPECT_EQ(group.group_key.origin, groups[0].group_key.origin);
   EXPECT_EQ(group.group_key.group_name, groups[0].group_key.group_name);
   EXPECT_TRUE(WithinOneMicrosecond(group.last_used, groups[0].last_used));
@@ -983,7 +985,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   CreateStore();
   InitializeStore();
   ReportingEndpoint endpoint = MakeReportingEndpoint(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       GURL("https://endpoint.test/1"));
 
   store_->AddReportingEndpoint(endpoint);
@@ -1000,8 +1002,8 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   std::vector<CachedReportingEndpointGroup> groups;
   LoadReportingClients(&endpoints, &groups);
   ASSERT_EQ(1u, endpoints.size());
-  EXPECT_EQ(endpoint.group_key.network_isolation_key,
-            endpoints[0].group_key.network_isolation_key);
+  EXPECT_EQ(endpoint.group_key.network_anonymization_key,
+            endpoints[0].group_key.network_anonymization_key);
   EXPECT_EQ(endpoint.group_key.origin, endpoints[0].group_key.origin);
   EXPECT_EQ(endpoint.group_key.group_name, endpoints[0].group_key.group_name);
   EXPECT_EQ(endpoint.info.url, endpoints[0].info.url);
@@ -1015,7 +1017,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   InitializeStore();
   base::Time now = base::Time::Now();
   CachedReportingEndpointGroup group = MakeReportingEndpointGroup(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       now, OriginSubdomains::EXCLUDE, kExpires);
 
   store_->AddReportingEndpointGroup(group);
@@ -1033,8 +1035,8 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   std::vector<CachedReportingEndpointGroup> groups;
   LoadReportingClients(&endpoints, &groups);
   ASSERT_EQ(1u, groups.size());
-  EXPECT_EQ(group.group_key.network_isolation_key,
-            groups[0].group_key.network_isolation_key);
+  EXPECT_EQ(group.group_key.network_anonymization_key,
+            groups[0].group_key.network_anonymization_key);
   EXPECT_EQ(group.group_key.origin, groups[0].group_key.origin);
   EXPECT_EQ(group.group_key.group_name, groups[0].group_key.group_name);
   EXPECT_EQ(group.include_subdomains, groups[0].include_subdomains);
@@ -1046,10 +1048,10 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest, DeleteReportingEndpoint) {
   CreateStore();
   InitializeStore();
   ReportingEndpoint endpoint1 = MakeReportingEndpoint(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       GURL("https://endpoint.test/1"));
   ReportingEndpoint endpoint2 = MakeReportingEndpoint(
-      kNik2_, url::Origin::Create(GURL("https://www.bar.test")), kGroupName2,
+      kNak2_, url::Origin::Create(GURL("https://www.bar.test")), kGroupName2,
       GURL("https://endpoint.test/2"));
 
   store_->AddReportingEndpoint(endpoint1);
@@ -1081,10 +1083,10 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest, DeleteReportingEndpointGroup) {
   InitializeStore();
   base::Time now = base::Time::Now();
   CachedReportingEndpointGroup group1 = MakeReportingEndpointGroup(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       now);
   CachedReportingEndpointGroup group2 = MakeReportingEndpointGroup(
-      kNik2_, url::Origin::Create(GURL("https://www.bar.test")), kGroupName2,
+      kNak2_, url::Origin::Create(GURL("https://www.bar.test")), kGroupName2,
       now);
 
   store_->AddReportingEndpointGroup(group1);
@@ -1122,17 +1124,17 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   CreateStore();
   InitializeStore();
 
-  // Add 3 entries, 2 identical except for NIK, 2 identical except for origin.
+  // Add 3 entries, 2 identical except for NAK, 2 identical except for origin.
   // Entries should not conflict with each other. These are added in lexical
   // order.
   ReportingEndpoint endpoint1 =
-      MakeReportingEndpoint(kNik1_, kOrigin1, kGroupName1, kEndpoint,
+      MakeReportingEndpoint(kNak1_, kOrigin1, kGroupName1, kEndpoint,
                             1 /* priority */, 1 /* weight */);
   ReportingEndpoint endpoint2 =
-      MakeReportingEndpoint(kNik1_, kOrigin2, kGroupName1, kEndpoint,
+      MakeReportingEndpoint(kNak1_, kOrigin2, kGroupName1, kEndpoint,
                             2 /* priority */, 2 /* weight */);
   ReportingEndpoint endpoint3 =
-      MakeReportingEndpoint(kNik2_, kOrigin2, kGroupName1, kEndpoint,
+      MakeReportingEndpoint(kNak2_, kOrigin2, kGroupName1, kEndpoint,
                             3 /* priority */, 3 /* weight */);
   store_->AddReportingEndpoint(endpoint1);
   store_->AddReportingEndpoint(endpoint2);
@@ -1141,13 +1143,13 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   // Add entries that are identical except for expiration time. These should
   // trigger a warning an fail to execute.
   ReportingEndpoint endpoint4 =
-      MakeReportingEndpoint(kNik1_, kOrigin1, kGroupName1, kEndpoint,
+      MakeReportingEndpoint(kNak1_, kOrigin1, kGroupName1, kEndpoint,
                             4 /* priority */, 4 /* weight */);
   ReportingEndpoint endpoint5 =
-      MakeReportingEndpoint(kNik1_, kOrigin2, kGroupName1, kEndpoint,
+      MakeReportingEndpoint(kNak1_, kOrigin2, kGroupName1, kEndpoint,
                             5 /* priority */, 5 /* weight */);
   ReportingEndpoint endpoint6 =
-      MakeReportingEndpoint(kNik2_, kOrigin2, kGroupName1, kEndpoint,
+      MakeReportingEndpoint(kNak2_, kOrigin2, kGroupName1, kEndpoint,
                             6 /* priority */, 6 /* weight */);
   store_->AddReportingEndpoint(endpoint4);
   store_->AddReportingEndpoint(endpoint5);
@@ -1193,15 +1195,15 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   base::Time now = base::Time::Now();
   base::Time later = now + base::Days(7);
 
-  // Add 3 entries, 2 identical except for NIK, 2 identical except for origin.
+  // Add 3 entries, 2 identical except for NAK, 2 identical except for origin.
   // Entries should not conflict with each other. These are added in lexical
   // order.
   CachedReportingEndpointGroup group1 =
-      MakeReportingEndpointGroup(kNik1_, kOrigin1, kGroupName1, now);
+      MakeReportingEndpointGroup(kNak1_, kOrigin1, kGroupName1, now);
   CachedReportingEndpointGroup group2 =
-      MakeReportingEndpointGroup(kNik1_, kOrigin2, kGroupName1, now);
+      MakeReportingEndpointGroup(kNak1_, kOrigin2, kGroupName1, now);
   CachedReportingEndpointGroup group3 =
-      MakeReportingEndpointGroup(kNik2_, kOrigin1, kGroupName1, now);
+      MakeReportingEndpointGroup(kNak2_, kOrigin1, kGroupName1, now);
   store_->AddReportingEndpointGroup(group1);
   store_->AddReportingEndpointGroup(group2);
   store_->AddReportingEndpointGroup(group3);
@@ -1209,11 +1211,11 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   // Add entries that are identical except for expiration time. These should
   // trigger a warning an fail to execute.
   CachedReportingEndpointGroup group4 =
-      MakeReportingEndpointGroup(kNik1_, kOrigin1, kGroupName1, later);
+      MakeReportingEndpointGroup(kNak1_, kOrigin1, kGroupName1, later);
   CachedReportingEndpointGroup group5 =
-      MakeReportingEndpointGroup(kNik1_, kOrigin2, kGroupName1, later);
+      MakeReportingEndpointGroup(kNak1_, kOrigin2, kGroupName1, later);
   CachedReportingEndpointGroup group6 =
-      MakeReportingEndpointGroup(kNik2_, kOrigin1, kGroupName1, later);
+      MakeReportingEndpointGroup(kNak2_, kOrigin1, kGroupName1, later);
   store_->AddReportingEndpointGroup(group4);
   store_->AddReportingEndpointGroup(group5);
   store_->AddReportingEndpointGroup(group6);
@@ -1248,7 +1250,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
 TEST_F(SQLitePersistentReportingAndNelStoreTest,
        CoalesceReportingEndpointOperations) {
   ReportingEndpoint endpoint = MakeReportingEndpoint(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       GURL("https://endpoint.test/1"));
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
@@ -1306,15 +1308,15 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   InitializeStore();
 
   ReportingEndpoint endpoint1 = MakeReportingEndpoint(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       GURL("https://endpoint.test/1"));
   // Only has different host.
   ReportingEndpoint endpoint2 = MakeReportingEndpoint(
-      kNik1_, url::Origin::Create(GURL("https://www.bar.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.bar.test")), kGroupName1,
       GURL("https://endpoint.test/2"));
-  // Only has different NetworkIsolationKey.
+  // Only has different NetworkAnonymizationKey.
   ReportingEndpoint endpoint3 = MakeReportingEndpoint(
-      kNik2_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak2_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       GURL("https://endpoint.test/3"));
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
@@ -1342,7 +1344,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
        CoalesceReportingEndpointGroupOperations) {
   base::Time now = base::Time::Now();
   CachedReportingEndpointGroup group = MakeReportingEndpointGroup(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       now);
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
@@ -1443,15 +1445,15 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
 
   base::Time now = base::Time::Now();
   CachedReportingEndpointGroup group1 = MakeReportingEndpointGroup(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       now);
   // Only has different host.
   CachedReportingEndpointGroup group2 = MakeReportingEndpointGroup(
-      kNik1_, url::Origin::Create(GURL("https://www.bar.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.bar.test")), kGroupName1,
       now);
-  // Only has different NetworkIsolationKey.
+  // Only has different NetworkAnonymizationKey.
   CachedReportingEndpointGroup group3 = MakeReportingEndpointGroup(
-      kNik2_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak2_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       now);
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
@@ -1476,12 +1478,12 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
 }
 
 TEST_F(SQLitePersistentReportingAndNelStoreTest,
-       DontPersistReportingEndpointsWithTransientNetworkIsolationKeys) {
+       DontPersistReportingEndpointsWithTransientNetworkAnonymizationKeys) {
   CreateStore();
   InitializeStore();
 
   ReportingEndpoint endpoint =
-      MakeReportingEndpoint(NetworkIsolationKey::CreateTransient(),
+      MakeReportingEndpoint(NetworkAnonymizationKey::CreateTransient(),
                             url::Origin::Create(GURL("https://www.foo.test")),
                             kGroupName1, GURL("https://endpoint.test/1"));
 
@@ -1515,14 +1517,15 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   ASSERT_EQ(0u, endpoints.size());
 }
 
-TEST_F(SQLitePersistentReportingAndNelStoreTest,
-       DontPersistReportingEndpointGroupsWithTransientNetworkIsolationKeys) {
+TEST_F(
+    SQLitePersistentReportingAndNelStoreTest,
+    DontPersistReportingEndpointGroupsWithTransientNetworkAnonymizationKeys) {
   CreateStore();
   InitializeStore();
 
   base::Time now = base::Time::Now();
   CachedReportingEndpointGroup group = MakeReportingEndpointGroup(
-      NetworkIsolationKey::CreateTransient(),
+      NetworkAnonymizationKey::CreateTransient(),
       url::Origin::Create(GURL("https://www.foo.test")), kGroupName1, now);
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
@@ -1558,13 +1561,13 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
 }
 
 TEST_F(SQLitePersistentReportingAndNelStoreTest,
-       ReportingEndpointsRestoredWithNetworkIsolationKeysDisabled) {
+       ReportingEndpointsRestoredWithNetworkAnonymizationKeysDisabled) {
   CreateStore();
   InitializeStore();
 
-  // Endpoint with non-empty NetworkIsolationKey.
+  // Endpoint with non-empty NetworkAnonymizationKey.
   ReportingEndpoint endpoint = MakeReportingEndpoint(
-      kNik1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
+      kNak1_, url::Origin::Create(GURL("https://www.foo.test")), kGroupName1,
       GURL("https://endpoint.test/"));
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
@@ -1613,7 +1616,7 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
 }
 
 TEST_F(SQLitePersistentReportingAndNelStoreTest,
-       ReportingEndpointGroupsRestoredWithNetworkIsolationKeysDisabled) {
+       ReportingEndpointGroupsRestoredWithNetworkAnonymizationKeysDisabled) {
   CreateStore();
   InitializeStore();
 
@@ -1622,9 +1625,9 @@ TEST_F(SQLitePersistentReportingAndNelStoreTest,
   CreateStore();
   InitializeStore();
   base::Time now = base::Time::Now();
-  // Group with non-empty NetworkIsolationKey.
+  // Group with non-empty NetworkAnonymizationKey.
   CachedReportingEndpointGroup group =
-      MakeReportingEndpointGroup(kNik1_, kOrigin, kGroupName1, now);
+      MakeReportingEndpointGroup(kNak1_, kOrigin, kGroupName1, now);
 
   base::WaitableEvent event(base::WaitableEvent::ResetPolicy::AUTOMATIC,
                             base::WaitableEvent::InitialState::NOT_SIGNALED);
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_store_backend_base.cc b/chromium/net/extras/sqlite/sqlite_persistent_store_backend_base.cc
index f7cc3a2794e..c9fc04d85ca 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_store_backend_base.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_store_backend_base.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_store_backend_base.h b/chromium/net/extras/sqlite/sqlite_persistent_store_backend_base.h
index 9f391f21187..c0d3b65a770 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_store_backend_base.h
+++ b/chromium/net/extras/sqlite/sqlite_persistent_store_backend_base.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/features.gni b/chromium/net/features.gni
index 3cf1e4ac161..2079df18166 100644
--- a/chromium/net/features.gni
+++ b/chromium/net/features.gni
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -39,13 +39,11 @@ declare_args() {
   # See https://crbug.com/649026.
   trial_comparison_cert_verifier_supported = is_mac || is_win
 
-  # Platforms where both the builtin cert verifier and a platform verifier are
-  # supported and may be switched between using the CertVerifierBuiltin feature
-  # flag. This does not include platforms where the builtin cert verifier is
-  # the only verifier supported.
-  builtin_cert_verifier_feature_supported = is_mac
-
-  # Platforms for which the builtin cert verifier can use the Chrome Root Store.
+  # Platforms for which certificate verification can be performed using the
+  # builtin cert verifier with the Chrome Root Store, and this can be
+  # configured using the ChromeRootStoreUsed feature flag. When the feature
+  # flag is false, verification may be done with the platform verifier or the
+  # builtin verifier using platform roots, depending on the platform.
   # See https://crbug.com/1216547 for status.
   chrome_root_store_supported = is_win || is_mac
 }
diff --git a/chromium/net/filter/brotli_source_stream.cc b/chromium/net/filter/brotli_source_stream.cc
index 82dd4ccc0c1..45b20947db3 100644
--- a/chromium/net/filter/brotli_source_stream.cc
+++ b/chromium/net/filter/brotli_source_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -163,7 +163,7 @@ class BrotliSourceStream : public FilterSourceStream {
     free(&array[-1]);
   }
 
-  raw_ptr<BrotliDecoderState> brotli_state_;
+  raw_ptr<BrotliDecoderState, DanglingUntriaged> brotli_state_;
 
   DecodingStatus decoding_status_ = DecodingStatus::DECODING_IN_PROGRESS;
 
diff --git a/chromium/net/filter/brotli_source_stream.h b/chromium/net/filter/brotli_source_stream.h
index d09c3e148d2..5ff3cafaba3 100644
--- a/chromium/net/filter/brotli_source_stream.h
+++ b/chromium/net/filter/brotli_source_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/brotli_source_stream_disabled.cc b/chromium/net/filter/brotli_source_stream_disabled.cc
index 986397cb94e..4fc844577fa 100644
--- a/chromium/net/filter/brotli_source_stream_disabled.cc
+++ b/chromium/net/filter/brotli_source_stream_disabled.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/brotli_source_stream_fuzzer.cc b/chromium/net/filter/brotli_source_stream_fuzzer.cc
index 1f83f6232e9..c2c5c65ab83 100644
--- a/chromium/net/filter/brotli_source_stream_fuzzer.cc
+++ b/chromium/net/filter/brotli_source_stream_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/brotli_source_stream_unittest.cc b/chromium/net/filter/brotli_source_stream_unittest.cc
index 9f847192d26..163830090ca 100644
--- a/chromium/net/filter/brotli_source_stream_unittest.cc
+++ b/chromium/net/filter/brotli_source_stream_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/filter_source_stream.cc b/chromium/net/filter/filter_source_stream.cc
index 16b46edc88c..845f6d883b1 100644
--- a/chromium/net/filter/filter_source_stream.cc
+++ b/chromium/net/filter/filter_source_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/filter_source_stream.h b/chromium/net/filter/filter_source_stream.h
index 40af692b912..69520ff533f 100644
--- a/chromium/net/filter/filter_source_stream.h
+++ b/chromium/net/filter/filter_source_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/filter_source_stream_test_util.cc b/chromium/net/filter/filter_source_stream_test_util.cc
index 643ca529a7f..2e18235b726 100644
--- a/chromium/net/filter/filter_source_stream_test_util.cc
+++ b/chromium/net/filter/filter_source_stream_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/filter_source_stream_test_util.h b/chromium/net/filter/filter_source_stream_test_util.h
index edb76df7153..ed237c88a14 100644
--- a/chromium/net/filter/filter_source_stream_test_util.h
+++ b/chromium/net/filter/filter_source_stream_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/filter_source_stream_unittest.cc b/chromium/net/filter/filter_source_stream_unittest.cc
index 16e4079c3e3..543d529da42 100644
--- a/chromium/net/filter/filter_source_stream_unittest.cc
+++ b/chromium/net/filter/filter_source_stream_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/fuzzed_source_stream.cc b/chromium/net/filter/fuzzed_source_stream.cc
index 67e61f4592c..74a1a39301d 100644
--- a/chromium/net/filter/fuzzed_source_stream.cc
+++ b/chromium/net/filter/fuzzed_source_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/fuzzed_source_stream.h b/chromium/net/filter/fuzzed_source_stream.h
index c12cf4fa94a..2817250753e 100644
--- a/chromium/net/filter/fuzzed_source_stream.h
+++ b/chromium/net/filter/fuzzed_source_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/gzip_header.cc b/chromium/net/filter/gzip_header.cc
index d6f09b03ae9..69028c17b4b 100644
--- a/chromium/net/filter/gzip_header.cc
+++ b/chromium/net/filter/gzip_header.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/gzip_header.h b/chromium/net/filter/gzip_header.h
index c3bce8c5384..a10bec988bf 100644
--- a/chromium/net/filter/gzip_header.h
+++ b/chromium/net/filter/gzip_header.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/gzip_source_stream.cc b/chromium/net/filter/gzip_source_stream.cc
index 2c73deb3543..129ca795692 100644
--- a/chromium/net/filter/gzip_source_stream.cc
+++ b/chromium/net/filter/gzip_source_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/gzip_source_stream.h b/chromium/net/filter/gzip_source_stream.h
index 625b0962093..1c0d557dc2a 100644
--- a/chromium/net/filter/gzip_source_stream.h
+++ b/chromium/net/filter/gzip_source_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/gzip_source_stream_fuzzer.cc b/chromium/net/filter/gzip_source_stream_fuzzer.cc
index 491732eff56..daf4b334dad 100644
--- a/chromium/net/filter/gzip_source_stream_fuzzer.cc
+++ b/chromium/net/filter/gzip_source_stream_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/gzip_source_stream_unittest.cc b/chromium/net/filter/gzip_source_stream_unittest.cc
index b45ca60c831..c4a109c69d7 100644
--- a/chromium/net/filter/gzip_source_stream_unittest.cc
+++ b/chromium/net/filter/gzip_source_stream_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/mock_source_stream.cc b/chromium/net/filter/mock_source_stream.cc
index 55fbaa4b4e1..90175809633 100644
--- a/chromium/net/filter/mock_source_stream.cc
+++ b/chromium/net/filter/mock_source_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/mock_source_stream.h b/chromium/net/filter/mock_source_stream.h
index 823bd18d5a5..1898d6b8f0a 100644
--- a/chromium/net/filter/mock_source_stream.h
+++ b/chromium/net/filter/mock_source_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/source_stream.cc b/chromium/net/filter/source_stream.cc
index f3981964212..f31a83863f8 100644
--- a/chromium/net/filter/source_stream.cc
+++ b/chromium/net/filter/source_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/filter/source_stream.h b/chromium/net/filter/source_stream.h
index 1844c376230..6bf7d9d7211 100644
--- a/chromium/net/filter/source_stream.h
+++ b/chromium/net/filter/source_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/first_party_sets/DIR_METADATA b/chromium/net/first_party_sets/DIR_METADATA
new file mode 100644
index 00000000000..5b87be07a55
--- /dev/null
+++ b/chromium/net/first_party_sets/DIR_METADATA
@@ -0,0 +1,12 @@
+# Metadata information for this directory.
+#
+# For more information on DIR_METADATA files, see:
+#   https://source.chromium.org/chromium/infra/infra/+/main:go/src/infra/tools/dirmd/README.md
+#
+# For the schema of this file, see Metadata message:
+#   https://source.chromium.org/chromium/infra/infra/+/main:go/src/infra/tools/dirmd/proto/dir_metadata.proto
+
+team_email: "chrome-first-party-sets@chromium.org"
+monorail {
+  component: "Internals>Network>First-Party-Sets"
+}
diff --git a/chromium/net/first_party_sets/OWNERS b/chromium/net/first_party_sets/OWNERS
new file mode 100644
index 00000000000..001f4810a37
--- /dev/null
+++ b/chromium/net/first_party_sets/OWNERS
@@ -0,0 +1 @@
+file://chrome/browser/first_party_sets/OWNERS
diff --git a/chromium/net/first_party_sets/addition_overlaps_union_find.cc b/chromium/net/first_party_sets/addition_overlaps_union_find.cc
new file mode 100644
index 00000000000..f109ded81f7
--- /dev/null
+++ b/chromium/net/first_party_sets/addition_overlaps_union_find.cc
@@ -0,0 +1,69 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/first_party_sets/addition_overlaps_union_find.h"
+
+#include <numeric>
+
+#include "base/check_op.h"
+#include "base/containers/flat_map.h"
+#include "base/containers/flat_set.h"
+
+namespace net {
+
+AdditionOverlapsUnionFind::AdditionOverlapsUnionFind(int num_sets) {
+  CHECK_GE(num_sets, 0);
+  representatives_.resize(num_sets);
+  std::iota(representatives_.begin(), representatives_.end(), 0ul);
+}
+
+AdditionOverlapsUnionFind::~AdditionOverlapsUnionFind() = default;
+
+void AdditionOverlapsUnionFind::Union(size_t set_x, size_t set_y) {
+  CHECK_GE(set_x, 0ul);
+  CHECK_LT(set_x, representatives_.size());
+  CHECK_GE(set_y, 0ul);
+  CHECK_LT(set_y, representatives_.size());
+
+  size_t root_x = Find(set_x);
+  size_t root_y = Find(set_y);
+
+  if (root_x == root_y)
+    return;
+  auto [parent, child] = std::minmax(root_x, root_y);
+  representatives_[child] = parent;
+}
+
+AdditionOverlapsUnionFind::SetsMap AdditionOverlapsUnionFind::SetsMapping() {
+  SetsMap sets;
+
+  // An insert into the flat_map and flat_set has O(n) complexity and
+  // populating sets this way will be O(n^2).
+  // This can be improved by creating an intermediate vector of pairs, each
+  // representing an entry in sets, and then constructing the map all at once.
+  // The intermediate vector stores pairs, using O(1) Insert. Another vector
+  // the size of |num_sets| will have to be used for O(1) Lookup into the
+  // first vector. This means making the intermediate vector will be O(n).
+  // After the intermediate vector is populated, and we can use
+  // base::MakeFlatMap to construct the mapping all at once.
+  // This improvement makes this method less straightforward however.
+  for (size_t i = 0; i < representatives_.size(); i++) {
+    size_t cur_rep = Find(i);
+    auto it = sets.emplace(cur_rep, base::flat_set<size_t>()).first;
+    if (i != cur_rep) {
+      it->second.insert(i);
+    }
+  }
+  return sets;
+}
+
+size_t AdditionOverlapsUnionFind::Find(size_t set) {
+  CHECK_GE(set, 0ul);
+  CHECK_LT(set, representatives_.size());
+  if (representatives_[set] != set)
+    representatives_[set] = Find(representatives_[set]);
+  return representatives_[set];
+}
+
+}  // namespace net
diff --git a/chromium/net/first_party_sets/addition_overlaps_union_find.h b/chromium/net/first_party_sets/addition_overlaps_union_find.h
new file mode 100644
index 00000000000..eeabb6eb849
--- /dev/null
+++ b/chromium/net/first_party_sets/addition_overlaps_union_find.h
@@ -0,0 +1,50 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_FIRST_PARTY_SETS_ADDITION_OVERLAPS_UNION_FIND_H_
+#define NET_FIRST_PARTY_SETS_ADDITION_OVERLAPS_UNION_FIND_H_
+
+#include "base/containers/flat_map.h"
+#include "base/containers/flat_set.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// A helper class defining a Union-Find data structure that's used for merging
+// disjoint transitively-overlapping sets together.
+class NET_EXPORT AdditionOverlapsUnionFind {
+ public:
+  using SetsMap = base::flat_map<size_t, base::flat_set<size_t>>;
+
+  // The number of sets (num_sets) must be greater than or equal to zero.
+  explicit AdditionOverlapsUnionFind(int num_sets);
+  ~AdditionOverlapsUnionFind();
+
+  AdditionOverlapsUnionFind(const AdditionOverlapsUnionFind&) = delete;
+  AdditionOverlapsUnionFind& operator=(const AdditionOverlapsUnionFind&) =
+      delete;
+
+  // Unions the two given sets together if they are in disjoint sets, and does
+  // nothing if they are non-disjoint.
+  // Unions are non-commutative for First-Party Sets; this method always chooses
+  // the set with the lesser index as the owner.
+  // Both set indices (set_x, set_y) must be in the range [0, num_sets) where
+  // num_sets is the argument given to the constructor.
+  // If Union is called when num_sets = 0, then this will crash.
+  void Union(size_t set_x, size_t set_y);
+
+  // Returns a mapping from an addition set index 'i' to a set of indices
+  // which all have 'i' as their representative.
+  SetsMap SetsMapping();
+
+ private:
+  // Returns the index for the representative of the given set.
+  size_t Find(size_t set);
+
+  std::vector<size_t> representatives_;
+};
+
+}  // namespace net
+
+#endif  // NET_FIRST_PARTY_SETS_ADDITION_OVERLAPS_UNION_FIND_H_
diff --git a/chromium/net/first_party_sets/addition_overlaps_union_find_unittest.cc b/chromium/net/first_party_sets/addition_overlaps_union_find_unittest.cc
new file mode 100644
index 00000000000..7d4fe4498f1
--- /dev/null
+++ b/chromium/net/first_party_sets/addition_overlaps_union_find_unittest.cc
@@ -0,0 +1,82 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/first_party_sets/addition_overlaps_union_find.h"
+
+#include "base/containers/flat_map.h"
+#include "base/containers/flat_set.h"
+#include "base/test/gtest_util.h"
+#include "testing/gmock/include/gmock/gmock.h"
+
+namespace net {
+namespace {
+
+TEST(AdditionOverlapsUnionFindUnittest, InvalidNumSets) {
+  EXPECT_CHECK_DEATH(AdditionOverlapsUnionFind(-1));
+}
+
+TEST(AdditionOverlapsUnionFindUnittest, EmptyUnionFind_Union_BoundsCheckFails) {
+  AdditionOverlapsUnionFind union_find(0);
+  EXPECT_CHECK_DEATH(union_find.Union(0, 0));
+}
+
+TEST(AdditionOverlapsUnionFindUnittest, Union_BoundsCheckFails) {
+  AdditionOverlapsUnionFind union_find(3);
+
+  // Test lower bound of [0, |num_sets|)
+  EXPECT_CHECK_DEATH(union_find.Union(-1, 0));
+  EXPECT_CHECK_DEATH(union_find.Union(0, -1));
+
+  // Test upper bound of [0, |num_sets|)
+  EXPECT_CHECK_DEATH(union_find.Union(0, 3));
+  EXPECT_CHECK_DEATH(union_find.Union(3, 0));
+}
+
+TEST(AdditionOverlapsUnionFindUnittest, SetsAreTheirInitRepresentatives) {
+  EXPECT_THAT(
+      AdditionOverlapsUnionFind(4).SetsMapping(),
+      AdditionOverlapsUnionFind::SetsMap({{0, {}}, {1, {}}, {2, {}}, {3, {}}}));
+}
+
+TEST(AdditionOverlapsUnionFindUnittest, Union_ChoosesLesserSetIndex) {
+  AdditionOverlapsUnionFind union_find(3);
+
+  union_find.Union(1, 2);
+  EXPECT_THAT(union_find.SetsMapping(),
+              AdditionOverlapsUnionFind::SetsMap({{0, {}}, {1, {2}}}));
+
+  union_find.Union(0, 1);
+  EXPECT_THAT(union_find.SetsMapping(), AdditionOverlapsUnionFind::SetsMap({
+                                            {0, {1, 2}},
+                                        }));
+}
+
+TEST(AdditionOverlapsUnionFindUnittest, Union_NoOp_SameSet) {
+  AdditionOverlapsUnionFind uf(4);
+  for (int i = 0; i < 4; i++) {
+    uf.Union(i, i);
+  }
+  EXPECT_THAT(
+      AdditionOverlapsUnionFind(4).SetsMapping(),
+      AdditionOverlapsUnionFind::SetsMap({{0, {}}, {1, {}}, {2, {}}, {3, {}}}));
+}
+
+TEST(AdditionOverlapsUnionFindUnittest, Union_NoOp_SharedRepresentative) {
+  AdditionOverlapsUnionFind union_find(4);
+
+  union_find.Union(0, 2);
+  EXPECT_THAT(union_find.SetsMapping(),
+              AdditionOverlapsUnionFind::SetsMap({{0, {2}}, {1, {}}, {3, {}}}));
+
+  union_find.Union(0, 2);
+  EXPECT_THAT(union_find.SetsMapping(),
+              AdditionOverlapsUnionFind::SetsMap({{0, {2}}, {1, {}}, {3, {}}}));
+
+  union_find.Union(2, 0);
+  EXPECT_THAT(union_find.SetsMapping(),
+              AdditionOverlapsUnionFind::SetsMap({{0, {2}}, {1, {}}, {3, {}}}));
+}
+
+}  // namespace
+}  // namespace net
diff --git a/chromium/net/cookies/first_party_set_entry.cc b/chromium/net/first_party_sets/first_party_set_entry.cc
index 0bb5cca7601..26a513a995d 100644
--- a/chromium/net/cookies/first_party_set_entry.cc
+++ b/chromium/net/first_party_sets/first_party_set_entry.cc
@@ -1,11 +1,12 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/cookies/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_set_entry.h"
 
 #include <tuple>
 
+#include "base/notreached.h"
 #include "net/base/schemeful_site.h"
 
 namespace net {
@@ -25,8 +26,13 @@ FirstPartySetEntry::FirstPartySetEntry(
     SiteType site_type,
     absl::optional<FirstPartySetEntry::SiteIndex> site_index)
     : primary_(primary), site_type_(site_type), site_index_(site_index) {
-  if (site_type_ == SiteType::kPrimary) {
-    DCHECK(!site_index_.has_value());
+  switch (site_type_) {
+    case SiteType::kPrimary:
+    case SiteType::kService:
+      DCHECK(!site_index_.has_value());
+      break;
+    case SiteType::kAssociated:
+      break;
   }
 }
 
@@ -56,6 +62,22 @@ bool FirstPartySetEntry::operator!=(const FirstPartySetEntry& other) const {
   return !(*this == other);
 }
 
+// static
+absl::optional<net::SiteType> FirstPartySetEntry::DeserializeSiteType(
+    int value) {
+  switch (value) {
+    case static_cast<int>(net::SiteType::kPrimary):
+      return net::SiteType::kPrimary;
+    case static_cast<int>(net::SiteType::kAssociated):
+      return net::SiteType::kAssociated;
+    case static_cast<int>(net::SiteType::kService):
+      return net::SiteType::kService;
+    default:
+      NOTREACHED() << "Unknown SiteType: " << value;
+  }
+  return absl::nullopt;
+}
+
 std::ostream& operator<<(std::ostream& os,
                          const FirstPartySetEntry::SiteIndex& index) {
   os << index.value();
diff --git a/chromium/net/cookies/first_party_set_entry.h b/chromium/net/first_party_sets/first_party_set_entry.h
index d4a8b7e8d12..cd100cdd120 100644
--- a/chromium/net/cookies/first_party_set_entry.h
+++ b/chromium/net/first_party_sets/first_party_set_entry.h
@@ -1,22 +1,29 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_COOKIES_FIRST_PARTY_SET_ENTRY_H_
-#define NET_COOKIES_FIRST_PARTY_SET_ENTRY_H_
+#ifndef NET_FIRST_PARTY_SETS_FIRST_PARTY_SET_ENTRY_H_
+#define NET_FIRST_PARTY_SETS_FIRST_PARTY_SET_ENTRY_H_
 
 #include "net/base/net_export.h"
 #include "net/base/schemeful_site.h"
 
 namespace net {
 
+// These values are persisted to DB. Entries should not be renumbered and
+// numeric values should never be reused.
 enum class SiteType {
   // The First-Party Set declaration listed this site as the "primary" site for
   // the set.
-  kPrimary,
+  kPrimary = 0,
   // The First-Party Set declaration listed this site as an associated site in
   // the set.
-  kAssociated,
+  kAssociated = 1,
+  // The First-Party Set declaration listed this site as a service site in the
+  // set.
+  kService = 2,
+
+  // Update FirstPartySetEntry::DeserializeSiteType if new SiteType is added.
 };
 
 // This class bundles together metadata associated with an entry in a
@@ -56,6 +63,8 @@ class NET_EXPORT FirstPartySetEntry {
   bool operator==(const FirstPartySetEntry& other) const;
   bool operator!=(const FirstPartySetEntry& other) const;
 
+  static absl::optional<net::SiteType> DeserializeSiteType(int value);
+
   const SchemefulSite& primary() const { return primary_; }
 
   SiteType site_type() const { return site_type_; }
@@ -81,4 +90,4 @@ NET_EXPORT std::ostream& operator<<(std::ostream& os,
 
 }  // namespace net
 
-#endif  // NET_COOKIES_FIRST_PARTY_SET_ENTRY_H_
+#endif  // NET_FIRST_PARTY_SETS_FIRST_PARTY_SET_ENTRY_H_
diff --git a/chromium/net/cookies/first_party_set_metadata.cc b/chromium/net/first_party_sets/first_party_set_metadata.cc
index 0937d897ee3..26521fa5f9b 100644
--- a/chromium/net/cookies/first_party_set_metadata.cc
+++ b/chromium/net/first_party_sets/first_party_set_metadata.cc
@@ -1,13 +1,13 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/cookies/first_party_set_metadata.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
 
 #include <tuple>
 
-#include "base/stl_util.h"
-#include "net/cookies/first_party_set_entry.h"
+#include "base/types/optional_util.h"
+#include "net/first_party_sets/first_party_set_entry.h"
 
 namespace net {
 
@@ -32,12 +32,23 @@ bool FirstPartySetMetadata::operator==(
          std::tie(other.context_, other.frame_entry_, other.top_frame_entry_);
 }
 
+bool FirstPartySetMetadata::operator!=(
+    const FirstPartySetMetadata& other) const {
+  return !(*this == other);
+}
+
 std::ostream& operator<<(std::ostream& os,
                          const FirstPartySetMetadata& metadata) {
   os << "{" << metadata.context() << ", "
-     << base::OptionalOrNullptr(metadata.frame_entry()) << ", "
-     << base::OptionalOrNullptr(metadata.top_frame_entry()) << "}";
+     << base::OptionalToPtr(metadata.frame_entry()) << ", "
+     << base::OptionalToPtr(metadata.top_frame_entry()) << "}";
   return os;
 }
 
+bool FirstPartySetMetadata::AreSitesInSameFirstPartySet() const {
+  if (!frame_entry_ || !top_frame_entry_)
+    return false;
+  return frame_entry_->primary() == top_frame_entry_->primary();
+}
+
 }  // namespace net
diff --git a/chromium/net/cookies/first_party_set_metadata.h b/chromium/net/first_party_sets/first_party_set_metadata.h
index 5d54d5564ac..a532a2619f2 100644
--- a/chromium/net/cookies/first_party_set_metadata.h
+++ b/chromium/net/first_party_sets/first_party_set_metadata.h
@@ -1,13 +1,13 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_COOKIES_FIRST_PARTY_SET_METADATA_H_
-#define NET_COOKIES_FIRST_PARTY_SET_METADATA_H_
+#ifndef NET_FIRST_PARTY_SETS_FIRST_PARTY_SET_METADATA_H_
+#define NET_FIRST_PARTY_SETS_FIRST_PARTY_SET_METADATA_H_
 
 #include "net/base/net_export.h"
-#include "net/cookies/first_party_set_entry.h"
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/first_party_set_entry.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace net {
@@ -31,6 +31,7 @@ class NET_EXPORT FirstPartySetMetadata {
   ~FirstPartySetMetadata();
 
   bool operator==(const FirstPartySetMetadata& other) const;
+  bool operator!=(const FirstPartySetMetadata& other) const;
 
   const SamePartyContext& context() const { return context_; }
 
@@ -43,6 +44,12 @@ class NET_EXPORT FirstPartySetMetadata {
     return top_frame_entry_;
   }
 
+  // Returns true if `frame_entry` and `top_frame_entry` are both non-null and
+  // have the same primary. This is different from `context_.context_type()`
+  // because it only checks if the the frames' sites are in the same set
+  // regardless of their ancestor chain.
+  bool AreSitesInSameFirstPartySet() const;
+
  private:
   SamePartyContext context_ = SamePartyContext();
   absl::optional<FirstPartySetEntry> frame_entry_ = absl::nullopt;
@@ -54,4 +61,4 @@ NET_EXPORT std::ostream& operator<<(std::ostream& os,
 
 }  // namespace net
 
-#endif  // NET_COOKIES_FIRST_PARTY_SET_METADATA_H_
+#endif  // NET_FIRST_PARTY_SETS_FIRST_PARTY_SET_METADATA_H_
diff --git a/chromium/net/first_party_sets/first_party_sets_cache_filter.cc b/chromium/net/first_party_sets/first_party_sets_cache_filter.cc
new file mode 100644
index 00000000000..402dbdfa908
--- /dev/null
+++ b/chromium/net/first_party_sets/first_party_sets_cache_filter.cc
@@ -0,0 +1,60 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/first_party_sets/first_party_sets_cache_filter.h"
+
+namespace net {
+
+FirstPartySetsCacheFilter::MatchInfo::MatchInfo() = default;
+
+FirstPartySetsCacheFilter::MatchInfo::MatchInfo(
+    const FirstPartySetsCacheFilter::MatchInfo& other) = default;
+
+FirstPartySetsCacheFilter::MatchInfo::MatchInfo::~MatchInfo() = default;
+
+bool FirstPartySetsCacheFilter::MatchInfo::operator==(
+    const FirstPartySetsCacheFilter::MatchInfo& other) const {
+  return std::tie(clear_at_run_id, browser_run_id) ==
+         std::tie(other.clear_at_run_id, other.browser_run_id);
+}
+
+FirstPartySetsCacheFilter::FirstPartySetsCacheFilter() = default;
+FirstPartySetsCacheFilter::FirstPartySetsCacheFilter(
+    base::flat_map<net::SchemefulSite, int64_t> filter,
+    int64_t browser_run_id)
+    : filter_(std::move(filter)), browser_run_id_(std::move(browser_run_id)) {
+  if (browser_run_id_ == 0) {
+    DCHECK(filter_.empty());
+  }
+}
+
+FirstPartySetsCacheFilter::FirstPartySetsCacheFilter(
+    FirstPartySetsCacheFilter&& other) = default;
+FirstPartySetsCacheFilter& FirstPartySetsCacheFilter::operator=(
+    FirstPartySetsCacheFilter&& other) = default;
+
+FirstPartySetsCacheFilter::~FirstPartySetsCacheFilter() = default;
+
+bool FirstPartySetsCacheFilter::operator==(
+    const FirstPartySetsCacheFilter& other) const {
+  return std::tie(filter_, browser_run_id_) ==
+         std::tie(other.filter_, other.browser_run_id_);
+}
+
+FirstPartySetsCacheFilter FirstPartySetsCacheFilter::Clone() const {
+  return FirstPartySetsCacheFilter(filter_, browser_run_id_);
+}
+
+FirstPartySetsCacheFilter::MatchInfo FirstPartySetsCacheFilter::GetMatchInfo(
+    const net::SchemefulSite& site) const {
+  FirstPartySetsCacheFilter::MatchInfo res;
+  if (browser_run_id_ > 0) {
+    res.browser_run_id = browser_run_id_;
+    if (const auto it = filter_.find(site); it != filter_.end())
+      res.clear_at_run_id = it->second;
+  }
+  return res;
+}
+
+}  // namespace net
diff --git a/chromium/net/first_party_sets/first_party_sets_cache_filter.h b/chromium/net/first_party_sets/first_party_sets_cache_filter.h
new file mode 100644
index 00000000000..81ad165dae5
--- /dev/null
+++ b/chromium/net/first_party_sets/first_party_sets_cache_filter.h
@@ -0,0 +1,84 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_FIRST_PARTY_SETS_FIRST_PARTY_SETS_CACHE_FILTER_H_
+#define NET_FIRST_PARTY_SETS_FIRST_PARTY_SETS_CACHE_FILTER_H_
+
+#include "base/containers/flat_map.h"
+#include "net/base/net_export.h"
+#include "net/base/schemeful_site.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+
+namespace mojo {
+template <typename DataViewType, typename T>
+struct StructTraits;
+}  // namespace mojo
+namespace network::mojom {
+class FirstPartySetsCacheFilterDataView;
+}  // namespace network::mojom
+
+namespace net {
+
+// This class stores the First-Party Sets configuration to filter cache access
+// for a request in the given network context.
+class NET_EXPORT FirstPartySetsCacheFilter {
+ public:
+  // This struct bundles together the info needed to filter cache for a request.
+  struct NET_EXPORT MatchInfo {
+    MatchInfo();
+    MatchInfo(const MatchInfo& other);
+    ~MatchInfo();
+    bool operator==(const MatchInfo& other) const;
+
+    // Stores the ID used to check whether cache should be bypassed. Only not
+    // null if the request site matches the filter; nullopt if don't match.
+    absl::optional<int64_t> clear_at_run_id;
+    // The ID used to mark the new cache. It should be either a positive number
+    // or nullopt.
+    absl::optional<int64_t> browser_run_id;
+  };
+
+  // The default cache filter is no-op.
+  FirstPartySetsCacheFilter();
+  explicit FirstPartySetsCacheFilter(
+      base::flat_map<net::SchemefulSite, int64_t> filter,
+      int64_t browser_run_id);
+
+  FirstPartySetsCacheFilter(FirstPartySetsCacheFilter&& other);
+  FirstPartySetsCacheFilter& operator=(FirstPartySetsCacheFilter&& other);
+
+  ~FirstPartySetsCacheFilter();
+
+  bool operator==(const FirstPartySetsCacheFilter& other) const;
+
+  FirstPartySetsCacheFilter Clone() const;
+
+  MatchInfo GetMatchInfo(const SchemefulSite& site) const;
+
+ private:
+  // mojo (de)serialization needs access to private details.
+  friend struct mojo::StructTraits<
+      network::mojom::FirstPartySetsCacheFilterDataView,
+      FirstPartySetsCacheFilter>;
+
+  const base::flat_map<net::SchemefulSite, int64_t>& filter() const {
+    return filter_;
+  }
+
+  int64_t browser_run_id() const { return browser_run_id_; }
+
+  // The filter used to bypass cache. The key is site may be bypassed for
+  // cache access, the value indicates the browser run of which the site
+  // was marked to be cleared.
+  base::flat_map<net::SchemefulSite, int64_t> filter_;
+
+  // The id of the current browser run, to mark the cache entry when persisting.
+  // The cache filter should be no-op if this is 0.
+  // TODO(crbug.com/657632): Make this optional.
+  int64_t browser_run_id_ = 0;
+};
+
+}  // namespace net
+
+#endif  // NET_FIRST_PARTY_SETS_FIRST_PARTY_SETS_CACHE_FILTER_H_
diff --git a/chromium/net/first_party_sets/first_party_sets_cache_filter_unittest.cc b/chromium/net/first_party_sets/first_party_sets_cache_filter_unittest.cc
new file mode 100644
index 00000000000..6fb6efe594c
--- /dev/null
+++ b/chromium/net/first_party_sets/first_party_sets_cache_filter_unittest.cc
@@ -0,0 +1,45 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/first_party_sets/first_party_sets_cache_filter.h"
+
+#include "net/base/schemeful_site.h"
+#include "testing/gmock/include/gmock/gmock-matchers.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+
+namespace net {
+
+TEST(FirstPartySetsCacheFilterTest, GetMatchInfo_EmptyFilter) {
+  EXPECT_EQ(FirstPartySetsCacheFilter().GetMatchInfo(
+                SchemefulSite(GURL("https://example.test"))),
+            FirstPartySetsCacheFilter::MatchInfo());
+}
+
+TEST(FirstPartySetsCacheFilterTest, GetMatchInfo_NotMatch) {
+  SchemefulSite example(GURL("https://example.test"));
+  SchemefulSite foo(GURL("https://foo.test"));
+  const int64_t kBrowserRunId = 3;
+
+  FirstPartySetsCacheFilter cache_filter(
+      /*filter_=*/{{example, 2}}, kBrowserRunId);
+  FirstPartySetsCacheFilter::MatchInfo match_info;
+  match_info.browser_run_id = kBrowserRunId;
+  EXPECT_EQ(cache_filter.GetMatchInfo(foo), match_info);
+}
+
+TEST(FirstPartySetsCacheFilterTest, GetMatchInfo_Match) {
+  SchemefulSite example(GURL("https://example.test"));
+  const int64_t kBrowserRunId = 3;
+
+  FirstPartySetsCacheFilter cache_filter(
+      /*filter_=*/{{example, 2}}, kBrowserRunId);
+  FirstPartySetsCacheFilter::MatchInfo match_info;
+  match_info.clear_at_run_id = 2;
+  match_info.browser_run_id = kBrowserRunId;
+  EXPECT_EQ(cache_filter.GetMatchInfo(example), match_info);
+}
+
+}  // namespace net
diff --git a/chromium/net/first_party_sets/first_party_sets_context_config.cc b/chromium/net/first_party_sets/first_party_sets_context_config.cc
new file mode 100644
index 00000000000..52ed31070ba
--- /dev/null
+++ b/chromium/net/first_party_sets/first_party_sets_context_config.cc
@@ -0,0 +1,53 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/first_party_sets/first_party_sets_context_config.h"
+
+namespace net {
+
+FirstPartySetsContextConfig::FirstPartySetsContextConfig() = default;
+FirstPartySetsContextConfig::FirstPartySetsContextConfig(
+    FirstPartySetsContextConfig::OverrideSets customizations)
+    : customizations_(std::move(customizations)) {}
+
+FirstPartySetsContextConfig::FirstPartySetsContextConfig(
+    FirstPartySetsContextConfig&& other) = default;
+FirstPartySetsContextConfig& FirstPartySetsContextConfig::operator=(
+    FirstPartySetsContextConfig&& other) = default;
+
+FirstPartySetsContextConfig::~FirstPartySetsContextConfig() = default;
+
+FirstPartySetsContextConfig FirstPartySetsContextConfig::Clone() const {
+  return FirstPartySetsContextConfig(customizations_);
+}
+
+bool FirstPartySetsContextConfig::operator==(
+    const FirstPartySetsContextConfig& other) const {
+  return customizations_ == other.customizations_;
+}
+
+absl::optional<absl::optional<FirstPartySetEntry>>
+FirstPartySetsContextConfig::FindOverride(const SchemefulSite& site) const {
+  if (const auto it = customizations_.find(site); it != customizations_.end()) {
+    return it->second;
+  }
+  return absl::nullopt;
+}
+
+bool FirstPartySetsContextConfig::Contains(const SchemefulSite& site) const {
+  return FindOverride(site).has_value();
+}
+
+bool FirstPartySetsContextConfig::ForEachCustomizationEntry(
+    base::FunctionRef<bool(const SchemefulSite&,
+                           const absl::optional<FirstPartySetEntry>&)> f)
+    const {
+  for (const auto& [site, maybe_entry] : customizations_) {
+    if (!f(site, maybe_entry))
+      return false;
+  }
+  return true;
+}
+
+}  // namespace net
diff --git a/chromium/net/first_party_sets/first_party_sets_context_config.h b/chromium/net/first_party_sets/first_party_sets_context_config.h
new file mode 100644
index 00000000000..76f127a7f05
--- /dev/null
+++ b/chromium/net/first_party_sets/first_party_sets_context_config.h
@@ -0,0 +1,83 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_FIRST_PARTY_SETS_FIRST_PARTY_SETS_CONTEXT_CONFIG_H_
+#define NET_FIRST_PARTY_SETS_FIRST_PARTY_SETS_CONTEXT_CONFIG_H_
+
+#include "base/containers/flat_map.h"
+#include "base/functional/function_ref.h"
+#include "net/base/schemeful_site.h"
+#include "net/first_party_sets/first_party_set_entry.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+
+namespace mojo {
+template <typename DataViewType, typename T>
+struct StructTraits;
+}  // namespace mojo
+namespace network::mojom {
+class FirstPartySetsContextConfigDataView;
+}  // namespace network::mojom
+
+namespace net {
+
+// This struct bundles together the customized settings to First-Party Sets
+// info in the given network context.
+class NET_EXPORT FirstPartySetsContextConfig {
+ public:
+  using OverrideSets =
+      base::flat_map<SchemefulSite, absl::optional<FirstPartySetEntry>>;
+
+  FirstPartySetsContextConfig();
+  explicit FirstPartySetsContextConfig(OverrideSets customizations);
+
+  FirstPartySetsContextConfig(FirstPartySetsContextConfig&& other);
+  FirstPartySetsContextConfig& operator=(FirstPartySetsContextConfig&& other);
+
+  ~FirstPartySetsContextConfig();
+
+  FirstPartySetsContextConfig Clone() const;
+
+  bool operator==(const FirstPartySetsContextConfig& other) const;
+
+  bool empty() const { return customizations_.empty(); }
+
+  // Finds an override for the given site, in this context. Returns:
+  // - nullopt if no override was found.
+  // - optional(nullopt) if an override was found, and it's a deletion.
+  // - optional(optional(entry)) if an override was found, and it's a
+  // modification/addition.
+  absl::optional<absl::optional<FirstPartySetEntry>> FindOverride(
+      const SchemefulSite& site) const;
+
+  // Returns whether an override can be found for the given site in this
+  // context.
+  bool Contains(const SchemefulSite& site) const;
+
+  // Synchronously iterate over all the override entries. Each iteration will be
+  // invoked with the relevant site and the override that applies to it. The
+  // override will be `nullopt` if it is a deletion, or `optional(entry)` if it
+  // is a modification of an existing entry, or an addition.
+  //
+  // Returns early if any of the iterations returns false. Returns false if
+  // iteration was incomplete; true if all iterations returned true. No
+  // guarantees are made re: iteration order.
+  bool ForEachCustomizationEntry(
+      base::FunctionRef<bool(const SchemefulSite&,
+                             const absl::optional<FirstPartySetEntry>&)> f)
+      const;
+
+ private:
+  // mojo (de)serialization needs access to private details.
+  friend struct mojo::StructTraits<
+      network::mojom::FirstPartySetsContextConfigDataView,
+      FirstPartySetsContextConfig>;
+
+  const OverrideSets& customizations() const { return customizations_; }
+
+  OverrideSets customizations_;
+};
+
+}  // namespace net
+
+#endif  // NET_FIRST_PARTY_SETS_FIRST_PARTY_SETS_CONTEXT_CONFIG_H_
\ No newline at end of file
diff --git a/chromium/net/first_party_sets/first_party_sets_context_config_unittest.cc b/chromium/net/first_party_sets/first_party_sets_context_config_unittest.cc
new file mode 100644
index 00000000000..743a5e5d667
--- /dev/null
+++ b/chromium/net/first_party_sets/first_party_sets_context_config_unittest.cc
@@ -0,0 +1,96 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/first_party_sets/first_party_sets_context_config.h"
+
+#include "net/base/schemeful_site.h"
+#include "net/first_party_sets/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_sets_context_config.h"
+#include "testing/gmock/include/gmock/gmock-matchers.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+#include "url/gurl.h"
+
+using ::testing::Optional;
+
+namespace net {
+
+TEST(FirstPartySetsContextConfigTest, FindOverride_empty) {
+  EXPECT_EQ(FirstPartySetsContextConfig().FindOverride(
+                SchemefulSite(GURL("https://example.test"))),
+            absl::nullopt);
+}
+
+TEST(FirstPartySetsContextConfigTest, FindOverride_irrelevant) {
+  SchemefulSite example(GURL("https://example.test"));
+  FirstPartySetEntry entry(example, SiteType::kPrimary, absl::nullopt);
+  SchemefulSite foo(GURL("https://foo.test"));
+
+  EXPECT_EQ(FirstPartySetsContextConfig({{example, entry}}).FindOverride(foo),
+            absl::nullopt);
+}
+
+TEST(FirstPartySetsContextConfigTest, FindOverride_deletion) {
+  SchemefulSite example(GURL("https://example.test"));
+
+  EXPECT_THAT(FirstPartySetsContextConfig({{example, absl::nullopt}})
+                  .FindOverride(example),
+              Optional(absl::nullopt));
+}
+
+TEST(FirstPartySetsContextConfigTest, FindOverride_modification) {
+  SchemefulSite example(GURL("https://example.test"));
+  FirstPartySetEntry entry(example, SiteType::kPrimary, absl::nullopt);
+
+  EXPECT_THAT(
+      FirstPartySetsContextConfig({{example, entry}}).FindOverride(example),
+      Optional(Optional(entry)));
+}
+
+TEST(FirstPartySetsContextConfigTest, Contains) {
+  SchemefulSite example(GURL("https://example.test"));
+  SchemefulSite decoy(GURL("https://decoy.test"));
+
+  FirstPartySetsContextConfig config({{example, absl::nullopt}});
+
+  EXPECT_TRUE(config.Contains(example));
+  EXPECT_FALSE(config.Contains(decoy));
+}
+
+TEST(FirstPartySetsContextConfigTest, ForEachCustomizationEntry_FullIteration) {
+  SchemefulSite example(GURL("https://example.test"));
+  SchemefulSite foo(GURL("https://foo.test"));
+
+  FirstPartySetsContextConfig config(
+      {{example, absl::nullopt}, {foo, absl::nullopt}});
+
+  int count = 0;
+  EXPECT_TRUE(config.ForEachCustomizationEntry(
+      [&](const SchemefulSite& site,
+          const absl::optional<FirstPartySetEntry>& entry) {
+        ++count;
+        return true;
+      }));
+  EXPECT_EQ(count, 2);
+}
+
+TEST(FirstPartySetsContextConfigTest, ForEachCustomizationEntry_EarlyReturn) {
+  SchemefulSite example(GURL("https://example.test"));
+  SchemefulSite foo(GURL("https://foo.test"));
+
+  FirstPartySetsContextConfig config(
+      {{example, absl::nullopt}, {foo, absl::nullopt}});
+
+  int count = 0;
+  EXPECT_FALSE(config.ForEachCustomizationEntry(
+      [&](const SchemefulSite& site,
+          const absl::optional<FirstPartySetEntry>& entry) {
+        ++count;
+        return count < 1;
+      }));
+  EXPECT_EQ(count, 1);
+}
+
+}  // namespace net
diff --git a/chromium/net/first_party_sets/global_first_party_sets.cc b/chromium/net/first_party_sets/global_first_party_sets.cc
new file mode 100644
index 00000000000..0e8dc036ef4
--- /dev/null
+++ b/chromium/net/first_party_sets/global_first_party_sets.cc
@@ -0,0 +1,411 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/first_party_sets/global_first_party_sets.h"
+
+#include <set>
+#include <tuple>
+
+#include "base/containers/contains.h"
+#include "base/containers/flat_map.h"
+#include "base/containers/flat_set.h"
+#include "base/functional/function_ref.h"
+#include "base/metrics/histogram_macros.h"
+#include "base/timer/elapsed_timer.h"
+#include "base/types/optional_util.h"
+#include "net/base/schemeful_site.h"
+#include "net/first_party_sets/addition_overlaps_union_find.h"
+#include "net/first_party_sets/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/first_party_sets_context_config.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+
+namespace net {
+
+namespace {
+
+using FlattenedSets = base::flat_map<SchemefulSite, FirstPartySetEntry>;
+using SingleSet = base::flat_map<SchemefulSite, FirstPartySetEntry>;
+
+// Converts WS to HTTP, and WSS to HTTPS.
+SchemefulSite NormalizeScheme(const SchemefulSite& site) {
+  SchemefulSite normalized_site = site;
+  normalized_site.ConvertWebSocketToHttp();
+  return normalized_site;
+}
+
+// Converts a list of First-Party Sets from a SingleSet to a FlattenedSet
+// representation.
+FlattenedSets SetListToFlattenedSets(const std::vector<SingleSet>& set_list) {
+  FlattenedSets sets;
+  for (const auto& set : set_list) {
+    for (const auto& site_and_entry : set) {
+      bool inserted = sets.emplace(site_and_entry).second;
+      DCHECK(inserted);
+    }
+  }
+  return sets;
+}
+
+// Adds all sets in a list of First-Party Sets into `site_to_entry` which maps
+// from a site to its entry.
+void UpdateCustomizations(
+    const std::vector<SingleSet>& set_list,
+    std::vector<std::pair<SchemefulSite, absl::optional<FirstPartySetEntry>>>&
+        site_to_entry) {
+  for (const auto& set : set_list) {
+    for (const auto& site_and_entry : set) {
+      site_to_entry.emplace_back(site_and_entry);
+    }
+  }
+}
+
+const SchemefulSite& ProjectKey(
+    const std::pair<SchemefulSite, absl::optional<FirstPartySetEntry>>& p) {
+  return p.first;
+}
+
+SamePartyContext::Type ContextTypeFromBool(bool is_same_party) {
+  return is_same_party ? SamePartyContext::Type::kSameParty
+                       : SamePartyContext::Type::kCrossParty;
+}
+
+}  // namespace
+
+GlobalFirstPartySets::GlobalFirstPartySets() = default;
+
+GlobalFirstPartySets::GlobalFirstPartySets(
+    base::flat_map<SchemefulSite, FirstPartySetEntry> entries,
+    base::flat_map<SchemefulSite, SchemefulSite> aliases)
+    : GlobalFirstPartySets(std::move(entries),
+                           std::move(aliases),
+                           FirstPartySetsContextConfig()) {}
+
+GlobalFirstPartySets::GlobalFirstPartySets(
+    base::flat_map<SchemefulSite, FirstPartySetEntry> entries,
+    base::flat_map<SchemefulSite, SchemefulSite> aliases,
+    FirstPartySetsContextConfig manual_config)
+    : entries_(std::move(entries)),
+      aliases_(std::move(aliases)),
+      manual_config_(std::move(manual_config)) {
+  // `aliases_` can only be nonempty if `entries_` is also nonempty.
+  if (!aliases_.empty())
+    DCHECK(!entries_.empty());
+}
+
+GlobalFirstPartySets::GlobalFirstPartySets(GlobalFirstPartySets&&) = default;
+GlobalFirstPartySets& GlobalFirstPartySets::operator=(GlobalFirstPartySets&&) =
+    default;
+
+GlobalFirstPartySets::~GlobalFirstPartySets() = default;
+
+bool GlobalFirstPartySets::operator==(const GlobalFirstPartySets& other) const {
+  return std::tie(entries_, aliases_, manual_config_) ==
+         std::tie(other.entries_, other.aliases_, other.manual_config_);
+}
+
+bool GlobalFirstPartySets::operator!=(const GlobalFirstPartySets& other) const {
+  return !(*this == other);
+}
+
+GlobalFirstPartySets GlobalFirstPartySets::Clone() const {
+  return GlobalFirstPartySets(entries_, aliases_, manual_config_.Clone());
+}
+
+absl::optional<FirstPartySetEntry> GlobalFirstPartySets::FindEntry(
+    const SchemefulSite& site,
+    const FirstPartySetsContextConfig& config) const {
+  return FindEntry(site, &config);
+}
+
+absl::optional<FirstPartySetEntry> GlobalFirstPartySets::FindEntry(
+    const SchemefulSite& site,
+    const FirstPartySetsContextConfig* config) const {
+  const SchemefulSite normalized_site = NormalizeScheme(site);
+
+  // Check if `normalized_site` can be found in the customizations first.
+  if (config) {
+    if (const auto entry = config->FindOverride(normalized_site);
+        entry.has_value()) {
+      return entry.value();
+    }
+  }
+
+  // Now see if it's in the manual config (with or without a manual alias).
+  if (const auto manual_entry = manual_config_.FindOverride(normalized_site);
+      manual_entry.has_value()) {
+    return manual_entry.value();
+  }
+
+  // Finally, look up in `entries_`, applying an alias if applicable.
+  const auto canonical_it = aliases_.find(normalized_site);
+  const SchemefulSite& canonical_site =
+      canonical_it == aliases_.end() ? normalized_site : canonical_it->second;
+  if (const auto entry_it = entries_.find(canonical_site);
+      entry_it != entries_.end()) {
+    return entry_it->second;
+  }
+
+  return absl::nullopt;
+}
+
+base::flat_map<SchemefulSite, FirstPartySetEntry>
+GlobalFirstPartySets::FindEntries(
+    const base::flat_set<SchemefulSite>& sites,
+    const FirstPartySetsContextConfig& config) const {
+  std::vector<std::pair<SchemefulSite, FirstPartySetEntry>> sites_to_entries;
+  for (const SchemefulSite& site : sites) {
+    const absl::optional<FirstPartySetEntry> entry = FindEntry(site, config);
+    if (entry.has_value()) {
+      sites_to_entries.emplace_back(site, entry.value());
+    }
+  }
+  return sites_to_entries;
+}
+
+FirstPartySetMetadata GlobalFirstPartySets::ComputeMetadata(
+    const SchemefulSite& site,
+    const SchemefulSite* top_frame_site,
+    const std::set<SchemefulSite>& party_context,
+    const FirstPartySetsContextConfig& fps_context_config) const {
+  const base::ElapsedTimer timer;
+
+  SamePartyContext::Type context_type =
+      ContextTypeFromBool(IsContextSamePartyWithSite(
+          site, top_frame_site, party_context, fps_context_config));
+
+  SamePartyContext context(context_type);
+
+  UMA_HISTOGRAM_CUSTOM_MICROSECONDS_TIMES(
+      "Cookie.FirstPartySets.ComputeContext.Latency", timer.Elapsed(),
+      base::Microseconds(1), base::Milliseconds(100), 50);
+
+  absl::optional<FirstPartySetEntry> top_frame_entry =
+      top_frame_site ? FindEntry(*top_frame_site, fps_context_config)
+                     : absl::nullopt;
+
+  return FirstPartySetMetadata(
+      context, base::OptionalToPtr(FindEntry(site, fps_context_config)),
+      base::OptionalToPtr(top_frame_entry));
+}
+
+bool GlobalFirstPartySets::IsContextSamePartyWithSite(
+    const SchemefulSite& site,
+    const SchemefulSite* top_frame_site,
+    const std::set<SchemefulSite>& party_context,
+    const FirstPartySetsContextConfig& fps_context_config) const {
+  const absl::optional<FirstPartySetEntry> site_entry =
+      FindEntry(site, fps_context_config);
+  if (!site_entry.has_value())
+    return false;
+
+  const auto is_in_same_set_as_frame_site =
+      [this, &site_entry,
+       &fps_context_config](const SchemefulSite& context_site) -> bool {
+    const absl::optional<FirstPartySetEntry> context_entry =
+        FindEntry(context_site, fps_context_config);
+    return context_entry.has_value() &&
+           context_entry->primary() == site_entry->primary();
+  };
+
+  if (top_frame_site && !is_in_same_set_as_frame_site(*top_frame_site))
+    return false;
+
+  return base::ranges::all_of(party_context, is_in_same_set_as_frame_site);
+}
+
+void GlobalFirstPartySets::ApplyManuallySpecifiedSet(
+    const base::flat_map<SchemefulSite, FirstPartySetEntry>& manual_entries) {
+  DCHECK(manual_config_.empty());
+  // We handle the manually-specified set the same way as we handle
+  // replacement enterprise policy sets.
+  manual_config_ = ComputeConfig(
+      /*replacement_sets=*/{manual_entries}, /*addition_sets=*/{});
+  manual_sets_ = manual_entries;
+}
+
+FirstPartySetsContextConfig GlobalFirstPartySets::ComputeConfig(
+    const std::vector<SingleSet>& replacement_sets,
+    const std::vector<SingleSet>& addition_sets) const {
+  // Maps a site to its new entry if it has one.
+  std::vector<std::pair<SchemefulSite, absl::optional<FirstPartySetEntry>>>
+      site_to_entry;
+
+  std::vector<base::flat_map<SchemefulSite, FirstPartySetEntry>>
+      normalized_additions = NormalizeAdditionSets(addition_sets);
+
+  // Create flattened versions of the sets for easier lookup.
+  FlattenedSets flattened_replacements =
+      SetListToFlattenedSets(replacement_sets);
+  FlattenedSets flattened_additions =
+      SetListToFlattenedSets(normalized_additions);
+
+  // All of the custom sets are automatically inserted into site_to_owner.
+  UpdateCustomizations(replacement_sets, site_to_entry);
+  UpdateCustomizations(normalized_additions, site_to_entry);
+
+  // Maps old owner to new entry.
+  base::flat_map<SchemefulSite, FirstPartySetEntry> addition_intersected_owners;
+  for (const auto& [new_member, new_entry] : flattened_additions) {
+    if (const auto entry = FindEntry(new_member, /*config=*/nullptr);
+        entry.has_value()) {
+      // Found an overlap with the existing list of sets.
+      addition_intersected_owners.emplace(entry->primary(), new_entry);
+    }
+  }
+
+  // Maps an existing owner to the members it lost due to replacement.
+  base::flat_map<SchemefulSite, base::flat_set<SchemefulSite>>
+      potential_singletons;
+  for (const auto& [member, set_entry] : flattened_replacements) {
+    if (member == set_entry.primary())
+      continue;
+    if (auto existing_entry = FindEntry(member, /*config=*/nullptr);
+        existing_entry.has_value() && existing_entry->primary() != member) {
+      if (!addition_intersected_owners.contains(existing_entry->primary()) &&
+          !flattened_additions.contains(existing_entry->primary()) &&
+          !flattened_replacements.contains(existing_entry->primary())) {
+        potential_singletons[existing_entry->primary()].insert(member);
+      }
+    }
+  }
+
+  // Find the existing owners that have left their existing sets, and whose
+  // existing members should be removed from their set (excluding any custom
+  // sets that those members are involved in).
+  base::flat_set<SchemefulSite> replaced_existing_owners;
+  for (const auto& [site, unused_owner] : flattened_replacements) {
+    if (const auto entry = FindEntry(site, /*config=*/nullptr);
+        entry.has_value() && entry->primary() == site) {
+      // Site was an owner in the existing sets.
+      bool inserted = replaced_existing_owners.emplace(site).second;
+      DCHECK(inserted);
+    }
+  }
+
+  // Find out which potential singletons are actually singletons; delete
+  // members whose owners left; and reparent the sets that intersected with
+  // an addition set.
+  for (const auto& [member, set_entry] : entries_) {
+    // Reparent all sites in any intersecting addition sets.
+    if (auto entry = addition_intersected_owners.find(set_entry.primary());
+        entry != addition_intersected_owners.end() &&
+        !flattened_replacements.contains(member)) {
+      site_to_entry.emplace_back(
+          member, FirstPartySetEntry(entry->second.primary(),
+                                     member == entry->second.primary()
+                                         ? SiteType::kPrimary
+                                         : SiteType::kAssociated,
+                                     absl::nullopt));
+    }
+    if (member == set_entry.primary())
+      continue;
+    // Remove non-singletons from the potential list.
+    if (auto entry = potential_singletons.find(set_entry.primary());
+        entry != potential_singletons.end() &&
+        !entry->second.contains(member)) {
+      // This owner lost members, but it still has at least one (`member`),
+      // so it's not a singleton.
+      potential_singletons.erase(entry);
+    }
+    // Remove members from sets whose owner left.
+    if (replaced_existing_owners.contains(set_entry.primary()) &&
+        !flattened_replacements.contains(member) &&
+        !addition_intersected_owners.contains(set_entry.primary())) {
+      site_to_entry.emplace_back(member, absl::nullopt);
+    }
+  }
+  // Any owner remaining in `potential_singleton` is a real singleton, so delete
+  // it:
+  for (auto& [owner, members] : potential_singletons) {
+    site_to_entry.emplace_back(owner, absl::nullopt);
+  }
+
+  // For every public alias that would now refer to a site in the overlay, which
+  // is not already contained in the overlay, we explicitly ignore that alias.
+  for (const auto& [alias, site] : aliases_) {
+    if (base::Contains(site_to_entry, site, ProjectKey) &&
+        !base::Contains(site_to_entry, alias, ProjectKey)) {
+      site_to_entry.emplace_back(alias, absl::nullopt);
+    }
+  }
+
+  return FirstPartySetsContextConfig(std::move(site_to_entry));
+}
+
+std::vector<base::flat_map<SchemefulSite, FirstPartySetEntry>>
+GlobalFirstPartySets::NormalizeAdditionSets(
+    const std::vector<base::flat_map<SchemefulSite, FirstPartySetEntry>>&
+        addition_sets) const {
+  // Find all the addition sets that intersect with any given public set.
+  base::flat_map<SchemefulSite, base::flat_set<size_t>> addition_set_overlaps;
+  for (size_t set_idx = 0; set_idx < addition_sets.size(); set_idx++) {
+    for (const auto& site_and_entry : addition_sets[set_idx]) {
+      if (auto entry = FindEntry(site_and_entry.first, /*config=*/nullptr);
+          entry.has_value()) {
+        addition_set_overlaps[entry->primary()].insert(set_idx);
+      }
+    }
+  }
+
+  // Union together all transitively-overlapping addition sets.
+  AdditionOverlapsUnionFind union_finder(addition_sets.size());
+  for (auto& [public_site, addition_set_indices] : addition_set_overlaps) {
+    for (size_t representative : addition_set_indices) {
+      union_finder.Union(*addition_set_indices.begin(), representative);
+    }
+  }
+
+  // Now build the new addition sets, with all transitive overlaps eliminated.
+  std::vector<SingleSet> normalized_additions;
+  for (auto& [rep, children] : union_finder.SetsMapping()) {
+    SingleSet normalized = addition_sets[rep];
+    const SchemefulSite& rep_primary =
+        addition_sets[rep].begin()->second.primary();
+    for (size_t child_set_idx : children) {
+      for (const auto& child_site_and_entry : addition_sets[child_set_idx]) {
+        bool inserted =
+            normalized
+                .emplace(child_site_and_entry.first,
+                         FirstPartySetEntry(rep_primary, SiteType::kAssociated,
+                                            absl::nullopt))
+                .second;
+        DCHECK(inserted);
+      }
+    }
+    normalized_additions.push_back(normalized);
+  }
+  return normalized_additions;
+}
+
+bool GlobalFirstPartySets::ForEachPublicSetEntry(
+    base::FunctionRef<bool(const SchemefulSite&, const FirstPartySetEntry&)> f)
+    const {
+  for (const auto& [site, entry] : entries_) {
+    if (!f(site, entry))
+      return false;
+  }
+  for (const auto& [alias, canonical] : aliases_) {
+    auto it = entries_.find(canonical);
+    DCHECK(it != entries_.end());
+    if (!f(alias, it->second))
+      return false;
+  }
+  return true;
+}
+
+std::ostream& operator<<(std::ostream& os, const GlobalFirstPartySets& sets) {
+  os << "{entries = {";
+  for (const auto& [site, entry] : sets.entries()) {
+    os << "{" << site.Serialize() << ": " << entry << "}, ";
+  }
+  os << "}, aliases = {";
+  for (const auto& [alias, canonical] : sets.aliases()) {
+    os << "{" << alias.Serialize() << ": " << canonical.Serialize() << "}, ";
+  }
+  os << "}}";
+  return os;
+}
+
+}  // namespace net
diff --git a/chromium/net/first_party_sets/global_first_party_sets.h b/chromium/net/first_party_sets/global_first_party_sets.h
new file mode 100644
index 00000000000..e921ef92282
--- /dev/null
+++ b/chromium/net/first_party_sets/global_first_party_sets.h
@@ -0,0 +1,182 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_FIRST_PARTY_SETS_GLOBAL_FIRST_PARTY_SETS_H_
+#define NET_FIRST_PARTY_SETS_GLOBAL_FIRST_PARTY_SETS_H_
+
+#include <set>
+
+#include "base/containers/flat_map.h"
+#include "base/containers/flat_set.h"
+#include "base/functional/function_ref.h"
+#include "net/base/net_export.h"
+#include "net/base/schemeful_site.h"
+#include "net/first_party_sets/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_sets_context_config.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+
+namespace mojo {
+template <typename DataViewType, typename T>
+struct StructTraits;
+}  // namespace mojo
+namespace network::mojom {
+class GlobalFirstPartySetsDataView;
+}  // namespace network::mojom
+
+namespace net {
+
+class FirstPartySetMetadata;
+
+// This class holds all of the info associated with the First-Party Sets known
+// to this browser, after they've been parsed. This is suitable for plumbing
+// from the browser process to the network service, or for answering queries.
+// This class does not contain per-BrowserContext customizations, but supports
+// application of those customizations.
+class NET_EXPORT GlobalFirstPartySets {
+ public:
+  GlobalFirstPartySets();
+  GlobalFirstPartySets(
+      base::flat_map<SchemefulSite, FirstPartySetEntry> entries,
+      base::flat_map<SchemefulSite, SchemefulSite> aliases);
+  GlobalFirstPartySets(
+      base::flat_map<SchemefulSite, FirstPartySetEntry> entries,
+      base::flat_map<SchemefulSite, SchemefulSite> aliases,
+      FirstPartySetsContextConfig manual_config);
+
+  GlobalFirstPartySets(GlobalFirstPartySets&&);
+  GlobalFirstPartySets& operator=(GlobalFirstPartySets&&);
+
+  ~GlobalFirstPartySets();
+
+  bool operator==(const GlobalFirstPartySets& other) const;
+  bool operator!=(const GlobalFirstPartySets& other) const;
+
+  // Creates a clone of this instance.
+  GlobalFirstPartySets Clone() const;
+
+  // Returns a FirstPartySetsContextConfig suitable for passing into
+  // FindEntries, in order to respect the overrides given by `replacement_sets`
+  // and `addition_sets`.
+  //
+  // Preconditions: sets defined by `replacement_sets` and
+  // `addition_sets` must be disjoint.
+  FirstPartySetsContextConfig ComputeConfig(
+      const std::vector<base::flat_map<SchemefulSite, FirstPartySetEntry>>&
+          replacement_sets,
+      const std::vector<base::flat_map<SchemefulSite, FirstPartySetEntry>>&
+          addition_sets) const;
+
+  // Returns the entry corresponding to the given `site`, if one exists.
+  // Respects any customization/overlay specified by `config`. This is
+  // semi-agnostic to scheme: it just cares whether the scheme is secure or
+  // insecure.
+  absl::optional<FirstPartySetEntry> FindEntry(
+      const SchemefulSite& site,
+      const FirstPartySetsContextConfig& config) const;
+
+  // Batched version of `FindEntry`. Where `FindEntry` would have returned
+  // nullopt, this just omits from the result map.
+  base::flat_map<SchemefulSite, FirstPartySetEntry> FindEntries(
+      const base::flat_set<SchemefulSite>& sites,
+      const FirstPartySetsContextConfig& config) const;
+
+  // Computes the First-Party Set metadata related to the given request context.
+  FirstPartySetMetadata ComputeMetadata(
+      const SchemefulSite& site,
+      const SchemefulSite* top_frame_site,
+      const std::set<SchemefulSite>& party_context,
+      const FirstPartySetsContextConfig& fps_context_config) const;
+
+  // Modifies this instance such that it will respect the given
+  // manually-specified set. `manual_entries` should contain entries for aliases
+  // as well as "canonical" sites.
+  void ApplyManuallySpecifiedSet(
+      const base::flat_map<SchemefulSite, FirstPartySetEntry>& manual_entries);
+
+  // Synchronously iterate over all entries in the public sets (i.e. not
+  // including any manual set entries). Returns early if any of the iterations
+  // returns false. Returns false if iteration was incomplete; true if all
+  // iterations returned true. No guarantees are made re: iteration order.
+  // Aliases are included.
+  bool ForEachPublicSetEntry(
+      base::FunctionRef<bool(const SchemefulSite&, const FirstPartySetEntry&)>
+          f) const;
+
+  // Whether the global sets are empty.
+  bool empty() const { return entries_.empty() && manual_config_.empty(); }
+
+  const base::flat_map<SchemefulSite, FirstPartySetEntry>& manual_sets() const {
+    return manual_sets_;
+  }
+
+ private:
+  // mojo (de)serialization needs access to private details.
+  friend struct mojo::StructTraits<network::mojom::GlobalFirstPartySetsDataView,
+                                   GlobalFirstPartySets>;
+
+  friend NET_EXPORT std::ostream& operator<<(std::ostream& os,
+                                             const GlobalFirstPartySets& sets);
+
+  // Same as the public version of FindEntry, but is allowed to omit the
+  // `config` argument (i.e. pass nullptr instead of a reference).
+  absl::optional<FirstPartySetEntry> FindEntry(
+      const SchemefulSite& site,
+      const FirstPartySetsContextConfig* config) const;
+
+  // Preprocesses a collection of "addition" sets, such that any sets that
+  // transitively overlap (when taking the current `entries_` of this map, plus
+  // the manual config, into account) are unioned together. I.e., this ensures
+  // that at most one addition set intersects with any given global set.
+  std::vector<base::flat_map<SchemefulSite, FirstPartySetEntry>>
+  NormalizeAdditionSets(
+      const std::vector<base::flat_map<SchemefulSite, FirstPartySetEntry>>&
+          addition_sets) const;
+
+  // Returns whether `site` is same-party with `party_context`, and
+  // `top_frame_site` (if it is not nullptr). That is, is `site`'s owner the
+  // same as the owners of every member of `party_context` and of
+  // `top_frame_site`? Note: if `site` is not a member of a First-Party Set,
+  // then this returns false. If `top_frame_site` is nullptr, then it is
+  // ignored.
+  bool IsContextSamePartyWithSite(
+      const SchemefulSite& site,
+      const SchemefulSite* top_frame_site,
+      const std::set<SchemefulSite>& party_context,
+      const FirstPartySetsContextConfig& fps_context_config) const;
+
+  const base::flat_map<SchemefulSite, FirstPartySetEntry>& entries() const {
+    return entries_;
+  }
+
+  const base::flat_map<SchemefulSite, SchemefulSite>& aliases() const {
+    return aliases_;
+  }
+
+  const FirstPartySetsContextConfig& manual_config() const {
+    return manual_config_;
+  }
+
+  // Represents the mapping of site -> entry, where keys are sites within sets,
+  // and values are entries of the sets.
+  base::flat_map<SchemefulSite, FirstPartySetEntry> entries_;
+
+  // The site aliases. Used to normalize a given SchemefulSite into its
+  // canonical representative, before looking it up in `entries_`.
+  base::flat_map<SchemefulSite, SchemefulSite> aliases_;
+
+  // Stores the customizations induced by the manually-specified set. May be
+  // empty if no switch was provided.
+  FirstPartySetsContextConfig manual_config_;
+
+  // A map representing the manually-specified sets. Contains entries for
+  // aliases as well as canonical sites.
+  base::flat_map<SchemefulSite, FirstPartySetEntry> manual_sets_;
+};
+
+NET_EXPORT std::ostream& operator<<(std::ostream& os,
+                                    const GlobalFirstPartySets& sets);
+
+}  // namespace net
+
+#endif  // NET_FIRST_PARTY_SETS_GLOBAL_FIRST_PARTY_SETS_H_
diff --git a/chromium/net/first_party_sets/global_first_party_sets_unittest.cc b/chromium/net/first_party_sets/global_first_party_sets_unittest.cc
new file mode 100644
index 00000000000..6dfb4a68815
--- /dev/null
+++ b/chromium/net/first_party_sets/global_first_party_sets_unittest.cc
@@ -0,0 +1,1314 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/first_party_sets/global_first_party_sets.h"
+
+#include <set>
+#include <string>
+
+#include "base/containers/flat_map.h"
+#include "net/base/schemeful_site.h"
+#include "net/first_party_sets/first_party_set_entry.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/first_party_sets_context_config.h"
+#include "testing/gmock/include/gmock/gmock-matchers.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+#include "url/gurl.h"
+
+using ::testing::IsEmpty;
+using ::testing::Optional;
+using ::testing::Pair;
+using ::testing::UnorderedElementsAre;
+
+namespace net {
+
+const SchemefulSite kPrimary(GURL("https://primary.test"));
+const SchemefulSite kPrimary2(GURL("https://primary2.test"));
+const SchemefulSite kPrimary3(GURL("https://primary3.test"));
+const SchemefulSite kAssociated1(GURL("https://associated1.test"));
+const SchemefulSite kAssociated1Cctld(GURL("https://associated1.cctld"));
+const SchemefulSite kAssociated1Cctld2(GURL("https://associated1.cctld2"));
+const SchemefulSite kAssociated2(GURL("https://associated2.test"));
+const SchemefulSite kAssociated3(GURL("https://associated3.test"));
+const SchemefulSite kAssociated4(GURL("https://associated4.test"));
+const SchemefulSite kService(GURL("https://service.test"));
+
+class GlobalFirstPartySetsTest : public ::testing::Test {
+ public:
+  GlobalFirstPartySetsTest() = default;
+};
+
+TEST_F(GlobalFirstPartySetsTest, FindEntry_Nonexistent) {
+  SchemefulSite example(GURL("https://example.test"));
+
+  EXPECT_THAT(
+      GlobalFirstPartySets().FindEntry(example, FirstPartySetsContextConfig()),
+      absl::nullopt);
+}
+
+TEST_F(GlobalFirstPartySetsTest, FindEntry_Exists) {
+  SchemefulSite example(GURL("https://example.test"));
+  SchemefulSite decoy_site(GURL("https://decoy.test"));
+  FirstPartySetEntry entry(example, SiteType::kPrimary, absl::nullopt);
+  FirstPartySetEntry decoy_entry(example, SiteType::kAssociated, 1);
+
+  EXPECT_THAT(GlobalFirstPartySets(
+                  {
+                      {example, entry},
+                      {decoy_site, decoy_entry},
+                  },
+                  {})
+                  .FindEntry(example, FirstPartySetsContextConfig()),
+              Optional(entry));
+}
+
+TEST_F(GlobalFirstPartySetsTest, FindEntry_ExistsWhenNormalized) {
+  SchemefulSite https_example(GURL("https://example.test"));
+  SchemefulSite wss_example(GURL("wss://example.test"));
+  FirstPartySetEntry entry(https_example, SiteType::kPrimary, absl::nullopt);
+
+  EXPECT_THAT(GlobalFirstPartySets(
+                  {
+                      {https_example, entry},
+                  },
+                  {})
+                  .FindEntry(wss_example, FirstPartySetsContextConfig()),
+              Optional(entry));
+}
+
+TEST_F(GlobalFirstPartySetsTest, FindEntry_ExistsViaOverride) {
+  SchemefulSite example(GURL("https://example.test"));
+  FirstPartySetEntry public_entry(example, SiteType::kPrimary, absl::nullopt);
+  FirstPartySetEntry override_entry(example, SiteType::kAssociated, 1);
+
+  FirstPartySetsContextConfig config({{example, override_entry}});
+
+  EXPECT_THAT(GlobalFirstPartySets(
+                  {
+                      {example, public_entry},
+                  },
+                  {})
+                  .FindEntry(example, config),
+              Optional(override_entry));
+}
+
+TEST_F(GlobalFirstPartySetsTest, FindEntry_RemovedViaOverride) {
+  SchemefulSite example(GURL("https://example.test"));
+  FirstPartySetEntry public_entry(example, SiteType::kPrimary, absl::nullopt);
+
+  FirstPartySetsContextConfig config({{example, absl::nullopt}});
+
+  EXPECT_THAT(GlobalFirstPartySets(
+                  {
+                      {example, public_entry},
+                  },
+                  {})
+                  .FindEntry(example, config),
+              absl::nullopt);
+}
+
+TEST_F(GlobalFirstPartySetsTest, FindEntry_ExistsViaAlias) {
+  SchemefulSite example(GURL("https://example.test"));
+  SchemefulSite example_cctld(GURL("https://example.cctld"));
+  FirstPartySetEntry entry(example, SiteType::kPrimary, absl::nullopt);
+
+  EXPECT_THAT(GlobalFirstPartySets(
+                  {
+                      {example, entry},
+                  },
+                  {{example_cctld, example}})
+                  .FindEntry(example_cctld, FirstPartySetsContextConfig()),
+              Optional(entry));
+}
+
+TEST_F(GlobalFirstPartySetsTest, FindEntry_ExistsViaOverrideWithDecoyAlias) {
+  SchemefulSite example(GURL("https://example.test"));
+  SchemefulSite example_cctld(GURL("https://example.cctld"));
+  FirstPartySetEntry public_entry(example, SiteType::kPrimary, absl::nullopt);
+  FirstPartySetEntry override_entry(example, SiteType::kAssociated, 1);
+
+  FirstPartySetsContextConfig config({{example_cctld, override_entry}});
+
+  EXPECT_THAT(GlobalFirstPartySets(
+                  {
+                      {example, public_entry},
+                  },
+                  {{example_cctld, example}})
+                  .FindEntry(example_cctld, config),
+              Optional(override_entry));
+}
+
+TEST_F(GlobalFirstPartySetsTest, FindEntry_RemovedViaOverrideWithDecoyAlias) {
+  SchemefulSite example(GURL("https://example.test"));
+  SchemefulSite example_cctld(GURL("https://example.cctld"));
+  FirstPartySetEntry public_entry(example, SiteType::kPrimary, absl::nullopt);
+
+  FirstPartySetsContextConfig config({{example_cctld, absl::nullopt}});
+
+  EXPECT_THAT(GlobalFirstPartySets(
+                  {
+                      {example, public_entry},
+                  },
+                  {{example_cctld, example}})
+                  .FindEntry(example_cctld, config),
+              absl::nullopt);
+}
+
+TEST_F(GlobalFirstPartySetsTest, FindEntry_AliasesIgnoredForConfig) {
+  SchemefulSite example(GURL("https://example.test"));
+  SchemefulSite example_cctld(GURL("https://example.cctld"));
+  FirstPartySetEntry public_entry(example, SiteType::kPrimary, absl::nullopt);
+  FirstPartySetEntry override_entry(example, SiteType::kAssociated, 1);
+
+  FirstPartySetsContextConfig config({{example, override_entry}});
+
+  // FindEntry should ignore aliases when using the customizations. Public
+  // aliases only apply to sites in the public sets.
+  EXPECT_THAT(GlobalFirstPartySets(
+                  {
+                      {example, public_entry},
+                  },
+                  {{example_cctld, example}})
+                  .FindEntry(example_cctld, config),
+              public_entry);
+}
+
+TEST_F(GlobalFirstPartySetsTest, Empty_Empty) {
+  EXPECT_TRUE(GlobalFirstPartySets().empty());
+}
+
+TEST_F(GlobalFirstPartySetsTest, Empty_NonemptyEntries) {
+  EXPECT_FALSE(
+      GlobalFirstPartySets(
+          {
+              {kPrimary,
+               FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+              {kAssociated4,
+               FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+          },
+          {})
+          .empty());
+}
+
+TEST_F(GlobalFirstPartySetsTest, Empty_NonemptyManualSet) {
+  GlobalFirstPartySets sets;
+  sets.ApplyManuallySpecifiedSet({
+      {kPrimary,
+       FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+      {kAssociated4, FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+  });
+  EXPECT_FALSE(sets.empty());
+}
+
+class PopulatedGlobalFirstPartySetsTest : public GlobalFirstPartySetsTest {
+ public:
+  PopulatedGlobalFirstPartySetsTest()
+      : global_sets_(
+            {
+                {kPrimary, FirstPartySetEntry(kPrimary,
+                                              SiteType::kPrimary,
+                                              absl::nullopt)},
+                {kAssociated1,
+                 FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+                {kAssociated2,
+                 FirstPartySetEntry(kPrimary, SiteType::kAssociated, 1)},
+                {kService, FirstPartySetEntry(kPrimary,
+                                              SiteType::kService,
+                                              absl::nullopt)},
+                {kPrimary2, FirstPartySetEntry(kPrimary2,
+                                               SiteType::kPrimary,
+                                               absl::nullopt)},
+                {kAssociated3,
+                 FirstPartySetEntry(kPrimary2, SiteType::kAssociated, 0)},
+            },
+            {
+                {kAssociated1Cctld, kAssociated1},
+            }) {}
+
+  GlobalFirstPartySets& global_sets() { return global_sets_; }
+
+ private:
+  GlobalFirstPartySets global_sets_;
+};
+
+TEST_F(PopulatedGlobalFirstPartySetsTest,
+       ApplyManuallySpecifiedSet_DeduplicatesPrimaryPrimary) {
+  // kPrimary overlaps as primary of both sets, so the existing set should be
+  // wiped out.
+  global_sets().ApplyManuallySpecifiedSet({
+      {kPrimary,
+       FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+      {kAssociated4, FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+  });
+
+  EXPECT_THAT(
+      global_sets().FindEntries(
+          {
+              kPrimary,
+              kAssociated1,
+              kAssociated2,
+              kAssociated4,
+              kService,
+              kAssociated1Cctld,
+          },
+          FirstPartySetsContextConfig()),
+      UnorderedElementsAre(
+          Pair(kPrimary,
+               FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)),
+          Pair(kAssociated4,
+               FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0))));
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest,
+       ApplyManuallySpecifiedSet_DeduplicatesPrimaryNonprimary) {
+  // kPrimary overlaps as a primary of the public set and non-primary of the CLI
+  // set, so the existing set should be wiped out.
+  global_sets().ApplyManuallySpecifiedSet({
+      {kPrimary3,
+       FirstPartySetEntry(kPrimary3, SiteType::kPrimary, absl::nullopt)},
+      {kPrimary, FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0)},
+  });
+
+  EXPECT_THAT(
+      global_sets().FindEntries(
+          {
+              kPrimary,
+              kAssociated1,
+              kAssociated2,
+              kAssociated4,
+              kService,
+              kPrimary3,
+              kAssociated1Cctld,
+          },
+          FirstPartySetsContextConfig()),
+      UnorderedElementsAre(
+          Pair(kPrimary3, FirstPartySetEntry(kPrimary3, SiteType::kPrimary,
+                                             absl::nullopt)),
+          Pair(kPrimary,
+               FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0))));
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest,
+       ApplyManuallySpecifiedSet_DeduplicatesNonprimaryPrimary) {
+  // kAssociated1 overlaps as a non-primary of the public set and primary of the
+  // CLI set, so the CLI set should steal it and wipe out its alias, but
+  // otherwise leave the set intact.
+  global_sets().ApplyManuallySpecifiedSet({
+      {kAssociated1,
+       FirstPartySetEntry(kAssociated1, SiteType::kPrimary, absl::nullopt)},
+      {kAssociated4,
+       FirstPartySetEntry(kAssociated1, SiteType::kAssociated, 0)},
+  });
+
+  EXPECT_THAT(
+      global_sets().FindEntries(
+          {
+              kPrimary,
+              kAssociated1,
+              kAssociated2,
+              kAssociated4,
+              kService,
+              kPrimary3,
+              kAssociated1Cctld,
+          },
+          FirstPartySetsContextConfig()),
+      UnorderedElementsAre(
+          Pair(kPrimary,
+               FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)),
+          Pair(kAssociated2,
+               FirstPartySetEntry(kPrimary, SiteType::kAssociated, 1)),
+          Pair(kService,
+               FirstPartySetEntry(kPrimary, SiteType::kService, absl::nullopt)),
+          Pair(kAssociated1,
+               FirstPartySetEntry(kAssociated1, SiteType::kPrimary,
+                                  absl::nullopt)),
+          Pair(kAssociated4,
+               FirstPartySetEntry(kAssociated1, SiteType::kAssociated, 0))));
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest,
+       ApplyManuallySpecifiedSet_DeduplicatesNonprimaryNonprimary) {
+  // kAssociated1 overlaps as a non-primary of the public set and non-primary of
+  // the CLI set, so the CLI set should steal it and wipe out its alias.
+  global_sets().ApplyManuallySpecifiedSet({
+      {kPrimary3,
+       FirstPartySetEntry(kPrimary3, SiteType::kPrimary, absl::nullopt)},
+      {kAssociated1, FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0)},
+  });
+
+  EXPECT_THAT(
+      global_sets().FindEntries(
+          {
+              kPrimary,
+              kAssociated1,
+              kAssociated2,
+              kAssociated4,
+              kService,
+              kPrimary3,
+              kAssociated1Cctld,
+          },
+          FirstPartySetsContextConfig()),
+      UnorderedElementsAre(
+          Pair(kPrimary,
+               FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)),
+          Pair(kAssociated2,
+               FirstPartySetEntry(kPrimary, SiteType::kAssociated, 1)),
+          Pair(kService,
+               FirstPartySetEntry(kPrimary, SiteType::kService, absl::nullopt)),
+          Pair(kPrimary3, FirstPartySetEntry(kPrimary3, SiteType::kPrimary,
+                                             absl::nullopt)),
+          Pair(kAssociated1,
+               FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0))));
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest,
+       ApplyManuallySpecifiedSet_PrunesInducedSingletons) {
+  // Steal kAssociated3, so that kPrimary2 becomes a singleton, and verify that
+  // kPrimary2 is no longer considered in a set.
+  global_sets().ApplyManuallySpecifiedSet({
+      {kPrimary3,
+       FirstPartySetEntry(kPrimary3, SiteType::kPrimary, absl::nullopt)},
+      {kAssociated3, FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0)},
+  });
+
+  EXPECT_THAT(
+      global_sets().FindEntries({kPrimary2}, FirstPartySetsContextConfig()),
+      IsEmpty());
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest,
+       ApplyManuallySpecifiedSet_RespectsManualAlias) {
+  // Both the public sets and the locally-defined set define an alias for
+  // kAssociated1, but both define a different set for that site too.  Only the
+  // locally-defined alias should be observable.
+  global_sets().ApplyManuallySpecifiedSet({
+      {kPrimary3,
+       FirstPartySetEntry(kPrimary3, SiteType::kPrimary, absl::nullopt)},
+      {kAssociated1, FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0)},
+      {kAssociated1Cctld2,
+       FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0)},
+  });
+
+  EXPECT_THAT(
+      global_sets().FindEntries(
+          {
+              kAssociated1,
+              kAssociated1Cctld,
+              kAssociated1Cctld2,
+          },
+          FirstPartySetsContextConfig()),
+      UnorderedElementsAre(
+          Pair(kAssociated1,
+               FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0)),
+          Pair(kAssociated1Cctld2,
+               FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0))));
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest, ForEachPublicSetEntry_FullIteration) {
+  int count = 0;
+  EXPECT_TRUE(global_sets().ForEachPublicSetEntry(
+      [&](const SchemefulSite& site, const FirstPartySetEntry& entry) {
+        ++count;
+        return true;
+      }));
+  EXPECT_EQ(count, 7);
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest, ForEachPublicSetEntry_EarlyReturn) {
+  int count = 0;
+  EXPECT_FALSE(global_sets().ForEachPublicSetEntry(
+      [&](const SchemefulSite& site, const FirstPartySetEntry& entry) {
+        ++count;
+        return count < 4;
+      }));
+  EXPECT_EQ(count, 4);
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest, ComputeMetadata_EmptyContext) {
+  SchemefulSite nonmember(GURL("https://nonmember.test"));
+
+  for (const SchemefulSite* top_frame :
+       std::initializer_list<const SchemefulSite*>{&kPrimary, nullptr}) {
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(nonmember, top_frame, {},
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kCrossParty);
+
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(kPrimary, top_frame, {},
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kSameParty);
+
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(SchemefulSite(GURL("http://primary.test")),
+                                   top_frame, {}, FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kCrossParty);
+  }
+
+  EXPECT_EQ(global_sets()
+                .ComputeMetadata(kPrimary, &nonmember, {},
+                                 FirstPartySetsContextConfig())
+                .context()
+                .context_type(),
+            SamePartyContext::Type::kCrossParty);
+  EXPECT_EQ(global_sets()
+                .ComputeMetadata(nonmember, &kPrimary, {},
+                                 FirstPartySetsContextConfig())
+                .context()
+                .context_type(),
+            SamePartyContext::Type::kCrossParty);
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest, ComputeMetadata_ContextIsNonmember) {
+  SchemefulSite nonmember(GURL("https://nonmember.test"));
+  std::set<SchemefulSite> context({nonmember});
+
+  for (const SchemefulSite* top_frame :
+       std::initializer_list<const SchemefulSite*>{&kPrimary, nullptr}) {
+    for (const SchemefulSite& site : std::initializer_list<SchemefulSite>{
+             kPrimary,
+             SchemefulSite(GURL("http://primary.test")),
+             SchemefulSite(GURL("http://associated1.test")),
+             SchemefulSite(GURL("http://primary2.test")),
+             SchemefulSite(GURL("http://associated3.test")),
+             nonmember,
+         }) {
+      EXPECT_EQ(global_sets()
+                    .ComputeMetadata(site, top_frame, context,
+                                     FirstPartySetsContextConfig())
+                    .context()
+                    .context_type(),
+                SamePartyContext::Type::kCrossParty)
+          << site;
+    }
+  }
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest, ComputeMetadata_ContextIsPrimary) {
+  std::set<SchemefulSite> context({kPrimary});
+
+  for (const SchemefulSite* top_frame :
+       std::initializer_list<const SchemefulSite*>{&kPrimary, nullptr}) {
+    for (const SchemefulSite& site : std::initializer_list<SchemefulSite>{
+             SchemefulSite(GURL("http://primary.test")),
+             kPrimary2,
+             kAssociated3,
+             SchemefulSite(GURL("https://nonmember.test")),
+         }) {
+      EXPECT_EQ(global_sets()
+                    .ComputeMetadata(site, top_frame, context,
+                                     FirstPartySetsContextConfig())
+                    .context()
+                    .context_type(),
+                SamePartyContext::Type::kCrossParty)
+          << site;
+    }
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(kPrimary, top_frame, context,
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kSameParty);
+
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(kAssociated1, top_frame, context,
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kSameParty);
+  }
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest, ComputeMetadata_ContextIsNonprimary) {
+  std::set<SchemefulSite> context({kAssociated1});
+
+  for (const SchemefulSite* top_frame :
+       std::initializer_list<const SchemefulSite*>{&kPrimary, nullptr}) {
+    for (const SchemefulSite& site : std::initializer_list<SchemefulSite>{
+             SchemefulSite(GURL("http://primary.test")),
+             kPrimary2,
+             kAssociated3,
+             SchemefulSite(GURL("https://nonmember.test")),
+         }) {
+      EXPECT_EQ(global_sets()
+                    .ComputeMetadata(site, top_frame, context,
+                                     FirstPartySetsContextConfig())
+                    .context()
+                    .context_type(),
+                SamePartyContext::Type::kCrossParty)
+          << site;
+    }
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(kPrimary, top_frame, context,
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kSameParty);
+
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(kPrimary, top_frame, context,
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kSameParty);
+
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(kAssociated1, top_frame, context,
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kSameParty);
+  }
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest,
+       ComputeMetadata_ContextIsPrimaryAndNonprimary) {
+  std::set<SchemefulSite> context({kPrimary, kAssociated1});
+
+  for (const SchemefulSite* top_frame :
+       std::initializer_list<const SchemefulSite*>{&kPrimary, nullptr}) {
+    for (const SchemefulSite& site : std::initializer_list<SchemefulSite>{
+             SchemefulSite(GURL("http://primary.test")),
+             kPrimary2,
+             kAssociated3,
+             SchemefulSite(GURL("https://nonmember.test")),
+         }) {
+      EXPECT_EQ(global_sets()
+                    .ComputeMetadata(site, top_frame, context,
+                                     FirstPartySetsContextConfig())
+                    .context()
+                    .context_type(),
+                SamePartyContext::Type::kCrossParty)
+          << site;
+    }
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(kPrimary, top_frame, context,
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kSameParty);
+
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(kAssociated1, top_frame, context,
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kSameParty);
+
+    EXPECT_EQ(global_sets()
+                  .ComputeMetadata(kAssociated2, top_frame, context,
+                                   FirstPartySetsContextConfig())
+                  .context()
+                  .context_type(),
+              SamePartyContext::Type::kSameParty);
+  }
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest, ComputeMetadata_ContextMixesParties) {
+  std::set<SchemefulSite> context({kPrimary, kAssociated1, kPrimary2});
+
+  for (const SchemefulSite* top_frame :
+       std::initializer_list<const SchemefulSite*>{&kPrimary, nullptr}) {
+    for (const SchemefulSite& site : std::initializer_list<SchemefulSite>{
+             kPrimary,
+             SchemefulSite(GURL("http://primary.test")),
+             kAssociated1,
+             kPrimary2,
+             kAssociated3,
+             SchemefulSite(GURL("https://nonmember.test")),
+         }) {
+      EXPECT_EQ(global_sets()
+                    .ComputeMetadata(site, top_frame, context,
+                                     FirstPartySetsContextConfig())
+                    .context()
+                    .context_type(),
+                SamePartyContext::Type::kCrossParty)
+          << site;
+    }
+  }
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest,
+       ComputeMetadata_ContextMixesMembersAndNonmembers) {
+  std::set<SchemefulSite> context({
+      kPrimary,
+      kAssociated1,
+      SchemefulSite(GURL("http://nonmember.test")),
+  });
+
+  for (const SchemefulSite* top_frame :
+       std::initializer_list<const SchemefulSite*>{&kPrimary, nullptr}) {
+    for (const SchemefulSite& site : std::initializer_list<SchemefulSite>{
+             kPrimary,
+             SchemefulSite(GURL("http://primary.test")),
+             kAssociated1,
+             kPrimary2,
+             kAssociated3,
+             SchemefulSite(GURL("https://nonmember.test")),
+         }) {
+      EXPECT_EQ(global_sets()
+                    .ComputeMetadata(site, top_frame, context,
+                                     FirstPartySetsContextConfig())
+                    .context()
+                    .context_type(),
+                SamePartyContext::Type::kCrossParty)
+          << site;
+    }
+  }
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest, ComputeMetadata_ContextMixesSchemes) {
+  SchemefulSite primary_http(GURL("http://primary.test"));
+  std::set<SchemefulSite> context({kPrimary, kAssociated1, primary_http});
+
+  for (const SchemefulSite* top_frame :
+       std::initializer_list<const SchemefulSite*>{&kPrimary, nullptr}) {
+    for (const SchemefulSite& site : std::initializer_list<SchemefulSite>{
+             kPrimary,
+             primary_http,
+             kAssociated1,
+             kPrimary2,
+             kAssociated3,
+             SchemefulSite(GURL("https://nonmember.test")),
+         }) {
+      EXPECT_EQ(global_sets()
+                    .ComputeMetadata(site, top_frame, context,
+                                     FirstPartySetsContextConfig())
+                    .context()
+                    .context_type(),
+                SamePartyContext::Type::kCrossParty)
+          << site;
+    }
+  }
+}
+
+TEST_F(PopulatedGlobalFirstPartySetsTest, ComputeMetadata) {
+  SchemefulSite nonmember(GURL("https://nonmember.test"));
+  SchemefulSite nonmember1(GURL("https://nonmember1.test"));
+  SchemefulSite wss_associated1(GURL("wss://associated1.test"));
+  SchemefulSite wss_nonmember(GURL("wss://nonmember.test"));
+  FirstPartySetEntry primary_entry(kPrimary, SiteType::kPrimary, absl::nullopt);
+  FirstPartySetEntry associated_entry(kPrimary, SiteType::kAssociated, 0);
+
+  // Works as usual for sites that are in First-Party sets.
+  EXPECT_EQ(
+      global_sets().ComputeMetadata(kAssociated1, &kAssociated1, {kAssociated1},
+                                    FirstPartySetsContextConfig()),
+      FirstPartySetMetadata(
+          SamePartyContext(SamePartyContext::Type::kSameParty),
+          &associated_entry, &associated_entry));
+  EXPECT_EQ(
+      global_sets().ComputeMetadata(kPrimary, &kAssociated1, {kAssociated1},
+                                    FirstPartySetsContextConfig()),
+      FirstPartySetMetadata(
+          SamePartyContext(SamePartyContext::Type::kSameParty), &primary_entry,
+          &associated_entry));
+  EXPECT_EQ(
+      global_sets().ComputeMetadata(kAssociated1, &kPrimary, {kAssociated1},
+                                    FirstPartySetsContextConfig()),
+      FirstPartySetMetadata(
+          SamePartyContext(SamePartyContext::Type::kSameParty),
+          &associated_entry, &primary_entry));
+  EXPECT_EQ(
+      global_sets().ComputeMetadata(kAssociated1, &kAssociated1, {kPrimary},
+                                    FirstPartySetsContextConfig()),
+      FirstPartySetMetadata(
+          SamePartyContext(SamePartyContext::Type::kSameParty),
+          &associated_entry, &associated_entry));
+  EXPECT_EQ(global_sets().ComputeMetadata(kAssociated1, &kAssociated1,
+                                          {kAssociated1, kPrimary},
+                                          FirstPartySetsContextConfig()),
+            FirstPartySetMetadata(
+                SamePartyContext(SamePartyContext::Type::kSameParty),
+                &associated_entry, &associated_entry));
+
+  // Works if the site is provided with WSS scheme instead of HTTPS.
+  EXPECT_EQ(global_sets().ComputeMetadata(wss_associated1, &kAssociated1,
+                                          {kAssociated1, kPrimary},
+                                          FirstPartySetsContextConfig()),
+            FirstPartySetMetadata(
+                SamePartyContext(SamePartyContext::Type::kSameParty),
+                &associated_entry, &associated_entry));
+
+  EXPECT_EQ(
+      global_sets().ComputeMetadata(nonmember, &kAssociated1, {kAssociated1},
+                                    FirstPartySetsContextConfig()),
+      FirstPartySetMetadata(
+          SamePartyContext(SamePartyContext::Type::kCrossParty), nullptr,
+          &associated_entry));
+  EXPECT_EQ(
+      global_sets().ComputeMetadata(kAssociated1, &nonmember, {kAssociated1},
+                                    FirstPartySetsContextConfig()),
+      FirstPartySetMetadata(
+          SamePartyContext(SamePartyContext::Type::kCrossParty),
+          &associated_entry, nullptr));
+  EXPECT_EQ(global_sets().ComputeMetadata(wss_nonmember, &wss_associated1,
+                                          {kAssociated1, kPrimary},
+                                          FirstPartySetsContextConfig()),
+            FirstPartySetMetadata(
+                SamePartyContext(SamePartyContext::Type::kCrossParty), nullptr,
+                &associated_entry));
+
+  EXPECT_EQ(global_sets().ComputeMetadata(nonmember, &nonmember, {nonmember},
+                                          FirstPartySetsContextConfig()),
+            FirstPartySetMetadata(
+                SamePartyContext(SamePartyContext::Type::kCrossParty), nullptr,
+                nullptr));
+
+  EXPECT_EQ(global_sets().ComputeMetadata(kAssociated1, &kAssociated1,
+                                          {kAssociated1, nonmember},
+                                          FirstPartySetsContextConfig()),
+            FirstPartySetMetadata(
+                SamePartyContext(SamePartyContext::Type::kCrossParty),
+                &associated_entry, &associated_entry));
+}
+
+TEST_F(GlobalFirstPartySetsTest, ComputeConfig_Empty) {
+  EXPECT_EQ(GlobalFirstPartySets(
+                /*entries=*/
+                {
+                    {kPrimary, FirstPartySetEntry(kPrimary, SiteType::kPrimary,
+                                                  absl::nullopt)},
+                    {kAssociated1,
+                     FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+                },
+                /*aliases=*/{})
+                .ComputeConfig({}, {}),
+            FirstPartySetsContextConfig());
+}
+
+TEST_F(GlobalFirstPartySetsTest,
+       ComputeConfig_Replacements_NoIntersection_NoRemoval) {
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {kPrimary,
+           FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+          {kAssociated1,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/
+      {
+          {
+              {kPrimary2, FirstPartySetEntry(kPrimary2, SiteType::kPrimary,
+                                             absl::nullopt)},
+              {kAssociated2,
+               FirstPartySetEntry(kPrimary2, SiteType::kAssociated,
+                                  absl::nullopt)},
+          },
+      },
+      /*addition_sets=*/{});
+  EXPECT_THAT(
+      sets.FindEntries({kAssociated2, kPrimary2}, config),
+      UnorderedElementsAre(
+          Pair(kAssociated2,
+               FirstPartySetEntry(kPrimary2, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(kPrimary2, FirstPartySetEntry(kPrimary2, SiteType::kPrimary,
+                                             absl::nullopt))));
+}
+
+// The common associated site between the policy and existing set is removed
+// from its previous set.
+TEST_F(
+    GlobalFirstPartySetsTest,
+    ComputeConfig_Replacements_ReplacesExistingAssociatedSite_RemovedFromFormerSet) {
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {kPrimary,
+           FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+          {kAssociated1,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+          {kAssociated2,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 1)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/
+      {
+          {
+              {kPrimary2, FirstPartySetEntry(kPrimary2, SiteType::kPrimary,
+                                             absl::nullopt)},
+              {kAssociated2,
+               FirstPartySetEntry(kPrimary2, SiteType::kAssociated,
+                                  absl::nullopt)},
+          },
+      },
+      /*addition_sets=*/{});
+  EXPECT_THAT(
+      sets.FindEntries({kPrimary2, kAssociated2}, config),
+      UnorderedElementsAre(
+          Pair(kAssociated2,
+               FirstPartySetEntry(kPrimary2, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(kPrimary2, FirstPartySetEntry(kPrimary2, SiteType::kPrimary,
+                                             absl::nullopt))));
+}
+
+// The common primary between the policy and existing set is removed and its
+// former associated sites are removed since they are now unowned.
+TEST_F(
+    GlobalFirstPartySetsTest,
+    ComputeConfig_Replacements_ReplacesExistingPrimary_RemovesFormerAssociatedSites) {
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {kPrimary,
+           FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+          {kAssociated1,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+          {kAssociated2,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 1)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/
+      {
+          {
+              {kPrimary,
+               FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+              {kAssociated3, FirstPartySetEntry(kPrimary, SiteType::kAssociated,
+                                                absl::nullopt)},
+          },
+      },
+      /*addition_sets=*/{});
+  EXPECT_THAT(
+      sets.FindEntries({kAssociated3, kPrimary, kAssociated1, kAssociated2},
+                       config),
+      UnorderedElementsAre(
+          Pair(kAssociated3, FirstPartySetEntry(kPrimary, SiteType::kAssociated,
+                                                absl::nullopt)),
+          Pair(kPrimary, FirstPartySetEntry(kPrimary, SiteType::kPrimary,
+                                            absl::nullopt))));
+}
+
+// The common associated site between the policy and existing set is removed and
+// any leftover singletons are deleted.
+TEST_F(
+    GlobalFirstPartySetsTest,
+    ComputeConfig_Replacements_ReplacesExistingAssociatedSite_RemovesSingletons) {
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {kPrimary,
+           FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+          {kAssociated1,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/
+      {
+          {
+              {kPrimary3, FirstPartySetEntry(kPrimary3, SiteType::kPrimary,
+                                             absl::nullopt)},
+              {kAssociated1,
+               FirstPartySetEntry(kPrimary3, SiteType::kAssociated,
+                                  absl::nullopt)},
+          },
+      },
+      /*addition_sets=*/{});
+  EXPECT_THAT(
+      sets.FindEntries({kAssociated1, kPrimary3, kPrimary}, config),
+      UnorderedElementsAre(
+          Pair(kAssociated1,
+               FirstPartySetEntry(kPrimary3, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(kPrimary3, FirstPartySetEntry(kPrimary3, SiteType::kPrimary,
+                                             absl::nullopt))));
+}
+
+// The policy set and the existing set have nothing in common so the policy set
+// gets added in without updating the existing set.
+TEST_F(GlobalFirstPartySetsTest,
+       ComputeConfig_Additions_NoIntersection_AddsWithoutUpdating) {
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {kPrimary,
+           FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+          {kAssociated1,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/{},
+      /*addition_sets=*/{
+          {
+              {kPrimary2, FirstPartySetEntry(kPrimary2, SiteType::kPrimary,
+                                             absl::nullopt)},
+              {kAssociated2,
+               FirstPartySetEntry(kPrimary2, SiteType::kAssociated,
+                                  absl::nullopt)},
+          },
+      });
+  EXPECT_THAT(
+      sets.FindEntries({kAssociated2, kPrimary2}, config),
+      UnorderedElementsAre(
+          Pair(kAssociated2,
+               FirstPartySetEntry(kPrimary2, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(kPrimary2, FirstPartySetEntry(kPrimary2, SiteType::kPrimary,
+                                             absl::nullopt))));
+}
+
+// The primary of a policy set is also an associated site in an existing set.
+// The policy set absorbs all sites in the existing set into its
+// associated sites.
+TEST_F(
+    GlobalFirstPartySetsTest,
+    ComputeConfig_Additions_PolicyPrimaryIsExistingAssociatedSite_PolicySetAbsorbsExistingSet) {
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {kPrimary,
+           FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+          {kAssociated1,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/{},
+      /*addition_sets=*/{
+          {
+              {kAssociated1,
+               FirstPartySetEntry(kAssociated1, SiteType::kPrimary,
+                                  absl::nullopt)},
+              {kAssociated2,
+               FirstPartySetEntry(kAssociated1, SiteType::kAssociated,
+                                  absl::nullopt)},
+              {kAssociated3,
+               FirstPartySetEntry(kAssociated1, SiteType::kAssociated,
+                                  absl::nullopt)},
+          },
+      });
+  EXPECT_THAT(
+      sets.FindEntries({kPrimary, kAssociated2, kAssociated3, kAssociated1},
+                       config),
+      UnorderedElementsAre(
+          Pair(kPrimary, FirstPartySetEntry(kAssociated1, SiteType::kAssociated,
+                                            absl::nullopt)),
+          Pair(kAssociated2,
+               FirstPartySetEntry(kAssociated1, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(kAssociated3,
+               FirstPartySetEntry(kAssociated1, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(kAssociated1,
+               FirstPartySetEntry(kAssociated1, SiteType::kPrimary,
+                                  absl::nullopt))));
+}
+
+// The primary of a policy set is also a primary of an existing set.
+// The policy set absorbs all of its primary's existing associated sites into
+// its associated sites.
+TEST_F(
+    GlobalFirstPartySetsTest,
+    ComputeConfig_Additions_PolicyPrimaryIsExistingPrimary_PolicySetAbsorbsExistingAssociatedSites) {
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {kPrimary,
+           FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+          {kAssociated1,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+          {kAssociated3,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 1)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/{},
+      /*addition_sets=*/{{
+          {kPrimary,
+           FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+          {kAssociated2,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, absl::nullopt)},
+      }});
+  EXPECT_THAT(
+      sets.FindEntries({kAssociated1, kAssociated2, kAssociated3, kPrimary},
+                       config),
+      UnorderedElementsAre(
+          Pair(kAssociated1, FirstPartySetEntry(kPrimary, SiteType::kAssociated,
+                                                absl::nullopt)),
+          Pair(kAssociated2, FirstPartySetEntry(kPrimary, SiteType::kAssociated,
+                                                absl::nullopt)),
+          Pair(kAssociated3, FirstPartySetEntry(kPrimary, SiteType::kAssociated,
+                                                absl::nullopt)),
+          Pair(kPrimary, FirstPartySetEntry(kPrimary, SiteType::kPrimary,
+                                            absl::nullopt))));
+}
+
+// Existing set overlaps with both replacement and addition set.
+TEST_F(
+    GlobalFirstPartySetsTest,
+    ComputeConfig_ReplacementsAndAdditions_SetListsOverlapWithSameExistingSet) {
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {kPrimary,
+           FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+          {kAssociated1,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 0)},
+          {kAssociated2,
+           FirstPartySetEntry(kPrimary, SiteType::kAssociated, 1)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/
+      {
+          {
+              {kPrimary2, FirstPartySetEntry(kPrimary2, SiteType::kPrimary,
+                                             absl::nullopt)},
+              {kAssociated1,
+               FirstPartySetEntry(kPrimary2, SiteType::kAssociated,
+                                  absl::nullopt)},
+          },
+      },
+      /*addition_sets=*/{
+          {
+              {kPrimary,
+               FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)},
+              {kAssociated3, FirstPartySetEntry(kPrimary, SiteType::kAssociated,
+                                                absl::nullopt)},
+          },
+      });
+  EXPECT_THAT(
+      sets.FindEntries(
+          {kAssociated1, kAssociated2, kAssociated3, kPrimary, kPrimary2},
+          config),
+      UnorderedElementsAre(
+          Pair(kAssociated1,
+               FirstPartySetEntry(kPrimary2, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(kAssociated2, FirstPartySetEntry(kPrimary, SiteType::kAssociated,
+                                                absl::nullopt)),
+          Pair(kAssociated3, FirstPartySetEntry(kPrimary, SiteType::kAssociated,
+                                                absl::nullopt)),
+          Pair(kPrimary,
+               FirstPartySetEntry(kPrimary, SiteType::kPrimary, absl::nullopt)),
+          Pair(kPrimary2, FirstPartySetEntry(kPrimary2, SiteType::kPrimary,
+                                             absl::nullopt))));
+}
+
+TEST_F(GlobalFirstPartySetsTest, TransitiveOverlap_TwoCommonPrimaries) {
+  SchemefulSite primary0(GURL("https://primary0.test"));
+  SchemefulSite associated_site0(GURL("https://associatedsite0.test"));
+  SchemefulSite primary1(GURL("https://primary1.test"));
+  SchemefulSite associated_site1(GURL("https://associatedsite1.test"));
+  SchemefulSite primary2(GURL("https://primary2.test"));
+  SchemefulSite associated_site2(GURL("https://associatedsite2.test"));
+  SchemefulSite primary42(GURL("https://primary42.test"));
+  SchemefulSite associated_site42(GURL("https://associatedsite42.test"));
+  // {primary1, {associated_site1}} and {primary2, {associated_site2}}
+  // transitively overlap with the existing set. primary1 takes primaryship of
+  // the normalized addition set since it was provided first. The other addition
+  // sets are unaffected.
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {primary1,
+           FirstPartySetEntry(primary1, SiteType::kPrimary, absl::nullopt)},
+          {primary2, FirstPartySetEntry(primary1, SiteType::kAssociated, 0)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/{},
+      /*addition_sets=*/{
+          {{primary0,
+            FirstPartySetEntry(primary0, SiteType::kPrimary, absl::nullopt)},
+           {associated_site0,
+            FirstPartySetEntry(primary0, SiteType::kAssociated,
+                               absl::nullopt)}},
+          {{primary1,
+            FirstPartySetEntry(primary1, SiteType::kPrimary, absl::nullopt)},
+           {associated_site1,
+            FirstPartySetEntry(primary1, SiteType::kAssociated,
+                               absl::nullopt)}},
+          {{primary2,
+            FirstPartySetEntry(primary2, SiteType::kPrimary, absl::nullopt)},
+           {associated_site2,
+            FirstPartySetEntry(primary2, SiteType::kAssociated,
+                               absl::nullopt)}},
+          {{primary42,
+            FirstPartySetEntry(primary42, SiteType::kPrimary, absl::nullopt)},
+           {associated_site42,
+            FirstPartySetEntry(primary42, SiteType::kAssociated,
+                               absl::nullopt)}},
+      });
+  EXPECT_THAT(
+      sets.FindEntries(
+          {
+              associated_site0,
+              associated_site1,
+              associated_site2,
+              associated_site42,
+              primary0,
+              primary1,
+              primary2,
+              primary42,
+          },
+          config),
+      UnorderedElementsAre(
+          Pair(associated_site0,
+               FirstPartySetEntry(primary0, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(associated_site1,
+               FirstPartySetEntry(primary1, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(associated_site2,
+               FirstPartySetEntry(primary1, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(associated_site42,
+               FirstPartySetEntry(primary42, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(primary0,
+               FirstPartySetEntry(primary0, SiteType::kPrimary, absl::nullopt)),
+          Pair(primary1,
+               FirstPartySetEntry(primary1, SiteType::kPrimary, absl::nullopt)),
+          Pair(primary2, FirstPartySetEntry(primary1, SiteType::kAssociated,
+                                            absl::nullopt)),
+          Pair(primary42, FirstPartySetEntry(primary42, SiteType::kPrimary,
+                                             absl::nullopt))));
+}
+
+TEST_F(GlobalFirstPartySetsTest, TransitiveOverlap_TwoCommonAssociatedSites) {
+  SchemefulSite primary0(GURL("https://primary0.test"));
+  SchemefulSite associated_site0(GURL("https://associatedsite0.test"));
+  SchemefulSite primary1(GURL("https://primary1.test"));
+  SchemefulSite associated_site1(GURL("https://associatedsite1.test"));
+  SchemefulSite primary2(GURL("https://primary2.test"));
+  SchemefulSite associated_site2(GURL("https://associatedsite2.test"));
+  SchemefulSite primary42(GURL("https://primary42.test"));
+  SchemefulSite associated_site42(GURL("https://associatedsite42.test"));
+  // {primary1, {associated_site1}} and {primary2, {associated_site2}}
+  // transitively overlap with the existing set. primary2 takes primaryship of
+  // the normalized addition set since it was provided first. The other addition
+  // sets are unaffected.
+  GlobalFirstPartySets sets(
+      /*entries=*/
+      {
+          {primary2,
+           FirstPartySetEntry(primary2, SiteType::kPrimary, absl::nullopt)},
+          {primary1, FirstPartySetEntry(primary2, SiteType::kAssociated, 0)},
+      },
+      /*aliases=*/{});
+  FirstPartySetsContextConfig config = sets.ComputeConfig(
+      /*replacement_sets=*/{},
+      /*addition_sets=*/{
+          {{primary0,
+            FirstPartySetEntry(primary0, SiteType::kPrimary, absl::nullopt)},
+           {associated_site0,
+            FirstPartySetEntry(primary0, SiteType::kAssociated,
+                               absl::nullopt)}},
+          {{primary2,
+            FirstPartySetEntry(primary2, SiteType::kPrimary, absl::nullopt)},
+           {associated_site2,
+            FirstPartySetEntry(primary2, SiteType::kAssociated,
+                               absl::nullopt)}},
+          {{primary1,
+            FirstPartySetEntry(primary1, SiteType::kPrimary, absl::nullopt)},
+           {associated_site1,
+            FirstPartySetEntry(primary1, SiteType::kAssociated,
+                               absl::nullopt)}},
+          {{primary42,
+            FirstPartySetEntry(primary42, SiteType::kPrimary, absl::nullopt)},
+           {associated_site42,
+            FirstPartySetEntry(primary42, SiteType::kAssociated,
+                               absl::nullopt)}},
+      });
+  EXPECT_THAT(
+      sets.FindEntries(
+          {
+              associated_site0,
+              associated_site1,
+              associated_site2,
+              associated_site42,
+              primary0,
+              primary1,
+              primary2,
+              primary42,
+          },
+          config),
+      UnorderedElementsAre(
+          Pair(associated_site0,
+               FirstPartySetEntry(primary0, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(associated_site1,
+               FirstPartySetEntry(primary2, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(associated_site2,
+               FirstPartySetEntry(primary2, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(associated_site42,
+               FirstPartySetEntry(primary42, SiteType::kAssociated,
+                                  absl::nullopt)),
+          Pair(primary0,
+               FirstPartySetEntry(primary0, SiteType::kPrimary, absl::nullopt)),
+          Pair(primary1, FirstPartySetEntry(primary2, SiteType::kAssociated,
+                                            absl::nullopt)),
+          Pair(primary2,
+               FirstPartySetEntry(primary2, SiteType::kPrimary, absl::nullopt)),
+          Pair(primary42, FirstPartySetEntry(primary42, SiteType::kPrimary,
+                                             absl::nullopt))));
+}
+
+class GlobalFirstPartySetsWithConfigTest
+    : public PopulatedGlobalFirstPartySetsTest {
+ public:
+  GlobalFirstPartySetsWithConfigTest()
+      : config_({
+            // New entry:
+            {kPrimary3,
+             {FirstPartySetEntry(kPrimary3,
+                                 SiteType::kPrimary,
+                                 absl::nullopt)}},
+            // Removed entry:
+            {kAssociated1, absl::nullopt},
+            // Remapped entry:
+            {kAssociated3,
+             {FirstPartySetEntry(kPrimary3, SiteType::kAssociated, 0)}},
+            // Removed alias:
+            {kAssociated1Cctld, absl::nullopt},
+        }) {}
+
+  FirstPartySetsContextConfig& config() { return config_; }
+
+ private:
+  FirstPartySetsContextConfig config_;
+};
+
+TEST_F(GlobalFirstPartySetsWithConfigTest, ComputeMetadata) {
+  FirstPartySetEntry example_primary_entry(kPrimary, SiteType::kPrimary,
+                                           absl::nullopt);
+  FirstPartySetEntry foo_primary_entry(kPrimary3, SiteType::kPrimary,
+                                       absl::nullopt);
+  FirstPartySetEntry foo_associated_entry(kPrimary3, SiteType::kAssociated, 0);
+
+  // kAssociated1 has been removed from its set.
+  EXPECT_EQ(
+      global_sets().ComputeMetadata(kAssociated1, &kPrimary, {}, config()),
+      FirstPartySetMetadata(
+          SamePartyContext(SamePartyContext::Type::kCrossParty), nullptr,
+          &example_primary_entry));
+
+  // kAssociated3 and kPrimary3 are sites in a new set.
+  EXPECT_EQ(
+      global_sets().ComputeMetadata(kAssociated3, &kPrimary3, {}, config()),
+      FirstPartySetMetadata(
+          SamePartyContext(SamePartyContext::Type::kSameParty),
+          &foo_associated_entry, &foo_primary_entry));
+}
+
+}  // namespace net
diff --git a/chromium/net/cookies/same_party_context.cc b/chromium/net/first_party_sets/same_party_context.cc
index 1e97738b649..afa9ddf645c 100644
--- a/chromium/net/cookies/same_party_context.cc
+++ b/chromium/net/first_party_sets/same_party_context.cc
@@ -1,8 +1,8 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/cookies/same_party_context.h"
+#include "net/first_party_sets/same_party_context.h"
 
 #include <ostream>
 
diff --git a/chromium/net/cookies/same_party_context.h b/chromium/net/first_party_sets/same_party_context.h
index 7235492281c..448f000d8ab 100644
--- a/chromium/net/cookies/same_party_context.h
+++ b/chromium/net/first_party_sets/same_party_context.h
@@ -1,9 +1,9 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_COOKIES_SAME_PARTY_CONTEXT_H_
-#define NET_COOKIES_SAME_PARTY_CONTEXT_H_
+#ifndef NET_FIRST_PARTY_SETS_SAME_PARTY_CONTEXT_H_
+#define NET_FIRST_PARTY_SETS_SAME_PARTY_CONTEXT_H_
 
 #include <ostream>
 
@@ -48,4 +48,4 @@ NET_EXPORT std::ostream& operator<<(std::ostream& os,
 
 }  // namespace net
 
-#endif  // NET_COOKIES_SAME_PARTY_CONTEXT_H_
+#endif  // NET_FIRST_PARTY_SETS_SAME_PARTY_CONTEXT_H_
diff --git a/chromium/net/http/BUILD.gn b/chromium/net/http/BUILD.gn
index 3bdcf9d6b94..e4685afe9a7 100644
--- a/chromium/net/http/BUILD.gn
+++ b/chromium/net/http/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/http/alternate_protocol_usage.h b/chromium/net/http/alternate_protocol_usage.h
new file mode 100644
index 00000000000..849ce821349
--- /dev/null
+++ b/chromium/net/http/alternate_protocol_usage.h
@@ -0,0 +1,39 @@
+// Copyright (c) 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_HTTP_ALTERNATE_PROTOCOL_USAGE_H_
+#define NET_HTTP_ALTERNATE_PROTOCOL_USAGE_H_
+
+namespace net {
+
+// The reason why Chrome uses a specific transport protocol for HTTP semantics.
+enum AlternateProtocolUsage {
+  // Alternate Protocol was used without racing a normal connection.
+  ALTERNATE_PROTOCOL_USAGE_NO_RACE = 0,
+  // Alternate Protocol was used by winning a race with a normal connection.
+  ALTERNATE_PROTOCOL_USAGE_WON_RACE = 1,
+  // Alternate Protocol was not used by losing a race with a normal connection.
+  ALTERNATE_PROTOCOL_USAGE_MAIN_JOB_WON_RACE = 2,
+  // Alternate Protocol was not used because no Alternate-Protocol information
+  // was available when the request was issued, but an Alternate-Protocol header
+  // was present in the response.
+  ALTERNATE_PROTOCOL_USAGE_MAPPING_MISSING = 3,
+  // Alternate Protocol was not used because it was marked broken.
+  ALTERNATE_PROTOCOL_USAGE_BROKEN = 4,
+  // HTTPS DNS protocol upgrade job was used without racing with a normal
+  // connection and an Alternate Protocol job.
+  ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_WITHOUT_RACE = 5,
+  // HTTPS DNS protocol upgrade job won a race with a normal connection and
+  // an Alternate Protocol job.
+  ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_RACE = 6,
+  // This value is used when the reason is unknown and also used as the default
+  // value.
+  ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON = 7,
+  // Maximum value for the enum.
+  ALTERNATE_PROTOCOL_USAGE_MAX,
+};
+
+}  // namespace net
+
+#endif  // NET_HTTP_ALTERNATE_PROTOCOL_USAGE_H_
diff --git a/chromium/net/http/alternative_service.cc b/chromium/net/http/alternative_service.cc
index f713303c2af..b00f65b91c7 100644
--- a/chromium/net/http/alternative_service.cc
+++ b/chromium/net/http/alternative_service.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/alternative_service.h b/chromium/net/http/alternative_service.h
index 90656bf0939..480b45220c6 100644
--- a/chromium/net/http/alternative_service.h
+++ b/chromium/net/http/alternative_service.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,6 +14,7 @@
 #include "base/time/time.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_export.h"
+#include "net/http/alternate_protocol_usage.h"
 #include "net/quic/quic_http_utils.h"
 #include "net/socket/next_proto.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_versions.h"
@@ -21,29 +22,6 @@
 
 namespace net {
 
-enum AlternateProtocolUsage {
-  // Alternate Protocol was used without racing a normal connection.
-  ALTERNATE_PROTOCOL_USAGE_NO_RACE = 0,
-  // Alternate Protocol was used by winning a race with a normal connection.
-  ALTERNATE_PROTOCOL_USAGE_WON_RACE = 1,
-  // Alternate Protocol was not used by losing a race with a normal connection.
-  ALTERNATE_PROTOCOL_USAGE_MAIN_JOB_WON_RACE = 2,
-  // Alternate Protocol was not used because no Alternate-Protocol information
-  // was available when the request was issued, but an Alternate-Protocol header
-  // was present in the response.
-  ALTERNATE_PROTOCOL_USAGE_MAPPING_MISSING = 3,
-  // Alternate Protocol was not used because it was marked broken.
-  ALTERNATE_PROTOCOL_USAGE_BROKEN = 4,
-  // HTTPS DNS protocol upgrade job was used without racing with a normal
-  // connection and an Alternate Protocol job.
-  ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_WITOUT_RACE = 5,
-  // HTTPS DNS protocol upgrade job won a race with a normal connection and
-  // an Alternate Protocol job.
-  ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_RACE = 6,
-  // Maximum value for the enum.
-  ALTERNATE_PROTOCOL_USAGE_MAX,
-};
-
 // Log a histogram to reflect |usage|.
 NET_EXPORT void HistogramAlternateProtocolUsage(AlternateProtocolUsage usage,
                                                 bool is_google_host);
diff --git a/chromium/net/http/alternative_service_unittest.cc b/chromium/net/http/alternative_service_unittest.cc
index c788980b3bd..95ddd97d526 100644
--- a/chromium/net/http/alternative_service_unittest.cc
+++ b/chromium/net/http/alternative_service_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/bidirectional_stream.cc b/chromium/net/http/bidirectional_stream.cc
index 28bd9a89f8c..26bfa94ca65 100644
--- a/chromium/net/http/bidirectional_stream.cc
+++ b/chromium/net/http/bidirectional_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -259,7 +259,7 @@ void BidirectionalStream::OnHeadersReceived(
   load_timing_info_.receive_headers_end = base::TimeTicks::Now();
   read_end_time_ = load_timing_info_.receive_headers_end;
   session_->http_stream_factory()->ProcessAlternativeServices(
-      session_, net::NetworkIsolationKey(), response_info.headers.get(),
+      session_, net::NetworkAnonymizationKey(), response_info.headers.get(),
       url::SchemeHostPort(request_info_->url));
   delegate_->OnHeadersReceived(response_headers);
 }
diff --git a/chromium/net/http/bidirectional_stream.h b/chromium/net/http/bidirectional_stream.h
index cae471b0f05..4e26d353a59 100644
--- a/chromium/net/http/bidirectional_stream.h
+++ b/chromium/net/http/bidirectional_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/bidirectional_stream_impl.cc b/chromium/net/http/bidirectional_stream_impl.cc
index b8d11dbce82..2113227443d 100644
--- a/chromium/net/http/bidirectional_stream_impl.cc
+++ b/chromium/net/http/bidirectional_stream_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/bidirectional_stream_impl.h b/chromium/net/http/bidirectional_stream_impl.h
index 2c151347984..80a4b0f7e8f 100644
--- a/chromium/net/http/bidirectional_stream_impl.h
+++ b/chromium/net/http/bidirectional_stream_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/bidirectional_stream_request_info.cc b/chromium/net/http/bidirectional_stream_request_info.cc
index 2b8cabfd09c..9d44ad061f0 100644
--- a/chromium/net/http/bidirectional_stream_request_info.cc
+++ b/chromium/net/http/bidirectional_stream_request_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/bidirectional_stream_request_info.h b/chromium/net/http/bidirectional_stream_request_info.h
index 51c75ec5d33..f37786aa426 100644
--- a/chromium/net/http/bidirectional_stream_request_info.h
+++ b/chromium/net/http/bidirectional_stream_request_info.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/bidirectional_stream_unittest.cc b/chromium/net/http/bidirectional_stream_unittest.cc
index e6ac53f5fc1..0d086a7f45a 100644
--- a/chromium/net/http/bidirectional_stream_unittest.cc
+++ b/chromium/net/http/bidirectional_stream_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -432,7 +432,7 @@ class BidirectionalStreamTest : public TestWithTaskEnvironment {
     SpdySessionKey key(host_port_pair_, ProxyServer::Direct(),
                        PRIVACY_MODE_DISABLED,
                        SpdySessionKey::IsProxySession::kFalse, socket_tag,
-                       NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                       NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
     session_ =
         CreateSpdySession(http_session_.get(), key,
                           NetLogWithSource::Make(NetLogSourceType::NONE));
@@ -624,7 +624,7 @@ TEST_F(BidirectionalStreamTest, ClientAuthRequestIgnored) {
   SpdySessionKey key(host_port_pair_, ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   auto request_info = std::make_unique<BidirectionalStreamRequestInfo>();
   request_info->method = "GET";
   request_info->url = default_url_;
@@ -1728,7 +1728,7 @@ TEST_F(BidirectionalStreamTest, TestHonorAlternativeServiceHeader) {
 
   AlternativeServiceInfoVector alternative_service_info_vector =
       http_session_->http_server_properties()->GetAlternativeServiceInfos(
-          url::SchemeHostPort(default_url_), NetworkIsolationKey());
+          url::SchemeHostPort(default_url_), NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   AlternativeService alternative_service(kProtoQUIC, "www.example.org", 443);
   EXPECT_EQ(alternative_service,
diff --git a/chromium/net/http/broken_alternative_services.cc b/chromium/net/http/broken_alternative_services.cc
index 865277568c4..f2021ec3c58 100644
--- a/chromium/net/http/broken_alternative_services.cc
+++ b/chromium/net/http/broken_alternative_services.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -59,19 +59,19 @@ base::TimeDelta ComputeBrokenAlternativeServiceExpirationDelay(
 
 BrokenAlternativeService::BrokenAlternativeService(
     const AlternativeService& alternative_service,
-    const NetworkIsolationKey& network_isolation_key,
-    bool use_network_isolation_key)
+    const NetworkAnonymizationKey& network_anonymization_key,
+    bool use_network_anonymization_key)
     : alternative_service(alternative_service),
-      network_isolation_key(use_network_isolation_key ? network_isolation_key
-                                                      : NetworkIsolationKey()) {
-}
+      network_anonymization_key(use_network_anonymization_key
+                                    ? network_anonymization_key
+                                    : NetworkAnonymizationKey()) {}
 
 BrokenAlternativeService::~BrokenAlternativeService() = default;
 
 bool BrokenAlternativeService::operator<(
     const BrokenAlternativeService& other) const {
-  return std::tie(alternative_service, network_isolation_key) <
-         std::tie(other.alternative_service, other.network_isolation_key);
+  return std::tie(alternative_service, network_anonymization_key) <
+         std::tie(other.alternative_service, other.network_anonymization_key);
 }
 
 BrokenAlternativeServices::BrokenAlternativeServices(
@@ -378,7 +378,7 @@ void BrokenAlternativeServices::ExpireBrokenAlternateProtocolMappings() {
     }
 
     delegate_->OnExpireBrokenAlternativeService(
-        it->first.alternative_service, it->first.network_isolation_key);
+        it->first.alternative_service, it->first.network_anonymization_key);
 
     broken_alternative_service_map_.erase(it->first);
     broken_alternative_service_list_.erase(it);
diff --git a/chromium/net/http/broken_alternative_services.h b/chromium/net/http/broken_alternative_services.h
index f2e1782445d..a706067a807 100644
--- a/chromium/net/http/broken_alternative_services.h
+++ b/chromium/net/http/broken_alternative_services.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -13,7 +13,7 @@
 #include "base/memory/weak_ptr.h"
 #include "base/time/time.h"
 #include "base/timer/timer.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/http/alternative_service.h"
 
 namespace base {
@@ -25,11 +25,12 @@ namespace net {
 // Contains information about a broken alternative service, and the context in
 // which it's known to be broken.
 struct NET_EXPORT_PRIVATE BrokenAlternativeService {
-  // If |use_network_isolation_key| is false, |network_isolation_key| is
-  // ignored, and an empty NetworkIsolationKey is used instead.
-  BrokenAlternativeService(const AlternativeService& alternative_service,
-                           const NetworkIsolationKey& network_isolation_key,
-                           bool use_network_isolation_key);
+  // If |use_network_anonymization_key| is false, |network_anonymization_key| is
+  // ignored, and an empty NetworkAnonymizationKey is used instead.
+  BrokenAlternativeService(
+      const AlternativeService& alternative_service,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      bool use_network_anonymization_key);
 
   ~BrokenAlternativeService();
 
@@ -38,8 +39,8 @@ struct NET_EXPORT_PRIVATE BrokenAlternativeService {
   AlternativeService alternative_service;
 
   // The context in which the alternative service is known to be broken in. Used
-  // to avoid cross-NetworkIsolationKey communication.
-  NetworkIsolationKey network_isolation_key;
+  // to avoid cross-NetworkAnonymizationKey communication.
+  NetworkAnonymizationKey network_anonymization_key;
 };
 
 // Stores broken alternative services and when their brokenness expires.
@@ -73,7 +74,7 @@ class NET_EXPORT_PRIVATE BrokenAlternativeServices {
     // Called when a broken alternative service's expiration time is reached.
     virtual void OnExpireBrokenAlternativeService(
         const AlternativeService& expired_alternative_service,
-        const NetworkIsolationKey& network_isolation_key) = 0;
+        const NetworkAnonymizationKey& network_anonymization_key) = 0;
     virtual ~Delegate() = default;
   };
 
@@ -111,8 +112,8 @@ class NET_EXPORT_PRIVATE BrokenAlternativeServices {
 
   // Marks |broken_alternative_service| as recently broken. Being recently
   // broken will cause WasAlternativeServiceRecentlyBroken(alternative_service,
-  // network_isolation_key) to return true until Confirm(alternative_service,
-  // network_isolation_key) is called.
+  // network_anonymization_key) to return true until
+  // Confirm(alternative_service, network_anonymization_key) is called.
   void MarkRecentlyBroken(
       const BrokenAlternativeService& broken_alternative_service);
 
diff --git a/chromium/net/http/broken_alternative_services_unittest.cc b/chromium/net/http/broken_alternative_services_unittest.cc
index a7b58a266f6..745d75f242c 100644
--- a/chromium/net/http/broken_alternative_services_unittest.cc
+++ b/chromium/net/http/broken_alternative_services_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "base/test/test_mock_time_task_runner.h"
 #include "base/time/tick_clock.h"
 #include "base/time/time.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
@@ -34,17 +34,17 @@ class BrokenAlternativeServicesTest
         broken_services_(50, this, broken_services_clock_) {
     SchemefulSite site1(GURL("http://foo.test"));
     SchemefulSite site2(GURL("http://bar.test"));
-    network_isolation_key1_ = NetworkIsolationKey(site1, site1);
-    network_isolation_key2_ = NetworkIsolationKey(site2, site2);
+    network_anonymization_key1_ = NetworkAnonymizationKey(site1, site1);
+    network_anonymization_key2_ = NetworkAnonymizationKey(site2, site2);
   }
 
   // BrokenAlternativeServices::Delegate implementation
   void OnExpireBrokenAlternativeService(
       const AlternativeService& expired_alternative_service,
-      const NetworkIsolationKey& network_isolation_key) override {
+      const NetworkAnonymizationKey& network_anonymization_key) override {
     expired_alt_svcs_.emplace_back(expired_alternative_service,
-                                   network_isolation_key,
-                                   true /* use_network_isolation_key */);
+                                   network_anonymization_key,
+                                   true /* use_network_anonymization_key */);
   }
 
   void TestExponentialBackoff(base::TimeDelta initial_delay,
@@ -61,20 +61,20 @@ class BrokenAlternativeServicesTest
 
   std::vector<BrokenAlternativeService> expired_alt_svcs_;
 
-  NetworkIsolationKey network_isolation_key1_;
-  NetworkIsolationKey network_isolation_key2_;
+  NetworkAnonymizationKey network_anonymization_key1_;
+  NetworkAnonymizationKey network_anonymization_key2_;
 };
 
 TEST_F(BrokenAlternativeServicesTest, MarkBroken) {
   const BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoHTTP2, "foo", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoHTTP2, "foo", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   const BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoHTTP2, "foo", 1234), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoHTTP2, "foo", 1234), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   const BrokenAlternativeService alternative_service3(
-      AlternativeService(kProtoHTTP2, "foo", 443), network_isolation_key2_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoHTTP2, "foo", 443), network_anonymization_key2_,
+      true /* use_network_anonymization_key */);
 
   EXPECT_FALSE(broken_services_.IsBroken(alternative_service1));
   EXPECT_FALSE(broken_services_.IsBroken(alternative_service2));
@@ -121,14 +121,14 @@ TEST_F(BrokenAlternativeServicesTest, MarkBroken) {
 
 TEST_F(BrokenAlternativeServicesTest, MarkBrokenUntilDefaultNetworkChanges) {
   const BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoHTTP2, "foo", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoHTTP2, "foo", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   const BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoHTTP2, "foo", 1234), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoHTTP2, "foo", 1234), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   const BrokenAlternativeService alternative_service3(
-      AlternativeService(kProtoHTTP2, "foo", 443), network_isolation_key2_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoHTTP2, "foo", 443), network_anonymization_key2_,
+      true /* use_network_anonymization_key */);
   EXPECT_FALSE(broken_services_.IsBroken(alternative_service1));
   EXPECT_FALSE(broken_services_.WasRecentlyBroken(alternative_service1));
   EXPECT_FALSE(broken_services_.IsBroken(alternative_service2));
@@ -189,11 +189,11 @@ TEST_F(BrokenAlternativeServicesTest, MarkBrokenUntilDefaultNetworkChanges) {
 
 TEST_F(BrokenAlternativeServicesTest, MarkRecentlyBroken) {
   const BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoHTTP2, "foo", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoHTTP2, "foo", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   const BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoHTTP2, "foo", 443), network_isolation_key2_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoHTTP2, "foo", 443), network_anonymization_key2_,
+      true /* use_network_anonymization_key */);
 
   EXPECT_FALSE(broken_services_.IsBroken(alternative_service1));
   EXPECT_FALSE(broken_services_.WasRecentlyBroken(alternative_service1));
@@ -227,14 +227,14 @@ TEST_F(BrokenAlternativeServicesTest, MarkRecentlyBroken) {
 
 TEST_F(BrokenAlternativeServicesTest, OnDefaultNetworkChanged) {
   BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoQUIC, "foo", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoQUIC, "bar", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "bar", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   BrokenAlternativeService alternative_service3(
-      AlternativeService(kProtoQUIC, "foo", 443), network_isolation_key2_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), network_anonymization_key2_,
+      true /* use_network_anonymization_key */);
 
   EXPECT_FALSE(broken_services_.IsBroken(alternative_service1));
   EXPECT_FALSE(broken_services_.WasRecentlyBroken(alternative_service1));
@@ -310,8 +310,8 @@ TEST_F(BrokenAlternativeServicesTest, OnDefaultNetworkChanged) {
 TEST_F(BrokenAlternativeServicesTest,
        ExpireBrokenAlternativeServiceOnDefaultNetwork) {
   BrokenAlternativeService alternative_service(
-      AlternativeService(kProtoQUIC, "foo", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
 
   broken_services_.MarkBrokenUntilDefaultNetworkChanges(alternative_service);
 
@@ -338,15 +338,15 @@ TEST_F(BrokenAlternativeServicesTest,
   EXPECT_EQ(1u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service.alternative_service,
             expired_alt_svcs_[0].alternative_service);
-  EXPECT_EQ(alternative_service.network_isolation_key,
-            expired_alt_svcs_[0].network_isolation_key);
+  EXPECT_EQ(alternative_service.network_anonymization_key,
+            expired_alt_svcs_[0].network_anonymization_key);
   EXPECT_TRUE(broken_services_.WasRecentlyBroken(alternative_service));
 }
 
 TEST_F(BrokenAlternativeServicesTest, ExpireBrokenAlternateProtocolMappings) {
   BrokenAlternativeService alternative_service(
-      AlternativeService(kProtoQUIC, "foo", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
 
   broken_services_.MarkBroken(alternative_service);
 
@@ -373,16 +373,16 @@ TEST_F(BrokenAlternativeServicesTest, ExpireBrokenAlternateProtocolMappings) {
   EXPECT_EQ(1u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service.alternative_service,
             expired_alt_svcs_[0].alternative_service);
-  EXPECT_EQ(alternative_service.network_isolation_key,
-            expired_alt_svcs_[0].network_isolation_key);
+  EXPECT_EQ(alternative_service.network_anonymization_key,
+            expired_alt_svcs_[0].network_anonymization_key);
   EXPECT_TRUE(broken_services_.WasRecentlyBroken(alternative_service));
 }
 
 TEST_F(BrokenAlternativeServicesTest, IsBroken) {
   // Tests the IsBroken() methods.
   BrokenAlternativeService alternative_service(
-      AlternativeService(kProtoQUIC, "foo", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
   base::TimeTicks brokenness_expiration;
 
   EXPECT_FALSE(broken_services_.IsBroken(alternative_service));
@@ -425,8 +425,8 @@ TEST_F(BrokenAlternativeServicesTest, IsBroken) {
 // - brokenness expires after two intervals.
 TEST_F(BrokenAlternativeServicesTest, BrokenAfterBrokenOnDefaultNetwork) {
   BrokenAlternativeService alternative_service(
-      AlternativeService(kProtoQUIC, "foo", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
 
   // Mark the alternative service broken on the default network.
   broken_services_.MarkBrokenUntilDefaultNetworkChanges(alternative_service);
@@ -475,8 +475,8 @@ TEST_F(BrokenAlternativeServicesTest, BrokenAfterBrokenOnDefaultNetwork) {
 // - (signal received that default network changes);
 TEST_F(BrokenAlternativeServicesTest, BrokenOnDefaultNetworkAfterBroken) {
   BrokenAlternativeService alternative_service(
-      AlternativeService(kProtoQUIC, "foo", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
 
   // Mark the alternative service broken.
   broken_services_.MarkBroken(alternative_service);
@@ -518,8 +518,8 @@ TEST_F(BrokenAlternativeServicesTest, BrokenOnDefaultNetworkAfterBroken) {
 TEST_F(BrokenAlternativeServicesTest,
        BrokenUntilDefaultNetworkChangeWithExponentialBackoff) {
   BrokenAlternativeService alternative_service(
-      AlternativeService(kProtoQUIC, "foo", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
 
   // Mark the alternative service broken on the default network.
   broken_services_.MarkBrokenUntilDefaultNetworkChanges(alternative_service);
@@ -578,8 +578,8 @@ TEST_F(BrokenAlternativeServicesTest, ExponentialBackoff) {
   // longer apply.
 
   BrokenAlternativeService alternative_service(
-      AlternativeService(kProtoQUIC, "foo", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
 
   broken_services_.MarkBroken(alternative_service);
   test_task_runner_->FastForwardBy(base::Minutes(5) - base::Seconds(1));
@@ -667,8 +667,8 @@ void BrokenAlternativeServicesTest::TestExponentialBackoff(
                                   exponential_backoff_on_initial_delay);
 
   BrokenAlternativeService alternative_service(
-      AlternativeService(kProtoQUIC, "foo", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
 
   broken_services_.MarkBroken(alternative_service);
   test_task_runner_->FastForwardBy(initial_delay - base::Seconds(1));
@@ -739,11 +739,11 @@ TEST_F(BrokenAlternativeServicesTest, RemoveExpiredBrokenAltSvc) {
   // expire before A.
 
   BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoQUIC, "foo", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoQUIC, "bar", 443), network_isolation_key2_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "bar", 443), network_anonymization_key2_,
+      true /* use_network_anonymization_key */);
 
   // Repeately mark |alternative_service1| broken and let brokenness expire.
   // Do this a few times.
@@ -754,8 +754,8 @@ TEST_F(BrokenAlternativeServicesTest, RemoveExpiredBrokenAltSvc) {
   EXPECT_EQ(1u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service1.alternative_service,
             expired_alt_svcs_.back().alternative_service);
-  EXPECT_EQ(alternative_service1.network_isolation_key,
-            expired_alt_svcs_.back().network_isolation_key);
+  EXPECT_EQ(alternative_service1.network_anonymization_key,
+            expired_alt_svcs_.back().network_anonymization_key);
 
   broken_services_.MarkBroken(alternative_service1);
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
@@ -763,8 +763,8 @@ TEST_F(BrokenAlternativeServicesTest, RemoveExpiredBrokenAltSvc) {
   EXPECT_EQ(2u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service1.alternative_service,
             expired_alt_svcs_.back().alternative_service);
-  EXPECT_EQ(alternative_service1.network_isolation_key,
-            expired_alt_svcs_.back().network_isolation_key);
+  EXPECT_EQ(alternative_service1.network_anonymization_key,
+            expired_alt_svcs_.back().network_anonymization_key);
 
   broken_services_.MarkBroken(alternative_service1);
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
@@ -772,8 +772,8 @@ TEST_F(BrokenAlternativeServicesTest, RemoveExpiredBrokenAltSvc) {
   EXPECT_EQ(3u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service1.alternative_service,
             expired_alt_svcs_.back().alternative_service);
-  EXPECT_EQ(alternative_service1.network_isolation_key,
-            expired_alt_svcs_.back().network_isolation_key);
+  EXPECT_EQ(alternative_service1.network_anonymization_key,
+            expired_alt_svcs_.back().network_anonymization_key);
 
   expired_alt_svcs_.clear();
 
@@ -803,8 +803,8 @@ TEST_F(BrokenAlternativeServicesTest, RemoveExpiredBrokenAltSvc) {
   EXPECT_EQ(1u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service2.alternative_service,
             expired_alt_svcs_[0].alternative_service);
-  EXPECT_EQ(alternative_service2.network_isolation_key,
-            expired_alt_svcs_[0].network_isolation_key);
+  EXPECT_EQ(alternative_service2.network_anonymization_key,
+            expired_alt_svcs_[0].network_anonymization_key);
 
   // Advance time until one time quantum before |alternative_service1|'s
   // brokenness expires
@@ -816,8 +816,8 @@ TEST_F(BrokenAlternativeServicesTest, RemoveExpiredBrokenAltSvc) {
   EXPECT_EQ(1u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service2.alternative_service,
             expired_alt_svcs_[0].alternative_service);
-  EXPECT_EQ(alternative_service2.network_isolation_key,
-            expired_alt_svcs_[0].network_isolation_key);
+  EXPECT_EQ(alternative_service2.network_anonymization_key,
+            expired_alt_svcs_[0].network_anonymization_key);
 
   // Advance time by one time quantum.  |alternative_service1| should no longer
   // be broken.
@@ -828,24 +828,24 @@ TEST_F(BrokenAlternativeServicesTest, RemoveExpiredBrokenAltSvc) {
   EXPECT_EQ(2u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service2.alternative_service,
             expired_alt_svcs_[0].alternative_service);
-  EXPECT_EQ(alternative_service2.network_isolation_key,
-            expired_alt_svcs_[0].network_isolation_key);
+  EXPECT_EQ(alternative_service2.network_anonymization_key,
+            expired_alt_svcs_[0].network_anonymization_key);
   EXPECT_EQ(alternative_service1.alternative_service,
             expired_alt_svcs_[1].alternative_service);
-  EXPECT_EQ(alternative_service1.network_isolation_key,
-            expired_alt_svcs_[1].network_isolation_key);
+  EXPECT_EQ(alternative_service1.network_anonymization_key,
+            expired_alt_svcs_[1].network_anonymization_key);
 }
 
 // Same as above, but checks a single alternative service with two different
-// NetworkIsolationKeys.
+// NetworkAnonymizationKeys.
 TEST_F(BrokenAlternativeServicesTest,
-       RemoveExpiredBrokenAltSvcWithNetworkIsolationKey) {
+       RemoveExpiredBrokenAltSvcWithNetworkAnonymizationKey) {
   BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoQUIC, "foo", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoQUIC, "foo", 443), network_isolation_key2_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), network_anonymization_key2_,
+      true /* use_network_anonymization_key */);
 
   // Repeately mark |alternative_service1| broken and let brokenness expire.
   // Do this a few times.
@@ -856,8 +856,8 @@ TEST_F(BrokenAlternativeServicesTest,
   EXPECT_EQ(1u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service1.alternative_service,
             expired_alt_svcs_.back().alternative_service);
-  EXPECT_EQ(alternative_service1.network_isolation_key,
-            expired_alt_svcs_.back().network_isolation_key);
+  EXPECT_EQ(alternative_service1.network_anonymization_key,
+            expired_alt_svcs_.back().network_anonymization_key);
 
   broken_services_.MarkBroken(alternative_service1);
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
@@ -865,8 +865,8 @@ TEST_F(BrokenAlternativeServicesTest,
   EXPECT_EQ(2u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service1.alternative_service,
             expired_alt_svcs_.back().alternative_service);
-  EXPECT_EQ(alternative_service1.network_isolation_key,
-            expired_alt_svcs_.back().network_isolation_key);
+  EXPECT_EQ(alternative_service1.network_anonymization_key,
+            expired_alt_svcs_.back().network_anonymization_key);
 
   broken_services_.MarkBroken(alternative_service1);
   EXPECT_EQ(1u, test_task_runner_->GetPendingTaskCount());
@@ -874,8 +874,8 @@ TEST_F(BrokenAlternativeServicesTest,
   EXPECT_EQ(3u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service1.alternative_service,
             expired_alt_svcs_.back().alternative_service);
-  EXPECT_EQ(alternative_service1.network_isolation_key,
-            expired_alt_svcs_.back().network_isolation_key);
+  EXPECT_EQ(alternative_service1.network_anonymization_key,
+            expired_alt_svcs_.back().network_anonymization_key);
 
   expired_alt_svcs_.clear();
 
@@ -905,8 +905,8 @@ TEST_F(BrokenAlternativeServicesTest,
   EXPECT_EQ(1u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service2.alternative_service,
             expired_alt_svcs_[0].alternative_service);
-  EXPECT_EQ(alternative_service2.network_isolation_key,
-            expired_alt_svcs_[0].network_isolation_key);
+  EXPECT_EQ(alternative_service2.network_anonymization_key,
+            expired_alt_svcs_[0].network_anonymization_key);
 
   // Advance time until one time quantum before |alternative_service1|'s
   // brokenness expires
@@ -918,8 +918,8 @@ TEST_F(BrokenAlternativeServicesTest,
   EXPECT_EQ(1u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service2.alternative_service,
             expired_alt_svcs_[0].alternative_service);
-  EXPECT_EQ(alternative_service2.network_isolation_key,
-            expired_alt_svcs_[0].network_isolation_key);
+  EXPECT_EQ(alternative_service2.network_anonymization_key,
+            expired_alt_svcs_[0].network_anonymization_key);
 
   // Advance time by one time quantum.  |alternative_service1| should no longer
   // be broken.
@@ -930,21 +930,21 @@ TEST_F(BrokenAlternativeServicesTest,
   EXPECT_EQ(2u, expired_alt_svcs_.size());
   EXPECT_EQ(alternative_service2.alternative_service,
             expired_alt_svcs_[0].alternative_service);
-  EXPECT_EQ(alternative_service2.network_isolation_key,
-            expired_alt_svcs_[0].network_isolation_key);
+  EXPECT_EQ(alternative_service2.network_anonymization_key,
+            expired_alt_svcs_[0].network_anonymization_key);
   EXPECT_EQ(alternative_service1.alternative_service,
             expired_alt_svcs_[1].alternative_service);
-  EXPECT_EQ(alternative_service1.network_isolation_key,
-            expired_alt_svcs_[1].network_isolation_key);
+  EXPECT_EQ(alternative_service1.network_anonymization_key,
+            expired_alt_svcs_[1].network_anonymization_key);
 }
 
 TEST_F(BrokenAlternativeServicesTest, SetBrokenAlternativeServices) {
   BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoQUIC, "foo1", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo1", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
   BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoQUIC, "foo2", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo2", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
 
   base::TimeDelta delay1 = base::Minutes(1);
 
@@ -1000,14 +1000,14 @@ TEST_F(BrokenAlternativeServicesTest, SetBrokenAlternativeServices) {
 TEST_F(BrokenAlternativeServicesTest,
        SetBrokenAlternativeServicesWithExisting) {
   BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoQUIC, "foo1", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo1", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
   BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoQUIC, "foo2", 443), network_isolation_key1_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo2", 443), network_anonymization_key1_,
+      true /* use_network_anonymization_key */);
   BrokenAlternativeService alternative_service3(
-      AlternativeService(kProtoQUIC, "foo3", 443), network_isolation_key2_,
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo3", 443), network_anonymization_key2_,
+      true /* use_network_anonymization_key */);
 
   std::unique_ptr<BrokenAlternativeServiceList> broken_list =
       std::make_unique<BrokenAlternativeServiceList>();
@@ -1080,18 +1080,18 @@ TEST_F(BrokenAlternativeServicesTest,
   auto it = broken_services_.recently_broken_alternative_services().begin();
   EXPECT_EQ(alternative_service2.alternative_service,
             it->first.alternative_service);
-  EXPECT_EQ(alternative_service2.network_isolation_key,
-            it->first.network_isolation_key);
+  EXPECT_EQ(alternative_service2.network_anonymization_key,
+            it->first.network_anonymization_key);
   ++it;
   EXPECT_EQ(alternative_service1.alternative_service,
             it->first.alternative_service);
-  EXPECT_EQ(alternative_service1.network_isolation_key,
-            it->first.network_isolation_key);
+  EXPECT_EQ(alternative_service1.network_anonymization_key,
+            it->first.network_anonymization_key);
   ++it;
   EXPECT_EQ(alternative_service3.alternative_service,
             it->first.alternative_service);
-  EXPECT_EQ(alternative_service3.network_isolation_key,
-            it->first.network_isolation_key);
+  EXPECT_EQ(alternative_service3.network_anonymization_key,
+            it->first.network_anonymization_key);
 }
 
 TEST_F(BrokenAlternativeServicesTest, ScheduleExpireTaskAfterExpire) {
@@ -1099,11 +1099,11 @@ TEST_F(BrokenAlternativeServicesTest, ScheduleExpireTaskAfterExpire) {
   // is scheduled for the next broken alt svc in the expiration queue.
 
   BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoQUIC, "foo", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
   BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoQUIC, "bar", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "bar", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
 
   // Mark |alternative_service1| broken and let brokenness expire. This will
   // increase its expiration delay the next time it's marked broken.
@@ -1128,11 +1128,11 @@ TEST_F(BrokenAlternativeServicesTest, ScheduleExpireTaskAfterExpire) {
 
 TEST_F(BrokenAlternativeServicesTest, Clear) {
   BrokenAlternativeService alternative_service1(
-      AlternativeService(kProtoQUIC, "foo", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "foo", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
   BrokenAlternativeService alternative_service2(
-      AlternativeService(kProtoQUIC, "bar", 443), NetworkIsolationKey(),
-      true /* use_network_isolation_key */);
+      AlternativeService(kProtoQUIC, "bar", 443), NetworkAnonymizationKey(),
+      true /* use_network_anonymization_key */);
 
   broken_services_.MarkBroken(alternative_service1);
   broken_services_.MarkRecentlyBroken(alternative_service2);
diff --git a/chromium/net/http/http_auth.cc b/chromium/net/http/http_auth.cc
index 55240b53bc6..aa64f0a7e14 100644
--- a/chromium/net/http/http_auth.cc
+++ b/chromium/net/http/http_auth.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -36,7 +36,7 @@ void HttpAuth::ChooseBestChallenge(
     HttpAuthHandlerFactory* http_auth_handler_factory,
     const HttpResponseHeaders& response_headers,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     Target target,
     const url::SchemeHostPort& scheme_host_port,
     const std::set<Scheme>& disabled_schemes,
@@ -54,7 +54,7 @@ void HttpAuth::ChooseBestChallenge(
   while (response_headers.EnumerateHeader(&iter, header_name, &cur_challenge)) {
     std::unique_ptr<HttpAuthHandler> cur;
     int rv = http_auth_handler_factory->CreateAuthHandlerFromString(
-        cur_challenge, target, ssl_info, network_isolation_key,
+        cur_challenge, target, ssl_info, network_anonymization_key,
         scheme_host_port, net_log, host_resolver, &cur);
     if (rv != OK) {
       VLOG(1) << "Unable to create AuthHandler. Status: "
diff --git a/chromium/net/http/http_auth.h b/chromium/net/http/http_auth.h
index 319d2d31189..9698ffaf166 100644
--- a/chromium/net/http/http_auth.h
+++ b/chromium/net/http/http_auth.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -29,7 +29,7 @@ class HttpAuthHandlerFactory;
 class HttpResponseHeaders;
 class HostResolver;
 class NetLogWithSource;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class SSLInfo;
 
 // Utility class for http authentication.
@@ -178,7 +178,7 @@ class NET_EXPORT_PRIVATE HttpAuth {
       HttpAuthHandlerFactory* http_auth_handler_factory,
       const HttpResponseHeaders& response_headers,
       const SSLInfo& ssl_info,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       Target target,
       const url::SchemeHostPort& scheme_host_port,
       const std::set<Scheme>& disabled_schemes,
diff --git a/chromium/net/http/http_auth_cache.cc b/chromium/net/http/http_auth_cache.cc
index 4ae47ed7cd2..3fa569f53e3 100644
--- a/chromium/net/http/http_auth_cache.cc
+++ b/chromium/net/http/http_auth_cache.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -68,21 +68,22 @@ struct IsEnclosedBy {
 
 namespace net {
 
-HttpAuthCache::HttpAuthCache(bool key_server_entries_by_network_isolation_key)
-    : key_server_entries_by_network_isolation_key_(
-          key_server_entries_by_network_isolation_key) {}
+HttpAuthCache::HttpAuthCache(
+    bool key_server_entries_by_network_anonymization_key)
+    : key_server_entries_by_network_anonymization_key_(
+          key_server_entries_by_network_anonymization_key) {}
 
 HttpAuthCache::~HttpAuthCache() = default;
 
-void HttpAuthCache::SetKeyServerEntriesByNetworkIsolationKey(
-    bool key_server_entries_by_network_isolation_key) {
-  if (key_server_entries_by_network_isolation_key_ ==
-      key_server_entries_by_network_isolation_key) {
+void HttpAuthCache::SetKeyServerEntriesByNetworkAnonymizationKey(
+    bool key_server_entries_by_network_anonymization_key) {
+  if (key_server_entries_by_network_anonymization_key_ ==
+      key_server_entries_by_network_anonymization_key) {
     return;
   }
 
-  key_server_entries_by_network_isolation_key_ =
-      key_server_entries_by_network_isolation_key;
+  key_server_entries_by_network_anonymization_key_ =
+      key_server_entries_by_network_anonymization_key;
   base::EraseIf(entries_, [](EntryMap::value_type& entry_map_pair) {
     return entry_map_pair.first.target == HttpAuth::AUTH_SERVER;
   });
@@ -90,15 +91,15 @@ void HttpAuthCache::SetKeyServerEntriesByNetworkIsolationKey(
 
 // Performance: O(logN+n), where N is the total number of entries, n is the
 // number of realm entries for the given SchemeHostPort, target, and with a
-// matching NetworkIsolationKey.
+// matching NetworkAnonymizationKey.
 HttpAuthCache::Entry* HttpAuthCache::Lookup(
     const url::SchemeHostPort& scheme_host_port,
     HttpAuth::Target target,
     const std::string& realm,
     HttpAuth::Scheme scheme,
-    const NetworkIsolationKey& network_isolation_key) {
-  EntryMap::iterator entry_it = LookupEntryIt(scheme_host_port, target, realm,
-                                              scheme, network_isolation_key);
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  EntryMap::iterator entry_it = LookupEntryIt(
+      scheme_host_port, target, realm, scheme, network_anonymization_key);
   if (entry_it == entries_.end())
     return nullptr;
   return &(entry_it->second);
@@ -106,13 +107,13 @@ HttpAuthCache::Entry* HttpAuthCache::Lookup(
 
 // Performance: O(logN+n*m), where N is the total number of entries, n is the
 // number of realm entries for the given SchemeHostPort, target, and
-// NetworkIsolationKey, m is the number of path entries per realm. Both n and m
-// are expected to be small; m is kept small because AddPath() only keeps the
-// shallowest entry.
+// NetworkAnonymizationKey, m is the number of path entries per realm. Both n
+// and m are expected to be small; m is kept small because AddPath() only keeps
+// the shallowest entry.
 HttpAuthCache::Entry* HttpAuthCache::LookupByPath(
     const url::SchemeHostPort& scheme_host_port,
     HttpAuth::Target target,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const std::string& path) {
 #if DCHECK_IS_ON()
   CheckSchemeHostPortIsValid(scheme_host_port);
@@ -128,8 +129,8 @@ HttpAuthCache::Entry* HttpAuthCache::LookupByPath(
   // Linear scan through the <scheme, realm> entries for the given
   // SchemeHostPort.
   auto entry_range = entries_.equal_range(
-      EntryMapKey(scheme_host_port, target, network_isolation_key,
-                  key_server_entries_by_network_isolation_key_));
+      EntryMapKey(scheme_host_port, target, network_anonymization_key,
+                  key_server_entries_by_network_anonymization_key_));
   auto best_match_it = entries_.end();
   size_t best_match_length = 0;
   for (auto it = entry_range.first; it != entry_range.second; ++it) {
@@ -155,7 +156,7 @@ HttpAuthCache::Entry* HttpAuthCache::Add(
     HttpAuth::Target target,
     const std::string& realm,
     HttpAuth::Scheme scheme,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const std::string& auth_challenge,
     const AuthCredentials& credentials,
     const std::string& path) {
@@ -167,13 +168,13 @@ HttpAuthCache::Entry* HttpAuthCache::Add(
   base::TimeTicks now_ticks = tick_clock_->NowTicks();
 
   // Check for existing entry (we will re-use it if present).
-  HttpAuthCache::Entry* entry =
-      Lookup(scheme_host_port, target, realm, scheme, network_isolation_key);
+  HttpAuthCache::Entry* entry = Lookup(scheme_host_port, target, realm, scheme,
+                                       network_anonymization_key);
   if (!entry) {
     // Failsafe to prevent unbounded memory growth of the cache.
     //
     // Data was collected in June of 2019, before entries were keyed on either
-    // HttpAuth::Target or NetworkIsolationKey. That data indicated that the
+    // HttpAuth::Target or NetworkAnonymizationKey. That data indicated that the
     // eviction rate was at around 0.05%. I.e. 0.05% of the time the number of
     // entries in the cache exceed kMaxNumRealmEntries. The evicted entry is
     // roughly half an hour old (median), and it's been around 25 minutes since
@@ -182,13 +183,13 @@ HttpAuthCache::Entry* HttpAuthCache::Add(
       DLOG(WARNING) << "Num auth cache entries reached limit -- evicting";
       EvictLeastRecentlyUsedEntry();
     }
-    entry =
-        &(entries_
-              .emplace(std::make_pair(
-                  EntryMapKey(scheme_host_port, target, network_isolation_key,
-                              key_server_entries_by_network_isolation_key_),
-                  Entry()))
-              ->second);
+    entry = &(
+        entries_
+            .emplace(std::make_pair(
+                EntryMapKey(scheme_host_port, target, network_anonymization_key,
+                            key_server_entries_by_network_anonymization_key_),
+                Entry()))
+            ->second);
     entry->scheme_host_port_ = scheme_host_port;
     entry->realm_ = realm;
     entry->scheme_ = scheme;
@@ -280,14 +281,15 @@ bool HttpAuthCache::Entry::HasEnclosingPath(const std::string& dir,
   return false;
 }
 
-bool HttpAuthCache::Remove(const url::SchemeHostPort& scheme_host_port,
-                           HttpAuth::Target target,
-                           const std::string& realm,
-                           HttpAuth::Scheme scheme,
-                           const NetworkIsolationKey& network_isolation_key,
-                           const AuthCredentials& credentials) {
-  EntryMap::iterator entry_it = LookupEntryIt(scheme_host_port, target, realm,
-                                              scheme, network_isolation_key);
+bool HttpAuthCache::Remove(
+    const url::SchemeHostPort& scheme_host_port,
+    HttpAuth::Target target,
+    const std::string& realm,
+    HttpAuth::Scheme scheme,
+    const NetworkAnonymizationKey& network_anonymization_key,
+    const AuthCredentials& credentials) {
+  EntryMap::iterator entry_it = LookupEntryIt(
+      scheme_host_port, target, realm, scheme, network_anonymization_key);
   if (entry_it == entries_.end())
     return false;
   Entry& entry = entry_it->second;
@@ -321,10 +323,10 @@ bool HttpAuthCache::UpdateStaleChallenge(
     HttpAuth::Target target,
     const std::string& realm,
     HttpAuth::Scheme scheme,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const std::string& auth_challenge) {
-  HttpAuthCache::Entry* entry =
-      Lookup(scheme_host_port, target, realm, scheme, network_isolation_key);
+  HttpAuthCache::Entry* entry = Lookup(scheme_host_port, target, realm, scheme,
+                                       network_anonymization_key);
   if (!entry)
     return false;
   entry->UpdateStaleChallenge(auth_challenge);
@@ -340,13 +342,14 @@ void HttpAuthCache::CopyProxyEntriesFrom(const HttpAuthCache& other) {
     if (it->first.target != HttpAuth::AUTH_PROXY)
       continue;
 
-    // Sanity check - proxy entries should have an empty NetworkIsolationKey.
-    DCHECK(NetworkIsolationKey() == it->first.network_isolation_key);
+    // Sanity check - proxy entries should have an empty
+    // NetworkAnonymizationKey.
+    DCHECK(NetworkAnonymizationKey() == it->first.network_anonymization_key);
 
     // Add an Entry with one of the original entry's paths.
     DCHECK(e.paths_.size() > 0);
     Entry* entry = Add(e.scheme_host_port(), it->first.target, e.realm(),
-                       e.scheme(), it->first.network_isolation_key,
+                       e.scheme(), it->first.network_anonymization_key,
                        e.auth_challenge(), e.credentials(), e.paths_.back());
     // Copy all other paths.
     for (auto it2 = std::next(e.paths_.rbegin()); it2 != e.paths_.rend(); ++it2)
@@ -359,21 +362,22 @@ void HttpAuthCache::CopyProxyEntriesFrom(const HttpAuthCache& other) {
 HttpAuthCache::EntryMapKey::EntryMapKey(
     const url::SchemeHostPort& scheme_host_port,
     HttpAuth::Target target,
-    const NetworkIsolationKey& network_isolation_key,
-    bool key_server_entries_by_network_isolation_key)
+    const NetworkAnonymizationKey& network_anonymization_key,
+    bool key_server_entries_by_network_anonymization_key)
     : scheme_host_port(scheme_host_port),
       target(target),
-      network_isolation_key(target == HttpAuth::AUTH_SERVER &&
-                                    key_server_entries_by_network_isolation_key
-                                ? network_isolation_key
-                                : NetworkIsolationKey()) {}
+      network_anonymization_key(
+          target == HttpAuth::AUTH_SERVER &&
+                  key_server_entries_by_network_anonymization_key
+              ? network_anonymization_key
+              : NetworkAnonymizationKey()) {}
 
 HttpAuthCache::EntryMapKey::~EntryMapKey() = default;
 
 bool HttpAuthCache::EntryMapKey::operator<(const EntryMapKey& other) const {
-  return std::tie(scheme_host_port, target, network_isolation_key) <
+  return std::tie(scheme_host_port, target, network_anonymization_key) <
          std::tie(other.scheme_host_port, other.target,
-                  other.network_isolation_key);
+                  other.network_anonymization_key);
 }
 
 size_t HttpAuthCache::GetEntriesSizeForTesting() {
@@ -385,16 +389,16 @@ HttpAuthCache::EntryMap::iterator HttpAuthCache::LookupEntryIt(
     HttpAuth::Target target,
     const std::string& realm,
     HttpAuth::Scheme scheme,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
 #if DCHECK_IS_ON()
   CheckSchemeHostPortIsValid(scheme_host_port);
 #endif
 
   // Linear scan through the <scheme, realm> entries for the given
-  // SchemeHostPort and NetworkIsolationKey.
+  // SchemeHostPort and NetworkAnonymizationKey.
   auto entry_range = entries_.equal_range(
-      EntryMapKey(scheme_host_port, target, network_isolation_key,
-                  key_server_entries_by_network_isolation_key_));
+      EntryMapKey(scheme_host_port, target, network_anonymization_key,
+                  key_server_entries_by_network_anonymization_key_));
   for (auto it = entry_range.first; it != entry_range.second; ++it) {
     Entry& entry = it->second;
     DCHECK(entry.scheme_host_port() == scheme_host_port);
diff --git a/chromium/net/http/http_auth_cache.h b/chromium/net/http/http_auth_cache.h
index 030de45ddc1..4b3b0a812ee 100644
--- a/chromium/net/http/http_auth_cache.h
+++ b/chromium/net/http/http_auth_cache.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@
 #include "base/time/default_tick_clock.h"
 #include "base/time/time.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/http/http_auth.h"
 #include "url/scheme_host_port.h"
 
@@ -123,21 +123,21 @@ class NET_EXPORT HttpAuthCache {
   enum { kMaxNumPathsPerRealmEntry = 10 };
   enum { kMaxNumRealmEntries = 20 };
 
-  // If |key_server_entries_by_network_isolation_key| is true, all
-  // HttpAuth::AUTH_SERVER operations are keyed by NetworkIsolationKey.
-  // Otherwise, NetworkIsolationKey arguments are ignored.
-  explicit HttpAuthCache(bool key_server_entries_by_network_isolation_key);
+  // If |key_server_entries_by_network_anonymization_key| is true, all
+  // HttpAuth::AUTH_SERVER operations are keyed by NetworkAnonymizationKey.
+  // Otherwise, NetworkAnonymizationKey arguments are ignored.
+  explicit HttpAuthCache(bool key_server_entries_by_network_anonymization_key);
 
   HttpAuthCache(const HttpAuthCache&) = delete;
   HttpAuthCache& operator=(const HttpAuthCache&) = delete;
 
   ~HttpAuthCache();
 
-  // Sets whether server entries are keyed by NetworkIsolationKey.
+  // Sets whether server entries are keyed by NetworkAnonymizationKey.
   // If this results in changing the value of the setting, all current server
   // entries are deleted.
-  void SetKeyServerEntriesByNetworkIsolationKey(
-      bool key_server_entries_by_network_isolation_key);
+  void SetKeyServerEntriesByNetworkAnonymizationKey(
+      bool key_server_entries_by_network_anonymization_key);
 
   // Find the realm entry on server |origin| for realm |realm| and
   // scheme |scheme|. If a matching entry is found, move it up by one place
@@ -152,7 +152,7 @@ class NET_EXPORT HttpAuthCache {
                 HttpAuth::Target target,
                 const std::string& realm,
                 HttpAuth::Scheme scheme,
-                const NetworkIsolationKey& network_isolation_key);
+                const NetworkAnonymizationKey& network_anonymization_key);
 
   // Find the entry on server |origin| whose protection space includes
   // |path|. This uses the assumption in RFC 2617 section 2 that deeper
@@ -165,7 +165,7 @@ class NET_EXPORT HttpAuthCache {
   //   returns  - the matched entry or nullptr.
   Entry* LookupByPath(const url::SchemeHostPort& scheme_host_port,
                       HttpAuth::Target target,
-                      const NetworkIsolationKey& network_isolation_key,
+                      const NetworkAnonymizationKey& network_anonymization_key,
                       const std::string& path);
 
   // Add an entry on server |scheme_host_port| for realm |handler->realm()| and
@@ -183,7 +183,7 @@ class NET_EXPORT HttpAuthCache {
              HttpAuth::Target target,
              const std::string& realm,
              HttpAuth::Scheme scheme,
-             const NetworkIsolationKey& network_isolation_key,
+             const NetworkAnonymizationKey& network_anonymization_key,
              const std::string& auth_challenge,
              const AuthCredentials& credentials,
              const std::string& path);
@@ -199,7 +199,7 @@ class NET_EXPORT HttpAuthCache {
               HttpAuth::Target target,
               const std::string& realm,
               HttpAuth::Scheme scheme,
-              const NetworkIsolationKey& network_isolation_key,
+              const NetworkAnonymizationKey& network_anonymization_key,
               const AuthCredentials& credentials);
 
   // Clears cache entries added between |begin_time| inclusively and |end_time|
@@ -215,17 +215,18 @@ class NET_EXPORT HttpAuthCache {
   // |auth_challenge| and the nonce count is reset.
   // |UpdateStaleChallenge()| returns true if a matching entry exists in the
   // cache, false otherwise.
-  bool UpdateStaleChallenge(const url::SchemeHostPort& scheme_host_port,
-                            HttpAuth::Target target,
-                            const std::string& realm,
-                            HttpAuth::Scheme scheme,
-                            const NetworkIsolationKey& network_isolation_key,
-                            const std::string& auth_challenge);
+  bool UpdateStaleChallenge(
+      const url::SchemeHostPort& scheme_host_port,
+      HttpAuth::Target target,
+      const std::string& realm,
+      HttpAuth::Scheme scheme,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const std::string& auth_challenge);
 
   // Copies all entries from |other| cache with a target of
   // HttpAuth::AUTH_PROXY. |this| and |other| need not have the same
-  // |key_server_entries_by_network_isolation_key_| value, since proxy
-  // credentials are not keyed on NetworkIsolationKey.
+  // |key_server_entries_by_network_anonymization_key_| value, since proxy
+  // credentials are not keyed on NetworkAnonymizationKey.
   void CopyProxyEntriesFrom(const HttpAuthCache& other);
 
   size_t GetEntriesSizeForTesting();
@@ -234,26 +235,26 @@ class NET_EXPORT HttpAuthCache {
   }
   void set_clock_for_testing(const base::Clock* clock) { clock_ = clock; }
 
-  bool key_server_entries_by_network_isolation_key() const {
-    return key_server_entries_by_network_isolation_key_;
+  bool key_server_entries_by_network_anonymization_key() const {
+    return key_server_entries_by_network_anonymization_key_;
   }
 
  private:
   struct EntryMapKey {
     EntryMapKey(const url::SchemeHostPort& scheme_host_port,
                 HttpAuth::Target target,
-                const NetworkIsolationKey& network_isolation_key,
-                bool key_server_entries_by_network_isolation_key);
+                const NetworkAnonymizationKey& network_anonymization_key,
+                bool key_server_entries_by_network_anonymization_key);
     ~EntryMapKey();
 
     bool operator<(const EntryMapKey& other) const;
 
     url::SchemeHostPort scheme_host_port;
     HttpAuth::Target target;
-    // Empty if |key_server_entries_by_network_isolation_key| is false, |target|
-    // is HttpAuth::AUTH_PROXY, or an empty NetworkIsolationKey is passed in to
-    // the EntryMap constructor.
-    NetworkIsolationKey network_isolation_key;
+    // Empty if |key_server_entries_by_network_anonymization_key| is false,
+    // |target| is HttpAuth::AUTH_PROXY, or an empty NetworkAnonymizationKey is
+    // passed in to the EntryMap constructor.
+    NetworkAnonymizationKey network_anonymization_key;
   };
 
   using EntryMap = std::multimap<EntryMapKey, Entry>;
@@ -267,11 +268,11 @@ class NET_EXPORT HttpAuthCache {
       HttpAuth::Target target,
       const std::string& realm,
       HttpAuth::Scheme scheme,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   void EvictLeastRecentlyUsedEntry();
 
-  bool key_server_entries_by_network_isolation_key_;
+  bool key_server_entries_by_network_anonymization_key_;
 
   EntryMap entries_;
 };
diff --git a/chromium/net/http/http_auth_cache_unittest.cc b/chromium/net/http/http_auth_cache_unittest.cc
index c2f2ce7c6e4..42bc72ef2a9 100644
--- a/chromium/net/http/http_auth_cache_unittest.cc
+++ b/chromium/net/http/http_auth_cache_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "base/test/simple_test_tick_clock.h"
 #include "base/time/time.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/http/http_auth_cache.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -52,74 +52,77 @@ AuthCredentials CreateASCIICredentials(const char* username,
 TEST(HttpAuthCacheTest, Basic) {
   url::SchemeHostPort scheme_host_port(GURL("http://www.google.com"));
   url::SchemeHostPort scheme_host_port2(GURL("http://www.foobar.com"));
-  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache cache(false /* key_entries_by_network_anonymization_key */);
   HttpAuthCache::Entry* entry;
 
   // Add cache entries for 4 realms: "Realm1", "Realm2", "Realm3" and
   // "Realm4"
 
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "Basic realm=Realm1",
             CreateASCIICredentials("realm1-user", "realm1-password"),
             "/foo/bar/index.html");
 
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "Basic realm=Realm2",
             CreateASCIICredentials("realm2-user", "realm2-password"),
             "/foo2/index.html");
 
   cache.Add(
       scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(), "Basic realm=Realm3",
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
+      "Basic realm=Realm3",
       CreateASCIICredentials("realm3-basic-user", "realm3-basic-password"),
       std::string());
 
   cache.Add(
       scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-      HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+      HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey(),
       "Digest realm=Realm3",
       CreateASCIICredentials("realm3-digest-user", "realm3-digest-password"),
       "/baz/index.html");
 
   cache.Add(
       scheme_host_port, HttpAuth::AUTH_SERVER, kRealm4,
-      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(), "Basic realm=Realm4",
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
+      "Basic realm=Realm4",
       CreateASCIICredentials("realm4-basic-user", "realm4-basic-password"),
       "/");
 
   cache.Add(scheme_host_port2, HttpAuth::AUTH_SERVER, kRealm5,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "Basic realm=Realm5",
             CreateASCIICredentials("realm5-user", "realm5-password"), "/");
   cache.Add(
       scheme_host_port2, HttpAuth::AUTH_SERVER, kRealm3,
-      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(), "Basic realm=Realm3",
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
+      "Basic realm=Realm3",
       CreateASCIICredentials("realm3-basic-user", "realm3-basic-password"),
       std::string());
 
   // There is no Realm5 in `scheme_host_port`.
   entry = cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm5,
-                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   EXPECT_FALSE(entry);
 
   // While Realm3 does exist, the scheme is wrong.
   entry = cache.Lookup(url::SchemeHostPort(GURL("https://www.google.com")),
                        HttpAuth::AUTH_SERVER, kRealm3,
-                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   EXPECT_FALSE(entry);
 
   // Realm, scheme ok, authentication scheme wrong
   entry = cache.Lookup(url::SchemeHostPort(GURL("https://www.google.com")),
                        HttpAuth::AUTH_SERVER, kRealm1,
-                       HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey());
   EXPECT_FALSE(entry);
 
   // Valid lookup by SchemeHostPort, realm, scheme.
   entry = cache.Lookup(url::SchemeHostPort(GURL("http://www.google.com:80")),
                        HttpAuth::AUTH_SERVER, kRealm3,
-                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(HttpAuth::AUTH_SCHEME_BASIC, entry->scheme());
   EXPECT_EQ(kRealm3, entry->realm());
@@ -131,7 +134,7 @@ TEST(HttpAuthCacheTest, Basic) {
   HttpAuthCache::Entry* entry2 =
       cache.Lookup(url::SchemeHostPort(GURL("http://www.foobar.com:80")),
                    HttpAuth::AUTH_SERVER, kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
-                   NetworkIsolationKey());
+                   NetworkAnonymizationKey());
   ASSERT_TRUE(entry2);
   EXPECT_NE(entry, entry2);
 
@@ -139,7 +142,7 @@ TEST(HttpAuthCacheTest, Basic) {
   // SchemeHostPort, realm in the cache.
   entry = cache.Lookup(url::SchemeHostPort(GURL("http://www.google.com:80")),
                        HttpAuth::AUTH_SERVER, kRealm3,
-                       HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(HttpAuth::AUTH_SCHEME_DIGEST, entry->scheme());
   EXPECT_EQ(kRealm3, entry->realm());
@@ -149,7 +152,7 @@ TEST(HttpAuthCacheTest, Basic) {
 
   // Valid lookup by realm.
   entry = cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(HttpAuth::AUTH_SCHEME_BASIC, entry->scheme());
   EXPECT_EQ(kRealm2, entry->realm());
@@ -160,10 +163,10 @@ TEST(HttpAuthCacheTest, Basic) {
   // Check that subpaths are recognized.
   HttpAuthCache::Entry* p_realm2_entry =
       cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-                   HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                   HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   HttpAuthCache::Entry* p_realm4_entry =
       cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm4,
-                   HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                   HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   EXPECT_TRUE(p_realm2_entry);
   EXPECT_TRUE(p_realm4_entry);
   HttpAuthCache::Entry realm2_entry = *p_realm2_entry;
@@ -172,67 +175,67 @@ TEST(HttpAuthCacheTest, Basic) {
   // LookupByPath() should return the closest enclosing path.
   // Positive tests:
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/foo2/index.html");
+                             NetworkAnonymizationKey(), "/foo2/index.html");
   EXPECT_TRUE(realm2_entry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/foo2/foobar.html");
+                             NetworkAnonymizationKey(), "/foo2/foobar.html");
   EXPECT_TRUE(realm2_entry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/foo2/bar/index.html");
+                             NetworkAnonymizationKey(), "/foo2/bar/index.html");
   EXPECT_TRUE(realm2_entry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/foo2/");
+                             NetworkAnonymizationKey(), "/foo2/");
   EXPECT_TRUE(realm2_entry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/foo2");
+                             NetworkAnonymizationKey(), "/foo2");
   EXPECT_TRUE(realm4_entry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/");
+                             NetworkAnonymizationKey(), "/");
   EXPECT_TRUE(realm4_entry.IsEqualForTesting(*entry));
 
   // Negative tests:
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/foo3/index.html");
+                             NetworkAnonymizationKey(), "/foo3/index.html");
   EXPECT_FALSE(realm2_entry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), std::string());
+                             NetworkAnonymizationKey(), std::string());
   EXPECT_FALSE(realm2_entry.IsEqualForTesting(*entry));
 
   // Confirm we find the same realm, different auth scheme by path lookup
   HttpAuthCache::Entry* p_realm3_digest_entry =
       cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey());
   EXPECT_TRUE(p_realm3_digest_entry);
   HttpAuthCache::Entry realm3_digest_entry = *p_realm3_digest_entry;
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/baz/index.html");
+                             NetworkAnonymizationKey(), "/baz/index.html");
   EXPECT_TRUE(realm3_digest_entry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/baz/");
+                             NetworkAnonymizationKey(), "/baz/");
   EXPECT_TRUE(realm3_digest_entry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/baz");
+                             NetworkAnonymizationKey(), "/baz");
   EXPECT_FALSE(realm3_digest_entry.IsEqualForTesting(*entry));
 
   // Confirm we find the same realm, different auth scheme by path lookup
   HttpAuthCache::Entry* p_realm3DigestEntry =
       cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey());
   EXPECT_TRUE(p_realm3DigestEntry);
   HttpAuthCache::Entry realm3DigestEntry = *p_realm3DigestEntry;
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/baz/index.html");
+                             NetworkAnonymizationKey(), "/baz/index.html");
   EXPECT_TRUE(realm3DigestEntry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/baz/");
+                             NetworkAnonymizationKey(), "/baz/");
   EXPECT_TRUE(realm3DigestEntry.IsEqualForTesting(*entry));
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), "/baz");
+                             NetworkAnonymizationKey(), "/baz");
   EXPECT_FALSE(realm3DigestEntry.IsEqualForTesting(*entry));
 
   // Lookup using empty path (may be used for proxy).
   entry = cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                             NetworkIsolationKey(), std::string());
+                             NetworkAnonymizationKey(), std::string());
   EXPECT_TRUE(entry);
   EXPECT_EQ(HttpAuth::AUTH_SCHEME_BASIC, entry->scheme());
   EXPECT_EQ(kRealm3, entry->realm());
@@ -248,95 +251,98 @@ TEST(HttpAuthCacheTest, SeparateByTarget) {
   const char kServerPath[] = "/foo/bar/index.html";
 
   url::SchemeHostPort scheme_host_port(GURL("http://www.google.com"));
-  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache cache(false /* key_entries_by_network_anonymization_key */);
   HttpAuthCache::Entry* entry;
 
   // Add AUTH_SERVER entry.
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "Basic realm=Realm1", AuthCredentials(kServerUser, kServerPass),
             kServerPath);
 
   // Make sure credentials are only accessible with AUTH_SERVER target.
   entry = cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(entry->credentials().username(), kServerUser);
   EXPECT_EQ(entry->credentials().password(), kServerPass);
   EXPECT_EQ(entry, cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                                      NetworkIsolationKey(), kServerPath));
+                                      NetworkAnonymizationKey(), kServerPath));
   EXPECT_FALSE(cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm1,
                             HttpAuth::AUTH_SCHEME_BASIC,
-                            NetworkIsolationKey()));
+                            NetworkAnonymizationKey()));
   EXPECT_FALSE(cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_PROXY,
-                                  NetworkIsolationKey(), kServerPath));
+                                  NetworkAnonymizationKey(), kServerPath));
 
   // Add AUTH_PROXY entry with same SchemeHostPort and realm but different
   // credentials.
   cache.Add(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm1,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "Basic realm=Realm1", AuthCredentials(kProxyUser, kProxyPass), "/");
 
   // Make sure credentials are only accessible with the corresponding target.
   entry = cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(entry->credentials().username(), kServerUser);
   EXPECT_EQ(entry->credentials().password(), kServerPass);
   EXPECT_EQ(entry, cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                                      NetworkIsolationKey(), kServerPath));
+                                      NetworkAnonymizationKey(), kServerPath));
   entry = cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm1,
-                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(entry->credentials().username(), kProxyUser);
   EXPECT_EQ(entry->credentials().password(), kProxyPass);
   EXPECT_EQ(entry, cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_PROXY,
-                                      NetworkIsolationKey(), "/"));
+                                      NetworkAnonymizationKey(), "/"));
 
   // Remove the AUTH_SERVER entry.
   EXPECT_TRUE(cache.Remove(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                           HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                           HttpAuth::AUTH_SCHEME_BASIC,
+                           NetworkAnonymizationKey(),
                            AuthCredentials(kServerUser, kServerPass)));
 
   // Verify that only the AUTH_SERVER entry was removed.
   EXPECT_FALSE(cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
                             HttpAuth::AUTH_SCHEME_BASIC,
-                            NetworkIsolationKey()));
+                            NetworkAnonymizationKey()));
   EXPECT_FALSE(cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                                  NetworkIsolationKey(), kServerPath));
+                                  NetworkAnonymizationKey(), kServerPath));
   entry = cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm1,
-                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(entry->credentials().username(), kProxyUser);
   EXPECT_EQ(entry->credentials().password(), kProxyPass);
   EXPECT_EQ(entry, cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_PROXY,
-                                      NetworkIsolationKey(), "/"));
+                                      NetworkAnonymizationKey(), "/"));
 
   // Remove the AUTH_PROXY entry.
   EXPECT_TRUE(cache.Remove(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm1,
-                           HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                           HttpAuth::AUTH_SCHEME_BASIC,
+                           NetworkAnonymizationKey(),
                            AuthCredentials(kProxyUser, kProxyPass)));
 
   // Verify that neither entry remains.
   EXPECT_FALSE(cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
                             HttpAuth::AUTH_SCHEME_BASIC,
-                            NetworkIsolationKey()));
+                            NetworkAnonymizationKey()));
   EXPECT_FALSE(cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                                  NetworkIsolationKey(), kServerPath));
+                                  NetworkAnonymizationKey(), kServerPath));
   EXPECT_FALSE(cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm1,
                             HttpAuth::AUTH_SCHEME_BASIC,
-                            NetworkIsolationKey()));
+                            NetworkAnonymizationKey()));
   EXPECT_FALSE(cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_PROXY,
-                                  NetworkIsolationKey(), "/"));
+                                  NetworkAnonymizationKey(), "/"));
 }
 
-// Make sure server credentials with different NetworkIsolationKeys are treated
-// separately if |key_entries_by_network_isolation_key| is set to true.
-TEST(HttpAuthCacheTest, SeparateServersByNetworkIsolationKey) {
+// Make sure server credentials with different NetworkAnonymizationKeys are
+// treated separately if |key_entries_by_network_anonymization_key| is set to
+// true.
+TEST(HttpAuthCacheTest, SeparateServersByNetworkAnonymizationKey) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   url::SchemeHostPort kSchemeHostPort(GURL("http://www.google.com"));
   const char kPath[] = "/";
@@ -346,55 +352,58 @@ TEST(HttpAuthCacheTest, SeparateServersByNetworkIsolationKey) {
   const std::u16string kUser2 = u"user2";
   const std::u16string kPass2 = u"pass2";
 
-  for (bool key_entries_by_network_isolation_key : {false, true}) {
-    HttpAuthCache cache(key_entries_by_network_isolation_key);
+  for (bool key_entries_by_network_anonymization_key : {false, true}) {
+    HttpAuthCache cache(key_entries_by_network_anonymization_key);
     HttpAuthCache::Entry* entry;
 
-    // Add entry for kNetworkIsolationKey1.
+    // Add entry for kNetworkAnonymizationKey1.
     cache.Add(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
-              HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1,
+              HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1,
               "Basic realm=Realm1", AuthCredentials(kUser1, kPass1), kPath);
 
-    entry = cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
-                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+    entry =
+        cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
+                     HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
     ASSERT_TRUE(entry);
     EXPECT_EQ(entry->credentials().username(), kUser1);
     EXPECT_EQ(entry->credentials().password(), kPass1);
     EXPECT_EQ(entry, cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_SERVER,
-                                        kNetworkIsolationKey1, kPath));
-    if (key_entries_by_network_isolation_key) {
+                                        kNetworkAnonymizationKey1, kPath));
+    if (key_entries_by_network_anonymization_key) {
       EXPECT_FALSE(cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
                                 HttpAuth::AUTH_SCHEME_BASIC,
-                                kNetworkIsolationKey2));
+                                kNetworkAnonymizationKey2));
       EXPECT_FALSE(cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_SERVER,
-                                      kNetworkIsolationKey2, kPath));
+                                      kNetworkAnonymizationKey2, kPath));
     } else {
       EXPECT_EQ(entry, cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER,
                                     kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
-                                    kNetworkIsolationKey2));
+                                    kNetworkAnonymizationKey2));
       EXPECT_EQ(entry,
                 cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_SERVER,
-                                   kNetworkIsolationKey2, kPath));
+                                   kNetworkAnonymizationKey2, kPath));
     }
 
-    // Add entry for kNetworkIsolationKey2.
+    // Add entry for kNetworkAnonymizationKey2.
     cache.Add(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
-              HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2,
+              HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2,
               "Basic realm=Realm1", AuthCredentials(kUser2, kPass2), kPath);
 
-    entry = cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
-                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2);
+    entry =
+        cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
+                     HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2);
     ASSERT_TRUE(entry);
     EXPECT_EQ(entry->credentials().username(), kUser2);
     EXPECT_EQ(entry->credentials().password(), kPass2);
     EXPECT_EQ(entry, cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_SERVER,
-                                        kNetworkIsolationKey2, kPath));
-    entry = cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
-                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+                                        kNetworkAnonymizationKey2, kPath));
+    entry =
+        cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
+                     HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
     ASSERT_TRUE(entry);
     EXPECT_EQ(entry, cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_SERVER,
-                                        kNetworkIsolationKey1, kPath));
-    if (key_entries_by_network_isolation_key) {
+                                        kNetworkAnonymizationKey1, kPath));
+    if (key_entries_by_network_anonymization_key) {
       EXPECT_EQ(entry->credentials().username(), kUser1);
       EXPECT_EQ(entry->credentials().password(), kPass1);
     } else {
@@ -404,40 +413,42 @@ TEST(HttpAuthCacheTest, SeparateServersByNetworkIsolationKey) {
 
     // Remove the entry that was just added.
     EXPECT_TRUE(cache.Remove(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
-                             HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2,
+                             HttpAuth::AUTH_SCHEME_BASIC,
+                             kNetworkAnonymizationKey2,
                              AuthCredentials(kUser2, kPass2)));
 
     EXPECT_FALSE(cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
                               HttpAuth::AUTH_SCHEME_BASIC,
-                              kNetworkIsolationKey2));
+                              kNetworkAnonymizationKey2));
     EXPECT_FALSE(cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_SERVER,
-                                    kNetworkIsolationKey2, kPath));
-    if (key_entries_by_network_isolation_key) {
-      entry = cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
-                           HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+                                    kNetworkAnonymizationKey2, kPath));
+    if (key_entries_by_network_anonymization_key) {
+      entry =
+          cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
+                       HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
       ASSERT_TRUE(entry);
       EXPECT_EQ(entry->credentials().username(), kUser1);
       EXPECT_EQ(entry->credentials().password(), kPass1);
       EXPECT_EQ(entry,
                 cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_SERVER,
-                                   kNetworkIsolationKey1, kPath));
+                                   kNetworkAnonymizationKey1, kPath));
     } else {
       EXPECT_FALSE(cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
                                 HttpAuth::AUTH_SCHEME_BASIC,
-                                kNetworkIsolationKey1));
+                                kNetworkAnonymizationKey1));
       EXPECT_FALSE(cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_SERVER,
-                                      kNetworkIsolationKey1, kPath));
+                                      kNetworkAnonymizationKey1, kPath));
     }
   }
 }
 
-// Make sure added proxy credentials ignore NetworkIsolationKey, even if if
-// |key_entries_by_network_isolation_key| is set to true.
-TEST(HttpAuthCacheTest, NeverSeparateProxiesByNetworkIsolationKey) {
+// Make sure added proxy credentials ignore NetworkAnonymizationKey, even if if
+// |key_entries_by_network_anonymization_key| is set to true.
+TEST(HttpAuthCacheTest, NeverSeparateProxiesByNetworkAnonymizationKey) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   url::SchemeHostPort kSchemeHostPort(GURL("http://www.google.com"));
   const char kPath[] = "/";
@@ -447,71 +458,75 @@ TEST(HttpAuthCacheTest, NeverSeparateProxiesByNetworkIsolationKey) {
   const std::u16string kUser2 = u"user2";
   const std::u16string kPass2 = u"pass2";
 
-  for (bool key_entries_by_network_isolation_key : {false, true}) {
-    HttpAuthCache cache(key_entries_by_network_isolation_key);
+  for (bool key_entries_by_network_anonymization_key : {false, true}) {
+    HttpAuthCache cache(key_entries_by_network_anonymization_key);
     HttpAuthCache::Entry* entry;
 
-    // Add entry for kNetworkIsolationKey1.
+    // Add entry for kNetworkAnonymizationKey1.
     cache.Add(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
-              HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1,
+              HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1,
               "Basic realm=Realm1", AuthCredentials(kUser1, kPass1), kPath);
 
-    entry = cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
-                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+    entry =
+        cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
+                     HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
     ASSERT_TRUE(entry);
     EXPECT_EQ(entry->credentials().username(), kUser1);
     EXPECT_EQ(entry->credentials().password(), kPass1);
     EXPECT_EQ(entry, cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_PROXY,
-                                        kNetworkIsolationKey1, kPath));
-    EXPECT_EQ(entry,
-              cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
-                           HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+                                        kNetworkAnonymizationKey1, kPath));
+    EXPECT_EQ(entry, cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY,
+                                  kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+                                  kNetworkAnonymizationKey2));
     EXPECT_EQ(entry, cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_PROXY,
-                                        kNetworkIsolationKey2, kPath));
+                                        kNetworkAnonymizationKey2, kPath));
 
-    // Add entry for kNetworkIsolationKey2. It should overwrite the entry for
-    // kNetworkIsolationKey1.
+    // Add entry for kNetworkAnonymizationKey2. It should overwrite the entry
+    // for kNetworkAnonymizationKey1.
     cache.Add(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
-              HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2,
+              HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2,
               "Basic realm=Realm1", AuthCredentials(kUser2, kPass2), kPath);
 
-    entry = cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
-                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2);
+    entry =
+        cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
+                     HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2);
     ASSERT_TRUE(entry);
     EXPECT_EQ(entry->credentials().username(), kUser2);
     EXPECT_EQ(entry->credentials().password(), kPass2);
     EXPECT_EQ(entry, cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_PROXY,
-                                        kNetworkIsolationKey2, kPath));
-    EXPECT_EQ(entry,
-              cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
-                           HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1));
+                                        kNetworkAnonymizationKey2, kPath));
+    EXPECT_EQ(entry, cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY,
+                                  kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+                                  kNetworkAnonymizationKey1));
     EXPECT_EQ(entry, cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_PROXY,
-                                        kNetworkIsolationKey1, kPath));
+                                        kNetworkAnonymizationKey1, kPath));
 
-    // Remove the entry that was just added using an empty NetworkIsolationKey.
+    // Remove the entry that was just added using an empty
+    // NetworkAnonymizationKey.
     EXPECT_TRUE(cache.Remove(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
-                             HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                             HttpAuth::AUTH_SCHEME_BASIC,
+                             NetworkAnonymizationKey(),
                              AuthCredentials(kUser2, kPass2)));
 
     EXPECT_FALSE(cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
                               HttpAuth::AUTH_SCHEME_BASIC,
-                              kNetworkIsolationKey2));
+                              kNetworkAnonymizationKey2));
     EXPECT_FALSE(cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_PROXY,
-                                    kNetworkIsolationKey2, kPath));
+                                    kNetworkAnonymizationKey2, kPath));
     EXPECT_FALSE(cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
                               HttpAuth::AUTH_SCHEME_BASIC,
-                              kNetworkIsolationKey1));
+                              kNetworkAnonymizationKey1));
     EXPECT_FALSE(cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_PROXY,
-                                    kNetworkIsolationKey1, kPath));
+                                    kNetworkAnonymizationKey1, kPath));
   }
 }
 
-// Test that SetKeyServerEntriesByNetworkIsolationKey() deletes server
+// Test that SetKeyServerEntriesByNetworkAnonymizationKey() deletes server
 // credentials when it toggles the setting. This test uses an empty
-// NetworkIsolationKey() for all entries, as the interesting part of this method
-// is what type entries are deleted, which doesn't depend on the
-// NetworkIsolationKey the entries use.
-TEST(HttpAuthCacheTest, SetKeyServerEntriesByNetworkIsolationKey) {
+// NetworkAnonymizationKey() for all entries, as the interesting part of this
+// method is what type entries are deleted, which doesn't depend on the
+// NetworkAnonymizationKey the entries use.
+TEST(HttpAuthCacheTest, SetKeyServerEntriesByNetworkAnonymizationKey) {
   const url::SchemeHostPort kSchemeHostPort(GURL("http://www.google.com"));
   const char kPath[] = "/";
 
@@ -520,44 +535,46 @@ TEST(HttpAuthCacheTest, SetKeyServerEntriesByNetworkIsolationKey) {
   const std::u16string kUser2 = u"user2";
   const std::u16string kPass2 = u"pass2";
 
-  for (bool initially_key_entries_by_network_isolation_key : {false, true}) {
-    for (bool to_key_entries_by_network_isolation_key : {false, true}) {
-      HttpAuthCache cache(initially_key_entries_by_network_isolation_key);
-      EXPECT_EQ(initially_key_entries_by_network_isolation_key,
-                cache.key_server_entries_by_network_isolation_key());
+  for (bool initially_key_entries_by_network_anonymization_key :
+       {false, true}) {
+    for (bool to_key_entries_by_network_anonymization_key : {false, true}) {
+      HttpAuthCache cache(initially_key_entries_by_network_anonymization_key);
+      EXPECT_EQ(initially_key_entries_by_network_anonymization_key,
+                cache.key_server_entries_by_network_anonymization_key());
 
       cache.Add(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
-                HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
                 "Basic realm=Realm1", AuthCredentials(kUser1, kPass1), kPath);
       cache.Add(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
-                HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
                 "Basic realm=Realm1", AuthCredentials(kUser2, kPass2), kPath);
 
       EXPECT_TRUE(cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_PROXY, kRealm1,
                                HttpAuth::AUTH_SCHEME_BASIC,
-                               NetworkIsolationKey()));
+                               NetworkAnonymizationKey()));
       EXPECT_TRUE(cache.Lookup(kSchemeHostPort, HttpAuth::AUTH_SERVER, kRealm1,
                                HttpAuth::AUTH_SCHEME_BASIC,
-                               NetworkIsolationKey()));
+                               NetworkAnonymizationKey()));
 
-      cache.SetKeyServerEntriesByNetworkIsolationKey(
-          to_key_entries_by_network_isolation_key);
-      EXPECT_EQ(to_key_entries_by_network_isolation_key,
-                cache.key_server_entries_by_network_isolation_key());
+      cache.SetKeyServerEntriesByNetworkAnonymizationKey(
+          to_key_entries_by_network_anonymization_key);
+      EXPECT_EQ(to_key_entries_by_network_anonymization_key,
+                cache.key_server_entries_by_network_anonymization_key());
 
       // AUTH_PROXY credentials should always remain in the cache.
-      HttpAuthCache::Entry* entry = cache.LookupByPath(
-          kSchemeHostPort, HttpAuth::AUTH_PROXY, NetworkIsolationKey(), kPath);
+      HttpAuthCache::Entry* entry =
+          cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_PROXY,
+                             NetworkAnonymizationKey(), kPath);
       ASSERT_TRUE(entry);
       EXPECT_EQ(entry->credentials().username(), kUser1);
       EXPECT_EQ(entry->credentials().password(), kPass1);
 
       entry = cache.LookupByPath(kSchemeHostPort, HttpAuth::AUTH_SERVER,
-                                 NetworkIsolationKey(), kPath);
+                                 NetworkAnonymizationKey(), kPath);
       // AUTH_SERVER credentials should only remain in the cache if the proxy
       // configuration changes.
-      EXPECT_EQ(initially_key_entries_by_network_isolation_key ==
-                    to_key_entries_by_network_isolation_key,
+      EXPECT_EQ(initially_key_entries_by_network_anonymization_key ==
+                    to_key_entries_by_network_anonymization_key,
                 !!entry);
       if (entry) {
         EXPECT_EQ(entry->credentials().username(), kUser2);
@@ -602,25 +619,27 @@ TEST(HttpAuthCacheTest, AddPath) {
 // Calling Add when the realm entry already exists, should append that
 // path.
 TEST(HttpAuthCacheTest, AddToExistingEntry) {
-  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache cache(false /* key_entries_by_network_anonymization_key */);
   url::SchemeHostPort scheme_host_port(GURL("http://www.foobar.com:70"));
   const std::string kAuthChallenge = "Basic realm=MyRealm";
   const std::string kRealm = "MyRealm";
 
   HttpAuthCache::Entry* orig_entry = cache.Add(
       scheme_host_port, HttpAuth::AUTH_SERVER, kRealm,
-      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(), kAuthChallenge,
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(), kAuthChallenge,
       CreateASCIICredentials("user1", "password1"), "/x/y/z/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(), kAuthChallenge,
-            CreateASCIICredentials("user2", "password2"), "/z/y/x/");
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
+            kAuthChallenge, CreateASCIICredentials("user2", "password2"),
+            "/z/y/x/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(), kAuthChallenge,
-            CreateASCIICredentials("user3", "password3"), "/z/y");
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
+            kAuthChallenge, CreateASCIICredentials("user3", "password3"),
+            "/z/y");
 
   HttpAuthCache::Entry* entry =
       cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm,
-                   HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+                   HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
 
   EXPECT_TRUE(entry == orig_entry);
   EXPECT_EQ(u"user3", entry->credentials().username());
@@ -634,75 +653,83 @@ TEST(HttpAuthCacheTest, AddToExistingEntry) {
 TEST(HttpAuthCacheTest, Remove) {
   url::SchemeHostPort scheme_host_port(GURL("http://foobar2.com"));
 
-  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache cache(false /* key_entries_by_network_anonymization_key */);
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm1", AuthCredentials(kAlice, k123), "/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm2", CreateASCIICredentials("bob", "princess"),
             "/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm3", AuthCredentials(kAdmin, kPassword), "/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-            HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey(),
             "digest realm=Realm3", AuthCredentials(kRoot, kWileCoyote), "/");
 
   // Fails, because there is no realm "Realm5".
   EXPECT_FALSE(cache.Remove(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm5,
-                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                            HttpAuth::AUTH_SCHEME_BASIC,
+                            NetworkAnonymizationKey(),
                             AuthCredentials(kAlice, k123)));
 
   // Fails because the origin is wrong.
-  EXPECT_FALSE(cache.Remove(url::SchemeHostPort(GURL("http://foobar2.com:100")),
-                            HttpAuth::AUTH_SERVER, kRealm1,
-                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
-                            AuthCredentials(kAlice, k123)));
+  EXPECT_FALSE(
+      cache.Remove(url::SchemeHostPort(GURL("http://foobar2.com:100")),
+                   HttpAuth::AUTH_SERVER, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+                   NetworkAnonymizationKey(), AuthCredentials(kAlice, k123)));
 
   // Fails because the username is wrong.
   EXPECT_FALSE(cache.Remove(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                            HttpAuth::AUTH_SCHEME_BASIC,
+                            NetworkAnonymizationKey(),
                             AuthCredentials(kAlice2, k123)));
 
   // Fails because the password is wrong.
   EXPECT_FALSE(cache.Remove(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                            HttpAuth::AUTH_SCHEME_BASIC,
+                            NetworkAnonymizationKey(),
                             AuthCredentials(kAlice, k1234)));
 
   // Fails because the authentication type is wrong.
   EXPECT_FALSE(cache.Remove(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                            HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+                            HttpAuth::AUTH_SCHEME_DIGEST,
+                            NetworkAnonymizationKey(),
                             AuthCredentials(kAlice, k123)));
 
   // Succeeds.
   EXPECT_TRUE(cache.Remove(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                           HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                           HttpAuth::AUTH_SCHEME_BASIC,
+                           NetworkAnonymizationKey(),
                            AuthCredentials(kAlice, k123)));
 
   // Fails because we just deleted the entry!
   EXPECT_FALSE(cache.Remove(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                            HttpAuth::AUTH_SCHEME_BASIC,
+                            NetworkAnonymizationKey(),
                             AuthCredentials(kAlice, k123)));
 
   // Succeed when there are two authentication types for the same origin,realm.
   EXPECT_TRUE(cache.Remove(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-                           HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+                           HttpAuth::AUTH_SCHEME_DIGEST,
+                           NetworkAnonymizationKey(),
                            AuthCredentials(kRoot, kWileCoyote)));
 
   // Succeed as above, but when entries were added in opposite order
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-            HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey(),
             "digest realm=Realm3", AuthCredentials(kRoot, kWileCoyote), "/");
   EXPECT_TRUE(cache.Remove(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-                           HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                           HttpAuth::AUTH_SCHEME_BASIC,
+                           NetworkAnonymizationKey(),
                            AuthCredentials(kAdmin, kPassword)));
 
   // Make sure that removing one entry still leaves the other available for
   // lookup.
   HttpAuthCache::Entry* entry =
       cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey());
   EXPECT_FALSE(nullptr == entry);
 }
 
@@ -714,31 +741,31 @@ TEST(HttpAuthCacheTest, ClearEntriesAddedBetween) {
   base::SimpleTestClock test_clock;
   test_clock.SetNow(start_time);
 
-  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache cache(false /* key_entries_by_network_anonymization_key */);
   cache.set_clock_for_testing(&test_clock);
 
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm1", AuthCredentials(kAlice, k123), "/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm2", AuthCredentials(kRoot, kWileCoyote), "/");
 
   test_clock.Advance(base::Seconds(10));  // Time now 12:00:10
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm3", AuthCredentials(kAlice2, k1234), "/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm4,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm4", AuthCredentials(kUsername, kPassword), "/");
   // Add path to existing entry.
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm2", AuthCredentials(kAdmin, kPassword), "/baz/");
 
   test_clock.Advance(base::Seconds(10));  // Time now 12:00:20
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm5,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm5", AuthCredentials(kAlice3, k12345), "/");
 
   base::Time test_time1;
@@ -748,41 +775,41 @@ TEST(HttpAuthCacheTest, ClearEntriesAddedBetween) {
   cache.ClearEntriesAddedBetween(test_time1, test_time2);
 
   // Realms 1 and 2 are older than 12:00:05 and should not be cleared
-  EXPECT_NE(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
-  EXPECT_NE(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+  EXPECT_NE(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
+  EXPECT_NE(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
 
   // Realms 5 is newer than 12:00:15 and should not be cleared
-  EXPECT_NE(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm5,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+  EXPECT_NE(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm5, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
 
   // Creation time is set for a whole entry rather than for a particular path.
   // Path added within the requested duration isn't be removed.
   EXPECT_NE(nullptr, cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                                        NetworkIsolationKey(), "/baz/"));
+                                        NetworkAnonymizationKey(), "/baz/"));
 
   // Realms 3 and 4 are between 12:00:05 and 12:00:10 and should be cleared.
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm4,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm4, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
 
   cache.ClearEntriesAddedBetween(start_time - base::Seconds(1),
                                  base::Time::Max());
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
   EXPECT_EQ(nullptr, cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                                        NetworkIsolationKey(), "/baz/"));
+                                        NetworkAnonymizationKey(), "/baz/"));
 }
 
 TEST(HttpAuthCacheTest, ClearEntriesAddedBetweenWithAllTimeValues) {
@@ -791,45 +818,45 @@ TEST(HttpAuthCacheTest, ClearEntriesAddedBetweenWithAllTimeValues) {
   base::SimpleTestClock test_clock;
   test_clock.SetNow(base::Time::Now());
 
-  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache cache(false /* key_entries_by_network_anonymization_key */);
   cache.set_clock_for_testing(&test_clock);
 
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm1", AuthCredentials(kAlice, k123), "/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm2", AuthCredentials(kRoot, kWileCoyote), "/");
 
   test_clock.Advance(base::Seconds(10));
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm3", AuthCredentials(kAlice2, k1234), "/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm4,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm4", AuthCredentials(kUsername, kPassword), "/");
   // Add path to existing entry.
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm2", AuthCredentials(kAdmin, kPassword), "/baz/");
 
   cache.ClearEntriesAddedBetween(base::Time::Min(), base::Time::Max());
 
   // All entries should be cleared.
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
   EXPECT_EQ(nullptr, cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                                        NetworkIsolationKey(), "/baz/"));
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm4,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+                                        NetworkAnonymizationKey(), "/baz/"));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm4, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
 }
 
 TEST(HttpAuthCacheTest, ClearAllEntries) {
@@ -838,54 +865,54 @@ TEST(HttpAuthCacheTest, ClearAllEntries) {
   base::SimpleTestClock test_clock;
   test_clock.SetNow(base::Time::Now());
 
-  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache cache(false /* key_entries_by_network_anonymization_key */);
   cache.set_clock_for_testing(&test_clock);
 
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm1", AuthCredentials(kAlice, k123), "/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm2", AuthCredentials(kRoot, kWileCoyote), "/");
 
   test_clock.Advance(base::Seconds(10));
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm3", AuthCredentials(kAlice2, k1234), "/");
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm4,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm4", AuthCredentials(kUsername, kPassword), "/");
   // Add path to existing entry.
   cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
             "basic realm=Realm2", AuthCredentials(kAdmin, kPassword), "/baz/");
 
   test_clock.Advance(base::Seconds(55));
   cache.ClearAllEntries();
 
   // All entries should be cleared.
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
   EXPECT_EQ(nullptr, cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_SERVER,
-                                        NetworkIsolationKey(), "/baz/"));
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm3,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
-  EXPECT_EQ(nullptr,
-            cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm4,
-                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+                                        NetworkAnonymizationKey(), "/baz/"));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
+  EXPECT_EQ(nullptr, cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
+                                  kRealm4, HttpAuth::AUTH_SCHEME_BASIC,
+                                  NetworkAnonymizationKey()));
 }
 
 TEST(HttpAuthCacheTest, UpdateStaleChallenge) {
-  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache cache(false /* key_entries_by_network_anonymization_key */);
   url::SchemeHostPort scheme_host_port(GURL("http://foobar2.com"));
   HttpAuthCache::Entry* entry_pre = cache.Add(
       scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-      HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+      HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey(),
       "Digest realm=Realm1,"
       "nonce=\"s3MzvFhaBAA=4c520af5acd9d8d7ae26947529d18c8eae1e98f4\"",
       CreateASCIICredentials("realm-digest-user", "realm-digest-password"),
@@ -898,7 +925,7 @@ TEST(HttpAuthCacheTest, UpdateStaleChallenge) {
 
   bool update_success = cache.UpdateStaleChallenge(
       scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-      HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+      HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey(),
       "Digest realm=Realm1,"
       "nonce=\"claGgoRXBAA=7583377687842fdb7b56ba0555d175baa0b800e3\","
       "stale=\"true\"");
@@ -908,14 +935,14 @@ TEST(HttpAuthCacheTest, UpdateStaleChallenge) {
   // the nonce count should be reset to 0.
   HttpAuthCache::Entry* entry_post =
       cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey());
   ASSERT_TRUE(entry_post != nullptr);
   EXPECT_EQ(2, entry_post->IncrementNonceCount());
 
   // UpdateStaleChallenge will fail if an entry doesn't exist in the cache.
   bool update_failure = cache.UpdateStaleChallenge(
       scheme_host_port, HttpAuth::AUTH_SERVER, kRealm2,
-      HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+      HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey(),
       "Digest realm=Realm2,"
       "nonce=\"claGgoRXBAA=7583377687842fdb7b56ba0555d175baa0b800e3\","
       "stale=\"true\"");
@@ -927,64 +954,66 @@ TEST(HttpAuthCacheTest, CopyProxyEntriesFrom) {
   std::string path("/some/path");
   std::string another_path("/another/path");
 
-  HttpAuthCache first_cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache first_cache(
+      false /* key_entries_by_network_anonymization_key */);
   HttpAuthCache::Entry* entry;
 
   first_cache.Add(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm1,
-                  HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                  HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
                   "basic realm=Realm1", AuthCredentials(kAlice, k123), path);
   first_cache.Add(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm2,
-                  HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                  HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
                   "basic realm=Realm2", AuthCredentials(kAlice2, k1234), path);
   first_cache.Add(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm3,
-                  HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+                  HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey(),
                   "digest realm=Realm3", AuthCredentials(kRoot, kWileCoyote),
                   path);
   entry = first_cache.Add(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm3,
-                          HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
-                          "digest realm=Realm3",
+                          HttpAuth::AUTH_SCHEME_DIGEST,
+                          NetworkAnonymizationKey(), "digest realm=Realm3",
                           AuthCredentials(kRoot, kWileCoyote), another_path);
 
   EXPECT_EQ(2, entry->IncrementNonceCount());
 
   // Server entry, which should not be copied.
   first_cache.Add(scheme_host_port, HttpAuth::AUTH_SERVER, kRealm1,
-                  HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                  HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
                   "basic realm=Realm1", AuthCredentials(kAlice, k123), path);
 
-  HttpAuthCache second_cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache second_cache(
+      false /* key_entries_by_network_anonymization_key */);
   // Will be overwritten by kRoot:kWileCoyote.
   second_cache.Add(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm3,
-                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkAnonymizationKey(),
                    "digest realm=Realm3", AuthCredentials(kAlice2, k1234),
                    path);
   // Should be left intact.
   second_cache.Add(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm4,
-                   HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                   HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
                    "basic realm=Realm4", AuthCredentials(kAdmin, kRoot), path);
 
   second_cache.CopyProxyEntriesFrom(first_cache);
 
   // Copied from first_cache.
-  entry =
-      second_cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm1,
-                          HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  entry = second_cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm1,
+                              HttpAuth::AUTH_SCHEME_BASIC,
+                              NetworkAnonymizationKey());
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kAlice, entry->credentials().username());
   EXPECT_EQ(k123, entry->credentials().password());
 
   // Copied from first_cache.
-  entry =
-      second_cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm2,
-                          HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  entry = second_cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm2,
+                              HttpAuth::AUTH_SCHEME_BASIC,
+                              NetworkAnonymizationKey());
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kAlice2, entry->credentials().username());
   EXPECT_EQ(k1234, entry->credentials().password());
 
   // Overwritten from first_cache.
-  entry =
-      second_cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm3,
-                          HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
+  entry = second_cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm3,
+                              HttpAuth::AUTH_SCHEME_DIGEST,
+                              NetworkAnonymizationKey());
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kRoot, entry->credentials().username());
   EXPECT_EQ(kWileCoyote, entry->credentials().password());
@@ -993,15 +1022,15 @@ TEST(HttpAuthCacheTest, CopyProxyEntriesFrom) {
 
   // All paths should get copied.
   entry = second_cache.LookupByPath(scheme_host_port, HttpAuth::AUTH_PROXY,
-                                    NetworkIsolationKey(), another_path);
+                                    NetworkAnonymizationKey(), another_path);
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kRoot, entry->credentials().username());
   EXPECT_EQ(kWileCoyote, entry->credentials().password());
 
   // Left intact in second_cache.
-  entry =
-      second_cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm4,
-                          HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  entry = second_cache.Lookup(scheme_host_port, HttpAuth::AUTH_PROXY, kRealm4,
+                              HttpAuth::AUTH_SCHEME_BASIC,
+                              NetworkAnonymizationKey());
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kAdmin, entry->credentials().username());
   EXPECT_EQ(kRoot, entry->credentials().password());
@@ -1009,10 +1038,10 @@ TEST(HttpAuthCacheTest, CopyProxyEntriesFrom) {
   // AUTH_SERVER entry should not have been copied from first_cache.
   EXPECT_TRUE(first_cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
                                  kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
-                                 NetworkIsolationKey()));
+                                 NetworkAnonymizationKey()));
   EXPECT_FALSE(second_cache.Lookup(scheme_host_port, HttpAuth::AUTH_SERVER,
                                    kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
-                                   NetworkIsolationKey()));
+                                   NetworkAnonymizationKey()));
 }
 
 // Test fixture class for eviction tests (contains helpers for bulk
@@ -1021,7 +1050,7 @@ class HttpAuthCacheEvictionTest : public testing::Test {
  protected:
   HttpAuthCacheEvictionTest()
       : scheme_host_port_(GURL("http://www.google.com")),
-        cache_(false /* key_entries_by_network_isolation_key */) {}
+        cache_(false /* key_entries_by_network_anonymization_key */) {}
 
   std::string GenerateRealm(int realm_i) {
     return base::StringPrintf("Realm %d", realm_i);
@@ -1037,7 +1066,7 @@ class HttpAuthCacheEvictionTest : public testing::Test {
 
   void AddPathToRealm(int realm_i, int path_i) {
     cache_.Add(scheme_host_port_, HttpAuth::AUTH_SERVER, GenerateRealm(realm_i),
-               HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+               HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
                std::string(), AuthCredentials(kUsername, kPassword),
                GeneratePath(realm_i, path_i));
   }
@@ -1045,7 +1074,7 @@ class HttpAuthCacheEvictionTest : public testing::Test {
   void CheckRealmExistence(int realm_i, bool exists) {
     const HttpAuthCache::Entry* entry = cache_.Lookup(
         scheme_host_port_, HttpAuth::AUTH_SERVER, GenerateRealm(realm_i),
-        HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+        HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey());
     if (exists) {
       EXPECT_FALSE(entry == nullptr);
       EXPECT_EQ(GenerateRealm(realm_i), entry->realm());
@@ -1056,7 +1085,7 @@ class HttpAuthCacheEvictionTest : public testing::Test {
 
   void CheckPathExistence(int realm_i, int path_i, bool exists) {
     const HttpAuthCache::Entry* entry = cache_.LookupByPath(
-        scheme_host_port_, HttpAuth::AUTH_SERVER, NetworkIsolationKey(),
+        scheme_host_port_, HttpAuth::AUTH_SERVER, NetworkAnonymizationKey(),
         GeneratePath(realm_i, path_i));
     if (exists) {
       EXPECT_FALSE(entry == nullptr);
diff --git a/chromium/net/http/http_auth_challenge_tokenizer.cc b/chromium/net/http/http_auth_challenge_tokenizer.cc
index 2c5006f06bc..4fd48aadc75 100644
--- a/chromium/net/http/http_auth_challenge_tokenizer.cc
+++ b/chromium/net/http/http_auth_challenge_tokenizer.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_challenge_tokenizer.h b/chromium/net/http/http_auth_challenge_tokenizer.h
index 400817855af..9fa384a4c1a 100644
--- a/chromium/net/http/http_auth_challenge_tokenizer.h
+++ b/chromium/net/http/http_auth_challenge_tokenizer.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_challenge_tokenizer_fuzzer.cc b/chromium/net/http/http_auth_challenge_tokenizer_fuzzer.cc
index 92813449b50..b1a685deb7f 100644
--- a/chromium/net/http/http_auth_challenge_tokenizer_fuzzer.cc
+++ b/chromium/net/http/http_auth_challenge_tokenizer_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_challenge_tokenizer_unittest.cc b/chromium/net/http/http_auth_challenge_tokenizer_unittest.cc
index 8921fb99422..8e1d4a11300 100644
--- a/chromium/net/http/http_auth_challenge_tokenizer_unittest.cc
+++ b/chromium/net/http/http_auth_challenge_tokenizer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_controller.cc b/chromium/net/http/http_auth_controller.cc
index 01809ad2869..81f79ca4d75 100644
--- a/chromium/net/http/http_auth_controller.cc
+++ b/chromium/net/http/http_auth_controller.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -43,7 +43,7 @@ base::Value ControllerParamsToValue(HttpAuth::Target target, const GURL& url) {
 HttpAuthController::HttpAuthController(
     HttpAuth::Target target,
     const GURL& auth_url,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     HttpAuthCache* http_auth_cache,
     HttpAuthHandlerFactory* http_auth_handler_factory,
     HostResolver* host_resolver)
@@ -51,7 +51,7 @@ HttpAuthController::HttpAuthController(
       auth_url_(auth_url),
       auth_scheme_host_port_(auth_url),
       auth_path_(auth_url.path()),
-      network_isolation_key_(network_isolation_key),
+      network_anonymization_key_(network_anonymization_key),
       http_auth_cache_(http_auth_cache),
       http_auth_handler_factory_(http_auth_handler_factory),
       host_resolver_(host_resolver) {
@@ -124,7 +124,7 @@ bool HttpAuthController::SelectPreemptiveAuth(
   // the number of http auth cache entries is expected to be very small.
   // (For most users in fact, it will be 0.)
   HttpAuthCache::Entry* entry = http_auth_cache_->LookupByPath(
-      auth_scheme_host_port_, target_, network_isolation_key_, auth_path_);
+      auth_scheme_host_port_, target_, network_anonymization_key_, auth_path_);
   if (!entry)
     return false;
 
@@ -134,7 +134,7 @@ bool HttpAuthController::SelectPreemptiveAuth(
   std::unique_ptr<HttpAuthHandler> handler_preemptive;
   int rv_create =
       http_auth_handler_factory_->CreatePreemptiveAuthHandlerFromString(
-          entry->auth_challenge(), target_, network_isolation_key_,
+          entry->auth_challenge(), target_, network_anonymization_key_,
           auth_scheme_host_port_, entry->IncrementNonceCount(), net_log_,
           host_resolver_, &handler_preemptive);
   if (rv_create != OK)
@@ -196,7 +196,7 @@ int HttpAuthController::HandleAuthChallenge(
       case HttpAuth::AUTHORIZATION_RESULT_STALE:
         if (http_auth_cache_->UpdateStaleChallenge(
                 auth_scheme_host_port_, target_, handler_->realm(),
-                handler_->auth_scheme(), network_isolation_key_,
+                handler_->auth_scheme(), network_anonymization_key_,
                 challenge_used)) {
           InvalidateCurrentHandler(INVALIDATE_HANDLER);
         } else {
@@ -230,10 +230,10 @@ int HttpAuthController::HandleAuthChallenge(
   do {
     if (!handler_.get() && can_send_auth) {
       // Find the best authentication challenge that we support.
-      HttpAuth::ChooseBestChallenge(http_auth_handler_factory_, *headers,
-                                    ssl_info, network_isolation_key_, target_,
-                                    auth_scheme_host_port_, disabled_schemes_,
-                                    net_log_, host_resolver_, &handler_);
+      HttpAuth::ChooseBestChallenge(
+          http_auth_handler_factory_, *headers, ssl_info,
+          network_anonymization_key_, target_, auth_scheme_host_port_,
+          disabled_schemes_, net_log_, host_resolver_, &handler_);
     }
 
     if (!handler_.get()) {
@@ -321,7 +321,7 @@ void HttpAuthController::ResetAuth(const AuthCredentials& credentials) {
       break;
     default:
       http_auth_cache_->Add(auth_scheme_host_port_, target_, handler_->realm(),
-                            handler_->auth_scheme(), network_isolation_key_,
+                            handler_->auth_scheme(), network_anonymization_key_,
                             handler_->challenge(), identity_.credentials,
                             auth_path_);
       break;
@@ -371,7 +371,7 @@ void HttpAuthController::InvalidateRejectedAuthFromCache() {
   // Note: we require the credentials to match before invalidating
   // since the entry in the cache may be newer than what we used last time.
   http_auth_cache_->Remove(auth_scheme_host_port_, target_, handler_->realm(),
-                           handler_->auth_scheme(), network_isolation_key_,
+                           handler_->auth_scheme(), network_anonymization_key_,
                            identity_.credentials);
 }
 
@@ -423,7 +423,7 @@ bool HttpAuthController::SelectNextAuthIdentityToTry() {
   // Check the auth cache for a realm entry.
   HttpAuthCache::Entry* entry = http_auth_cache_->Lookup(
       auth_scheme_host_port_, target_, handler_->realm(),
-      handler_->auth_scheme(), network_isolation_key_);
+      handler_->auth_scheme(), network_anonymization_key_);
 
   if (entry) {
     identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
diff --git a/chromium/net/http/http_auth_controller.h b/chromium/net/http/http_auth_controller.h
index 6b346bd1be7..a30aec26671 100644
--- a/chromium/net/http/http_auth_controller.h
+++ b/chromium/net/http/http_auth_controller.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,7 +14,7 @@
 #include "base/threading/thread_checker.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/http/http_auth.h"
 #include "net/http/http_auth_preferences.h"
 #include "net/log/net_log_with_source.h"
@@ -62,9 +62,10 @@ class NET_EXPORT_PRIVATE HttpAuthController
   //       If |target| is PROXY, then |auth_url| should have no hierarchical
   //       part since that is meaningless.
   //
-  // * |network_isolation_key| specifies the NetworkIsolationKey associated with
+  // * |network_anonymization_key| specifies the NetworkAnonymizationKey
+  // associated with
   //       the resource load. Depending on settings, credentials may be scoped
-  //       to a single NetworkIsolationKey.
+  //       to a single NetworkAnonymizationKey.
   //
   // * |http_auth_cache| specifies the credentials cache to use. During
   //       authentication if explicit (user-provided) credentials are used and
@@ -87,7 +88,7 @@ class NET_EXPORT_PRIVATE HttpAuthController
   //       context allows ambient authentication using default credentials.
   HttpAuthController(HttpAuth::Target target,
                      const GURL& auth_url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      HttpAuthCache* http_auth_cache,
                      HttpAuthHandlerFactory* http_auth_handler_factory,
                      HostResolver* host_resolver);
@@ -203,8 +204,8 @@ class NET_EXPORT_PRIVATE HttpAuthController
   // For proxy authentication, the path is empty.
   const std::string auth_path_;
 
-  // NetworkIsolationKey associated with the request.
-  const NetworkIsolationKey network_isolation_key_;
+  // NetworkAnonymizationKey associated with the request.
+  const NetworkAnonymizationKey network_anonymization_key_;
 
   // |handler_| encapsulates the logic for the particular auth-scheme.
   // This includes the challenge's parameters. If nullptr, then there is no
diff --git a/chromium/net/http/http_auth_controller_unittest.cc b/chromium/net/http/http_auth_controller_unittest.cc
index c553b83d33f..1a2c5a191ab 100644
--- a/chromium/net/http/http_auth_controller_unittest.cc
+++ b/chromium/net/http/http_auth_controller_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,6 +7,7 @@
 #include <algorithm>
 #include <utility>
 
+#include "base/ranges/algorithm.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/test/task_environment.h"
 #include "net/base/net_errors.h"
@@ -57,7 +58,7 @@ void RunSingleRoundAuthTest(
     SchemeState scheme_state,
     const NetLogWithSource& net_log = NetLogWithSource()) {
   HttpAuthCache dummy_auth_cache(
-      false /* key_server_entries_by_network_isolation_key */);
+      false /* key_server_entries_by_network_anonymization_key */);
 
   HttpRequestInfo request;
   request.method = "GET";
@@ -80,7 +81,7 @@ void RunSingleRoundAuthTest(
   scoped_refptr<HttpAuthController> controller(
       base::MakeRefCounted<HttpAuthController>(
           HttpAuth::AUTH_PROXY, GURL("http://example.com"),
-          NetworkIsolationKey(), &dummy_auth_cache, &auth_handler_factory,
+          NetworkAnonymizationKey(), &dummy_auth_cache, &auth_handler_factory,
           host_resolver.get()));
   SSLInfo null_ssl_info;
   ASSERT_EQ(OK, controller->HandleAuthChallenge(headers, null_ssl_info, false,
@@ -147,8 +148,8 @@ TEST(HttpAuthControllerTest, Logging) {
   // There should be at least two events.
   ASSERT_GE(entries.size(), 2u);
 
-  auto begin = std::find_if(
-      entries.begin(), entries.end(), [](const NetLogEntry& e) -> bool {
+  auto begin =
+      base::ranges::find_if(entries, [](const NetLogEntry& e) {
         if (e.type != NetLogEventType::AUTH_CONTROLLER ||
             e.phase != NetLogEventPhase::BEGIN)
           return false;
@@ -163,12 +164,10 @@ TEST(HttpAuthControllerTest, Logging) {
         return true;
       });
   EXPECT_TRUE(begin != entries.end());
-  auto end = std::find_if(++begin, entries.end(),
-                          [](const NetLogEntry& e) -> bool {
-                            return e.type == NetLogEventType::AUTH_CONTROLLER &&
-                                   e.phase == NetLogEventPhase::END;
-                          });
-  EXPECT_TRUE(end != entries.end());
+  EXPECT_TRUE(std::any_of(++begin, entries.end(), [](const NetLogEntry& e) {
+    return e.type == NetLogEventType::AUTH_CONTROLLER &&
+           e.phase == NetLogEventPhase::END;
+  }));
 }
 
 // If an HttpAuthHandler indicates that it doesn't allow explicit
@@ -183,10 +182,11 @@ TEST(HttpAuthControllerTest, NoExplicitCredentialsAllowed) {
     }
 
    protected:
-    bool Init(HttpAuthChallengeTokenizer* challenge,
-              const SSLInfo& ssl_info,
-              const NetworkIsolationKey& network_isolation_key) override {
-      HttpAuthHandlerMock::Init(challenge, ssl_info, network_isolation_key);
+    bool Init(
+        HttpAuthChallengeTokenizer* challenge,
+        const SSLInfo& ssl_info,
+        const NetworkAnonymizationKey& network_anonymization_key) override {
+      HttpAuthHandlerMock::Init(challenge, ssl_info, network_anonymization_key);
       set_allows_default_credentials(true);
       set_allows_explicit_credentials(false);
       set_connection_based(true);
@@ -218,7 +218,7 @@ TEST(HttpAuthControllerTest, NoExplicitCredentialsAllowed) {
 
   NetLogWithSource dummy_log;
   HttpAuthCache dummy_auth_cache(
-      false /* key_server_entries_by_network_isolation_key */);
+      false /* key_server_entries_by_network_anonymization_key */);
   HttpRequestInfo request;
   request.method = "GET";
   request.url = GURL("http://example.com");
@@ -269,7 +269,7 @@ TEST(HttpAuthControllerTest, NoExplicitCredentialsAllowed) {
   scoped_refptr<HttpAuthController> controller(
       base::MakeRefCounted<HttpAuthController>(
           HttpAuth::AUTH_SERVER, GURL("http://example.com"),
-          NetworkIsolationKey(), &dummy_auth_cache, &auth_handler_factory,
+          NetworkAnonymizationKey(), &dummy_auth_cache, &auth_handler_factory,
           host_resolver.get()));
   SSLInfo null_ssl_info;
   ASSERT_EQ(OK, controller->HandleAuthChallenge(headers, null_ssl_info, false,
diff --git a/chromium/net/http/http_auth_filter.cc b/chromium/net/http/http_auth_filter.cc
index 4ba89ced773..255186c383c 100644
--- a/chromium/net/http/http_auth_filter.cc
+++ b/chromium/net/http/http_auth_filter.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_filter.h b/chromium/net/http/http_auth_filter.h
index f24b81dc906..de86a01a8a0 100644
--- a/chromium/net/http/http_auth_filter.h
+++ b/chromium/net/http/http_auth_filter.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_filter_unittest.cc b/chromium/net/http/http_auth_filter_unittest.cc
index dae854d45c9..67b8505672b 100644
--- a/chromium/net/http/http_auth_filter_unittest.cc
+++ b/chromium/net/http/http_auth_filter_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_gssapi_posix.cc b/chromium/net/http/http_auth_gssapi_posix.cc
index e3ab2d76ce6..326bc0decd3 100644
--- a/chromium/net/http/http_auth_gssapi_posix.cc
+++ b/chromium/net/http/http_auth_gssapi_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_gssapi_posix.h b/chromium/net/http/http_auth_gssapi_posix.h
index 3acd8bcbffa..903a1b72cc0 100644
--- a/chromium/net/http/http_auth_gssapi_posix.h
+++ b/chromium/net/http/http_auth_gssapi_posix.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_gssapi_posix_unittest.cc b/chromium/net/http/http_auth_gssapi_posix_unittest.cc
index 31076e26490..c474a27aa0e 100644
--- a/chromium/net/http/http_auth_gssapi_posix_unittest.cc
+++ b/chromium/net/http/http_auth_gssapi_posix_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_handler.cc b/chromium/net/http/http_auth_handler.cc
index eb138c893c3..a5bd1d6dbd9 100644
--- a/chromium/net/http/http_auth_handler.cc
+++ b/chromium/net/http/http_auth_handler.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -24,7 +24,7 @@ bool HttpAuthHandler::InitFromChallenge(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     const NetLogWithSource& net_log) {
   scheme_host_port_ = scheme_host_port;
@@ -35,7 +35,7 @@ bool HttpAuthHandler::InitFromChallenge(
 
   auth_challenge_ = challenge->challenge_text();
   net_log_.BeginEvent(NetLogEventType::AUTH_HANDLER_INIT);
-  bool ok = Init(challenge, ssl_info, network_isolation_key);
+  bool ok = Init(challenge, ssl_info, network_anonymization_key);
   net_log_.EndEvent(NetLogEventType::AUTH_HANDLER_INIT, [&]() {
     base::Value::Dict params;
     params.Set("succeeded", ok);
diff --git a/chromium/net/http/http_auth_handler.h b/chromium/net/http/http_auth_handler.h
index 5348b90c000..55689ab6e18 100644
--- a/chromium/net/http/http_auth_handler.h
+++ b/chromium/net/http/http_auth_handler.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,7 +15,7 @@
 
 namespace net {
 
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class HttpAuthChallengeTokenizer;
 struct HttpRequestInfo;
 class SSLInfo;
@@ -48,15 +48,16 @@ class NET_EXPORT_PRIVATE HttpAuthHandler {
   // |target| and |scheme_host_port| are both stored for later use, and are not
   //      part of the initial challenge.
   // |ssl_info| must be valid if the underlying connection used a certificate.
-  // |network_isolation_key| the NetworkIsolationKey associated with the
+  // |network_anonymization_key| the NetworkAnonymizationKey associated with the
   //      challenge. Used for host resolutions, if any are needed.
   // |net_log| to be used for logging.
-  bool InitFromChallenge(HttpAuthChallengeTokenizer* challenge,
-                         HttpAuth::Target target,
-                         const SSLInfo& ssl_info,
-                         const NetworkIsolationKey& network_isolation_key,
-                         const url::SchemeHostPort& scheme_host_port,
-                         const NetLogWithSource& net_log);
+  bool InitFromChallenge(
+      HttpAuthChallengeTokenizer* challenge,
+      HttpAuth::Target target,
+      const SSLInfo& ssl_info,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::SchemeHostPort& scheme_host_port,
+      const NetLogWithSource& net_log);
 
   // Determines how the previous authorization attempt was received.
   //
@@ -185,13 +186,15 @@ class NET_EXPORT_PRIVATE HttpAuthHandler {
   // If the request was sent over an encrypted connection, |ssl_info| is valid
   // and describes the connection.
   //
-  // NetworkIsolationKey is the NetworkIsolationKey associated with the request.
+  // NetworkAnonymizationKey is the NetworkAnonymizationKey associated with the
+  // request.
   //
   // Implementations are expected to initialize the following members:
   // scheme_, realm_, score_, properties_
-  virtual bool Init(HttpAuthChallengeTokenizer* challenge,
-                    const SSLInfo& ssl_info,
-                    const NetworkIsolationKey& network_isolation_key) = 0;
+  virtual bool Init(
+      HttpAuthChallengeTokenizer* challenge,
+      const SSLInfo& ssl_info,
+      const NetworkAnonymizationKey& network_anonymization_key) = 0;
 
   // |GenerateAuthTokenImpl()} is the auth-scheme specific implementation
   // of generating the next auth token. Callers should use |GenerateAuthToken()|
diff --git a/chromium/net/http/http_auth_handler_basic.cc b/chromium/net/http/http_auth_handler_basic.cc
index 4314d8b7faf..9b4eec2bd5f 100644
--- a/chromium/net/http/http_auth_handler_basic.cc
+++ b/chromium/net/http/http_auth_handler_basic.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -61,7 +61,7 @@ bool ParseRealm(const HttpAuthChallengeTokenizer& tokenizer,
 bool HttpAuthHandlerBasic::Init(
     HttpAuthChallengeTokenizer* challenge,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   auth_scheme_ = HttpAuth::AUTH_SCHEME_BASIC;
   score_ = 1;
   properties_ = 0;
@@ -118,7 +118,7 @@ int HttpAuthHandlerBasic::Factory::CreateAuthHandler(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     CreateReason reason,
     int digest_nonce_count,
@@ -134,8 +134,8 @@ int HttpAuthHandlerBasic::Factory::CreateAuthHandler(
   //                 method and only constructing when valid.
   auto tmp_handler = std::make_unique<HttpAuthHandlerBasic>();
   if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info,
-                                      network_isolation_key, scheme_host_port,
-                                      net_log)) {
+                                      network_anonymization_key,
+                                      scheme_host_port, net_log)) {
     return ERR_INVALID_RESPONSE;
   }
   *handler = std::move(tmp_handler);
diff --git a/chromium/net/http/http_auth_handler_basic.h b/chromium/net/http/http_auth_handler_basic.h
index c0391b36998..5ad2ebfe18a 100644
--- a/chromium/net/http/http_auth_handler_basic.h
+++ b/chromium/net/http/http_auth_handler_basic.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -23,16 +23,17 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerBasic : public HttpAuthHandler {
     Factory();
     ~Factory() override;
 
-    int CreateAuthHandler(HttpAuthChallengeTokenizer* challenge,
-                          HttpAuth::Target target,
-                          const SSLInfo& ssl_info,
-                          const NetworkIsolationKey& network_isolation_key,
-                          const url::SchemeHostPort& scheme_host_port,
-                          CreateReason reason,
-                          int digest_nonce_count,
-                          const NetLogWithSource& net_log,
-                          HostResolver* host_resolver,
-                          std::unique_ptr<HttpAuthHandler>* handler) override;
+    int CreateAuthHandler(
+        HttpAuthChallengeTokenizer* challenge,
+        HttpAuth::Target target,
+        const SSLInfo& ssl_info,
+        const NetworkAnonymizationKey& network_anonymization_key,
+        const url::SchemeHostPort& scheme_host_port,
+        CreateReason reason,
+        int digest_nonce_count,
+        const NetLogWithSource& net_log,
+        HostResolver* host_resolver,
+        std::unique_ptr<HttpAuthHandler>* handler) override;
   };
 
   ~HttpAuthHandlerBasic() override = default;
@@ -41,7 +42,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerBasic : public HttpAuthHandler {
   // HttpAuthHandler
   bool Init(HttpAuthChallengeTokenizer* challenge,
             const SSLInfo& ssl_info,
-            const NetworkIsolationKey& network_isolation_key) override;
+            const NetworkAnonymizationKey& network_anonymization_key) override;
   int GenerateAuthTokenImpl(const AuthCredentials* credentials,
                             const HttpRequestInfo* request,
                             CompletionOnceCallback callback,
diff --git a/chromium/net/http/http_auth_handler_basic_fuzzer.cc b/chromium/net/http/http_auth_handler_basic_fuzzer.cc
index 29299ab624e..d6054317651 100644
--- a/chromium/net/http/http_auth_handler_basic_fuzzer.cc
+++ b/chromium/net/http/http_auth_handler_basic_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -26,7 +26,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   net::HttpAuthHandlerBasic::Factory factory;
   factory.CreateAuthHandlerFromString(challenge, net::HttpAuth::AUTH_SERVER,
-                                      null_ssl_info, net::NetworkIsolationKey(),
+                                      null_ssl_info, net::NetworkAnonymizationKey(),
                                       scheme_host_port, net::NetLogWithSource(),
                                       host_resolver.get(), &basic);
   return 0;
diff --git a/chromium/net/http/http_auth_handler_basic_unittest.cc b/chromium/net/http/http_auth_handler_basic_unittest.cc
index 136041b70e5..c238b172098 100644
--- a/chromium/net/http/http_auth_handler_basic_unittest.cc
+++ b/chromium/net/http/http_auth_handler_basic_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,7 @@
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
@@ -51,7 +51,7 @@ TEST(HttpAuthHandlerBasicTest, GenerateAuthToken) {
     std::unique_ptr<HttpAuthHandler> basic;
     EXPECT_EQ(OK, factory.CreateAuthHandlerFromString(
                       challenge, HttpAuth::AUTH_SERVER, null_ssl_info,
-                      NetworkIsolationKey(), scheme_host_port,
+                      NetworkAnonymizationKey(), scheme_host_port,
                       NetLogWithSource(), host_resolver.get(), &basic));
     AuthCredentials credentials(base::ASCIIToUTF16(test.username),
                                 base::ASCIIToUTF16(test.password));
@@ -107,8 +107,8 @@ TEST(HttpAuthHandlerBasicTest, HandleAnotherChallenge) {
   std::unique_ptr<HttpAuthHandler> basic;
   EXPECT_EQ(OK, factory.CreateAuthHandlerFromString(
                     tests[0].challenge, HttpAuth::AUTH_SERVER, null_ssl_info,
-                    NetworkIsolationKey(), scheme_host_port, NetLogWithSource(),
-                    host_resolver.get(), &basic));
+                    NetworkAnonymizationKey(), scheme_host_port,
+                    NetLogWithSource(), host_resolver.get(), &basic));
 
   for (const auto& test : tests) {
     std::string challenge(test.challenge);
@@ -209,8 +209,9 @@ TEST(HttpAuthHandlerBasicTest, InitFromChallenge) {
     auto host_resolver = std::make_unique<MockHostResolver>();
     std::unique_ptr<HttpAuthHandler> basic;
     int rv = factory.CreateAuthHandlerFromString(
-        challenge, HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-        scheme_host_port, NetLogWithSource(), host_resolver.get(), &basic);
+        challenge, HttpAuth::AUTH_SERVER, null_ssl_info,
+        NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
+        host_resolver.get(), &basic);
     EXPECT_EQ(test.expected_rv, rv);
     if (rv == OK)
       EXPECT_EQ(test.expected_realm, basic->realm());
@@ -235,7 +236,7 @@ TEST(HttpAuthHandlerBasicTest, BasicAuthRequiresHTTPS) {
   // Ensure that HTTP is disallowed.
   EXPECT_THAT(factory.CreateAuthHandlerFromString(
                   challenge, HttpAuth::AUTH_SERVER, null_ssl_info,
-                  NetworkIsolationKey(), nonsecure_scheme_host_port,
+                  NetworkAnonymizationKey(), nonsecure_scheme_host_port,
                   NetLogWithSource(), host_resolver.get(), &basic),
               IsError(ERR_UNSUPPORTED_AUTH_SCHEME));
 
@@ -243,7 +244,7 @@ TEST(HttpAuthHandlerBasicTest, BasicAuthRequiresHTTPS) {
   url::SchemeHostPort secure_scheme_host_port(GURL("https://www.example.com"));
   EXPECT_THAT(factory.CreateAuthHandlerFromString(
                   challenge, HttpAuth::AUTH_SERVER, null_ssl_info,
-                  NetworkIsolationKey(), secure_scheme_host_port,
+                  NetworkAnonymizationKey(), secure_scheme_host_port,
                   NetLogWithSource(), host_resolver.get(), &basic),
               IsOk());
 }
diff --git a/chromium/net/http/http_auth_handler_digest.cc b/chromium/net/http/http_auth_handler_digest.cc
index 63c58b6892f..1baa39fc6df 100644
--- a/chromium/net/http/http_auth_handler_digest.cc
+++ b/chromium/net/http/http_auth_handler_digest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -92,7 +92,7 @@ int HttpAuthHandlerDigest::Factory::CreateAuthHandler(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     CreateReason reason,
     int digest_nonce_count,
@@ -104,8 +104,8 @@ int HttpAuthHandlerDigest::Factory::CreateAuthHandler(
   auto tmp_handler = base::WrapUnique(
       new HttpAuthHandlerDigest(digest_nonce_count, nonce_generator_.get()));
   if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info,
-                                      network_isolation_key, scheme_host_port,
-                                      net_log)) {
+                                      network_anonymization_key,
+                                      scheme_host_port, net_log)) {
     return ERR_INVALID_RESPONSE;
   }
   *handler = std::move(tmp_handler);
@@ -115,7 +115,7 @@ int HttpAuthHandlerDigest::Factory::CreateAuthHandler(
 bool HttpAuthHandlerDigest::Init(
     HttpAuthChallengeTokenizer* challenge,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   return ParseChallenge(challenge);
 }
 
diff --git a/chromium/net/http/http_auth_handler_digest.h b/chromium/net/http/http_auth_handler_digest.h
index 1d81a1f518d..c010ae7f29d 100644
--- a/chromium/net/http/http_auth_handler_digest.h
+++ b/chromium/net/http/http_auth_handler_digest.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -77,16 +77,17 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerDigest : public HttpAuthHandler {
     void set_nonce_generator(
         std::unique_ptr<const NonceGenerator> nonce_generator);
 
-    int CreateAuthHandler(HttpAuthChallengeTokenizer* challenge,
-                          HttpAuth::Target target,
-                          const SSLInfo& ssl_info,
-                          const NetworkIsolationKey& network_isolation_key,
-                          const url::SchemeHostPort& scheme_host_port,
-                          CreateReason reason,
-                          int digest_nonce_count,
-                          const NetLogWithSource& net_log,
-                          HostResolver* host_resolver,
-                          std::unique_ptr<HttpAuthHandler>* handler) override;
+    int CreateAuthHandler(
+        HttpAuthChallengeTokenizer* challenge,
+        HttpAuth::Target target,
+        const SSLInfo& ssl_info,
+        const NetworkAnonymizationKey& network_anonymization_key,
+        const url::SchemeHostPort& scheme_host_port,
+        CreateReason reason,
+        int digest_nonce_count,
+        const NetLogWithSource& net_log,
+        HostResolver* host_resolver,
+        std::unique_ptr<HttpAuthHandler>* handler) override;
 
    private:
     std::unique_ptr<const NonceGenerator> nonce_generator_;
@@ -98,7 +99,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerDigest : public HttpAuthHandler {
   // HttpAuthHandler
   bool Init(HttpAuthChallengeTokenizer* challenge,
             const SSLInfo& ssl_info,
-            const NetworkIsolationKey& network_isolation_key) override;
+            const NetworkAnonymizationKey& network_anonymization_key) override;
   int GenerateAuthTokenImpl(const AuthCredentials* credentials,
                             const HttpRequestInfo* request,
                             CompletionOnceCallback callback,
diff --git a/chromium/net/http/http_auth_handler_digest_fuzzer.cc b/chromium/net/http/http_auth_handler_digest_fuzzer.cc
index 4c258f872cd..cd35576042f 100644
--- a/chromium/net/http/http_auth_handler_digest_fuzzer.cc
+++ b/chromium/net/http/http_auth_handler_digest_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,7 +7,7 @@
 #include <memory>
 #include <string>
 
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_handler.h"
@@ -30,10 +30,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   std::unique_ptr<net::HttpAuthHandler> handler;
 
   net::HttpAuthHandlerDigest::Factory factory;
-  factory.CreateAuthHandlerFromString(challenge, net::HttpAuth::AUTH_SERVER,
-                                      null_ssl_info, net::NetworkIsolationKey(),
-                                      scheme_host_port, net::NetLogWithSource(),
-                                      host_resolver.get(), &handler);
+  factory.CreateAuthHandlerFromString(
+      challenge, net::HttpAuth::AUTH_SERVER, null_ssl_info,
+      net::NetworkAnonymizationKey(), scheme_host_port, net::NetLogWithSource(),
+      host_resolver.get(), &handler);
 
   if (handler) {
     auto followup = "Digest " + data_provider.ConsumeRemainingBytesAsString();
diff --git a/chromium/net/http/http_auth_handler_digest_unittest.cc b/chromium/net/http/http_auth_handler_digest_unittest.cc
index cba4635bee3..835321630db 100644
--- a/chromium/net/http/http_auth_handler_digest_unittest.cc
+++ b/chromium/net/http/http_auth_handler_digest_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,7 +9,7 @@
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
@@ -68,8 +68,8 @@ bool RespondToChallenge(HttpAuth::Target target,
   url::SchemeHostPort scheme_host_port(
       target == HttpAuth::AUTH_SERVER ? GURL(request_url) : GURL(proxy_name));
   int rv_create = factory->CreateAuthHandlerFromString(
-      challenge, target, null_ssl_info, NetworkIsolationKey(), scheme_host_port,
-      NetLogWithSource(), host_resolver.get(), &handler);
+      challenge, target, null_ssl_info, NetworkAnonymizationKey(),
+      scheme_host_port, NetLogWithSource(), host_resolver.get(), &handler);
   if (rv_create != OK || handler.get() == nullptr) {
     ADD_FAILURE() << "Unable to create auth handler.";
     return false;
@@ -369,7 +369,7 @@ TEST(HttpAuthHandlerDigestTest, ParseChallenge) {
     std::unique_ptr<HttpAuthHandler> handler;
     int rv = factory->CreateAuthHandlerFromString(
         test.challenge, HttpAuth::AUTH_SERVER, null_ssl_info,
-        NetworkIsolationKey(), scheme_host_port, NetLogWithSource(),
+        NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
         host_resolver.get(), &handler);
     if (test.parsed_success) {
       EXPECT_THAT(rv, IsOk());
@@ -534,7 +534,7 @@ TEST(HttpAuthHandlerDigestTest, AssembleCredentials) {
     std::unique_ptr<HttpAuthHandler> handler;
     int rv = factory->CreateAuthHandlerFromString(
         test.challenge, HttpAuth::AUTH_SERVER, null_ssl_info,
-        NetworkIsolationKey(), scheme_host_port, NetLogWithSource(),
+        NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
         host_resolver.get(), &handler);
     EXPECT_THAT(rv, IsOk());
     ASSERT_TRUE(handler != nullptr);
@@ -561,7 +561,7 @@ TEST(HttpAuthHandlerDigest, HandleAnotherChallenge) {
   SSLInfo null_ssl_info;
   int rv = factory->CreateAuthHandlerFromString(
       default_challenge, HttpAuth::AUTH_SERVER, null_ssl_info,
-      NetworkIsolationKey(), scheme_host_port, NetLogWithSource(),
+      NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
       host_resolver.get(), &handler);
   EXPECT_THAT(rv, IsOk());
   ASSERT_TRUE(handler.get() != nullptr);
diff --git a/chromium/net/http/http_auth_handler_factory.cc b/chromium/net/http/http_auth_handler_factory.cc
index d3dce69123b..a88617f604a 100644
--- a/chromium/net/http/http_auth_handler_factory.cc
+++ b/chromium/net/http/http_auth_handler_factory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -58,13 +58,13 @@ int HttpAuthHandlerFactory::CreateAuthHandlerFromString(
     const std::string& challenge,
     HttpAuth::Target target,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     const NetLogWithSource& net_log,
     HostResolver* host_resolver,
     std::unique_ptr<HttpAuthHandler>* handler) {
   HttpAuthChallengeTokenizer props(challenge.begin(), challenge.end());
-  return CreateAuthHandler(&props, target, ssl_info, network_isolation_key,
+  return CreateAuthHandler(&props, target, ssl_info, network_anonymization_key,
                            scheme_host_port, CREATE_CHALLENGE, 1, net_log,
                            host_resolver, handler);
 }
@@ -72,7 +72,7 @@ int HttpAuthHandlerFactory::CreateAuthHandlerFromString(
 int HttpAuthHandlerFactory::CreatePreemptiveAuthHandlerFromString(
     const std::string& challenge,
     HttpAuth::Target target,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     int digest_nonce_count,
     const NetLogWithSource& net_log,
@@ -80,9 +80,10 @@ int HttpAuthHandlerFactory::CreatePreemptiveAuthHandlerFromString(
     std::unique_ptr<HttpAuthHandler>* handler) {
   HttpAuthChallengeTokenizer props(challenge.begin(), challenge.end());
   SSLInfo null_ssl_info;
-  return CreateAuthHandler(&props, target, null_ssl_info, network_isolation_key,
-                           scheme_host_port, CREATE_PREEMPTIVE,
-                           digest_nonce_count, net_log, host_resolver, handler);
+  return CreateAuthHandler(&props, target, null_ssl_info,
+                           network_anonymization_key, scheme_host_port,
+                           CREATE_PREEMPTIVE, digest_nonce_count, net_log,
+                           host_resolver, handler);
 }
 
 HttpAuthHandlerRegistryFactory::HttpAuthHandlerRegistryFactory(
@@ -194,7 +195,7 @@ int HttpAuthHandlerRegistryFactory::CreateAuthHandler(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     CreateReason reason,
     int digest_nonce_count,
@@ -220,8 +221,9 @@ int HttpAuthHandlerRegistryFactory::CreateAuthHandler(
       net_error = ERR_UNSUPPORTED_AUTH_SCHEME;
     } else {
       net_error = factory->CreateAuthHandler(
-          challenge, target, ssl_info, network_isolation_key, scheme_host_port,
-          reason, digest_nonce_count, net_log, host_resolver, handler);
+          challenge, target, ssl_info, network_anonymization_key,
+          scheme_host_port, reason, digest_nonce_count, net_log, host_resolver,
+          handler);
     }
   }
 
diff --git a/chromium/net/http/http_auth_handler_factory.h b/chromium/net/http/http_auth_handler_factory.h
index 4f1b3b466e5..8c9f268a5a2 100644
--- a/chromium/net/http/http_auth_handler_factory.h
+++ b/chromium/net/http/http_auth_handler_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -33,7 +33,7 @@ class HttpAuthHandler;
 class HttpAuthHandlerRegistryFactory;
 class HttpAuthPreferences;
 class NetLogWithSource;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 
 // An HttpAuthHandlerFactory is used to create HttpAuthHandler objects.
 // The HttpAuthHandlerFactory object _must_ outlive any of the HttpAuthHandler
@@ -104,7 +104,7 @@ class NET_EXPORT HttpAuthHandlerFactory {
       HttpAuthChallengeTokenizer* challenge,
       HttpAuth::Target target,
       const SSLInfo& ssl_info,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::SchemeHostPort& scheme_host_port,
       CreateReason create_reason,
       int digest_nonce_count,
@@ -121,7 +121,7 @@ class NET_EXPORT HttpAuthHandlerFactory {
       const std::string& challenge,
       HttpAuth::Target target,
       const SSLInfo& ssl_info,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::SchemeHostPort& scheme_host_port,
       const NetLogWithSource& net_log,
       HostResolver* host_resolver,
@@ -135,7 +135,7 @@ class NET_EXPORT HttpAuthHandlerFactory {
   int CreatePreemptiveAuthHandlerFromString(
       const std::string& challenge,
       HttpAuth::Target target,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::SchemeHostPort& scheme_host_port,
       int digest_nonce_count,
       const NetLogWithSource& net_log,
@@ -225,16 +225,17 @@ class NET_EXPORT HttpAuthHandlerRegistryFactory
   // scheme is used and the factory was created with
   // |negotiate_disable_cname_lookup| false, |host_resolver| must not be null,
   // and it must remain valid for the lifetime of the created |handler|.
-  int CreateAuthHandler(HttpAuthChallengeTokenizer* challenge,
-                        HttpAuth::Target target,
-                        const SSLInfo& ssl_info,
-                        const NetworkIsolationKey& network_isolation_key,
-                        const url::SchemeHostPort& scheme_host_port,
-                        CreateReason reason,
-                        int digest_nonce_count,
-                        const NetLogWithSource& net_log,
-                        HostResolver* host_resolver,
-                        std::unique_ptr<HttpAuthHandler>* handler) override;
+  int CreateAuthHandler(
+      HttpAuthChallengeTokenizer* challenge,
+      HttpAuth::Target target,
+      const SSLInfo& ssl_info,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::SchemeHostPort& scheme_host_port,
+      CreateReason reason,
+      int digest_nonce_count,
+      const NetLogWithSource& net_log,
+      HostResolver* host_resolver,
+      std::unique_ptr<HttpAuthHandler>* handler) override;
 
 #if BUILDFLAG(USE_KERBEROS) && !BUILDFLAG(IS_ANDROID) && BUILDFLAG(IS_POSIX)
   absl::optional<std::string> GetNegotiateLibraryNameForTesting() const;
diff --git a/chromium/net/http/http_auth_handler_factory_unittest.cc b/chromium/net/http/http_auth_handler_factory_unittest.cc
index 49eba343b6e..9c388b0bc30 100644
--- a/chromium/net/http/http_auth_handler_factory_unittest.cc
+++ b/chromium/net/http/http_auth_handler_factory_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -41,16 +41,17 @@ class MockHttpAuthHandlerFactory : public HttpAuthHandlerFactory {
       return_code_(return_code) {}
   ~MockHttpAuthHandlerFactory() override = default;
 
-  int CreateAuthHandler(HttpAuthChallengeTokenizer* challenge,
-                        HttpAuth::Target target,
-                        const SSLInfo& ssl_info,
-                        const NetworkIsolationKey& network_isolation_key,
-                        const url::SchemeHostPort& scheme_host_port,
-                        CreateReason reason,
-                        int nonce_count,
-                        const NetLogWithSource& net_log,
-                        HostResolver* host_resolver,
-                        std::unique_ptr<HttpAuthHandler>* handler) override {
+  int CreateAuthHandler(
+      HttpAuthChallengeTokenizer* challenge,
+      HttpAuth::Target target,
+      const SSLInfo& ssl_info,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::SchemeHostPort& scheme_host_port,
+      CreateReason reason,
+      int nonce_count,
+      const NetLogWithSource& net_log,
+      HostResolver* host_resolver,
+      std::unique_ptr<HttpAuthHandler>* handler) override {
     handler->reset();
     return return_code_;
   }
@@ -82,60 +83,60 @@ TEST(HttpAuthHandlerFactoryTest, RegistryFactory) {
   std::unique_ptr<HttpAuthHandler> handler;
 
   // No schemes should be supported in the beginning.
-  EXPECT_EQ(
-      ERR_UNSUPPORTED_AUTH_SCHEME,
-      registry_factory.CreateAuthHandlerFromString(
-          "Basic", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-          scheme_host_port, NetLogWithSource(), host_resovler.get(), &handler));
+  EXPECT_EQ(ERR_UNSUPPORTED_AUTH_SCHEME,
+            registry_factory.CreateAuthHandlerFromString(
+                "Basic", HttpAuth::AUTH_SERVER, null_ssl_info,
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
+                host_resovler.get(), &handler));
 
   // Test what happens with a single scheme.
   registry_factory.RegisterSchemeFactory("Basic",
                                          std::move(mock_factory_basic));
-  EXPECT_EQ(
-      kBasicReturnCode,
-      registry_factory.CreateAuthHandlerFromString(
-          "Basic", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-          scheme_host_port, NetLogWithSource(), host_resovler.get(), &handler));
-  EXPECT_EQ(
-      ERR_UNSUPPORTED_AUTH_SCHEME,
-      registry_factory.CreateAuthHandlerFromString(
-          "Digest", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-          scheme_host_port, NetLogWithSource(), host_resovler.get(), &handler));
+  EXPECT_EQ(kBasicReturnCode,
+            registry_factory.CreateAuthHandlerFromString(
+                "Basic", HttpAuth::AUTH_SERVER, null_ssl_info,
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
+                host_resovler.get(), &handler));
+  EXPECT_EQ(ERR_UNSUPPORTED_AUTH_SCHEME,
+            registry_factory.CreateAuthHandlerFromString(
+                "Digest", HttpAuth::AUTH_SERVER, null_ssl_info,
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
+                host_resovler.get(), &handler));
 
   // Test multiple schemes
   registry_factory.RegisterSchemeFactory("Digest",
                                          std::move(mock_factory_digest));
-  EXPECT_EQ(
-      kBasicReturnCode,
-      registry_factory.CreateAuthHandlerFromString(
-          "Basic", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-          scheme_host_port, NetLogWithSource(), host_resovler.get(), &handler));
-  EXPECT_EQ(
-      kDigestReturnCode,
-      registry_factory.CreateAuthHandlerFromString(
-          "Digest", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-          scheme_host_port, NetLogWithSource(), host_resovler.get(), &handler));
+  EXPECT_EQ(kBasicReturnCode,
+            registry_factory.CreateAuthHandlerFromString(
+                "Basic", HttpAuth::AUTH_SERVER, null_ssl_info,
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
+                host_resovler.get(), &handler));
+  EXPECT_EQ(kDigestReturnCode,
+            registry_factory.CreateAuthHandlerFromString(
+                "Digest", HttpAuth::AUTH_SERVER, null_ssl_info,
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
+                host_resovler.get(), &handler));
 
   // Test case-insensitivity
-  EXPECT_EQ(
-      kBasicReturnCode,
-      registry_factory.CreateAuthHandlerFromString(
-          "basic", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-          scheme_host_port, NetLogWithSource(), host_resovler.get(), &handler));
+  EXPECT_EQ(kBasicReturnCode,
+            registry_factory.CreateAuthHandlerFromString(
+                "basic", HttpAuth::AUTH_SERVER, null_ssl_info,
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
+                host_resovler.get(), &handler));
 
   // Test replacement of existing auth scheme
   registry_factory.RegisterSchemeFactory(
       "Digest", std::move(mock_factory_digest_replace));
-  EXPECT_EQ(
-      kBasicReturnCode,
-      registry_factory.CreateAuthHandlerFromString(
-          "Basic", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-          scheme_host_port, NetLogWithSource(), host_resovler.get(), &handler));
-  EXPECT_EQ(
-      kDigestReturnCodeReplace,
-      registry_factory.CreateAuthHandlerFromString(
-          "Digest", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-          scheme_host_port, NetLogWithSource(), host_resovler.get(), &handler));
+  EXPECT_EQ(kBasicReturnCode,
+            registry_factory.CreateAuthHandlerFromString(
+                "Basic", HttpAuth::AUTH_SERVER, null_ssl_info,
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
+                host_resovler.get(), &handler));
+  EXPECT_EQ(kDigestReturnCodeReplace,
+            registry_factory.CreateAuthHandlerFromString(
+                "Digest", HttpAuth::AUTH_SERVER, null_ssl_info,
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
+                host_resovler.get(), &handler));
 }
 
 TEST(HttpAuthHandlerFactoryTest, DefaultFactory) {
@@ -153,7 +154,7 @@ TEST(HttpAuthHandlerFactoryTest, DefaultFactory) {
     std::unique_ptr<HttpAuthHandler> handler;
     int rv = http_auth_handler_factory->CreateAuthHandlerFromString(
         "Basic realm=\"FooBar\"", HttpAuth::AUTH_SERVER, null_ssl_info,
-        NetworkIsolationKey(), server_scheme_host_port, NetLogWithSource(),
+        NetworkAnonymizationKey(), server_scheme_host_port, NetLogWithSource(),
         host_resolver.get(), &handler);
     EXPECT_THAT(rv, IsOk());
     ASSERT_FALSE(handler.get() == nullptr);
@@ -167,7 +168,7 @@ TEST(HttpAuthHandlerFactoryTest, DefaultFactory) {
     std::unique_ptr<HttpAuthHandler> handler;
     int rv = http_auth_handler_factory->CreateAuthHandlerFromString(
         "UNSUPPORTED realm=\"FooBar\"", HttpAuth::AUTH_SERVER, null_ssl_info,
-        NetworkIsolationKey(), server_scheme_host_port, NetLogWithSource(),
+        NetworkAnonymizationKey(), server_scheme_host_port, NetLogWithSource(),
         host_resolver.get(), &handler);
     EXPECT_THAT(rv, IsError(ERR_UNSUPPORTED_AUTH_SCHEME));
     EXPECT_TRUE(handler.get() == nullptr);
@@ -176,7 +177,7 @@ TEST(HttpAuthHandlerFactoryTest, DefaultFactory) {
     std::unique_ptr<HttpAuthHandler> handler;
     int rv = http_auth_handler_factory->CreateAuthHandlerFromString(
         "Digest realm=\"FooBar\", nonce=\"xyz\"", HttpAuth::AUTH_PROXY,
-        null_ssl_info, NetworkIsolationKey(), proxy_scheme_host_port,
+        null_ssl_info, NetworkAnonymizationKey(), proxy_scheme_host_port,
         NetLogWithSource(), host_resolver.get(), &handler);
     EXPECT_THAT(rv, IsOk());
     ASSERT_FALSE(handler.get() == nullptr);
@@ -189,7 +190,7 @@ TEST(HttpAuthHandlerFactoryTest, DefaultFactory) {
   {
     std::unique_ptr<HttpAuthHandler> handler;
     int rv = http_auth_handler_factory->CreateAuthHandlerFromString(
-        "NTLM", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
+        "NTLM", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkAnonymizationKey(),
         server_scheme_host_port, NetLogWithSource(), host_resolver.get(),
         &handler);
     EXPECT_THAT(rv, IsOk());
@@ -204,7 +205,7 @@ TEST(HttpAuthHandlerFactoryTest, DefaultFactory) {
     std::unique_ptr<HttpAuthHandler> handler;
     int rv = http_auth_handler_factory->CreateAuthHandlerFromString(
         "Negotiate", HttpAuth::AUTH_SERVER, null_ssl_info,
-        NetworkIsolationKey(), server_scheme_host_port, NetLogWithSource(),
+        NetworkAnonymizationKey(), server_scheme_host_port, NetLogWithSource(),
         host_resolver.get(), &handler);
 // Note the default factory doesn't support Kerberos on Android
 #if BUILDFLAG(USE_KERBEROS) && !BUILDFLAG(IS_ANDROID)
@@ -267,7 +268,7 @@ TEST(HttpAuthHandlerFactoryTest, HttpAuthUrlFilter) {
     for (const TestCase& test_case : kTestCases) {
       std::unique_ptr<HttpAuthHandler> handler;
       int rv = http_auth_handler_factory->CreateAuthHandlerFromString(
-          test_case.challenge, target, null_ssl_info, NetworkIsolationKey(),
+          test_case.challenge, target, null_ssl_info, NetworkAnonymizationKey(),
           url::SchemeHostPort(test_case.origin), NetLogWithSource(),
           host_resolver.get(), &handler);
       EXPECT_THAT(rv, IsError(test_case.expected_net_error));
@@ -324,7 +325,7 @@ TEST(HttpAuthHandlerFactoryTest, BasicFactoryRespectsHTTPEnabledPref) {
     for (const TestCase& test_case : kTestCases) {
       std::unique_ptr<HttpAuthHandler> handler;
       int rv = http_auth_handler_factory->CreateAuthHandlerFromString(
-          test_case.challenge, target, null_ssl_info, NetworkIsolationKey(),
+          test_case.challenge, target, null_ssl_info, NetworkAnonymizationKey(),
           test_case.scheme_host_port, NetLogWithSource(), host_resolver.get(),
           &handler);
       EXPECT_THAT(rv, IsError(test_case.expected_net_error));
@@ -374,7 +375,7 @@ TEST(HttpAuthHandlerFactoryTest, LogCreateAuthHandlerResults) {
       std::unique_ptr<HttpAuthHandler> handler;
       int rv = http_auth_handler_factory->CreateAuthHandlerFromString(
           test_case.challenge, test_case.auth_target, null_ssl_info,
-          NetworkIsolationKey(), scheme_host_port,
+          NetworkAnonymizationKey(), scheme_host_port,
           NetLogWithSource::Make(NetLogSourceType::NONE), host_resolver.get(),
           &handler);
       EXPECT_THAT(rv, IsError(test_case.expected_net_error));
diff --git a/chromium/net/http/http_auth_handler_fuzzer.cc b/chromium/net/http/http_auth_handler_fuzzer.cc
index a325a3e0d8f..c5b060918a5 100644
--- a/chromium/net/http/http_auth_handler_fuzzer.cc
+++ b/chromium/net/http/http_auth_handler_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -45,7 +45,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   factory->CreateAuthHandlerFromString(
       challenge, net::HttpAuth::AUTH_SERVER, null_ssl_info,
-      net::NetworkIsolationKey(), scheme_host_port, net::NetLogWithSource(),
+      net::NetworkAnonymizationKey(), scheme_host_port, net::NetLogWithSource(),
       host_resolver.get(), &handler);
 
   if (handler) {
diff --git a/chromium/net/http/http_auth_handler_mock.cc b/chromium/net/http/http_auth_handler_mock.cc
index 4bffe8b912a..311d062ecd6 100644
--- a/chromium/net/http/http_auth_handler_mock.cc
+++ b/chromium/net/http/http_auth_handler_mock.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -65,7 +65,7 @@ bool HttpAuthHandlerMock::AllowsExplicitCredentials() {
 bool HttpAuthHandlerMock::Init(
     HttpAuthChallengeTokenizer* challenge,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   EXPECT_EQ(State::WAIT_FOR_INIT, state_);
   state_ = State::WAIT_FOR_GENERATE_AUTH_TOKEN;
   auth_scheme_ = HttpAuth::AUTH_SCHEME_MOCK;
@@ -155,7 +155,7 @@ int HttpAuthHandlerMock::Factory::CreateAuthHandler(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     CreateReason reason,
     int nonce_count,
@@ -170,8 +170,8 @@ int HttpAuthHandlerMock::Factory::CreateAuthHandler(
   handlers.erase(handlers.begin());
   if (do_init_from_challenge_ &&
       !tmp_handler->InitFromChallenge(challenge, target, ssl_info,
-                                      network_isolation_key, scheme_host_port,
-                                      net_log)) {
+                                      network_anonymization_key,
+                                      scheme_host_port, net_log)) {
     return ERR_INVALID_RESPONSE;
   }
   handler->swap(tmp_handler);
diff --git a/chromium/net/http/http_auth_handler_mock.h b/chromium/net/http/http_auth_handler_mock.h
index 70f1738fe61..deb724a4770 100644
--- a/chromium/net/http/http_auth_handler_mock.h
+++ b/chromium/net/http/http_auth_handler_mock.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -53,7 +53,7 @@ class HttpAuthHandlerMock : public HttpAuthHandler {
     int CreateAuthHandler(HttpAuthChallengeTokenizer* challenge,
                           HttpAuth::Target target,
                           const SSLInfo& ssl_info,
-                          const NetworkIsolationKey& network_isolation_key,
+                          const NetworkAnonymizationKey& network_isolation_key,
                           const url::SchemeHostPort& scheme_host_port,
                           CreateReason reason,
                           int nonce_count,
@@ -99,7 +99,7 @@ class HttpAuthHandlerMock : public HttpAuthHandler {
   bool AllowsExplicitCredentials() override;
   bool Init(HttpAuthChallengeTokenizer* challenge,
             const SSLInfo& ssl_info,
-            const NetworkIsolationKey& network_isolation_key) override;
+            const NetworkAnonymizationKey& network_isolation_key) override;
   int GenerateAuthTokenImpl(const AuthCredentials* credentials,
                             const HttpRequestInfo* request,
                             CompletionOnceCallback callback,
diff --git a/chromium/net/http/http_auth_handler_negotiate.cc b/chromium/net/http/http_auth_handler_negotiate.cc
index 1e83a068a2b..cc488fad4bc 100644
--- a/chromium/net/http/http_auth_handler_negotiate.cc
+++ b/chromium/net/http/http_auth_handler_negotiate.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -89,7 +89,7 @@ int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     CreateReason reason,
     int digest_nonce_count,
@@ -140,8 +140,8 @@ int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
           http_auth_preferences(), host_resolver));
 #endif
   if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info,
-                                      network_isolation_key, scheme_host_port,
-                                      net_log)) {
+                                      network_anonymization_key,
+                                      scheme_host_port, net_log)) {
     return ERR_INVALID_RESPONSE;
   }
   handler->swap(tmp_handler);
@@ -180,8 +180,8 @@ bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() {
 bool HttpAuthHandlerNegotiate::Init(
     HttpAuthChallengeTokenizer* challenge,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key) {
-  network_isolation_key_ = network_isolation_key;
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  network_anonymization_key_ = network_anonymization_key;
 #if BUILDFLAG(IS_POSIX)
   if (!auth_system_->Init(net_log())) {
     VLOG(1) << "can't initialize GSSAPI library";
@@ -352,7 +352,7 @@ int HttpAuthHandlerNegotiate::DoResolveCanonicalName() {
   HostResolver::ResolveHostParameters parameters;
   parameters.include_canonical_name = true;
   resolve_host_request_ = resolver_->CreateRequest(
-      scheme_host_port_, network_isolation_key_, net_log(), parameters);
+      scheme_host_port_, network_anonymization_key_, net_log(), parameters);
   return resolve_host_request_->Start(base::BindOnce(
       &HttpAuthHandlerNegotiate::OnIOComplete, base::Unretained(this)));
 }
diff --git a/chromium/net/http/http_auth_handler_negotiate.h b/chromium/net/http/http_auth_handler_negotiate.h
index 73f2c22780c..4be97136fa7 100644
--- a/chromium/net/http/http_auth_handler_negotiate.h
+++ b/chromium/net/http/http_auth_handler_negotiate.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -69,7 +69,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNegotiate : public HttpAuthHandler {
     int CreateAuthHandler(HttpAuthChallengeTokenizer* challenge,
                           HttpAuth::Target target,
                           const SSLInfo& ssl_info,
-                          const NetworkIsolationKey& network_isolation_key,
+                          const NetworkAnonymizationKey& network_isolation_key,
                           const url::SchemeHostPort& scheme_host_port,
                           CreateReason reason,
                           int digest_nonce_count,
@@ -102,7 +102,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNegotiate : public HttpAuthHandler {
   // HttpAuthHandler
   bool Init(HttpAuthChallengeTokenizer* challenge,
             const SSLInfo& ssl_info,
-            const NetworkIsolationKey& network_isolation_key) override;
+            const NetworkAnonymizationKey& network_isolation_key) override;
   int GenerateAuthTokenImpl(const AuthCredentials* credentials,
                             const HttpRequestInfo* request,
                             CompletionOnceCallback callback,
@@ -135,7 +135,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNegotiate : public HttpAuthHandler {
   std::unique_ptr<HttpAuthMechanism> auth_system_;
   const raw_ptr<HostResolver> resolver_;
 
-  NetworkIsolationKey network_isolation_key_;
+  NetworkAnonymizationKey network_anonymization_key_;
 
   // Members which are needed for DNS lookup + SPN.
   std::unique_ptr<HostResolver::ResolveHostRequest> resolve_host_request_;
diff --git a/chromium/net/http/http_auth_handler_negotiate_unittest.cc b/chromium/net/http/http_auth_handler_negotiate_unittest.cc
index 310b2180c1c..f61ca4c01e4 100644
--- a/chromium/net/http/http_auth_handler_negotiate_unittest.cc
+++ b/chromium/net/http/http_auth_handler_negotiate_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -60,7 +60,7 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
   void SetUp() override {
     scoped_feature_list_.InitAndEnableFeature(
         features::kSplitHostCacheByNetworkIsolationKey);
-    network_isolation_key_ = NetworkIsolationKey::CreateTransient();
+    network_anoymization_key_ = NetworkAnonymizationKey::CreateTransient();
 #if BUILDFLAG(IS_WIN)
     auto auth_library =
         std::make_unique<MockAuthLibrary>(const_cast<wchar_t*>(NEGOSSP_NAME));
@@ -240,7 +240,7 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
     SSLInfo null_ssl_info;
     int rv = factory_->CreateAuthHandlerFromString(
         "Negotiate", HttpAuth::AUTH_SERVER, null_ssl_info,
-        network_isolation_key(), scheme_host_port, NetLogWithSource(),
+        network_anonymization_key(), scheme_host_port, NetLogWithSource(),
         resolver_.get(), &generic_handler);
     if (rv != OK)
       return rv;
@@ -256,14 +256,14 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
     return http_auth_preferences_.get();
   }
 
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anoymization_key_;
   }
 
  private:
   base::test::ScopedFeatureList scoped_feature_list_;
 
-  NetworkIsolationKey network_isolation_key_;
+  NetworkAnonymizationKey network_anoymization_key_;
 
 #if BUILDFLAG(IS_WIN)
   std::unique_ptr<SecPkgInfoW> security_package_;
@@ -351,23 +351,23 @@ TEST_F(HttpAuthHandlerNegotiateTest, CnameSync) {
   EXPECT_EQ("HTTP@canonical.example.com", auth_handler->spn_for_testing());
 #endif
 
-  // Make sure a cache-only lookup with the wrong NetworkIsolationKey (an empty
-  // one) fails, to make sure the right NetworkIsolationKey was used.
+  // Make sure a cache-only lookup with the wrong NetworkAnonymizationKey (an
+  // empty one) fails, to make sure the right NetworkAnonymizationKey was used.
   url::SchemeHostPort scheme_host_port{GURL(url_string)};
   HostResolver::ResolveHostParameters resolve_params;
   resolve_params.include_canonical_name = true;
   resolve_params.source = HostResolverSource::LOCAL_ONLY;
   std::unique_ptr<HostResolver::ResolveHostRequest> host_request1 =
-      resolver()->CreateRequest(scheme_host_port, NetworkIsolationKey(),
+      resolver()->CreateRequest(scheme_host_port, NetworkAnonymizationKey(),
                                 NetLogWithSource(), resolve_params);
   TestCompletionCallback callback2;
   int result = host_request1->Start(callback2.callback());
   EXPECT_EQ(ERR_NAME_NOT_RESOLVED, callback2.GetResult(result));
 
-  // Make sure a cache-only lookup with the same NetworkIsolationKey succeeds,
-  // to make sure the right NetworkIsolationKey was used.
+  // Make sure a cache-only lookup with the same NetworkAnonymizationKey
+  // succeeds, to make sure the right NetworkAnonymizationKey was used.
   std::unique_ptr<HostResolver::ResolveHostRequest> host_request2 =
-      resolver()->CreateRequest(scheme_host_port, network_isolation_key(),
+      resolver()->CreateRequest(scheme_host_port, network_anonymization_key(),
                                 NetLogWithSource(), resolve_params);
   TestCompletionCallback callback3;
   result = host_request2->Start(callback3.callback());
@@ -393,23 +393,23 @@ TEST_F(HttpAuthHandlerNegotiateTest, CnameAsync) {
   EXPECT_EQ("HTTP@canonical.example.com", auth_handler->spn_for_testing());
 #endif
 
-  // Make sure a cache-only lookup with the wrong NetworkIsolationKey (an empty
-  // one) fails, to make sure the right NetworkIsolationKey was used.
+  // Make sure a cache-only lookup with the wrong NetworkAnonymizationKey (an
+  // empty one) fails, to make sure the right NetworkAnonymizationKey was used.
   url::SchemeHostPort scheme_host_port{GURL(url_string)};
   HostResolver::ResolveHostParameters resolve_params;
   resolve_params.include_canonical_name = true;
   resolve_params.source = HostResolverSource::LOCAL_ONLY;
   std::unique_ptr<HostResolver::ResolveHostRequest> host_request1 =
-      resolver()->CreateRequest(scheme_host_port, NetworkIsolationKey(),
+      resolver()->CreateRequest(scheme_host_port, NetworkAnonymizationKey(),
                                 NetLogWithSource(), resolve_params);
   TestCompletionCallback callback2;
   int result = host_request1->Start(callback2.callback());
   EXPECT_EQ(ERR_NAME_NOT_RESOLVED, callback2.GetResult(result));
 
-  // Make sure a cache-only lookup with the same NetworkIsolationKey succeeds,
-  // to make sure the right NetworkIsolationKey was used.
+  // Make sure a cache-only lookup with the same NetworkAnonymizationKey
+  // succeeds, to make sure the right NetworkAnonymizationKey was used.
   std::unique_ptr<HostResolver::ResolveHostRequest> host_request2 =
-      resolver()->CreateRequest(scheme_host_port, network_isolation_key(),
+      resolver()->CreateRequest(scheme_host_port, network_anonymization_key(),
                                 NetLogWithSource(), resolve_params);
   TestCompletionCallback callback3;
   result = host_request2->Start(callback3.callback());
@@ -464,7 +464,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, MissingGSSAPI) {
   url::SchemeHostPort scheme_host_port(GURL("http://www.example.com"));
   std::unique_ptr<HttpAuthHandler> generic_handler;
   int rv = negotiate_factory->CreateAuthHandlerFromString(
-      "Negotiate", HttpAuth::AUTH_SERVER, SSLInfo(), NetworkIsolationKey(),
+      "Negotiate", HttpAuth::AUTH_SERVER, SSLInfo(), NetworkAnonymizationKey(),
       scheme_host_port, NetLogWithSource(), resolver(), &generic_handler);
   EXPECT_THAT(rv, IsError(ERR_UNSUPPORTED_AUTH_SCHEME));
   EXPECT_TRUE(generic_handler.get() == nullptr);
@@ -538,8 +538,8 @@ TEST_F(HttpAuthHandlerNegotiateTest, OverrideAuthSystem) {
   std::unique_ptr<HttpAuthHandler> handler;
   EXPECT_EQ(OK, negotiate_factory->CreateAuthHandlerFromString(
                     "Negotiate", HttpAuth::AUTH_SERVER, SSLInfo(),
-                    NetworkIsolationKey(), scheme_host_port, NetLogWithSource(),
-                    resolver(), &handler));
+                    NetworkAnonymizationKey(), scheme_host_port,
+                    NetLogWithSource(), resolver(), &handler));
   EXPECT_TRUE(handler);
 
   TestCompletionCallback callback;
diff --git a/chromium/net/http/http_auth_handler_ntlm.cc b/chromium/net/http/http_auth_handler_ntlm.cc
index 48615130f5a..d4d731aeb80 100644
--- a/chromium/net/http/http_auth_handler_ntlm.cc
+++ b/chromium/net/http/http_auth_handler_ntlm.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@ HttpAuthHandlerNTLM::Factory::~Factory() = default;
 bool HttpAuthHandlerNTLM::Init(
     HttpAuthChallengeTokenizer* tok,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   auth_scheme_ = HttpAuth::AUTH_SCHEME_NTLM;
   score_ = 3;
   properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
diff --git a/chromium/net/http/http_auth_handler_ntlm.h b/chromium/net/http/http_auth_handler_ntlm.h
index d10b4417af6..a0cc9c58022 100644
--- a/chromium/net/http/http_auth_handler_ntlm.h
+++ b/chromium/net/http/http_auth_handler_ntlm.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -54,16 +54,17 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNTLM : public HttpAuthHandler {
 
     ~Factory() override;
 
-    int CreateAuthHandler(HttpAuthChallengeTokenizer* challenge,
-                          HttpAuth::Target target,
-                          const SSLInfo& ssl_info,
-                          const NetworkIsolationKey& network_isolation_key,
-                          const url::SchemeHostPort& scheme_host_port,
-                          CreateReason reason,
-                          int digest_nonce_count,
-                          const NetLogWithSource& net_log,
-                          HostResolver* host_resolver,
-                          std::unique_ptr<HttpAuthHandler>* handler) override;
+    int CreateAuthHandler(
+        HttpAuthChallengeTokenizer* challenge,
+        HttpAuth::Target target,
+        const SSLInfo& ssl_info,
+        const NetworkAnonymizationKey& network_anonymization_key,
+        const url::SchemeHostPort& scheme_host_port,
+        CreateReason reason,
+        int digest_nonce_count,
+        const NetLogWithSource& net_log,
+        HostResolver* host_resolver,
+        std::unique_ptr<HttpAuthHandler>* handler) override;
 #if defined(NTLM_SSPI)
     // Set the SSPILibrary to use. Typically the only callers which need to use
     // this are unit tests which pass in a mocked-out version of the SSPI
@@ -102,7 +103,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNTLM : public HttpAuthHandler {
   // HttpAuthHandler
   bool Init(HttpAuthChallengeTokenizer* tok,
             const SSLInfo& ssl_info,
-            const NetworkIsolationKey& network_isolation_key) override;
+            const NetworkAnonymizationKey& network_anonymization_key) override;
   int GenerateAuthTokenImpl(const AuthCredentials* credentials,
                             const HttpRequestInfo* request,
                             CompletionOnceCallback callback,
diff --git a/chromium/net/http/http_auth_handler_ntlm_portable.cc b/chromium/net/http/http_auth_handler_ntlm_portable.cc
index 7381263fecf..e7294fe7957 100644
--- a/chromium/net/http/http_auth_handler_ntlm_portable.cc
+++ b/chromium/net/http/http_auth_handler_ntlm_portable.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -16,7 +16,7 @@ int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     CreateReason reason,
     int digest_nonce_count,
@@ -32,8 +32,8 @@ int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
   auto tmp_handler =
       std::make_unique<HttpAuthHandlerNTLM>(http_auth_preferences());
   if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info,
-                                      network_isolation_key, scheme_host_port,
-                                      net_log)) {
+                                      network_anonymization_key,
+                                      scheme_host_port, net_log)) {
     return ERR_INVALID_RESPONSE;
   }
   *handler = std::move(tmp_handler);
diff --git a/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc b/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc
index 19175390090..63e8153c9d3 100644
--- a/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc
+++ b/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "build/build_config.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
@@ -56,7 +56,7 @@ class HttpAuthHandlerNtlmPortableTest : public PlatformTest {
     SSLInfo null_ssl_info;
 
     return factory_->CreateAuthHandlerFromString(
-        "NTLM", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
+        "NTLM", HttpAuth::AUTH_SERVER, null_ssl_info, NetworkAnonymizationKey(),
         scheme_host_port, NetLogWithSource(), nullptr, &auth_handler_);
   }
 
diff --git a/chromium/net/http/http_auth_handler_ntlm_win.cc b/chromium/net/http/http_auth_handler_ntlm_win.cc
index 2c0bc7bef49..4fa74e60d4d 100644
--- a/chromium/net/http/http_auth_handler_ntlm_win.cc
+++ b/chromium/net/http/http_auth_handler_ntlm_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -22,7 +22,7 @@ int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::SchemeHostPort& scheme_host_port,
     CreateReason reason,
     int digest_nonce_count,
@@ -36,7 +36,7 @@ int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
   auto tmp_handler = std::make_unique<HttpAuthHandlerNTLM>(
       sspi_library_.get(), http_auth_preferences());
   if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info,
-                                      network_isolation_key, scheme_host_port,
+                                      network_anonymization_key, scheme_host_port,
                                       net_log))
     return ERR_INVALID_RESPONSE;
   *handler = std::move(tmp_handler);
diff --git a/chromium/net/http/http_auth_handler_unittest.cc b/chromium/net/http/http_auth_handler_unittest.cc
index 3d0e5f25711..6e6c84c2108 100644
--- a/chromium/net/http/http_auth_handler_unittest.cc
+++ b/chromium/net/http/http_auth_handler_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,7 +8,7 @@
 #include "base/strings/utf_string_conversions.h"
 #include "base/test/task_environment.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_handler_mock.h"
@@ -45,7 +45,7 @@ TEST(HttpAuthHandlerTest, NetLog) {
       // AUTHORIZATION_RESULT_REJECT.
       mock_handler.set_connection_based(true);
       mock_handler.InitFromChallenge(
-          &tokenizer, target, SSLInfo(), NetworkIsolationKey(),
+          &tokenizer, target, SSLInfo(), NetworkAnonymizationKey(),
           scheme_host_port, NetLogWithSource::Make(NetLogSourceType::NONE));
       mock_handler.SetGenerateExpectation(async, OK);
       mock_handler.GenerateAuthToken(&credentials, &request,
diff --git a/chromium/net/http/http_auth_mechanism.h b/chromium/net/http/http_auth_mechanism.h
index 85d404be2c8..5e3a4db5c9c 100644
--- a/chromium/net/http/http_auth_mechanism.h
+++ b/chromium/net/http/http_auth_mechanism.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_multi_round_parse.cc b/chromium/net/http/http_auth_multi_round_parse.cc
index 915db115a3a..956309d0a35 100644
--- a/chromium/net/http/http_auth_multi_round_parse.cc
+++ b/chromium/net/http/http_auth_multi_round_parse.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_multi_round_parse.h b/chromium/net/http/http_auth_multi_round_parse.h
index 034444e6cd4..a47e71766c4 100644
--- a/chromium/net/http/http_auth_multi_round_parse.h
+++ b/chromium/net/http/http_auth_multi_round_parse.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_multi_round_parse_unittest.cc b/chromium/net/http/http_auth_multi_round_parse_unittest.cc
index aa078d06bcb..f4410aa8af2 100644
--- a/chromium/net/http/http_auth_multi_round_parse_unittest.cc
+++ b/chromium/net/http/http_auth_multi_round_parse_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_ntlm_mechanism.cc b/chromium/net/http/http_auth_ntlm_mechanism.cc
index 95ab598c86a..e783e1c8238 100644
--- a/chromium/net/http/http_auth_ntlm_mechanism.cc
+++ b/chromium/net/http/http_auth_ntlm_mechanism.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_ntlm_mechanism.h b/chromium/net/http/http_auth_ntlm_mechanism.h
index bba843e4677..a451ab77fc8 100644
--- a/chromium/net/http/http_auth_ntlm_mechanism.h
+++ b/chromium/net/http/http_auth_ntlm_mechanism.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_preferences.cc b/chromium/net/http/http_auth_preferences.cc
index fac4cde5991..7e46b432d46 100644
--- a/chromium/net/http/http_auth_preferences.cc
+++ b/chromium/net/http/http_auth_preferences.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_preferences.h b/chromium/net/http/http_auth_preferences.h
index 5f7d46c49d7..677a3524f8f 100644
--- a/chromium/net/http/http_auth_preferences.h
+++ b/chromium/net/http/http_auth_preferences.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_preferences_unittest.cc b/chromium/net/http/http_auth_preferences_unittest.cc
index e95f8888c7c..57557fbd626 100644
--- a/chromium/net/http/http_auth_preferences_unittest.cc
+++ b/chromium/net/http/http_auth_preferences_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_scheme.cc b/chromium/net/http/http_auth_scheme.cc
index 4adfc7465ca..040f5b0663b 100644
--- a/chromium/net/http/http_auth_scheme.cc
+++ b/chromium/net/http/http_auth_scheme.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_scheme.h b/chromium/net/http/http_auth_scheme.h
index fc74da99a4f..99ec247c2ba 100644
--- a/chromium/net/http/http_auth_scheme.h
+++ b/chromium/net/http/http_auth_scheme.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_sspi_win.cc b/chromium/net/http/http_auth_sspi_win.cc
index 02ce74d36c9..6de1653204e 100644
--- a/chromium/net/http/http_auth_sspi_win.cc
+++ b/chromium/net/http/http_auth_sspi_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_sspi_win.h b/chromium/net/http/http_auth_sspi_win.h
index 77d04087072..08c7cd3a031 100644
--- a/chromium/net/http/http_auth_sspi_win.h
+++ b/chromium/net/http/http_auth_sspi_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_sspi_win_unittest.cc b/chromium/net/http/http_auth_sspi_win_unittest.cc
index 116728d5b6e..b665b0f5ab4 100644
--- a/chromium/net/http/http_auth_sspi_win_unittest.cc
+++ b/chromium/net/http/http_auth_sspi_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_auth_unittest.cc b/chromium/net/http/http_auth_unittest.cc
index 7ee55269aab..e772e67b5cb 100644
--- a/chromium/net/http/http_auth_unittest.cc
+++ b/chromium/net/http/http_auth_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -44,8 +44,8 @@ std::unique_ptr<HttpAuthHandlerMock> CreateMockHandler(bool connection_based) {
   url::SchemeHostPort scheme_host_port(GURL("https://www.example.com"));
   SSLInfo null_ssl_info;
   EXPECT_TRUE(auth_handler->InitFromChallenge(
-      &challenge, HttpAuth::AUTH_SERVER, null_ssl_info, NetworkIsolationKey(),
-      scheme_host_port, NetLogWithSource()));
+      &challenge, HttpAuth::AUTH_SERVER, null_ssl_info,
+      NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource()));
   return auth_handler;
 }
 
@@ -149,7 +149,7 @@ TEST(HttpAuthTest, ChooseBestChallenge) {
     std::unique_ptr<HttpAuthHandler> handler;
     HttpAuth::ChooseBestChallenge(
         http_auth_handler_factory.get(), *headers, null_ssl_info,
-        NetworkIsolationKey(), HttpAuth::AUTH_SERVER, scheme_host_port,
+        NetworkAnonymizationKey(), HttpAuth::AUTH_SERVER, scheme_host_port,
         disabled_schemes, NetLogWithSource(), host_resolver.get(), &handler);
 
     if (handler.get()) {
diff --git a/chromium/net/http/http_basic_state.cc b/chromium/net/http/http_basic_state.cc
index fe5233bab8d..72ad54a7fbd 100644
--- a/chromium/net/http/http_basic_state.cc
+++ b/chromium/net/http/http_basic_state.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_basic_state.h b/chromium/net/http/http_basic_state.h
index 12164fd5941..bc82c4fce24 100644
--- a/chromium/net/http/http_basic_state.h
+++ b/chromium/net/http/http_basic_state.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/http/http_basic_state_unittest.cc b/chromium/net/http/http_basic_state_unittest.cc
index 3cd757a287a..d03e9dec699 100644
--- a/chromium/net/http/http_basic_state_unittest.cc
+++ b/chromium/net/http/http_basic_state_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_basic_stream.cc b/chromium/net/http/http_basic_stream.cc
index d3e39277eeb..6f9d4a7e09e 100644
--- a/chromium/net/http/http_basic_stream.cc
+++ b/chromium/net/http/http_basic_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_basic_stream.h b/chromium/net/http/http_basic_stream.h
index da8e5253743..fc654945a61 100644
--- a/chromium/net/http/http_basic_stream.h
+++ b/chromium/net/http/http_basic_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/http/http_byte_range.cc b/chromium/net/http/http_byte_range.cc
index 95a46785606..67a7fdc1098 100644
--- a/chromium/net/http/http_byte_range.cc
+++ b/chromium/net/http/http_byte_range.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright 2009 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_byte_range.h b/chromium/net/http/http_byte_range.h
index 5b6a76c9858..5a144d17f42 100644
--- a/chromium/net/http/http_byte_range.h
+++ b/chromium/net/http/http_byte_range.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_byte_range_unittest.cc b/chromium/net/http/http_byte_range_unittest.cc
index 845c4bc50fb..a3ea249b05b 100644
--- a/chromium/net/http/http_byte_range_unittest.cc
+++ b/chromium/net/http/http_byte_range_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright 2009 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_cache.cc b/chromium/net/http/http_cache.cc
index 1ee1910d709..2bd3f6a479f 100644
--- a/chromium/net/http/http_cache.cc
+++ b/chromium/net/http/http_cache.cc
@@ -1,10 +1,9 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_cache.h"
 
-#include <algorithm>
 #include <utility>
 
 #include "base/bind.h"
@@ -21,6 +20,7 @@
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/pickle.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/strcat.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
@@ -29,11 +29,13 @@
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/default_clock.h"
 #include "build/build_config.h"
+#include "http_request_info.h"
 #include "net/base/cache_type.h"
 #include "net/base/features.h"
 #include "net/base/io_buffer.h"
 #include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_isolation_key.h"
 #include "net/base/upload_data_stream.h"
 #include "net/disk_cache/disk_cache.h"
@@ -218,8 +220,8 @@ class HttpCache::WorkItem {
 
  private:
   WorkItemOperation operation_;
-  raw_ptr<Transaction> transaction_;
-  raw_ptr<ActiveEntry*> entry_;
+  raw_ptr<Transaction, DanglingUntriaged> transaction_;
+  raw_ptr<ActiveEntry*, DanglingUntriaged> entry_;
   CompletionOnceCallback callback_;  // User callback.
 };
 
@@ -356,6 +358,10 @@ void HttpCache::OnExternalCacheHit(
   request_info.url = url;
   request_info.method = http_method;
   request_info.network_isolation_key = network_isolation_key;
+  request_info.network_anonymization_key =
+      net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+          network_isolation_key);
+
   request_info.is_subframe_document_resource = is_subframe_document_resource;
   if (base::FeatureList::IsEnabled(features::kSplitCacheByIncludeCredentials)) {
     if (!used_credentials)
@@ -688,6 +694,9 @@ void HttpCache::DoomMainEntryForUrl(const GURL& url,
   temp_info.url = url;
   temp_info.method = "GET";
   temp_info.network_isolation_key = isolation_key;
+  temp_info.network_anonymization_key =
+      net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+          isolation_key);
   temp_info.is_subframe_document_resource = is_subframe_document_resource;
   // This method is always used for "POST" requests, which never use the
   // single-keyed cache, so therefore it is correct that use_single_keyed_cache
@@ -927,8 +936,7 @@ void HttpCache::DoneWithEntry(ActiveEntry* entry,
     entry->GetEntry()->CancelSparseIO();
 
   // Transaction is waiting in the done_headers_queue.
-  auto it = std::find(entry->done_headers_queue.begin(),
-                      entry->done_headers_queue.end(), transaction);
+  auto it = base::ranges::find(entry->done_headers_queue, transaction);
   if (it != entry->done_headers_queue.end()) {
     entry->done_headers_queue.erase(it);
 
@@ -988,6 +996,8 @@ void HttpCache::WritersDoneWritingToEntry(ActiveEntry* entry,
   DCHECK(entry->writers->IsEmpty());
   DCHECK(success || make_readers.empty());
 
+  entry->writers_done_writing_to_entry_history = absl::make_optional(success);
+
   if (!success && should_keep_entry) {
     // Restart already validated transactions so that they are able to read
     // the truncated status of the entry.
@@ -1106,8 +1116,9 @@ void HttpCache::ProcessQueuedTransactions(ActiveEntry* entry) {
   // Post a task instead of invoking the io callback of another transaction here
   // to avoid re-entrancy.
   base::ThreadTaskRunnerHandle::Get()->PostTask(
-      FROM_HERE, base::BindOnce(&HttpCache::OnProcessQueuedTransactions,
-                                GetWeakPtr(), entry));
+      FROM_HERE,
+      base::BindOnce(&HttpCache::OnProcessQueuedTransactions, GetWeakPtr(),
+                     base::UnsafeDanglingUntriaged(entry)));
 }
 
 void HttpCache::ProcessAddToEntryQueue(ActiveEntry* entry) {
diff --git a/chromium/net/http/http_cache.h b/chromium/net/http/http_cache.h
index 987e073e93e..60e7e73957d 100644
--- a/chromium/net/http/http_cache.h
+++ b/chromium/net/http/http_cache.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -393,6 +393,8 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
 
     // True if entry is doomed.
     bool doomed = false;
+
+    absl::optional<bool> writers_done_writing_to_entry_history;
   };
 
   using ActiveEntriesMap =
diff --git a/chromium/net/http/http_cache_lookup_manager.cc b/chromium/net/http/http_cache_lookup_manager.cc
index 194eb3fba6c..e20baca0823 100644
--- a/chromium/net/http/http_cache_lookup_manager.cc
+++ b/chromium/net/http/http_cache_lookup_manager.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,8 +10,8 @@
 #include "base/containers/contains.h"
 #include "base/values.h"
 #include "net/base/load_flags.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/http/http_request_info.h"
-
 namespace net {
 
 // Returns parameters associated with the start of a server push lookup
@@ -46,7 +46,9 @@ int HttpCacheLookupManager::LookupTransaction::StartLookup(
   });
 
   request_->url = push_helper_->GetURL();
-  request_->network_isolation_key = push_helper_->GetNetworkIsolationKey();
+  // TODO(crbug/1355929) Remove push helper.
+  request_->network_isolation_key = NetworkIsolationKey();
+  request_->network_anonymization_key = NetworkAnonymizationKey();
   request_->method = "GET";
   request_->load_flags = LOAD_ONLY_FROM_CACHE | LOAD_SKIP_CACHE_VALIDATION;
   cache->CreateTransaction(DEFAULT_PRIORITY, &transaction_);
diff --git a/chromium/net/http/http_cache_lookup_manager.h b/chromium/net/http/http_cache_lookup_manager.h
index 8da45d7d494..4c047bf417b 100644
--- a/chromium/net/http/http_cache_lookup_manager.h
+++ b/chromium/net/http/http_cache_lookup_manager.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_cache_lookup_manager_unittest.cc b/chromium/net/http/http_cache_lookup_manager_unittest.cc
index 21162a339fc..27e4e68af85 100644
--- a/chromium/net/http/http_cache_lookup_manager_unittest.cc
+++ b/chromium/net/http/http_cache_lookup_manager_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,6 +19,7 @@
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest-param-test.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 
 using net::test::IsOk;
 
@@ -34,8 +35,9 @@ class MockServerPushHelper : public ServerPushDelegate::ServerPushHelper {
 
   const GURL& GetURL() const override { return request_url_; }
 
-  NetworkIsolationKey GetNetworkIsolationKey() const override {
-    return network_isolation_key_;
+  NetworkAnonymizationKey GetNetworkAnonymizationKey() const override {
+    return NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+        network_isolation_key_);
   }
 
   void set_network_isolation_key(
@@ -64,6 +66,8 @@ std::unique_ptr<MockTransaction> CreateMockTransaction(const GURL& url) {
       base::Time(),
       "<html><body>Google Blah Blah</body></html>",
       {},
+      absl::nullopt,
+      absl::nullopt,
       TEST_MODE_NORMAL,
       nullptr,
       nullptr,
@@ -83,7 +87,6 @@ void PopulateCacheEntry(HttpCache* cache, const GURL& request_url) {
   AddMockTransaction(mock_trans.get());
 
   MockHttpRequest request(*(mock_trans.get()));
-
   std::unique_ptr<HttpTransaction> trans;
   int rv = cache->CreateTransaction(DEFAULT_PRIORITY, &trans);
   EXPECT_THAT(rv, IsOk());
diff --git a/chromium/net/http/http_cache_transaction.cc b/chromium/net/http/http_cache_transaction.cc
index fc53e0bb1ac..3ed7ea38ce9 100644
--- a/chromium/net/http/http_cache_transaction.cc
+++ b/chromium/net/http/http_cache_transaction.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -13,6 +13,7 @@
 #include <algorithm>
 #include <memory>
 #include <string>
+#include <type_traits>
 #include <utility>
 
 #include "base/auto_reset.h"
@@ -52,6 +53,7 @@
 #include "net/http/http_log_util.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_request_info.h"
+#include "net/http/http_response_headers.h"
 #include "net/http/http_status_code.h"
 #include "net/http/http_util.h"
 #include "net/http/webfonts_histogram.h"
@@ -112,6 +114,13 @@ void RecordPervasivePayloadIndex(const char* histogram_name, int index) {
   }
 }
 
+bool ShouldByPassCacheForFirstPartySets(
+    const absl::optional<int64_t>& clear_at_run_id,
+    const absl::optional<int64_t>& written_at_run_id) {
+  return clear_at_run_id.has_value() &&
+         (!written_at_run_id.has_value() ||
+          written_at_run_id.value() < clear_at_run_id.value());
+}
 }  // namespace
 
 #define CACHE_STATUS_HISTOGRAMS(type)                                      \
@@ -227,6 +236,7 @@ int HttpCache::Transaction::Start(const HttpRequestInfo* request,
                                   CompletionOnceCallback callback,
                                   const NetLogWithSource& net_log) {
   DCHECK(request);
+  DCHECK(request->IsConsistent());
   DCHECK(!callback.is_null());
   TRACE_EVENT_WITH_FLOW1("net", "HttpCacheTransaction::Start",
                          TRACE_ID_LOCAL(trace_id_), TRACE_EVENT_FLAG_FLOW_OUT,
@@ -379,6 +389,7 @@ int HttpCache::Transaction::TransitionToReadingState() {
       // is reading the auth response from the network.
       // TODO(http://crbug.com/740947) to get rid of this state in future.
       next_state_ = STATE_NETWORK_READ;
+
       return OK;
     }
 
@@ -1577,6 +1588,14 @@ int HttpCache::Transaction::DoCacheReadResponseComplete(int result) {
     return OnCacheReadError(result, true);
   }
 
+  // If the read response matches the clearing filter of FPS, doom the entry
+  // and restart transaction.
+  if (ShouldByPassCacheForFirstPartySets(initial_request_->fps_cache_filter,
+                                         response_.browser_run_id)) {
+    result = ERR_CACHE_ENTRY_NOT_SUITABLE;
+    return OnCacheReadError(result, true);
+  }
+
   if (response_.single_keyed_cache_entry_unusable) {
     RecordPervasivePayloadIndex("Network.CacheTransparency.MarkedUnusable",
                                 request_->pervasive_payloads_index_for_logging);
@@ -1677,7 +1696,8 @@ int HttpCache::Transaction::DoCacheWriteUpdatedPrefetchResponse(int result) {
   // transaction then metadata will be written to cache twice. If prefetching
   // becomes more common, consider combining the writes.
   TransitionToState(STATE_WRITE_UPDATED_PREFETCH_RESPONSE_COMPLETE);
-  return WriteResponseInfoToEntry(*updated_prefetch_response_.get(), false);
+  return WriteResponseInfoToEntry(*updated_prefetch_response_.get(),
+                                  truncated_);
 }
 
 int HttpCache::Transaction::DoCacheWriteUpdatedPrefetchResponseComplete(
@@ -2172,6 +2192,9 @@ int HttpCache::Transaction::DoOverwriteCachedResponse() {
     TransitionToState(STATE_PARTIAL_HEADERS_RECEIVED);
     return OK;
   }
+  // Mark the response with browser_run_id before it gets written.
+  if (initial_request_->browser_run_id.has_value())
+    response_.browser_run_id = initial_request_->browser_run_id;
 
   TransitionToState(STATE_CACHE_WRITE_RESPONSE);
   return OK;
@@ -2462,6 +2485,10 @@ int HttpCache::Transaction::DoNetworkReadComplete(int result) {
 }
 
 int HttpCache::Transaction::DoCacheReadData() {
+  if (entry_) {
+    DCHECK(InWriters() || entry_->TransactionInReaders(this));
+  }
+
   TRACE_EVENT_WITH_FLOW2(
       "net", "HttpCacheTransaction::DoCacheReadData", TRACE_ID_LOCAL(trace_id_),
       TRACE_EVENT_FLAG_FLOW_IN | TRACE_EVENT_FLAG_FLOW_OUT, "read_offset",
@@ -2487,6 +2514,10 @@ int HttpCache::Transaction::DoCacheReadData() {
 }
 
 int HttpCache::Transaction::DoCacheReadDataComplete(int result) {
+  if (entry_) {
+    DCHECK(InWriters() || entry_->TransactionInReaders(this));
+  }
+
   TRACE_EVENT_WITH_FLOW1("net", "HttpCacheTransaction::DoCacheReadDataComplete",
                          TRACE_ID_LOCAL(trace_id_),
                          TRACE_EVENT_FLAG_FLOW_IN | TRACE_EVENT_FLAG_FLOW_OUT,
@@ -2947,6 +2978,77 @@ int HttpCache::Transaction::RestartNetworkRequestWithAuth(
   return rv;
 }
 
+// These values are persisted to logs. Entries should not be renumbered and
+// numeric values should never be reused.
+enum class PrefetchReuseState : uint8_t {
+  kNone = 0,
+
+  // Bit 0 represents if it's reused first time
+  kFirstReuse = 1 << 0,
+
+  // Bit 1 represents if it's reused within the time window
+  kReusedWithinTimeWindow = 1 << 1,
+
+  // Bit 2-3 represents the freshness based on cache headers
+  kFresh = 0 << 2,
+  kAlwaysValidate = 1 << 2,
+  kExpired = 2 << 2,
+  kStale = 3 << 2,
+
+  // histograms require a named max value
+  kBitMaskForAllAttributes = kStale | kReusedWithinTimeWindow | kFirstReuse,
+  kMaxValue = kBitMaskForAllAttributes
+};
+
+namespace {
+std::underlying_type<PrefetchReuseState>::type to_underlying(
+    PrefetchReuseState state) {
+  DCHECK_LE(PrefetchReuseState::kNone, state);
+  DCHECK_LE(state, PrefetchReuseState::kMaxValue);
+
+  return static_cast<std::underlying_type<PrefetchReuseState>::type>(state);
+}
+
+PrefetchReuseState to_reuse_state(
+    std::underlying_type<PrefetchReuseState>::type value) {
+  PrefetchReuseState state = static_cast<PrefetchReuseState>(value);
+  DCHECK_LE(PrefetchReuseState::kNone, state);
+  DCHECK_LE(state, PrefetchReuseState::kMaxValue);
+  return state;
+}
+}  // namespace
+
+PrefetchReuseState ComputePrefetchReuseState(ValidationType type,
+                                             bool first_reuse,
+                                             bool reused_within_time_window,
+                                             bool validate_flag) {
+  std::underlying_type<PrefetchReuseState>::type reuse_state =
+      to_underlying(PrefetchReuseState::kNone);
+
+  if (first_reuse)
+    reuse_state |= to_underlying(PrefetchReuseState::kFirstReuse);
+
+  if (reused_within_time_window)
+    reuse_state |= to_underlying(PrefetchReuseState::kReusedWithinTimeWindow);
+
+  if (validate_flag)
+    reuse_state |= to_underlying(PrefetchReuseState::kAlwaysValidate);
+  else {
+    switch (type) {
+      case VALIDATION_SYNCHRONOUS:
+        reuse_state |= to_underlying(PrefetchReuseState::kExpired);
+        break;
+      case VALIDATION_ASYNCHRONOUS:
+        reuse_state |= to_underlying(PrefetchReuseState::kStale);
+        break;
+      case VALIDATION_NONE:
+        reuse_state |= to_underlying(PrefetchReuseState::kFresh);
+        break;
+    }
+  }
+  return to_reuse_state(reuse_state);
+}
+
 ValidationType HttpCache::Transaction::RequiresValidation() {
   // TODO(darin): need to do more work here:
   //  - make sure we have a matching request method
@@ -2964,30 +3066,49 @@ ValidationType HttpCache::Transaction::RequiresValidation() {
   if (effective_load_flags_ & LOAD_SKIP_CACHE_VALIDATION)
     return VALIDATION_NONE;
 
+  if (method_ == "PUT" || method_ == "DELETE" || method_ == "PATCH")
+    return VALIDATION_SYNCHRONOUS;
+
+  bool validate_flag = effective_load_flags_ & LOAD_VALIDATE_CACHE;
+
+  ValidationType validation_required_by_headers =
+      validate_flag ? VALIDATION_SYNCHRONOUS
+                    : response_.headers->RequiresValidation(
+                          response_.request_time, response_.response_time,
+                          cache_->clock_->Now());
+
   base::TimeDelta response_time_in_cache =
       cache_->clock_->Now() - response_.response_time;
-  if (response_.unused_since_prefetch &&
-      !(effective_load_flags_ & LOAD_PREFETCH) &&
-      (response_time_in_cache < base::Minutes(kPrefetchReuseMins)) &&
+
+  if (!(effective_load_flags_ & LOAD_PREFETCH) &&
       (response_time_in_cache >= base::TimeDelta())) {
+    bool reused_within_time_window =
+        response_time_in_cache < base::Minutes(kPrefetchReuseMins);
+    bool first_reuse = response_.unused_since_prefetch;
+
+    base::UmaHistogramLongTimes("HttpCache.PrefetchReuseTime",
+                                response_time_in_cache);
+    if (first_reuse) {
+      base::UmaHistogramLongTimes("HttpCache.PrefetchFirstReuseTime",
+                                  response_time_in_cache);
+    }
+
+    base::UmaHistogramEnumeration(
+        "HttpCache.PrefetchReuseState",
+        ComputePrefetchReuseState(validation_required_by_headers, first_reuse,
+                                  reused_within_time_window, validate_flag));
     // The first use of a resource after prefetch within a short window skips
     // validation.
-    return VALIDATION_NONE;
+    if (first_reuse && reused_within_time_window) {
+      return VALIDATION_NONE;
+    }
   }
 
-  if (effective_load_flags_ & LOAD_VALIDATE_CACHE) {
+  if (validate_flag) {
     validation_cause_ = VALIDATION_CAUSE_VALIDATE_FLAG;
     return VALIDATION_SYNCHRONOUS;
   }
 
-  if (method_ == "PUT" || method_ == "DELETE" || method_ == "PATCH")
-    return VALIDATION_SYNCHRONOUS;
-
-  ValidationType validation_required_by_headers =
-      response_.headers->RequiresValidation(response_.request_time,
-                                            response_.response_time,
-                                            cache_->clock_->Now());
-
   if (validation_required_by_headers != VALIDATION_NONE) {
     HttpResponseHeaders::FreshnessLifetimes lifetimes =
         response_.headers->GetFreshnessLifetimes(response_.response_time);
diff --git a/chromium/net/http/http_cache_transaction.h b/chromium/net/http/http_cache_transaction.h
index 0a937a3b13e..2ba016c45ab 100644
--- a/chromium/net/http/http_cache_transaction.h
+++ b/chromium/net/http/http_cache_transaction.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_cache_unittest.cc b/chromium/net/http/http_cache_unittest.cc
index 931e1322fc7..9e02783e893 100644
--- a/chromium/net/http/http_cache_unittest.cc
+++ b/chromium/net/http/http_cache_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -73,6 +73,7 @@
 #include "net/websockets/websocket_handshake_stream_base.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/origin.h"
 
 using net::test::IsError;
@@ -389,6 +390,8 @@ const MockTransaction kFastNoStoreGET_Transaction = {
     base::Time(),
     "<html><body>Google Blah Blah</body></html>",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_SYNC_NET_START,
     &FastTransactionServer::FastNoStoreHandler,
     nullptr,
@@ -592,6 +595,8 @@ const MockTransaction kRangeGET_TransactionOK = {
     base::Time(),
     "rg: 40-49 ",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     &RangeTransactionServer::RangeHandler,
     nullptr,
@@ -824,6 +829,8 @@ class HttpSplitCacheKeyTest : public HttpCacheTest {
     request_info.url = url;
     request_info.method = "GET";
     request_info.network_isolation_key = net::NetworkIsolationKey(site, site);
+    request_info.network_anonymization_key =
+        net::NetworkAnonymizationKey(site, site);
     MockHttpCache cache;
     return *cache.http_cache()->GenerateCacheKeyForRequest(&request_info);
   }
@@ -1217,6 +1224,7 @@ TEST_P(HttpCacheTest_SplitCacheFeature, SimpleGETVerifyGoogleFontMetrics) {
   AddMockTransaction(&transaction);
   MockHttpRequest request(transaction);
   request.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  request.network_anonymization_key = NetworkAnonymizationKey(site_a, site_a);
 
   // Attempt to populate the cache.
   RunTransactionTestWithRequest(cache.http_cache(), transaction, request,
@@ -1996,6 +2004,82 @@ TEST_F(HttpCacheTest, SimpleGET_UnusedSincePrefetchWriteError) {
       NetLogWithSource::Make(NetLogSourceType::NONE), nullptr);
 }
 
+// Make sure that if a prefetch entry is truncated, then an attempt to re-use it
+// gets aborted in connected handler that truncated bit is not lost.
+TEST_F(HttpCacheTest, PrefetchTruncateCancelInConnectedCallback) {
+  MockHttpCache cache;
+
+  ScopedMockTransaction transaction(kSimpleGET_Transaction);
+  transaction.response_headers =
+      "Last-Modified: Wed, 28 Nov 2007 00:40:09 GMT\n"
+      "Content-Length: 20\n"
+      "Etag: \"foopy\"\n";
+  transaction.data = "01234567890123456789";
+  transaction.load_flags |= LOAD_PREFETCH | LOAD_CAN_USE_RESTRICTED_PREFETCH;
+
+  // Do a truncated read of a prefetch request.
+  {
+    MockHttpRequest request(transaction);
+    Context c;
+
+    int rv = cache.CreateTransaction(&c.trans);
+    ASSERT_THAT(rv, IsOk());
+
+    rv = c.callback.GetResult(
+        c.trans->Start(&request, c.callback.callback(), NetLogWithSource()));
+    ASSERT_THAT(rv, IsOk());
+
+    // Read less than the whole thing.
+    scoped_refptr<IOBufferWithSize> buf =
+        base::MakeRefCounted<IOBufferWithSize>(10);
+    rv = c.callback.GetResult(
+        c.trans->Read(buf.get(), buf->size(), c.callback.callback()));
+    EXPECT_EQ(buf->size(), rv);
+
+    // Destroy the transaction.
+    c.trans.reset();
+    base::RunLoop().RunUntilIdle();
+
+    VerifyTruncatedFlag(&cache, request.CacheKey(), /*flag_value=*/true,
+                        /*data_size=*/10);
+  }
+
+  // Do a fetch that can use prefetch that aborts in connected handler.
+  transaction.load_flags &= ~LOAD_PREFETCH;
+  {
+    MockHttpRequest request(transaction);
+    Context c;
+
+    int rv = cache.CreateTransaction(&c.trans);
+    ASSERT_THAT(rv, IsOk());
+    c.trans->SetConnectedCallback(base::BindRepeating(
+        [](const TransportInfo& info, CompletionOnceCallback callback) -> int {
+          return net::ERR_ABORTED;
+        }));
+    rv = c.callback.GetResult(
+        c.trans->Start(&request, c.callback.callback(), NetLogWithSource()));
+    EXPECT_EQ(net::ERR_ABORTED, rv);
+
+    // Destroy the transaction.
+    c.trans.reset();
+    base::RunLoop().RunUntilIdle();
+
+    VerifyTruncatedFlag(&cache, request.CacheKey(), /*flag_value=*/true,
+                        /*data_size=*/10);
+  }
+
+  // Now try again without abort.
+  {
+    MockHttpRequest request(transaction);
+    RunTransactionTestWithRequest(cache.http_cache(), transaction, request,
+                                  /*response_info=*/nullptr);
+    base::RunLoop().RunUntilIdle();
+
+    VerifyTruncatedFlag(&cache, request.CacheKey(), /*flag_value=*/false,
+                        /*data_size=*/20);
+  }
+}
+
 static void PreserveRequestHeaders_Handler(const HttpRequestInfo* request,
                                            std::string* response_status,
                                            std::string* response_headers,
@@ -6976,6 +7060,7 @@ TEST_F(HttpCacheTest, SimplePOST_Invalidate_205_SplitCache) {
   AddMockTransaction(&transaction);
   MockHttpRequest req1(transaction);
   req1.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  req1.network_anonymization_key = NetworkAnonymizationKey(site_a, site_a);
 
   // Attempt to populate the cache.
   RunTransactionTestWithRequest(cache.http_cache(), transaction, req1, nullptr);
@@ -6983,6 +7068,7 @@ TEST_F(HttpCacheTest, SimplePOST_Invalidate_205_SplitCache) {
   // Same for a different origin.
   MockHttpRequest req1b(transaction);
   req1b.network_isolation_key = NetworkIsolationKey(site_b, site_b);
+  req1b.network_anonymization_key = NetworkAnonymizationKey(site_b, site_b);
   RunTransactionTestWithRequest(cache.http_cache(), transaction, req1b,
                                 nullptr);
 
@@ -7000,6 +7086,7 @@ TEST_F(HttpCacheTest, SimplePOST_Invalidate_205_SplitCache) {
   MockHttpRequest req2(transaction);
   req2.upload_data_stream = &upload_data_stream;
   req2.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  req2.network_anonymization_key = NetworkAnonymizationKey(site_a, site_a);
 
   RunTransactionTestWithRequest(cache.http_cache(), transaction, req2, nullptr);
 
@@ -10953,6 +11040,8 @@ TEST_F(HttpCacheTest, SplitCacheWithNetworkIsolationKey) {
   // Request with a.com as the top frame and subframe origins. It shouldn't be
   // cached.
   trans_info.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_a, site_a);
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -10968,6 +11057,8 @@ TEST_F(HttpCacheTest, SplitCacheWithNetworkIsolationKey) {
 
   // Now request with b.com as the subframe origin. It shouldn't be cached.
   trans_info.network_isolation_key = NetworkIsolationKey(site_a, site_b);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_a, site_b);
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -10979,6 +11070,8 @@ TEST_F(HttpCacheTest, SplitCacheWithNetworkIsolationKey) {
 
   // a.com should still be cached.
   trans_info.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_a, site_a);
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_TRUE(response.was_cached);
@@ -10986,6 +11079,8 @@ TEST_F(HttpCacheTest, SplitCacheWithNetworkIsolationKey) {
   // Now make a request with an opaque subframe site.  It shouldn't be
   // cached.
   trans_info.network_isolation_key = NetworkIsolationKey(site_a, site_data);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_a, site_data);
   EXPECT_EQ(absl::nullopt, trans_info.network_isolation_key.ToCacheKeyString());
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
@@ -11007,6 +11102,7 @@ TEST_F(HttpCacheTest, SplitCacheWithNetworkIsolationKey) {
 
   MockHttpRequest post_info = MockHttpRequest(kSimplePOST_Transaction);
   post_info.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  post_info.network_anonymization_key = NetworkAnonymizationKey(site_a, site_a);
   post_info.upload_data_stream = &upload_data_stream;
 
   RunTransactionTestWithRequest(cache.http_cache(), kSimplePOST_Transaction,
@@ -11032,6 +11128,8 @@ TEST_F(HttpCacheTest, HttpCacheProfileThirdPartyCSS) {
   // Requesting with the same top-frame site should not count as third-party
   // but should still be recorded as CSS
   trans_info.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_a, site_a);
   trans_info.possibly_top_frame_origin = origin_a;
 
   RunTransactionTestWithRequest(cache.http_cache(), transaction, trans_info,
@@ -11044,6 +11142,8 @@ TEST_F(HttpCacheTest, HttpCacheProfileThirdPartyCSS) {
   // Requesting with a different top-frame site should count as third-party
   // and recorded as CSS
   trans_info.network_isolation_key = NetworkIsolationKey(site_b, site_b);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_b, site_b);
   trans_info.possibly_top_frame_origin = origin_b;
 
   RunTransactionTestWithRequest(cache.http_cache(), transaction, trans_info,
@@ -11071,6 +11171,8 @@ TEST_F(HttpCacheTest, HttpCacheProfileThirdPartyJavaScript) {
   // Requesting with the same top-frame site should not count as third-party
   // but should still be recorded as JavaScript
   trans_info.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_a, site_a);
   trans_info.possibly_top_frame_origin = origin_a;
 
   RunTransactionTestWithRequest(cache.http_cache(), transaction, trans_info,
@@ -11083,6 +11185,8 @@ TEST_F(HttpCacheTest, HttpCacheProfileThirdPartyJavaScript) {
   // Requesting with a different top-frame site should count as third-party
   // and recorded as JavaScript
   trans_info.network_isolation_key = NetworkIsolationKey(site_b, site_b);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_b, site_b);
   trans_info.possibly_top_frame_origin = origin_b;
 
   RunTransactionTestWithRequest(cache.http_cache(), transaction, trans_info,
@@ -11110,6 +11214,8 @@ TEST_F(HttpCacheTest, HttpCacheProfileThirdPartyFont) {
   // Requesting with the same top-frame site should not count as third-party
   // but should still be recorded as a font
   trans_info.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_a, site_a);
   trans_info.possibly_top_frame_origin = origin_a;
 
   RunTransactionTestWithRequest(cache.http_cache(), transaction, trans_info,
@@ -11122,6 +11228,8 @@ TEST_F(HttpCacheTest, HttpCacheProfileThirdPartyFont) {
   // Requesting with a different top-frame site should count as third-party
   // and recorded as a font
   trans_info.network_isolation_key = NetworkIsolationKey(site_b, site_b);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_b, site_b);
   trans_info.possibly_top_frame_origin = origin_b;
 
   RunTransactionTestWithRequest(cache.http_cache(), transaction, trans_info,
@@ -11147,6 +11255,7 @@ TEST_F(HttpCacheTest, SplitCache) {
   // A request without a top frame origin is not cached at all.
   MockHttpRequest trans_info = MockHttpRequest(kSimpleGET_Transaction);
   trans_info.network_isolation_key = net::NetworkIsolationKey();
+  trans_info.network_anonymization_key = net::NetworkAnonymizationKey();
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -11163,7 +11272,9 @@ TEST_F(HttpCacheTest, SplitCache) {
   // Now request with a.com as the top frame origin. It shouldn't be cached
   // since the cached resource has a different top frame origin.
   net::NetworkIsolationKey key_a(site_a, site_a);
+  net::NetworkAnonymizationKey nak_a(site_a, site_a);
   trans_info.network_isolation_key = key_a;
+  trans_info.network_anonymization_key = nak_a;
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -11192,6 +11303,8 @@ TEST_F(HttpCacheTest, SplitCache) {
 
   // Now request with b.com as the top frame origin. It shouldn't be cached.
   trans_info.network_isolation_key = NetworkIsolationKey(site_b, site_b);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_b, site_b);
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -11203,6 +11316,7 @@ TEST_F(HttpCacheTest, SplitCache) {
 
   // a.com should still be cached.
   trans_info.network_isolation_key = key_a;
+  trans_info.network_anonymization_key = nak_a;
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_TRUE(response.was_cached);
@@ -11210,6 +11324,8 @@ TEST_F(HttpCacheTest, SplitCache) {
   // Now make a request with an opaque top frame origin.  It shouldn't be
   // cached.
   trans_info.network_isolation_key = NetworkIsolationKey(site_data, site_data);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(site_data, site_data);
   EXPECT_EQ(absl::nullopt, trans_info.network_isolation_key.ToCacheKeyString());
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
@@ -11231,6 +11347,7 @@ TEST_F(HttpCacheTest, SplitCache) {
 
   MockHttpRequest post_info = MockHttpRequest(kSimplePOST_Transaction);
   post_info.network_isolation_key = NetworkIsolationKey(site_a, site_a);
+  post_info.network_anonymization_key = NetworkAnonymizationKey(site_a, site_a);
   post_info.upload_data_stream = &upload_data_stream;
 
   RunTransactionTestWithRequest(cache.http_cache(), kSimplePOST_Transaction,
@@ -11250,7 +11367,9 @@ TEST_F(HttpCacheTest, SplitCacheEnabledByDefault) {
   SchemefulSite site_b(GURL("http://b.com"));
   MockHttpRequest trans_info = MockHttpRequest(kSimpleGET_Transaction);
   net::NetworkIsolationKey key_a(site_a, site_a);
+  net::NetworkAnonymizationKey nak_a(site_a, site_a);
   trans_info.network_isolation_key = key_a;
+  trans_info.network_anonymization_key = nak_a;
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -11262,7 +11381,9 @@ TEST_F(HttpCacheTest, SplitCacheEnabledByDefault) {
   EXPECT_TRUE(response.was_cached);
 
   net::NetworkIsolationKey key_b(site_b, site_b);
+  net::NetworkAnonymizationKey nak_b(site_b, site_b);
   trans_info.network_isolation_key = key_b;
+  trans_info.network_anonymization_key = nak_b;
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -11293,7 +11414,9 @@ TEST_F(HttpCacheTest, SplitCacheUsesRegistrableDomain) {
   SchemefulSite site_b(GURL("http://b.foo.com"));
 
   net::NetworkIsolationKey key_a(site_a, site_a);
+  net::NetworkAnonymizationKey nak_a(site_a, site_a);
   trans_info.network_isolation_key = key_a;
+  trans_info.network_anonymization_key = nak_a;
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -11304,7 +11427,9 @@ TEST_F(HttpCacheTest, SplitCacheUsesRegistrableDomain) {
   // The second request with a different origin but the same registrable domain
   // should be a cache hit.
   net::NetworkIsolationKey key_b(site_b, site_b);
+  net::NetworkAnonymizationKey nak_b(site_b, site_b);
   trans_info.network_isolation_key = key_b;
+  trans_info.network_anonymization_key = nak_b;
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_TRUE(response.was_cached);
@@ -11312,7 +11437,9 @@ TEST_F(HttpCacheTest, SplitCacheUsesRegistrableDomain) {
   // Request with a different registrable domain. It should be a cache miss.
   SchemefulSite new_site_a(GURL("http://a.bar.com"));
   net::NetworkIsolationKey new_key_a(new_site_a, new_site_a);
+  net::NetworkAnonymizationKey new_nak_a(new_site_a, new_site_a);
   trans_info.network_isolation_key = new_key_a;
+  trans_info.network_anonymization_key = new_nak_a;
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -11330,6 +11457,7 @@ TEST_F(HttpCacheTest, NonSplitCache) {
   // A request without a top frame is cached normally.
   MockHttpRequest trans_info = MockHttpRequest(kSimpleGET_Transaction);
   trans_info.network_isolation_key = NetworkIsolationKey();
+  trans_info.network_anonymization_key = NetworkAnonymizationKey();
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -11343,6 +11471,8 @@ TEST_F(HttpCacheTest, NonSplitCache) {
   // cached object.
   const SchemefulSite kSiteA(GURL("http://a.com/"));
   trans_info.network_isolation_key = NetworkIsolationKey(kSiteA, kSiteA);
+  trans_info.network_anonymization_key =
+      NetworkAnonymizationKey(kSiteA, kSiteA);
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_TRUE(response.was_cached);
@@ -13529,6 +13659,71 @@ TEST_F(HttpCacheTest, DnsAliasesRevalidation) {
   EXPECT_THAT(response.dns_aliases, testing::ElementsAre("alias3", "alias4"));
 }
 
+TEST_F(HttpCacheTest, FirstPartySetsBypassCache_ShouldBypass_NoId) {
+  MockHttpCache cache;
+  HttpResponseInfo response;
+  ScopedMockTransaction transaction(kSimpleGET_Transaction);
+
+  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
+                                     &response);
+  EXPECT_FALSE(response.was_cached);
+
+  transaction.fps_cache_filter = {5};
+  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
+                                     &response);
+  EXPECT_FALSE(response.was_cached);
+}
+
+TEST_F(HttpCacheTest, FirstPartySetsBypassCache_ShouldBypass_IdTooSmall) {
+  MockHttpCache cache;
+  HttpResponseInfo response;
+  ScopedMockTransaction transaction(kSimpleGET_Transaction);
+  const int64_t kBrowserRunId = 4;
+  transaction.browser_run_id = {kBrowserRunId};
+  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
+                                     &response);
+  EXPECT_FALSE(response.was_cached);
+  EXPECT_TRUE(response.browser_run_id.has_value());
+  EXPECT_EQ(kBrowserRunId, response.browser_run_id.value());
+
+  transaction.fps_cache_filter = {5};
+  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
+                                     &response);
+  EXPECT_FALSE(response.was_cached);
+}
+
+TEST_F(HttpCacheTest, FirstPartySetsBypassCache_ShouldNotBypass) {
+  MockHttpCache cache;
+  HttpResponseInfo response;
+  ScopedMockTransaction transaction(kSimpleGET_Transaction);
+  const int64_t kBrowserRunId = 5;
+  transaction.browser_run_id = {kBrowserRunId};
+  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
+                                     &response);
+  EXPECT_FALSE(response.was_cached);
+  EXPECT_TRUE(response.browser_run_id.has_value());
+  EXPECT_EQ(kBrowserRunId, response.browser_run_id.value());
+
+  transaction.fps_cache_filter = {5};
+  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
+                                     &response);
+  EXPECT_TRUE(response.was_cached);
+}
+
+TEST_F(HttpCacheTest, FirstPartySetsBypassCache_ShouldNotBypass_NoFilter) {
+  MockHttpCache cache;
+  HttpResponseInfo response;
+  ScopedMockTransaction transaction(kSimpleGET_Transaction);
+
+  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
+                                     &response);
+  EXPECT_FALSE(response.was_cached);
+
+  RunTransactionTestWithResponseInfo(cache.http_cache(), transaction,
+                                     &response);
+  EXPECT_TRUE(response.was_cached);
+}
+
 TEST_F(HttpCacheTest, SecurityHeadersAreCopiedToConditionalizedResponse) {
   MockHttpCache cache;
   HttpResponseInfo response;
@@ -13590,6 +13785,9 @@ class HttpCacheSingleKeyedCacheTest : public HttpCacheTest {
 
     MockHttpRequest request(transaction);
     request.network_isolation_key = network_isolation_key;
+    request.network_anonymization_key =
+        net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+            network_isolation_key);
     request.checksum = checksum;
 
     HttpResponseInfo response_info;
diff --git a/chromium/net/http/http_cache_writers.cc b/chromium/net/http/http_cache_writers.cc
index 76b70c258b5..cd4abe0ed41 100644
--- a/chromium/net/http/http_cache_writers.cc
+++ b/chromium/net/http/http_cache_writers.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -461,8 +461,9 @@ int HttpCache::Writers::DoNetworkReadComplete(int result) {
 void HttpCache::Writers::OnNetworkReadFailure(int result) {
   ProcessFailure(result);
 
-  if (active_transaction_)
+  if (active_transaction_) {
     EraseTransaction(active_transaction_, result);
+  }
   active_transaction_ = nullptr;
 
   if (ShouldTruncate())
@@ -522,7 +523,7 @@ int HttpCache::Writers::DoCacheWriteDataComplete(int result) {
     if (write_len_ > 0) {
       checksum_->Update(read_buf_->data(), write_len_);
     } else {
-      CHECK(active_transaction_);
+      DCHECK(active_transaction_);
       if (!active_transaction_->ResponseChecksumMatches(std::move(checksum_))) {
         next_state_ = State::MARK_SINGLE_KEYED_CACHE_ENTRY_UNUSABLE;
         return result;
@@ -598,16 +599,18 @@ void HttpCache::Writers::OnDataReceived(int result) {
       return;
     }
 
-    if (active_transaction_)
+    if (active_transaction_) {
       EraseTransaction(active_transaction_, result);
+    }
     active_transaction_ = nullptr;
     CompleteWaitingForReadTransactions(write_len_);
 
     // Invoke entry processing.
     DCHECK(ContainsOnlyIdleWriters());
     TransactionSet make_readers;
-    for (auto& writer : all_writers_)
+    for (auto& writer : all_writers_) {
       make_readers.insert(writer.first);
+    }
     all_writers_.clear();
     SetCacheCallback(true, make_readers);
     // We assume the set callback will be called immediately.
@@ -662,8 +665,9 @@ void HttpCache::Writers::CompleteWaitingForReadTransactions(int result) {
 
     // If its response completion or failure, this transaction needs to be
     // removed from writers.
-    if (result <= 0)
+    if (result <= 0) {
       EraseTransaction(transaction, result);
+    }
   }
 }
 
diff --git a/chromium/net/http/http_cache_writers.h b/chromium/net/http/http_cache_writers.h
index 7de8dde0c7c..f149fc819b1 100644
--- a/chromium/net/http/http_cache_writers.h
+++ b/chromium/net/http/http_cache_writers.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -115,9 +115,6 @@ class NET_EXPORT_PRIVATE HttpCache::Writers {
   // Returns true if this object is empty.
   bool IsEmpty() const { return all_writers_.empty(); }
 
-  // Invoked during HttpCache's destruction.
-  void Clear() { all_writers_.clear(); }
-
   // Returns true if |transaction| is part of writers.
   bool HasTransaction(const Transaction* transaction) const {
     return all_writers_.count(const_cast<Transaction*>(transaction)) > 0;
@@ -249,7 +246,7 @@ class NET_EXPORT_PRIVATE HttpCache::Writers {
   raw_ptr<HttpCache> const cache_ = nullptr;
 
   // Owner of |this|.
-  raw_ptr<ActiveEntry> const entry_ = nullptr;
+  raw_ptr<ActiveEntry, DanglingUntriaged> const entry_ = nullptr;
 
   std::unique_ptr<HttpTransaction> network_transaction_;
 
diff --git a/chromium/net/http/http_cache_writers_unittest.cc b/chromium/net/http/http_cache_writers_unittest.cc
index 275b6b7ad3d..4fdc2c9c1c9 100644
--- a/chromium/net/http/http_cache_writers_unittest.cc
+++ b/chromium/net/http/http_cache_writers_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_chunked_decoder.cc b/chromium/net/http/http_chunked_decoder.cc
index c6ae91fbd6e..ee237122262 100644
--- a/chromium/net/http/http_chunked_decoder.cc
+++ b/chromium/net/http/http_chunked_decoder.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_chunked_decoder.h b/chromium/net/http/http_chunked_decoder.h
index 99afb0b0d90..7224db008f7 100644
--- a/chromium/net/http/http_chunked_decoder.h
+++ b/chromium/net/http/http_chunked_decoder.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_chunked_decoder_fuzzer.cc b/chromium/net/http/http_chunked_decoder_fuzzer.cc
index 91506579672..0da008cb8a6 100644
--- a/chromium/net/http/http_chunked_decoder_fuzzer.cc
+++ b/chromium/net/http/http_chunked_decoder_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_chunked_decoder_unittest.cc b/chromium/net/http/http_chunked_decoder_unittest.cc
index f3a34c1ba91..2dab8cc7c33 100644
--- a/chromium/net/http/http_chunked_decoder_unittest.cc
+++ b/chromium/net/http/http_chunked_decoder_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright 2006-2008 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_content_disposition.cc b/chromium/net/http/http_content_disposition.cc
index c007c3caba9..f70d98eb3cc 100644
--- a/chromium/net/http/http_content_disposition.cc
+++ b/chromium/net/http/http_content_disposition.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_content_disposition.h b/chromium/net/http/http_content_disposition.h
index 476eebeabf7..ddebc54cc98 100644
--- a/chromium/net/http/http_content_disposition.h
+++ b/chromium/net/http/http_content_disposition.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_content_disposition_fuzzer.cc b/chromium/net/http/http_content_disposition_fuzzer.cc
index d6769e3bcb7..35ab03cded4 100644
--- a/chromium/net/http/http_content_disposition_fuzzer.cc
+++ b/chromium/net/http/http_content_disposition_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_content_disposition_unittest.cc b/chromium/net/http/http_content_disposition_unittest.cc
index d526dbfc716..be60ce1b6b5 100644
--- a/chromium/net/http/http_content_disposition_unittest.cc
+++ b/chromium/net/http/http_content_disposition_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_log_util.cc b/chromium/net/http/http_log_util.cc
index 70d15a64f28..f96f34aff35 100644
--- a/chromium/net/http/http_log_util.cc
+++ b/chromium/net/http/http_log_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_log_util.h b/chromium/net/http/http_log_util.h
index ca417487338..247483995da 100644
--- a/chromium/net/http/http_log_util.h
+++ b/chromium/net/http/http_log_util.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_log_util_unittest.cc b/chromium/net/http/http_log_util_unittest.cc
index c4406c8afdb..29637c25b48 100644
--- a/chromium/net/http/http_log_util_unittest.cc
+++ b/chromium/net/http/http_log_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_network_layer.cc b/chromium/net/http/http_network_layer.cc
index a9415436277..d1cc859e1bc 100644
--- a/chromium/net/http/http_network_layer.cc
+++ b/chromium/net/http/http_network_layer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_network_layer.h b/chromium/net/http/http_network_layer.h
index 4bbf32f1f2b..e40d5171660 100644
--- a/chromium/net/http/http_network_layer.h
+++ b/chromium/net/http/http_network_layer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_network_layer_unittest.cc b/chromium/net/http/http_network_layer_unittest.cc
index 3578cdf0025..51b7dd208da 100644
--- a/chromium/net/http/http_network_layer_unittest.cc
+++ b/chromium/net/http/http_network_layer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_network_session.cc b/chromium/net/http/http_network_session.cc
index e90b6c1c30b..19656f80e31 100644
--- a/chromium/net/http/http_network_session.cc
+++ b/chromium/net/http/http_network_session.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -140,7 +140,7 @@ HttpNetworkSession::HttpNetworkSession(const HttpNetworkSessionParams& params,
       proxy_resolution_service_(context.proxy_resolution_service),
       ssl_config_service_(context.ssl_config_service),
       http_auth_cache_(
-          params.key_auth_cache_server_entries_by_network_isolation_key),
+          params.key_auth_cache_server_entries_by_network_anonymization_key),
       ssl_client_session_cache_(SSLClientSessionCache::Config()),
       ssl_client_context_(context.ssl_config_service,
                           context.cert_verifier,
diff --git a/chromium/net/http/http_network_session.h b/chromium/net/http/http_network_session.h
index e447de32fc9..04f77473a72 100644
--- a/chromium/net/http/http_network_session.h
+++ b/chromium/net/http/http_network_session.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -165,7 +165,7 @@ struct NET_EXPORT HttpNetworkSessionParams {
   // If true, idle sockets won't be closed when memory pressure happens.
   bool disable_idle_sockets_close_on_memory_pressure = false;
 
-  bool key_auth_cache_server_entries_by_network_isolation_key = false;
+  bool key_auth_cache_server_entries_by_network_anonymization_key = false;
 
   // If true, enable sending PRIORITY_UPDATE frames until SETTINGS frame
   // arrives.  After SETTINGS frame arrives, do not send PRIORITY_UPDATE
@@ -211,9 +211,8 @@ struct NET_EXPORT HttpNetworkSessionContext {
   raw_ptr<NetworkQualityEstimator> network_quality_estimator;
   raw_ptr<QuicContext> quic_context;
 #if BUILDFLAG(ENABLE_REPORTING)
-  raw_ptr<ReportingService, DanglingUntriaged> reporting_service;
-  raw_ptr<NetworkErrorLoggingService, DanglingUntriaged>
-      network_error_logging_service;
+  raw_ptr<ReportingService> reporting_service;
+  raw_ptr<NetworkErrorLoggingService> network_error_logging_service;
 #endif
 
     // Optional factory to use for creating QuicCryptoClientStreams.
@@ -338,9 +337,8 @@ class NET_EXPORT HttpNetworkSession {
   const raw_ptr<HostResolver> host_resolver_;
 
 #if BUILDFLAG(ENABLE_REPORTING)
-  const raw_ptr<ReportingService, DanglingUntriaged> reporting_service_;
-  const raw_ptr<NetworkErrorLoggingService, DanglingUntriaged>
-      network_error_logging_service_;
+  const raw_ptr<ReportingService> reporting_service_;
+  const raw_ptr<NetworkErrorLoggingService> network_error_logging_service_;
 #endif
   const raw_ptr<ProxyResolutionService> proxy_resolution_service_;
   const raw_ptr<SSLConfigService> ssl_config_service_;
diff --git a/chromium/net/http/http_network_session_peer.cc b/chromium/net/http/http_network_session_peer.cc
index 547596adba0..8cddda30c67 100644
--- a/chromium/net/http/http_network_session_peer.cc
+++ b/chromium/net/http/http_network_session_peer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_network_session_peer.h b/chromium/net/http/http_network_session_peer.h
index 8a76d9fd381..9f421445ba0 100644
--- a/chromium/net/http/http_network_session_peer.h
+++ b/chromium/net/http/http_network_session_peer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_network_transaction.cc b/chromium/net/http/http_network_transaction.cc
index 180daca912d..84f5b7e3019 100644
--- a/chromium/net/http/http_network_transaction.cc
+++ b/chromium/net/http/http_network_transaction.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -151,10 +151,11 @@ int HttpNetworkTransaction::Start(const HttpRequestInfo* request_info,
     return ERR_CACHE_MISS;
 
   DCHECK(request_info->traffic_annotation.is_valid());
+  DCHECK(request_info->IsConsistent());
   net_log_ = net_log;
   request_ = request_info;
   url_ = request_->url;
-  network_isolation_key_ = request_->network_isolation_key;
+  network_anonymization_key_ = request_->network_anonymization_key;
 #if BUILDFLAG(ENABLE_REPORTING)
   // Store values for later use in NEL report generation.
   request_method_ = request_->method;
@@ -308,7 +309,7 @@ void HttpNetworkTransaction::PrepareForAuthRestart(HttpAuth::Target target) {
   if (target == HttpAuth::AUTH_SERVER &&
       auth_controllers_[target]->NeedsHTTP11()) {
     session_->http_server_properties()->SetHTTP11Required(
-        url::SchemeHostPort(request_->url), network_isolation_key_);
+        url::SchemeHostPort(request_->url), network_anonymization_key_);
   }
 
   bool keep_alive = false;
@@ -553,6 +554,8 @@ void HttpNetworkTransaction::OnStreamReady(const SSLConfig& used_ssl_config,
   response_.was_alpn_negotiated = stream_request_->was_alpn_negotiated();
   response_.alpn_negotiated_protocol =
       NextProtoToString(stream_request_->negotiated_protocol());
+  response_.alternate_protocol_usage =
+      stream_request_->alternate_protocol_usage();
   response_.was_fetched_via_spdy = stream_request_->using_spdy();
   response_.dns_aliases = stream_->GetDnsAliases();
   SetProxyInfoInReponse(used_proxy_info, &response_);
@@ -935,7 +938,7 @@ int HttpNetworkTransaction::DoGenerateProxyAuthToken() {
   HttpAuth::Target target = HttpAuth::AUTH_PROXY;
   if (!auth_controllers_[target].get())
     auth_controllers_[target] = base::MakeRefCounted<HttpAuthController>(
-        target, AuthURL(target), request_->network_isolation_key,
+        target, AuthURL(target), request_->network_anonymization_key,
         session_->http_auth_cache(), session_->http_auth_handler_factory(),
         session_->host_resolver());
   return auth_controllers_[target]->MaybeGenerateAuthToken(request_,
@@ -955,7 +958,7 @@ int HttpNetworkTransaction::DoGenerateServerAuthToken() {
   HttpAuth::Target target = HttpAuth::AUTH_SERVER;
   if (!auth_controllers_[target].get()) {
     auth_controllers_[target] = base::MakeRefCounted<HttpAuthController>(
-        target, AuthURL(target), request_->network_isolation_key,
+        target, AuthURL(target), request_->network_anonymization_key,
         session_->http_auth_cache(), session_->http_auth_handler_factory(),
         session_->host_resolver());
     if (request_->load_flags & LOAD_DO_NOT_USE_EMBEDDED_IDENTITY)
@@ -1233,7 +1236,7 @@ int HttpNetworkTransaction::DoReadHeadersComplete(int result) {
     if (response_.ssl_info.is_valid() &&
         !IsCertStatusError(response_.ssl_info.cert_status)) {
       session_->http_stream_factory()->ProcessAlternativeServices(
-          session_, network_isolation_key_, response_.headers.get(),
+          session_, network_anonymization_key_, response_.headers.get(),
           url::SchemeHostPort(request_->url));
     }
   }
@@ -1332,7 +1335,7 @@ int HttpNetworkTransaction::DoReadBodyComplete(int result) {
       HistogramBrokenAlternateProtocolLocation(
           BROKEN_ALTERNATE_PROTOCOL_LOCATION_HTTP_NETWORK_TRANSACTION);
       session_->http_server_properties()->MarkAlternativeServiceBroken(
-          retried_alternative_service_, network_isolation_key_);
+          retried_alternative_service_, network_anonymization_key_);
     }
 
 #if BUILDFLAG(ENABLE_REPORTING)
@@ -1402,7 +1405,7 @@ void HttpNetworkTransaction::ProcessReportToHeader() {
     return;
 
   reporting_service->ProcessReportToHeader(url::Origin::Create(url_),
-                                           network_isolation_key_, value);
+                                           network_anonymization_key_, value);
 }
 
 void HttpNetworkTransaction::ProcessNetworkErrorLoggingHeader() {
@@ -1432,7 +1435,7 @@ void HttpNetworkTransaction::ProcessNetworkErrorLoggingHeader() {
   if (remote_endpoint_.address().empty())
     return;
 
-  network_error_logging_service->OnHeader(network_isolation_key_,
+  network_error_logging_service->OnHeader(network_anonymization_key_,
                                           url::Origin::Create(url_),
                                           remote_endpoint_.address(), value);
 }
@@ -1473,7 +1476,7 @@ void HttpNetworkTransaction::GenerateNetworkErrorLoggingReport(int rv) {
 
   NetworkErrorLoggingService::RequestDetails details;
 
-  details.network_isolation_key = network_isolation_key_;
+  details.network_anonymization_key = network_anonymization_key_;
   details.uri = url_;
   if (!request_referrer_.empty())
     details.referrer = GURL(request_referrer_);
@@ -1642,7 +1645,7 @@ int HttpNetworkTransaction::HandleIOError(int error) {
     case ERR_QUIC_PROTOCOL_ERROR:
       if (GetResponseHeaders() != nullptr ||
           !stream_->GetAlternativeService(&retried_alternative_service_)) {
-        // If the response headers have already been recieved and passed up
+        // If the response headers have already been received and passed up
         // then the request can not be retried. Also, if there was no
         // alternative service used for this request, then there is no
         // alternative service to be disabled.
@@ -1651,7 +1654,7 @@ int HttpNetworkTransaction::HandleIOError(int error) {
       if (HasExceededMaxRetries())
         break;
       if (session_->http_server_properties()->IsAlternativeServiceBroken(
-              retried_alternative_service_, network_isolation_key_)) {
+              retried_alternative_service_, network_anonymization_key_)) {
         // If the alternative service was marked as broken while the request
         // was in flight, retry the request which will not use the broken
         // alternative service.
diff --git a/chromium/net/http/http_network_transaction.h b/chromium/net/http/http_network_transaction.h
index 525a4b1f9de..432c5542aaf 100644
--- a/chromium/net/http/http_network_transaction.h
+++ b/chromium/net/http/http_network_transaction.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -20,7 +20,7 @@
 #include "net/base/completion_repeating_callback.h"
 #include "net/base/net_error_details.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/request_priority.h"
 #include "net/http/http_auth.h"
 #include "net/http/http_request_headers.h"
@@ -337,7 +337,7 @@ class NET_EXPORT_PRIVATE HttpNetworkTransaction
 
   // Copied from |request_|, as it's needed after the response body has been
   // read.
-  NetworkIsolationKey network_isolation_key_;
+  NetworkAnonymizationKey network_anonymization_key_;
 
   // |proxy_info_| is the ProxyInfo used by the HttpStreamRequest.
   ProxyInfo proxy_info_;
diff --git a/chromium/net/http/http_network_transaction_unittest.cc b/chromium/net/http/http_network_transaction_unittest.cc
index 0897eb3e2ba..a64a16a289b 100644
--- a/chromium/net/http/http_network_transaction_unittest.cc
+++ b/chromium/net/http/http_network_transaction_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -297,7 +297,7 @@ class CapturingProxyResolver : public ProxyResolver {
  public:
   struct LookupInfo {
     GURL url;
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
   };
 
   CapturingProxyResolver()
@@ -309,13 +309,13 @@ class CapturingProxyResolver : public ProxyResolver {
   ~CapturingProxyResolver() override = default;
 
   int GetProxyForURL(const GURL& url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
                      const NetLogWithSource& net_log) override {
     results->UseProxyServer(proxy_server_);
-    lookup_info_.push_back(LookupInfo{url, network_isolation_key});
+    lookup_info_.push_back(LookupInfo{url, network_anonymization_key});
     return OK;
   }
 
@@ -617,6 +617,10 @@ class HttpNetworkTransactionTest : public PlatformTest,
 
   const CommonConnectJobParams dummy_connect_job_params_;
 
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey =
+      NetworkAnonymizationKey(SchemefulSite(GURL("https://foo.test/")),
+                              SchemefulSite(GURL("https://bar.test/")));
+
   const net::NetworkIsolationKey kNetworkIsolationKey =
       NetworkIsolationKey(SchemefulSite(GURL("https://foo.test/")),
                           SchemefulSite(GURL("https://bar.test/")));
@@ -3729,7 +3733,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyNoKeepAliveHttp10) {
   HttpAuthCache::Entry* entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(url::SchemeHostPort(GURL("http://myproxy:70"))),
       HttpAuth::AUTH_PROXY, "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
-      NetworkIsolationKey());
+      NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo, entry->credentials().username());
   ASSERT_EQ(kBar, entry->credentials().password());
@@ -4509,14 +4513,14 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyMatchesServerAuthNoTunnel) {
   HttpAuthCache::Entry* entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(url::SchemeHostPort(GURL("http://myproxy:70"))),
       HttpAuth::AUTH_PROXY, "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
-      NetworkIsolationKey());
+      NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo, entry->credentials().username());
   ASSERT_EQ(kBar, entry->credentials().password());
   entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(url::SchemeHostPort(GURL("http://myproxy:70"))),
       HttpAuth::AUTH_SERVER, "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
-      NetworkIsolationKey());
+      NetworkAnonymizationKey());
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo2, entry->credentials().username());
   ASSERT_EQ(kBar2, entry->credentials().password());
@@ -4542,20 +4546,22 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyMatchesServerAuthNoTunnel) {
 
 // Test the no-tunnel HTTP auth case where proxy and server origins and realms
 // are the same, but the user/passwords are different, and with different
-// NetworkIsolationKeys. Sends one request with a NIK, response to both proxy
-// and auth challenges, sends another request with another NIK, expecting only
-// the proxy credentials to be cached, and thus sees only a server auth
+// NetworkAnonymizationKeys. Sends one request with a NIK, response to both
+// proxy and auth challenges, sends another request with another NIK, expecting
+// only the proxy credentials to be cached, and thus sees only a server auth
 // challenge. Then sends a request with the original NIK, expecting cached proxy
 // and auth credentials that match the ones used in the first request.
 //
 // Serves to verify credentials are correctly separated based on
-// HttpAuth::Target and NetworkIsolationKeys, but NetworkIsolationKey only
-// affects server credentials, not proxy credentials.
+// HttpAuth::Target and NetworkAnonymizationKeys, but NetworkAnonymizationKey
+// only affects server credentials, not proxy credentials.
 TEST_F(HttpNetworkTransactionTest,
-       BasicAuthProxyMatchesServerAuthWithNetworkIsolationKeyNoTunnel) {
+       BasicAuthProxyMatchesServerAuthWithNetworkAnonymizationKeyNoTunnel) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
   const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
 
   // This test would need to use a single socket without this option enabled.
@@ -4573,7 +4579,8 @@ TEST_F(HttpNetworkTransactionTest,
       NetLogWithSource::Make(NetLogSourceType::NONE);
 
   session_deps_.net_log = NetLog::Get();
-  session_deps_.key_auth_cache_server_entries_by_network_isolation_key = true;
+  session_deps_.key_auth_cache_server_entries_by_network_anonymization_key =
+      true;
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
   MockWrite data_writes[] = {
@@ -4630,7 +4637,7 @@ TEST_F(HttpNetworkTransactionTest,
   session_deps_.socket_factory->AddSocketDataProvider(&data);
 
   MockWrite data_writes2[] = {
-      // Initial request using a different NetworkIsolationKey includes the
+      // Initial request using a different NetworkAnonymizationKey includes the
       // cached proxy credentials, but not server credentials.
       MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
                 "Host: myproxy:70\r\n"
@@ -4669,6 +4676,7 @@ TEST_F(HttpNetworkTransactionTest,
   request.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   request.network_isolation_key = kNetworkIsolationKey1;
+  request.network_anonymization_key = kNetworkAnonymizationKey1;
 
   auto trans =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
@@ -4704,36 +4712,39 @@ TEST_F(HttpNetworkTransactionTest,
   EXPECT_EQ("hello", response_data);
 
   // Check that the proxy credentials were cached correctly. The should be
-  // accessible with any NetworkIsolationKey.
+  // accessible with any NetworkAnonymizationKey.
   HttpAuthCache::Entry* entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(url::SchemeHostPort(GURL("http://myproxy:70"))),
       HttpAuth::AUTH_PROXY, "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
-      kNetworkIsolationKey1);
+      kNetworkAnonymizationKey1);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo, entry->credentials().username());
   ASSERT_EQ(kBar, entry->credentials().password());
   EXPECT_EQ(entry, session->http_auth_cache()->Lookup(
                        url::SchemeHostPort(GURL("http://myproxy:70")),
                        HttpAuth::AUTH_PROXY, "MyRealm1",
-                       HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+                       HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2));
 
   // Check that the server credentials were cached correctly. The should be
-  // accessible with only kNetworkIsolationKey1.
+  // accessible with only kNetworkAnonymizationKey1.
   entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("http://myproxy:70")), HttpAuth::AUTH_SERVER,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo2, entry->credentials().username());
   ASSERT_EQ(kBar2, entry->credentials().password());
-  // Looking up the server entry with another NetworkIsolationKey should fail.
+  // Looking up the server entry with another NetworkAnonymizationKey should
+  // fail.
   EXPECT_FALSE(session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("http://myproxy:70")), HttpAuth::AUTH_SERVER,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2));
 
-  // Make another request with a different NetworkIsolationKey. It should use
-  // another socket, reuse the cached proxy credentials, but result in a server
-  // auth challenge.
+  // Make another request with a different NetworkAnonymizationKey. It should
+  // use another socket, reuse the cached proxy credentials, but result in a
+  // server auth challenge.
   request.network_isolation_key = kNetworkIsolationKey2;
+  request.network_anonymization_key = kNetworkAnonymizationKey2;
+
   trans =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
   rv = trans->Start(&request, callback.callback(), net_log_with_source);
@@ -4761,33 +4772,34 @@ TEST_F(HttpNetworkTransactionTest,
   // Check that the proxy credentials are still cached.
   entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("http://myproxy:70")), HttpAuth::AUTH_PROXY,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo, entry->credentials().username());
   ASSERT_EQ(kBar, entry->credentials().password());
   EXPECT_EQ(entry, session->http_auth_cache()->Lookup(
                        url::SchemeHostPort(GURL("http://myproxy:70")),
                        HttpAuth::AUTH_PROXY, "MyRealm1",
-                       HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+                       HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2));
 
   // Check that the correct server credentials are cached for each
-  // NetworkIsolationKey.
+  // NetworkAnonymizationKey.
   entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("http://myproxy:70")), HttpAuth::AUTH_SERVER,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo2, entry->credentials().username());
   ASSERT_EQ(kBar2, entry->credentials().password());
   entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("http://myproxy:70")), HttpAuth::AUTH_SERVER,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2);
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo3, entry->credentials().username());
   ASSERT_EQ(kBar3, entry->credentials().password());
 
-  // Make a request with the original NetworkIsolationKey. It should reuse the
-  // first socket, and the proxy credentials sent on the first socket.
+  // Make a request with the original NetworkAnonymizationKey. It should reuse
+  // the first socket, and the proxy credentials sent on the first socket.
   request.network_isolation_key = kNetworkIsolationKey1;
+  request.network_anonymization_key = kNetworkAnonymizationKey1;
   trans =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
   rv = trans->Start(&request, callback.callback(), net_log_with_source);
@@ -4806,10 +4818,12 @@ TEST_F(HttpNetworkTransactionTest,
 
 // Much like the test above, but uses tunnelled connections.
 TEST_F(HttpNetworkTransactionTest,
-       BasicAuthProxyMatchesServerAuthWithNetworkIsolationKeyWithTunnel) {
+       BasicAuthProxyMatchesServerAuthWithNetworkAnonymizationKeyWithTunnel) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
   const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
 
   // This test would need to use a single socket without this option enabled.
@@ -4826,7 +4840,8 @@ TEST_F(HttpNetworkTransactionTest,
   NetLogWithSource net_log_with_source =
       NetLogWithSource::Make(NetLogSourceType::NONE);
   session_deps_.net_log = NetLog::Get();
-  session_deps_.key_auth_cache_server_entries_by_network_isolation_key = true;
+  session_deps_.key_auth_cache_server_entries_by_network_anonymization_key =
+      true;
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
   MockWrite data_writes[] = {
@@ -4893,7 +4908,7 @@ TEST_F(HttpNetworkTransactionTest,
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl2);
 
   MockWrite data_writes2[] = {
-      // Initial request using a different NetworkIsolationKey includes the
+      // Initial request using a different NetworkAnonymizationKey includes the
       // cached proxy credentials when establishing a tunnel.
       MockWrite("CONNECT myproxy:70 HTTP/1.1\r\n"
                 "Host: myproxy:70\r\n"
@@ -4942,6 +4957,7 @@ TEST_F(HttpNetworkTransactionTest,
   request.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   request.network_isolation_key = kNetworkIsolationKey1;
+  request.network_anonymization_key = kNetworkAnonymizationKey1;
 
   auto trans =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
@@ -4977,36 +4993,39 @@ TEST_F(HttpNetworkTransactionTest,
   EXPECT_EQ("hello", response_data);
 
   // Check that the proxy credentials were cached correctly. The should be
-  // accessible with any NetworkIsolationKey.
+  // accessible with any NetworkAnonymizationKey.
   HttpAuthCache::Entry* entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(url::SchemeHostPort(GURL("https://myproxy:70"))),
       HttpAuth::AUTH_PROXY, "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
-      kNetworkIsolationKey1);
+      kNetworkAnonymizationKey1);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo, entry->credentials().username());
   ASSERT_EQ(kBar, entry->credentials().password());
   EXPECT_EQ(entry, session->http_auth_cache()->Lookup(
                        url::SchemeHostPort(GURL("https://myproxy:70")),
                        HttpAuth::AUTH_PROXY, "MyRealm1",
-                       HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+                       HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2));
 
   // Check that the server credentials were cached correctly. The should be
-  // accessible with only kNetworkIsolationKey1.
+  // accessible with only kNetworkAnonymizationKey1.
   entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("https://myproxy:70")), HttpAuth::AUTH_SERVER,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo2, entry->credentials().username());
   ASSERT_EQ(kBar2, entry->credentials().password());
-  // Looking up the server entry with another NetworkIsolationKey should fail.
+  // Looking up the server entry with another NetworkAnonymiationKey should
+  // fail.
   EXPECT_FALSE(session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("https://myproxy:70")), HttpAuth::AUTH_SERVER,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2));
 
-  // Make another request with a different NetworkIsolationKey. It should use
+  // Make another request with a different NetworkAnonymiationKey. It should use
   // another socket, reuse the cached proxy credentials, but result in a server
   // auth challenge.
   request.network_isolation_key = kNetworkIsolationKey2;
+  request.network_anonymization_key = kNetworkAnonymizationKey2;
+
   trans =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
   rv = trans->Start(&request, callback.callback(), net_log_with_source);
@@ -5034,33 +5053,35 @@ TEST_F(HttpNetworkTransactionTest,
   // Check that the proxy credentials are still cached.
   entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("https://myproxy:70")), HttpAuth::AUTH_PROXY,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo, entry->credentials().username());
   ASSERT_EQ(kBar, entry->credentials().password());
   EXPECT_EQ(entry, session->http_auth_cache()->Lookup(
                        url::SchemeHostPort(GURL("https://myproxy:70")),
                        HttpAuth::AUTH_PROXY, "MyRealm1",
-                       HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+                       HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2));
 
   // Check that the correct server credentials are cached for each
-  // NetworkIsolationKey.
+  // NetworkAnonymiationKey.
   entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("https://myproxy:70")), HttpAuth::AUTH_SERVER,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey1);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo2, entry->credentials().username());
   ASSERT_EQ(kBar2, entry->credentials().password());
   entry = session->http_auth_cache()->Lookup(
       url::SchemeHostPort(GURL("https://myproxy:70")), HttpAuth::AUTH_SERVER,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2);
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, kNetworkAnonymizationKey2);
   ASSERT_TRUE(entry);
   ASSERT_EQ(kFoo3, entry->credentials().username());
   ASSERT_EQ(kBar3, entry->credentials().password());
 
-  // Make a request with the original NetworkIsolationKey. It should reuse the
-  // first socket, and the proxy credentials sent on the first socket.
+  // Make a request with the original NetworkAnonymiationKey. It should reuse
+  // the first socket, and the proxy credentials sent on the first socket.
   request.network_isolation_key = kNetworkIsolationKey1;
+  request.network_anonymization_key = kNetworkAnonymizationKey1;
+
   trans =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
   rv = trans->Start(&request, callback.callback(), net_log_with_source);
@@ -5958,7 +5979,7 @@ class SameProxyWithDifferentSchemesProxyResolver : public ProxyResolver {
 
   // ProxyResolver implementation.
   int GetProxyForURL(const GURL& url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -6409,8 +6430,8 @@ TEST_F(HttpNetworkTransactionTest, HttpProxyLoadTimingWithPacTwoRequests) {
   session->CloseAllConnections(ERR_FAILED, "Very good reason");
 }
 
-// Make sure that NetworkIsolationKeys are passed down to the proxy layer.
-TEST_F(HttpNetworkTransactionTest, ProxyResolvedWithNetworkIsolationKey) {
+// Make sure that NetworkAnonymizationKeys are passed down to the proxy layer.
+TEST_F(HttpNetworkTransactionTest, ProxyResolvedWithNetworkAnonymizationKey) {
   const SchemefulSite kSite(GURL("https://foo.test/"));
 
   ProxyConfig proxy_config;
@@ -6691,7 +6712,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxySpdyGetWithSessionRace) {
   SpdySessionKey key(HostPortPair("proxy", 70), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kTrue, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session =
       CreateSpdySession(session.get(), key, net_log_with_source);
 
@@ -9382,7 +9403,7 @@ TEST_F(HttpNetworkTransactionTest, NTLMOverHttp2WithWebsockets) {
   EXPECT_THAT(initial_callback.GetResult(rv), IsOk());
 
   EXPECT_FALSE(session->http_server_properties()->RequiresHTTP11(
-      url::SchemeHostPort(kInitialUrl), NetworkIsolationKey()));
+      url::SchemeHostPort(kInitialUrl), NetworkAnonymizationKey()));
 
   HttpRequestInfo websocket_request_info;
   websocket_request_info.method = "GET";
@@ -9433,7 +9454,7 @@ TEST_F(HttpNetworkTransactionTest, NTLMOverHttp2WithWebsockets) {
   // part here is that the scheme that requires HTTP/1.1 should be HTTPS, not
   // WSS.
   EXPECT_TRUE(session->http_server_properties()->RequiresHTTP11(
-      url::SchemeHostPort(kInitialUrl), NetworkIsolationKey()));
+      url::SchemeHostPort(kInitialUrl), NetworkAnonymizationKey()));
 }
 
 #endif  // BUILDFLAG(ENABLE_WEBSOCKETS)
@@ -12694,7 +12715,7 @@ std::unique_ptr<HttpNetworkSession> SetupSessionForGroupIdTests(
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
       url::SchemeHostPort("https", "host.with.alternate", 443),
-      NetworkIsolationKey(), alternative_service, expiration);
+      NetworkAnonymizationKey(), alternative_service, expiration);
 
   return session;
 }
@@ -12724,7 +12745,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForDirectConnections) {
           "http://www.example.org/direct",
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpScheme, "www.example.org", 80),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           false,
       },
@@ -12733,7 +12754,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForDirectConnections) {
           "http://[2001:1418:13:1::25]/direct",
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpScheme, "[2001:1418:13:1::25]", 80),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           false,
       },
@@ -12744,7 +12765,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForDirectConnections) {
           "https://www.example.org/direct_ssl",
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpsScheme, "www.example.org", 443),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           true,
       },
@@ -12754,7 +12775,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForDirectConnections) {
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpsScheme, "[2001:1418:13:1::25]",
                                   443),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           true,
       },
@@ -12764,7 +12785,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForDirectConnections) {
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpsScheme, "host.with.alternate",
                                   443),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           true,
       },
@@ -12802,7 +12823,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForHTTPProxyConnections) {
           "http://www.example.org/http_proxy_normal",
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpScheme, "www.example.org", 80),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           false,
       },
@@ -12813,7 +12834,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForHTTPProxyConnections) {
           "https://www.example.org/http_connect_ssl",
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpsScheme, "www.example.org", 443),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           true,
       },
@@ -12824,7 +12845,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForHTTPProxyConnections) {
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpsScheme, "host.with.alternate",
                                   443),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           true,
       },
@@ -12862,7 +12883,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForSOCKSConnections) {
           "http://www.example.org/socks4_direct",
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpScheme, "www.example.org", 80),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           false,
       },
@@ -12871,7 +12892,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForSOCKSConnections) {
           "http://www.example.org/socks5_direct",
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpScheme, "www.example.org", 80),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           false,
       },
@@ -12882,7 +12903,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForSOCKSConnections) {
           "https://www.example.org/socks4_ssl",
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpsScheme, "www.example.org", 443),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           true,
       },
@@ -12891,7 +12912,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForSOCKSConnections) {
           "https://www.example.org/socks5_ssl",
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpsScheme, "www.example.org", 443),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           true,
       },
@@ -12902,7 +12923,7 @@ TEST_F(HttpNetworkTransactionTest, GroupIdForSOCKSConnections) {
           ClientSocketPool::GroupId(
               url::SchemeHostPort(url::kHttpsScheme, "host.with.alternate",
                                   443),
-              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+              PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
           true,
       },
@@ -13524,7 +13545,7 @@ TEST_F(HttpNetworkTransactionTest, IgnoreAltSvcWithInvalidCert) {
       session->http_server_properties();
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 
   EXPECT_THAT(callback.WaitForResult(), IsOk());
@@ -13542,7 +13563,7 @@ TEST_F(HttpNetworkTransactionTest, IgnoreAltSvcWithInvalidCert) {
 
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 }
 
@@ -13583,7 +13604,7 @@ TEST_F(HttpNetworkTransactionTest, HonorAlternativeServiceHeader) {
       session->http_server_properties();
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 
   EXPECT_THAT(callback.WaitForResult(), IsOk());
@@ -13600,8 +13621,8 @@ TEST_F(HttpNetworkTransactionTest, HonorAlternativeServiceHeader) {
   EXPECT_EQ("hello world", response_data);
 
   AlternativeServiceInfoVector alternative_service_info_vector =
-      http_server_properties->GetAlternativeServiceInfos(test_server,
-                                                         NetworkIsolationKey());
+      http_server_properties->GetAlternativeServiceInfos(
+          test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   AlternativeService alternative_service(kProtoHTTP2, "mail.example.org", 443);
   EXPECT_EQ(alternative_service,
@@ -13609,13 +13630,13 @@ TEST_F(HttpNetworkTransactionTest, HonorAlternativeServiceHeader) {
 }
 
 TEST_F(HttpNetworkTransactionTest,
-       HonorAlternativeServiceHeaderWithNetworkIsolationKey) {
+       HonorAlternativeServiceHeaderWithNetworkAnonymizationKey) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // SpdySessionKeys to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // SpdySessionKeys to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -13625,8 +13646,10 @@ TEST_F(HttpNetworkTransactionTest,
       std::make_unique<HttpServerProperties>();
 
   const SchemefulSite kSite1(GURL("https://foo.test/"));
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
   const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
 
   MockRead data_reads[] = {
@@ -13643,6 +13666,7 @@ TEST_F(HttpNetworkTransactionTest,
   request.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   request.network_isolation_key = kNetworkIsolationKey1;
+  request.network_anonymization_key = kNetworkAnonymizationKey1;
 
   StaticSocketDataProvider data(data_reads, base::span<MockWrite>());
   session_deps_.socket_factory->AddSocketDataProvider(&data);
@@ -13666,7 +13690,7 @@ TEST_F(HttpNetworkTransactionTest,
       session->http_server_properties();
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, kNetworkIsolationKey1)
+          ->GetAlternativeServiceInfos(test_server, kNetworkAnonymizationKey1)
           .empty());
 
   EXPECT_THAT(callback.WaitForResult(), IsOk());
@@ -13683,22 +13707,22 @@ TEST_F(HttpNetworkTransactionTest,
   EXPECT_EQ("hello world", response_data);
 
   AlternativeServiceInfoVector alternative_service_info_vector =
-      http_server_properties->GetAlternativeServiceInfos(test_server,
-                                                         kNetworkIsolationKey1);
+      http_server_properties->GetAlternativeServiceInfos(
+          test_server, kNetworkAnonymizationKey1);
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   AlternativeService alternative_service(kProtoHTTP2, "mail.example.org", 443);
   EXPECT_EQ(alternative_service,
             alternative_service_info_vector[0].alternative_service());
 
   // Make sure the alternative service information is only associated with
-  // kNetworkIsolationKey1.
+  // kNetworkAnonymizationKey1.
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, kNetworkIsolationKey2)
+          ->GetAlternativeServiceInfos(test_server, kNetworkAnonymizationKey2)
           .empty());
 }
 
@@ -13733,7 +13757,7 @@ TEST_F(HttpNetworkTransactionTest,
       session->http_server_properties();
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 
   int rv = trans.Start(&request, callback.callback(), NetLogWithSource());
@@ -13753,7 +13777,7 @@ TEST_F(HttpNetworkTransactionTest,
 
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 }
 
@@ -13793,7 +13817,7 @@ TEST_F(HttpNetworkTransactionTest,
                                          444);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      url::SchemeHostPort(request.url), NetworkIsolationKey(),
+      url::SchemeHostPort(request.url), NetworkAnonymizationKey(),
       alternative_service, expiration);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -13834,7 +13858,7 @@ TEST_F(HttpNetworkTransactionTest,
   AlternativeService alternative_service(kProtoHTTP2, "", 444);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      url::SchemeHostPort(request.url), NetworkIsolationKey(),
+      url::SchemeHostPort(request.url), NetworkAnonymizationKey(),
       alternative_service, expiration);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -13854,12 +13878,12 @@ TEST_F(HttpNetworkTransactionTest, ClearAlternativeServices) {
   AlternativeService alternative_service(kProtoQUIC, "", 80);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetQuicAlternativeService(
-      test_server, NetworkIsolationKey(), alternative_service, expiration,
+      test_server, NetworkAnonymizationKey(), alternative_service, expiration,
       session->context().quic_context->params()->supported_versions);
-  EXPECT_EQ(1u,
-            http_server_properties
-                ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
-                .size());
+  EXPECT_EQ(1u, http_server_properties
+                    ->GetAlternativeServiceInfos(test_server,
+                                                 NetworkAnonymizationKey())
+                    .size());
 
   // Send a clear header.
   MockRead data_reads[] = {
@@ -13904,7 +13928,7 @@ TEST_F(HttpNetworkTransactionTest, ClearAlternativeServices) {
 
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 }
 
@@ -13945,7 +13969,7 @@ TEST_F(HttpNetworkTransactionTest, HonorMultipleAlternativeServiceHeaders) {
       session->http_server_properties();
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 
   EXPECT_THAT(callback.WaitForResult(), IsOk());
@@ -13962,8 +13986,8 @@ TEST_F(HttpNetworkTransactionTest, HonorMultipleAlternativeServiceHeaders) {
   EXPECT_EQ("hello world", response_data);
 
   AlternativeServiceInfoVector alternative_service_info_vector =
-      http_server_properties->GetAlternativeServiceInfos(test_server,
-                                                         NetworkIsolationKey());
+      http_server_properties->GetAlternativeServiceInfos(
+          test_server, NetworkAnonymizationKey());
   ASSERT_EQ(2u, alternative_service_info_vector.size());
 
   AlternativeService alternative_service(kProtoHTTP2, "www.example.com", 443);
@@ -14013,11 +14037,11 @@ TEST_F(HttpNetworkTransactionTest, IdentifyQuicBroken) {
   AlternativeService alternative_service(kProtoQUIC, alternative);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       DefaultSupportedQuicVersions());
   // Mark the QUIC alternative service as broken.
-  http_server_properties->MarkAlternativeServiceBroken(alternative_service,
-                                                       NetworkIsolationKey());
+  http_server_properties->MarkAlternativeServiceBroken(
+      alternative_service, NetworkAnonymizationKey());
 
   HttpRequestInfo request;
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -14088,14 +14112,15 @@ TEST_F(HttpNetworkTransactionTest, IdentifyQuicNotBroken) {
           session->context().quic_context->params()->supported_versions));
 
   http_server_properties->SetAlternativeServices(
-      server, NetworkIsolationKey(), alternative_service_info_vector);
+      server, NetworkAnonymizationKey(), alternative_service_info_vector);
 
   // Mark one of the QUIC alternative service as broken.
-  http_server_properties->MarkAlternativeServiceBroken(alternative_service1,
-                                                       NetworkIsolationKey());
-  EXPECT_EQ(2u, http_server_properties
-                    ->GetAlternativeServiceInfos(server, NetworkIsolationKey())
-                    .size());
+  http_server_properties->MarkAlternativeServiceBroken(
+      alternative_service1, NetworkAnonymizationKey());
+  EXPECT_EQ(2u,
+            http_server_properties
+                ->GetAlternativeServiceInfos(server, NetworkAnonymizationKey())
+                .size());
 
   HttpRequestInfo request;
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -14148,7 +14173,7 @@ TEST_F(HttpNetworkTransactionTest, MarkBrokenAlternateProtocolAndFallback) {
                                                666);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration);
+      server, NetworkAnonymizationKey(), alternative_service, expiration);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
   TestCompletionCallback callback;
@@ -14167,13 +14192,13 @@ TEST_F(HttpNetworkTransactionTest, MarkBrokenAlternateProtocolAndFallback) {
   EXPECT_EQ("hello world", response_data);
 
   const AlternativeServiceInfoVector alternative_service_info_vector =
-      http_server_properties->GetAlternativeServiceInfos(server,
-                                                         NetworkIsolationKey());
+      http_server_properties->GetAlternativeServiceInfos(
+          server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_TRUE(http_server_properties->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 }
 
 // Ensure that we are not allowed to redirect traffic via an alternate protocol
@@ -14213,8 +14238,8 @@ TEST_F(HttpNetworkTransactionTest, AlternateProtocolPortRestrictedBlocked) {
                                          kUnrestrictedAlternatePort);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      url::SchemeHostPort(restricted_port_request.url), NetworkIsolationKey(),
-      alternative_service, expiration);
+      url::SchemeHostPort(restricted_port_request.url),
+      NetworkAnonymizationKey(), alternative_service, expiration);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
   TestCompletionCallback callback;
@@ -14264,8 +14289,8 @@ TEST_F(HttpNetworkTransactionTest, AlternateProtocolPortRestrictedPermitted) {
                                          kUnrestrictedAlternatePort);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      url::SchemeHostPort(restricted_port_request.url), NetworkIsolationKey(),
-      alternative_service, expiration);
+      url::SchemeHostPort(restricted_port_request.url),
+      NetworkAnonymizationKey(), alternative_service, expiration);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
   TestCompletionCallback callback;
@@ -14314,8 +14339,8 @@ TEST_F(HttpNetworkTransactionTest, AlternateProtocolPortRestrictedAllowed) {
                                          kRestrictedAlternatePort);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      url::SchemeHostPort(restricted_port_request.url), NetworkIsolationKey(),
-      alternative_service, expiration);
+      url::SchemeHostPort(restricted_port_request.url),
+      NetworkAnonymizationKey(), alternative_service, expiration);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
   TestCompletionCallback callback;
@@ -14364,8 +14389,8 @@ TEST_F(HttpNetworkTransactionTest, AlternateProtocolPortUnrestrictedAllowed1) {
                                          kRestrictedAlternatePort);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      url::SchemeHostPort(unrestricted_port_request.url), NetworkIsolationKey(),
-      alternative_service, expiration);
+      url::SchemeHostPort(unrestricted_port_request.url),
+      NetworkAnonymizationKey(), alternative_service, expiration);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
   TestCompletionCallback callback;
@@ -14414,8 +14439,8 @@ TEST_F(HttpNetworkTransactionTest, AlternateProtocolPortUnrestrictedAllowed2) {
                                          kUnrestrictedAlternatePort);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      url::SchemeHostPort(unrestricted_port_request.url), NetworkIsolationKey(),
-      alternative_service, expiration);
+      url::SchemeHostPort(unrestricted_port_request.url),
+      NetworkAnonymizationKey(), alternative_service, expiration);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
   TestCompletionCallback callback;
@@ -14456,7 +14481,7 @@ TEST_F(HttpNetworkTransactionTest, AlternateProtocolUnsafeBlocked) {
                                          kUnsafePort);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      url::SchemeHostPort(request.url), NetworkIsolationKey(),
+      url::SchemeHostPort(request.url), NetworkAnonymizationKey(),
       alternative_service, expiration);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -14785,7 +14810,7 @@ TEST_F(HttpNetworkTransactionTest, UseOriginNotAlternativeForProxy) {
   AlternativeService alternative_service(kProtoHTTP2, alternative);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration);
+      server, NetworkAnonymizationKey(), alternative_service, expiration);
 
   // Non-alternative job should hang.
   MockConnect never_finishing_connect(SYNCHRONOUS, ERR_IO_PENDING);
@@ -15022,7 +15047,7 @@ TEST_F(HttpNetworkTransactionTest,
   SpdySessionKey key(host_port_pair, ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session =
       CreateSpdySession(session.get(), key, NetLogWithSource());
 
@@ -15854,9 +15879,9 @@ TEST_F(HttpNetworkTransactionTest, GenerateAuthToken) {
         url::SchemeHostPort scheme_host_port(GURL(test_config.proxy_url));
         HttpAuthChallengeTokenizer tokenizer(auth_challenge.begin(),
                                              auth_challenge.end());
-        auth_handler->InitFromChallenge(&tokenizer, HttpAuth::AUTH_PROXY,
-                                        empty_ssl_info, NetworkIsolationKey(),
-                                        scheme_host_port, NetLogWithSource());
+        auth_handler->InitFromChallenge(
+            &tokenizer, HttpAuth::AUTH_PROXY, empty_ssl_info,
+            NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource());
         auth_handler->SetGenerateExpectation(
             test_config.proxy_auth_timing == AUTH_ASYNC,
             n == 0 ? test_config.first_generate_proxy_token_rv : OK);
@@ -15871,7 +15896,7 @@ TEST_F(HttpNetworkTransactionTest, GenerateAuthToken) {
       HttpAuthChallengeTokenizer tokenizer(auth_challenge.begin(),
                                            auth_challenge.end());
       auth_handler->InitFromChallenge(&tokenizer, HttpAuth::AUTH_SERVER,
-                                      empty_ssl_info, NetworkIsolationKey(),
+                                      empty_ssl_info, NetworkAnonymizationKey(),
                                       scheme_host_port, NetLogWithSource());
       auth_handler->SetGenerateExpectation(
           test_config.server_auth_timing == AUTH_ASYNC,
@@ -15884,9 +15909,9 @@ TEST_F(HttpNetworkTransactionTest, GenerateAuthToken) {
       // transaction using the same auth scheme.
       std::unique_ptr<HttpAuthHandlerMock> second_handler =
           std::make_unique<HttpAuthHandlerMock>();
-      second_handler->InitFromChallenge(&tokenizer, HttpAuth::AUTH_SERVER,
-                                        empty_ssl_info, NetworkIsolationKey(),
-                                        scheme_host_port, NetLogWithSource());
+      second_handler->InitFromChallenge(
+          &tokenizer, HttpAuth::AUTH_SERVER, empty_ssl_info,
+          NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource());
       second_handler->SetGenerateExpectation(true, OK);
       auth_factory_ptr->AddMockHandler(std::move(second_handler),
                                        HttpAuth::AUTH_SERVER);
@@ -16002,7 +16027,7 @@ TEST_F(HttpNetworkTransactionTest, MultiRoundAuth) {
                                        auth_challenge.end());
   SSLInfo empty_ssl_info;
   auth_handler->InitFromChallenge(&tokenizer, HttpAuth::AUTH_SERVER,
-                                  empty_ssl_info, NetworkIsolationKey(),
+                                  empty_ssl_info, NetworkAnonymizationKey(),
                                   url::SchemeHostPort(url), NetLogWithSource());
   auth_factory_ptr->AddMockHandler(std::move(auth_handler),
                                    HttpAuth::AUTH_SERVER);
@@ -16089,7 +16114,7 @@ TEST_F(HttpNetworkTransactionTest, MultiRoundAuth) {
 
   const ClientSocketPool::GroupId kSocketGroup(
       url::SchemeHostPort(url::kHttpScheme, "www.example.com", 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
 
   // First round of authentication.
@@ -16705,7 +16730,7 @@ TEST_F(HttpNetworkTransactionTest, PreconnectWithExistingSpdySession) {
   SpdySessionKey key(host_port_pair, ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session =
       CreateSpdySession(session.get(), key, NetLogWithSource());
 
@@ -17276,7 +17301,7 @@ TEST_F(HttpNetworkTransactionTest, UseIPConnectionPooling) {
 
   // Preload mail.example.com into HostCache.
   rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.com", 443), NetworkIsolationKey(),
+      HostPortPair("mail.example.com", 443), NetworkAnonymizationKey(),
       absl::nullopt);
   EXPECT_THAT(rv, IsOk());
 
@@ -17451,7 +17476,7 @@ TEST_F(HttpNetworkTransactionTest, RetryWithoutConnectionPooling) {
 
   // Preload mail.example.org into HostCache.
   int rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.org", 443), NetworkIsolationKey(),
+      HostPortPair("mail.example.org", 443), NetworkAnonymizationKey(),
       absl::nullopt);
   EXPECT_THAT(rv, IsOk());
 
@@ -17578,7 +17603,7 @@ TEST_F(HttpNetworkTransactionTest, ReturnHTTP421OnRetry) {
 
   // Preload mail.example.org into HostCache.
   int rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.org", 443), NetworkIsolationKey(),
+      HostPortPair("mail.example.org", 443), NetworkAnonymizationKey(),
       absl::nullopt);
   EXPECT_THAT(rv, IsOk());
 
@@ -17853,7 +17878,7 @@ TEST_F(HttpNetworkTransactionTest,
 
   // Preload cache entries into HostCache.
   rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.com", 443), NetworkIsolationKey(),
+      HostPortPair("mail.example.com", 443), NetworkAnonymizationKey(),
       absl::nullopt);
   EXPECT_THAT(rv, IsOk());
 
@@ -17988,7 +18013,7 @@ TEST_F(HttpNetworkTransactionTest, AlternativeServiceNotOnHttp11) {
   AlternativeService alternative_service(kProtoHTTP2, alternative);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration);
+      server, NetworkAnonymizationKey(), alternative_service, expiration);
 
   HttpRequestInfo request;
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -18056,7 +18081,7 @@ TEST_F(HttpNetworkTransactionTest, FailedAlternativeServiceIsNotUserVisible) {
   AlternativeService alternative_service(kProtoHTTP2, alternative);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration);
+      server, NetworkAnonymizationKey(), alternative_service, expiration);
 
   HttpNetworkTransaction trans1(DEFAULT_PRIORITY, session.get());
   HttpRequestInfo request1;
@@ -18083,7 +18108,7 @@ TEST_F(HttpNetworkTransactionTest, FailedAlternativeServiceIsNotUserVisible) {
   // Alternative should be marked as broken, because HTTP/1.1 is not sufficient
   // for alternative service.
   EXPECT_TRUE(http_server_properties->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   // Since |alternative_service| is broken, a second transaction to server
   // should not start an alternate Job.  It should pool to existing connection
@@ -18166,7 +18191,7 @@ TEST_F(HttpNetworkTransactionTest, AlternativeServiceShouldNotPoolToHttp11) {
   AlternativeService alternative_service(kProtoHTTP2, alternative);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties->SetHttp2AlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration);
+      server, NetworkAnonymizationKey(), alternative_service, expiration);
 
   // First transaction to alternative to open an HTTP/1.1 socket.
   HttpRequestInfo request1;
@@ -18627,7 +18652,7 @@ TEST_F(HttpNetworkTransactionTest, CloseIdleSpdySessionToOpenNewOne) {
   SpdySessionKey spdy_session_key_a(
       host_port_pair_a, ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_FALSE(
       HasSpdySession(session->spdy_session_pool(), spdy_session_key_a));
 
@@ -18663,7 +18688,7 @@ TEST_F(HttpNetworkTransactionTest, CloseIdleSpdySessionToOpenNewOne) {
   SpdySessionKey spdy_session_key_b(
       host_port_pair_b, ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_FALSE(
       HasSpdySession(session->spdy_session_pool(), spdy_session_key_b));
   HttpRequestInfo request2;
@@ -18696,7 +18721,7 @@ TEST_F(HttpNetworkTransactionTest, CloseIdleSpdySessionToOpenNewOne) {
   SpdySessionKey spdy_session_key_a1(
       host_port_pair_a1, ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_FALSE(
       HasSpdySession(session->spdy_session_pool(), spdy_session_key_a1));
   HttpRequestInfo request3;
@@ -19779,7 +19804,7 @@ TEST_F(HttpNetworkTransactionTest, ProxyHeadersNotSentOverWsTunnel) {
 
   session->http_auth_cache()->Add(
       url::SchemeHostPort(GURL("http://myproxy:70/")), HttpAuth::AUTH_PROXY,
-      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+      "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
       "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar), "/");
 
   TestWebSocketHandshakeStreamCreateHelper websocket_stream_create_helper;
@@ -20145,7 +20170,7 @@ class HttpNetworkTransactionReportingTest
       public ::testing::WithParamInterface<bool> {
  protected:
   HttpNetworkTransactionReportingTest() {
-    std::vector<base::Feature> required_features = {
+    std::vector<base::test::FeatureRef> required_features = {
         features::kPartitionNelAndReportingByNetworkIsolationKey};
     if (UseDocumentReporting()) {
       required_features.push_back(features::kDocumentReporting);
@@ -20180,7 +20205,7 @@ class HttpNetworkTransactionReportingTest
     request.traffic_annotation =
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
     request.network_isolation_key = kNetworkIsolationKey;
-
+    request.network_anonymization_key = kNetworkAnonymizationKey;
     MockWrite data_writes[] = {
         MockWrite("GET / HTTP/1.1\r\n"
                   "Host: www.example.org\r\n"
@@ -20247,7 +20272,7 @@ TEST_P(HttpNetworkTransactionReportingTest, ProcessReportToHeaderHttps) {
   const ReportingEndpoint endpoint =
       reporting_context()->cache()->GetEndpointForTesting(
           ReportingEndpointGroupKey(
-              kNetworkIsolationKey,
+              kNetworkAnonymizationKey,
               url::Origin::Create(GURL("https://www.example.org/")), "nel"),
           GURL("https://www.example.org/upload/"));
   EXPECT_TRUE(endpoint);
@@ -20294,6 +20319,7 @@ class HttpNetworkTransactionNetworkErrorLoggingTest
     request_.method = "GET";
     request_.url = GURL(url_);
     request_.network_isolation_key = kNetworkIsolationKey;
+    request_.network_anonymization_key = kNetworkAnonymizationKey;
     request_.extra_headers = extra_headers_;
     request_.reporting_upload_depth = reporting_upload_depth_;
     request_.traffic_annotation =
@@ -20359,7 +20385,7 @@ class HttpNetworkTransactionNetworkErrorLoggingTest
     const NetworkErrorLoggingService::RequestDetails& error =
         network_error_logging_service()->errors()[index];
     EXPECT_EQ(url_, error.uri);
-    EXPECT_EQ(kNetworkIsolationKey, error.network_isolation_key);
+    EXPECT_EQ(kNetworkAnonymizationKey, error.network_anonymization_key);
     EXPECT_EQ(kReferrer, error.referrer);
     EXPECT_EQ(kUserAgent, error.user_agent);
     EXPECT_EQ(server_ip, error.server_ip);
@@ -20464,7 +20490,7 @@ TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest, ProcessNelHeaderHttps) {
   RequestPolicy();
   ASSERT_EQ(1u, network_error_logging_service()->headers().size());
   const auto& header = network_error_logging_service()->headers()[0];
-  EXPECT_EQ(kNetworkIsolationKey, header.network_isolation_key);
+  EXPECT_EQ(kNetworkAnonymizationKey, header.network_anonymization_key);
   EXPECT_EQ(url::Origin::Create(GURL("https://www.example.org/")),
             header.origin);
   EXPECT_EQ(IPAddress::IPv4Localhost(), header.received_ip_address);
@@ -21109,7 +21135,7 @@ TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest,
 
   // Preload mail.example.org into HostCache.
   int rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.org", 443), NetworkIsolationKey(),
+      HostPortPair("mail.example.org", 443), NetworkAnonymizationKey(),
       absl::nullopt);
   EXPECT_THAT(rv, IsOk());
 
@@ -22655,12 +22681,14 @@ TEST_F(HttpNetworkTransactionTest, ClientCertSocketReuse) {
 }
 
 // Test for kPartitionConnectionsByNetworkIsolationKey. Runs 3 requests in
-// sequence with two different NetworkIsolationKeys, the first and last have the
-// same key, the second a different one. Checks that the requests are
+// sequence with two different NetworkAnonymizationKeys, the first and last have
+// the same key, the second a different one. Checks that the requests are
 // partitioned across sockets as expected.
 TEST_F(HttpNetworkTransactionTest, NetworkIsolation) {
   const SchemefulSite kSite1(GURL("http://origin1/"));
   const SchemefulSite kSite2(GURL("http://origin2/"));
+  NetworkAnonymizationKey network_anonymization_key1(kSite1, kSite1);
+  NetworkAnonymizationKey network_anonymization_key2(kSite2, kSite2);
   NetworkIsolationKey network_isolation_key1(kSite1, kSite1);
   NetworkIsolationKey network_isolation_key2(kSite2, kSite2);
 
@@ -22765,6 +22793,7 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolation) {
     request1.traffic_annotation =
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
     request1.network_isolation_key = network_isolation_key1;
+    request1.network_anonymization_key = network_anonymization_key1;
     auto trans1 = std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY,
                                                            session.get());
     int rv = trans1->Start(&request1, callback.callback(), NetLogWithSource());
@@ -22780,6 +22809,7 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolation) {
     request2.traffic_annotation =
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
     request2.network_isolation_key = network_isolation_key2;
+    request2.network_anonymization_key = network_anonymization_key2;
     auto trans2 = std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY,
                                                            session.get());
     rv = trans2->Start(&request2, callback.callback(), NetLogWithSource());
@@ -22795,6 +22825,7 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolation) {
     request3.traffic_annotation =
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
     request3.network_isolation_key = network_isolation_key1;
+    request3.network_anonymization_key = network_anonymization_key1;
     auto trans3 = std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY,
                                                            session.get());
     rv = trans3->Start(&request3, callback.callback(), NetLogWithSource());
@@ -22809,6 +22840,8 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolation) {
 TEST_F(HttpNetworkTransactionTest, NetworkIsolationH2) {
   const SchemefulSite kSite1(GURL("http://origin1/"));
   const SchemefulSite kSite2(GURL("http://origin2/"));
+  NetworkAnonymizationKey network_anonymization_key1(kSite1, kSite1);
+  NetworkAnonymizationKey network_anonymization_key2(kSite2, kSite2);
   NetworkIsolationKey network_isolation_key1(kSite1, kSite1);
   NetworkIsolationKey network_isolation_key2(kSite2, kSite2);
 
@@ -22979,6 +23012,8 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationH2) {
       request1.traffic_annotation =
           net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
       request1.network_isolation_key = network_isolation_key1;
+      request1.network_anonymization_key = network_anonymization_key1;
+
       auto trans1 =
           std::make_unique<HttpNetworkTransaction>(LOWEST, session.get());
       int rv =
@@ -22995,6 +23030,7 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationH2) {
       request2.traffic_annotation =
           net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
       request2.network_isolation_key = network_isolation_key2;
+      request2.network_anonymization_key = network_anonymization_key2;
       auto trans2 =
           std::make_unique<HttpNetworkTransaction>(LOWEST, session.get());
       rv = trans2->Start(&request2, callback.callback(), NetLogWithSource());
@@ -23010,6 +23046,8 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationH2) {
       request3.traffic_annotation =
           net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
       request3.network_isolation_key = network_isolation_key1;
+      request3.network_anonymization_key = network_anonymization_key1;
+
       auto trans3 =
           std::make_unique<HttpNetworkTransaction>(LOWEST, session.get());
       rv = trans3->Start(&request3, callback.callback(), NetLogWithSource());
@@ -23022,9 +23060,9 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationH2) {
   }
 }
 
-// Preconnect two sockets with different NetworkIsolationKeys when
-// features::kPartitionConnectionsByNetworkIsolationKey is enabled. Then issue a
-// request and make sure the correct socket is used. Loops three times,
+// Preconnect two sockets with different NetworkAnonymizationKeys when
+// features::kPartitionConnectionsByNetworkIsolationKey is enabled. Then
+// issue a request and make sure the correct socket is used. Loops three times,
 // expecting to use the first preconnect, second preconnect, and neither.
 TEST_F(HttpNetworkTransactionTest, NetworkIsolationPreconnect) {
   base::test::ScopedFeatureList feature_list;
@@ -23040,10 +23078,12 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationPreconnect) {
   const SchemefulSite kSite1(GURL("http://origin1/"));
   const SchemefulSite kSite2(GURL("http://origin2/"));
   const SchemefulSite kSite3(GURL("http://origin3/"));
+  NetworkAnonymizationKey preconnect1_anonymization_key(kSite1, kSite1);
+  NetworkAnonymizationKey preconnect2_anonymization_key(kSite2, kSite2);
+  NetworkAnonymizationKey not_preconnected_anonymization_key(kSite3, kSite3);
   NetworkIsolationKey preconnect1_isolation_key(kSite1, kSite1);
   NetworkIsolationKey preconnect2_isolation_key(kSite2, kSite2);
   NetworkIsolationKey not_preconnected_isolation_key(kSite3, kSite3);
-
   // Test that only preconnects with
   for (TestCase test_case :
        {TestCase::kUseFirstPreconnect, TestCase::kUseSecondPreconnect,
@@ -23079,6 +23119,7 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationPreconnect) {
                                          base::span<const MockRead>(),
                                          base::span<const MockWrite>());
 
+    NetworkAnonymizationKey network_anonymization_key_for_request;
     NetworkIsolationKey network_isolation_key_for_request;
 
     switch (test_case) {
@@ -23086,17 +23127,21 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationPreconnect) {
         session_deps.socket_factory->AddSocketDataProvider(&used_socket_data);
         session_deps.socket_factory->AddSocketDataProvider(&preconnect2_data);
         network_isolation_key_for_request = preconnect1_isolation_key;
+        network_anonymization_key_for_request = preconnect1_anonymization_key;
         break;
       case TestCase::kUseSecondPreconnect:
         session_deps.socket_factory->AddSocketDataProvider(&preconnect1_data);
         session_deps.socket_factory->AddSocketDataProvider(&used_socket_data);
         network_isolation_key_for_request = preconnect2_isolation_key;
+        network_anonymization_key_for_request = preconnect2_anonymization_key;
         break;
       case TestCase::kDontUsePreconnect:
         session_deps.socket_factory->AddSocketDataProvider(&preconnect1_data);
         session_deps.socket_factory->AddSocketDataProvider(&preconnect2_data);
         session_deps.socket_factory->AddSocketDataProvider(&used_socket_data);
         network_isolation_key_for_request = not_preconnected_isolation_key;
+        network_anonymization_key_for_request =
+            not_preconnected_anonymization_key;
         break;
     }
 
@@ -23110,12 +23155,15 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationPreconnect) {
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
     request.network_isolation_key = preconnect1_isolation_key;
+    request.network_anonymization_key = preconnect1_anonymization_key;
     session->http_stream_factory()->PreconnectStreams(1, request);
 
     request.network_isolation_key = preconnect2_isolation_key;
+    request.network_anonymization_key = preconnect2_anonymization_key;
     session->http_stream_factory()->PreconnectStreams(1, request);
 
     request.network_isolation_key = network_isolation_key_for_request;
+    request.network_anonymization_key = network_anonymization_key_for_request;
 
     EXPECT_EQ(2, GetIdleSocketCountInTransportSocketPool(session.get()));
 
@@ -23148,8 +23196,8 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationPreconnect) {
   }
 }
 
-// Test that the NetworkIsolationKey is passed down to SSLConfig so the session
-// cache is isolated.
+// Test that the NetworkAnonymizationKey is passed down to SSLConfig so the
+// session cache is isolated.
 TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSL) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
@@ -23159,8 +23207,10 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSL) {
 
   const SchemefulSite kSite1(GURL("http://origin1/"));
   const SchemefulSite kSite2(GURL("http://origin2/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
+  const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
   // The server always sends Connection: close, so each request goes over a
@@ -23208,13 +23258,13 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSL) {
 
   SSLSocketDataProvider ssl_data1(ASYNC, OK);
   ssl_data1.expected_host_and_port = HostPortPair("foo.test", 443);
-  ssl_data1.expected_network_isolation_key = kNetworkIsolationKey1;
+  ssl_data1.expected_network_anonymization_key = kNetworkAnonymizationKey1;
   SSLSocketDataProvider ssl_data2(ASYNC, OK);
   ssl_data2.expected_host_and_port = HostPortPair("foo.test", 443);
-  ssl_data2.expected_network_isolation_key = kNetworkIsolationKey2;
+  ssl_data2.expected_network_anonymization_key = kNetworkAnonymizationKey2;
   SSLSocketDataProvider ssl_data3(ASYNC, OK);
   ssl_data3.expected_host_and_port = HostPortPair("foo.test", 443);
-  ssl_data3.expected_network_isolation_key = kNetworkIsolationKey1;
+  ssl_data3.expected_network_anonymization_key = kNetworkAnonymizationKey1;
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_data1);
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_data2);
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_data3);
@@ -23226,6 +23276,8 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSL) {
   request1.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   request1.network_isolation_key = kNetworkIsolationKey1;
+  request1.network_anonymization_key = kNetworkAnonymizationKey1;
+
   auto trans1 =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
   int rv = trans1->Start(&request1, callback.callback(), NetLogWithSource());
@@ -23241,6 +23293,7 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSL) {
   request2.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   request2.network_isolation_key = kNetworkIsolationKey2;
+  request2.network_anonymization_key = kNetworkAnonymizationKey2;
   auto trans2 =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
   rv = trans2->Start(&request2, callback.callback(), NetLogWithSource());
@@ -23256,6 +23309,7 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSL) {
   request3.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   request3.network_isolation_key = kNetworkIsolationKey1;
+  request3.network_anonymization_key = kNetworkAnonymizationKey1;
   auto trans3 =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
   rv = trans3->Start(&request3, callback.callback(), NetLogWithSource());
@@ -23266,8 +23320,8 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSL) {
   trans3.reset();
 }
 
-// Test that the NetworkIsolationKey is passed down to SSLConfig so the session
-// cache is isolated, for both origins and proxies.
+// Test that the NetworkAnonymizationKey is passed down to SSLConfig so the
+// session cache is isolated, for both origins and proxies.
 TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSLProxy) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
@@ -23281,8 +23335,10 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSLProxy) {
 
   const SchemefulSite kSite1(GURL("http://origin1/"));
   const SchemefulSite kSite2(GURL("http://origin2/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
+  const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
   // Make both a tunneled and non-tunneled request.
@@ -23292,6 +23348,7 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSLProxy) {
   request1.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   request1.network_isolation_key = kNetworkIsolationKey1;
+  request1.network_anonymization_key = kNetworkAnonymizationKey1;
 
   HttpRequestInfo request2;
   request2.method = "GET";
@@ -23299,6 +23356,7 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSLProxy) {
   request2.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   request2.network_isolation_key = kNetworkIsolationKey2;
+  request2.network_anonymization_key = kNetworkAnonymizationKey2;
 
   const MockWrite kWrites1[] = {
       MockWrite("CONNECT foo.test:443 HTTP/1.1\r\n"
@@ -23334,13 +23392,13 @@ TEST_F(HttpNetworkTransactionTest, NetworkIsolationSSLProxy) {
 
   SSLSocketDataProvider ssl_proxy1(ASYNC, OK);
   ssl_proxy1.expected_host_and_port = HostPortPair("myproxy", 70);
-  ssl_proxy1.expected_network_isolation_key = kNetworkIsolationKey1;
+  ssl_proxy1.expected_network_anonymization_key = kNetworkAnonymizationKey1;
   SSLSocketDataProvider ssl_origin1(ASYNC, OK);
   ssl_origin1.expected_host_and_port = HostPortPair("foo.test", 443);
-  ssl_origin1.expected_network_isolation_key = kNetworkIsolationKey1;
+  ssl_origin1.expected_network_anonymization_key = kNetworkAnonymizationKey1;
   SSLSocketDataProvider ssl_proxy2(ASYNC, OK);
   ssl_proxy2.expected_host_and_port = HostPortPair("myproxy", 70);
-  ssl_proxy2.expected_network_isolation_key = kNetworkIsolationKey2;
+  ssl_proxy2.expected_network_anonymization_key = kNetworkAnonymizationKey2;
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_proxy1);
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_origin1);
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl_proxy2);
diff --git a/chromium/net/http/http_proxy_client_socket.cc b/chromium/net/http/http_proxy_client_socket.cc
index 59e203f374a..91757dd1a38 100644
--- a/chromium/net/http/http_proxy_client_socket.cc
+++ b/chromium/net/http/http_proxy_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_proxy_client_socket.h b/chromium/net/http/http_proxy_client_socket.h
index 4ac6588f139..0a85c0f71fe 100644
--- a/chromium/net/http/http_proxy_client_socket.h
+++ b/chromium/net/http/http_proxy_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_proxy_client_socket_fuzzer.cc b/chromium/net/http/http_proxy_client_socket_fuzzer.cc
index fc3af857cd8..10db3136b97 100644
--- a/chromium/net/http/http_proxy_client_socket_fuzzer.cc
+++ b/chromium/net/http/http_proxy_client_socket_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,7 +17,7 @@
 #include "net/base/address_list.h"
 #include "net/base/auth.h"
 #include "net/base/host_port_pair.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/http/http_auth_cache.h"
 #include "net/http/http_auth_handler_basic.h"
@@ -50,7 +50,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Create auth handler supporting basic and digest schemes.  Other schemes can
   // make system calls, which doesn't seem like a great idea.
   net::HttpAuthCache auth_cache(
-      false /* key_server_entries_by_network_isolation_key */);
+      false /* key_server_entries_by_network_anonymization_key */);
   net::HttpAuthPreferences http_auth_preferences;
   http_auth_preferences.set_allowed_schemes(
       std::set<std::string>{net::kBasicAuthScheme, net::kDigestAuthScheme});
@@ -60,7 +60,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   scoped_refptr<net::HttpAuthController> auth_controller(
       base::MakeRefCounted<net::HttpAuthController>(
           net::HttpAuth::AUTH_PROXY, GURL("http://proxy:42/"),
-          net::NetworkIsolationKey(), &auth_cache, &auth_handler_factory,
+          net::NetworkAnonymizationKey(), &auth_cache, &auth_handler_factory,
           nullptr));
   // Determine if the HttpProxyClientSocket should be told the underlying socket
   // is HTTPS.
diff --git a/chromium/net/http/http_proxy_client_socket_unittest.cc b/chromium/net/http/http_proxy_client_socket_unittest.cc
index 7fb2455eea4..bb0aeca523f 100644
--- a/chromium/net/http/http_proxy_client_socket_unittest.cc
+++ b/chromium/net/http/http_proxy_client_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_proxy_connect_job.cc b/chromium/net/http/http_proxy_connect_job.cc
index 47bcec0954a..c6a60d5a30f 100644
--- a/chromium/net/http/http_proxy_connect_job.cc
+++ b/chromium/net/http/http_proxy_connect_job.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -130,13 +130,13 @@ HttpProxySocketParams::HttpProxySocketParams(
     const HostPortPair& endpoint,
     bool tunnel,
     const NetworkTrafficAnnotationTag traffic_annotation,
-    const NetworkIsolationKey& network_isolation_key)
+    const NetworkAnonymizationKey& network_anonymization_key)
     : transport_params_(std::move(transport_params)),
       ssl_params_(std::move(ssl_params)),
       is_quic_(is_quic),
       endpoint_(endpoint),
       tunnel_(tunnel),
-      network_isolation_key_(network_isolation_key),
+      network_anonymization_key_(network_anonymization_key),
       traffic_annotation_(traffic_annotation) {
   // This is either a connection to an HTTP proxy or an SSL/QUIC proxy.
   DCHECK(transport_params_ || ssl_params_);
@@ -194,7 +194,7 @@ HttpProxyConnectJob::HttpProxyConnectJob(
                     HttpAuth::AUTH_PROXY,
                     GURL((params_->ssl_params() ? "https://" : "http://") +
                          GetDestination().ToString()),
-                    params_->network_isolation_key(),
+                    params_->network_anonymization_key(),
                     common_connect_job_params->http_auth_cache,
                     common_connect_job_params->http_auth_handler_factory,
                     host_resolver())
@@ -655,7 +655,7 @@ int HttpProxyConnectJob::DoQuicProxyCreateSession() {
       url::SchemeHostPort(url::kHttpsScheme, proxy_server.host(),
                           proxy_server.port()),
       quic_version, ssl_params->privacy_mode(), kH2QuicTunnelPriority,
-      socket_tag(), params_->network_isolation_key(),
+      socket_tag(), params_->network_anonymization_key(),
       ssl_params->GetDirectConnectionParams()->secure_dns_policy(),
       /*use_dns_aliases=*/false, /*require_dns_https_alpn=*/false,
       ssl_params->ssl_config().GetCertVerifyFlags(),
@@ -814,7 +814,7 @@ SpdySessionKey HttpProxyConnectJob::CreateSpdySessionKey() const {
   return SpdySessionKey(
       GetDestination(), ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
       SpdySessionKey::IsProxySession::kTrue, socket_tag(),
-      params_->network_isolation_key(),
+      params_->network_anonymization_key(),
       params_->ssl_params()->GetDirectConnectionParams()->secure_dns_policy());
 }
 
diff --git a/chromium/net/http/http_proxy_connect_job.h b/chromium/net/http/http_proxy_connect_job.h
index 8587092cf1a..17d26d8f4a2 100644
--- a/chromium/net/http/http_proxy_connect_job.h
+++ b/chromium/net/http/http_proxy_connect_job.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -13,7 +13,7 @@
 #include "base/time/time.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/request_priority.h"
 #include "net/dns/public/resolve_error_info.h"
 #include "net/http/http_auth.h"
@@ -43,13 +43,14 @@ class QuicStreamRequest;
 class NET_EXPORT_PRIVATE HttpProxySocketParams
     : public base::RefCounted<HttpProxySocketParams> {
  public:
-  HttpProxySocketParams(scoped_refptr<TransportSocketParams> transport_params,
-                        scoped_refptr<SSLSocketParams> ssl_params,
-                        bool is_quic,
-                        const HostPortPair& endpoint,
-                        bool tunnel,
-                        const NetworkTrafficAnnotationTag traffic_annotation,
-                        const NetworkIsolationKey& network_isolation_key);
+  HttpProxySocketParams(
+      scoped_refptr<TransportSocketParams> transport_params,
+      scoped_refptr<SSLSocketParams> ssl_params,
+      bool is_quic,
+      const HostPortPair& endpoint,
+      bool tunnel,
+      const NetworkTrafficAnnotationTag traffic_annotation,
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   HttpProxySocketParams(const HttpProxySocketParams&) = delete;
   HttpProxySocketParams& operator=(const HttpProxySocketParams&) = delete;
@@ -63,8 +64,8 @@ class NET_EXPORT_PRIVATE HttpProxySocketParams
   bool is_quic() const { return is_quic_; }
   const HostPortPair& endpoint() const { return endpoint_; }
   bool tunnel() const { return tunnel_; }
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
   const NetworkTrafficAnnotationTag traffic_annotation() const {
     return traffic_annotation_;
@@ -79,7 +80,7 @@ class NET_EXPORT_PRIVATE HttpProxySocketParams
   bool is_quic_;
   const HostPortPair endpoint_;
   const bool tunnel_;
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
   const NetworkTrafficAnnotationTag traffic_annotation_;
 };
 
diff --git a/chromium/net/http/http_proxy_connect_job_unittest.cc b/chromium/net/http/http_proxy_connect_job_unittest.cc
index b433ca83e12..9f9a9fc7347 100644
--- a/chromium/net/http/http_proxy_connect_job_unittest.cc
+++ b/chromium/net/http/http_proxy_connect_job_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -21,7 +21,7 @@
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "net/base/host_port_pair.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/proxy_string_util.h"
 #include "net/base/test_proxy_delegate.h"
 #include "net/dns/mock_host_resolver.h"
@@ -118,7 +118,7 @@ class HttpProxyConnectJobTest : public ::testing::TestWithParam<HttpProxyType>,
     if (GetParam() != HTTP)
       return nullptr;
     return base::MakeRefCounted<TransportSocketParams>(
-        HostPortPair(kHttpProxyHost, 80), NetworkIsolationKey(),
+        HostPortPair(kHttpProxyHost, 80), NetworkAnonymizationKey(),
         secure_dns_policy, OnHostResolutionCallback(),
         /*supported_alpns=*/base::flat_set<std::string>());
   }
@@ -129,11 +129,11 @@ class HttpProxyConnectJobTest : public ::testing::TestWithParam<HttpProxyType>,
       return nullptr;
     return base::MakeRefCounted<SSLSocketParams>(
         base::MakeRefCounted<TransportSocketParams>(
-            HostPortPair(kHttpsProxyHost, 443), NetworkIsolationKey(),
+            HostPortPair(kHttpsProxyHost, 443), NetworkAnonymizationKey(),
             secure_dns_policy, OnHostResolutionCallback(),
             /*supported_alpns=*/base::flat_set<std::string>()),
         nullptr, nullptr, HostPortPair(kHttpsProxyHost, 443), SSLConfig(),
-        PRIVACY_MODE_DISABLED, NetworkIsolationKey());
+        PRIVACY_MODE_DISABLED, NetworkAnonymizationKey());
   }
 
   // Returns a correctly constructed HttpProxyParams for the HTTP or HTTPS
@@ -145,7 +145,7 @@ class HttpProxyConnectJobTest : public ::testing::TestWithParam<HttpProxyType>,
         CreateHttpProxyParams(secure_dns_policy),
         CreateHttpsProxyParams(secure_dns_policy), false /* is_quic */,
         HostPortPair(kEndpointHost, tunnel ? 443 : 80), tunnel,
-        TRAFFIC_ANNOTATION_FOR_TESTS, NetworkIsolationKey());
+        TRAFFIC_ANNOTATION_FOR_TESTS, NetworkAnonymizationKey());
   }
 
   std::unique_ptr<HttpProxyConnectJob> CreateConnectJobForHttpRequest(
@@ -795,7 +795,7 @@ TEST_P(HttpProxyConnectJobTest, HaveAuth) {
                          : GURL(std::string("https://") + kHttpsProxyHost));
   session_->http_auth_cache()->Add(
       proxy_scheme_host_port, HttpAuth::AUTH_PROXY, "MyRealm1",
-      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
       "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar), "/");
 
   for (IoMode io_mode : {SYNCHRONOUS, ASYNC}) {
@@ -937,15 +937,15 @@ TEST_P(HttpProxyConnectJobTest, SpdySessionKeyDisableSecureDns) {
   TestConnectJobDelegate test_delegate;
   auto ssl_params = base::MakeRefCounted<SSLSocketParams>(
       base::MakeRefCounted<TransportSocketParams>(
-          HostPortPair(kHttpsProxyHost, 443), NetworkIsolationKey(),
+          HostPortPair(kHttpsProxyHost, 443), NetworkAnonymizationKey(),
           SecureDnsPolicy::kDisable, OnHostResolutionCallback(),
           /*supported_alpns=*/base::flat_set<std::string>()),
       nullptr, nullptr, HostPortPair(kHttpsProxyHost, 443), SSLConfig(),
-      PRIVACY_MODE_DISABLED, NetworkIsolationKey());
+      PRIVACY_MODE_DISABLED, NetworkAnonymizationKey());
   auto http_proxy_params = base::MakeRefCounted<HttpProxySocketParams>(
       nullptr /* tcp_params */, std::move(ssl_params), false /* is_quic */,
       HostPortPair(kEndpointHost, 443),
-      /*tunnel=*/true, TRAFFIC_ANNOTATION_FOR_TESTS, NetworkIsolationKey());
+      /*tunnel=*/true, TRAFFIC_ANNOTATION_FOR_TESTS, NetworkAnonymizationKey());
 
   std::unique_ptr<ConnectJob> connect_job = CreateConnectJob(
       std::move(http_proxy_params), &test_delegate, DEFAULT_PRIORITY);
@@ -957,7 +957,7 @@ TEST_P(HttpProxyConnectJobTest, SpdySessionKeyDisableSecureDns) {
           SpdySessionKey(HostPortPair(kHttpsProxyHost, 443),
                          ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                          SpdySessionKey::IsProxySession::kTrue, SocketTag(),
-                         NetworkIsolationKey(), SecureDnsPolicy::kDisable),
+                         NetworkAnonymizationKey(), SecureDnsPolicy::kDisable),
           /* enable_ip_based_pooling = */ false,
           /* is_websocket = */ false, NetLogWithSource()));
   EXPECT_FALSE(
@@ -965,7 +965,7 @@ TEST_P(HttpProxyConnectJobTest, SpdySessionKeyDisableSecureDns) {
           SpdySessionKey(HostPortPair(kHttpsProxyHost, 443),
                          ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                          SpdySessionKey::IsProxySession::kTrue, SocketTag(),
-                         NetworkIsolationKey(), SecureDnsPolicy::kAllow),
+                         NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
           /* enable_ip_based_pooling = */ false,
           /* is_websocket = */ false, NetLogWithSource()));
 }
diff --git a/chromium/net/http/http_raw_request_headers.cc b/chromium/net/http/http_raw_request_headers.cc
index 7d1f0b8f03b..cc72e256fab 100644
--- a/chromium/net/http/http_raw_request_headers.cc
+++ b/chromium/net/http/http_raw_request_headers.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_raw_request_headers.h b/chromium/net/http/http_raw_request_headers.h
index 2986dbebfd0..4cd2c745a7e 100644
--- a/chromium/net/http/http_raw_request_headers.h
+++ b/chromium/net/http/http_raw_request_headers.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_request_headers.cc b/chromium/net/http/http_request_headers.cc
index 55e366bf4cd..13f417be7df 100644
--- a/chromium/net/http/http_request_headers.cc
+++ b/chromium/net/http/http_request_headers.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_request_headers.h b/chromium/net/http/http_request_headers.h
index 0f4257c657f..bf07c8d93ac 100644
--- a/chromium/net/http/http_request_headers.h
+++ b/chromium/net/http/http_request_headers.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/http/http_request_headers_unittest.cc b/chromium/net/http/http_request_headers_unittest.cc
index a321427253f..18d9bb5bab4 100644
--- a/chromium/net/http/http_request_headers_unittest.cc
+++ b/chromium/net/http/http_request_headers_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_request_info.cc b/chromium/net/http/http_request_info.cc
index adac030ea8d..0f36d557ef8 100644
--- a/chromium/net/http/http_request_info.cc
+++ b/chromium/net/http/http_request_info.cc
@@ -1,9 +1,10 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_request_info.h"
-
+#include "net/base/network_anonymization_key.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/public/secure_dns_policy.h"
 
 namespace net {
@@ -14,4 +15,10 @@ HttpRequestInfo::HttpRequestInfo(const HttpRequestInfo& other) = default;
 
 HttpRequestInfo::~HttpRequestInfo() = default;
 
+bool HttpRequestInfo::IsConsistent() const {
+  return network_anonymization_key ==
+         NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+             network_isolation_key);
+}
+
 }  // namespace net
diff --git a/chromium/net/http/http_request_info.h b/chromium/net/http/http_request_info.h
index ff52954b981..028b9d30f68 100644
--- a/chromium/net/http/http_request_info.h
+++ b/chromium/net/http/http_request_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,6 +10,7 @@
 #include "base/memory/raw_ptr.h"
 #include "net/base/idempotency.h"
 #include "net/base/net_export.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_isolation_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/dns/public/secure_dns_policy.h"
@@ -29,6 +30,8 @@ struct NET_EXPORT HttpRequestInfo {
   HttpRequestInfo(const HttpRequestInfo& other);
   ~HttpRequestInfo();
 
+  bool IsConsistent() const;
+
   // The requested URL.
   GURL url;
 
@@ -36,9 +39,17 @@ struct NET_EXPORT HttpRequestInfo {
   std::string method;
 
   // This key is used to isolate requests from different contexts in accessing
-  // shared network resources like the cache.
+  // shared cache.
   NetworkIsolationKey network_isolation_key;
 
+  // This key is used to isolate requests from different contexts in accessing
+  // shared network resources.
+
+  // TODO @brgoldstein: populate this field from the
+  // NetworkContext::PreconnectSockets path. And the HTTPCacheLookupManager
+  // path.
+  NetworkAnonymizationKey network_anonymization_key;
+
   // True if it is a subframe's document resource.
   bool is_subframe_document_resource = false;
 
@@ -96,6 +107,15 @@ struct NET_EXPORT HttpRequestInfo {
   // Checksum of the request body and selected headers, in upper-case
   // hexadecimal. Only non-empty if the USE_SINGLE_KEYED_CACHE load flag is set.
   std::string checksum;
+
+  // If not null, the value is used to evaluate whether the cache entry should
+  // be bypassed; if is null, that means the request site does not match the
+  // filter.
+  absl::optional<int64_t> fps_cache_filter;
+
+  // Use as ID to mark the cache entry when persisting. Should be a positive
+  // number once set.
+  absl::optional<int64_t> browser_run_id;
 };
 
 }  // namespace net
diff --git a/chromium/net/http/http_request_info_unittest.cc b/chromium/net/http/http_request_info_unittest.cc
new file mode 100644
index 00000000000..832e931bdb6
--- /dev/null
+++ b/chromium/net/http/http_request_info_unittest.cc
@@ -0,0 +1,109 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/http/http_request_info.h"
+#include "base/test/scoped_feature_list.h"
+#include "net/base/features.h"
+#include "net/base/network_anonymization_key.h"
+#include "net/base/network_isolation_key.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+TEST(HTTPRequestInfoTest, IsConsistent) {
+  // TODO(brgoldstein): refactor this test with new testing config enum when
+  // you update NetworkAnonymizationKey tests and IsolationInfo tests.
+
+  // Triple keyed NIK and NAK.
+  base::test::ScopedFeatureList scoped_feature_list_;
+  std::vector<base::test::FeatureRef> disabled_features_1 = {};
+  disabled_features_1.push_back(
+      net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
+  disabled_features_1.push_back(
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey);
+  disabled_features_1.push_back(
+      net::features::kEnableCrossSiteFlagNetworkAnonymizationKey);
+  scoped_feature_list_.InitWithFeatures({}, disabled_features_1);
+
+  const SchemefulSite kTestSiteA = SchemefulSite(GURL("http://a.test/"));
+  const SchemefulSite kTestSiteB = SchemefulSite(GURL("http://b.test/"));
+
+  net::HttpRequestInfo empty_request_info;
+
+  net::HttpRequestInfo request_info_different_nik_nak;
+  request_info_different_nik_nak.network_isolation_key =
+      NetworkIsolationKey(kTestSiteA, kTestSiteB);
+  request_info_different_nik_nak.network_anonymization_key =
+      NetworkAnonymizationKey(kTestSiteB, kTestSiteA);
+
+  net::HttpRequestInfo triple_keys_request_info;
+  triple_keys_request_info.network_isolation_key =
+      NetworkIsolationKey(kTestSiteA, kTestSiteB);
+  triple_keys_request_info.network_anonymization_key =
+      NetworkAnonymizationKey(kTestSiteA, kTestSiteB);
+
+  net::HttpRequestInfo triple_nik_double_nak_request_info;
+  triple_nik_double_nak_request_info.network_isolation_key =
+      NetworkIsolationKey(kTestSiteA, kTestSiteB);
+
+  EXPECT_FALSE(request_info_different_nik_nak.IsConsistent());
+  EXPECT_TRUE(triple_keys_request_info.IsConsistent());
+
+  // Double key NIK and triple key NAK.
+  scoped_feature_list_.Reset();
+  std::vector<base::test::FeatureRef> enabled_features_2 = {};
+  std::vector<base::test::FeatureRef> disabled_features_2 = {};
+  enabled_features_2.push_back(
+      net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
+  disabled_features_2.push_back(
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey);
+  disabled_features_2.push_back(
+      net::features::kEnableCrossSiteFlagNetworkAnonymizationKey);
+  scoped_feature_list_.InitWithFeatures(enabled_features_2,
+                                        disabled_features_2);
+  // This is not a valid key confiugrations so
+  // NetworkAnonymizationKey::CreateFromNetworkIsolationKey should always
+  // DCHECK.
+  EXPECT_DEATH_IF_SUPPORTED(triple_keys_request_info.IsConsistent(), "");
+
+  // Triple key NIK and double key NAK.
+  scoped_feature_list_.Reset();
+  std::vector<base::test::FeatureRef> enabled_features_3 = {};
+  std::vector<base::test::FeatureRef> disabled_features_3 = {};
+  disabled_features_3.push_back(
+      net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
+  enabled_features_3.push_back(
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey);
+  disabled_features_3.push_back(
+      net::features::kEnableCrossSiteFlagNetworkAnonymizationKey);
+  scoped_feature_list_.InitWithFeatures(enabled_features_3,
+                                        disabled_features_3);
+
+  EXPECT_FALSE(triple_keys_request_info.IsConsistent());
+
+  // Triple key NIK and double key with cross site flag NAK.
+  scoped_feature_list_.Reset();
+  std::vector<base::test::FeatureRef> enabled_features_4 = {};
+  std::vector<base::test::FeatureRef> disabled_features_4 = {};
+  disabled_features_3.push_back(
+      net::features::kForceIsolationInfoFrameOriginToTopLevelFrame);
+  enabled_features_3.push_back(
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey);
+  enabled_features_4.push_back(
+      net::features::kEnableCrossSiteFlagNetworkAnonymizationKey);
+  scoped_feature_list_.InitWithFeatures(enabled_features_4,
+                                        disabled_features_4);
+
+  EXPECT_FALSE(triple_keys_request_info.IsConsistent());
+  EXPECT_FALSE(triple_nik_double_nak_request_info.IsConsistent());
+
+  net::HttpRequestInfo triple_nik_double_xsite_bit_nak_request_info;
+  triple_nik_double_xsite_bit_nak_request_info.network_isolation_key =
+      NetworkIsolationKey(kTestSiteA, kTestSiteB);
+  triple_nik_double_xsite_bit_nak_request_info.network_anonymization_key =
+      NetworkAnonymizationKey(kTestSiteA, kTestSiteB, true);
+
+  EXPECT_TRUE(triple_nik_double_xsite_bit_nak_request_info.IsConsistent());
+}
+}  // namespace net
diff --git a/chromium/net/http/http_response_body_drainer.cc b/chromium/net/http/http_response_body_drainer.cc
index 0be2c28d986..b4887a43c2d 100644
--- a/chromium/net/http/http_response_body_drainer.cc
+++ b/chromium/net/http/http_response_body_drainer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_response_body_drainer.h b/chromium/net/http/http_response_body_drainer.h
index c1007ab08e7..df73c9543ca 100644
--- a/chromium/net/http/http_response_body_drainer.h
+++ b/chromium/net/http/http_response_body_drainer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_response_body_drainer_unittest.cc b/chromium/net/http/http_response_body_drainer_unittest.cc
index d4bc1bdec10..a40bce93c7f 100644
--- a/chromium/net/http/http_response_body_drainer_unittest.cc
+++ b/chromium/net/http/http_response_body_drainer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_response_headers.cc b/chromium/net/http/http_response_headers.cc
index 54a82879c64..17d9b46cc3d 100644
--- a/chromium/net/http/http_response_headers.cc
+++ b/chromium/net/http/http_response_headers.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,6 +19,7 @@
 #include "base/logging.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/pickle.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/escape.h"
 #include "base/strings/strcat.h"
 #include "base/strings/string_number_conversions.h"
@@ -460,8 +461,7 @@ void HttpResponseHeaders::Parse(const std::string& raw_input) {
 
   // ParseStatusLine adds a normalized status line to raw_headers_
   std::string::const_iterator line_begin = raw_input.begin();
-  std::string::const_iterator line_end =
-      std::find(line_begin, raw_input.end(), '\0');
+  std::string::const_iterator line_end = base::ranges::find(raw_input, '\0');
   // has_headers = true, if there is any data following the status line.
   // Used by ParseStatusLine() to decide if a HTTP/0.9 is really a HTTP/1.0.
   bool has_headers =
@@ -545,10 +545,9 @@ std::string HttpResponseHeaders::GetStatusText() const {
   // '<http_version> SP <response_code>' or
   // '<http_version> SP <response_code> SP <status_text>'.
   std::string status_text = GetStatusLine();
-  std::string::const_iterator begin = status_text.begin();
-  std::string::const_iterator end = status_text.end();
   // Seek to beginning of <response_code>.
-  begin = std::find(begin, end, ' ');
+  std::string::const_iterator begin = base::ranges::find(status_text, ' ');
+  std::string::const_iterator end = status_text.end();
   CHECK(begin != end);
   ++begin;
   CHECK(begin != end);
diff --git a/chromium/net/http/http_response_headers.h b/chromium/net/http/http_response_headers.h
index d49f1f66f36..5edf7025bc2 100644
--- a/chromium/net/http/http_response_headers.h
+++ b/chromium/net/http/http_response_headers.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_response_headers_unittest.cc b/chromium/net/http/http_response_headers_unittest.cc
index 0007e534e87..fa3c2d34d78 100644
--- a/chromium/net/http/http_response_headers_unittest.cc
+++ b/chromium/net/http/http_response_headers_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_response_info.cc b/chromium/net/http/http_response_info.cc
index d0b6fc231c3..72b007acd8a 100644
--- a/chromium/net/http/http_response_info.cc
+++ b/chromium/net/http/http_response_info.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -16,6 +16,7 @@
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_connection_status_flags.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_versions.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 #include "third_party/boringssl/src/include/openssl/ssl.h"
 
 using base::Time;
@@ -124,6 +125,9 @@ enum {
   // This bit is set if the response has `encrypted_client_hello` set.
   RESPONSE_INFO_ENCRYPTED_CLIENT_HELLO = 1 << 29,
 
+  // This bit is set if the response has `browser_run_id` set.
+  RESPONSE_INFO_BROWSER_RUN_ID = 1 << 30,
+
   // This enum only has a few bits (`1 << 31` is the limit). If allocating the
   // last flag, instead allocate it as `RESPONSE_INFO_HAS_EXTRA_FLAGS` to
   // signal another flags word.
@@ -388,6 +392,14 @@ bool HttpResponseInfo::InitFromPickle(const base::Pickle& pickle,
   ssl_info.encrypted_client_hello =
       (flags & RESPONSE_INFO_ENCRYPTED_CLIENT_HELLO) != 0;
 
+  // Read browser_run_id.
+  if (flags & RESPONSE_INFO_BROWSER_RUN_ID) {
+    int64_t id;
+    if (!iter.ReadInt64(&id))
+      return false;
+    browser_run_id = absl::make_optional(id);
+  }
+
   return true;
 }
 
@@ -435,6 +447,8 @@ void HttpResponseInfo::Persist(base::Pickle* pickle,
     flags |= RESPONSE_INFO_HAS_DNS_ALIASES;
   if (ssl_info.encrypted_client_hello)
     flags |= RESPONSE_INFO_ENCRYPTED_CLIENT_HELLO;
+  if (browser_run_id.has_value())
+    flags |= RESPONSE_INFO_BROWSER_RUN_ID;
 
   pickle->WriteInt(flags);
   pickle->WriteInt64(request_time.ToInternalValue());
@@ -489,6 +503,10 @@ void HttpResponseInfo::Persist(base::Pickle* pickle,
     for (const auto& alias : dns_aliases)
       pickle->WriteString(alias);
   }
+
+  if (browser_run_id.has_value()) {
+    pickle->WriteInt64(browser_run_id.value());
+  }
 }
 
 bool HttpResponseInfo::DidUseQuic() const {
diff --git a/chromium/net/http/http_response_info.h b/chromium/net/http/http_response_info.h
index b96254383e8..f8b39a7ad88 100644
--- a/chromium/net/http/http_response_info.h
+++ b/chromium/net/http/http_response_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,6 +14,7 @@
 #include "net/base/net_export.h"
 #include "net/base/proxy_server.h"
 #include "net/dns/public/resolve_error_info.h"
+#include "net/http/alternate_protocol_usage.h"
 #include "net/http/http_vary_data.h"
 #include "net/ssl/ssl_info.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
@@ -219,6 +220,11 @@ class NET_EXPORT HttpResponseInfo {
   // Protocol negotiated with the server.
   std::string alpn_negotiated_protocol;
 
+  // The reason why Chrome uses a specific transport protocol for HTTP
+  // semantics.
+  net::AlternateProtocolUsage alternate_protocol_usage =
+      net::AlternateProtocolUsage::ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON;
+
   // The type of connection used for this response.
   ConnectionInfo connection_info = CONNECTION_INFO_UNKNOWN;
 
@@ -261,6 +267,10 @@ class NET_EXPORT HttpResponseInfo {
   // in no particular order.
   std::set<std::string> dns_aliases;
 
+  // If not null, this indicates the response is stored during a certain browser
+  // session. Used for filtering cache access.
+  absl::optional<int64_t> browser_run_id;
+
   static std::string ConnectionInfoToString(ConnectionInfo connection_info);
 };
 
diff --git a/chromium/net/http/http_response_info_unittest.cc b/chromium/net/http/http_response_info_unittest.cc
index 921c71ca66a..e8133cdddfe 100644
--- a/chromium/net/http/http_response_info_unittest.cc
+++ b/chromium/net/http/http_response_info_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -261,6 +261,22 @@ TEST_F(HttpResponseInfoTest, EmptyDnsAliases) {
   EXPECT_TRUE(restored_response_info.dns_aliases.empty());
 }
 
+// Test that `browser_run_id` is preserved.
+TEST_F(HttpResponseInfoTest, BrowserRunId) {
+  response_info_.browser_run_id = 1;
+  net::HttpResponseInfo restored_response_info;
+  PickleAndRestore(response_info_, &restored_response_info);
+  EXPECT_EQ(1, restored_response_info.browser_run_id);
+}
+
+// Test that an empty `browser_run_id` is preserved and doesn't throw an error.
+TEST_F(HttpResponseInfoTest, EmptyBrowserRunId) {
+  response_info_.browser_run_id = absl::nullopt;
+  net::HttpResponseInfo restored_response_info;
+  PickleAndRestore(response_info_, &restored_response_info);
+  EXPECT_FALSE(restored_response_info.browser_run_id.has_value());
+}
+
 }  // namespace
 
 }  // namespace net
diff --git a/chromium/net/http/http_security_headers.cc b/chromium/net/http/http_security_headers.cc
index 15defb9c4ff..52f508aeddb 100644
--- a/chromium/net/http/http_security_headers.cc
+++ b/chromium/net/http/http_security_headers.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_security_headers.h b/chromium/net/http/http_security_headers.h
index 310136af166..65d55d5691c 100644
--- a/chromium/net/http/http_security_headers.h
+++ b/chromium/net/http/http_security_headers.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_security_headers_expect_ct_fuzzer.cc b/chromium/net/http/http_security_headers_expect_ct_fuzzer.cc
index 4eade8be796..ecb18d73b03 100644
--- a/chromium/net/http/http_security_headers_expect_ct_fuzzer.cc
+++ b/chromium/net/http/http_security_headers_expect_ct_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_security_headers_hsts_fuzzer.cc b/chromium/net/http/http_security_headers_hsts_fuzzer.cc
index a1b0968d7b1..2afab78b6db 100644
--- a/chromium/net/http/http_security_headers_hsts_fuzzer.cc
+++ b/chromium/net/http/http_security_headers_hsts_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_security_headers_unittest.cc b/chromium/net/http/http_security_headers_unittest.cc
index 4d4369c2b4a..110bd1b0ec4 100644
--- a/chromium/net/http/http_security_headers_unittest.cc
+++ b/chromium/net/http/http_security_headers_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_server_properties.cc b/chromium/net/http/http_server_properties.cc
index 887ffee8148..24fed5ba745 100644
--- a/chromium/net/http/http_server_properties.cc
+++ b/chromium/net/http/http_server_properties.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -72,11 +72,12 @@ bool HttpServerProperties::ServerInfo::operator==(
 
 HttpServerProperties::ServerInfoMapKey::ServerInfoMapKey(
     url::SchemeHostPort server,
-    const NetworkIsolationKey& network_isolation_key,
-    bool use_network_isolation_key)
+    const NetworkAnonymizationKey& network_anonymization_key,
+    bool use_network_anonymization_key)
     : server(std::move(server)),
-      network_isolation_key(use_network_isolation_key ? network_isolation_key
-                                                      : NetworkIsolationKey()) {
+      network_anonymization_key(use_network_anonymization_key
+                                    ? network_anonymization_key
+                                    : NetworkAnonymizationKey()) {
   // Scheme should have been normalized before this method was called.
   DCHECK_NE(this->server.scheme(), url::kWsScheme);
   DCHECK_NE(this->server.scheme(), url::kWssScheme);
@@ -86,32 +87,32 @@ HttpServerProperties::ServerInfoMapKey::~ServerInfoMapKey() = default;
 
 bool HttpServerProperties::ServerInfoMapKey::operator<(
     const ServerInfoMapKey& other) const {
-  return std::tie(server, network_isolation_key) <
-         std::tie(other.server, other.network_isolation_key);
+  return std::tie(server, network_anonymization_key) <
+         std::tie(other.server, other.network_anonymization_key);
 }
 
 HttpServerProperties::QuicServerInfoMapKey::QuicServerInfoMapKey(
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key,
-    bool use_network_isolation_key)
+    const NetworkAnonymizationKey& network_anonymization_key,
+    bool use_network_anonymization_key)
     : server_id(server_id),
-      network_isolation_key(use_network_isolation_key ? network_isolation_key
-                                                      : NetworkIsolationKey()) {
-}
+      network_anonymization_key(use_network_anonymization_key
+                                    ? network_anonymization_key
+                                    : NetworkAnonymizationKey()) {}
 
 HttpServerProperties::QuicServerInfoMapKey::~QuicServerInfoMapKey() = default;
 
 bool HttpServerProperties::QuicServerInfoMapKey::operator<(
     const QuicServerInfoMapKey& other) const {
-  return std::tie(server_id, network_isolation_key) <
-         std::tie(other.server_id, other.network_isolation_key);
+  return std::tie(server_id, network_anonymization_key) <
+         std::tie(other.server_id, other.network_anonymization_key);
 }
 
 // Used in tests.
 bool HttpServerProperties::QuicServerInfoMapKey::operator==(
     const QuicServerInfoMapKey& other) const {
-  return std::tie(server_id, network_isolation_key) ==
-         std::tie(other.server_id, other.network_isolation_key);
+  return std::tie(server_id, network_anonymization_key) ==
+         std::tie(other.server_id, other.network_anonymization_key);
 }
 
 HttpServerProperties::ServerInfoMap::ServerInfoMap()
@@ -140,7 +141,7 @@ HttpServerProperties::HttpServerProperties(
     : tick_clock_(tick_clock ? tick_clock
                              : base::DefaultTickClock::GetInstance()),
       clock_(clock ? clock : base::DefaultClock::GetInstance()),
-      use_network_isolation_key_(base::FeatureList::IsEnabled(
+      use_network_anonymization_key_(base::FeatureList::IsEnabled(
           features::kPartitionHttpServerPropertiesByNetworkIsolationKey)),
       is_initialized_(pref_delegate.get() == nullptr),
       properties_manager_(
@@ -204,15 +205,15 @@ void HttpServerProperties::Clear(base::OnceClosure callback) {
 
 bool HttpServerProperties::SupportsRequestPriority(
     const url::SchemeHostPort& server,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   if (server.host().empty())
     return false;
 
-  if (GetSupportsSpdy(server, network_isolation_key))
+  if (GetSupportsSpdy(server, network_anonymization_key))
     return true;
   const AlternativeServiceInfoVector alternative_service_info_vector =
-      GetAlternativeServiceInfos(server, network_isolation_key);
+      GetAlternativeServiceInfos(server, network_anonymization_key);
   for (const AlternativeServiceInfo& alternative_service_info :
        alternative_service_info_vector) {
     if (alternative_service_info.alternative_service().protocol == kProtoQUIC) {
@@ -224,63 +225,63 @@ bool HttpServerProperties::SupportsRequestPriority(
 
 bool HttpServerProperties::GetSupportsSpdy(
     const url::SchemeHostPort& server,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   return GetSupportsSpdyInternal(NormalizeSchemeHostPort(server),
-                                 network_isolation_key);
+                                 network_anonymization_key);
 }
 
 void HttpServerProperties::SetSupportsSpdy(
     const url::SchemeHostPort& server,
-    const net::NetworkIsolationKey& network_isolation_key,
+    const net::NetworkAnonymizationKey& network_anonymization_key,
     bool supports_spdy) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   SetSupportsSpdyInternal(NormalizeSchemeHostPort(server),
-                          network_isolation_key, supports_spdy);
+                          network_anonymization_key, supports_spdy);
 }
 
 bool HttpServerProperties::RequiresHTTP11(
     const url::SchemeHostPort& server,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   return RequiresHTTP11Internal(NormalizeSchemeHostPort(server),
-                                network_isolation_key);
+                                network_anonymization_key);
 }
 
 void HttpServerProperties::SetHTTP11Required(
     const url::SchemeHostPort& server,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   SetHTTP11RequiredInternal(NormalizeSchemeHostPort(server),
-                            network_isolation_key);
+                            network_anonymization_key);
 }
 
 void HttpServerProperties::MaybeForceHTTP11(
     const url::SchemeHostPort& server,
-    const net::NetworkIsolationKey& network_isolation_key,
+    const net::NetworkAnonymizationKey& network_anonymization_key,
     SSLConfig* ssl_config) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   MaybeForceHTTP11Internal(NormalizeSchemeHostPort(server),
-                           network_isolation_key, ssl_config);
+                           network_anonymization_key, ssl_config);
 }
 
 AlternativeServiceInfoVector HttpServerProperties::GetAlternativeServiceInfos(
     const url::SchemeHostPort& origin,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   return GetAlternativeServiceInfosInternal(NormalizeSchemeHostPort(origin),
-                                            network_isolation_key);
+                                            network_anonymization_key);
 }
 
 void HttpServerProperties::SetHttp2AlternativeService(
     const url::SchemeHostPort& origin,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const AlternativeService& alternative_service,
     base::Time expiration) {
   DCHECK_EQ(alternative_service.protocol, kProtoHTTP2);
 
   SetAlternativeServices(
-      origin, network_isolation_key,
+      origin, network_anonymization_key,
       AlternativeServiceInfoVector(
           /*size=*/1, AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
                           alternative_service, expiration)));
@@ -288,14 +289,14 @@ void HttpServerProperties::SetHttp2AlternativeService(
 
 void HttpServerProperties::SetQuicAlternativeService(
     const url::SchemeHostPort& origin,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const AlternativeService& alternative_service,
     base::Time expiration,
     const quic::ParsedQuicVersionVector& advertised_versions) {
   DCHECK(alternative_service.protocol == kProtoQUIC);
 
   SetAlternativeServices(
-      origin, network_isolation_key,
+      origin, network_anonymization_key,
       AlternativeServiceInfoVector(
           /*size=*/1,
           AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
@@ -304,64 +305,68 @@ void HttpServerProperties::SetQuicAlternativeService(
 
 void HttpServerProperties::SetAlternativeServices(
     const url::SchemeHostPort& origin,
-    const net::NetworkIsolationKey& network_isolation_key,
+    const net::NetworkAnonymizationKey& network_anonymization_key,
     const AlternativeServiceInfoVector& alternative_service_info_vector) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   SetAlternativeServicesInternal(NormalizeSchemeHostPort(origin),
-                                 network_isolation_key,
+                                 network_anonymization_key,
                                  alternative_service_info_vector);
 }
 
 void HttpServerProperties::MarkAlternativeServiceBroken(
     const AlternativeService& alternative_service,
-    const net::NetworkIsolationKey& network_isolation_key) {
-  broken_alternative_services_.MarkBroken(BrokenAlternativeService(
-      alternative_service, network_isolation_key, use_network_isolation_key_));
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
+  broken_alternative_services_.MarkBroken(
+      BrokenAlternativeService(alternative_service, network_anonymization_key,
+                               use_network_anonymization_key_));
   MaybeQueueWriteProperties();
 }
 
 void HttpServerProperties::
     MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
         const AlternativeService& alternative_service,
-        const net::NetworkIsolationKey& network_isolation_key) {
+        const net::NetworkAnonymizationKey& network_anonymization_key) {
   broken_alternative_services_.MarkBrokenUntilDefaultNetworkChanges(
-      BrokenAlternativeService(alternative_service, network_isolation_key,
-                               use_network_isolation_key_));
+      BrokenAlternativeService(alternative_service, network_anonymization_key,
+                               use_network_anonymization_key_));
   MaybeQueueWriteProperties();
 }
 
 void HttpServerProperties::MarkAlternativeServiceRecentlyBroken(
     const AlternativeService& alternative_service,
-    const net::NetworkIsolationKey& network_isolation_key) {
-  broken_alternative_services_.MarkRecentlyBroken(BrokenAlternativeService(
-      alternative_service, network_isolation_key, use_network_isolation_key_));
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
+  broken_alternative_services_.MarkRecentlyBroken(
+      BrokenAlternativeService(alternative_service, network_anonymization_key,
+                               use_network_anonymization_key_));
   MaybeQueueWriteProperties();
 }
 
 bool HttpServerProperties::IsAlternativeServiceBroken(
     const AlternativeService& alternative_service,
-    const net::NetworkIsolationKey& network_isolation_key) const {
-  return broken_alternative_services_.IsBroken(BrokenAlternativeService(
-      alternative_service, network_isolation_key, use_network_isolation_key_));
+    const net::NetworkAnonymizationKey& network_anonymization_key) const {
+  return broken_alternative_services_.IsBroken(
+      BrokenAlternativeService(alternative_service, network_anonymization_key,
+                               use_network_anonymization_key_));
 }
 
 bool HttpServerProperties::WasAlternativeServiceRecentlyBroken(
     const AlternativeService& alternative_service,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   return broken_alternative_services_.WasRecentlyBroken(
-      BrokenAlternativeService(alternative_service, network_isolation_key,
-                               use_network_isolation_key_));
+      BrokenAlternativeService(alternative_service, network_anonymization_key,
+                               use_network_anonymization_key_));
 }
 
 void HttpServerProperties::ConfirmAlternativeService(
     const AlternativeService& alternative_service,
-    const net::NetworkIsolationKey& network_isolation_key) {
-  bool old_value =
-      IsAlternativeServiceBroken(alternative_service, network_isolation_key);
-  broken_alternative_services_.Confirm(BrokenAlternativeService(
-      alternative_service, network_isolation_key, use_network_isolation_key_));
-  bool new_value =
-      IsAlternativeServiceBroken(alternative_service, network_isolation_key);
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
+  bool old_value = IsAlternativeServiceBroken(alternative_service,
+                                              network_anonymization_key);
+  broken_alternative_services_.Confirm(
+      BrokenAlternativeService(alternative_service, network_anonymization_key,
+                               use_network_anonymization_key_));
+  bool new_value = IsAlternativeServiceBroken(alternative_service,
+                                              network_anonymization_key);
 
   // For persisting, we only care about the value returned by
   // IsAlternativeServiceBroken. If that value changes, then call persist.
@@ -395,9 +400,10 @@ base::Value HttpServerProperties::GetAlternativeServiceInfoAsValue() const {
       }
       base::TimeTicks brokenness_expiration_ticks;
       if (broken_alternative_services_.IsBroken(
-              BrokenAlternativeService(alternative_service,
-                                       server_info.first.network_isolation_key,
-                                       use_network_isolation_key_),
+              BrokenAlternativeService(
+                  alternative_service,
+                  server_info.first.network_anonymization_key,
+                  use_network_anonymization_key_),
               &brokenness_expiration_ticks)) {
         // Convert |brokenness_expiration| from TimeTicks to Time
         base::Time brokenness_expiration =
@@ -419,8 +425,8 @@ base::Value HttpServerProperties::GetAlternativeServiceInfoAsValue() const {
       continue;
     base::Value::Dict dict;
     dict.Set("server", key.server.Serialize());
-    dict.Set("network_isolation_key",
-             key.network_isolation_key.ToDebugString());
+    dict.Set("network_anonymization_key",
+             key.network_anonymization_key.ToDebugString());
     dict.Set("alternative_service", std::move(alternative_service_list));
     dict_list.Append(std::move(dict));
   }
@@ -459,32 +465,32 @@ void HttpServerProperties::ClearLastLocalAddressWhenQuicWorked() {
 
 void HttpServerProperties::SetServerNetworkStats(
     const url::SchemeHostPort& server,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ServerNetworkStats stats) {
   SetServerNetworkStatsInternal(NormalizeSchemeHostPort(server),
-                                network_isolation_key, std::move(stats));
+                                network_anonymization_key, std::move(stats));
 }
 
 void HttpServerProperties::ClearServerNetworkStats(
     const url::SchemeHostPort& server,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   ClearServerNetworkStatsInternal(NormalizeSchemeHostPort(server),
-                                  network_isolation_key);
+                                  network_anonymization_key);
 }
 
 const ServerNetworkStats* HttpServerProperties::GetServerNetworkStats(
     const url::SchemeHostPort& server,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   return GetServerNetworkStatsInternal(NormalizeSchemeHostPort(server),
-                                       network_isolation_key);
+                                       network_anonymization_key);
 }
 
 void HttpServerProperties::SetQuicServerInfo(
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const std::string& server_info) {
   QuicServerInfoMapKey key =
-      CreateQuicServerInfoKey(server_id, network_isolation_key);
+      CreateQuicServerInfoKey(server_id, network_anonymization_key);
   auto it = quic_server_info_map_.Peek(key);
   bool changed =
       (it == quic_server_info_map_.end() || it->second != server_info);
@@ -496,9 +502,9 @@ void HttpServerProperties::SetQuicServerInfo(
 
 const std::string* HttpServerProperties::GetQuicServerInfo(
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   QuicServerInfoMapKey key =
-      CreateQuicServerInfoKey(server_id, network_isolation_key);
+      CreateQuicServerInfoKey(server_id, network_anonymization_key);
   auto it = quic_server_info_map_.Get(key);
   if (it != quic_server_info_map_.end()) {
     // Since |canonical_server_info_map_| should always map to the most
@@ -516,8 +522,8 @@ const std::string* HttpServerProperties::GetQuicServerInfo(
     return nullptr;
 
   // When search in |quic_server_info_map_|, do not change the MRU order.
-  it = quic_server_info_map_.Peek(
-      CreateQuicServerInfoKey(canonical_itr->second, network_isolation_key));
+  it = quic_server_info_map_.Peek(CreateQuicServerInfoKey(
+      canonical_itr->second, network_anonymization_key));
   if (it != quic_server_info_map_.end())
     return &it->second;
 
@@ -576,13 +582,13 @@ bool HttpServerProperties::IsInitialized() const {
 
 void HttpServerProperties::OnExpireBrokenAlternativeService(
     const AlternativeService& expired_alternative_service,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   // Remove every occurrence of |expired_alternative_service| from
   // |alternative_service_map_|.
   for (auto map_it = server_info_map_.begin();
        map_it != server_info_map_.end();) {
     if (!map_it->second.alternative_services.has_value() ||
-        map_it->first.network_isolation_key != network_isolation_key) {
+        map_it->first.network_anonymization_key != network_anonymization_key) {
       ++map_it;
       continue;
     }
@@ -605,7 +611,8 @@ void HttpServerProperties::OnExpireBrokenAlternativeService(
     // from both |canonical_alt_svc_map_| and
     // |alternative_service_map_|.
     if (service_info->empty()) {
-      RemoveAltSvcCanonicalHost(map_it->first.server, network_isolation_key);
+      RemoveAltSvcCanonicalHost(map_it->first.server,
+                                network_anonymization_key);
       map_it->second.alternative_services.reset();
       map_it = server_info_map_.EraseIfEmpty(map_it);
       continue;
@@ -620,7 +627,7 @@ base::TimeDelta HttpServerProperties::GetUpdatePrefsDelayForTesting() {
 
 bool HttpServerProperties::GetSupportsSpdyInternal(
     url::SchemeHostPort server,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(server.scheme(), url::kWsScheme);
   DCHECK_NE(server.scheme(), url::kWssScheme);
@@ -628,14 +635,14 @@ bool HttpServerProperties::GetSupportsSpdyInternal(
     return false;
 
   auto server_info = server_info_map_.Get(
-      CreateServerInfoKey(std::move(server), network_isolation_key));
+      CreateServerInfoKey(std::move(server), network_anonymization_key));
   return server_info != server_info_map_.end() &&
          server_info->second.supports_spdy.value_or(false);
 }
 
 void HttpServerProperties::SetSupportsSpdyInternal(
     url::SchemeHostPort server,
-    const net::NetworkIsolationKey& network_isolation_key,
+    const net::NetworkAnonymizationKey& network_anonymization_key,
     bool supports_spdy) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(server.scheme(), url::kWsScheme);
@@ -644,7 +651,7 @@ void HttpServerProperties::SetSupportsSpdyInternal(
     return;
 
   auto server_info = server_info_map_.GetOrPut(
-      CreateServerInfoKey(std::move(server), network_isolation_key));
+      CreateServerInfoKey(std::move(server), network_anonymization_key));
   // If value is already the same as |supports_spdy|, or value is unset and
   // |supports_spdy| is false, don't queue a write.
   bool queue_write =
@@ -657,7 +664,7 @@ void HttpServerProperties::SetSupportsSpdyInternal(
 
 bool HttpServerProperties::RequiresHTTP11Internal(
     url::SchemeHostPort server,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(server.scheme(), url::kWsScheme);
   DCHECK_NE(server.scheme(), url::kWssScheme);
@@ -665,14 +672,14 @@ bool HttpServerProperties::RequiresHTTP11Internal(
     return false;
 
   auto spdy_info = server_info_map_.Get(
-      CreateServerInfoKey(std::move(server), network_isolation_key));
+      CreateServerInfoKey(std::move(server), network_anonymization_key));
   return spdy_info != server_info_map_.end() &&
          spdy_info->second.requires_http11.value_or(false);
 }
 
 void HttpServerProperties::SetHTTP11RequiredInternal(
     url::SchemeHostPort server,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(server.scheme(), url::kWsScheme);
   DCHECK_NE(server.scheme(), url::kWssScheme);
@@ -680,7 +687,8 @@ void HttpServerProperties::SetHTTP11RequiredInternal(
     return;
 
   server_info_map_
-      .GetOrPut(CreateServerInfoKey(std::move(server), network_isolation_key))
+      .GetOrPut(
+          CreateServerInfoKey(std::move(server), network_anonymization_key))
       ->second.requires_http11 = true;
   // No need to call MaybeQueueWriteProperties(), as this information is not
   // persisted to preferences.
@@ -688,12 +696,12 @@ void HttpServerProperties::SetHTTP11RequiredInternal(
 
 void HttpServerProperties::MaybeForceHTTP11Internal(
     url::SchemeHostPort server,
-    const net::NetworkIsolationKey& network_isolation_key,
+    const net::NetworkAnonymizationKey& network_anonymization_key,
     SSLConfig* ssl_config) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(server.scheme(), url::kWsScheme);
   DCHECK_NE(server.scheme(), url::kWssScheme);
-  if (RequiresHTTP11(std::move(server), network_isolation_key)) {
+  if (RequiresHTTP11(std::move(server), network_anonymization_key)) {
     ssl_config->alpn_protos.clear();
     ssl_config->alpn_protos.push_back(kProtoHTTP11);
   }
@@ -702,7 +710,7 @@ void HttpServerProperties::MaybeForceHTTP11Internal(
 AlternativeServiceInfoVector
 HttpServerProperties::GetAlternativeServiceInfosInternal(
     const url::SchemeHostPort& origin,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(origin.scheme(), url::kWsScheme);
   DCHECK_NE(origin.scheme(), url::kWssScheme);
@@ -711,8 +719,8 @@ HttpServerProperties::GetAlternativeServiceInfosInternal(
   // |valid_alternative_service_infos|.
   AlternativeServiceInfoVector valid_alternative_service_infos;
   const base::Time now = clock_->Now();
-  auto map_it =
-      server_info_map_.Get(CreateServerInfoKey(origin, network_isolation_key));
+  auto map_it = server_info_map_.Get(
+      CreateServerInfoKey(origin, network_anonymization_key));
   if (map_it != server_info_map_.end() &&
       map_it->second.alternative_services.has_value()) {
     AlternativeServiceInfoVector* service_info =
@@ -753,12 +761,12 @@ HttpServerProperties::GetAlternativeServiceInfosInternal(
     return valid_alternative_service_infos;
   }
 
-  auto canonical = GetCanonicalAltSvcHost(origin, network_isolation_key);
+  auto canonical = GetCanonicalAltSvcHost(origin, network_anonymization_key);
   if (canonical == canonical_alt_svc_map_.end()) {
     return AlternativeServiceInfoVector();
   }
   map_it = server_info_map_.Get(
-      CreateServerInfoKey(canonical->second, network_isolation_key));
+      CreateServerInfoKey(canonical->second, network_anonymization_key));
   if (map_it == server_info_map_.end() ||
       !map_it->second.alternative_services.has_value()) {
     return AlternativeServiceInfoVector();
@@ -774,13 +782,13 @@ HttpServerProperties::GetAlternativeServiceInfosInternal(
     if (alternative_service.host.empty()) {
       alternative_service.host = canonical->second.host();
       if (IsAlternativeServiceBroken(alternative_service,
-                                     network_isolation_key)) {
+                                     network_anonymization_key)) {
         ++it;
         continue;
       }
       alternative_service.host = origin.host();
     } else if (IsAlternativeServiceBroken(alternative_service,
-                                          network_isolation_key)) {
+                                          network_anonymization_key)) {
       ++it;
       continue;
     }
@@ -803,17 +811,17 @@ HttpServerProperties::GetAlternativeServiceInfosInternal(
 
 void HttpServerProperties::SetAlternativeServicesInternal(
     const url::SchemeHostPort& origin,
-    const net::NetworkIsolationKey& network_isolation_key,
+    const net::NetworkAnonymizationKey& network_anonymization_key,
     const AlternativeServiceInfoVector& alternative_service_info_vector) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(origin.scheme(), url::kWsScheme);
   DCHECK_NE(origin.scheme(), url::kWssScheme);
 
   if (alternative_service_info_vector.empty()) {
-    RemoveAltSvcCanonicalHost(origin, network_isolation_key);
+    RemoveAltSvcCanonicalHost(origin, network_anonymization_key);
     // Don't bother moving to front when erasing information.
     auto it = server_info_map_.Peek(
-        CreateServerInfoKey(origin, network_isolation_key));
+        CreateServerInfoKey(origin, network_anonymization_key));
 
     if (it == server_info_map_.end() ||
         !it->second.alternative_services.has_value()) {
@@ -827,7 +835,7 @@ void HttpServerProperties::SetAlternativeServicesInternal(
   }
 
   auto it = server_info_map_.GetOrPut(
-      CreateServerInfoKey(origin, network_isolation_key));
+      CreateServerInfoKey(origin, network_anonymization_key));
   bool need_update_pref = true;
   if (it->second.alternative_services.has_value()) {
     DCHECK(!it->second.empty());
@@ -864,13 +872,13 @@ void HttpServerProperties::SetAlternativeServicesInternal(
   }
 
   const bool previously_no_alternative_services =
-      (GetIteratorWithAlternativeServiceInfo(origin, network_isolation_key) ==
-       server_info_map_.end());
+      (GetIteratorWithAlternativeServiceInfo(
+           origin, network_anonymization_key) == server_info_map_.end());
 
   it->second.alternative_services = alternative_service_info_vector;
 
   if (previously_no_alternative_services &&
-      !GetAlternativeServiceInfos(origin, network_isolation_key).empty()) {
+      !GetAlternativeServiceInfos(origin, network_anonymization_key).empty()) {
     // TODO(rch): Consider the case where multiple requests are started
     // before the first completes. In this case, only one of the jobs
     // would reach this code, whereas all of them should should have.
@@ -887,7 +895,7 @@ void HttpServerProperties::SetAlternativeServicesInternal(
       url::SchemeHostPort canonical_server(kCanonicalScheme, *canonical_suffix,
                                            origin.port());
       canonical_alt_svc_map_[CreateServerInfoKey(
-          canonical_server, network_isolation_key)] = origin;
+          canonical_server, network_anonymization_key)] = origin;
     }
   }
 
@@ -897,14 +905,14 @@ void HttpServerProperties::SetAlternativeServicesInternal(
 
 void HttpServerProperties::SetServerNetworkStatsInternal(
     url::SchemeHostPort server,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ServerNetworkStats stats) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(server.scheme(), url::kWsScheme);
   DCHECK_NE(server.scheme(), url::kWssScheme);
 
   auto server_info = server_info_map_.GetOrPut(
-      CreateServerInfoKey(std::move(server), network_isolation_key));
+      CreateServerInfoKey(std::move(server), network_anonymization_key));
   bool changed = !server_info->second.server_network_stats.has_value() ||
                  server_info->second.server_network_stats.value() != stats;
 
@@ -916,9 +924,9 @@ void HttpServerProperties::SetServerNetworkStatsInternal(
 
 void HttpServerProperties::ClearServerNetworkStatsInternal(
     url::SchemeHostPort server,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   auto server_info = server_info_map_.Peek(
-      CreateServerInfoKey(std::move(server), network_isolation_key));
+      CreateServerInfoKey(std::move(server), network_anonymization_key));
   // If stats are empty, nothing to do.
   if (server_info == server_info_map_.end() ||
       !server_info->second.server_network_stats.has_value()) {
@@ -935,13 +943,13 @@ void HttpServerProperties::ClearServerNetworkStatsInternal(
 
 const ServerNetworkStats* HttpServerProperties::GetServerNetworkStatsInternal(
     url::SchemeHostPort server,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(server.scheme(), url::kWsScheme);
   DCHECK_NE(server.scheme(), url::kWssScheme);
 
   auto server_info = server_info_map_.Get(
-      CreateServerInfoKey(std::move(server), network_isolation_key));
+      CreateServerInfoKey(std::move(server), network_anonymization_key));
   if (server_info == server_info_map_.end() ||
       !server_info->second.server_network_stats.has_value()) {
     return nullptr;
@@ -952,36 +960,36 @@ const ServerNetworkStats* HttpServerProperties::GetServerNetworkStatsInternal(
 HttpServerProperties::QuicServerInfoMapKey
 HttpServerProperties::CreateQuicServerInfoKey(
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key) const {
-  return QuicServerInfoMapKey(server_id, network_isolation_key,
-                              use_network_isolation_key_);
+    const NetworkAnonymizationKey& network_anonymization_key) const {
+  return QuicServerInfoMapKey(server_id, network_anonymization_key,
+                              use_network_anonymization_key_);
 }
 
 HttpServerProperties::ServerInfoMapKey
 HttpServerProperties::CreateServerInfoKey(
     const url::SchemeHostPort& server,
-    const NetworkIsolationKey& network_isolation_key) const {
-  return ServerInfoMapKey(server, network_isolation_key,
-                          use_network_isolation_key_);
+    const NetworkAnonymizationKey& network_anonymization_key) const {
+  return ServerInfoMapKey(server, network_anonymization_key,
+                          use_network_anonymization_key_);
 }
 
 HttpServerProperties::ServerInfoMap::const_iterator
 HttpServerProperties::GetIteratorWithAlternativeServiceInfo(
     const url::SchemeHostPort& server,
-    const net::NetworkIsolationKey& network_isolation_key) {
-  ServerInfoMap::const_iterator it =
-      server_info_map_.Get(CreateServerInfoKey(server, network_isolation_key));
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
+  ServerInfoMap::const_iterator it = server_info_map_.Get(
+      CreateServerInfoKey(server, network_anonymization_key));
   if (it != server_info_map_.end() && it->second.alternative_services)
     return it;
 
-  auto canonical = GetCanonicalAltSvcHost(server, network_isolation_key);
+  auto canonical = GetCanonicalAltSvcHost(server, network_anonymization_key);
   if (canonical == canonical_alt_svc_map_.end()) {
     return server_info_map_.end();
   }
 
   const url::SchemeHostPort canonical_server = canonical->second;
   it = server_info_map_.Get(
-      CreateServerInfoKey(canonical_server, network_isolation_key));
+      CreateServerInfoKey(canonical_server, network_anonymization_key));
   if (it == server_info_map_.end() || !it->second.alternative_services)
     return server_info_map_.end();
 
@@ -993,19 +1001,19 @@ HttpServerProperties::GetIteratorWithAlternativeServiceInfo(
       alternative_service.host = canonical_server.host();
     }
     if (!IsAlternativeServiceBroken(alternative_service,
-                                    network_isolation_key)) {
+                                    network_anonymization_key)) {
       return it;
     }
   }
 
-  RemoveAltSvcCanonicalHost(canonical_server, network_isolation_key);
+  RemoveAltSvcCanonicalHost(canonical_server, network_anonymization_key);
   return server_info_map_.end();
 }
 
 HttpServerProperties::CanonicalMap::const_iterator
 HttpServerProperties::GetCanonicalAltSvcHost(
     const url::SchemeHostPort& server,
-    const net::NetworkIsolationKey& network_isolation_key) const {
+    const net::NetworkAnonymizationKey& network_anonymization_key) const {
   const char* kCanonicalScheme = "https";
   if (server.scheme() != kCanonicalScheme)
     return canonical_alt_svc_map_.end();
@@ -1017,7 +1025,7 @@ HttpServerProperties::GetCanonicalAltSvcHost(
   url::SchemeHostPort canonical_server(kCanonicalScheme, *canonical_suffix,
                                        server.port());
   return canonical_alt_svc_map_.find(
-      CreateServerInfoKey(canonical_server, network_isolation_key));
+      CreateServerInfoKey(canonical_server, network_anonymization_key));
 }
 
 HttpServerProperties::QuicCanonicalMap::const_iterator
@@ -1031,14 +1039,14 @@ HttpServerProperties::GetCanonicalServerInfoHost(
   quic::QuicServerId canonical_server_id(*canonical_suffix,
                                          key.server_id.privacy_mode_enabled(),
                                          key.server_id.port());
-  return canonical_server_info_map_.find(
-      CreateQuicServerInfoKey(canonical_server_id, key.network_isolation_key));
+  return canonical_server_info_map_.find(CreateQuicServerInfoKey(
+      canonical_server_id, key.network_anonymization_key));
 }
 
 void HttpServerProperties::RemoveAltSvcCanonicalHost(
     const url::SchemeHostPort& server,
-    const NetworkIsolationKey& network_isolation_key) {
-  auto canonical = GetCanonicalAltSvcHost(server, network_isolation_key);
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  auto canonical = GetCanonicalAltSvcHost(server, network_anonymization_key);
   if (canonical == canonical_alt_svc_map_.end())
     return;
 
@@ -1054,7 +1062,7 @@ void HttpServerProperties::UpdateCanonicalServerInfoMap(
       *suffix, key.server_id.privacy_mode_enabled(), key.server_id.port());
 
   canonical_server_info_map_[CreateQuicServerInfoKey(
-      canonical_server, key.network_isolation_key)] = key.server_id;
+      canonical_server, key.network_anonymization_key)] = key.server_id;
 }
 
 const std::string* HttpServerProperties::GetCanonicalSuffix(
@@ -1112,10 +1120,10 @@ void HttpServerProperties::OnServerInfoLoaded(
 
   // Perform a simple sanity check on loaded data, when DCHECKs are enabled.
 #if DCHECK_IS_ON()
-  if (!use_network_isolation_key_) {
+  if (!use_network_anonymization_key_) {
     for (auto server_info = server_info_map->begin();
          server_info != server_info_map->end(); ++server_info) {
-      DCHECK(server_info->first.network_isolation_key.IsEmpty());
+      DCHECK(server_info->first.network_anonymization_key.IsEmpty());
     }
   }
 #endif  // DCHECK_IS_ON()
@@ -1163,7 +1171,7 @@ void HttpServerProperties::OnServerInfoLoaded(
     ServerInfoMapKey key = CreateServerInfoKey(
         url::SchemeHostPort(kCanonicalScheme, *canonical_suffix,
                             kCanonicalPort),
-        it.first.network_isolation_key);
+        it.first.network_anonymization_key);
     // If we already have a valid canonical server, we're done.
     if (base::Contains(canonical_alt_svc_map_, key)) {
       auto key_it = server_info_map_.Peek(key);
diff --git a/chromium/net/http/http_server_properties.h b/chromium/net/http/http_server_properties.h
index e262aad6098..912b1de8f34 100644
--- a/chromium/net/http/http_server_properties.h
+++ b/chromium/net/http/http_server_properties.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -26,7 +26,7 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/http/alternative_service.h"
 #include "net/http/broken_alternative_services.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_bandwidth.h"
@@ -162,13 +162,13 @@ class NET_EXPORT HttpServerProperties
   };
 
   struct NET_EXPORT ServerInfoMapKey {
-    // If |use_network_isolation_key| is false, an empty NetworkIsolationKey is
-    // used instead of |network_isolation_key|. Note that |server| can be passed
-    // in via std::move(), since most callsites can pass a recently created
-    // SchemeHostPort.
+    // If |use_network_anonymization_key| is false, an empty
+    // NetworkAnonymizationKey is used instead of |network_anonymization_key|.
+    // Note that |server| can be passed in via std::move(), since most callsites
+    // can pass a recently created SchemeHostPort.
     ServerInfoMapKey(url::SchemeHostPort server,
-                     const NetworkIsolationKey& network_isolation_key,
-                     bool use_network_isolation_key);
+                     const NetworkAnonymizationKey& network_anonymization_key,
+                     bool use_network_anonymization_key);
     ~ServerInfoMapKey();
 
     bool operator<(const ServerInfoMapKey& other) const;
@@ -178,7 +178,7 @@ class NET_EXPORT HttpServerProperties
     // with values passed into to HttpServerProperties methods.
     url::SchemeHostPort server;
 
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
   };
 
   class NET_EXPORT ServerInfoMap
@@ -201,11 +201,12 @@ class NET_EXPORT HttpServerProperties
   };
 
   struct NET_EXPORT QuicServerInfoMapKey {
-    // If |use_network_isolation_key| is false, an empty NetworkIsolationKey is
-    // used instead of |network_isolation_key|.
-    QuicServerInfoMapKey(const quic::QuicServerId& server_id,
-                         const NetworkIsolationKey& network_isolation_key,
-                         bool use_network_isolation_key);
+    // If |use_network_anonymization_key| is false, an empty
+    // NetworkAnonymizationKey is used instead of |network_anonymization_key|.
+    QuicServerInfoMapKey(
+        const quic::QuicServerId& server_id,
+        const NetworkAnonymizationKey& network_anonymization_key,
+        bool use_network_anonymization_key);
     ~QuicServerInfoMapKey();
 
     bool operator<(const QuicServerInfoMapKey& other) const;
@@ -214,7 +215,7 @@ class NET_EXPORT HttpServerProperties
     bool operator==(const QuicServerInfoMapKey& other) const;
 
     quic::QuicServerId server_id;
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
   };
 
   // Max number of quic servers to store is not hardcoded and can be set.
@@ -250,8 +251,8 @@ class NET_EXPORT HttpServerProperties
   // disk.
   void Clear(base::OnceClosure callback);
 
-  // Returns true if |server|, in the context of |network_isolation_key|, has
-  // previously supported a network protocol which honors request
+  // Returns true if |server|, in the context of |network_anonymization_key|,
+  // has previously supported a network protocol which honors request
   // prioritization.
   //
   // Note that this also implies that the server supports request
@@ -259,47 +260,52 @@ class NET_EXPORT HttpServerProperties
   // multiple requests.
   bool SupportsRequestPriority(
       const url::SchemeHostPort& server,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Returns the value set by SetSupportsSpdy(). If not set, returns false.
-  bool GetSupportsSpdy(const url::SchemeHostPort& server,
-                       const net::NetworkIsolationKey& network_isolation_key);
+  bool GetSupportsSpdy(
+      const url::SchemeHostPort& server,
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Records whether |server| supports H2 or not. Information is restricted to
-  // the context of |network_isolation_key|, to prevent cross-site information
-  // leakage.
-  void SetSupportsSpdy(const url::SchemeHostPort& server,
-                       const net::NetworkIsolationKey& network_isolation_key,
-                       bool supports_spdy);
+  // the context of |network_anonymization_key|, to prevent cross-site
+  // information leakage.
+  void SetSupportsSpdy(
+      const url::SchemeHostPort& server,
+      const net::NetworkAnonymizationKey& network_anonymization_key,
+      bool supports_spdy);
 
   // Returns true if |server| has required HTTP/1.1 via HTTP/2 error code, in
-  // the context of |network_isolation_key|.
-  bool RequiresHTTP11(const url::SchemeHostPort& server,
-                      const net::NetworkIsolationKey& network_isolation_key);
+  // the context of |network_anonymization_key|.
+  bool RequiresHTTP11(
+      const url::SchemeHostPort& server,
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Require HTTP/1.1 on subsequent connections, in the context of
-  // |network_isolation_key|.  Not persisted.
-  void SetHTTP11Required(const url::SchemeHostPort& server,
-                         const net::NetworkIsolationKey& network_isolation_key);
+  // |network_anonymization_key|.  Not persisted.
+  void SetHTTP11Required(
+      const url::SchemeHostPort& server,
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Modify SSLConfig to force HTTP/1.1 if necessary.
-  void MaybeForceHTTP11(const url::SchemeHostPort& server,
-                        const net::NetworkIsolationKey& network_isolation_key,
-                        SSLConfig* ssl_config);
+  void MaybeForceHTTP11(
+      const url::SchemeHostPort& server,
+      const net::NetworkAnonymizationKey& network_anonymization_key,
+      SSLConfig* ssl_config);
 
   // Return all alternative services for |origin|, learned in the context of
-  // |network_isolation_key|, including broken ones. Returned alternative
+  // |network_anonymization_key|, including broken ones. Returned alternative
   // services never have empty hostnames.
   AlternativeServiceInfoVector GetAlternativeServiceInfos(
       const url::SchemeHostPort& origin,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Set a single HTTP/2 alternative service for |origin|.  Previous
   // alternative services for |origin| are discarded.
   // |alternative_service.host| may be empty.
   void SetHttp2AlternativeService(
       const url::SchemeHostPort& origin,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const AlternativeService& alternative_service,
       base::Time expiration);
 
@@ -308,56 +314,58 @@ class NET_EXPORT HttpServerProperties
   // |alternative_service.host| may be empty.
   void SetQuicAlternativeService(
       const url::SchemeHostPort& origin,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const AlternativeService& alternative_service,
       base::Time expiration,
       const quic::ParsedQuicVersionVector& advertised_versions);
 
   // Set alternative services for |origin|, learned in the context of
-  // |network_isolation_key|.  Previous alternative services for |origin| are
-  // discarded. Hostnames in |alternative_service_info_vector| may be empty.
+  // |network_anonymization_key|.  Previous alternative services for |origin|
+  // are discarded. Hostnames in |alternative_service_info_vector| may be empty.
   // |alternative_service_info_vector| may be empty.
   void SetAlternativeServices(
       const url::SchemeHostPort& origin,
-      const net::NetworkIsolationKey& network_isolation_key,
+      const net::NetworkAnonymizationKey& network_anonymization_key,
       const AlternativeServiceInfoVector& alternative_service_info_vector);
 
   // Marks |alternative_service| as broken in the context of
-  // |network_isolation_key|. |alternative_service.host| must not be empty.
+  // |network_anonymization_key|. |alternative_service.host| must not be empty.
   void MarkAlternativeServiceBroken(
       const AlternativeService& alternative_service,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Marks |alternative_service| as broken in the context of
-  // |network_isolation_key| until the default network changes.
+  // |network_anonymization_key| until the default network changes.
   // |alternative_service.host| must not be empty.
   void MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
       const AlternativeService& alternative_service,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Marks |alternative_service| as recently broken in the context of
-  // |network_isolation_key|. |alternative_service.host| must not be empty.
+  // |network_anonymization_key|. |alternative_service.host| must not be empty.
   void MarkAlternativeServiceRecentlyBroken(
       const AlternativeService& alternative_service,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Returns true iff |alternative_service| is currently broken in the context
-  // of |network_isolation_key|. |alternative_service.host| must not be empty.
+  // of |network_anonymization_key|. |alternative_service.host| must not be
+  // empty.
   bool IsAlternativeServiceBroken(
       const AlternativeService& alternative_service,
-      const net::NetworkIsolationKey& network_isolation_key) const;
+      const net::NetworkAnonymizationKey& network_anonymization_key) const;
 
   // Returns true iff |alternative_service| was recently broken in the context
-  // of |network_isolation_key|. |alternative_service.host| must not be empty.
+  // of |network_anonymization_key|. |alternative_service.host| must not be
+  // empty.
   bool WasAlternativeServiceRecentlyBroken(
       const AlternativeService& alternative_service,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Confirms that |alternative_service| is working in the context of
-  // |network_isolation_key|. |alternative_service.host| must not be empty.
+  // |network_anonymization_key|. |alternative_service.host| must not be empty.
   void ConfirmAlternativeService(
       const AlternativeService& alternative_service,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Called when the default network changes.
   // Clears all the alternative services that were marked broken until the
@@ -378,31 +386,33 @@ class NET_EXPORT HttpServerProperties
   void ClearLastLocalAddressWhenQuicWorked();
 
   // Sets |stats| for |server|.
-  void SetServerNetworkStats(const url::SchemeHostPort& server,
-                             const NetworkIsolationKey& network_isolation_key,
-                             ServerNetworkStats stats);
+  void SetServerNetworkStats(
+      const url::SchemeHostPort& server,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      ServerNetworkStats stats);
 
   // Clears any stats for |server|.
   void ClearServerNetworkStats(
       const url::SchemeHostPort& server,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Returns any stats for |server| or nullptr if there are none.
   const ServerNetworkStats* GetServerNetworkStats(
       const url::SchemeHostPort& server,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Save QuicServerInfo (in std::string form) for the given |server_id|, in the
-  // context of |network_isolation_key|.
-  void SetQuicServerInfo(const quic::QuicServerId& server_id,
-                         const NetworkIsolationKey& network_isolation_key,
-                         const std::string& server_info);
+  // context of |network_anonymization_key|.
+  void SetQuicServerInfo(
+      const quic::QuicServerId& server_id,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const std::string& server_info);
 
   // Get QuicServerInfo (in std::string form) for the given |server_id|, in the
-  // context of |network_isolation_key|.
+  // context of |network_anonymization_key|.
   const std::string* GetQuicServerInfo(
       const quic::QuicServerId& server_id,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Returns all persistent QuicServerInfo objects.
   const QuicServerInfoMap& quic_server_info_map() const;
@@ -427,7 +437,7 @@ class NET_EXPORT HttpServerProperties
   // BrokenAlternativeServices::Delegate method.
   void OnExpireBrokenAlternativeService(
       const AlternativeService& expired_alternative_service,
-      const NetworkIsolationKey& network_isolation_key) override;
+      const NetworkAnonymizationKey& network_anonymization_key) override;
 
   static base::TimeDelta GetUpdatePrefsDelayForTesting();
 
@@ -498,60 +508,60 @@ class NET_EXPORT HttpServerProperties
   // with the incorrect scheme would still be available.
   bool GetSupportsSpdyInternal(
       url::SchemeHostPort server,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
   void SetSupportsSpdyInternal(
       url::SchemeHostPort server,
-      const net::NetworkIsolationKey& network_isolation_key,
+      const net::NetworkAnonymizationKey& network_anonymization_key,
       bool supports_spdy);
   bool RequiresHTTP11Internal(
       url::SchemeHostPort server,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
   void SetHTTP11RequiredInternal(
       url::SchemeHostPort server,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
   void MaybeForceHTTP11Internal(
       url::SchemeHostPort server,
-      const net::NetworkIsolationKey& network_isolation_key,
+      const net::NetworkAnonymizationKey& network_anonymization_key,
       SSLConfig* ssl_config);
   AlternativeServiceInfoVector GetAlternativeServiceInfosInternal(
       const url::SchemeHostPort& origin,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
   void SetAlternativeServicesInternal(
       const url::SchemeHostPort& origin,
-      const net::NetworkIsolationKey& network_isolation_key,
+      const net::NetworkAnonymizationKey& network_anonymization_key,
       const AlternativeServiceInfoVector& alternative_service_info_vector);
   void SetServerNetworkStatsInternal(
       url::SchemeHostPort server,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       ServerNetworkStats stats);
   void ClearServerNetworkStatsInternal(
       url::SchemeHostPort server,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
   const ServerNetworkStats* GetServerNetworkStatsInternal(
       url::SchemeHostPort server,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Helper functions to use the passed in parameters and
-  // |use_network_isolation_key_| to create a [Quic]ServerInfoMapKey.
+  // |use_network_anonymization_key_| to create a [Quic]ServerInfoMapKey.
   ServerInfoMapKey CreateServerInfoKey(
       const url::SchemeHostPort& server,
-      const NetworkIsolationKey& network_isolation_key) const;
+      const NetworkAnonymizationKey& network_anonymization_key) const;
   QuicServerInfoMapKey CreateQuicServerInfoKey(
       const quic::QuicServerId& server_id,
-      const NetworkIsolationKey& network_isolation_key) const;
+      const NetworkAnonymizationKey& network_anonymization_key) const;
 
-  // Return the iterator for |server| in the context of |network_isolation_key|,
-  // or for its canonical host, or end. Skips over ServerInfos without
-  // |alternative_service_info| populated.
+  // Return the iterator for |server| in the context of
+  // |network_anonymization_key|, or for its canonical host, or end. Skips over
+  // ServerInfos without |alternative_service_info| populated.
   ServerInfoMap::const_iterator GetIteratorWithAlternativeServiceInfo(
       const url::SchemeHostPort& server,
-      const net::NetworkIsolationKey& network_isolation_key);
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Return the canonical host for |server|  in the context of
-  // |network_isolation_key|, or end if none exists.
+  // |network_anonymization_key|, or end if none exists.
   CanonicalMap::const_iterator GetCanonicalAltSvcHost(
       const url::SchemeHostPort& server,
-      const net::NetworkIsolationKey& network_isolation_key) const;
+      const net::NetworkAnonymizationKey& network_anonymization_key) const;
 
   // Return the canonical host with the same canonical suffix as |server|.
   // The returned canonical host can be used to search for server info in
@@ -560,10 +570,10 @@ class NET_EXPORT HttpServerProperties
       const QuicServerInfoMapKey& key) const;
 
   // Remove the canonical alt-svc host for |server| with
-  // |network_isolation_key|.
+  // |network_anonymization_key|.
   void RemoveAltSvcCanonicalHost(
       const url::SchemeHostPort& server,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Update |canonical_server_info_map_| with the new canonical host.
   // The |key| should have the corresponding server info associated with it
@@ -611,7 +621,7 @@ class NET_EXPORT HttpServerProperties
 
   // Cached value of kPartitionHttpServerPropertiesByNetworkIsolationKey
   // feature. Cached to improve performance.
-  const bool use_network_isolation_key_;
+  const bool use_network_anonymization_key_;
 
   // Set to true once initial properties have been retrieved from disk by
   // |properties_manager_|. Always true if |properties_manager_| is nullptr.
diff --git a/chromium/net/http/http_server_properties_manager.cc b/chromium/net/http/http_server_properties_manager.cc
index a383e1c7d79..7275447518a 100644
--- a/chromium/net/http/http_server_properties_manager.cc
+++ b/chromium/net/http/http_server_properties_manager.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -42,7 +42,7 @@ const int kMaxBrokenAlternativeServicesToPersist = 200;
 
 const char kServerKey[] = "server";
 const char kQuicServerIdKey[] = "server_id";
-const char kNetworkIsolationKey[] = "isolation";
+const char kNetworkAnonymizationKey[] = "anonymization";
 const char kVersionKey[] = "version";
 const char kServersKey[] = "servers";
 const char kSupportsSpdyKey[] = "supports_spdy";
@@ -73,7 +73,7 @@ AlternativeServiceInfoVector GetAlternativeServiceToPersist(
     base::Time now,
     const HttpServerPropertiesManager::GetCannonicalSuffix&
         get_canonical_suffix,
-    std::set<std::pair<std::string, NetworkIsolationKey>>*
+    std::set<std::pair<std::string, NetworkAnonymizationKey>>*
         persisted_canonical_suffix_set) {
   if (!alternative_services)
     return AlternativeServiceInfoVector();
@@ -95,8 +95,8 @@ AlternativeServiceInfoVector GetAlternativeServiceToPersist(
   if (canonical_suffix) {
     // Don't save if have already saved information associated with the same
     // canonical suffix.
-    std::pair<std::string, NetworkIsolationKey> index(
-        *canonical_suffix, server_info_key.network_isolation_key);
+    std::pair<std::string, NetworkAnonymizationKey> index(
+        *canonical_suffix, server_info_key.network_anonymization_key);
     if (persisted_canonical_suffix_set->find(index) !=
         persisted_canonical_suffix_set->end()) {
       return AlternativeServiceInfoVector();
@@ -116,18 +116,19 @@ void AddAlternativeServiceFieldsToDictionaryValue(
   dict.Set(kProtocolKey, NextProtoToString(alternative_service.protocol));
 }
 
-// Fails in the case of NetworkIsolationKeys that can't be persisted to disk,
-// like unique origins.
+// Fails in the case of NetworkAnonymizationKeys that can't be persisted to
+// disk, like unique origins.
 bool TryAddBrokenAlternativeServiceFieldsToDictionaryValue(
     const BrokenAlternativeService& broken_alt_service,
     base::Value::Dict& dict) {
-  base::Value network_isolation_key_value;
-  if (!broken_alt_service.network_isolation_key.ToValue(
-          &network_isolation_key_value)) {
+  base::Value network_anonymization_key_value;
+  if (!broken_alt_service.network_anonymization_key.ToValue(
+          &network_anonymization_key_value)) {
     return false;
   }
 
-  dict.Set(kNetworkIsolationKey, std::move(network_isolation_key_value));
+  dict.Set(kNetworkAnonymizationKey,
+           std::move(network_anonymization_key_value));
   AddAlternativeServiceFieldsToDictionaryValue(
       broken_alt_service.alternative_service, dict);
   return true;
@@ -152,30 +153,30 @@ std::string QuicServerIdToString(const quic::QuicServerId& server_id) {
 }
 
 // Takes in a base::Value::Dict, and whether NetworkIsolationKeys are enabled
-// for HttpServerProperties, and extracts the NetworkIsolationKey stored with
-// the |kNetworkIsolationKey| in the dictionary, and writes it to
-// |out_network_isolation_key|. Returns false if unable to load a
-// NetworkIsolationKey, or the NetworkIsolationKey is non-empty, but
-// |use_network_isolation_key| is false.
+// for HttpServerProperties, and extracts the NetworkAnonymizationKey stored
+// with the |kNetworkAnonymizationKey| in the dictionary, and writes it to
+// |out_network_anonymization_key|. Returns false if unable to load a
+// NetworkAnonymizationKey, or the NetworkAnonymizationKey is non-empty, but
+// |use_network_anonymization_key| is false.
 bool GetNetworkIsolationKeyFromDict(
     const base::Value::Dict& dict,
-    bool use_network_isolation_key,
-    NetworkIsolationKey* out_network_isolation_key) {
-  const base::Value* network_isolation_key_value =
-      dict.Find(kNetworkIsolationKey);
-  NetworkIsolationKey network_isolation_key;
-  if (!network_isolation_key_value ||
-      !NetworkIsolationKey::FromValue(*network_isolation_key_value,
-                                      &network_isolation_key)) {
+    bool use_network_anonymization_key,
+    NetworkAnonymizationKey* out_network_anonymization_key) {
+  const base::Value* network_anonymization_key_value =
+      dict.Find(kNetworkAnonymizationKey);
+  NetworkAnonymizationKey network_anonymization_key;
+  if (!network_anonymization_key_value ||
+      !NetworkAnonymizationKey::FromValue(*network_anonymization_key_value,
+                                          &network_anonymization_key)) {
     return false;
   }
 
   // Fail if NetworkIsolationKeys are disabled, but the entry has a non-empty
-  // NetworkIsolationKey.
-  if (!use_network_isolation_key && !network_isolation_key.IsEmpty())
+  // NetworkAnonymizationKey.
+  if (!use_network_anonymization_key && !network_anonymization_key.IsEmpty())
     return false;
 
-  *out_network_isolation_key = std::move(network_isolation_key);
+  *out_network_anonymization_key = std::move(network_anonymization_key);
   return true;
 }
 
@@ -274,7 +275,7 @@ void HttpServerPropertiesManager::ReadPrefs(
       std::make_unique<HttpServerProperties::QuicServerInfoMap>(
           max_server_configs_stored_in_properties_);
 
-  bool use_network_isolation_key = base::FeatureList::IsEnabled(
+  bool use_network_anonymization_key = base::FeatureList::IsEnabled(
       features::kPartitionHttpServerPropertiesByNetworkIsolationKey);
 
   // Iterate `servers_list` (least-recently-used item is in the front) so that
@@ -285,10 +286,11 @@ void HttpServerPropertiesManager::ReadPrefs(
       continue;
     }
     AddServerData(server_dict_value.GetDict(), server_info_map->get(),
-                  use_network_isolation_key);
+                  use_network_anonymization_key);
   }
 
-  AddToQuicServerInfoMap(http_server_properties_dict, use_network_isolation_key,
+  AddToQuicServerInfoMap(http_server_properties_dict,
+                         use_network_anonymization_key,
                          quic_server_info_map->get());
 
   // Read list containing broken and recently-broken alternative services, if
@@ -311,8 +313,8 @@ void HttpServerPropertiesManager::ReadPrefs(
         continue;
       }
       AddToBrokenAlternativeServices(
-          broken_alt_svc_entry_dict_value.GetDict(), use_network_isolation_key,
-          broken_alternative_service_list->get(),
+          broken_alt_svc_entry_dict_value.GetDict(),
+          use_network_anonymization_key, broken_alternative_service_list->get(),
           recently_broken_alternative_services->get());
     }
   }
@@ -338,7 +340,7 @@ void HttpServerPropertiesManager::ReadPrefs(
 
 void HttpServerPropertiesManager::AddToBrokenAlternativeServices(
     const base::Value::Dict& broken_alt_svc_entry_dict,
-    bool use_network_isolation_key,
+    bool use_network_anonymization_key,
     BrokenAlternativeServiceList* broken_alternative_service_list,
     RecentlyBrokenAlternativeServices* recently_broken_alternative_services) {
   AlternativeService alt_service;
@@ -348,10 +350,10 @@ void HttpServerPropertiesManager::AddToBrokenAlternativeServices(
     return;
   }
 
-  NetworkIsolationKey network_isolation_key;
+  NetworkAnonymizationKey network_anonymization_key;
   if (!GetNetworkIsolationKeyFromDict(broken_alt_svc_entry_dict,
-                                      use_network_isolation_key,
-                                      &network_isolation_key)) {
+                                      use_network_anonymization_key,
+                                      &network_anonymization_key)) {
     return;
   }
 
@@ -373,8 +375,8 @@ void HttpServerPropertiesManager::AddToBrokenAlternativeServices(
       return;
     }
     recently_broken_alternative_services->Put(
-        BrokenAlternativeService(alt_service, network_isolation_key,
-                                 use_network_isolation_key),
+        BrokenAlternativeService(alt_service, network_anonymization_key,
+                                 use_network_anonymization_key),
         broken_count.value());
     contains_broken_count_or_broken_until = true;
   }
@@ -398,8 +400,8 @@ void HttpServerPropertiesManager::AddToBrokenAlternativeServices(
         clock_->NowTicks() +
         (base::Time::FromTimeT(expiration_time_t) - base::Time::Now());
     broken_alternative_service_list->push_back(std::make_pair(
-        BrokenAlternativeService(alt_service, network_isolation_key,
-                                 use_network_isolation_key),
+        BrokenAlternativeService(alt_service, network_anonymization_key,
+                                 use_network_anonymization_key),
         expiration_time_ticks));
     contains_broken_count_or_broken_until = true;
   }
@@ -413,15 +415,15 @@ void HttpServerPropertiesManager::AddToBrokenAlternativeServices(
 void HttpServerPropertiesManager::AddServerData(
     const base::Value::Dict& server_dict,
     HttpServerProperties::ServerInfoMap* server_info_map,
-    bool use_network_isolation_key) {
+    bool use_network_anonymization_key) {
   // Get server's scheme/host/pair.
   const std::string* server_str = server_dict.FindString(kServerKey);
-  NetworkIsolationKey network_isolation_key;
+  NetworkAnonymizationKey network_anonymization_key;
   // Can't load entry if server name missing, or if the network isolation key is
   // missing or invalid.
-  if (!server_str ||
-      !GetNetworkIsolationKeyFromDict(server_dict, use_network_isolation_key,
-                                      &network_isolation_key)) {
+  if (!server_str || !GetNetworkIsolationKeyFromDict(
+                         server_dict, use_network_anonymization_key,
+                         &network_anonymization_key)) {
     return;
   }
 
@@ -440,8 +442,8 @@ void HttpServerPropertiesManager::AddServerData(
 
   if (!server_info.empty()) {
     server_info_map->Put(HttpServerProperties::ServerInfoMapKey(
-                             std::move(spdy_server), network_isolation_key,
-                             use_network_isolation_key),
+                             std::move(spdy_server), network_anonymization_key,
+                             use_network_anonymization_key),
                          std::move(server_info));
   }
 }
@@ -640,7 +642,7 @@ void HttpServerPropertiesManager::ParseNetworkStats(
 
 void HttpServerPropertiesManager::AddToQuicServerInfoMap(
     const base::Value::Dict& http_server_properties_dict,
-    bool use_network_isolation_key,
+    bool use_network_anonymization_key,
     HttpServerProperties::QuicServerInfoMap* quic_server_info_map) {
   const base::Value::List* quic_server_info_list =
       http_server_properties_dict.FindList(kQuicServers);
@@ -668,10 +670,10 @@ void HttpServerPropertiesManager::AddToQuicServerInfoMap(
       continue;
     }
 
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
     if (!GetNetworkIsolationKeyFromDict(*quic_server_info_dict,
-                                        use_network_isolation_key,
-                                        &network_isolation_key)) {
+                                        use_network_anonymization_key,
+                                        &network_anonymization_key)) {
       DVLOG(1) << "Malformed http_server_properties quic server dict: "
                << *quic_server_id_str;
       continue;
@@ -684,10 +686,10 @@ void HttpServerPropertiesManager::AddToQuicServerInfoMap(
                << *quic_server_id_str;
       continue;
     }
-    quic_server_info_map->Put(
-        HttpServerProperties::QuicServerInfoMapKey(
-            quic_server_id, network_isolation_key, use_network_isolation_key),
-        *quic_server_info);
+    quic_server_info_map->Put(HttpServerProperties::QuicServerInfoMapKey(
+                                  quic_server_id, network_anonymization_key,
+                                  use_network_anonymization_key),
+                              *quic_server_info);
   }
 }
 
@@ -706,7 +708,7 @@ void HttpServerPropertiesManager::WriteToPrefs(
   // existing prefs.
   on_prefs_loaded_callback_.Reset();
 
-  std::set<std::pair<std::string, NetworkIsolationKey>>
+  std::set<std::pair<std::string, NetworkAnonymizationKey>>
       persisted_canonical_suffix_set;
   const base::Time now = base::Time::Now();
   base::Value::Dict http_server_properties_dict;
@@ -715,11 +717,13 @@ void HttpServerPropertiesManager::WriteToPrefs(
   // |http_server_properties_dict|.
   base::Value::List servers_list;
   for (const auto& [key, server_info] : server_info_map) {
-    // If can't convert the NetworkIsolationKey to a value, don't save to disk.
-    // Generally happens because the key is for a unique origin.
-    base::Value network_isolation_key_value;
-    if (!key.network_isolation_key.ToValue(&network_isolation_key_value))
+    // If can't convert the NetworkAnonymizationKey to a value, don't save to
+    // disk. Generally happens because the key is for a unique origin.
+    base::Value network_anonymization_key_value;
+    if (!key.network_anonymization_key.ToValue(
+            &network_anonymization_key_value)) {
       continue;
+    }
 
     base::Value::Dict server_dict;
 
@@ -745,8 +749,8 @@ void HttpServerPropertiesManager::WriteToPrefs(
     if (server_dict.empty())
       continue;
     server_dict.Set(kServerKey, key.server.Serialize());
-    server_dict.Set(kNetworkIsolationKey,
-                    std::move(network_isolation_key_value));
+    server_dict.Set(kNetworkAnonymizationKey,
+                    std::move(network_anonymization_key_value));
     servers_list.Append(std::move(server_dict));
   }
   // Reverse `servers_list`. The least recently used item will be in the front.
@@ -841,16 +845,18 @@ void HttpServerPropertiesManager::SaveQuicServerInfoMapToServerPrefs(
     return;
   base::Value::List quic_servers_list;
   for (const auto& [key, server_info] : base::Reversed(quic_server_info_map)) {
-    base::Value network_isolation_key_value;
+    base::Value network_anonymization_key_value;
     // Don't save entries with ephemeral NIKs.
-    if (!key.network_isolation_key.ToValue(&network_isolation_key_value))
+    if (!key.network_anonymization_key.ToValue(
+            &network_anonymization_key_value)) {
       continue;
+    }
 
     base::Value::Dict quic_server_pref_dict;
     quic_server_pref_dict.Set(kQuicServerIdKey,
                               QuicServerIdToString(key.server_id));
-    quic_server_pref_dict.Set(kNetworkIsolationKey,
-                              std::move(network_isolation_key_value));
+    quic_server_pref_dict.Set(kNetworkAnonymizationKey,
+                              std::move(network_anonymization_key_value));
     quic_server_pref_dict.Set(kServerInfoKey, server_info);
 
     quic_servers_list.Append(std::move(quic_server_pref_dict));
@@ -927,8 +933,8 @@ void HttpServerPropertiesManager::SaveBrokenAlternativeServicesToPrefs(
     }
   }
 
-  // This can happen if all the entries are for NetworkIsolationKeys for opaque
-  // origins, which isn't exactly common, but can theoretically happen.
+  // This can happen if all the entries are for NetworkAnonymizationKeys for
+  // opaque origins, which isn't exactly common, but can theoretically happen.
   if (json_list.empty())
     return;
 
diff --git a/chromium/net/http/http_server_properties_manager.h b/chromium/net/http/http_server_properties_manager.h
index 9be5265ae9d..5412cabc947 100644
--- a/chromium/net/http/http_server_properties_manager.h
+++ b/chromium/net/http/http_server_properties_manager.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -106,7 +106,7 @@ class NET_EXPORT_PRIVATE HttpServerPropertiesManager {
   // by the time this method is called, calling this will prevent it from ever
   // being invoked, as this method will overwrite any previous preferences.
   //
-  // Entries associated with NetworkIsolationKeys for opaque origins are not
+  // Entries associated with NetworkAnonymizationKeys for opaque origins are not
   // written to disk.
   void WriteToPrefs(
       const HttpServerProperties::ServerInfoMap& server_info_map,
@@ -134,7 +134,7 @@ class NET_EXPORT_PRIVATE HttpServerPropertiesManager {
 
   void AddServerData(const base::Value::Dict& server_dict,
                      HttpServerProperties::ServerInfoMap* server_info_map,
-                     bool use_network_isolation_key);
+                     bool use_network_anonymization_key);
 
   // Helper method used for parsing an alternative service from JSON.
   // |dict| is the JSON dictionary to be parsed. It should contain fields
@@ -172,11 +172,11 @@ class NET_EXPORT_PRIVATE HttpServerPropertiesManager {
                          HttpServerProperties::ServerInfo* server_info);
   void AddToQuicServerInfoMap(
       const base::Value::Dict& server_dict,
-      bool use_network_isolation_key,
+      bool use_network_anonymization_key,
       HttpServerProperties::QuicServerInfoMap* quic_server_info_map);
   void AddToBrokenAlternativeServices(
       const base::Value::Dict& broken_alt_svc_entry_dict,
-      bool use_network_isolation_key,
+      bool use_network_anonymization_key,
       BrokenAlternativeServiceList* broken_alternative_service_list,
       RecentlyBrokenAlternativeServices* recently_broken_alternative_services);
 
diff --git a/chromium/net/http/http_server_properties_manager_unittest.cc b/chromium/net/http/http_server_properties_manager_unittest.cc
index 3ba9c9b6249..512510b2a2d 100644
--- a/chromium/net/http/http_server_properties_manager_unittest.cc
+++ b/chromium/net/http/http_server_properties_manager_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -44,25 +44,25 @@ using ::testing::Invoke;
 using ::testing::Mock;
 using ::testing::StrictMock;
 
-enum class NetworkIsolationKeyMode {
+enum class NetworkAnonymizationKeyMode {
   kDisabled,
   kEnabled,
 };
 
-const NetworkIsolationKeyMode kNetworkIsolationKeyModes[] = {
-    NetworkIsolationKeyMode::kDisabled,
-    NetworkIsolationKeyMode::kEnabled,
+const NetworkAnonymizationKeyMode kNetworkAnonymizationKeyModes[] = {
+    NetworkAnonymizationKeyMode::kDisabled,
+    NetworkAnonymizationKeyMode::kEnabled,
 };
 
-std::unique_ptr<base::test::ScopedFeatureList> SetNetworkIsolationKeyMode(
-    NetworkIsolationKeyMode mode) {
+std::unique_ptr<base::test::ScopedFeatureList> SetNetworkAnonymizationKeyMode(
+    NetworkAnonymizationKeyMode mode) {
   auto feature_list = std::make_unique<base::test::ScopedFeatureList>();
   switch (mode) {
-    case NetworkIsolationKeyMode::kDisabled:
+    case NetworkAnonymizationKeyMode::kDisabled:
       feature_list->InitAndDisableFeature(
           features::kPartitionHttpServerPropertiesByNetworkIsolationKey);
       break;
-    case NetworkIsolationKeyMode::kEnabled:
+    case NetworkAnonymizationKeyMode::kEnabled:
       feature_list->InitAndEnableFeature(
           features::kPartitionHttpServerPropertiesByNetworkIsolationKey);
       break;
@@ -269,11 +269,12 @@ class HttpServerPropertiesManagerTest : public testing::Test,
     http_server_props_.reset();
   }
 
-  bool HasAlternativeService(const url::SchemeHostPort& server,
-                             const NetworkIsolationKey& network_isolation_key) {
+  bool HasAlternativeService(
+      const url::SchemeHostPort& server,
+      const NetworkAnonymizationKey& network_anonymization_key) {
     const AlternativeServiceInfoVector alternative_service_info_vector =
-        http_server_props_->GetAlternativeServiceInfos(server,
-                                                       network_isolation_key);
+        http_server_props_->GetAlternativeServiceInfos(
+            server, network_anonymization_key);
     return !alternative_service_info_vector.empty();
   }
 
@@ -339,10 +340,10 @@ TEST_F(HttpServerPropertiesManagerTest, BadCachedHostPortPair) {
                                     google_host_port_pair.port());
 
   EXPECT_FALSE(http_server_props_->SupportsRequestPriority(
-      gooler_server, NetworkIsolationKey()));
-  EXPECT_FALSE(HasAlternativeService(gooler_server, NetworkIsolationKey()));
+      gooler_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(HasAlternativeService(gooler_server, NetworkAnonymizationKey()));
   const ServerNetworkStats* stats1 = http_server_props_->GetServerNetworkStats(
-      gooler_server, NetworkIsolationKey());
+      gooler_server, NetworkAnonymizationKey());
   EXPECT_EQ(nullptr, stats1);
   EXPECT_EQ(0u, http_server_props_->quic_server_info_map().size());
 }
@@ -376,7 +377,7 @@ TEST_F(HttpServerPropertiesManagerTest, BadCachedAltProtocolPort) {
   // Verify alternative service is not set.
   EXPECT_FALSE(
       HasAlternativeService(url::SchemeHostPort("http", "www.google.com", 80),
-                            NetworkIsolationKey()));
+                            NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesManagerTest, SupportsSpdy) {
@@ -385,11 +386,13 @@ TEST_F(HttpServerPropertiesManagerTest, SupportsSpdy) {
   // Add mail.google.com:443 as a supporting spdy server.
   url::SchemeHostPort spdy_server("https", "mail.google.com", 443);
   EXPECT_FALSE(http_server_props_->SupportsRequestPriority(
-      spdy_server, NetworkIsolationKey()));
-  http_server_props_->SetSupportsSpdy(spdy_server, NetworkIsolationKey(), true);
+      spdy_server, NetworkAnonymizationKey()));
+  http_server_props_->SetSupportsSpdy(spdy_server, NetworkAnonymizationKey(),
+                                      true);
   // Setting the value to the same thing again should not trigger another pref
   // update.
-  http_server_props_->SetSupportsSpdy(spdy_server, NetworkIsolationKey(), true);
+  http_server_props_->SetSupportsSpdy(spdy_server, NetworkAnonymizationKey(),
+                                      true);
 
   // Run the task.
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -399,12 +402,13 @@ TEST_F(HttpServerPropertiesManagerTest, SupportsSpdy) {
 
   // Setting the value to the same thing again should not trigger another pref
   // update.
-  http_server_props_->SetSupportsSpdy(spdy_server, NetworkIsolationKey(), true);
+  http_server_props_->SetSupportsSpdy(spdy_server, NetworkAnonymizationKey(),
+                                      true);
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
   EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
 
   EXPECT_TRUE(http_server_props_->SupportsRequestPriority(
-      spdy_server, NetworkIsolationKey()));
+      spdy_server, NetworkAnonymizationKey()));
 }
 
 // Regression test for crbug.com/670519. Test that there is only one pref update
@@ -419,8 +423,9 @@ TEST_F(HttpServerPropertiesManagerTest,
   // of 60ms.
   url::SchemeHostPort spdy_server("https", "mail.google.com", 443);
   EXPECT_FALSE(http_server_props_->SupportsRequestPriority(
-      spdy_server, NetworkIsolationKey()));
-  http_server_props_->SetSupportsSpdy(spdy_server, NetworkIsolationKey(), true);
+      spdy_server, NetworkAnonymizationKey()));
+  http_server_props_->SetSupportsSpdy(spdy_server, NetworkAnonymizationKey(),
+                                      true);
   // The pref update task should be scheduled.
   EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
 
@@ -431,7 +436,7 @@ TEST_F(HttpServerPropertiesManagerTest,
   // Set another spdy server to trigger another call to
   // ScheduleUpdatePrefs. There should be no new update posted.
   url::SchemeHostPort spdy_server2("https", "drive.google.com", 443);
-  http_server_props_->SetSupportsSpdy(spdy_server2, NetworkIsolationKey(),
+  http_server_props_->SetSupportsSpdy(spdy_server2, NetworkAnonymizationKey(),
                                       true);
   EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
 
@@ -442,14 +447,14 @@ TEST_F(HttpServerPropertiesManagerTest,
   EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
 
   EXPECT_TRUE(http_server_props_->SupportsRequestPriority(
-      spdy_server, NetworkIsolationKey()));
+      spdy_server, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->SupportsRequestPriority(
-      spdy_server2, NetworkIsolationKey()));
+      spdy_server2, NetworkAnonymizationKey()));
   // Set the third spdy server to trigger one more call to
   // ScheduleUpdatePrefs. A new update task should be posted now since the
   // previous one is completed.
   url::SchemeHostPort spdy_server3("https", "maps.google.com", 443);
-  http_server_props_->SetSupportsSpdy(spdy_server3, NetworkIsolationKey(),
+  http_server_props_->SetSupportsSpdy(spdy_server3, NetworkAnonymizationKey(),
                                       true);
   EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
 
@@ -463,15 +468,16 @@ TEST_F(HttpServerPropertiesManagerTest, GetAlternativeServiceInfos) {
   InitializePrefs();
 
   url::SchemeHostPort spdy_server_mail("http", "mail.google.com", 80);
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
   const AlternativeService alternative_service(kProtoHTTP2, "mail.google.com",
                                                443);
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_);
   // ExpectScheduleUpdatePrefs() should be called only once.
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_);
 
   // Run the task.
@@ -482,7 +488,7 @@ TEST_F(HttpServerPropertiesManagerTest, GetAlternativeServiceInfos) {
 
   AlternativeServiceInfoVector alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(spdy_server_mail,
-                                                     NetworkIsolationKey());
+                                                     NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service,
             alternative_service_info_vector[0].alternative_service());
@@ -492,7 +498,8 @@ TEST_F(HttpServerPropertiesManagerTest, SetAlternativeServices) {
   InitializePrefs();
 
   url::SchemeHostPort spdy_server_mail("http", "mail.google.com", 80);
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
   AlternativeServiceInfoVector alternative_service_info_vector;
   const AlternativeService alternative_service1(kProtoHTTP2, "mail.google.com",
                                                 443);
@@ -504,11 +511,13 @@ TEST_F(HttpServerPropertiesManagerTest, SetAlternativeServices) {
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service2, one_day_from_now_, advertised_versions_));
-  http_server_props_->SetAlternativeServices(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service_info_vector);
+  http_server_props_->SetAlternativeServices(spdy_server_mail,
+                                             NetworkAnonymizationKey(),
+                                             alternative_service_info_vector);
   // ExpectScheduleUpdatePrefs() should be called only once.
-  http_server_props_->SetAlternativeServices(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service_info_vector);
+  http_server_props_->SetAlternativeServices(spdy_server_mail,
+                                             NetworkAnonymizationKey(),
+                                             alternative_service_info_vector);
 
   // Run the task.
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -517,7 +526,7 @@ TEST_F(HttpServerPropertiesManagerTest, SetAlternativeServices) {
 
   AlternativeServiceInfoVector alternative_service_info_vector2 =
       http_server_props_->GetAlternativeServiceInfos(spdy_server_mail,
-                                                     NetworkIsolationKey());
+                                                     NetworkAnonymizationKey());
   ASSERT_EQ(2u, alternative_service_info_vector2.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector2[0].alternative_service());
@@ -529,16 +538,19 @@ TEST_F(HttpServerPropertiesManagerTest, SetAlternativeServicesEmpty) {
   InitializePrefs();
 
   url::SchemeHostPort spdy_server_mail("http", "mail.google.com", 80);
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
   const AlternativeService alternative_service(kProtoHTTP2, "mail.google.com",
                                                443);
-  http_server_props_->SetAlternativeServices(
-      spdy_server_mail, NetworkIsolationKey(), AlternativeServiceInfoVector());
+  http_server_props_->SetAlternativeServices(spdy_server_mail,
+                                             NetworkAnonymizationKey(),
+                                             AlternativeServiceInfoVector());
 
   EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
 
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesManagerTest, ConfirmAlternativeService) {
@@ -548,36 +560,37 @@ TEST_F(HttpServerPropertiesManagerTest, ConfirmAlternativeService) {
   AlternativeService alternative_service;
 
   spdy_server_mail = url::SchemeHostPort("http", "mail.google.com", 80);
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
   alternative_service = AlternativeService(kProtoHTTP2, "mail.google.com", 443);
 
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_);
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
 
   http_server_props_->MarkAlternativeServiceBroken(alternative_service,
-                                                   NetworkIsolationKey());
+                                                   NetworkAnonymizationKey());
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   // In addition to the pref update task, there's now a task to mark the
   // alternative service as no longer broken.
   EXPECT_EQ(2u, GetPendingMainThreadTaskCount());
 
   http_server_props_->ConfirmAlternativeService(alternative_service,
-                                                NetworkIsolationKey());
+                                                NetworkAnonymizationKey());
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   EXPECT_EQ(2u, GetPendingMainThreadTaskCount());
 
@@ -587,20 +600,21 @@ TEST_F(HttpServerPropertiesManagerTest, ConfirmAlternativeService) {
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
 
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 }
 
 // Check the case that prefs are loaded only after setting alternative service
 // info. Prefs should not be written until after the load happens.
 TEST_F(HttpServerPropertiesManagerTest, LateLoadAlternativeServiceInfo) {
   url::SchemeHostPort spdy_server_mail("http", "mail.google.com", 80);
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
   const AlternativeService alternative_service(kProtoHTTP2, "mail.google.com",
                                                443);
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_);
 
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -609,7 +623,7 @@ TEST_F(HttpServerPropertiesManagerTest, LateLoadAlternativeServiceInfo) {
 
   AlternativeServiceInfoVector alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(spdy_server_mail,
-                                                     NetworkIsolationKey());
+                                                     NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service,
             alternative_service_info_vector[0].alternative_service());
@@ -619,14 +633,14 @@ TEST_F(HttpServerPropertiesManagerTest, LateLoadAlternativeServiceInfo) {
                   true /* expect_pref_update */);
   alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(spdy_server_mail,
-                                                     NetworkIsolationKey());
+                                                     NetworkAnonymizationKey());
   EXPECT_EQ(1u, alternative_service_info_vector.size());
 
   // Updating the entry should result in a task to save prefs. Have to at least
   // double (or half) the lifetime, to ensure the change triggers a save to
   // prefs.
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_ + base::Days(2));
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
   EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
@@ -634,7 +648,7 @@ TEST_F(HttpServerPropertiesManagerTest, LateLoadAlternativeServiceInfo) {
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
   alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(spdy_server_mail,
-                                                     NetworkIsolationKey());
+                                                     NetworkAnonymizationKey());
   EXPECT_EQ(1u, alternative_service_info_vector.size());
 }
 
@@ -642,11 +656,12 @@ TEST_F(HttpServerPropertiesManagerTest, LateLoadAlternativeServiceInfo) {
 TEST_F(HttpServerPropertiesManagerTest,
        ClearPrefsBeforeLoadAlternativeServiceInfo) {
   url::SchemeHostPort spdy_server_mail("http", "mail.google.com", 80);
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
   const AlternativeService alternative_service(kProtoHTTP2, "mail.google.com",
                                                443);
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_);
 
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -656,7 +671,7 @@ TEST_F(HttpServerPropertiesManagerTest,
 
   AlternativeServiceInfoVector alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(spdy_server_mail,
-                                                     NetworkIsolationKey());
+                                                     NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service,
             alternative_service_info_vector[0].alternative_service());
@@ -675,12 +690,12 @@ TEST_F(HttpServerPropertiesManagerTest,
   EXPECT_TRUE(callback_invoked_);
   alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(spdy_server_mail,
-                                                     NetworkIsolationKey());
+                                                     NetworkAnonymizationKey());
   EXPECT_EQ(0u, alternative_service_info_vector.size());
 
   // Re-creating the entry should result in a task to save prefs.
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_);
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
   EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
@@ -688,7 +703,7 @@ TEST_F(HttpServerPropertiesManagerTest,
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
   alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(spdy_server_mail,
-                                                     NetworkIsolationKey());
+                                                     NetworkAnonymizationKey());
   EXPECT_EQ(1u, alternative_service_info_vector.size());
 }
 
@@ -700,36 +715,37 @@ TEST_F(HttpServerPropertiesManagerTest,
   AlternativeService alternative_service;
 
   spdy_server_mail = url::SchemeHostPort("http", "mail.google.com", 80);
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
   alternative_service = AlternativeService(kProtoHTTP2, "mail.google.com", 443);
 
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_);
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
 
   http_server_props_->MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   // In addition to the pref update task, there's now a task to mark the
   // alternative service as no longer broken.
   EXPECT_EQ(2u, GetPendingMainThreadTaskCount());
 
   http_server_props_->ConfirmAlternativeService(alternative_service,
-                                                NetworkIsolationKey());
+                                                NetworkAnonymizationKey());
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   EXPECT_EQ(2u, GetPendingMainThreadTaskCount());
 
@@ -739,9 +755,9 @@ TEST_F(HttpServerPropertiesManagerTest,
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
 
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesManagerTest,
@@ -752,25 +768,26 @@ TEST_F(HttpServerPropertiesManagerTest,
   AlternativeService alternative_service;
 
   spdy_server_mail = url::SchemeHostPort("http", "mail.google.com", 80);
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
   alternative_service = AlternativeService(kProtoHTTP2, "mail.google.com", 443);
 
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_);
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
 
   http_server_props_->MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   // In addition to the pref update task, there's now a task to mark the
   // alternative service as no longer broken.
@@ -778,9 +795,9 @@ TEST_F(HttpServerPropertiesManagerTest,
 
   http_server_props_->OnDefaultNetworkChanged();
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   EXPECT_EQ(2u, GetPendingMainThreadTaskCount());
 
@@ -790,9 +807,9 @@ TEST_F(HttpServerPropertiesManagerTest,
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
 
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesManagerTest, OnDefaultNetworkChangedWithBrokenOnly) {
@@ -802,25 +819,26 @@ TEST_F(HttpServerPropertiesManagerTest, OnDefaultNetworkChangedWithBrokenOnly) {
   AlternativeService alternative_service;
 
   spdy_server_mail = url::SchemeHostPort("http", "mail.google.com", 80);
-  EXPECT_FALSE(HasAlternativeService(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(spdy_server_mail, NetworkAnonymizationKey()));
   alternative_service = AlternativeService(kProtoHTTP2, "mail.google.com", 443);
 
   http_server_props_->SetHttp2AlternativeService(
-      spdy_server_mail, NetworkIsolationKey(), alternative_service,
+      spdy_server_mail, NetworkAnonymizationKey(), alternative_service,
       one_day_from_now_);
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
 
   http_server_props_->MarkAlternativeServiceBroken(alternative_service,
-                                                   NetworkIsolationKey());
+                                                   NetworkAnonymizationKey());
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   // In addition to the pref update task, there's now a task to mark the
   // alternative service as no longer broken.
@@ -828,9 +846,9 @@ TEST_F(HttpServerPropertiesManagerTest, OnDefaultNetworkChangedWithBrokenOnly) {
 
   http_server_props_->OnDefaultNetworkChanged();
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   EXPECT_EQ(2u, GetPendingMainThreadTaskCount());
 
@@ -840,9 +858,9 @@ TEST_F(HttpServerPropertiesManagerTest, OnDefaultNetworkChangedWithBrokenOnly) {
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
 
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesManagerTest, LastLocalAddressWhenQuicWorked) {
@@ -876,15 +894,15 @@ TEST_F(HttpServerPropertiesManagerTest, ServerNetworkStats) {
 
   url::SchemeHostPort mail_server("http", "mail.google.com", 80);
   const ServerNetworkStats* stats = http_server_props_->GetServerNetworkStats(
-      mail_server, NetworkIsolationKey());
+      mail_server, NetworkAnonymizationKey());
   EXPECT_EQ(nullptr, stats);
   ServerNetworkStats stats1;
   stats1.srtt = base::Microseconds(10);
-  http_server_props_->SetServerNetworkStats(mail_server, NetworkIsolationKey(),
-                                            stats1);
+  http_server_props_->SetServerNetworkStats(mail_server,
+                                            NetworkAnonymizationKey(), stats1);
   // Another task should not be scheduled.
-  http_server_props_->SetServerNetworkStats(mail_server, NetworkIsolationKey(),
-                                            stats1);
+  http_server_props_->SetServerNetworkStats(mail_server,
+                                            NetworkAnonymizationKey(), stats1);
 
   // Run the task.
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -893,17 +911,17 @@ TEST_F(HttpServerPropertiesManagerTest, ServerNetworkStats) {
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
 
   // Another task should not be scheduled.
-  http_server_props_->SetServerNetworkStats(mail_server, NetworkIsolationKey(),
-                                            stats1);
+  http_server_props_->SetServerNetworkStats(mail_server,
+                                            NetworkAnonymizationKey(), stats1);
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
   EXPECT_EQ(GetPendingMainThreadTaskCount(), 0u);
 
   const ServerNetworkStats* stats2 = http_server_props_->GetServerNetworkStats(
-      mail_server, NetworkIsolationKey());
+      mail_server, NetworkAnonymizationKey());
   EXPECT_EQ(10, stats2->srtt.ToInternalValue());
 
   http_server_props_->ClearServerNetworkStats(mail_server,
-                                              NetworkIsolationKey());
+                                              NetworkAnonymizationKey());
 
   // Run the task.
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -912,7 +930,7 @@ TEST_F(HttpServerPropertiesManagerTest, ServerNetworkStats) {
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
 
   EXPECT_EQ(nullptr, http_server_props_->GetServerNetworkStats(
-                         mail_server, NetworkIsolationKey()));
+                         mail_server, NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesManagerTest, QuicServerInfo) {
@@ -920,13 +938,13 @@ TEST_F(HttpServerPropertiesManagerTest, QuicServerInfo) {
 
   quic::QuicServerId mail_quic_server_id("mail.google.com", 80, false);
   EXPECT_EQ(nullptr, http_server_props_->GetQuicServerInfo(
-                         mail_quic_server_id, NetworkIsolationKey()));
+                         mail_quic_server_id, NetworkAnonymizationKey()));
   std::string quic_server_info1("quic_server_info1");
   http_server_props_->SetQuicServerInfo(
-      mail_quic_server_id, NetworkIsolationKey(), quic_server_info1);
+      mail_quic_server_id, NetworkAnonymizationKey(), quic_server_info1);
   // Another task should not be scheduled.
   http_server_props_->SetQuicServerInfo(
-      mail_quic_server_id, NetworkIsolationKey(), quic_server_info1);
+      mail_quic_server_id, NetworkAnonymizationKey(), quic_server_info1);
 
   // Run the task.
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -934,12 +952,13 @@ TEST_F(HttpServerPropertiesManagerTest, QuicServerInfo) {
   FastForwardUntilNoTasksRemain();
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
 
-  EXPECT_EQ(quic_server_info1, *http_server_props_->GetQuicServerInfo(
-                                   mail_quic_server_id, NetworkIsolationKey()));
+  EXPECT_EQ(quic_server_info1,
+            *http_server_props_->GetQuicServerInfo(mail_quic_server_id,
+                                                   NetworkAnonymizationKey()));
 
   // Another task should not be scheduled.
   http_server_props_->SetQuicServerInfo(
-      mail_quic_server_id, NetworkIsolationKey(), quic_server_info1);
+      mail_quic_server_id, NetworkAnonymizationKey(), quic_server_info1);
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
   EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
 }
@@ -963,20 +982,21 @@ TEST_F(HttpServerPropertiesManagerTest, Clear) {
   alt_svc_info_vector.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
           broken_alternative_service, one_day_from_now_));
-  http_server_props_->SetAlternativeServices(spdy_server, NetworkIsolationKey(),
-                                             alt_svc_info_vector);
+  http_server_props_->SetAlternativeServices(
+      spdy_server, NetworkAnonymizationKey(), alt_svc_info_vector);
 
   http_server_props_->MarkAlternativeServiceBroken(broken_alternative_service,
-                                                   NetworkIsolationKey());
-  http_server_props_->SetSupportsSpdy(spdy_server, NetworkIsolationKey(), true);
+                                                   NetworkAnonymizationKey());
+  http_server_props_->SetSupportsSpdy(spdy_server, NetworkAnonymizationKey(),
+                                      true);
   http_server_props_->SetLastLocalAddressWhenQuicWorked(actual_address);
   ServerNetworkStats stats;
   stats.srtt = base::Microseconds(10);
-  http_server_props_->SetServerNetworkStats(spdy_server, NetworkIsolationKey(),
-                                            stats);
+  http_server_props_->SetServerNetworkStats(spdy_server,
+                                            NetworkAnonymizationKey(), stats);
 
   http_server_props_->SetQuicServerInfo(
-      mail_quic_server_id, NetworkIsolationKey(), quic_server_info1);
+      mail_quic_server_id, NetworkAnonymizationKey(), quic_server_info1);
 
   // Advance time by just enough so that the prefs update task is executed but
   // not the task to expire the brokenness of |broken_alternative_service|.
@@ -985,17 +1005,18 @@ TEST_F(HttpServerPropertiesManagerTest, Clear) {
   EXPECT_EQ(1, pref_delegate_->GetAndClearNumPrefUpdates());
 
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      broken_alternative_service, NetworkIsolationKey()));
+      broken_alternative_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->SupportsRequestPriority(
-      spdy_server, NetworkIsolationKey()));
-  EXPECT_TRUE(HasAlternativeService(spdy_server, NetworkIsolationKey()));
+      spdy_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(HasAlternativeService(spdy_server, NetworkAnonymizationKey()));
   EXPECT_TRUE(
       http_server_props_->WasLastLocalAddressWhenQuicWorked(actual_address));
   const ServerNetworkStats* stats1 = http_server_props_->GetServerNetworkStats(
-      spdy_server, NetworkIsolationKey());
+      spdy_server, NetworkAnonymizationKey());
   EXPECT_EQ(10, stats1->srtt.ToInternalValue());
-  EXPECT_EQ(quic_server_info1, *http_server_props_->GetQuicServerInfo(
-                                   mail_quic_server_id, NetworkIsolationKey()));
+  EXPECT_EQ(quic_server_info1,
+            *http_server_props_->GetQuicServerInfo(mail_quic_server_id,
+                                                   NetworkAnonymizationKey()));
 
   // Clear http server data, which should instantly update prefs.
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -1012,16 +1033,16 @@ TEST_F(HttpServerPropertiesManagerTest, Clear) {
   EXPECT_TRUE(callback_invoked_);
 
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      broken_alternative_service, NetworkIsolationKey()));
+      broken_alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->SupportsRequestPriority(
-      spdy_server, NetworkIsolationKey()));
-  EXPECT_FALSE(HasAlternativeService(spdy_server, NetworkIsolationKey()));
+      spdy_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(HasAlternativeService(spdy_server, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->HasLastLocalAddressWhenQuicWorked());
   const ServerNetworkStats* stats2 = http_server_props_->GetServerNetworkStats(
-      spdy_server, NetworkIsolationKey());
+      spdy_server, NetworkAnonymizationKey());
   EXPECT_EQ(nullptr, stats2);
   EXPECT_EQ(nullptr, http_server_props_->GetQuicServerInfo(
-                         mail_quic_server_id, NetworkIsolationKey()));
+                         mail_quic_server_id, NetworkAnonymizationKey()));
 }
 
 // https://crbug.com/444956: Add 200 alternative_service servers followed by
@@ -1039,14 +1060,14 @@ TEST_F(HttpServerPropertiesManagerTest, BadLastLocalAddressWhenQuicWorked) {
     alternative_service_list.Append(std::move(alternative_service_dict));
     server_dict.Set("alternative_service", std::move(alternative_service_list));
     server_dict.Set("server", StringPrintf("https://www.google.com:%d", i));
-    server_dict.Set("isolation", base::Value(base::Value::Type::LIST));
+    server_dict.Set("anonymization", base::Value(base::Value::Type::LIST));
     servers_list.Append(std::move(server_dict));
   }
 
   // Set the server preference for http://mail.google.com server.
   base::Value::Dict server_dict2;
   server_dict2.Set("server", "https://mail.google.com");
-  server_dict2.Set("isolation", base::Value(base::Value::Type::LIST));
+  server_dict2.Set("anonymization", base::Value(base::Value::Type::LIST));
   servers_list.Append(std::move(server_dict2));
 
   base::Value http_server_properties_dict = DictWithVersion();
@@ -1068,8 +1089,8 @@ TEST_F(HttpServerPropertiesManagerTest, BadLastLocalAddressWhenQuicWorked) {
       server_gurl = GURL(StringPrintf("https://www.google.com:%d", i));
     url::SchemeHostPort server(server_gurl);
     AlternativeServiceInfoVector alternative_service_info_vector =
-        http_server_props_->GetAlternativeServiceInfos(server,
-                                                       NetworkIsolationKey());
+        http_server_props_->GetAlternativeServiceInfos(
+            server, NetworkAnonymizationKey());
     ASSERT_EQ(1u, alternative_service_info_vector.size());
     EXPECT_EQ(
         kProtoQUIC,
@@ -1104,39 +1125,41 @@ TEST_F(HttpServerPropertiesManagerTest, UpdatePrefsWithCache) {
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
           www_alternative_service2, expiration2));
-  http_server_props_->SetAlternativeServices(server_www, NetworkIsolationKey(),
-                                             alternative_service_info_vector);
+  http_server_props_->SetAlternativeServices(
+      server_www, NetworkAnonymizationKey(), alternative_service_info_vector);
 
   AlternativeService mail_alternative_service(kProtoHTTP2, "foo.google.com",
                                               444);
   base::Time expiration3 = base::Time::Max();
   http_server_props_->SetHttp2AlternativeService(
-      server_mail, NetworkIsolationKey(), mail_alternative_service,
+      server_mail, NetworkAnonymizationKey(), mail_alternative_service,
       expiration3);
 
   http_server_props_->MarkAlternativeServiceBroken(www_alternative_service2,
-                                                   NetworkIsolationKey());
+                                                   NetworkAnonymizationKey());
   http_server_props_->MarkAlternativeServiceRecentlyBroken(
-      mail_alternative_service, NetworkIsolationKey());
+      mail_alternative_service, NetworkAnonymizationKey());
 
   // #3: Set SPDY server map
-  http_server_props_->SetSupportsSpdy(server_www, NetworkIsolationKey(), false);
-  http_server_props_->SetSupportsSpdy(server_mail, NetworkIsolationKey(), true);
+  http_server_props_->SetSupportsSpdy(server_www, NetworkAnonymizationKey(),
+                                      false);
+  http_server_props_->SetSupportsSpdy(server_mail, NetworkAnonymizationKey(),
+                                      true);
   http_server_props_->SetSupportsSpdy(
       url::SchemeHostPort("http", "not_persisted.com", 80),
-      NetworkIsolationKey(), false);
+      NetworkAnonymizationKey(), false);
 
   // #4: Set ServerNetworkStats.
   ServerNetworkStats stats;
   stats.srtt = base::TimeDelta::FromInternalValue(42);
-  http_server_props_->SetServerNetworkStats(server_mail, NetworkIsolationKey(),
-                                            stats);
+  http_server_props_->SetServerNetworkStats(server_mail,
+                                            NetworkAnonymizationKey(), stats);
 
   // #5: Set quic_server_info string.
   quic::QuicServerId mail_quic_server_id("mail.google.com", 80, false);
   std::string quic_server_info1("quic_server_info1");
   http_server_props_->SetQuicServerInfo(
-      mail_quic_server_id, NetworkIsolationKey(), quic_server_info1);
+      mail_quic_server_id, NetworkAnonymizationKey(), quic_server_info1);
 
   // #6: Set SupportsQuic.
   IPAddress actual_address(127, 0, 0, 1);
@@ -1199,12 +1222,12 @@ TEST_F(HttpServerPropertiesManagerTest, UpdatePrefsWithCache) {
   const char expected_json[] =
       "{"
       "\"broken_alternative_services\":"
-      "[{\"broken_count\":1,\"host\":\"www.google.com\",\"isolation\":[],"
+      "[{\"anonymization\":[],\"broken_count\":1,\"host\":\"www.google.com\","
       "\"port\":1234,\"protocol_str\":\"h2\"},"
-      "{\"broken_count\":1,\"host\":\"foo.google.com\",\"isolation\":[],"
+      "{\"anonymization\":[],\"broken_count\":1,\"host\":\"foo.google.com\","
       "\"port\":444,\"protocol_str\":\"h2\"}],"
       "\"quic_servers\":"
-      "[{\"isolation\":[],"
+      "[{\"anonymization\":[],"
       "\"server_id\":\"https://mail.google.com:80\","
       "\"server_info\":\"quic_server_info1\"}],"
       "\"servers\":["
@@ -1213,12 +1236,12 @@ TEST_F(HttpServerPropertiesManagerTest, UpdatePrefsWithCache) {
       "\"protocol_str\":\"h2\"},"
       "{\"advertised_alpns\":[],\"expiration\":\"13758804000000000\","
       "\"host\":\"www.google.com\",\"port\":1234,\"protocol_str\":\"h2\"}],"
-      "\"isolation\":[],"
+      "\"anonymization\":[],"
       "\"server\":\"https://www.google.com:80\"},"
       "{\"alternative_service\":[{\"advertised_alpns\":[],"
       "\"expiration\":\"9223372036854775807\",\"host\":\"foo.google.com\","
       "\"port\":444,\"protocol_str\":\"h2\"}],"
-      "\"isolation\":[],"
+      "\"anonymization\":[],"
       "\"network_stats\":{\"srtt\":42},"
       "\"server\":\"https://mail.google.com:80\","
       "\"supports_spdy\":true}],"
@@ -1317,7 +1340,7 @@ TEST_F(HttpServerPropertiesManagerTest, DoNotPersistExpiredAlternativeService) {
           broken_alternative_service, time_one_day_later));
   // #1: MarkAlternativeServiceBroken().
   http_server_props_->MarkAlternativeServiceBroken(broken_alternative_service,
-                                                   NetworkIsolationKey());
+                                                   NetworkAnonymizationKey());
 
   const AlternativeService expired_alternative_service(
       kProtoHTTP2, "expired.example.com", 443);
@@ -1334,7 +1357,7 @@ TEST_F(HttpServerPropertiesManagerTest, DoNotPersistExpiredAlternativeService) {
 
   const url::SchemeHostPort server("https", "www.example.com", 443);
   // #2: SetAlternativeServices().
-  http_server_props_->SetAlternativeServices(server, NetworkIsolationKey(),
+  http_server_props_->SetAlternativeServices(server, NetworkAnonymizationKey(),
                                              alternative_service_info_vector);
 
   // |net_test_task_runner_| has a remaining pending task to expire
@@ -1361,11 +1384,11 @@ TEST_F(HttpServerPropertiesManagerTest, DoNotPersistExpiredAlternativeService) {
   ASSERT_TRUE(server_str);
   EXPECT_EQ("https://www.example.com", *server_str);
 
-  const base::Value* network_isolation_key_value =
-      server_pref_dict.GetDict().Find("isolation");
-  ASSERT_TRUE(network_isolation_key_value);
-  ASSERT_EQ(base::Value::Type::LIST, network_isolation_key_value->type());
-  EXPECT_TRUE(network_isolation_key_value->GetList().empty());
+  const base::Value* network_anonymization_key_value =
+      server_pref_dict.GetDict().Find("anonymization");
+  ASSERT_TRUE(network_anonymization_key_value);
+  ASSERT_EQ(base::Value::Type::LIST, network_anonymization_key_value->type());
+  EXPECT_TRUE(network_anonymization_key_value->GetList().empty());
 
   const base::Value::List* altsvc_list =
       server_pref_dict.GetDict().FindList("alternative_service");
@@ -1471,27 +1494,27 @@ TEST_F(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
           h2_alternative_service, expiration2));
-  http_server_props_->SetAlternativeServices(server_www, NetworkIsolationKey(),
-                                             alternative_service_info_vector);
+  http_server_props_->SetAlternativeServices(
+      server_www, NetworkAnonymizationKey(), alternative_service_info_vector);
 
   // Set another QUIC alternative service with a single advertised QUIC version.
   AlternativeService mail_alternative_service(kProtoQUIC, "foo.google.com",
                                               444);
   base::Time expiration3 = base::Time::Max();
   http_server_props_->SetQuicAlternativeService(
-      server_mail, NetworkIsolationKey(), mail_alternative_service, expiration3,
-      advertised_versions_);
+      server_mail, NetworkAnonymizationKey(), mail_alternative_service,
+      expiration3, advertised_versions_);
   // #3: Set ServerNetworkStats.
   ServerNetworkStats stats;
   stats.srtt = base::TimeDelta::FromInternalValue(42);
-  http_server_props_->SetServerNetworkStats(server_mail, NetworkIsolationKey(),
-                                            stats);
+  http_server_props_->SetServerNetworkStats(server_mail,
+                                            NetworkAnonymizationKey(), stats);
 
   // #4: Set quic_server_info string.
   quic::QuicServerId mail_quic_server_id("mail.google.com", 80, false);
   std::string quic_server_info1("quic_server_info1");
   http_server_props_->SetQuicServerInfo(
-      mail_quic_server_id, NetworkIsolationKey(), quic_server_info1);
+      mail_quic_server_id, NetworkAnonymizationKey(), quic_server_info1);
 
   // #5: Set SupportsQuic.
   IPAddress actual_address(127, 0, 0, 1);
@@ -1506,7 +1529,7 @@ TEST_F(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
   // Verify preferences with correct advertised version field.
   const char expected_json[] =
       "{\"quic_servers\":["
-      "{\"isolation\":[],"
+      "{\"anonymization\":[],"
       "\"server_id\":\"https://mail.google.com:80\","
       "\"server_info\":\"quic_server_info1\"}],"
       "\"servers\":["
@@ -1516,13 +1539,13 @@ TEST_F(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
       "\"port\":443,\"protocol_str\":\"quic\"},{\"advertised_alpns\":[],"
       "\"expiration\":\"13758804000000000\",\"host\":\"www.google.com\","
       "\"port\":1234,\"protocol_str\":\"h2\"}],"
-      "\"isolation\":[],"
+      "\"anonymization\":[],"
       "\"server\":\"https://www.google.com:80\"},"
       "{\"alternative_service\":[{"
       "\"advertised_alpns\":[\"h3\"],"
       "\"expiration\":\"9223372036854775807\","
       "\"host\":\"foo.google.com\",\"port\":444,\"protocol_str\":\"quic\"}],"
-      "\"isolation\":[],"
+      "\"anonymization\":[],"
       "\"network_stats\":{\"srtt\":42},"
       "\"server\":\"https://mail.google.com:80\"}],"
       "\"supports_quic\":{"
@@ -1605,14 +1628,14 @@ TEST_F(HttpServerPropertiesManagerTest,
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           quic_alternative_service1, expiration1, advertised_versions_));
-  http_server_props_->SetAlternativeServices(server_www, NetworkIsolationKey(),
-                                             alternative_service_info_vector);
+  http_server_props_->SetAlternativeServices(
+      server_www, NetworkAnonymizationKey(), alternative_service_info_vector);
 
   // Set quic_server_info string.
   quic::QuicServerId mail_quic_server_id("mail.google.com", 80, false);
   std::string quic_server_info1("quic_server_info1");
   http_server_props_->SetQuicServerInfo(
-      mail_quic_server_id, NetworkIsolationKey(), quic_server_info1);
+      mail_quic_server_id, NetworkAnonymizationKey(), quic_server_info1);
 
   // Set SupportsQuic.
   IPAddress actual_address(127, 0, 0, 1);
@@ -1627,7 +1650,7 @@ TEST_F(HttpServerPropertiesManagerTest,
   // Verify preferences with correct advertised version field.
   const char expected_json[] =
       "{\"quic_servers\":"
-      "[{\"isolation\":[],"
+      "[{\"anonymization\":[],"
       "\"server_id\":\"https://mail.google.com:80\","
       "\"server_info\":\"quic_server_info1\"}],"
       "\"servers\":["
@@ -1635,7 +1658,7 @@ TEST_F(HttpServerPropertiesManagerTest,
       "\"advertised_alpns\":[\"h3\"],"
       "\"expiration\":\"13756212000000000\",\"port\":443,"
       "\"protocol_str\":\"quic\"}],"
-      "\"isolation\":[],"
+      "\"anonymization\":[],"
       "\"server\":\"https://www.google.com:80\"}],"
       "\"supports_quic\":"
       "{\"address\":\"127.0.0.1\",\"used_quic\":true},\"version\":5}";
@@ -1656,8 +1679,8 @@ TEST_F(HttpServerPropertiesManagerTest,
   alternative_service_info_vector_2.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           quic_alternative_service1, expiration1, advertised_versions));
-  http_server_props_->SetAlternativeServices(server_www, NetworkIsolationKey(),
-                                             alternative_service_info_vector_2);
+  http_server_props_->SetAlternativeServices(
+      server_www, NetworkAnonymizationKey(), alternative_service_info_vector_2);
 
   // Update Prefs.
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -1668,7 +1691,7 @@ TEST_F(HttpServerPropertiesManagerTest,
   // Verify preferences updated with new advertised versions.
   const char expected_json_updated[] =
       "{\"quic_servers\":"
-      "[{\"isolation\":[],"
+      "[{\"anonymization\":[],"
       "\"server_id\":\"https://mail.google.com:80\","
       "\"server_info\":\"quic_server_info1\"}],"
       "\"servers\":["
@@ -1676,7 +1699,7 @@ TEST_F(HttpServerPropertiesManagerTest,
       "[{\"advertised_alpns\":[\"h3-Q046\",\"h3-Q043\"],"
       "\"expiration\":\"13756212000000000\",\"port\":443,"
       "\"protocol_str\":\"quic\"}],"
-      "\"isolation\":[],"
+      "\"anonymization\":[],"
       "\"server\":\"https://www.google.com:80\"}],"
       "\"supports_quic\":"
       "{\"address\":\"127.0.0.1\",\"used_quic\":true},\"version\":5}";
@@ -1692,8 +1715,8 @@ TEST_F(HttpServerPropertiesManagerTest,
   alternative_service_info_vector_3.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           quic_alternative_service1, expiration1, advertised_versions_2));
-  http_server_props_->SetAlternativeServices(server_www, NetworkIsolationKey(),
-                                             alternative_service_info_vector_3);
+  http_server_props_->SetAlternativeServices(
+      server_www, NetworkAnonymizationKey(), alternative_service_info_vector_3);
 
   // Change in version ordering causes prefs update.
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
@@ -1704,7 +1727,7 @@ TEST_F(HttpServerPropertiesManagerTest,
   // Verify preferences updated with new advertised versions.
   const char expected_json_updated2[] =
       "{\"quic_servers\":"
-      "[{\"isolation\":[],"
+      "[{\"anonymization\":[],"
       "\"server_id\":\"https://mail.google.com:80\","
       "\"server_info\":\"quic_server_info1\"}],"
       "\"servers\":["
@@ -1712,7 +1735,7 @@ TEST_F(HttpServerPropertiesManagerTest,
       "[{\"advertised_alpns\":[\"h3-Q043\",\"h3-Q046\"],"
       "\"expiration\":\"13756212000000000\",\"port\":443,"
       "\"protocol_str\":\"quic\"}],"
-      "\"isolation\":[],"
+      "\"anonymization\":[],"
       "\"server\":\"https://www.google.com:80\"}],"
       "\"supports_quic\":"
       "{\"address\":\"127.0.0.1\",\"used_quic\":true},\"version\":5}";
@@ -1728,11 +1751,11 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
                                                     "cached_rbroken", 443);
 
   http_server_props_->MarkAlternativeServiceBroken(cached_broken_service,
-                                                   NetworkIsolationKey());
+                                                   NetworkAnonymizationKey());
   http_server_props_->MarkAlternativeServiceBroken(cached_broken_service2,
-                                                   NetworkIsolationKey());
+                                                   NetworkAnonymizationKey());
   http_server_props_->MarkAlternativeServiceRecentlyBroken(
-      cached_recently_broken_service, NetworkIsolationKey());
+      cached_recently_broken_service, NetworkAnonymizationKey());
 
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
   // There should be a task to remove remove alt services from the cache of
@@ -1753,24 +1776,24 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
       "{\"broken_until\":\"" +
       expiration_str +
       "\","
-      "\"host\":\"www.google.com\",\"isolation\":[],"
+      "\"host\":\"www.google.com\",\"anonymization\":[],"
       "\"port\":1234,\"protocol_str\":\"h2\"},"
       "{\"broken_count\":2,\"broken_until\":\"" +
       expiration_str +
       "\","
-      "\"host\":\"cached_broken\",\"isolation\":[],"
+      "\"host\":\"cached_broken\",\"anonymization\":[],"
       "\"port\":443,\"protocol_str\":\"quic\"},"
       "{\"broken_count\":3,"
-      "\"host\":\"cached_rbroken\",\"isolation\":[],"
+      "\"host\":\"cached_rbroken\",\"anonymization\":[],"
       "\"port\":443,\"protocol_str\":\"quic\"}],"
       "\"quic_servers\":["
-      "{\"isolation\":[],"
+      "{\"anonymization\":[],"
       "\"server_id\":\"https://mail.google.com:80\","
       "\"server_info\":\"quic_server_info1\"}"
       "],"
       "\"servers\":["
       "{\"server\":\"https://www.google.com:80\","
-      "\"isolation\":[],"
+      "\"anonymization\":[],"
       "\"alternative_service\":["
       "{\"expiration\":\"13756212000000000\",\"port\":443,"
       "\"protocol_str\":\"h2\"},"
@@ -1779,7 +1802,7 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
       "]"
       "},"
       "{\"server\":\"https://mail.google.com:80\","
-      "\"isolation\":[],"
+      "\"anonymization\":[],"
       "\"alternative_service\":["
       "{\"expiration\":\"9223372036854775807\",\"host\":\"foo.google.com\","
       "\"port\":444,\"protocol_str\":\"h2\"}"
@@ -1812,7 +1835,7 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
   AlternativeServiceInfoVector alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(
           url::SchemeHostPort("https", "www.google.com", 80),
-          NetworkIsolationKey());
+          NetworkAnonymizationKey());
   ASSERT_EQ(2u, alternative_service_info_vector.size());
 
   EXPECT_EQ(kProtoHTTP2,
@@ -1842,7 +1865,7 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
   alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(
           url::SchemeHostPort("https", "mail.google.com", 80),
-          NetworkIsolationKey());
+          NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
 
   EXPECT_EQ(kProtoHTTP2,
@@ -1860,11 +1883,11 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
   //
   AlternativeService prefs_broken_service(kProtoHTTP2, "www.google.com", 1234);
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service, NetworkIsolationKey()));
+      cached_broken_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service2, NetworkIsolationKey()));
+      cached_broken_service2, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      prefs_broken_service, NetworkIsolationKey()));
+      prefs_broken_service, NetworkAnonymizationKey()));
 
   // Verify brokenness expiration times.
   // |cached_broken_service|'s expiration time should've been overwritten by the
@@ -1875,25 +1898,25 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
   FastForwardBy(base::Minutes(5) -
                 HttpServerProperties::GetUpdatePrefsDelayForTesting());
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service, NetworkIsolationKey()));
+      cached_broken_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service2, NetworkIsolationKey()));
+      cached_broken_service2, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      prefs_broken_service, NetworkIsolationKey()));
+      prefs_broken_service, NetworkAnonymizationKey()));
   FastForwardBy(base::Days(1));
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service, NetworkIsolationKey()));
+      cached_broken_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service2, NetworkIsolationKey()));
+      cached_broken_service2, NetworkAnonymizationKey()));
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      prefs_broken_service, NetworkIsolationKey()));
+      prefs_broken_service, NetworkAnonymizationKey()));
 
   // Now that |prefs_broken_service|'s brokenness has expired, it should've
   // been removed from the alternative services info vectors of all servers.
   alternative_service_info_vector =
       http_server_props_->GetAlternativeServiceInfos(
           url::SchemeHostPort("https", "www.google.com", 80),
-          NetworkIsolationKey());
+          NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
 
   //
@@ -1909,60 +1932,60 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
   // broken.
 
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      prefs_broken_service, NetworkIsolationKey()));
+      prefs_broken_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      cached_recently_broken_service, NetworkIsolationKey()));
+      cached_recently_broken_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      cached_broken_service, NetworkIsolationKey()));
+      cached_broken_service, NetworkAnonymizationKey()));
   EXPECT_TRUE(http_server_props_->WasAlternativeServiceRecentlyBroken(
-      cached_broken_service2, NetworkIsolationKey()));
+      cached_broken_service2, NetworkAnonymizationKey()));
   // Make sure |prefs_broken_service| has the right expiration delay when marked
   // broken. Since |prefs_broken_service| had no broken_count specified in the
   // prefs, a broken_count value of 1 should have been assumed by
   // |http_server_props_|.
   http_server_props_->MarkAlternativeServiceBroken(prefs_broken_service,
-                                                   NetworkIsolationKey());
+                                                   NetworkAnonymizationKey());
   EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
   EXPECT_NE(0u, GetPendingMainThreadTaskCount());
   FastForwardBy(base::Minutes(10) - base::TimeDelta::FromInternalValue(1));
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      prefs_broken_service, NetworkIsolationKey()));
+      prefs_broken_service, NetworkAnonymizationKey()));
   FastForwardBy(base::TimeDelta::FromInternalValue(1));
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      prefs_broken_service, NetworkIsolationKey()));
+      prefs_broken_service, NetworkAnonymizationKey()));
   // Make sure |cached_recently_broken_service| has the right expiration delay
   // when marked broken.
   http_server_props_->MarkAlternativeServiceBroken(
-      cached_recently_broken_service, NetworkIsolationKey());
+      cached_recently_broken_service, NetworkAnonymizationKey());
   EXPECT_NE(0u, GetPendingMainThreadTaskCount());
   FastForwardBy(base::Minutes(40) - base::TimeDelta::FromInternalValue(1));
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      cached_recently_broken_service, NetworkIsolationKey()));
+      cached_recently_broken_service, NetworkAnonymizationKey()));
   FastForwardBy(base::TimeDelta::FromInternalValue(1));
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      cached_recently_broken_service, NetworkIsolationKey()));
+      cached_recently_broken_service, NetworkAnonymizationKey()));
   // Make sure |cached_broken_service| has the right expiration delay when
   // marked broken.
   http_server_props_->MarkAlternativeServiceBroken(cached_broken_service,
-                                                   NetworkIsolationKey());
+                                                   NetworkAnonymizationKey());
   EXPECT_NE(0u, GetPendingMainThreadTaskCount());
   FastForwardBy(base::Minutes(20) - base::TimeDelta::FromInternalValue(1));
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service, NetworkIsolationKey()));
+      cached_broken_service, NetworkAnonymizationKey()));
   FastForwardBy(base::TimeDelta::FromInternalValue(1));
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service, NetworkIsolationKey()));
+      cached_broken_service, NetworkAnonymizationKey()));
   // Make sure |cached_broken_service2| has the right expiration delay when
   // marked broken.
   http_server_props_->MarkAlternativeServiceBroken(cached_broken_service2,
-                                                   NetworkIsolationKey());
+                                                   NetworkAnonymizationKey());
   EXPECT_NE(0u, GetPendingMainThreadTaskCount());
   FastForwardBy(base::Minutes(10) - base::TimeDelta::FromInternalValue(1));
   EXPECT_TRUE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service2, NetworkIsolationKey()));
+      cached_broken_service2, NetworkAnonymizationKey()));
   FastForwardBy(base::TimeDelta::FromInternalValue(1));
   EXPECT_FALSE(http_server_props_->IsAlternativeServiceBroken(
-      cached_broken_service2, NetworkIsolationKey()));
+      cached_broken_service2, NetworkAnonymizationKey()));
 
   //
   // Verify ServerNetworkStats.
@@ -1970,7 +1993,7 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
   const ServerNetworkStats* server_network_stats =
       http_server_props_->GetServerNetworkStats(
           url::SchemeHostPort("https", "mail.google.com", 80),
-          NetworkIsolationKey());
+          NetworkAnonymizationKey());
   EXPECT_TRUE(server_network_stats);
   EXPECT_EQ(server_network_stats->srtt, base::TimeDelta::FromInternalValue(42));
 
@@ -1978,7 +2001,8 @@ TEST_F(HttpServerPropertiesManagerTest, UpdateCacheWithPrefs) {
   // Verify QUIC server info.
   //
   const std::string* quic_server_info = http_server_props_->GetQuicServerInfo(
-      quic::QuicServerId("mail.google.com", 80, false), NetworkIsolationKey());
+      quic::QuicServerId("mail.google.com", 80, false),
+      NetworkAnonymizationKey());
   EXPECT_EQ("quic_server_info1", *quic_server_info);
 
   //
@@ -2011,17 +2035,20 @@ TEST_F(HttpServerPropertiesManagerTest, ForceHTTP11) {
 
   // Set kServer1 to support H2, but require HTTP/1.1.  Set kServer2 to only
   // require HTTP/1.1.
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->RequiresHTTP11(kServer1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->RequiresHTTP11(kServer2, NetworkIsolationKey()));
-  properties->SetSupportsSpdy(kServer1, NetworkIsolationKey(), true);
-  properties->SetHTTP11Required(kServer1, NetworkIsolationKey());
-  properties->SetHTTP11Required(kServer2, NetworkIsolationKey());
-  EXPECT_TRUE(properties->GetSupportsSpdy(kServer1, NetworkIsolationKey()));
-  EXPECT_TRUE(properties->RequiresHTTP11(kServer1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, NetworkIsolationKey()));
-  EXPECT_TRUE(properties->RequiresHTTP11(kServer2, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(properties->RequiresHTTP11(kServer1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer2, NetworkAnonymizationKey()));
+  EXPECT_FALSE(properties->RequiresHTTP11(kServer2, NetworkAnonymizationKey()));
+  properties->SetSupportsSpdy(kServer1, NetworkAnonymizationKey(), true);
+  properties->SetHTTP11Required(kServer1, NetworkAnonymizationKey());
+  properties->SetHTTP11Required(kServer2, NetworkAnonymizationKey());
+  EXPECT_TRUE(properties->GetSupportsSpdy(kServer1, NetworkAnonymizationKey()));
+  EXPECT_TRUE(properties->RequiresHTTP11(kServer1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer2, NetworkAnonymizationKey()));
+  EXPECT_TRUE(properties->RequiresHTTP11(kServer2, NetworkAnonymizationKey()));
 
   // Wait until the data's been written to prefs, and then tear down the
   // HttpServerProperties.
@@ -2035,7 +2062,7 @@ TEST_F(HttpServerPropertiesManagerTest, ForceHTTP11) {
   base::JSONWriter::Write(saved_value, &preferences_json);
   EXPECT_EQ(
       "{\"servers\":["
-      "{\"isolation\":[],"
+      "{\"anonymization\":[],"
       "\"server\":\"https://foo.test\","
       "\"supports_spdy\":true}],"
       "\"version\":5}",
@@ -2049,30 +2076,36 @@ TEST_F(HttpServerPropertiesManagerTest, ForceHTTP11) {
 
   // Before the data has loaded, set kServer1 and kServer3 as requiring
   // HTTP/1.1.
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->RequiresHTTP11(kServer1, NetworkIsolationKey()));
-  properties->SetHTTP11Required(kServer1, NetworkIsolationKey());
-  properties->SetHTTP11Required(kServer3, NetworkIsolationKey());
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer1, NetworkIsolationKey()));
-  EXPECT_TRUE(properties->RequiresHTTP11(kServer1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->RequiresHTTP11(kServer2, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer3, NetworkIsolationKey()));
-  EXPECT_TRUE(properties->RequiresHTTP11(kServer3, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(properties->RequiresHTTP11(kServer1, NetworkAnonymizationKey()));
+  properties->SetHTTP11Required(kServer1, NetworkAnonymizationKey());
+  properties->SetHTTP11Required(kServer3, NetworkAnonymizationKey());
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer1, NetworkAnonymizationKey()));
+  EXPECT_TRUE(properties->RequiresHTTP11(kServer1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer2, NetworkAnonymizationKey()));
+  EXPECT_FALSE(properties->RequiresHTTP11(kServer2, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer3, NetworkAnonymizationKey()));
+  EXPECT_TRUE(properties->RequiresHTTP11(kServer3, NetworkAnonymizationKey()));
 
   // The data loads.
   unowned_pref_delegate->InitializePrefs(saved_value);
 
   // The properties should contain a combination of the old and new data.
-  EXPECT_TRUE(properties->GetSupportsSpdy(kServer1, NetworkIsolationKey()));
-  EXPECT_TRUE(properties->RequiresHTTP11(kServer1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->RequiresHTTP11(kServer2, NetworkIsolationKey()));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer3, NetworkIsolationKey()));
-  EXPECT_TRUE(properties->RequiresHTTP11(kServer3, NetworkIsolationKey()));
+  EXPECT_TRUE(properties->GetSupportsSpdy(kServer1, NetworkAnonymizationKey()));
+  EXPECT_TRUE(properties->RequiresHTTP11(kServer1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer2, NetworkAnonymizationKey()));
+  EXPECT_FALSE(properties->RequiresHTTP11(kServer2, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer3, NetworkAnonymizationKey()));
+  EXPECT_TRUE(properties->RequiresHTTP11(kServer3, NetworkAnonymizationKey()));
 }
 
-TEST_F(HttpServerPropertiesManagerTest, NetworkIsolationKeyServerInfo) {
+TEST_F(HttpServerPropertiesManagerTest, NetworkAnonymizationKeyServerInfo) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const SchemefulSite kOpaqueSite(GURL("data:text/plain,Hello World"));
@@ -2082,85 +2115,89 @@ TEST_F(HttpServerPropertiesManagerTest, NetworkIsolationKeyServerInfo) {
   HttpServerProperties::ServerInfo server_info;
   server_info.supports_spdy = true;
 
-  for (auto save_network_isolation_key_mode : kNetworkIsolationKeyModes) {
-    SCOPED_TRACE(static_cast<int>(save_network_isolation_key_mode));
+  for (auto save_network_anonymization_key_mode :
+       kNetworkAnonymizationKeyModes) {
+    SCOPED_TRACE(static_cast<int>(save_network_anonymization_key_mode));
 
-    // Save prefs using |save_network_isolation_key_mode|.
+    // Save prefs using |save_network_anonymization_key_mode|.
     base::Value saved_value;
     {
       // Configure the the feature.
       std::unique_ptr<base::test::ScopedFeatureList> feature_list =
-          SetNetworkIsolationKeyMode(save_network_isolation_key_mode);
+          SetNetworkAnonymizationKeyMode(save_network_anonymization_key_mode);
 
       // This parameter is normally calculated by HttpServerProperties based on
       // the kPartitionHttpServerPropertiesByNetworkIsolationKey feature, but
       // this test doesn't use that class.
-      bool use_network_isolation_key =
-          save_network_isolation_key_mode != NetworkIsolationKeyMode::kDisabled;
+      bool use_network_anonymization_key =
+          save_network_anonymization_key_mode !=
+          NetworkAnonymizationKeyMode::kDisabled;
 
       HttpServerProperties::ServerInfoMap server_info_map;
 
       // Add server info entry using two origins with value of |server_info|.
-      // NetworkIsolationKey's constructor takes the state of the
-      // kAppendFrameOriginToNetworkIsolationKey feature into account, so need
-      // to make sure to call the constructor after setting up the feature
+      // NetworkAnonymizationKey's constructor takes the state of the
+      // kAppendFrameOriginToNetworkAnonymizationKey feature into account, so
+      // need to make sure to call the constructor after setting up the feature
       // above.
       HttpServerProperties::ServerInfoMapKey server_info_key(
-          kServer, NetworkIsolationKey(kSite1, kSite2),
-          use_network_isolation_key);
+          kServer, NetworkAnonymizationKey(kSite1, kSite2),
+          use_network_anonymization_key);
       server_info_map.Put(server_info_key, server_info);
 
-      // Also add an etry with an opaque origin, if |use_network_isolation_key|
-      // is true. This value should not be saved to disk, since opaque origins
-      // are only meaningful within a browsing session.
-      if (use_network_isolation_key) {
+      // Also add an etry with an opaque origin, if
+      // |use_network_anonymization_key| is true. This value should not be saved
+      // to disk, since opaque origins are only meaningful within a browsing
+      // session.
+      if (use_network_anonymization_key) {
         HttpServerProperties::ServerInfoMapKey server_info_key2(
-            kServer2, NetworkIsolationKey(kOpaqueSite, kOpaqueSite),
-            use_network_isolation_key);
+            kServer2, NetworkAnonymizationKey(kOpaqueSite, kOpaqueSite),
+            use_network_anonymization_key);
         server_info_map.Put(server_info_key2, server_info);
       }
 
       saved_value = ServerInfoMapToValue(server_info_map);
     }
 
-    for (auto load_network_isolation_key_mode : kNetworkIsolationKeyModes) {
-      SCOPED_TRACE(static_cast<int>(load_network_isolation_key_mode));
+    for (auto load_network_anonymization_key_mode :
+         kNetworkAnonymizationKeyModes) {
+      SCOPED_TRACE(static_cast<int>(load_network_anonymization_key_mode));
 
       std::unique_ptr<base::test::ScopedFeatureList> feature_list =
-          SetNetworkIsolationKeyMode(load_network_isolation_key_mode);
+          SetNetworkAnonymizationKeyMode(load_network_anonymization_key_mode);
       std::unique_ptr<HttpServerProperties::ServerInfoMap> server_info_map2 =
           ValueToServerInfoMap(saved_value);
       ASSERT_TRUE(server_info_map2);
-      if (save_network_isolation_key_mode ==
-          NetworkIsolationKeyMode::kDisabled) {
-        // If NetworkIsolationKey was disabled when saving, it was saved with an
-        // empty NetworkIsolationKey, which should always be loaded
+      if (save_network_anonymization_key_mode ==
+          NetworkAnonymizationKeyMode::kDisabled) {
+        // If NetworkAnonymizationKey was disabled when saving, it was saved
+        // with an empty NetworkAnonymizationKey, which should always be loaded
         // successfully. This is needed to continue to support consumers that
-        // don't use NetworkIsolationKeys.
+        // don't use NetworkAnonymizationKeys.
         ASSERT_EQ(1u, server_info_map2->size());
         const HttpServerProperties::ServerInfoMapKey& server_info_key2 =
             server_info_map2->begin()->first;
         const HttpServerProperties::ServerInfo& server_info2 =
             server_info_map2->begin()->second;
         EXPECT_EQ(kServer, server_info_key2.server);
-        EXPECT_EQ(NetworkIsolationKey(),
-                  server_info_key2.network_isolation_key);
+        EXPECT_EQ(NetworkAnonymizationKey(),
+                  server_info_key2.network_anonymization_key);
         EXPECT_EQ(server_info, server_info2);
-      } else if (save_network_isolation_key_mode ==
-                 load_network_isolation_key_mode) {
+      } else if (save_network_anonymization_key_mode ==
+                 load_network_anonymization_key_mode) {
         // If the save and load modes are the same, the load should succeed, and
-        // the network isolation keys should match.
+        // the network anonymization keys should match.
         ASSERT_EQ(1u, server_info_map2->size());
         const HttpServerProperties::ServerInfoMapKey& server_info_key2 =
             server_info_map2->begin()->first;
         const HttpServerProperties::ServerInfo& server_info2 =
             server_info_map2->begin()->second;
         EXPECT_EQ(kServer, server_info_key2.server);
-        EXPECT_EQ(NetworkIsolationKey(kSite1, kSite2),
-                  server_info_key2.network_isolation_key);
+        EXPECT_EQ(NetworkAnonymizationKey(kSite1, kSite2),
+                  server_info_key2.network_anonymization_key);
         EXPECT_EQ(server_info, server_info2);
       } else {
-        // Otherwise, the NetworkIsolationKey doesn't make sense with the
+        // Otherwise, the NetworkAnonymizationKey doesn't make sense with the
         // current feature values, so the ServerInfo should be discarded.
         EXPECT_EQ(0u, server_info_map2->size());
       }
@@ -2168,16 +2205,16 @@ TEST_F(HttpServerPropertiesManagerTest, NetworkIsolationKeyServerInfo) {
   }
 }
 
-// Tests a full round trip with a NetworkIsolationKey, using the
+// Tests a full round trip with a NetworkAnonymizationKey, using the
 // HttpServerProperties interface.
-TEST_F(HttpServerPropertiesManagerTest, NetworkIsolationKeyIntegration) {
+TEST_F(HttpServerPropertiesManagerTest, NetworkAnonymizationKeyIntegration) {
   const SchemefulSite kSite(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey(kSite, kSite);
   const url::SchemeHostPort kServer("https", "baz.test", 443);
 
   const SchemefulSite kOpaqueSite(GURL("data:text/plain,Hello World"));
-  const NetworkIsolationKey kOpaqueSiteNetworkIsolationKey(kOpaqueSite,
-                                                           kOpaqueSite);
+  const NetworkAnonymizationKey kOpaqueSiteNetworkAnonymizationKey(kOpaqueSite,
+                                                                   kOpaqueSite);
   const url::SchemeHostPort kServer2("https", "zab.test", 443);
 
   base::test::ScopedFeatureList feature_list;
@@ -2195,20 +2232,22 @@ TEST_F(HttpServerPropertiesManagerTest, NetworkIsolationKeyIntegration) {
   unowned_pref_delegate->InitializePrefs(
       base::Value(base::Value::Type::DICTIONARY));
 
-  // Set a values using kNetworkIsolationKey.
-  properties->SetSupportsSpdy(kServer, kNetworkIsolationKey, true);
-  EXPECT_TRUE(properties->GetSupportsSpdy(kServer, kNetworkIsolationKey));
+  // Set a values using kNetworkAnonymizationKey.
+  properties->SetSupportsSpdy(kServer, kNetworkAnonymizationKey, true);
+  EXPECT_TRUE(properties->GetSupportsSpdy(kServer, kNetworkAnonymizationKey));
   EXPECT_FALSE(
-      properties->GetSupportsSpdy(kServer, kOpaqueSiteNetworkIsolationKey));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer, NetworkIsolationKey()));
+      properties->GetSupportsSpdy(kServer, kOpaqueSiteNetworkAnonymizationKey));
+  EXPECT_FALSE(properties->GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
 
   // Opaque origins should works with HttpServerProperties, but not be persisted
   // to disk.
-  properties->SetSupportsSpdy(kServer2, kOpaqueSiteNetworkIsolationKey, true);
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, kNetworkIsolationKey));
-  EXPECT_TRUE(
-      properties->GetSupportsSpdy(kServer2, kOpaqueSiteNetworkIsolationKey));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, NetworkIsolationKey()));
+  properties->SetSupportsSpdy(kServer2, kOpaqueSiteNetworkAnonymizationKey,
+                              true);
+  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, kNetworkAnonymizationKey));
+  EXPECT_TRUE(properties->GetSupportsSpdy(kServer2,
+                                          kOpaqueSiteNetworkAnonymizationKey));
+  EXPECT_FALSE(
+      properties->GetSupportsSpdy(kServer2, NetworkAnonymizationKey()));
 
   // Wait until the data's been written to prefs, and then tear down the
   // HttpServerProperties.
@@ -2224,31 +2263,32 @@ TEST_F(HttpServerPropertiesManagerTest, NetworkIsolationKeyIntegration) {
       std::move(pref_delegate), /*net_log=*/nullptr, GetMockTickClock());
   unowned_pref_delegate->InitializePrefs(saved_value);
 
-  // The information set using kNetworkIsolationKey on the original
+  // The information set using kNetworkAnonymizationKey on the original
   // HttpServerProperties should also be set on the restored
   // HttpServerProperties.
-  EXPECT_TRUE(properties->GetSupportsSpdy(kServer, kNetworkIsolationKey));
+  EXPECT_TRUE(properties->GetSupportsSpdy(kServer, kNetworkAnonymizationKey));
   EXPECT_FALSE(
-      properties->GetSupportsSpdy(kServer, kOpaqueSiteNetworkIsolationKey));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer, NetworkIsolationKey()));
-
-  // The information set using kOpaqueSiteNetworkIsolationKey should not have
-  // been restored.
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, kNetworkIsolationKey));
+      properties->GetSupportsSpdy(kServer, kOpaqueSiteNetworkAnonymizationKey));
+  EXPECT_FALSE(properties->GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
+
+  // The information set using kOpaqueSiteNetworkAnonymizationKey should not
+  // have been restored.
+  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, kNetworkAnonymizationKey));
+  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2,
+                                           kOpaqueSiteNetworkAnonymizationKey));
   EXPECT_FALSE(
-      properties->GetSupportsSpdy(kServer2, kOpaqueSiteNetworkIsolationKey));
-  EXPECT_FALSE(properties->GetSupportsSpdy(kServer2, NetworkIsolationKey()));
+      properties->GetSupportsSpdy(kServer2, NetworkAnonymizationKey()));
 }
 
 // Tests a full round trip to prefs and back in the canonical suffix case.
-// Enable NetworkIsolationKeys, as they have some interactions with the
+// Enable NetworkAnonymizationKeys, as they have some interactions with the
 // canonical suffix logic.
 TEST_F(HttpServerPropertiesManagerTest,
-       CanonicalSuffixRoundTripWithNetworkIsolationKey) {
+       CanonicalSuffixRoundTripWithNetworkAnonymizationKey) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
   // Three servers with the same canonical suffix (".c.youtube.com").
   const url::SchemeHostPort kServer1("https", "foo.c.youtube.com", 443);
   const url::SchemeHostPort kServer2("https", "bar.c.youtube.com", 443);
@@ -2289,78 +2329,78 @@ TEST_F(HttpServerPropertiesManagerTest,
   unowned_pref_delegate->InitializePrefs(
       base::Value(base::Value::Type::DICTIONARY));
 
-  // Set alternative services for kServer1 using kNetworkIsolationKey1. That
+  // Set alternative services for kServer1 using kNetworkAnonymizationKey1. That
   // information should be retrieved when fetching information for any server
-  // with the same canonical suffix, when using kNetworkIsolationKey1.
-  properties->SetAlternativeServices(kServer1, kNetworkIsolationKey1,
+  // with the same canonical suffix, when using kNetworkAnonymizationKey1.
+  properties->SetAlternativeServices(kServer1, kNetworkAnonymizationKey1,
                                      alt_service_vector1);
   EXPECT_EQ(
-      1u,
-      properties->GetAlternativeServiceInfos(kServer1, kNetworkIsolationKey1)
-          .size());
+      1u, properties
+              ->GetAlternativeServiceInfos(kServer1, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      1u,
-      properties->GetAlternativeServiceInfos(kServer2, kNetworkIsolationKey1)
-          .size());
+      1u, properties
+              ->GetAlternativeServiceInfos(kServer2, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      1u,
-      properties->GetAlternativeServiceInfos(kServer3, kNetworkIsolationKey1)
-          .size());
+      1u, properties
+              ->GetAlternativeServiceInfos(kServer3, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      0u,
-      properties->GetAlternativeServiceInfos(kServer1, kNetworkIsolationKey2)
-          .size());
+      0u, properties
+              ->GetAlternativeServiceInfos(kServer1, kNetworkAnonymizationKey2)
+              .size());
 
   // Set different alternative services for kServer2 using
-  // kNetworkIsolationKey1. It should not affect information retrieved for
+  // kNetworkAnonymizationKey1. It should not affect information retrieved for
   // kServer1, but should for kServer2 and kServer3.
-  properties->SetAlternativeServices(kServer2, kNetworkIsolationKey1,
+  properties->SetAlternativeServices(kServer2, kNetworkAnonymizationKey1,
                                      alt_service_vector2);
   EXPECT_EQ(
-      1u,
-      properties->GetAlternativeServiceInfos(kServer1, kNetworkIsolationKey1)
-          .size());
+      1u, properties
+              ->GetAlternativeServiceInfos(kServer1, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      2u,
-      properties->GetAlternativeServiceInfos(kServer2, kNetworkIsolationKey1)
-          .size());
+      2u, properties
+              ->GetAlternativeServiceInfos(kServer2, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      2u,
-      properties->GetAlternativeServiceInfos(kServer3, kNetworkIsolationKey1)
-          .size());
+      2u, properties
+              ->GetAlternativeServiceInfos(kServer3, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      0u,
-      properties->GetAlternativeServiceInfos(kServer1, kNetworkIsolationKey2)
-          .size());
+      0u, properties
+              ->GetAlternativeServiceInfos(kServer1, kNetworkAnonymizationKey2)
+              .size());
 
-  // Set different information for kServer1 using kNetworkIsolationKey2. It
-  // should not affect information stored for kNetworkIsolationKey1.
-  properties->SetAlternativeServices(kServer1, kNetworkIsolationKey2,
+  // Set different information for kServer1 using kNetworkAnonymizationKey2. It
+  // should not affect information stored for kNetworkAnonymizationKey1.
+  properties->SetAlternativeServices(kServer1, kNetworkAnonymizationKey2,
                                      alt_service_vector3);
   EXPECT_EQ(
-      1u,
-      properties->GetAlternativeServiceInfos(kServer1, kNetworkIsolationKey1)
-          .size());
+      1u, properties
+              ->GetAlternativeServiceInfos(kServer1, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      2u,
-      properties->GetAlternativeServiceInfos(kServer2, kNetworkIsolationKey1)
-          .size());
+      2u, properties
+              ->GetAlternativeServiceInfos(kServer2, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      2u,
-      properties->GetAlternativeServiceInfos(kServer3, kNetworkIsolationKey1)
-          .size());
+      2u, properties
+              ->GetAlternativeServiceInfos(kServer3, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      3u,
-      properties->GetAlternativeServiceInfos(kServer1, kNetworkIsolationKey2)
-          .size());
+      3u, properties
+              ->GetAlternativeServiceInfos(kServer1, kNetworkAnonymizationKey2)
+              .size());
   EXPECT_EQ(
-      3u,
-      properties->GetAlternativeServiceInfos(kServer2, kNetworkIsolationKey2)
-          .size());
+      3u, properties
+              ->GetAlternativeServiceInfos(kServer2, kNetworkAnonymizationKey2)
+              .size());
   EXPECT_EQ(
-      3u,
-      properties->GetAlternativeServiceInfos(kServer3, kNetworkIsolationKey2)
-          .size());
+      3u, properties
+              ->GetAlternativeServiceInfos(kServer3, kNetworkAnonymizationKey2)
+              .size());
 
   // Wait until the data's been written to prefs, and then tear down the
   // HttpServerProperties.
@@ -2376,39 +2416,39 @@ TEST_F(HttpServerPropertiesManagerTest,
       std::move(pref_delegate), /*net_log=*/nullptr, GetMockTickClock());
   unowned_pref_delegate->InitializePrefs(saved_value);
 
-  // Only the last of the values learned for kNetworkIsolationKey1 should have
-  // been saved, and the value for kNetworkIsolationKey2 as well. The canonical
-  // suffix logic should still be respected.
+  // Only the last of the values learned for kNetworkAnonymizationKey1 should
+  // have been saved, and the value for kNetworkAnonymizationKey2 as well. The
+  // canonical suffix logic should still be respected.
   EXPECT_EQ(
-      2u,
-      properties->GetAlternativeServiceInfos(kServer1, kNetworkIsolationKey1)
-          .size());
+      2u, properties
+              ->GetAlternativeServiceInfos(kServer1, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      2u,
-      properties->GetAlternativeServiceInfos(kServer2, kNetworkIsolationKey1)
-          .size());
+      2u, properties
+              ->GetAlternativeServiceInfos(kServer2, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      2u,
-      properties->GetAlternativeServiceInfos(kServer3, kNetworkIsolationKey1)
-          .size());
+      2u, properties
+              ->GetAlternativeServiceInfos(kServer3, kNetworkAnonymizationKey1)
+              .size());
   EXPECT_EQ(
-      3u,
-      properties->GetAlternativeServiceInfos(kServer1, kNetworkIsolationKey2)
-          .size());
+      3u, properties
+              ->GetAlternativeServiceInfos(kServer1, kNetworkAnonymizationKey2)
+              .size());
   EXPECT_EQ(
-      3u,
-      properties->GetAlternativeServiceInfos(kServer2, kNetworkIsolationKey2)
-          .size());
+      3u, properties
+              ->GetAlternativeServiceInfos(kServer2, kNetworkAnonymizationKey2)
+              .size());
   EXPECT_EQ(
-      3u,
-      properties->GetAlternativeServiceInfos(kServer3, kNetworkIsolationKey2)
-          .size());
+      3u, properties
+              ->GetAlternativeServiceInfos(kServer3, kNetworkAnonymizationKey2)
+              .size());
 }
 
-// Tests a full round trip with a NetworkIsolationKey, using the
+// Tests a full round trip with a NetworkAnonymizationKey, using the
 // HttpServerProperties interface and setting alternative services as broken.
 TEST_F(HttpServerPropertiesManagerTest,
-       NetworkIsolationKeyBrokenAltServiceRoundTrip) {
+       NetworkAnonymizationKeyBrokenAltServiceRoundTrip) {
   const SchemefulSite kSite1(GURL("https://foo1.test/"));
   const SchemefulSite kSite2(GURL("https://foo2.test/"));
 
@@ -2417,20 +2457,21 @@ TEST_F(HttpServerPropertiesManagerTest,
   const AlternativeService kAlternativeService2(kProtoHTTP2,
                                                 "alt.service2.test", 443);
 
-  for (auto save_network_isolation_key_mode : kNetworkIsolationKeyModes) {
-    SCOPED_TRACE(static_cast<int>(save_network_isolation_key_mode));
+  for (auto save_network_anonymization_key_mode :
+       kNetworkAnonymizationKeyModes) {
+    SCOPED_TRACE(static_cast<int>(save_network_anonymization_key_mode));
 
-    // Save prefs using |save_network_isolation_key_mode|.
+    // Save prefs using |save_network_anonymization_key_mode|.
     base::Value saved_value;
     {
       // Configure the the feature.
       std::unique_ptr<base::test::ScopedFeatureList> feature_list =
-          SetNetworkIsolationKeyMode(save_network_isolation_key_mode);
+          SetNetworkAnonymizationKeyMode(save_network_anonymization_key_mode);
 
-      // The NetworkIsolationKey constructor checks the field trial state, so
-      // need to create the keys only after setting up the field trials.
-      const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-      const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+      // The NetworkAnonymizationKey constructor checks the field trial state,
+      // so need to create the keys only after setting up the field trials.
+      const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+      const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
       // Create and initialize an HttpServerProperties, must be done after
       // setting the feature.
@@ -2445,51 +2486,51 @@ TEST_F(HttpServerPropertiesManagerTest,
           base::Value(base::Value::Type::DICTIONARY));
 
       // Set kAlternativeService1 as broken in the context of
-      // kNetworkIsolationKey1, and kAlternativeService2 as broken in the
-      // context of the empty NetworkIsolationKey2, and recently broken in the
-      // context of the empty NetworkIsolationKey.
+      // kNetworkAnonymizationKey1, and kAlternativeService2 as broken in the
+      // context of the empty NetworkAnonymizationKey2, and recently broken in
+      // the context of the empty NetworkAnonymizationKey.
       properties->MarkAlternativeServiceBroken(kAlternativeService1,
-                                               kNetworkIsolationKey1);
-      properties->MarkAlternativeServiceRecentlyBroken(kAlternativeService2,
-                                                       NetworkIsolationKey());
+                                               kNetworkAnonymizationKey1);
+      properties->MarkAlternativeServiceRecentlyBroken(
+          kAlternativeService2, NetworkAnonymizationKey());
       properties->MarkAlternativeServiceBroken(kAlternativeService2,
-                                               kNetworkIsolationKey2);
+                                               kNetworkAnonymizationKey2);
 
       // Verify values were set.
       EXPECT_TRUE(properties->IsAlternativeServiceBroken(
-          kAlternativeService1, kNetworkIsolationKey1));
+          kAlternativeService1, kNetworkAnonymizationKey1));
       EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-          kAlternativeService1, kNetworkIsolationKey1));
-      // When NetworkIsolationKeys are disabled, kAlternativeService2 is marked
-      // as broken regardless of the values passed to NetworkIsolationKey's
-      // constructor.
-      EXPECT_EQ(
-          save_network_isolation_key_mode == NetworkIsolationKeyMode::kDisabled,
-          properties->IsAlternativeServiceBroken(kAlternativeService2,
-                                                 NetworkIsolationKey()));
+          kAlternativeService1, kNetworkAnonymizationKey1));
+      // When NetworkAnonymizationKeys are disabled, kAlternativeService2 is
+      // marked as broken regardless of the values passed to
+      // NetworkAnonymizationKey's constructor.
+      EXPECT_EQ(save_network_anonymization_key_mode ==
+                    NetworkAnonymizationKeyMode::kDisabled,
+                properties->IsAlternativeServiceBroken(
+                    kAlternativeService2, NetworkAnonymizationKey()));
       EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-          kAlternativeService2, NetworkIsolationKey()));
+          kAlternativeService2, NetworkAnonymizationKey()));
       EXPECT_TRUE(properties->IsAlternativeServiceBroken(
-          kAlternativeService2, kNetworkIsolationKey2));
+          kAlternativeService2, kNetworkAnonymizationKey2));
       EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-          kAlternativeService2, kNetworkIsolationKey2));
+          kAlternativeService2, kNetworkAnonymizationKey2));
 
-      // If NetworkIsolationKeys are enabled, there should be no
-      // cross-contamination of the NetworkIsolationKeys.
-      if (save_network_isolation_key_mode !=
-          NetworkIsolationKeyMode::kDisabled) {
+      // If NetworkAnonymizationKeys are enabled, there should be no
+      // cross-contamination of the NetworkAnonymizationKeys.
+      if (save_network_anonymization_key_mode !=
+          NetworkAnonymizationKeyMode::kDisabled) {
         EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-            kAlternativeService2, kNetworkIsolationKey1));
+            kAlternativeService2, kNetworkAnonymizationKey1));
         EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService2, kNetworkIsolationKey1));
+            kAlternativeService2, kNetworkAnonymizationKey1));
         EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-            kAlternativeService1, NetworkIsolationKey()));
+            kAlternativeService1, NetworkAnonymizationKey()));
         EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService1, NetworkIsolationKey()));
+            kAlternativeService1, NetworkAnonymizationKey()));
         EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-            kAlternativeService1, kNetworkIsolationKey2));
+            kAlternativeService1, kNetworkAnonymizationKey2));
         EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService1, kNetworkIsolationKey2));
+            kAlternativeService1, kNetworkAnonymizationKey2));
       }
 
       // Wait until the data's been written to prefs, and then create a copy of
@@ -2499,16 +2540,17 @@ TEST_F(HttpServerPropertiesManagerTest,
     }
 
     // Now try and load the data in each of the feature modes.
-    for (auto load_network_isolation_key_mode : kNetworkIsolationKeyModes) {
-      SCOPED_TRACE(static_cast<int>(load_network_isolation_key_mode));
+    for (auto load_network_anonymization_key_mode :
+         kNetworkAnonymizationKeyModes) {
+      SCOPED_TRACE(static_cast<int>(load_network_anonymization_key_mode));
 
       std::unique_ptr<base::test::ScopedFeatureList> feature_list =
-          SetNetworkIsolationKeyMode(load_network_isolation_key_mode);
+          SetNetworkAnonymizationKeyMode(load_network_anonymization_key_mode);
 
-      // The NetworkIsolationKey constructor checks the field trial state, so
-      // need to create the keys only after setting up the field trials.
-      const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-      const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+      // The NetworkAnonymizationKey constructor checks the field trial state,
+      // so need to create the keys only after setting up the field trials.
+      const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+      const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
       // Create a new HttpServerProperties, loading the data from before.
       std::unique_ptr<MockPrefDelegate> pref_delegate =
@@ -2520,95 +2562,95 @@ TEST_F(HttpServerPropertiesManagerTest,
                                                  GetMockTickClock());
       unowned_pref_delegate->InitializePrefs(saved_value);
 
-      if (save_network_isolation_key_mode ==
-          NetworkIsolationKeyMode::kDisabled) {
-        // If NetworkIsolationKey was disabled when saving, it was saved with an
-        // empty NetworkIsolationKey, which should always be loaded
+      if (save_network_anonymization_key_mode ==
+          NetworkAnonymizationKeyMode::kDisabled) {
+        // If NetworkAnonymizationKey was disabled when saving, it was saved
+        // with an empty NetworkAnonymizationKey, which should always be loaded
         // successfully. This is needed to continue to support consumers that
-        // don't use NetworkIsolationKeys.
+        // don't use NetworkAnonymizationKeys.
         EXPECT_TRUE(properties->IsAlternativeServiceBroken(
-            kAlternativeService1, NetworkIsolationKey()));
+            kAlternativeService1, NetworkAnonymizationKey()));
         EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService1, NetworkIsolationKey()));
+            kAlternativeService1, NetworkAnonymizationKey()));
         EXPECT_TRUE(properties->IsAlternativeServiceBroken(
-            kAlternativeService2, NetworkIsolationKey()));
+            kAlternativeService2, NetworkAnonymizationKey()));
         EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService2, NetworkIsolationKey()));
-      } else if (save_network_isolation_key_mode ==
-                 load_network_isolation_key_mode) {
+            kAlternativeService2, NetworkAnonymizationKey()));
+      } else if (save_network_anonymization_key_mode ==
+                 load_network_anonymization_key_mode) {
         // If the save and load modes are the same, the load should succeed, and
-        // the network isolation keys should match.
+        // the network anonymization keys should match.
         EXPECT_TRUE(properties->IsAlternativeServiceBroken(
-            kAlternativeService1, kNetworkIsolationKey1));
+            kAlternativeService1, kNetworkAnonymizationKey1));
         EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService1, kNetworkIsolationKey1));
-        // When NetworkIsolationKeys are disabled, kAlternativeService2 is
+            kAlternativeService1, kNetworkAnonymizationKey1));
+        // When NetworkAnonymizationKeys are disabled, kAlternativeService2 is
         // marked as broken regardless of the values passed to
-        // NetworkIsolationKey's constructor.
-        EXPECT_EQ(save_network_isolation_key_mode ==
-                      NetworkIsolationKeyMode::kDisabled,
+        // NetworkAnonymizationKey's constructor.
+        EXPECT_EQ(save_network_anonymization_key_mode ==
+                      NetworkAnonymizationKeyMode::kDisabled,
                   properties->IsAlternativeServiceBroken(
-                      kAlternativeService2, NetworkIsolationKey()));
+                      kAlternativeService2, NetworkAnonymizationKey()));
         EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService2, NetworkIsolationKey()));
+            kAlternativeService2, NetworkAnonymizationKey()));
         EXPECT_TRUE(properties->IsAlternativeServiceBroken(
-            kAlternativeService2, kNetworkIsolationKey2));
+            kAlternativeService2, kNetworkAnonymizationKey2));
         EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService2, kNetworkIsolationKey2));
+            kAlternativeService2, kNetworkAnonymizationKey2));
 
-        // If NetworkIsolationKeys are enabled, there should be no
-        // cross-contamination of the NetworkIsolationKeys.
-        if (save_network_isolation_key_mode !=
-            NetworkIsolationKeyMode::kDisabled) {
+        // If NetworkAnonymizationKeys are enabled, there should be no
+        // cross-contamination of the NetworkAnonymizationKeys.
+        if (save_network_anonymization_key_mode !=
+            NetworkAnonymizationKeyMode::kDisabled) {
           EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-              kAlternativeService2, kNetworkIsolationKey1));
+              kAlternativeService2, kNetworkAnonymizationKey1));
           EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-              kAlternativeService2, kNetworkIsolationKey1));
+              kAlternativeService2, kNetworkAnonymizationKey1));
           EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-              kAlternativeService1, NetworkIsolationKey()));
+              kAlternativeService1, NetworkAnonymizationKey()));
           EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-              kAlternativeService1, NetworkIsolationKey()));
+              kAlternativeService1, NetworkAnonymizationKey()));
           EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-              kAlternativeService1, kNetworkIsolationKey2));
+              kAlternativeService1, kNetworkAnonymizationKey2));
           EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-              kAlternativeService1, kNetworkIsolationKey2));
+              kAlternativeService1, kNetworkAnonymizationKey2));
         }
       } else {
-        // Otherwise, only the values set with an empty NetworkIsolationKey
+        // Otherwise, only the values set with an empty NetworkAnonymizationKey
         // should have been loaded successfully.
         EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-            kAlternativeService1, kNetworkIsolationKey1));
+            kAlternativeService1, kNetworkAnonymizationKey1));
         EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService1, kNetworkIsolationKey1));
+            kAlternativeService1, kNetworkAnonymizationKey1));
         EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-            kAlternativeService2, NetworkIsolationKey()));
+            kAlternativeService2, NetworkAnonymizationKey()));
         EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-            kAlternativeService2, NetworkIsolationKey()));
+            kAlternativeService2, NetworkAnonymizationKey()));
         EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-            kAlternativeService2, kNetworkIsolationKey2));
-        // If the load mode is NetworkIsolationKeyMode::kDisabled,
-        // kNetworkIsolationKey2 is NetworkIsolationKey().
-        EXPECT_EQ(load_network_isolation_key_mode ==
-                      NetworkIsolationKeyMode::kDisabled,
+            kAlternativeService2, kNetworkAnonymizationKey2));
+        // If the load mode is NetworkAnonymizationKeyMode::kDisabled,
+        // kNetworkAnonymizationKey2 is NetworkAnonymizationKey().
+        EXPECT_EQ(load_network_anonymization_key_mode ==
+                      NetworkAnonymizationKeyMode::kDisabled,
                   properties->WasAlternativeServiceRecentlyBroken(
-                      kAlternativeService2, kNetworkIsolationKey2));
+                      kAlternativeService2, kNetworkAnonymizationKey2));
 
-        // There should be no cross-contamination of NetworkIsolationKeys, if
-        // NetworkIsolationKeys are enabled.
-        if (load_network_isolation_key_mode !=
-            NetworkIsolationKeyMode::kDisabled) {
+        // There should be no cross-contamination of NetworkAnonymizationKeys,
+        // if NetworkAnonymizationKeys are enabled.
+        if (load_network_anonymization_key_mode !=
+            NetworkAnonymizationKeyMode::kDisabled) {
           EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-              kAlternativeService2, kNetworkIsolationKey1));
+              kAlternativeService2, kNetworkAnonymizationKey1));
           EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-              kAlternativeService2, kNetworkIsolationKey1));
+              kAlternativeService2, kNetworkAnonymizationKey1));
           EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-              kAlternativeService1, NetworkIsolationKey()));
+              kAlternativeService1, NetworkAnonymizationKey()));
           EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-              kAlternativeService1, NetworkIsolationKey()));
+              kAlternativeService1, NetworkAnonymizationKey()));
           EXPECT_FALSE(properties->IsAlternativeServiceBroken(
-              kAlternativeService1, kNetworkIsolationKey2));
+              kAlternativeService1, kNetworkAnonymizationKey2));
           EXPECT_FALSE(properties->WasAlternativeServiceRecentlyBroken(
-              kAlternativeService1, kNetworkIsolationKey2));
+              kAlternativeService1, kNetworkAnonymizationKey2));
         }
       }
     }
@@ -2617,9 +2659,10 @@ TEST_F(HttpServerPropertiesManagerTest,
 
 // Make sure broken alt services with opaque origins aren't saved.
 TEST_F(HttpServerPropertiesManagerTest,
-       NetworkIsolationKeyBrokenAltServiceOpaqueOrigin) {
+       NetworkAnonymizationKeyBrokenAltServiceOpaqueOrigin) {
   const SchemefulSite kOpaqueSite(GURL("data:text/plain,Hello World"));
-  const NetworkIsolationKey kNetworkIsolationKey(kOpaqueSite, kOpaqueSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey(kOpaqueSite,
+                                                         kOpaqueSite);
   const AlternativeService kAlternativeService(kProtoHTTP2, "alt.service1.test",
                                                443);
 
@@ -2640,13 +2683,13 @@ TEST_F(HttpServerPropertiesManagerTest,
       base::Value(base::Value::Type::DICTIONARY));
 
   properties->MarkAlternativeServiceBroken(kAlternativeService,
-                                           kNetworkIsolationKey);
+                                           kNetworkAnonymizationKey);
 
   // Verify values were set.
   EXPECT_TRUE(properties->IsAlternativeServiceBroken(kAlternativeService,
-                                                     kNetworkIsolationKey));
+                                                     kNetworkAnonymizationKey));
   EXPECT_TRUE(properties->WasAlternativeServiceRecentlyBroken(
-      kAlternativeService, kNetworkIsolationKey));
+      kAlternativeService, kNetworkAnonymizationKey));
 
   // Wait until the data's been written to prefs, and then create a copy of
   // the prefs data.
@@ -2659,10 +2702,10 @@ TEST_F(HttpServerPropertiesManagerTest,
   EXPECT_EQ("{\"servers\":[],\"version\":5}", preferences_json);
 }
 
-// Tests a full round trip with a NetworkIsolationKey, using the
+// Tests a full round trip with a NetworkAnonymizationKey, using the
 // HttpServerProperties interface and setting QuicServerInfo.
 TEST_F(HttpServerPropertiesManagerTest,
-       NetworkIsolationKeyQuicServerInfoRoundTrip) {
+       NetworkAnonymizationKeyQuicServerInfoRoundTrip) {
   const SchemefulSite kSite1(GURL("https://foo1.test/"));
   const SchemefulSite kSite2(GURL("https://foo2.test/"));
 
@@ -2675,20 +2718,21 @@ TEST_F(HttpServerPropertiesManagerTest,
   const char kQuicServerInfo2[] = "info2";
   const char kQuicServerInfo3[] = "info3";
 
-  for (auto save_network_isolation_key_mode : kNetworkIsolationKeyModes) {
-    SCOPED_TRACE(static_cast<int>(save_network_isolation_key_mode));
+  for (auto save_network_anonymization_key_mode :
+       kNetworkAnonymizationKeyModes) {
+    SCOPED_TRACE(static_cast<int>(save_network_anonymization_key_mode));
 
-    // Save prefs using |save_network_isolation_key_mode|.
+    // Save prefs using |save_network_anonymization_key_mode|.
     base::Value saved_value;
     {
       // Configure the the feature.
       std::unique_ptr<base::test::ScopedFeatureList> feature_list =
-          SetNetworkIsolationKeyMode(save_network_isolation_key_mode);
+          SetNetworkAnonymizationKeyMode(save_network_anonymization_key_mode);
 
-      // The NetworkIsolationKey constructor checks the field trial state, so
-      // need to create the keys only after setting up the field trials.
-      const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-      const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+      // The NetworkAnonymizationKey constructor checks the field trial state,
+      // so need to create the keys only after setting up the field trials.
+      const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+      const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
       // Create and initialize an HttpServerProperties, must be done after
       // setting the feature.
@@ -2703,37 +2747,37 @@ TEST_F(HttpServerPropertiesManagerTest,
           base::Value(base::Value::Type::DICTIONARY));
 
       // Set kServer1 to kQuicServerInfo1 in the context of
-      // kNetworkIsolationKey1, Set kServer2 to kQuicServerInfo2 in the context
-      // of kNetworkIsolationKey2, and kServer1 to kQuicServerInfo3 in the
-      // context of NetworkIsolationKey().
-      properties->SetQuicServerInfo(kServer1, kNetworkIsolationKey1,
+      // kNetworkAnonymizationKey1, Set kServer2 to kQuicServerInfo2 in the
+      // context of kNetworkAnonymizationKey2, and kServer1 to kQuicServerInfo3
+      // in the context of NetworkAnonymizationKey().
+      properties->SetQuicServerInfo(kServer1, kNetworkAnonymizationKey1,
                                     kQuicServerInfo1);
-      properties->SetQuicServerInfo(kServer2, kNetworkIsolationKey2,
+      properties->SetQuicServerInfo(kServer2, kNetworkAnonymizationKey2,
                                     kQuicServerInfo2);
-      properties->SetQuicServerInfo(kServer1, NetworkIsolationKey(),
+      properties->SetQuicServerInfo(kServer1, NetworkAnonymizationKey(),
                                     kQuicServerInfo3);
 
       // Verify values were set.
-      if (save_network_isolation_key_mode !=
-          NetworkIsolationKeyMode::kDisabled) {
+      if (save_network_anonymization_key_mode !=
+          NetworkAnonymizationKeyMode::kDisabled) {
         EXPECT_EQ(kQuicServerInfo1, *properties->GetQuicServerInfo(
-                                        kServer1, kNetworkIsolationKey1));
+                                        kServer1, kNetworkAnonymizationKey1));
         EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                               kServer1, kNetworkIsolationKey2));
+                               kServer1, kNetworkAnonymizationKey2));
         EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
-                                        kServer1, NetworkIsolationKey()));
+                                        kServer1, NetworkAnonymizationKey()));
 
         EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                               kServer2, kNetworkIsolationKey1));
+                               kServer2, kNetworkAnonymizationKey1));
         EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
-                                        kServer2, kNetworkIsolationKey2));
+                                        kServer2, kNetworkAnonymizationKey2));
         EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                               kServer2, NetworkIsolationKey()));
+                               kServer2, NetworkAnonymizationKey()));
       } else {
         EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
-                                        kServer1, NetworkIsolationKey()));
+                                        kServer1, NetworkAnonymizationKey()));
         EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
-                                        kServer2, NetworkIsolationKey()));
+                                        kServer2, NetworkAnonymizationKey()));
       }
 
       // Wait until the data's been written to prefs, and then create a copy of
@@ -2743,16 +2787,17 @@ TEST_F(HttpServerPropertiesManagerTest,
     }
 
     // Now try and load the data in each of the feature modes.
-    for (auto load_network_isolation_key_mode : kNetworkIsolationKeyModes) {
-      SCOPED_TRACE(static_cast<int>(load_network_isolation_key_mode));
+    for (auto load_network_anonymization_key_mode :
+         kNetworkAnonymizationKeyModes) {
+      SCOPED_TRACE(static_cast<int>(load_network_anonymization_key_mode));
 
       std::unique_ptr<base::test::ScopedFeatureList> feature_list =
-          SetNetworkIsolationKeyMode(load_network_isolation_key_mode);
+          SetNetworkAnonymizationKeyMode(load_network_anonymization_key_mode);
 
-      // The NetworkIsolationKey constructor checks the field trial state, so
-      // need to create the keys only after setting up the field trials.
-      const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-      const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+      // The NetworkAnonymizationKey constructor checks the field trial state,
+      // so need to create the keys only after setting up the field trials.
+      const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+      const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
       // Create a new HttpServerProperties, loading the data from before.
       std::unique_ptr<MockPrefDelegate> pref_delegate =
@@ -2764,66 +2809,66 @@ TEST_F(HttpServerPropertiesManagerTest,
                                                  GetMockTickClock());
       unowned_pref_delegate->InitializePrefs(saved_value);
 
-      if (save_network_isolation_key_mode ==
-          NetworkIsolationKeyMode::kDisabled) {
-        // If NetworkIsolationKey was disabled when saving, entries were saved
-        // with an empty NetworkIsolationKey, which should always be loaded
-        // successfully. This is needed to continue to support consumers that
-        // don't use NetworkIsolationKeys.
+      if (save_network_anonymization_key_mode ==
+          NetworkAnonymizationKeyMode::kDisabled) {
+        // If NetworkAnonymizationKey was disabled when saving, entries were
+        // saved with an empty NetworkAnonymizationKey, which should always be
+        // loaded successfully. This is needed to continue to support consumers
+        // that don't use NetworkAnonymizationKeys.
         EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
-                                        kServer1, NetworkIsolationKey()));
+                                        kServer1, NetworkAnonymizationKey()));
         EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
-                                        kServer2, NetworkIsolationKey()));
-        if (load_network_isolation_key_mode !=
-            NetworkIsolationKeyMode::kDisabled) {
+                                        kServer2, NetworkAnonymizationKey()));
+        if (load_network_anonymization_key_mode !=
+            NetworkAnonymizationKeyMode::kDisabled) {
           EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                                 kServer1, kNetworkIsolationKey1));
+                                 kServer1, kNetworkAnonymizationKey1));
           EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                                 kServer1, kNetworkIsolationKey2));
+                                 kServer1, kNetworkAnonymizationKey2));
 
           EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                                 kServer2, kNetworkIsolationKey1));
+                                 kServer2, kNetworkAnonymizationKey1));
           EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                                 kServer2, kNetworkIsolationKey2));
+                                 kServer2, kNetworkAnonymizationKey2));
         }
-      } else if (save_network_isolation_key_mode ==
-                 load_network_isolation_key_mode) {
+      } else if (save_network_anonymization_key_mode ==
+                 load_network_anonymization_key_mode) {
         // If the save and load modes are the same, the load should succeed, and
-        // the network isolation keys should match.
+        // the network anonymization keys should match.
         EXPECT_EQ(kQuicServerInfo1, *properties->GetQuicServerInfo(
-                                        kServer1, kNetworkIsolationKey1));
+                                        kServer1, kNetworkAnonymizationKey1));
         EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                               kServer1, kNetworkIsolationKey2));
+                               kServer1, kNetworkAnonymizationKey2));
         EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
-                                        kServer1, NetworkIsolationKey()));
+                                        kServer1, NetworkAnonymizationKey()));
 
         EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                               kServer2, kNetworkIsolationKey1));
+                               kServer2, kNetworkAnonymizationKey1));
         EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
-                                        kServer2, kNetworkIsolationKey2));
+                                        kServer2, kNetworkAnonymizationKey2));
         EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                               kServer2, NetworkIsolationKey()));
+                               kServer2, NetworkAnonymizationKey()));
       } else {
-        // Otherwise, only the value set with an empty NetworkIsolationKey
+        // Otherwise, only the value set with an empty NetworkAnonymizationKey
         // should have been loaded successfully.
         EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
-                                        kServer1, NetworkIsolationKey()));
+                                        kServer1, NetworkAnonymizationKey()));
 
         EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                               kServer2, kNetworkIsolationKey1));
+                               kServer2, kNetworkAnonymizationKey1));
         EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                               kServer2, kNetworkIsolationKey2));
+                               kServer2, kNetworkAnonymizationKey2));
         EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                               kServer2, NetworkIsolationKey()));
+                               kServer2, NetworkAnonymizationKey()));
 
-        // There should be no cross-contamination of NetworkIsolationKeys, if
-        // NetworkIsolationKeys are enabled.
-        if (load_network_isolation_key_mode !=
-            NetworkIsolationKeyMode::kDisabled) {
+        // There should be no cross-contamination of NetworkAnonymizationKeys,
+        // if NetworkAnonymizationKeys are enabled.
+        if (load_network_anonymization_key_mode !=
+            NetworkAnonymizationKeyMode::kDisabled) {
           EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                                 kServer1, kNetworkIsolationKey1));
+                                 kServer1, kNetworkAnonymizationKey1));
           EXPECT_EQ(nullptr, properties->GetQuicServerInfo(
-                                 kServer1, kNetworkIsolationKey2));
+                                 kServer1, kNetworkAnonymizationKey2));
         }
       }
     }
@@ -2831,14 +2876,14 @@ TEST_F(HttpServerPropertiesManagerTest,
 }
 
 // Tests a full round trip to prefs and back in the canonical suffix for
-// QuicServerInfo case. Enable NetworkIsolationKeys, as they have some
+// QuicServerInfo case. Enable NetworkAnonymizationKeys, as they have some
 // interactions with the canonical suffix logic.
 TEST_F(HttpServerPropertiesManagerTest,
-       NetworkIsolationKeyQuicServerInfoCanonicalSuffixRoundTrip) {
+       NetworkAnonymizationKeyQuicServerInfoCanonicalSuffixRoundTrip) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   // Three servers with the same canonical suffix (".c.youtube.com").
   const quic::QuicServerId kServer1("foo.c.youtube.com", 443,
@@ -2867,48 +2912,50 @@ TEST_F(HttpServerPropertiesManagerTest,
   unowned_pref_delegate->InitializePrefs(
       base::Value(base::Value::Type::DICTIONARY));
 
-  // Set kQuicServerInfo1 for kServer1 using kNetworkIsolationKey1. That
+  // Set kQuicServerInfo1 for kServer1 using kNetworkAnonymizationKey1. That
   // information should be retrieved when fetching information for any server
-  // with the same canonical suffix, when using kNetworkIsolationKey1.
-  properties->SetQuicServerInfo(kServer1, kNetworkIsolationKey1,
+  // with the same canonical suffix, when using kNetworkAnonymizationKey1.
+  properties->SetQuicServerInfo(kServer1, kNetworkAnonymizationKey1,
                                 kQuicServerInfo1);
-  EXPECT_EQ(kQuicServerInfo1,
-            *properties->GetQuicServerInfo(kServer1, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo1,
-            *properties->GetQuicServerInfo(kServer2, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo1,
-            *properties->GetQuicServerInfo(kServer3, kNetworkIsolationKey1));
-  EXPECT_FALSE(properties->GetQuicServerInfo(kServer1, kNetworkIsolationKey2));
-
-  // Set kQuicServerInfo2 for kServer2 using kNetworkIsolationKey1. It should
-  // not affect information retrieved for kServer1, but should for kServer2 and
-  // kServer3.
-  properties->SetQuicServerInfo(kServer2, kNetworkIsolationKey1,
+  EXPECT_EQ(kQuicServerInfo1, *properties->GetQuicServerInfo(
+                                  kServer1, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo1, *properties->GetQuicServerInfo(
+                                  kServer2, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo1, *properties->GetQuicServerInfo(
+                                  kServer3, kNetworkAnonymizationKey1));
+  EXPECT_FALSE(
+      properties->GetQuicServerInfo(kServer1, kNetworkAnonymizationKey2));
+
+  // Set kQuicServerInfo2 for kServer2 using kNetworkAnonymizationKey1. It
+  // should not affect information retrieved for kServer1, but should for
+  // kServer2 and kServer3.
+  properties->SetQuicServerInfo(kServer2, kNetworkAnonymizationKey1,
                                 kQuicServerInfo2);
-  EXPECT_EQ(kQuicServerInfo1,
-            *properties->GetQuicServerInfo(kServer1, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo2,
-            *properties->GetQuicServerInfo(kServer2, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo2,
-            *properties->GetQuicServerInfo(kServer3, kNetworkIsolationKey1));
-  EXPECT_FALSE(properties->GetQuicServerInfo(kServer1, kNetworkIsolationKey2));
-
-  // Set kQuicServerInfo3 for kServer1 using kNetworkIsolationKey2. It should
-  // not affect information stored for kNetworkIsolationKey1.
-  properties->SetQuicServerInfo(kServer1, kNetworkIsolationKey2,
+  EXPECT_EQ(kQuicServerInfo1, *properties->GetQuicServerInfo(
+                                  kServer1, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
+                                  kServer2, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
+                                  kServer3, kNetworkAnonymizationKey1));
+  EXPECT_FALSE(
+      properties->GetQuicServerInfo(kServer1, kNetworkAnonymizationKey2));
+
+  // Set kQuicServerInfo3 for kServer1 using kNetworkAnonymizationKey2. It
+  // should not affect information stored for kNetworkAnonymizationKey1.
+  properties->SetQuicServerInfo(kServer1, kNetworkAnonymizationKey2,
                                 kQuicServerInfo3);
-  EXPECT_EQ(kQuicServerInfo1,
-            *properties->GetQuicServerInfo(kServer1, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo2,
-            *properties->GetQuicServerInfo(kServer2, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo2,
-            *properties->GetQuicServerInfo(kServer3, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo3,
-            *properties->GetQuicServerInfo(kServer1, kNetworkIsolationKey2));
-  EXPECT_EQ(kQuicServerInfo3,
-            *properties->GetQuicServerInfo(kServer2, kNetworkIsolationKey2));
-  EXPECT_EQ(kQuicServerInfo3,
-            *properties->GetQuicServerInfo(kServer3, kNetworkIsolationKey2));
+  EXPECT_EQ(kQuicServerInfo1, *properties->GetQuicServerInfo(
+                                  kServer1, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
+                                  kServer2, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
+                                  kServer3, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
+                                  kServer1, kNetworkAnonymizationKey2));
+  EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
+                                  kServer2, kNetworkAnonymizationKey2));
+  EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
+                                  kServer3, kNetworkAnonymizationKey2));
 
   // Wait until the data's been written to prefs, and then tear down the
   // HttpServerProperties.
@@ -2928,28 +2975,29 @@ TEST_F(HttpServerPropertiesManagerTest,
   // servers.
   //
   // TODO(mmenke): The rest of this test corresponds exactly to behavior in
-  // CanonicalSuffixRoundTripWithNetworkIsolationKey. It seems like these lines
-  // should correspond as well.
-  EXPECT_EQ(kQuicServerInfo1,
-            *properties->GetQuicServerInfo(kServer1, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo2,
-            *properties->GetQuicServerInfo(kServer2, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo2,
-            *properties->GetQuicServerInfo(kServer3, kNetworkIsolationKey1));
-  EXPECT_EQ(kQuicServerInfo3,
-            *properties->GetQuicServerInfo(kServer1, kNetworkIsolationKey2));
-  EXPECT_EQ(kQuicServerInfo3,
-            *properties->GetQuicServerInfo(kServer2, kNetworkIsolationKey2));
-  EXPECT_EQ(kQuicServerInfo3,
-            *properties->GetQuicServerInfo(kServer3, kNetworkIsolationKey2));
+  // CanonicalSuffixRoundTripWithNetworkAnonymizationKey. It seems like these
+  // lines should correspond as well.
+  EXPECT_EQ(kQuicServerInfo1, *properties->GetQuicServerInfo(
+                                  kServer1, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
+                                  kServer2, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo2, *properties->GetQuicServerInfo(
+                                  kServer3, kNetworkAnonymizationKey1));
+  EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
+                                  kServer1, kNetworkAnonymizationKey2));
+  EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
+                                  kServer2, kNetworkAnonymizationKey2));
+  EXPECT_EQ(kQuicServerInfo3, *properties->GetQuicServerInfo(
+                                  kServer3, kNetworkAnonymizationKey2));
 }
 
-// Make sure QuicServerInfo associated with NetworkIsolationKeys with opaque
+// Make sure QuicServerInfo associated with NetworkAnonymizationKeys with opaque
 // origins aren't saved.
 TEST_F(HttpServerPropertiesManagerTest,
-       NetworkIsolationKeyQuicServerInfoOpaqueOrigin) {
+       NetworkAnonymizationKeyQuicServerInfoOpaqueOrigin) {
   const SchemefulSite kOpaqueSite(GURL("data:text/plain,Hello World"));
-  const NetworkIsolationKey kNetworkIsolationKey(kOpaqueSite, kOpaqueSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey(kOpaqueSite,
+                                                         kOpaqueSite);
   const quic::QuicServerId kServer("foo", 443,
                                    false /* privacy_mode_enabled */);
 
@@ -2969,9 +3017,9 @@ TEST_F(HttpServerPropertiesManagerTest,
   unowned_pref_delegate->InitializePrefs(
       base::Value(base::Value::Type::DICTIONARY));
 
-  properties->SetQuicServerInfo(kServer, kNetworkIsolationKey,
+  properties->SetQuicServerInfo(kServer, kNetworkAnonymizationKey,
                                 "QuicServerInfo");
-  EXPECT_TRUE(properties->GetQuicServerInfo(kServer, kNetworkIsolationKey));
+  EXPECT_TRUE(properties->GetQuicServerInfo(kServer, kNetworkAnonymizationKey));
 
   // Wait until the data's been written to prefs, and then create a copy of
   // the prefs data.
@@ -3006,7 +3054,7 @@ TEST_F(HttpServerPropertiesManagerTest, AdvertisedVersionsRoundTrip) {
         AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
             quic_alternative_service, expiration, advertised_versions));
     http_server_props_->SetAlternativeServices(
-        server, NetworkIsolationKey(), alternative_service_info_vector_in);
+        server, NetworkAnonymizationKey(), alternative_service_info_vector_in);
     // Save to JSON.
     EXPECT_EQ(0, pref_delegate_->GetAndClearNumPrefUpdates());
     EXPECT_NE(0u, GetPendingMainThreadTaskCount());
@@ -3050,8 +3098,8 @@ TEST_F(HttpServerPropertiesManagerTest, AdvertisedVersionsRoundTrip) {
 TEST_F(HttpServerPropertiesManagerTest, SameOrderAfterReload) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
@@ -3083,22 +3131,22 @@ TEST_F(HttpServerPropertiesManagerTest, SameOrderAfterReload) {
   const url::SchemeHostPort kServer1("https", "1.example", 443);
   const url::SchemeHostPort kServer2("https", "2.example", 443);
   const url::SchemeHostPort kServer3("https", "3.example", 443);
-  properties->SetAlternativeServices(kServer1, kNetworkIsolationKey1,
+  properties->SetAlternativeServices(kServer1, kNetworkAnonymizationKey1,
                                      {alt_service1});
-  properties->SetAlternativeServices(kServer2, kNetworkIsolationKey1,
+  properties->SetAlternativeServices(kServer2, kNetworkAnonymizationKey1,
                                      {alt_service2});
-  properties->SetAlternativeServices(kServer3, kNetworkIsolationKey2,
+  properties->SetAlternativeServices(kServer3, kNetworkAnonymizationKey2,
                                      {alt_service3});
 
   // Set quic_server_info.
   quic::QuicServerId quic_server_id1("quic1.example", 80, false);
   quic::QuicServerId quic_server_id2("quic2.example", 80, false);
   quic::QuicServerId quic_server_id3("quic3.example", 80, false);
-  properties->SetQuicServerInfo(quic_server_id1, kNetworkIsolationKey1,
+  properties->SetQuicServerInfo(quic_server_id1, kNetworkAnonymizationKey1,
                                 "quic_server_info1");
-  properties->SetQuicServerInfo(quic_server_id2, kNetworkIsolationKey1,
+  properties->SetQuicServerInfo(quic_server_id2, kNetworkAnonymizationKey1,
                                 "quic_server_info2");
-  properties->SetQuicServerInfo(quic_server_id3, kNetworkIsolationKey2,
+  properties->SetQuicServerInfo(quic_server_id3, kNetworkAnonymizationKey2,
                                 "quic_server_info3");
 
   // Set broken_alternative_service info.
@@ -3106,13 +3154,13 @@ TEST_F(HttpServerPropertiesManagerTest, SameOrderAfterReload) {
   AlternativeService broken_service2(kProtoQUIC, "broken2.example", 443);
   AlternativeService broken_service3(kProtoQUIC, "broken3.example", 443);
   properties->MarkAlternativeServiceBroken(broken_service1,
-                                           kNetworkIsolationKey1);
+                                           kNetworkAnonymizationKey1);
   FastForwardBy(base::Milliseconds(1));
   properties->MarkAlternativeServiceBroken(broken_service2,
-                                           kNetworkIsolationKey1);
+                                           kNetworkAnonymizationKey1);
   FastForwardBy(base::Milliseconds(1));
   properties->MarkAlternativeServiceBroken(broken_service3,
-                                           kNetworkIsolationKey2);
+                                           kNetworkAnonymizationKey2);
 
   // The first item of `server_info_map` must be the latest item.
   EXPECT_EQ(3u, properties->server_info_map_for_testing().size());
diff --git a/chromium/net/http/http_server_properties_unittest.cc b/chromium/net/http/http_server_properties_unittest.cc
index d933e6cab06..8a7e389dc89 100644
--- a/chromium/net/http/http_server_properties_unittest.cc
+++ b/chromium/net/http/http_server_properties_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -44,9 +44,10 @@ class HttpServerPropertiesPeer {
       HttpServerProperties* impl,
       const AlternativeService& alternative_service,
       base::TimeTicks when,
-      const NetworkIsolationKey network_isolation_key = NetworkIsolationKey()) {
+      const NetworkAnonymizationKey network_anonymization_key =
+          NetworkAnonymizationKey()) {
     BrokenAlternativeService broken_alternative_service(
-        alternative_service, network_isolation_key,
+        alternative_service, network_anonymization_key,
         true /* use_network_isolation_key */);
     BrokenAlternativeServiceList::iterator unused_it;
     impl->broken_alternative_services_.AddToBrokenListAndMap(
@@ -71,11 +72,11 @@ class HttpServerPropertiesPeer {
 
 namespace {
 
-// Creates a ServerInfoMapKey without a NetworkIsolationKey.
+// Creates a ServerInfoMapKey without a NetworkAnonymizationKey.
 HttpServerProperties::ServerInfoMapKey CreateSimpleKey(
     const url::SchemeHostPort& server) {
   return HttpServerProperties::ServerInfoMapKey(
-      server, net::NetworkIsolationKey(),
+      server, net::NetworkAnonymizationKey(),
       false /* use_network_isolation_key */);
 }
 
@@ -95,9 +96,9 @@ class HttpServerPropertiesTest : public TestWithTaskEnvironment {
     test_clock_.Advance(base::Seconds(12345));
 
     SchemefulSite site1(GURL("https://foo.test/"));
-    network_isolation_key1_ = NetworkIsolationKey(site1, site1);
+    network_isolation_key1_ = NetworkAnonymizationKey(site1, site1);
     SchemefulSite site2(GURL("https://bar.test/"));
-    network_isolation_key2_ = NetworkIsolationKey(site2, site2);
+    network_isolation_key2_ = NetworkAnonymizationKey(site2, site2);
   }
 
   // This is a little awkward, but need to create and configure the
@@ -111,10 +112,11 @@ class HttpServerPropertiesTest : public TestWithTaskEnvironment {
     return feature_list;
   }
 
-  bool HasAlternativeService(const url::SchemeHostPort& origin,
-                             const NetworkIsolationKey& network_isolation_key) {
+  bool HasAlternativeService(
+      const url::SchemeHostPort& origin,
+      const NetworkAnonymizationKey& network_anonymization_key) {
     const AlternativeServiceInfoVector alternative_service_info_vector =
-        impl_.GetAlternativeServiceInfos(origin, network_isolation_key);
+        impl_.GetAlternativeServiceInfos(origin, network_anonymization_key);
     return !alternative_service_info_vector.empty();
   }
 
@@ -122,11 +124,11 @@ class HttpServerPropertiesTest : public TestWithTaskEnvironment {
                              const AlternativeService& alternative_service) {
     const base::Time expiration = test_clock_.Now() + base::Days(1);
     if (alternative_service.protocol == kProtoQUIC) {
-      impl_.SetQuicAlternativeService(origin, NetworkIsolationKey(),
+      impl_.SetQuicAlternativeService(origin, NetworkAnonymizationKey(),
                                       alternative_service, expiration,
                                       DefaultSupportedQuicVersions());
     } else {
-      impl_.SetHttp2AlternativeService(origin, NetworkIsolationKey(),
+      impl_.SetHttp2AlternativeService(origin, NetworkAnonymizationKey(),
                                        alternative_service, expiration);
     }
   }
@@ -142,8 +144,8 @@ class HttpServerPropertiesTest : public TestWithTaskEnvironment {
 
   // Two different non-empty network isolation keys for use in tests that need
   // them.
-  NetworkIsolationKey network_isolation_key1_;
-  NetworkIsolationKey network_isolation_key2_;
+  NetworkAnonymizationKey network_isolation_key1_;
+  NetworkAnonymizationKey network_isolation_key2_;
 
   HttpServerProperties impl_;
 };
@@ -160,40 +162,45 @@ TEST_F(HttpServerPropertiesTest, SetSupportsSpdy) {
   url::SchemeHostPort https_photos_server("https", "photos.google.com", 443);
   url::SchemeHostPort valid_google_server((GURL("https://www.google.com")));
 
-  impl_.SetSupportsSpdy(https_www_server, NetworkIsolationKey(), true);
-  impl_.SetSupportsSpdy(http_photo_server, NetworkIsolationKey(), true);
-  impl_.SetSupportsSpdy(https_mail_server, NetworkIsolationKey(), false);
-  EXPECT_TRUE(impl_.GetSupportsSpdy(https_www_server, NetworkIsolationKey()));
+  impl_.SetSupportsSpdy(https_www_server, NetworkAnonymizationKey(), true);
+  impl_.SetSupportsSpdy(http_photo_server, NetworkAnonymizationKey(), true);
+  impl_.SetSupportsSpdy(https_mail_server, NetworkAnonymizationKey(), false);
   EXPECT_TRUE(
-      impl_.SupportsRequestPriority(https_www_server, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(http_photo_server, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(https_www_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.SupportsRequestPriority(https_www_server,
+                                            NetworkAnonymizationKey()));
   EXPECT_TRUE(
-      impl_.SupportsRequestPriority(http_photo_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(https_mail_server, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(http_photo_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.SupportsRequestPriority(http_photo_server,
+                                            NetworkAnonymizationKey()));
   EXPECT_FALSE(
-      impl_.SupportsRequestPriority(https_mail_server, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(https_mail_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.SupportsRequestPriority(https_mail_server,
+                                             NetworkAnonymizationKey()));
   EXPECT_FALSE(
-      impl_.GetSupportsSpdy(http_google_server, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(http_google_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.SupportsRequestPriority(http_google_server,
+                                             NetworkAnonymizationKey()));
   EXPECT_FALSE(
-      impl_.SupportsRequestPriority(http_google_server, NetworkIsolationKey()));
-  EXPECT_FALSE(
-      impl_.GetSupportsSpdy(https_photos_server, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(https_photos_server, NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.SupportsRequestPriority(https_photos_server,
-                                             NetworkIsolationKey()));
+                                             NetworkAnonymizationKey()));
   EXPECT_TRUE(
-      impl_.GetSupportsSpdy(valid_google_server, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(valid_google_server, NetworkAnonymizationKey()));
   EXPECT_TRUE(impl_.SupportsRequestPriority(valid_google_server,
-                                            NetworkIsolationKey()));
+                                            NetworkAnonymizationKey()));
 
   // Flip values of two servers.
-  impl_.SetSupportsSpdy(https_www_server, NetworkIsolationKey(), false);
-  impl_.SetSupportsSpdy(https_mail_server, NetworkIsolationKey(), true);
-  EXPECT_FALSE(impl_.GetSupportsSpdy(https_www_server, NetworkIsolationKey()));
+  impl_.SetSupportsSpdy(https_www_server, NetworkAnonymizationKey(), false);
+  impl_.SetSupportsSpdy(https_mail_server, NetworkAnonymizationKey(), true);
   EXPECT_FALSE(
-      impl_.SupportsRequestPriority(https_www_server, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(https_mail_server, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(https_www_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.SupportsRequestPriority(https_www_server,
+                                             NetworkAnonymizationKey()));
   EXPECT_TRUE(
-      impl_.SupportsRequestPriority(https_mail_server, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(https_mail_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.SupportsRequestPriority(https_mail_server,
+                                            NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesTest, SetSupportsSpdyWebSockets) {
@@ -204,34 +211,34 @@ TEST_F(HttpServerPropertiesTest, SetSupportsSpdyWebSockets) {
   url::SchemeHostPort http_server("http", "www.test.com", 443);
   url::SchemeHostPort ws_server("ws", "www.test.com", 443);
 
-  EXPECT_FALSE(impl_.GetSupportsSpdy(https_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(wss_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(http_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(ws_server, NetworkIsolationKey()));
-
-  impl_.SetSupportsSpdy(wss_server, NetworkIsolationKey(), true);
-  EXPECT_TRUE(impl_.GetSupportsSpdy(https_server, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(wss_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(http_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(ws_server, NetworkIsolationKey()));
-
-  impl_.SetSupportsSpdy(http_server, NetworkIsolationKey(), true);
-  EXPECT_TRUE(impl_.GetSupportsSpdy(https_server, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(wss_server, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(http_server, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(ws_server, NetworkIsolationKey()));
-
-  impl_.SetSupportsSpdy(https_server, NetworkIsolationKey(), false);
-  EXPECT_FALSE(impl_.GetSupportsSpdy(https_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(wss_server, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(http_server, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(ws_server, NetworkIsolationKey()));
-
-  impl_.SetSupportsSpdy(ws_server, NetworkIsolationKey(), false);
-  EXPECT_FALSE(impl_.GetSupportsSpdy(https_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(wss_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(http_server, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(ws_server, NetworkIsolationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(https_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(wss_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(http_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(ws_server, NetworkAnonymizationKey()));
+
+  impl_.SetSupportsSpdy(wss_server, NetworkAnonymizationKey(), true);
+  EXPECT_TRUE(impl_.GetSupportsSpdy(https_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.GetSupportsSpdy(wss_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(http_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(ws_server, NetworkAnonymizationKey()));
+
+  impl_.SetSupportsSpdy(http_server, NetworkAnonymizationKey(), true);
+  EXPECT_TRUE(impl_.GetSupportsSpdy(https_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.GetSupportsSpdy(wss_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.GetSupportsSpdy(http_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.GetSupportsSpdy(ws_server, NetworkAnonymizationKey()));
+
+  impl_.SetSupportsSpdy(https_server, NetworkAnonymizationKey(), false);
+  EXPECT_FALSE(impl_.GetSupportsSpdy(https_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(wss_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.GetSupportsSpdy(http_server, NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.GetSupportsSpdy(ws_server, NetworkAnonymizationKey()));
+
+  impl_.SetSupportsSpdy(ws_server, NetworkAnonymizationKey(), false);
+  EXPECT_FALSE(impl_.GetSupportsSpdy(https_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(wss_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(http_server, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(ws_server, NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesTest, SetSupportsSpdyWithNetworkIsolationKey) {
@@ -239,30 +246,33 @@ TEST_F(HttpServerPropertiesTest, SetSupportsSpdyWithNetworkIsolationKey) {
 
   EXPECT_FALSE(impl_.GetSupportsSpdy(kServer, network_isolation_key1_));
   EXPECT_FALSE(impl_.SupportsRequestPriority(kServer, network_isolation_key1_));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(kServer, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.SupportsRequestPriority(kServer, NetworkIsolationKey()));
+  EXPECT_FALSE(impl_.GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      impl_.SupportsRequestPriority(kServer, NetworkAnonymizationKey()));
 
   // Without network isolation keys enabled for HttpServerProperties, passing in
-  // a NetworkIsolationKey should have no effect on behavior.
+  // a NetworkAnonymizationKey should have no effect on behavior.
   for (const auto& network_isolation_key_to_set :
-       {NetworkIsolationKey(), network_isolation_key1_}) {
+       {NetworkAnonymizationKey(), network_isolation_key1_}) {
     impl_.SetSupportsSpdy(kServer, network_isolation_key_to_set, true);
     EXPECT_TRUE(impl_.GetSupportsSpdy(kServer, network_isolation_key1_));
     EXPECT_TRUE(
         impl_.SupportsRequestPriority(kServer, network_isolation_key1_));
-    EXPECT_TRUE(impl_.GetSupportsSpdy(kServer, NetworkIsolationKey()));
-    EXPECT_TRUE(impl_.SupportsRequestPriority(kServer, NetworkIsolationKey()));
+    EXPECT_TRUE(impl_.GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
+    EXPECT_TRUE(
+        impl_.SupportsRequestPriority(kServer, NetworkAnonymizationKey()));
 
     impl_.SetSupportsSpdy(kServer, network_isolation_key_to_set, false);
     EXPECT_FALSE(impl_.GetSupportsSpdy(kServer, network_isolation_key1_));
     EXPECT_FALSE(
         impl_.SupportsRequestPriority(kServer, network_isolation_key1_));
-    EXPECT_FALSE(impl_.GetSupportsSpdy(kServer, NetworkIsolationKey()));
-    EXPECT_FALSE(impl_.SupportsRequestPriority(kServer, NetworkIsolationKey()));
+    EXPECT_FALSE(impl_.GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
+    EXPECT_FALSE(
+        impl_.SupportsRequestPriority(kServer, NetworkAnonymizationKey()));
   }
 
   // With network isolation keys enabled for HttpServerProperties, the
-  // NetworkIsolationKey argument should be respected.
+  // NetworkAnonymizationKey argument should be respected.
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
@@ -276,41 +286,41 @@ TEST_F(HttpServerPropertiesTest, SetSupportsSpdyWithNetworkIsolationKey) {
   EXPECT_FALSE(properties.GetSupportsSpdy(kServer, network_isolation_key1_));
   EXPECT_FALSE(
       properties.SupportsRequestPriority(kServer, network_isolation_key1_));
-  EXPECT_FALSE(properties.GetSupportsSpdy(kServer, NetworkIsolationKey()));
+  EXPECT_FALSE(properties.GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
   EXPECT_FALSE(
-      properties.SupportsRequestPriority(kServer, NetworkIsolationKey()));
+      properties.SupportsRequestPriority(kServer, NetworkAnonymizationKey()));
 
   properties.SetSupportsSpdy(kServer, network_isolation_key1_, true);
   EXPECT_TRUE(properties.GetSupportsSpdy(kServer, network_isolation_key1_));
   EXPECT_TRUE(
       properties.SupportsRequestPriority(kServer, network_isolation_key1_));
-  EXPECT_FALSE(properties.GetSupportsSpdy(kServer, NetworkIsolationKey()));
+  EXPECT_FALSE(properties.GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
   EXPECT_FALSE(
-      properties.SupportsRequestPriority(kServer, NetworkIsolationKey()));
+      properties.SupportsRequestPriority(kServer, NetworkAnonymizationKey()));
 
-  properties.SetSupportsSpdy(kServer, NetworkIsolationKey(), true);
+  properties.SetSupportsSpdy(kServer, NetworkAnonymizationKey(), true);
   EXPECT_TRUE(properties.GetSupportsSpdy(kServer, network_isolation_key1_));
   EXPECT_TRUE(
       properties.SupportsRequestPriority(kServer, network_isolation_key1_));
-  EXPECT_TRUE(properties.GetSupportsSpdy(kServer, NetworkIsolationKey()));
+  EXPECT_TRUE(properties.GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
   EXPECT_TRUE(
-      properties.SupportsRequestPriority(kServer, NetworkIsolationKey()));
+      properties.SupportsRequestPriority(kServer, NetworkAnonymizationKey()));
 
   properties.SetSupportsSpdy(kServer, network_isolation_key1_, false);
   EXPECT_FALSE(properties.GetSupportsSpdy(kServer, network_isolation_key1_));
   EXPECT_FALSE(
       properties.SupportsRequestPriority(kServer, network_isolation_key1_));
-  EXPECT_TRUE(properties.GetSupportsSpdy(kServer, NetworkIsolationKey()));
+  EXPECT_TRUE(properties.GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
   EXPECT_TRUE(
-      properties.SupportsRequestPriority(kServer, NetworkIsolationKey()));
+      properties.SupportsRequestPriority(kServer, NetworkAnonymizationKey()));
 
-  properties.SetSupportsSpdy(kServer, NetworkIsolationKey(), false);
+  properties.SetSupportsSpdy(kServer, NetworkAnonymizationKey(), false);
   EXPECT_FALSE(properties.GetSupportsSpdy(kServer, network_isolation_key1_));
   EXPECT_FALSE(
       properties.SupportsRequestPriority(kServer, network_isolation_key1_));
-  EXPECT_FALSE(properties.GetSupportsSpdy(kServer, NetworkIsolationKey()));
+  EXPECT_FALSE(properties.GetSupportsSpdy(kServer, NetworkAnonymizationKey()));
   EXPECT_FALSE(
-      properties.SupportsRequestPriority(kServer, NetworkIsolationKey()));
+      properties.SupportsRequestPriority(kServer, NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesTest, LoadSupportsSpdy) {
@@ -329,7 +339,7 @@ TEST_F(HttpServerPropertiesTest, LoadSupportsSpdy) {
       std::make_unique<HttpServerProperties::ServerInfoMap>();
   impl_.OnServerInfoLoadedForTesting(std::move(spdy_servers));
   EXPECT_FALSE(
-      impl_.GetSupportsSpdy(spdy_server_google, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey()));
 
   // Check by initializing www.google.com:443 and photos.google.com:443 as spdy
   // servers.
@@ -339,20 +349,21 @@ TEST_F(HttpServerPropertiesTest, LoadSupportsSpdy) {
   spdy_servers1->Put(CreateSimpleKey(spdy_server_photos), no_spdy);
   impl_.OnServerInfoLoadedForTesting(std::move(spdy_servers1));
   // Note: these calls affect MRU order.
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_google, NetworkIsolationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey()));
   EXPECT_FALSE(
-      impl_.GetSupportsSpdy(spdy_server_photos, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(spdy_server_photos, NetworkAnonymizationKey()));
 
   // Verify google and photos are in the list in MRU order.
   ASSERT_EQ(2U, impl_.server_info_map_for_testing().size());
   auto it = impl_.server_info_map_for_testing().begin();
   EXPECT_EQ(spdy_server_photos, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_FALSE(*it->second.supports_spdy);
   ++it;
   EXPECT_EQ(spdy_server_google, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_TRUE(*it->second.supports_spdy);
 
@@ -369,31 +380,34 @@ TEST_F(HttpServerPropertiesTest, LoadSupportsSpdy) {
   ASSERT_EQ(4U, impl_.server_info_map_for_testing().size());
   it = impl_.server_info_map_for_testing().begin();
   EXPECT_EQ(spdy_server_photos, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_FALSE(*it->second.supports_spdy);
   ++it;
   EXPECT_EQ(spdy_server_google, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_TRUE(*it->second.supports_spdy);
   ++it;
   EXPECT_EQ(spdy_server_docs, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_TRUE(*it->second.supports_spdy);
   ++it;
   EXPECT_EQ(spdy_server_mail, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_TRUE(*it->second.supports_spdy);
 
   // Check these in reverse MRU order so that MRU order stays the same.
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_mail, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_docs, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_google, NetworkIsolationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_mail, NetworkAnonymizationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_docs, NetworkAnonymizationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey()));
   EXPECT_FALSE(
-      impl_.GetSupportsSpdy(spdy_server_photos, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(spdy_server_photos, NetworkAnonymizationKey()));
 
   // Verify that old values loaded from disk take precedence over newer learned
   // values and also verify the recency list order is unchanged.
@@ -407,53 +421,57 @@ TEST_F(HttpServerPropertiesTest, LoadSupportsSpdy) {
   ASSERT_EQ(4U, impl_.server_info_map_for_testing().size());
   it = impl_.server_info_map_for_testing().begin();
   EXPECT_EQ(spdy_server_photos, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_TRUE(*it->second.supports_spdy);
   ++it;
   EXPECT_EQ(spdy_server_google, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_TRUE(*it->second.supports_spdy);
   ++it;
   EXPECT_EQ(spdy_server_docs, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_TRUE(*it->second.supports_spdy);
   ++it;
   EXPECT_EQ(spdy_server_mail, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.supports_spdy.has_value());
   EXPECT_FALSE(*it->second.supports_spdy);
 
   // Verify photos server doesn't support SPDY and other servers support SPDY.
-  EXPECT_FALSE(impl_.GetSupportsSpdy(spdy_server_mail, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_docs, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_google, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_photos, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      impl_.GetSupportsSpdy(spdy_server_mail, NetworkAnonymizationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_docs, NetworkAnonymizationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_photos, NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesTest, SupportsRequestPriority) {
   url::SchemeHostPort spdy_server_empty("https", std::string(), 443);
-  EXPECT_FALSE(
-      impl_.SupportsRequestPriority(spdy_server_empty, NetworkIsolationKey()));
+  EXPECT_FALSE(impl_.SupportsRequestPriority(spdy_server_empty,
+                                             NetworkAnonymizationKey()));
 
   // Add www.google.com:443 as supporting SPDY.
   url::SchemeHostPort spdy_server_google("https", "www.google.com", 443);
-  impl_.SetSupportsSpdy(spdy_server_google, NetworkIsolationKey(), true);
-  EXPECT_TRUE(
-      impl_.SupportsRequestPriority(spdy_server_google, NetworkIsolationKey()));
+  impl_.SetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey(), true);
+  EXPECT_TRUE(impl_.SupportsRequestPriority(spdy_server_google,
+                                            NetworkAnonymizationKey()));
 
   // Add mail.google.com:443 as not supporting SPDY.
   url::SchemeHostPort spdy_server_mail("https", "mail.google.com", 443);
-  EXPECT_FALSE(
-      impl_.SupportsRequestPriority(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_FALSE(impl_.SupportsRequestPriority(spdy_server_mail,
+                                             NetworkAnonymizationKey()));
 
   // Add docs.google.com:443 as supporting SPDY.
   url::SchemeHostPort spdy_server_docs("https", "docs.google.com", 443);
-  impl_.SetSupportsSpdy(spdy_server_docs, NetworkIsolationKey(), true);
-  EXPECT_TRUE(
-      impl_.SupportsRequestPriority(spdy_server_docs, NetworkIsolationKey()));
+  impl_.SetSupportsSpdy(spdy_server_docs, NetworkAnonymizationKey(), true);
+  EXPECT_TRUE(impl_.SupportsRequestPriority(spdy_server_docs,
+                                            NetworkAnonymizationKey()));
 
   // Add www.youtube.com:443 as supporting QUIC.
   url::SchemeHostPort youtube_server("https", "www.youtube.com", 443);
@@ -461,7 +479,7 @@ TEST_F(HttpServerPropertiesTest, SupportsRequestPriority) {
                                                 443);
   SetAlternativeService(youtube_server, alternative_service1);
   EXPECT_TRUE(
-      impl_.SupportsRequestPriority(youtube_server, NetworkIsolationKey()));
+      impl_.SupportsRequestPriority(youtube_server, NetworkAnonymizationKey()));
 
   // Add www.example.com:443 with two alternative services, one supporting QUIC.
   url::SchemeHostPort example_server("https", "www.example.com", 443);
@@ -469,30 +487,32 @@ TEST_F(HttpServerPropertiesTest, SupportsRequestPriority) {
   SetAlternativeService(example_server, alternative_service2);
   SetAlternativeService(example_server, alternative_service1);
   EXPECT_TRUE(
-      impl_.SupportsRequestPriority(example_server, NetworkIsolationKey()));
+      impl_.SupportsRequestPriority(example_server, NetworkAnonymizationKey()));
 
   // Verify all the entries are the same after additions.
+  EXPECT_TRUE(impl_.SupportsRequestPriority(spdy_server_google,
+                                            NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.SupportsRequestPriority(spdy_server_mail,
+                                             NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.SupportsRequestPriority(spdy_server_docs,
+                                            NetworkAnonymizationKey()));
   EXPECT_TRUE(
-      impl_.SupportsRequestPriority(spdy_server_google, NetworkIsolationKey()));
-  EXPECT_FALSE(
-      impl_.SupportsRequestPriority(spdy_server_mail, NetworkIsolationKey()));
+      impl_.SupportsRequestPriority(youtube_server, NetworkAnonymizationKey()));
   EXPECT_TRUE(
-      impl_.SupportsRequestPriority(spdy_server_docs, NetworkIsolationKey()));
-  EXPECT_TRUE(
-      impl_.SupportsRequestPriority(youtube_server, NetworkIsolationKey()));
-  EXPECT_TRUE(
-      impl_.SupportsRequestPriority(example_server, NetworkIsolationKey()));
+      impl_.SupportsRequestPriority(example_server, NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesTest, ClearSupportsSpdy) {
   // Add www.google.com:443 and mail.google.com:443 as supporting SPDY.
   url::SchemeHostPort spdy_server_google("https", "www.google.com", 443);
-  impl_.SetSupportsSpdy(spdy_server_google, NetworkIsolationKey(), true);
+  impl_.SetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey(), true);
   url::SchemeHostPort spdy_server_mail("https", "mail.google.com", 443);
-  impl_.SetSupportsSpdy(spdy_server_mail, NetworkIsolationKey(), true);
+  impl_.SetSupportsSpdy(spdy_server_mail, NetworkAnonymizationKey(), true);
 
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_google, NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_mail, NetworkIsolationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_mail, NetworkAnonymizationKey()));
 
   base::RunLoop run_loop;
   bool callback_invoked_ = false;
@@ -503,8 +523,9 @@ TEST_F(HttpServerPropertiesTest, ClearSupportsSpdy) {
       },
       &callback_invoked_, run_loop.QuitClosure()));
   EXPECT_FALSE(
-      impl_.GetSupportsSpdy(spdy_server_google, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetSupportsSpdy(spdy_server_mail, NetworkIsolationKey()));
+      impl_.GetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      impl_.GetSupportsSpdy(spdy_server_mail, NetworkAnonymizationKey()));
 
   // Callback should be run asynchronously.
   EXPECT_FALSE(callback_invoked_);
@@ -517,50 +538,51 @@ TEST_F(HttpServerPropertiesTest, MRUOfServerInfoMap) {
   url::SchemeHostPort spdy_server_mail("https", "mail.google.com", 443);
 
   // Add www.google.com:443 as supporting SPDY.
-  impl_.SetSupportsSpdy(spdy_server_google, NetworkIsolationKey(), true);
+  impl_.SetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey(), true);
   ASSERT_EQ(1u, impl_.server_info_map_for_testing().size());
   auto it = impl_.server_info_map_for_testing().begin();
   ASSERT_EQ(spdy_server_google, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
 
   // Add mail.google.com:443 as supporting SPDY. Verify mail.google.com:443 and
   // www.google.com:443 are in the list.
-  impl_.SetSupportsSpdy(spdy_server_mail, NetworkIsolationKey(), true);
+  impl_.SetSupportsSpdy(spdy_server_mail, NetworkAnonymizationKey(), true);
   ASSERT_EQ(2u, impl_.server_info_map_for_testing().size());
   it = impl_.server_info_map_for_testing().begin();
   ASSERT_EQ(spdy_server_mail, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ++it;
   ASSERT_EQ(spdy_server_google, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
 
   // Get www.google.com:443. It should become the most-recently-used server.
-  EXPECT_TRUE(impl_.GetSupportsSpdy(spdy_server_google, NetworkIsolationKey()));
+  EXPECT_TRUE(
+      impl_.GetSupportsSpdy(spdy_server_google, NetworkAnonymizationKey()));
   ASSERT_EQ(2u, impl_.server_info_map_for_testing().size());
   it = impl_.server_info_map_for_testing().begin();
   ASSERT_EQ(spdy_server_google, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ++it;
   ASSERT_EQ(spdy_server_mail, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
 }
 
 typedef HttpServerPropertiesTest AlternateProtocolServerPropertiesTest;
 
 TEST_F(AlternateProtocolServerPropertiesTest, Basic) {
   url::SchemeHostPort test_server("http", "foo", 80);
-  EXPECT_FALSE(HasAlternativeService(test_server, NetworkIsolationKey()));
+  EXPECT_FALSE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
 
   AlternativeService alternative_service(kProtoHTTP2, "foo", 443);
   SetAlternativeService(test_server, alternative_service);
   const AlternativeServiceInfoVector alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service,
             alternative_service_info_vector[0].alternative_service());
 
   impl_.Clear(base::OnceClosure());
-  EXPECT_FALSE(HasAlternativeService(test_server, NetworkIsolationKey()));
+  EXPECT_FALSE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest, ExcludeOrigin) {
@@ -589,11 +611,11 @@ TEST_F(AlternateProtocolServerPropertiesTest, ExcludeOrigin) {
   alternative_service_info_vector.push_back(alternative_service_info4);
 
   url::SchemeHostPort test_server("https", "foo", 443);
-  impl_.SetAlternativeServices(test_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(test_server, NetworkAnonymizationKey(),
                                alternative_service_info_vector);
 
   const AlternativeServiceInfoVector alternative_service_info_vector2 =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(3u, alternative_service_info_vector2.size());
   EXPECT_EQ(alternative_service_info2, alternative_service_info_vector2[0]);
   EXPECT_EQ(alternative_service_info3, alternative_service_info_vector2[1]);
@@ -610,7 +632,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, Set) {
   const base::Time now = test_clock_.Now();
   base::Time expiration1 = now + base::Days(1);
   // 1st entry in the memory.
-  impl_.SetHttp2AlternativeService(test_server1, NetworkIsolationKey(),
+  impl_.SetHttp2AlternativeService(test_server1, NetworkAnonymizationKey(),
                                    alternative_service1, expiration1);
 
   // |test_server2| has an alternative service, which will be
@@ -624,7 +646,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, Set) {
           alternative_service2, expiration2));
   url::SchemeHostPort test_server2("http", "foo2", 80);
   // 0th entry in the memory.
-  impl_.SetAlternativeServices(test_server2, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(test_server2, NetworkAnonymizationKey(),
                                alternative_service_info_vector);
 
   // Prepare |server_info_map| to be loaded by OnServerInfoLoadedForTesting().
@@ -662,7 +684,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, Set) {
   auto map_it = map.begin();
 
   EXPECT_EQ(test_server2, map_it->first.server);
-  EXPECT_TRUE(map_it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(map_it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(map_it->second.alternative_services.has_value());
   const AlternativeServiceInfoVector* service_info =
       &map_it->second.alternative_services.value();
@@ -672,7 +694,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, Set) {
 
   ++map_it;
   EXPECT_EQ(test_server1, map_it->first.server);
-  EXPECT_TRUE(map_it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(map_it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(map_it->second.alternative_services.has_value());
   service_info = &map_it->second.alternative_services.value();
   ASSERT_EQ(1u, service_info->size());
@@ -681,7 +703,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, Set) {
 
   ++map_it;
   EXPECT_EQ(map_it->first.server, test_server3);
-  EXPECT_TRUE(map_it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(map_it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(map_it->second.alternative_services.has_value());
   service_info = &map_it->second.alternative_services.value();
   ASSERT_EQ(1u, service_info->size());
@@ -700,75 +722,90 @@ TEST_F(AlternateProtocolServerPropertiesTest, SetWebSockets) {
   AlternativeService alternative_service(kProtoHTTP2, "bar", 443);
 
   EXPECT_EQ(
-      0u, impl_.GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
+      0u,
+      impl_.GetAlternativeServiceInfos(https_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      0u,
+      impl_.GetAlternativeServiceInfos(wss_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      0u,
+      impl_.GetAlternativeServiceInfos(http_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      0u, impl_.GetAlternativeServiceInfos(ws_server, NetworkAnonymizationKey())
               .size());
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(wss_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(http_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(ws_server, NetworkIsolationKey())
-                .size());
 
   SetAlternativeService(wss_server, alternative_service);
   EXPECT_EQ(
-      1u, impl_.GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
+      1u,
+      impl_.GetAlternativeServiceInfos(https_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      1u,
+      impl_.GetAlternativeServiceInfos(wss_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      0u,
+      impl_.GetAlternativeServiceInfos(http_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      0u, impl_.GetAlternativeServiceInfos(ws_server, NetworkAnonymizationKey())
               .size());
-  EXPECT_EQ(1u,
-            impl_.GetAlternativeServiceInfos(wss_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(http_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(ws_server, NetworkIsolationKey())
-                .size());
 
   SetAlternativeService(http_server, alternative_service);
   EXPECT_EQ(
-      1u, impl_.GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
+      1u,
+      impl_.GetAlternativeServiceInfos(https_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      1u,
+      impl_.GetAlternativeServiceInfos(wss_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      1u,
+      impl_.GetAlternativeServiceInfos(http_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      1u, impl_.GetAlternativeServiceInfos(ws_server, NetworkAnonymizationKey())
               .size());
-  EXPECT_EQ(1u,
-            impl_.GetAlternativeServiceInfos(wss_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(1u,
-            impl_.GetAlternativeServiceInfos(http_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(1u,
-            impl_.GetAlternativeServiceInfos(ws_server, NetworkIsolationKey())
-                .size());
-
-  impl_.SetAlternativeServices(https_server, NetworkIsolationKey(),
+
+  impl_.SetAlternativeServices(https_server, NetworkAnonymizationKey(),
                                AlternativeServiceInfoVector());
   EXPECT_EQ(
-      0u, impl_.GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
+      0u,
+      impl_.GetAlternativeServiceInfos(https_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      0u,
+      impl_.GetAlternativeServiceInfos(wss_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      1u,
+      impl_.GetAlternativeServiceInfos(http_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      1u, impl_.GetAlternativeServiceInfos(ws_server, NetworkAnonymizationKey())
               .size());
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(wss_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(1u,
-            impl_.GetAlternativeServiceInfos(http_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(1u,
-            impl_.GetAlternativeServiceInfos(ws_server, NetworkIsolationKey())
-                .size());
-
-  impl_.SetAlternativeServices(ws_server, NetworkIsolationKey(),
+
+  impl_.SetAlternativeServices(ws_server, NetworkAnonymizationKey(),
                                AlternativeServiceInfoVector());
   EXPECT_EQ(
-      0u, impl_.GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
+      0u,
+      impl_.GetAlternativeServiceInfos(https_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      0u,
+      impl_.GetAlternativeServiceInfos(wss_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      0u,
+      impl_.GetAlternativeServiceInfos(http_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      0u, impl_.GetAlternativeServiceInfos(ws_server, NetworkAnonymizationKey())
               .size());
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(wss_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(http_server, NetworkIsolationKey())
-                .size());
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(ws_server, NetworkIsolationKey())
-                .size());
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest, SetWithNetworkIsolationKey) {
@@ -781,30 +818,32 @@ TEST_F(AlternateProtocolServerPropertiesTest, SetWithNetworkIsolationKey) {
   EXPECT_TRUE(impl_.GetAlternativeServiceInfos(kServer, network_isolation_key1_)
                   .empty());
   EXPECT_TRUE(
-      impl_.GetAlternativeServiceInfos(kServer, NetworkIsolationKey()).empty());
+      impl_.GetAlternativeServiceInfos(kServer, NetworkAnonymizationKey())
+          .empty());
 
   // Without network isolation keys enabled for HttpServerProperties, passing in
-  // a NetworkIsolationKey should have no effect on behavior.
+  // a NetworkAnonymizationKey should have no effect on behavior.
   for (const auto& network_isolation_key_to_set :
-       {NetworkIsolationKey(), network_isolation_key1_}) {
+       {NetworkAnonymizationKey(), network_isolation_key1_}) {
     impl_.SetAlternativeServices(kServer, network_isolation_key_to_set,
                                  kAlternativeServices);
     EXPECT_EQ(kAlternativeServices, impl_.GetAlternativeServiceInfos(
                                         kServer, network_isolation_key1_));
-    EXPECT_EQ(kAlternativeServices,
-              impl_.GetAlternativeServiceInfos(kServer, NetworkIsolationKey()));
+    EXPECT_EQ(kAlternativeServices, impl_.GetAlternativeServiceInfos(
+                                        kServer, NetworkAnonymizationKey()));
 
     impl_.SetAlternativeServices(kServer, network_isolation_key_to_set,
                                  AlternativeServiceInfoVector());
     EXPECT_TRUE(
         impl_.GetAlternativeServiceInfos(kServer, network_isolation_key1_)
             .empty());
-    EXPECT_TRUE(impl_.GetAlternativeServiceInfos(kServer, NetworkIsolationKey())
-                    .empty());
+    EXPECT_TRUE(
+        impl_.GetAlternativeServiceInfos(kServer, NetworkAnonymizationKey())
+            .empty());
   }
 
   // Check that with network isolation keys enabled for HttpServerProperties,
-  // the NetworkIsolationKey argument is respected.
+  // the NetworkAnonymizationKey argument is respected.
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
@@ -820,15 +859,15 @@ TEST_F(AlternateProtocolServerPropertiesTest, SetWithNetworkIsolationKey) {
   EXPECT_EQ(kAlternativeServices, properties.GetAlternativeServiceInfos(
                                       kServer, network_isolation_key1_));
   EXPECT_TRUE(
-      properties.GetAlternativeServiceInfos(kServer, NetworkIsolationKey())
+      properties.GetAlternativeServiceInfos(kServer, NetworkAnonymizationKey())
           .empty());
 
-  properties.SetAlternativeServices(kServer, NetworkIsolationKey(),
+  properties.SetAlternativeServices(kServer, NetworkAnonymizationKey(),
                                     kAlternativeServices);
   EXPECT_EQ(kAlternativeServices, properties.GetAlternativeServiceInfos(
                                       kServer, network_isolation_key1_));
   EXPECT_EQ(kAlternativeServices, properties.GetAlternativeServiceInfos(
-                                      kServer, NetworkIsolationKey()));
+                                      kServer, NetworkAnonymizationKey()));
 
   properties.SetAlternativeServices(kServer, network_isolation_key1_,
                                     AlternativeServiceInfoVector());
@@ -836,15 +875,15 @@ TEST_F(AlternateProtocolServerPropertiesTest, SetWithNetworkIsolationKey) {
       properties.GetAlternativeServiceInfos(kServer, network_isolation_key1_)
           .empty());
   EXPECT_EQ(kAlternativeServices, properties.GetAlternativeServiceInfos(
-                                      kServer, NetworkIsolationKey()));
+                                      kServer, NetworkAnonymizationKey()));
 
-  properties.SetAlternativeServices(kServer, NetworkIsolationKey(),
+  properties.SetAlternativeServices(kServer, NetworkAnonymizationKey(),
                                     AlternativeServiceInfoVector());
   EXPECT_TRUE(
       properties.GetAlternativeServiceInfos(kServer, network_isolation_key1_)
           .empty());
   EXPECT_TRUE(
-      properties.GetAlternativeServiceInfos(kServer, NetworkIsolationKey())
+      properties.GetAlternativeServiceInfos(kServer, NetworkAnonymizationKey())
           .empty());
 }
 
@@ -859,16 +898,16 @@ TEST_F(AlternateProtocolServerPropertiesTest, SetWithEmptyHostname) {
                                                                  "foo", 1234);
   SetAlternativeService(server, alternative_service_with_empty_hostname);
   impl_.MarkAlternativeServiceBroken(alternative_service_with_foo_hostname,
-                                     NetworkIsolationKey());
+                                     NetworkAnonymizationKey());
 
   std::unique_ptr<HttpServerProperties::ServerInfoMap> server_info_map =
       std::make_unique<HttpServerProperties::ServerInfoMap>();
   impl_.OnServerInfoLoadedForTesting(std::move(server_info_map));
 
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(
-      alternative_service_with_foo_hostname, NetworkIsolationKey()));
+      alternative_service_with_foo_hostname, NetworkAnonymizationKey()));
   const AlternativeServiceInfoVector alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service_with_foo_hostname,
             alternative_service_info_vector[0].alternative_service());
@@ -898,17 +937,19 @@ TEST_F(AlternateProtocolServerPropertiesTest, EmptyVector) {
   // |server_info_map_|, emptying the AlternativeServiceInfoVector
   // corresponding to |server|.
   ASSERT_TRUE(
-      impl_.GetAlternativeServiceInfos(server, NetworkIsolationKey()).empty());
+      impl_.GetAlternativeServiceInfos(server, NetworkAnonymizationKey())
+          .empty());
 
   // GetAlternativeServiceInfos() should remove this key from
   // |server_info_map_|, and SetAlternativeServices() should not crash.
   impl_.SetAlternativeServices(
-      server, NetworkIsolationKey(),
+      server, NetworkAnonymizationKey(),
       AlternativeServiceInfoVector(/*size=*/1, alternative_service_info));
 
   // There should still be no alternative service assigned to |server|.
   ASSERT_TRUE(
-      impl_.GetAlternativeServiceInfos(server, NetworkIsolationKey()).empty());
+      impl_.GetAlternativeServiceInfos(server, NetworkAnonymizationKey())
+          .empty());
 }
 
 // Regression test for https://crbug.com/516486 for the canonical host case.
@@ -935,19 +976,21 @@ TEST_F(AlternateProtocolServerPropertiesTest, EmptyVectorForCanonical) {
   // corresponding to |canonical_server|, even when looking up
   // alternative services for |server|.
   ASSERT_TRUE(
-      impl_.GetAlternativeServiceInfos(server, NetworkIsolationKey()).empty());
+      impl_.GetAlternativeServiceInfos(server, NetworkAnonymizationKey())
+          .empty());
 
   // GetAlternativeServiceInfos() should remove this key from
   // |server_info_map_|, and SetAlternativeServices() should not crash.
   impl_.SetAlternativeServices(
-      canonical_server, NetworkIsolationKey(),
+      canonical_server, NetworkAnonymizationKey(),
       AlternativeServiceInfoVector(/*size=*/1, alternative_service_info));
 
   // There should still be no alternative service assigned to
   // |canonical_server|.
-  ASSERT_TRUE(
-      impl_.GetAlternativeServiceInfos(canonical_server, NetworkIsolationKey())
-          .empty());
+  ASSERT_TRUE(impl_
+                  .GetAlternativeServiceInfos(canonical_server,
+                                              NetworkAnonymizationKey())
+                  .empty());
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest, ClearServerWithCanonical) {
@@ -960,12 +1003,12 @@ TEST_F(AlternateProtocolServerPropertiesTest, ClearServerWithCanonical) {
           alternative_service, expiration, DefaultSupportedQuicVersions());
 
   impl_.SetAlternativeServices(
-      canonical_server, NetworkIsolationKey(),
+      canonical_server, NetworkAnonymizationKey(),
       AlternativeServiceInfoVector(/*size=*/1, alternative_service_info));
 
   // Make sure the canonical service is returned for the other server.
   const AlternativeServiceInfoVector alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(kProtoQUIC,
             alternative_service_info_vector[0].alternative_service().protocol);
@@ -975,11 +1018,12 @@ TEST_F(AlternateProtocolServerPropertiesTest, ClearServerWithCanonical) {
   // cleared.
   // GetAlternativeServices() should remove this key from
   // |server_info_map_|, and SetAlternativeServices() should not crash.
-  impl_.SetAlternativeServices(server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(server, NetworkAnonymizationKey(),
                                AlternativeServiceInfoVector());
 
   ASSERT_TRUE(
-      impl_.GetAlternativeServiceInfos(server, NetworkIsolationKey()).empty());
+      impl_.GetAlternativeServiceInfos(server, NetworkAnonymizationKey())
+          .empty());
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest, MRUOfGetAlternativeServiceInfos) {
@@ -994,14 +1038,14 @@ TEST_F(AlternateProtocolServerPropertiesTest, MRUOfGetAlternativeServiceInfos) {
       impl_.server_info_map_for_testing();
   auto it = map.begin();
   EXPECT_EQ(test_server2, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.alternative_services.has_value());
   ASSERT_EQ(1u, it->second.alternative_services->size());
   EXPECT_EQ(alternative_service2,
             it->second.alternative_services.value()[0].alternative_service());
 
   const AlternativeServiceInfoVector alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server1, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server1, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector[0].alternative_service());
@@ -1009,7 +1053,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, MRUOfGetAlternativeServiceInfos) {
   // GetAlternativeServices should reorder the AlternateProtocol map.
   it = map.begin();
   EXPECT_EQ(test_server1, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.alternative_services.has_value());
   ASSERT_EQ(1u, it->second.alternative_services->size());
   EXPECT_EQ(alternative_service1,
@@ -1021,23 +1065,23 @@ TEST_F(AlternateProtocolServerPropertiesTest, SetBroken) {
   const AlternativeService alternative_service1(kProtoHTTP2, "foo", 443);
   SetAlternativeService(test_server, alternative_service1);
   AlternativeServiceInfoVector alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
 
   // GetAlternativeServiceInfos should return the broken alternative service.
   impl_.MarkAlternativeServiceBroken(alternative_service1,
-                                     NetworkIsolationKey());
+                                     NetworkAnonymizationKey());
   alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
 
   // SetAlternativeServices should add a broken alternative service to the map.
   AlternativeServiceInfoVector alternative_service_info_vector2;
@@ -1049,29 +1093,29 @@ TEST_F(AlternateProtocolServerPropertiesTest, SetBroken) {
   alternative_service_info_vector2.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
           alternative_service2, expiration));
-  impl_.SetAlternativeServices(test_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(test_server, NetworkAnonymizationKey(),
                                alternative_service_info_vector2);
   alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(2u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_EQ(alternative_service2,
             alternative_service_info_vector[1].alternative_service());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service2,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
 
   // SetAlternativeService should add a broken alternative service to the map.
   SetAlternativeService(test_server, alternative_service1);
   alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -1080,24 +1124,24 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   const AlternativeService alternative_service1(kProtoHTTP2, "foo", 443);
   SetAlternativeService(test_server, alternative_service1);
   AlternativeServiceInfoVector alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
 
   // Mark the alternative service as broken until the default network changes.
   impl_.MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-      alternative_service1, NetworkIsolationKey());
+      alternative_service1, NetworkAnonymizationKey());
   // The alternative service should be persisted and marked as broken.
   alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
 
   // SetAlternativeServices should add a broken alternative service to the map.
   AlternativeServiceInfoVector alternative_service_info_vector2;
@@ -1109,29 +1153,29 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   alternative_service_info_vector2.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
           alternative_service2, expiration));
-  impl_.SetAlternativeServices(test_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(test_server, NetworkAnonymizationKey(),
                                alternative_service_info_vector2);
   alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(2u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_EQ(alternative_service2,
             alternative_service_info_vector[1].alternative_service());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service2,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
 
   // SetAlternativeService should add a broken alternative service to the map.
   SetAlternativeService(test_server, alternative_service1);
   alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(alternative_service1,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest, MaxAge) {
@@ -1154,11 +1198,11 @@ TEST_F(AlternateProtocolServerPropertiesTest, MaxAge) {
           alternative_service2, now + one_day));
 
   url::SchemeHostPort test_server("http", "foo", 80);
-  impl_.SetAlternativeServices(test_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(test_server, NetworkAnonymizationKey(),
                                alternative_service_info_vector);
 
   AlternativeServiceInfoVector alternative_service_info_vector2 =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector2.size());
   EXPECT_EQ(alternative_service2,
             alternative_service_info_vector2[0].alternative_service());
@@ -1184,12 +1228,12 @@ TEST_F(AlternateProtocolServerPropertiesTest, MaxAgeCanonical) {
           alternative_service2, now + one_day));
 
   url::SchemeHostPort canonical_server("https", "bar.c.youtube.com", 443);
-  impl_.SetAlternativeServices(canonical_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(canonical_server, NetworkAnonymizationKey(),
                                alternative_service_info_vector);
 
   url::SchemeHostPort test_server("https", "foo.c.youtube.com", 443);
   AlternativeServiceInfoVector alternative_service_info_vector2 =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector2.size());
   EXPECT_EQ(alternative_service2,
             alternative_service_info_vector2[0].alternative_service());
@@ -1208,14 +1252,14 @@ TEST_F(AlternateProtocolServerPropertiesTest, AlternativeServiceWithScheme) {
           alternative_service2, expiration));
   // Set Alt-Svc list for |http_server|.
   url::SchemeHostPort http_server("http", "foo", 80);
-  impl_.SetAlternativeServices(http_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(http_server, NetworkAnonymizationKey(),
                                alternative_service_info_vector);
 
   const net::HttpServerProperties::ServerInfoMap& map =
       impl_.server_info_map_for_testing();
   auto it = map.begin();
   EXPECT_EQ(http_server, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.alternative_services.has_value());
   ASSERT_EQ(2u, it->second.alternative_services->size());
   EXPECT_EQ(alternative_service1,
@@ -1226,29 +1270,34 @@ TEST_F(AlternateProtocolServerPropertiesTest, AlternativeServiceWithScheme) {
   // Check Alt-Svc list should not be set for |https_server|.
   url::SchemeHostPort https_server("https", "foo", 80);
   EXPECT_EQ(
-      0u, impl_.GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
-              .size());
+      0u,
+      impl_.GetAlternativeServiceInfos(https_server, NetworkAnonymizationKey())
+          .size());
 
   // Set Alt-Svc list for |https_server|.
-  impl_.SetAlternativeServices(https_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(https_server, NetworkAnonymizationKey(),
                                alternative_service_info_vector);
   EXPECT_EQ(
-      2u, impl_.GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
-              .size());
-  EXPECT_EQ(2u,
-            impl_.GetAlternativeServiceInfos(http_server, NetworkIsolationKey())
-                .size());
+      2u,
+      impl_.GetAlternativeServiceInfos(https_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      2u,
+      impl_.GetAlternativeServiceInfos(http_server, NetworkAnonymizationKey())
+          .size());
 
   // Clear Alt-Svc list for |http_server|.
-  impl_.SetAlternativeServices(http_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(http_server, NetworkAnonymizationKey(),
                                AlternativeServiceInfoVector());
 
-  EXPECT_EQ(0u,
-            impl_.GetAlternativeServiceInfos(http_server, NetworkIsolationKey())
-                .size());
   EXPECT_EQ(
-      2u, impl_.GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
-              .size());
+      0u,
+      impl_.GetAlternativeServiceInfos(http_server, NetworkAnonymizationKey())
+          .size());
+  EXPECT_EQ(
+      2u,
+      impl_.GetAlternativeServiceInfos(https_server, NetworkAnonymizationKey())
+          .size());
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest, ClearAlternativeServices) {
@@ -1263,14 +1312,14 @@ TEST_F(AlternateProtocolServerPropertiesTest, ClearAlternativeServices) {
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
           alternative_service2, expiration));
   url::SchemeHostPort test_server("http", "foo", 80);
-  impl_.SetAlternativeServices(test_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(test_server, NetworkAnonymizationKey(),
                                alternative_service_info_vector);
 
   const net::HttpServerProperties::ServerInfoMap& map =
       impl_.server_info_map_for_testing();
   auto it = map.begin();
   EXPECT_EQ(test_server, it->first.server);
-  EXPECT_TRUE(it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(it->second.alternative_services.has_value());
   ASSERT_EQ(2u, it->second.alternative_services->size());
   EXPECT_EQ(alternative_service1,
@@ -1278,7 +1327,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, ClearAlternativeServices) {
   EXPECT_EQ(alternative_service2,
             it->second.alternative_services.value()[1].alternative_service());
 
-  impl_.SetAlternativeServices(test_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(test_server, NetworkAnonymizationKey(),
                                AlternativeServiceInfoVector());
   EXPECT_TRUE(map.empty());
 }
@@ -1294,25 +1343,25 @@ TEST_F(AlternateProtocolServerPropertiesTest, BrokenShadowsCanonical) {
                                                    "bar.c.youtube.com", 1234);
   SetAlternativeService(canonical_server, canonical_alternative_service);
   AlternativeServiceInfoVector alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(canonical_alternative_service,
             alternative_service_info_vector[0].alternative_service());
 
   const AlternativeService broken_alternative_service(kProtoHTTP2, "foo", 443);
   impl_.MarkAlternativeServiceBroken(broken_alternative_service,
-                                     NetworkIsolationKey());
+                                     NetworkAnonymizationKey());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(broken_alternative_service,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
 
   SetAlternativeService(test_server, broken_alternative_service);
   alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(broken_alternative_service,
             alternative_service_info_vector[0].alternative_service());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(broken_alternative_service,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest, ClearBroken) {
@@ -1320,16 +1369,16 @@ TEST_F(AlternateProtocolServerPropertiesTest, ClearBroken) {
   const AlternativeService alternative_service(kProtoHTTP2, "foo", 443);
   SetAlternativeService(test_server, alternative_service);
   impl_.MarkAlternativeServiceBroken(alternative_service,
-                                     NetworkIsolationKey());
-  ASSERT_TRUE(HasAlternativeService(test_server, NetworkIsolationKey()));
+                                     NetworkAnonymizationKey());
+  ASSERT_TRUE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
   // SetAlternativeServices should leave a broken alternative service marked
   // as such.
-  impl_.SetAlternativeServices(test_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(test_server, NetworkAnonymizationKey(),
                                AlternativeServiceInfoVector());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -1338,7 +1387,7 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   const AlternativeService alternative_service(kProtoHTTP2, "foo", 443);
   const base::Time expiration = test_clock_.Now() + base::Days(1);
 
-  // Without NetworkIsolationKeys enabled, the NetworkIsolationKey parameter
+  // Without NetworkIsolationKeys enabled, the NetworkAnonymizationKey parameter
   // should be ignored.
   impl_.SetHttp2AlternativeService(server, network_isolation_key1_,
                                    alternative_service, expiration);
@@ -1446,22 +1495,23 @@ TEST_F(AlternateProtocolServerPropertiesTest, MarkRecentlyBroken) {
   SetAlternativeService(server, alternative_service);
 
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   impl_.MarkAlternativeServiceRecentlyBroken(alternative_service,
-                                             NetworkIsolationKey());
+                                             NetworkAnonymizationKey());
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(alternative_service,
-                                                        NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      alternative_service, NetworkAnonymizationKey()));
 
-  impl_.ConfirmAlternativeService(alternative_service, NetworkIsolationKey());
+  impl_.ConfirmAlternativeService(alternative_service,
+                                  NetworkAnonymizationKey());
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -1470,7 +1520,7 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   const AlternativeService alternative_service(kProtoHTTP2, "foo", 443);
   const base::Time expiration = test_clock_.Now() + base::Days(1);
 
-  // Without NetworkIsolationKeys enabled, the NetworkIsolationKey parameter
+  // Without NetworkIsolationKeys enabled, the NetworkAnonymizationKey parameter
   // should be ignored.
   impl_.SetHttp2AlternativeService(server, network_isolation_key1_,
                                    alternative_service, expiration);
@@ -1578,22 +1628,23 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   SetAlternativeService(server, alternative_service);
 
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   impl_.MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                               NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(alternative_service,
-                                                        NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      alternative_service, NetworkAnonymizationKey()));
 
-  impl_.ConfirmAlternativeService(alternative_service, NetworkIsolationKey());
+  impl_.ConfirmAlternativeService(alternative_service,
+                                  NetworkAnonymizationKey());
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -1602,7 +1653,7 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   const AlternativeService alternative_service(kProtoHTTP2, "foo", 443);
   const base::Time expiration = test_clock_.Now() + base::Days(1);
 
-  // Without NetworkIsolationKeys enabled, the NetworkIsolationKey parameter
+  // Without NetworkIsolationKeys enabled, the NetworkAnonymizationKey parameter
   // should be ignored.
   impl_.SetHttp2AlternativeService(server, network_isolation_key1_,
                                    alternative_service, expiration);
@@ -1711,61 +1762,61 @@ TEST_F(AlternateProtocolServerPropertiesTest, OnDefaultNetworkChanged) {
 
   SetAlternativeService(server, alternative_service);
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   impl_.MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                               NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(alternative_service,
-                                                        NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      alternative_service, NetworkAnonymizationKey()));
 
   // Default network change clears alt svc broken until default network changes.
   impl_.OnDefaultNetworkChanged();
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   impl_.MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                               NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(alternative_service,
-                                                        NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      alternative_service, NetworkAnonymizationKey()));
 
   impl_.MarkAlternativeServiceBroken(alternative_service,
-                                     NetworkIsolationKey());
+                                     NetworkAnonymizationKey());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                               NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(alternative_service,
-                                                        NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      alternative_service, NetworkAnonymizationKey()));
 
   // Default network change doesn't affect alt svc that was simply marked broken
   // most recently.
   impl_.OnDefaultNetworkChanged();
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                               NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(alternative_service,
-                                                        NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      alternative_service, NetworkAnonymizationKey()));
 
   impl_.MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                               NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(alternative_service,
-                                                        NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      alternative_service, NetworkAnonymizationKey()));
 
   // Default network change clears alt svc that was marked broken until default
   // network change most recently even if the alt svc was initially marked
   // broken.
   impl_.OnDefaultNetworkChanged();
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -1824,10 +1875,11 @@ TEST_F(AlternateProtocolServerPropertiesTest,
 
 TEST_F(AlternateProtocolServerPropertiesTest, Canonical) {
   url::SchemeHostPort test_server("https", "foo.c.youtube.com", 443);
-  EXPECT_FALSE(HasAlternativeService(test_server, NetworkIsolationKey()));
+  EXPECT_FALSE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
 
   url::SchemeHostPort canonical_server("https", "bar.c.youtube.com", 443);
-  EXPECT_FALSE(HasAlternativeService(canonical_server, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      HasAlternativeService(canonical_server, NetworkAnonymizationKey()));
 
   AlternativeServiceInfoVector alternative_service_info_vector;
   const AlternativeService canonical_alternative_service1(
@@ -1841,13 +1893,13 @@ TEST_F(AlternateProtocolServerPropertiesTest, Canonical) {
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
           canonical_alternative_service2, expiration));
-  impl_.SetAlternativeServices(canonical_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(canonical_server, NetworkAnonymizationKey(),
                                alternative_service_info_vector);
 
   // Since |test_server| does not have an alternative service itself,
   // GetAlternativeServiceInfos should return those of |canonical_server|.
   AlternativeServiceInfoVector alternative_service_info_vector2 =
-      impl_.GetAlternativeServiceInfos(test_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey());
   ASSERT_EQ(2u, alternative_service_info_vector2.size());
   EXPECT_EQ(canonical_alternative_service1,
             alternative_service_info_vector2[0].alternative_service());
@@ -1876,9 +1928,9 @@ TEST_F(AlternateProtocolServerPropertiesTest, ClearCanonical) {
                                                    "bar.c.youtube.com", 1234);
 
   SetAlternativeService(canonical_server, canonical_alternative_service);
-  impl_.SetAlternativeServices(canonical_server, NetworkIsolationKey(),
+  impl_.SetAlternativeServices(canonical_server, NetworkAnonymizationKey(),
                                AlternativeServiceInfoVector());
-  EXPECT_FALSE(HasAlternativeService(test_server, NetworkIsolationKey()));
+  EXPECT_FALSE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -1929,11 +1981,12 @@ TEST_F(AlternateProtocolServerPropertiesTest,
           .GetAlternativeServiceInfos(test_server, network_isolation_key2_)
           .empty());
   EXPECT_TRUE(
-      properties.GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+      properties
+          .GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 
   // Now add an alternative service entry for network_isolation_key2_ for a
-  // different server and different NetworkIsolationKey, but with the same
+  // different server and different NetworkAnonymizationKey, but with the same
   // canonical suffix.
   url::SchemeHostPort canonical_server2("https", "shrimp.c.youtube.com", 443);
   properties.SetAlternativeServices(canonical_server2, network_isolation_key2_,
@@ -1950,7 +2003,8 @@ TEST_F(AlternateProtocolServerPropertiesTest,
               .GetAlternativeServiceInfos(test_server, network_isolation_key1_)
               .size());
   EXPECT_TRUE(
-      properties.GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+      properties
+          .GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 
   // Clearing the alternate service state of network_isolation_key1_'s canonical
@@ -1966,7 +2020,8 @@ TEST_F(AlternateProtocolServerPropertiesTest,
           .GetAlternativeServiceInfos(test_server, network_isolation_key1_)
           .empty());
   EXPECT_TRUE(
-      properties.GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
+      properties
+          .GetAlternativeServiceInfos(test_server, NetworkAnonymizationKey())
           .empty());
 }
 
@@ -1977,10 +2032,10 @@ TEST_F(AlternateProtocolServerPropertiesTest, CanonicalBroken) {
                                                    "bar.c.youtube.com", 1234);
 
   SetAlternativeService(canonical_server, canonical_alternative_service);
-  EXPECT_TRUE(HasAlternativeService(test_server, NetworkIsolationKey()));
+  EXPECT_TRUE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
   impl_.MarkAlternativeServiceBroken(canonical_alternative_service,
-                                     NetworkIsolationKey());
-  EXPECT_FALSE(HasAlternativeService(test_server, NetworkIsolationKey()));
+                                     NetworkAnonymizationKey());
+  EXPECT_FALSE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -1991,10 +2046,10 @@ TEST_F(AlternateProtocolServerPropertiesTest,
                                                    "bar.c.youtube.com", 1234);
 
   SetAlternativeService(canonical_server, canonical_alternative_service);
-  EXPECT_TRUE(HasAlternativeService(test_server, NetworkIsolationKey()));
+  EXPECT_TRUE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
   impl_.MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-      canonical_alternative_service, NetworkIsolationKey());
-  EXPECT_FALSE(HasAlternativeService(test_server, NetworkIsolationKey()));
+      canonical_alternative_service, NetworkAnonymizationKey());
+  EXPECT_FALSE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
 }
 
 // Adding an alternative service for a new host overrides canonical host.
@@ -2005,7 +2060,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, CanonicalOverride) {
                                              1234);
   SetAlternativeService(bar_server, bar_alternative_service);
   AlternativeServiceInfoVector alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(foo_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(foo_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(bar_alternative_service,
             alternative_service_info_vector[0].alternative_service());
@@ -2015,7 +2070,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, CanonicalOverride) {
                                              443);
   SetAlternativeService(qux_server, qux_alternative_service);
   alternative_service_info_vector =
-      impl_.GetAlternativeServiceInfos(foo_server, NetworkIsolationKey());
+      impl_.GetAlternativeServiceInfos(foo_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   EXPECT_EQ(qux_alternative_service,
             alternative_service_info_vector[0].alternative_service());
@@ -2029,7 +2084,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, ClearWithCanonical) {
 
   SetAlternativeService(canonical_server, canonical_alternative_service);
   impl_.Clear(base::OnceClosure());
-  EXPECT_FALSE(HasAlternativeService(test_server, NetworkIsolationKey()));
+  EXPECT_FALSE(HasAlternativeService(test_server, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -2037,26 +2092,26 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   url::SchemeHostPort server("https", "foo", 443);
   AlternativeService alternative_service(kProtoQUIC, "foo", 443);
   SetAlternativeService(server, alternative_service);
-  EXPECT_TRUE(HasAlternativeService(server, NetworkIsolationKey()));
+  EXPECT_TRUE(HasAlternativeService(server, NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   base::TimeTicks past = test_tick_clock_->NowTicks() - base::Seconds(42);
   HttpServerPropertiesPeer::AddBrokenAlternativeServiceWithExpirationTime(
       &impl_, alternative_service, past);
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                               NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(alternative_service,
-                                                        NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      alternative_service, NetworkAnonymizationKey()));
 
   HttpServerPropertiesPeer::ExpireBrokenAlternateProtocolMappings(&impl_);
-  EXPECT_FALSE(HasAlternativeService(server, NetworkIsolationKey()));
+  EXPECT_FALSE(HasAlternativeService(server, NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                NetworkIsolationKey()));
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(alternative_service,
-                                                        NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      alternative_service, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -2147,17 +2202,17 @@ TEST_F(AlternateProtocolServerPropertiesTest, RemoveExpiredBrokenAltSvc) {
   url::SchemeHostPort foo_server("https", "foo", 443);
   AlternativeService bar_alternative_service(kProtoQUIC, "bar", 443);
   SetAlternativeService(foo_server, bar_alternative_service);
-  EXPECT_TRUE(HasAlternativeService(foo_server, NetworkIsolationKey()));
+  EXPECT_TRUE(HasAlternativeService(foo_server, NetworkAnonymizationKey()));
 
   url::SchemeHostPort bar_server1("http", "bar", 80);
   AlternativeService nohost_alternative_service(kProtoQUIC, "", 443);
   SetAlternativeService(bar_server1, nohost_alternative_service);
-  EXPECT_TRUE(HasAlternativeService(bar_server1, NetworkIsolationKey()));
+  EXPECT_TRUE(HasAlternativeService(bar_server1, NetworkAnonymizationKey()));
 
   url::SchemeHostPort bar_server2("https", "bar", 443);
   AlternativeService baz_alternative_service(kProtoQUIC, "baz", 1234);
   SetAlternativeService(bar_server2, baz_alternative_service);
-  EXPECT_TRUE(HasAlternativeService(bar_server2, NetworkIsolationKey()));
+  EXPECT_TRUE(HasAlternativeService(bar_server2, NetworkAnonymizationKey()));
 
   // Mark "bar:443" as broken.
   base::TimeTicks past = test_tick_clock_->NowTicks() - base::Seconds(42);
@@ -2168,16 +2223,16 @@ TEST_F(AlternateProtocolServerPropertiesTest, RemoveExpiredBrokenAltSvc) {
   HttpServerPropertiesPeer::ExpireBrokenAlternateProtocolMappings(&impl_);
 
   // "foo:443" should have no alternative service now.
-  EXPECT_FALSE(HasAlternativeService(foo_server, NetworkIsolationKey()));
+  EXPECT_FALSE(HasAlternativeService(foo_server, NetworkAnonymizationKey()));
   // "bar:80" should have no alternative service now.
-  EXPECT_FALSE(HasAlternativeService(bar_server1, NetworkIsolationKey()));
+  EXPECT_FALSE(HasAlternativeService(bar_server1, NetworkAnonymizationKey()));
   // The alternative service of "bar:443" should be unaffected.
-  EXPECT_TRUE(HasAlternativeService(bar_server2, NetworkIsolationKey()));
+  EXPECT_TRUE(HasAlternativeService(bar_server2, NetworkAnonymizationKey()));
 
-  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(bar_alternative_service,
-                                                        NetworkIsolationKey()));
+  EXPECT_TRUE(impl_.WasAlternativeServiceRecentlyBroken(
+      bar_alternative_service, NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.WasAlternativeServiceRecentlyBroken(
-      baz_alternative_service, NetworkIsolationKey()));
+      baz_alternative_service, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -2190,12 +2245,12 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   impl_.SetBrokenAlternativeServicesDelayParams(initial_delay, true);
   for (int i = 0; i < 10; ++i) {
     impl_.MarkAlternativeServiceBroken(alternative_service,
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
     // |impl_| should have posted task to expire the brokenness of
     // |alternative_service|
     EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
     EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                 NetworkIsolationKey()));
+                                                 NetworkAnonymizationKey()));
 
     // Advance time by just enough so that |alternative_service|'s brokenness
     // expires.
@@ -2204,7 +2259,7 @@ TEST_F(AlternateProtocolServerPropertiesTest,
     // Ensure brokenness of |alternative_service| has expired.
     EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
     EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                  NetworkIsolationKey()));
+                                                  NetworkAnonymizationKey()));
   }
 }
 
@@ -2218,12 +2273,12 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   impl_.SetBrokenAlternativeServicesDelayParams(initial_delay, false);
   for (int i = 0; i < 10; ++i) {
     impl_.MarkAlternativeServiceBroken(alternative_service,
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
     // |impl_| should have posted task to expire the brokenness of
     // |alternative_service|
     EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
     EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                 NetworkIsolationKey()));
+                                                 NetworkAnonymizationKey()));
 
     // Advance time by just enough so that |alternative_service|'s brokenness
     // expires.
@@ -2236,7 +2291,7 @@ TEST_F(AlternateProtocolServerPropertiesTest,
     // Ensure brokenness of |alternative_service| has expired.
     EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
     EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service,
-                                                  NetworkIsolationKey()));
+                                                  NetworkAnonymizationKey()));
   }
 }
 
@@ -2262,13 +2317,13 @@ TEST_F(AlternateProtocolServerPropertiesTest, RemoveExpiredBrokenAltSvc2) {
   // This will increase its time until expiration.
   for (int i = 0; i < 3; ++i) {
     impl_.MarkAlternativeServiceBroken(alternative_service1,
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
     // |impl_| should have posted task to expire the brokenness of
     // |alternative_service1|
     EXPECT_EQ(1u, GetPendingMainThreadTaskCount());
     EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                                 NetworkIsolationKey()));
+                                                 NetworkAnonymizationKey()));
 
     // Advance time by just enough so that |alternative_service1|'s brokenness
     // expires.
@@ -2277,34 +2332,34 @@ TEST_F(AlternateProtocolServerPropertiesTest, RemoveExpiredBrokenAltSvc2) {
     // Ensure brokenness of |alternative_service1| has expired.
     EXPECT_EQ(0u, GetPendingMainThreadTaskCount());
     EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                                  NetworkIsolationKey()));
+                                                  NetworkAnonymizationKey()));
   }
 
   impl_.MarkAlternativeServiceBroken(alternative_service1,
-                                     NetworkIsolationKey());
+                                     NetworkAnonymizationKey());
   impl_.MarkAlternativeServiceBroken(alternative_service2,
-                                     NetworkIsolationKey());
+                                     NetworkAnonymizationKey());
 
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service2,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
 
   // Advance time by just enough so that |alternative_service2|'s brokennness
   // expires.
   FastForwardBy(BROKEN_ALT_SVC_EXPIRE_DELAYS[0]);
 
   EXPECT_TRUE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                               NetworkIsolationKey()));
+                                               NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service2,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
 
   // Advance time by enough so that |alternative_service1|'s brokenness expires.
   FastForwardBy(BROKEN_ALT_SVC_EXPIRE_DELAYS[3] -
                 BROKEN_ALT_SVC_EXPIRE_DELAYS[0]);
 
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service1,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.IsAlternativeServiceBroken(alternative_service2,
-                                                NetworkIsolationKey()));
+                                                NetworkAnonymizationKey()));
 }
 
 // Regression test for https://crbug.com/994537. Having a ServerInfo entry
@@ -2315,12 +2370,12 @@ TEST_F(AlternateProtocolServerPropertiesTest, RemoveExpiredBrokenAltSvc3) {
   const url::SchemeHostPort kServer1("https", "foo", 443);
   const AlternativeService kAltService(kProtoQUIC, "bar", 443);
   SetAlternativeService(kServer1, kAltService);
-  EXPECT_TRUE(HasAlternativeService(kServer1, NetworkIsolationKey()));
+  EXPECT_TRUE(HasAlternativeService(kServer1, NetworkAnonymizationKey()));
 
   // Add an entry to ServerInfo for another server, without an alternative
   // service value.
   const url::SchemeHostPort kServer2("http", "bar", 80);
-  impl_.SetSupportsSpdy(kServer2, NetworkIsolationKey(), false);
+  impl_.SetSupportsSpdy(kServer2, NetworkAnonymizationKey(), false);
 
   // Mark kAltService as broken.
   base::TimeTicks past = test_tick_clock_->NowTicks() - base::Seconds(42);
@@ -2330,7 +2385,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, RemoveExpiredBrokenAltSvc3) {
   // Expire brokenness of kAltService. This call should not hang.
   HttpServerPropertiesPeer::ExpireBrokenAlternateProtocolMappings(&impl_);
 
-  EXPECT_FALSE(HasAlternativeService(kServer1, NetworkIsolationKey()));
+  EXPECT_FALSE(HasAlternativeService(kServer1, NetworkAnonymizationKey()));
 }
 
 TEST_F(AlternateProtocolServerPropertiesTest,
@@ -2363,21 +2418,21 @@ TEST_F(AlternateProtocolServerPropertiesTest,
           DefaultSupportedQuicVersions()));
 
   impl_.SetAlternativeServices(url::SchemeHostPort("https", "youtube.com", 443),
-                               NetworkIsolationKey(),
+                               NetworkAnonymizationKey(),
                                alternative_service_info_vector);
 
   impl_.MarkAlternativeServiceBroken(AlternativeService(kProtoQUIC, "bar", 443),
-                                     NetworkIsolationKey());
+                                     NetworkAnonymizationKey());
 
   impl_.MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-      AlternativeService(kProtoQUIC, "baz", 443), NetworkIsolationKey());
+      AlternativeService(kProtoQUIC, "baz", 443), NetworkAnonymizationKey());
 
   alternative_service_info_vector.clear();
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
           AlternativeService(kProtoHTTP2, "foo2", 443), now + base::Days(1)));
   impl_.SetAlternativeServices(url::SchemeHostPort("http", "test.com", 80),
-                               NetworkIsolationKey(),
+                               NetworkAnonymizationKey(),
                                alternative_service_info_vector);
 
   const char expected_json[] =
@@ -2385,7 +2440,7 @@ TEST_F(AlternateProtocolServerPropertiesTest,
       "{"
       "\"alternative_service\":"
       "[\"h2 foo2:443, expires 2018-01-25 15:12:53\"],"
-      "\"network_isolation_key\":\"null null\","
+      "\"network_anonymization_key\":\"null null\","
       "\"server\":\"http://test.com\""
       "},"
       "{"
@@ -2395,7 +2450,7 @@ TEST_F(AlternateProtocolServerPropertiesTest,
       " (broken until 2018-01-24 15:17:53)\","
       "\"quic baz:443, expires 2018-01-24 16:12:53"
       " (broken until 2018-01-24 15:17:53)\"],"
-      "\"network_isolation_key\":\"null null\","
+      "\"network_anonymization_key\":\"null null\","
       "\"server\":\"https://youtube.com\""
       "}"
       "]";
@@ -2496,7 +2551,7 @@ TEST_F(HttpServerPropertiesTest, LoadServerNetworkStats) {
       std::make_unique<HttpServerProperties::ServerInfoMap>();
   impl_.OnServerInfoLoadedForTesting(std::move(load_server_info_map));
   const ServerNetworkStats* stats =
-      impl_.GetServerNetworkStats(google_server, NetworkIsolationKey());
+      impl_.GetServerNetworkStats(google_server, NetworkAnonymizationKey());
   EXPECT_EQ(nullptr, stats);
 
   // Check by initializing with www.google.com:443.
@@ -2512,7 +2567,7 @@ TEST_F(HttpServerPropertiesTest, LoadServerNetworkStats) {
   // Verify data for www.google.com:443.
   ASSERT_EQ(1u, impl_.server_info_map_for_testing().size());
   EXPECT_EQ(stats_google, *(impl_.GetServerNetworkStats(
-                              google_server, NetworkIsolationKey())));
+                              google_server, NetworkAnonymizationKey())));
 
   // Test recency order and overwriting of data.
   //
@@ -2524,7 +2579,8 @@ TEST_F(HttpServerPropertiesTest, LoadServerNetworkStats) {
   stats_docs.srtt = base::Microseconds(20);
   stats_docs.bandwidth_estimate = quic::QuicBandwidth::FromBitsPerSecond(200);
   // Recency order will be |docs_server| and |google_server|.
-  impl_.SetServerNetworkStats(docs_server, NetworkIsolationKey(), stats_docs);
+  impl_.SetServerNetworkStats(docs_server, NetworkAnonymizationKey(),
+                              stats_docs);
 
   // Prepare |server_info_map| to be loaded by OnServerInfoLoadedForTesting().
   std::unique_ptr<HttpServerProperties::ServerInfoMap> server_info_map =
@@ -2554,17 +2610,17 @@ TEST_F(HttpServerPropertiesTest, LoadServerNetworkStats) {
   auto map_it = map.begin();
 
   EXPECT_EQ(docs_server, map_it->first.server);
-  EXPECT_TRUE(map_it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(map_it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(map_it->second.server_network_stats.has_value());
   EXPECT_EQ(new_stats_docs, *map_it->second.server_network_stats);
   ++map_it;
   EXPECT_EQ(google_server, map_it->first.server);
-  EXPECT_TRUE(map_it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(map_it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(map_it->second.server_network_stats.has_value());
   EXPECT_EQ(stats_google, *map_it->second.server_network_stats);
   ++map_it;
   EXPECT_EQ(mail_server, map_it->first.server);
-  EXPECT_TRUE(map_it->first.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(map_it->first.network_anonymization_key.IsEmpty());
   ASSERT_TRUE(map_it->second.server_network_stats.has_value());
   EXPECT_EQ(stats_mail, *map_it->second.server_network_stats);
 }
@@ -2573,28 +2629,29 @@ TEST_F(HttpServerPropertiesTest, SetServerNetworkStats) {
   url::SchemeHostPort foo_http_server("http", "foo", 443);
   url::SchemeHostPort foo_https_server("https", "foo", 443);
   EXPECT_EQ(nullptr, impl_.GetServerNetworkStats(foo_http_server,
-                                                 NetworkIsolationKey()));
+                                                 NetworkAnonymizationKey()));
   EXPECT_EQ(nullptr, impl_.GetServerNetworkStats(foo_https_server,
-                                                 NetworkIsolationKey()));
+                                                 NetworkAnonymizationKey()));
 
   ServerNetworkStats stats1;
   stats1.srtt = base::Microseconds(10);
   stats1.bandwidth_estimate = quic::QuicBandwidth::FromBitsPerSecond(100);
-  impl_.SetServerNetworkStats(foo_http_server, NetworkIsolationKey(), stats1);
+  impl_.SetServerNetworkStats(foo_http_server, NetworkAnonymizationKey(),
+                              stats1);
 
   const ServerNetworkStats* stats2 =
-      impl_.GetServerNetworkStats(foo_http_server, NetworkIsolationKey());
+      impl_.GetServerNetworkStats(foo_http_server, NetworkAnonymizationKey());
   EXPECT_EQ(10, stats2->srtt.ToInternalValue());
   EXPECT_EQ(100, stats2->bandwidth_estimate.ToBitsPerSecond());
   // Https server should have nothing set for server network stats.
   EXPECT_EQ(nullptr, impl_.GetServerNetworkStats(foo_https_server,
-                                                 NetworkIsolationKey()));
+                                                 NetworkAnonymizationKey()));
 
   impl_.Clear(base::OnceClosure());
   EXPECT_EQ(nullptr, impl_.GetServerNetworkStats(foo_http_server,
-                                                 NetworkIsolationKey()));
+                                                 NetworkAnonymizationKey()));
   EXPECT_EQ(nullptr, impl_.GetServerNetworkStats(foo_https_server,
-                                                 NetworkIsolationKey()));
+                                                 NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesTest, ClearServerNetworkStats) {
@@ -2602,17 +2659,18 @@ TEST_F(HttpServerPropertiesTest, ClearServerNetworkStats) {
   stats.srtt = base::Microseconds(10);
   stats.bandwidth_estimate = quic::QuicBandwidth::FromBitsPerSecond(100);
   url::SchemeHostPort foo_https_server("https", "foo", 443);
-  impl_.SetServerNetworkStats(foo_https_server, NetworkIsolationKey(), stats);
+  impl_.SetServerNetworkStats(foo_https_server, NetworkAnonymizationKey(),
+                              stats);
 
-  impl_.ClearServerNetworkStats(foo_https_server, NetworkIsolationKey());
+  impl_.ClearServerNetworkStats(foo_https_server, NetworkAnonymizationKey());
   EXPECT_EQ(nullptr, impl_.GetServerNetworkStats(foo_https_server,
-                                                 NetworkIsolationKey()));
+                                                 NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesTest, OnQuicServerInfoMapLoaded) {
   quic::QuicServerId google_quic_server_id("www.google.com", 443, true);
   HttpServerProperties::QuicServerInfoMapKey google_key(
-      google_quic_server_id, NetworkIsolationKey(),
+      google_quic_server_id, NetworkAnonymizationKey(),
       false /* use_network_isolation_key */);
 
   const int kMaxQuicServerEntries = 10;
@@ -2639,9 +2697,9 @@ TEST_F(HttpServerPropertiesTest, OnQuicServerInfoMapLoaded) {
 
   // Verify data for www.google.com:443.
   EXPECT_EQ(1u, impl_.quic_server_info_map().size());
-  EXPECT_EQ(
-      google_server_info,
-      *impl_.GetQuicServerInfo(google_quic_server_id, NetworkIsolationKey()));
+  EXPECT_EQ(google_server_info,
+            *impl_.GetQuicServerInfo(google_quic_server_id,
+                                     NetworkAnonymizationKey()));
 
   // Test recency order and overwriting of data.
   //
@@ -2650,10 +2708,10 @@ TEST_F(HttpServerPropertiesTest, OnQuicServerInfoMapLoaded) {
   // entry for |docs_server|.
   quic::QuicServerId docs_quic_server_id("docs.google.com", 443, true);
   HttpServerProperties::QuicServerInfoMapKey docs_key(
-      docs_quic_server_id, NetworkIsolationKey(),
+      docs_quic_server_id, NetworkAnonymizationKey(),
       false /* use_network_isolation_key */);
   std::string docs_server_info("docs_quic_server_info");
-  impl_.SetQuicServerInfo(docs_quic_server_id, NetworkIsolationKey(),
+  impl_.SetQuicServerInfo(docs_quic_server_id, NetworkAnonymizationKey(),
                           docs_server_info);
 
   // Recency order will be |docs_server| and |google_server|.
@@ -2679,7 +2737,7 @@ TEST_F(HttpServerPropertiesTest, OnQuicServerInfoMapLoaded) {
   // Add data for mail.google.com:443.
   quic::QuicServerId mail_quic_server_id("mail.google.com", 443, true);
   HttpServerProperties::QuicServerInfoMapKey mail_key(
-      mail_quic_server_id, NetworkIsolationKey(),
+      mail_quic_server_id, NetworkAnonymizationKey(),
       false /* use_network_isolation_key */);
   std::string mail_server_info("mail_quic_server_info");
   quic_server_info_map->Put(mail_key, mail_server_info);
@@ -2715,7 +2773,7 @@ TEST_F(HttpServerPropertiesTest, OnQuicServerInfoMapLoaded) {
   EXPECT_EQ(google_server_info, memory_map1_it->second);
   // |QuicServerInfo| for |mail_quic_server_id| shouldn't be there.
   EXPECT_EQ(nullptr, impl_.GetQuicServerInfo(mail_quic_server_id,
-                                             NetworkIsolationKey()));
+                                             NetworkAnonymizationKey()));
 }
 
 TEST_F(HttpServerPropertiesTest, SetQuicServerInfo) {
@@ -2727,20 +2785,21 @@ TEST_F(HttpServerPropertiesTest, SetQuicServerInfo) {
   std::string quic_server_info3("quic_server_info3");
 
   // Without network isolation keys enabled for HttpServerProperties, passing in
-  // a NetworkIsolationKey should have no effect on behavior.
-  impl_.SetQuicServerInfo(server1, NetworkIsolationKey(), quic_server_info1);
+  // a NetworkAnonymizationKey should have no effect on behavior.
+  impl_.SetQuicServerInfo(server1, NetworkAnonymizationKey(),
+                          quic_server_info1);
   EXPECT_EQ(quic_server_info1,
-            *(impl_.GetQuicServerInfo(server1, NetworkIsolationKey())));
-  EXPECT_FALSE(impl_.GetQuicServerInfo(server2, NetworkIsolationKey()));
+            *(impl_.GetQuicServerInfo(server1, NetworkAnonymizationKey())));
+  EXPECT_FALSE(impl_.GetQuicServerInfo(server2, NetworkAnonymizationKey()));
   EXPECT_EQ(quic_server_info1,
             *(impl_.GetQuicServerInfo(server1, network_isolation_key1_)));
   EXPECT_FALSE(impl_.GetQuicServerInfo(server2, network_isolation_key1_));
 
   impl_.SetQuicServerInfo(server2, network_isolation_key1_, quic_server_info2);
   EXPECT_EQ(quic_server_info1,
-            *(impl_.GetQuicServerInfo(server1, NetworkIsolationKey())));
+            *(impl_.GetQuicServerInfo(server1, NetworkAnonymizationKey())));
   EXPECT_EQ(quic_server_info2,
-            *(impl_.GetQuicServerInfo(server2, NetworkIsolationKey())));
+            *(impl_.GetQuicServerInfo(server2, NetworkAnonymizationKey())));
   EXPECT_EQ(quic_server_info1,
             *(impl_.GetQuicServerInfo(server1, network_isolation_key1_)));
   EXPECT_EQ(quic_server_info2,
@@ -2748,17 +2807,17 @@ TEST_F(HttpServerPropertiesTest, SetQuicServerInfo) {
 
   impl_.SetQuicServerInfo(server1, network_isolation_key1_, quic_server_info3);
   EXPECT_EQ(quic_server_info3,
-            *(impl_.GetQuicServerInfo(server1, NetworkIsolationKey())));
+            *(impl_.GetQuicServerInfo(server1, NetworkAnonymizationKey())));
   EXPECT_EQ(quic_server_info2,
-            *(impl_.GetQuicServerInfo(server2, NetworkIsolationKey())));
+            *(impl_.GetQuicServerInfo(server2, NetworkAnonymizationKey())));
   EXPECT_EQ(quic_server_info3,
             *(impl_.GetQuicServerInfo(server1, network_isolation_key1_)));
   EXPECT_EQ(quic_server_info2,
             *(impl_.GetQuicServerInfo(server2, network_isolation_key1_)));
 
   impl_.Clear(base::OnceClosure());
-  EXPECT_FALSE(impl_.GetQuicServerInfo(server1, NetworkIsolationKey()));
-  EXPECT_FALSE(impl_.GetQuicServerInfo(server2, NetworkIsolationKey()));
+  EXPECT_FALSE(impl_.GetQuicServerInfo(server1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(impl_.GetQuicServerInfo(server2, NetworkAnonymizationKey()));
   EXPECT_FALSE(impl_.GetQuicServerInfo(server1, network_isolation_key1_));
   EXPECT_FALSE(impl_.GetQuicServerInfo(server2, network_isolation_key1_));
 
@@ -2771,36 +2830,41 @@ TEST_F(HttpServerPropertiesTest, SetQuicServerInfo) {
                                   nullptr /* net_log */, test_tick_clock_,
                                   &test_clock_);
 
-  properties.SetQuicServerInfo(server1, NetworkIsolationKey(),
+  properties.SetQuicServerInfo(server1, NetworkAnonymizationKey(),
                                quic_server_info1);
-  EXPECT_EQ(quic_server_info1,
-            *(properties.GetQuicServerInfo(server1, NetworkIsolationKey())));
-  EXPECT_FALSE(properties.GetQuicServerInfo(server2, NetworkIsolationKey()));
+  EXPECT_EQ(quic_server_info1, *(properties.GetQuicServerInfo(
+                                   server1, NetworkAnonymizationKey())));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server2, NetworkAnonymizationKey()));
   EXPECT_FALSE(properties.GetQuicServerInfo(server1, network_isolation_key1_));
   EXPECT_FALSE(properties.GetQuicServerInfo(server2, network_isolation_key1_));
 
   properties.SetQuicServerInfo(server1, network_isolation_key1_,
                                quic_server_info2);
-  EXPECT_EQ(quic_server_info1,
-            *(properties.GetQuicServerInfo(server1, NetworkIsolationKey())));
-  EXPECT_FALSE(properties.GetQuicServerInfo(server2, NetworkIsolationKey()));
+  EXPECT_EQ(quic_server_info1, *(properties.GetQuicServerInfo(
+                                   server1, NetworkAnonymizationKey())));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server2, NetworkAnonymizationKey()));
   EXPECT_EQ(quic_server_info2,
             *(properties.GetQuicServerInfo(server1, network_isolation_key1_)));
   EXPECT_FALSE(properties.GetQuicServerInfo(server2, network_isolation_key1_));
 
   properties.SetQuicServerInfo(server2, network_isolation_key1_,
                                quic_server_info3);
-  EXPECT_EQ(quic_server_info1,
-            *(properties.GetQuicServerInfo(server1, NetworkIsolationKey())));
-  EXPECT_FALSE(properties.GetQuicServerInfo(server2, NetworkIsolationKey()));
+  EXPECT_EQ(quic_server_info1, *(properties.GetQuicServerInfo(
+                                   server1, NetworkAnonymizationKey())));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server2, NetworkAnonymizationKey()));
   EXPECT_EQ(quic_server_info2,
             *(properties.GetQuicServerInfo(server1, network_isolation_key1_)));
   EXPECT_EQ(quic_server_info3,
             *(properties.GetQuicServerInfo(server2, network_isolation_key1_)));
 
   properties.Clear(base::OnceClosure());
-  EXPECT_FALSE(properties.GetQuicServerInfo(server1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties.GetQuicServerInfo(server2, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server2, NetworkAnonymizationKey()));
   EXPECT_FALSE(properties.GetQuicServerInfo(server1, network_isolation_key1_));
   EXPECT_FALSE(properties.GetQuicServerInfo(server2, network_isolation_key1_));
 }
@@ -2812,13 +2876,13 @@ TEST_F(HttpServerPropertiesTest, QuicServerInfoCanonicalSuffixMatch) {
   // Add a host with a canonical suffix.
   quic::QuicServerId foo_server_id("foo.googlevideo.com", 443, false);
   std::string foo_server_info("foo_server_info");
-  impl_.SetQuicServerInfo(foo_server_id, NetworkIsolationKey(),
+  impl_.SetQuicServerInfo(foo_server_id, NetworkAnonymizationKey(),
                           foo_server_info);
 
   // Add a host that has a different canonical suffix.
   quic::QuicServerId baz_server_id("baz.video.com", 443, false);
   std::string baz_server_info("baz_server_info");
-  impl_.SetQuicServerInfo(baz_server_id, NetworkIsolationKey(),
+  impl_.SetQuicServerInfo(baz_server_id, NetworkAnonymizationKey(),
                           baz_server_info);
 
   // Create SchemeHostPort with a host that has the initial canonical suffix.
@@ -2826,7 +2890,7 @@ TEST_F(HttpServerPropertiesTest, QuicServerInfoCanonicalSuffixMatch) {
 
   // Check the the server info associated with "foo" is returned for "bar".
   const std::string* bar_server_info =
-      impl_.GetQuicServerInfo(bar_server_id, NetworkIsolationKey());
+      impl_.GetQuicServerInfo(bar_server_id, NetworkAnonymizationKey());
   ASSERT_TRUE(bar_server_info != nullptr);
   EXPECT_EQ(foo_server_info, *bar_server_info);
 }
@@ -2867,8 +2931,10 @@ TEST_F(HttpServerPropertiesTest,
   EXPECT_EQ(server_info1, *fetched_server_info);
   EXPECT_FALSE(properties.GetQuicServerInfo(server1, network_isolation_key2_));
   EXPECT_FALSE(properties.GetQuicServerInfo(server2, network_isolation_key2_));
-  EXPECT_FALSE(properties.GetQuicServerInfo(server1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties.GetQuicServerInfo(server2, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server2, NetworkAnonymizationKey()));
 
   // Set different QuicServerInfo for the same canononical suffix and
   // |network_isolation_key2_|. Both infos should be retriveable by using the
@@ -2890,8 +2956,10 @@ TEST_F(HttpServerPropertiesTest,
       properties.GetQuicServerInfo(server2, network_isolation_key2_);
   ASSERT_TRUE(fetched_server_info);
   EXPECT_EQ(server_info2, *fetched_server_info);
-  EXPECT_FALSE(properties.GetQuicServerInfo(server1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties.GetQuicServerInfo(server2, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server2, NetworkAnonymizationKey()));
 
   // Clearing should destroy all information.
   properties.Clear(base::OnceClosure());
@@ -2899,8 +2967,10 @@ TEST_F(HttpServerPropertiesTest,
   EXPECT_FALSE(properties.GetQuicServerInfo(server2, network_isolation_key1_));
   EXPECT_FALSE(properties.GetQuicServerInfo(server1, network_isolation_key2_));
   EXPECT_FALSE(properties.GetQuicServerInfo(server2, network_isolation_key2_));
-  EXPECT_FALSE(properties.GetQuicServerInfo(server1, NetworkIsolationKey()));
-  EXPECT_FALSE(properties.GetQuicServerInfo(server2, NetworkIsolationKey()));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server1, NetworkAnonymizationKey()));
+  EXPECT_FALSE(
+      properties.GetQuicServerInfo(server2, NetworkAnonymizationKey()));
 }
 
 // Verifies that GetQuicServerInfo() returns the MRU entry if multiple records
@@ -2911,26 +2981,29 @@ TEST_F(HttpServerPropertiesTest,
   // suffixes.
   quic::QuicServerId h1_server_id("h1.googlevideo.com", 443, false);
   std::string h1_server_info("h1_server_info");
-  impl_.SetQuicServerInfo(h1_server_id, NetworkIsolationKey(), h1_server_info);
+  impl_.SetQuicServerInfo(h1_server_id, NetworkAnonymizationKey(),
+                          h1_server_info);
 
   quic::QuicServerId h2_server_id("h2.googlevideo.com", 443, false);
   std::string h2_server_info("h2_server_info");
-  impl_.SetQuicServerInfo(h2_server_id, NetworkIsolationKey(), h2_server_info);
+  impl_.SetQuicServerInfo(h2_server_id, NetworkAnonymizationKey(),
+                          h2_server_info);
 
   // Create quic::QuicServerId to use for the search.
   quic::QuicServerId foo_server_id("foo.googlevideo.com", 443, false);
 
   // Check that 'h2' info is returned since it is MRU.
   const std::string* server_info =
-      impl_.GetQuicServerInfo(foo_server_id, NetworkIsolationKey());
+      impl_.GetQuicServerInfo(foo_server_id, NetworkAnonymizationKey());
   ASSERT_TRUE(server_info != nullptr);
   EXPECT_EQ(h2_server_info, *server_info);
 
   // Access 'h1' info, so it becomes MRU.
-  impl_.GetQuicServerInfo(h1_server_id, NetworkIsolationKey());
+  impl_.GetQuicServerInfo(h1_server_id, NetworkAnonymizationKey());
 
   // Check that 'h1' info is returned since it is MRU now.
-  server_info = impl_.GetQuicServerInfo(foo_server_id, NetworkIsolationKey());
+  server_info =
+      impl_.GetQuicServerInfo(foo_server_id, NetworkAnonymizationKey());
   ASSERT_TRUE(server_info != nullptr);
   EXPECT_EQ(h1_server_info, *server_info);
 }
@@ -2942,18 +3015,20 @@ TEST_F(HttpServerPropertiesTest,
   // Add a host with a matching canonical name.
   quic::QuicServerId h1_server_id("h1.googlevideo.com", 443, false);
   HttpServerProperties::QuicServerInfoMapKey h1_key(
-      h1_server_id, NetworkIsolationKey(),
+      h1_server_id, NetworkAnonymizationKey(),
       false /* use_network_isolation_key */);
   std::string h1_server_info("h1_server_info");
-  impl_.SetQuicServerInfo(h1_server_id, NetworkIsolationKey(), h1_server_info);
+  impl_.SetQuicServerInfo(h1_server_id, NetworkAnonymizationKey(),
+                          h1_server_info);
 
   // Add a host hosts with a non-matching canonical name.
   quic::QuicServerId h2_server_id("h2.video.com", 443, false);
   HttpServerProperties::QuicServerInfoMapKey h2_key(
-      h2_server_id, NetworkIsolationKey(),
+      h2_server_id, NetworkAnonymizationKey(),
       false /* use_network_isolation_key */);
   std::string h2_server_info("h2_server_info");
-  impl_.SetQuicServerInfo(h2_server_id, NetworkIsolationKey(), h2_server_info);
+  impl_.SetQuicServerInfo(h2_server_id, NetworkAnonymizationKey(),
+                          h2_server_info);
 
   // Check that "h2.video.com" is the MRU entry in the map.
   EXPECT_EQ(h2_key, impl_.quic_server_info_map().begin()->first);
@@ -2962,7 +3037,7 @@ TEST_F(HttpServerPropertiesTest,
   // ("h1.googlevideo.com").
   quic::QuicServerId foo_server_id("foo.googlevideo.com", 443, false);
   const std::string* server_info =
-      impl_.GetQuicServerInfo(foo_server_id, NetworkIsolationKey());
+      impl_.GetQuicServerInfo(foo_server_id, NetworkAnonymizationKey());
   ASSERT_TRUE(server_info != nullptr);
 
   // Check that the search (although successful) hasn't changed the MRU order of
@@ -2970,7 +3045,7 @@ TEST_F(HttpServerPropertiesTest,
   EXPECT_EQ(h2_key, impl_.quic_server_info_map().begin()->first);
 
   // Search for "h1.googlevideo.com" directly, so it becomes MRU
-  impl_.GetQuicServerInfo(h1_server_id, NetworkIsolationKey());
+  impl_.GetQuicServerInfo(h1_server_id, NetworkAnonymizationKey());
 
   // Check that "h1.googlevideo.com" is the MRU entry now.
   EXPECT_EQ(h1_key, impl_.quic_server_info_map().begin()->first);
@@ -2986,19 +3061,20 @@ TEST_F(HttpServerPropertiesTest, QuicServerInfoCanonicalSuffixMatchSetInfoMap) {
   // entry stored in memory cache.
   quic::QuicServerId h1_server_id("h1.googlevideo.com", 443, false);
   std::string h1_server_info("h1_server_info_memory_cache");
-  impl_.SetQuicServerInfo(h1_server_id, NetworkIsolationKey(), h1_server_info);
+  impl_.SetQuicServerInfo(h1_server_id, NetworkAnonymizationKey(),
+                          h1_server_info);
 
   // Prepare a map with host info and add it using SetQuicServerInfoMap(). That
   // will simulate info records read from the persistence storage.
   quic::QuicServerId h2_server_id("h2.googlevideo.com", 443, false);
   HttpServerProperties::QuicServerInfoMapKey h2_key(
-      h2_server_id, NetworkIsolationKey(),
+      h2_server_id, NetworkAnonymizationKey(),
       false /* use_network_isolation_key */);
   std::string h2_server_info("h2_server_info_from_disk");
 
   quic::QuicServerId h3_server_id("h3.ggpht.com", 443, false);
   HttpServerProperties::QuicServerInfoMapKey h3_key(
-      h3_server_id, NetworkIsolationKey(),
+      h3_server_id, NetworkAnonymizationKey(),
       false /* use_network_isolation_key */);
   std::string h3_server_info("h3_server_info_from_disk");
 
@@ -3018,14 +3094,15 @@ TEST_F(HttpServerPropertiesTest, QuicServerInfoCanonicalSuffixMatchSetInfoMap) {
   // persistence storage and, therefore, are most recently used.
   quic::QuicServerId foo_server_id("foo.googlevideo.com", 443, false);
   const std::string* server_info =
-      impl_.GetQuicServerInfo(foo_server_id, NetworkIsolationKey());
+      impl_.GetQuicServerInfo(foo_server_id, NetworkAnonymizationKey());
   ASSERT_TRUE(server_info != nullptr);
   EXPECT_EQ(h1_server_info, *server_info);
 
   // Check that server info that was added using SetQuicServerInfoMap() can be
   // found.
   foo_server_id = quic::QuicServerId("foo.ggpht.com", 443, false);
-  server_info = impl_.GetQuicServerInfo(foo_server_id, NetworkIsolationKey());
+  server_info =
+      impl_.GetQuicServerInfo(foo_server_id, NetworkAnonymizationKey());
   ASSERT_TRUE(server_info != nullptr);
   EXPECT_EQ(h3_server_info, *server_info);
 }
diff --git a/chromium/net/http/http_status_code.cc b/chromium/net/http/http_status_code.cc
index 7ad16c916f5..d9ccc32ca8e 100644
--- a/chromium/net/http/http_status_code.cc
+++ b/chromium/net/http/http_status_code.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_status_code.h b/chromium/net/http/http_status_code.h
index 37407e14c20..ffef0174dba 100644
--- a/chromium/net/http/http_status_code.h
+++ b/chromium/net/http/http_status_code.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_status_code_list.h b/chromium/net/http/http_status_code_list.h
index b690287b348..49ccb19bdbe 100644
--- a/chromium/net/http/http_status_code_list.h
+++ b/chromium/net/http/http_status_code_list.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_status_code_unittest.cc b/chromium/net/http/http_status_code_unittest.cc
index 962b89d3acf..77d2f1fe4f4 100644
--- a/chromium/net/http/http_status_code_unittest.cc
+++ b/chromium/net/http/http_status_code_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_stream.h b/chromium/net/http/http_stream.h
index 2b35bca0f8f..f8f40d216cc 100644
--- a/chromium/net/http/http_stream.h
+++ b/chromium/net/http/http_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/http/http_stream_factory.cc b/chromium/net/http/http_stream_factory.cc
index 010bbe37441..704bd67e804 100644
--- a/chromium/net/http/http_stream_factory.cc
+++ b/chromium/net/http/http_stream_factory.cc
@@ -1,9 +1,10 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_factory.h"
 
+#include <cstddef>
 #include <tuple>
 #include <utility>
 
@@ -50,7 +51,7 @@ HttpStreamFactory::~HttpStreamFactory() = default;
 
 void HttpStreamFactory::ProcessAlternativeServices(
     HttpNetworkSession* session,
-    const net::NetworkIsolationKey& network_isolation_key,
+    const net::NetworkAnonymizationKey& network_anonymization_key,
     const HttpResponseHeaders* headers,
     const url::SchemeHostPort& http_server) {
   if (!headers->HasHeader(kAlternativeServiceHeader))
@@ -67,7 +68,7 @@ void HttpStreamFactory::ProcessAlternativeServices(
   }
 
   session->http_server_properties()->SetAlternativeServices(
-      RewriteHost(http_server), network_isolation_key,
+      RewriteHost(http_server), network_anonymization_key,
       net::ProcessAlternativeServices(
           alternative_service_vector, session->params().enable_http2,
           session->params().enable_quic,
@@ -165,7 +166,7 @@ std::unique_ptr<HttpStreamRequest> HttpStreamFactory::RequestStreamInternal(
 }
 
 void HttpStreamFactory::PreconnectStreams(int num_streams,
-                                          const HttpRequestInfo& request_info) {
+                                          HttpRequestInfo& request_info) {
   DCHECK(request_info.url.is_valid());
 
   auto job_controller = std::make_unique<JobController>(
diff --git a/chromium/net/http/http_stream_factory.h b/chromium/net/http/http_stream_factory.h
index e22f5481c66..972a6bea8bb 100644
--- a/chromium/net/http/http_stream_factory.h
+++ b/chromium/net/http/http_stream_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -72,7 +72,7 @@ class NET_EXPORT HttpStreamFactory {
 
   void ProcessAlternativeServices(
       HttpNetworkSession* session,
-      const net::NetworkIsolationKey& network_isolation_key,
+      const net::NetworkAnonymizationKey& network_anonymization_key,
       const HttpResponseHeaders* headers,
       const url::SchemeHostPort& http_server);
 
@@ -118,7 +118,7 @@ class NET_EXPORT HttpStreamFactory {
       const NetLogWithSource& net_log);
 
   // Requests that enough connections for |num_streams| be opened.
-  void PreconnectStreams(int num_streams, const HttpRequestInfo& info);
+  void PreconnectStreams(int num_streams, HttpRequestInfo& info);
 
   const HostMappingRules* GetHostMappingRules() const;
 
diff --git a/chromium/net/http/http_stream_factory_job.cc b/chromium/net/http/http_stream_factory_job.cc
index aed8dbf53a9..c4a4e046b8f 100644
--- a/chromium/net/http/http_stream_factory_job.cc
+++ b/chromium/net/http/http_stream_factory_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -66,8 +66,9 @@ namespace {
 
 // Experiment to preconnect only one connection if HttpServerProperties is
 // not supported or initialized.
-const base::Feature kLimitEarlyPreconnectsExperiment{
-    "LimitEarlyPreconnects", base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kLimitEarlyPreconnectsExperiment,
+             "LimitEarlyPreconnects",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
 }  // namespace
 
@@ -167,13 +168,14 @@ HttpStreamFactory::Job::Job(Delegate* delegate,
       quic_request_(session_->quic_stream_factory()),
       pushed_stream_id_(kNoPushedStreamFound),
       spdy_session_key_(
-          using_quic_ ? SpdySessionKey()
-                      : GetSpdySessionKey(proxy_info_.proxy_server(),
-                                          origin_url_,
-                                          request_info_.privacy_mode,
-                                          request_info_.socket_tag,
-                                          request_info_.network_isolation_key,
-                                          request_info_.secure_dns_policy)) {
+          using_quic_
+              ? SpdySessionKey()
+              : GetSpdySessionKey(proxy_info_.proxy_server(),
+                                  origin_url_,
+                                  request_info_.privacy_mode,
+                                  request_info_.socket_tag,
+                                  request_info_.network_anonymization_key,
+                                  request_info_.secure_dns_policy)) {
   // Websocket `destination` schemes should be converted to HTTP(S).
   DCHECK(base::EqualsCaseInsensitiveASCII(destination_.scheme(),
                                           url::kHttpScheme) ||
@@ -262,7 +264,7 @@ int HttpStreamFactory::Job::Preconnect(int num_streams) {
       request_info_.url.SchemeIsCryptographic();
   if (connect_one_stream || http_server_properties->SupportsRequestPriority(
                                 url::SchemeHostPort(request_info_.url),
-                                request_info_.network_isolation_key)) {
+                                request_info_.network_anonymization_key)) {
     num_streams_ = 1;
   } else {
     num_streams_ = num_streams;
@@ -331,7 +333,7 @@ bool HttpStreamFactory::Job::HasAvailableQuicSession() const {
   bool require_dns_https_alpn = (job_type_ == DNS_ALPN_H3);
   return quic_request_.CanUseExistingSession(
       origin_url_, request_info_.privacy_mode, request_info_.socket_tag,
-      request_info_.network_isolation_key, request_info_.secure_dns_policy,
+      request_info_.network_anonymization_key, request_info_.secure_dns_policy,
       require_dns_https_alpn, destination_);
 }
 
@@ -343,7 +345,7 @@ bool HttpStreamFactory::Job::TargettedSocketGroupHasActiveSocket() const {
   DCHECK(pool);
   ClientSocketPool::GroupId connection_group(
       destination_, request_info_.privacy_mode,
-      request_info_.network_isolation_key, request_info_.secure_dns_policy);
+      request_info_.network_anonymization_key, request_info_.secure_dns_policy);
   return pool->HasActiveSocket(connection_group);
 }
 
@@ -405,7 +407,7 @@ SpdySessionKey HttpStreamFactory::Job::GetSpdySessionKey(
     const GURL& origin_url,
     PrivacyMode privacy_mode,
     const SocketTag& socket_tag,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     SecureDnsPolicy secure_dns_policy) {
   // In the case that we're using an HTTPS proxy for an HTTP url, look for a
   // HTTP/2 proxy session *to* the proxy, instead of to the origin server.
@@ -413,11 +415,12 @@ SpdySessionKey HttpStreamFactory::Job::GetSpdySessionKey(
     return SpdySessionKey(proxy_server.host_port_pair(), ProxyServer::Direct(),
                           PRIVACY_MODE_DISABLED,
                           SpdySessionKey::IsProxySession::kTrue, socket_tag,
-                          network_isolation_key, secure_dns_policy);
+                          network_anonymization_key, secure_dns_policy);
   }
   return SpdySessionKey(HostPortPair::FromURL(origin_url), proxy_server,
                         privacy_mode, SpdySessionKey::IsProxySession::kFalse,
-                        socket_tag, network_isolation_key, secure_dns_policy);
+                        socket_tag, network_anonymization_key,
+                        secure_dns_policy);
 }
 
 bool HttpStreamFactory::Job::CanUseExistingSpdySession() const {
@@ -426,7 +429,7 @@ bool HttpStreamFactory::Job::CanUseExistingSpdySession() const {
   if (proxy_info_.is_direct() &&
       session_->http_server_properties()->RequiresHTTP11(
           url::SchemeHostPort(request_info_.url),
-          request_info_.network_isolation_key)) {
+          request_info_.network_anonymization_key)) {
     return false;
   }
 
@@ -850,14 +853,14 @@ int HttpStreamFactory::Job::DoInitConnectionImpl() {
   if (http_server_properties) {
     http_server_properties->MaybeForceHTTP11(
         url::SchemeHostPort(request_info_.url),
-        request_info_.network_isolation_key, &server_ssl_config_);
+        request_info_.network_anonymization_key, &server_ssl_config_);
     if (proxy_info_.is_https()) {
       http_server_properties->MaybeForceHTTP11(
           url::SchemeHostPort(
               url::kHttpsScheme,
               proxy_info_.proxy_server().host_port_pair().host(),
               proxy_info_.proxy_server().host_port_pair().port()),
-          request_info_.network_isolation_key, &proxy_ssl_config_);
+          request_info_.network_anonymization_key, &proxy_ssl_config_);
     }
   }
 
@@ -874,7 +877,7 @@ int HttpStreamFactory::Job::DoInitConnectionImpl() {
     return PreconnectSocketsForHttpRequest(
         destination_, request_info_.load_flags, priority_, session_,
         proxy_info_, server_ssl_config_, proxy_ssl_config_,
-        request_info_.privacy_mode, request_info_.network_isolation_key,
+        request_info_.privacy_mode, request_info_.network_anonymization_key,
         request_info_.secure_dns_policy, net_log_, num_streams_,
         std::move(callback));
   }
@@ -899,14 +902,14 @@ int HttpStreamFactory::Job::DoInitConnectionImpl() {
     return InitSocketHandleForWebSocketRequest(
         destination_, request_info_.load_flags, priority_, session_,
         proxy_info_, websocket_server_ssl_config, proxy_ssl_config_,
-        request_info_.privacy_mode, request_info_.network_isolation_key,
+        request_info_.privacy_mode, request_info_.network_anonymization_key,
         net_log_, connection_.get(), io_callback_, proxy_auth_callback);
   }
 
   return InitSocketHandleForHttpRequest(
       destination_, request_info_.load_flags, priority_, session_, proxy_info_,
       server_ssl_config_, proxy_ssl_config_, request_info_.privacy_mode,
-      request_info_.network_isolation_key, request_info_.secure_dns_policy,
+      request_info_.network_anonymization_key, request_info_.secure_dns_policy,
       request_info_.socket_tag, net_log_, connection_.get(), io_callback_,
       proxy_auth_callback);
 }
@@ -933,10 +936,10 @@ int HttpStreamFactory::Job::DoInitConnectionImplQuic() {
 
   int rv = quic_request_.Request(
       std::move(destination), quic_version_, request_info_.privacy_mode,
-      priority_, request_info_.socket_tag, request_info_.network_isolation_key,
-      request_info_.secure_dns_policy, proxy_info_.is_direct(),
-      require_dns_https_alpn, ssl_config->GetCertVerifyFlags(), url, net_log_,
-      &net_error_details_,
+      priority_, request_info_.socket_tag,
+      request_info_.network_anonymization_key, request_info_.secure_dns_policy,
+      proxy_info_.is_direct(), require_dns_https_alpn,
+      ssl_config->GetCertVerifyFlags(), url, net_log_, &net_error_details_,
       base::BindOnce(&Job::OnFailedOnDefaultNetwork, ptr_factory_.GetWeakPtr()),
       io_callback_);
   if (rv == OK) {
@@ -1235,9 +1238,9 @@ int HttpStreamFactory::Job::DoCreateStream() {
   HttpServerProperties* http_server_properties =
       session_->http_server_properties();
   if (http_server_properties) {
-    http_server_properties->SetSupportsSpdy(scheme_host_port,
-                                            request_info_.network_isolation_key,
-                                            true /* supports_spdy */);
+    http_server_properties->SetSupportsSpdy(
+        scheme_host_port, request_info_.network_anonymization_key,
+        true /* supports_spdy */);
   }
 
   // Create a SpdyHttpStream or a BidirectionalStreamImpl attached to the
@@ -1347,7 +1350,7 @@ bool HttpStreamFactory::Job::ShouldThrottleConnectForSpdy() const {
       spdy_session_key_.host_port_pair().port());
   // Only throttle the request if the server is believed to support H2.
   return session_->http_server_properties()->GetSupportsSpdy(
-      scheme_host_port, request_info_.network_isolation_key);
+      scheme_host_port, request_info_.network_anonymization_key);
 }
 
 }  // namespace net
diff --git a/chromium/net/http/http_stream_factory_job.h b/chromium/net/http/http_stream_factory_job.h
index c5a47f914bf..e982c079f2c 100644
--- a/chromium/net/http/http_stream_factory_job.h
+++ b/chromium/net/http/http_stream_factory_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -332,7 +332,7 @@ class HttpStreamFactory::Job
       const GURL& origin_url,
       PrivacyMode privacy_mode,
       const SocketTag& socket_tag,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       SecureDnsPolicy secure_dns_policy);
 
   // Returns true if the current request can use an existing spdy session.
diff --git a/chromium/net/http/http_stream_factory_job_controller.cc b/chromium/net/http/http_stream_factory_job_controller.cc
index 46435687f15..ec0f16bdd1b 100644
--- a/chromium/net/http/http_stream_factory_job_controller.cc
+++ b/chromium/net/http/http_stream_factory_job_controller.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -164,6 +164,11 @@ HttpStreamFactory::JobController::JobController(
                                           url::kWsScheme) ||
          base::EqualsCaseInsensitiveASCII(request_info_.url.scheme_piece(),
                                           url::kWssScheme));
+  // Preconnects do not require a NetworkIsolationKey so we don't require it to
+  // be set consistently with the NetworkAnonymizationKey here.
+  if (!is_preconnect) {
+    DCHECK(request_info.IsConsistent());
+  }
 
   net_log_.BeginEvent(NetLogEventType::HTTP_STREAM_JOB_CONTROLLER, [&] {
     return NetLogJobControllerParams(request_info, is_preconnect);
@@ -299,8 +304,7 @@ void HttpStreamFactory::JobController::OnStreamReady(
   std::unique_ptr<HttpStream> stream = job->ReleaseStream();
   DCHECK(stream);
 
-  MarkRequestComplete(job->was_alpn_negotiated(), job->negotiated_protocol(),
-                      job->using_spdy());
+  MarkRequestComplete(job);
 
   if (!request_)
     return;
@@ -331,8 +335,7 @@ void HttpStreamFactory::JobController::OnBidirectionalStreamImplReady(
     return;
   }
 
-  MarkRequestComplete(job->was_alpn_negotiated(), job->negotiated_protocol(),
-                      job->using_spdy());
+  MarkRequestComplete(job);
 
   if (!request_)
     return;
@@ -354,8 +357,7 @@ void HttpStreamFactory::JobController::OnWebSocketHandshakeStreamReady(
     const ProxyInfo& used_proxy_info,
     std::unique_ptr<WebSocketHandshakeStreamBase> stream) {
   DCHECK(job);
-  MarkRequestComplete(job->was_alpn_negotiated(), job->negotiated_protocol(),
-                      job->using_spdy());
+  MarkRequestComplete(job);
 
   if (!request_)
     return;
@@ -754,7 +756,7 @@ int HttpStreamFactory::JobController::DoResolveProxy() {
   CompletionOnceCallback io_callback =
       base::BindOnce(&JobController::OnIOComplete, base::Unretained(this));
   return session_->proxy_resolution_service()->ResolveProxy(
-      origin_url, request_info_.method, request_info_.network_isolation_key,
+      origin_url, request_info_.method, request_info_.network_anonymization_key,
       &proxy_info_, std::move(io_callback), &proxy_resolve_request_, net_log_);
 }
 
@@ -823,7 +825,7 @@ int HttpStreamFactory::JobController::DoCreateJobs() {
       session_->IsQuicEnabled() && proxy_info_.is_direct() &&
       !session_->http_server_properties()->IsAlternativeServiceBroken(
           GetAlternativeServiceForDnsJob(origin_url),
-          request_info_.network_isolation_key);
+          request_info_.network_anonymization_key);
 
   if (is_preconnect_) {
     // Due to how the socket pools handle priorities and idle sockets, only IDLE
@@ -874,7 +876,11 @@ int HttpStreamFactory::JobController::DoCreateJobs() {
 
   // Alternative Service can only be set for HTTPS requests while Alternative
   // Proxy is set for HTTP requests.
-  if (alternative_service_info_.protocol() != kProtoUnknown) {
+  // The main job may use HTTP/3 if the origin is specified in
+  // `--origin-to-force-quic-on` switch. In that case, do not create
+  // `alternative_job_` and `dns_alpn_h3_job_`.
+  if ((alternative_service_info_.protocol() != kProtoUnknown) &&
+      !main_job_->using_quic()) {
     DCHECK(request_info_.url.SchemeIs(url::kHttpsScheme));
     DCHECK(!is_websocket_);
     DVLOG(1) << "Selected alternative service (host: "
@@ -898,7 +904,7 @@ int HttpStreamFactory::JobController::DoCreateJobs() {
         alternative_service_info_.protocol(), quic_version);
   }
 
-  if (dns_alpn_h3_job_enabled) {
+  if (dns_alpn_h3_job_enabled && !main_job_->using_quic()) {
     DCHECK(!is_websocket_);
     url::SchemeHostPort dns_alpn_h3_destination =
         url::SchemeHostPort(origin_url);
@@ -1037,19 +1043,20 @@ void HttpStreamFactory::JobController::OrphanUnboundJob() {
 void HttpStreamFactory::JobController::OnJobSucceeded(Job* job) {
   DCHECK(job);
   if (!bound_job_) {
-    if ((main_job_ && alternative_job_) || dns_alpn_h3_job_)
-      ReportAlternateProtocolUsage(job);
     BindJob(job);
     return;
   }
 }
 
-void HttpStreamFactory::JobController::MarkRequestComplete(
-    bool was_alpn_negotiated,
-    NextProto negotiated_protocol,
-    bool using_spdy) {
-  if (request_)
-    request_->Complete(was_alpn_negotiated, negotiated_protocol, using_spdy);
+void HttpStreamFactory::JobController::MarkRequestComplete(Job* job) {
+  if (request_) {
+    AlternateProtocolUsage alternate_protocol_usage =
+        CalculateAlternateProtocolUsage(job);
+    request_->Complete(job->was_alpn_negotiated(), job->negotiated_protocol(),
+                       alternate_protocol_usage, job->using_spdy());
+    ReportAlternateProtocolUsage(alternate_protocol_usage,
+                                 HasGoogleHost(job->origin_url()));
+  }
 }
 
 void HttpStreamFactory::JobController::MaybeReportBrokenAlternativeService(
@@ -1076,7 +1083,7 @@ void HttpStreamFactory::JobController::MaybeReportBrokenAlternativeService(
     // network changes.
     session_->http_server_properties()
         ->MarkAlternativeServiceBrokenUntilDefaultNetworkChanges(
-            alt_service, request_info_.network_isolation_key);
+            alt_service, request_info_.network_anonymization_key);
     return;
   }
 
@@ -1094,7 +1101,7 @@ void HttpStreamFactory::JobController::MaybeReportBrokenAlternativeService(
   HistogramBrokenAlternateProtocolLocation(
       BROKEN_ALTERNATE_PROTOCOL_LOCATION_HTTP_STREAM_FACTORY_JOB_ALT);
   session_->http_server_properties()->MarkAlternativeServiceBroken(
-      alt_service, request_info_.network_isolation_key);
+      alt_service, request_info_.network_anonymization_key);
 }
 
 void HttpStreamFactory::JobController::MaybeNotifyFactoryOfCompletion() {
@@ -1183,7 +1190,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
   const AlternativeServiceInfoVector alternative_service_info_vector =
       http_server_properties.GetAlternativeServiceInfos(
           url::SchemeHostPort(original_url),
-          request_info.network_isolation_key);
+          request_info.network_anonymization_key);
   if (alternative_service_info_vector.empty())
     return AlternativeServiceInfo();
 
@@ -1201,7 +1208,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
       quic_advertised = true;
     const bool is_broken = http_server_properties.IsAlternativeServiceBroken(
         alternative_service_info.alternative_service(),
-        request_info.network_isolation_key);
+        request_info.network_anonymization_key);
     net_log_.AddEvent(
         NetLogEventType::HTTP_STREAM_JOB_CONTROLLER_ALT_SVC_FOUND, [&] {
           return NetLogAltSvcParams(&alternative_service_info, is_broken);
@@ -1265,7 +1272,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
     RewriteUrlWithHostMappingRules(mapped_origin);
     QuicSessionKey session_key(
         HostPortPair::FromURL(mapped_origin), request_info.privacy_mode,
-        request_info.socket_tag, request_info.network_isolation_key,
+        request_info.socket_tag, request_info.network_anonymization_key,
         request_info.secure_dns_policy, /*require_dns_https_alpn=*/false);
 
     GURL destination = CreateAltSvcUrl(
@@ -1315,40 +1322,38 @@ quic::ParsedQuicVersion HttpStreamFactory::JobController::SelectQuicVersion(
 }
 
 void HttpStreamFactory::JobController::ReportAlternateProtocolUsage(
-    Job* job) const {
-  DCHECK((main_job_ && alternative_job_) || dns_alpn_h3_job_);
+    AlternateProtocolUsage alternate_protocol_usage,
+    bool is_google_host) const {
+  DCHECK_LT(alternate_protocol_usage, ALTERNATE_PROTOCOL_USAGE_MAX);
+  HistogramAlternateProtocolUsage(alternate_protocol_usage, is_google_host);
+}
 
-  bool is_google_host = HasGoogleHost(job->origin_url());
+bool HttpStreamFactory::JobController::IsJobOrphaned(Job* job) const {
+  return !request_ || (job_bound_ && bound_job_ != job);
+}
 
-  if (job == main_job_.get()) {
-    HistogramAlternateProtocolUsage(ALTERNATE_PROTOCOL_USAGE_MAIN_JOB_WON_RACE,
-                                    is_google_host);
-    return;
-  }
-  if (job == alternative_job_.get()) {
-    if (job->using_existing_quic_session()) {
-      HistogramAlternateProtocolUsage(ALTERNATE_PROTOCOL_USAGE_NO_RACE,
-                                      is_google_host);
-      return;
+AlternateProtocolUsage
+HttpStreamFactory::JobController::CalculateAlternateProtocolUsage(
+    Job* job) const {
+  if ((main_job_ && alternative_job_) || dns_alpn_h3_job_) {
+    if (job == main_job_.get()) {
+      return ALTERNATE_PROTOCOL_USAGE_MAIN_JOB_WON_RACE;
     }
-
-    HistogramAlternateProtocolUsage(ALTERNATE_PROTOCOL_USAGE_WON_RACE,
-                                    is_google_host);
-  }
-  if (job == dns_alpn_h3_job_.get()) {
-    if (job->using_existing_quic_session()) {
-      HistogramAlternateProtocolUsage(
-          ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_WITOUT_RACE,
-          is_google_host);
-      return;
+    if (job == alternative_job_.get()) {
+      if (job->using_existing_quic_session()) {
+        return ALTERNATE_PROTOCOL_USAGE_NO_RACE;
+      }
+      return ALTERNATE_PROTOCOL_USAGE_WON_RACE;
+    }
+    if (job == dns_alpn_h3_job_.get()) {
+      if (job->using_existing_quic_session()) {
+        return ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_WITHOUT_RACE;
+      }
+      return ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_RACE;
     }
-    HistogramAlternateProtocolUsage(
-        ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_RACE, is_google_host);
   }
-}
-
-bool HttpStreamFactory::JobController::IsJobOrphaned(Job* job) const {
-  return !request_ || (job_bound_ && bound_job_ != job);
+  // TODO(crbug.com/1345536): Implement better logic to support uncovered cases.
+  return ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON;
 }
 
 int HttpStreamFactory::JobController::ReconsiderProxyAfterError(Job* job,
diff --git a/chromium/net/http/http_stream_factory_job_controller.h b/chromium/net/http/http_stream_factory_job_controller.h
index 2356e9bdce3..1b0d4f5c0de 100644
--- a/chromium/net/http/http_stream_factory_job_controller.h
+++ b/chromium/net/http/http_stream_factory_job_controller.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -201,9 +201,7 @@ class HttpStreamFactory::JobController
   void ClearInappropriateJobs();
 
   // Marks completion of the |request_|.
-  void MarkRequestComplete(bool was_alpn_negotiated,
-                           NextProto negotiated_protocol,
-                           bool using_spdy);
+  void MarkRequestComplete(Job* job);
 
   // Called when all Jobs complete. Reports alternative service brokenness to
   // HttpServerProperties if apply and resets net errors afterwards:
@@ -258,11 +256,19 @@ class HttpStreamFactory::JobController
 
   // Records histogram metrics for the usage of alternative protocol. Must be
   // called when |job| has succeeded and the other job will be orphaned.
-  void ReportAlternateProtocolUsage(Job* job) const;
+  void ReportAlternateProtocolUsage(
+      AlternateProtocolUsage alternate_protocol_usage,
+      bool is_google_host) const;
 
   // Returns whether |job| is an orphaned job.
   bool IsJobOrphaned(Job* job) const;
 
+  // Calculates why Chrome uses a specific transport protocol for HTTP semantics
+  // and returns it as an enum.
+  // This returns ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON as a default value
+  // when the reason is unknown.
+  AlternateProtocolUsage CalculateAlternateProtocolUsage(Job* job) const;
+
   // Called when a Job encountered a network error that could be resolved by
   // trying a new proxy configuration. If there is another proxy configuration
   // to try then this method sets |next_state_| appropriately and returns either
diff --git a/chromium/net/http/http_stream_factory_job_controller_unittest.cc b/chromium/net/http/http_stream_factory_job_controller_unittest.cc
index 63097239951..a6a817170af 100644
--- a/chromium/net/http/http_stream_factory_job_controller_unittest.cc
+++ b/chromium/net/http/http_stream_factory_job_controller_unittest.cc
@@ -1,16 +1,16 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_stream_factory_job_controller.h"
 
-#include <algorithm>
 #include <list>
 #include <memory>
 #include <string>
 #include <utility>
 #include <vector>
 
+#include "base/containers/contains.h"
 #include "base/memory/ptr_util.h"
 #include "base/memory/raw_ptr.h"
 #include "base/memory/scoped_refptr.h"
@@ -314,11 +314,11 @@ class HttpStreamFactoryJobControllerTestBase : public TestWithTaskEnvironment {
     base::Time expiration = base::Time::Now() + base::Days(1);
     if (alternative_service.protocol == kProtoQUIC) {
       session_->http_server_properties()->SetQuicAlternativeService(
-          server, NetworkIsolationKey(), alternative_service, expiration,
+          server, NetworkAnonymizationKey(), alternative_service, expiration,
           quic_context_.params()->supported_versions);
     } else {
       session_->http_server_properties()->SetHttp2AlternativeService(
-          server, NetworkIsolationKey(), alternative_service, expiration);
+          server, NetworkAnonymizationKey(), alternative_service, expiration);
     }
   }
 
@@ -327,12 +327,12 @@ class HttpStreamFactoryJobControllerTestBase : public TestWithTaskEnvironment {
     const url::SchemeHostPort server(request_info.url);
     const AlternativeServiceInfoVector alternative_service_info_vector =
         session_->http_server_properties()->GetAlternativeServiceInfos(
-            server, NetworkIsolationKey());
+            server, NetworkAnonymizationKey());
     EXPECT_EQ(1u, alternative_service_info_vector.size());
     EXPECT_EQ(should_mark_broken,
               session_->http_server_properties()->IsAlternativeServiceBroken(
                   alternative_service_info_vector[0].alternative_service(),
-                  NetworkIsolationKey()));
+                  NetworkAnonymizationKey()));
   }
 
   void TestAltJobSucceedsAfterMainJobFailed(
@@ -1281,7 +1281,7 @@ TEST_P(HttpStreamFactoryJobControllerTest,
   AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
   base::Time expiration = base::Time::Now() + base::Days(1);
   session_->http_server_properties()->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       {quic::ParsedQuicVersion::Unsupported()});
 
   request_ =
@@ -1313,14 +1313,14 @@ TEST_P(HttpStreamFactoryJobControllerTest,
   AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
   base::Time expiration = base::Time::Now() + base::Days(1);
   session_->http_server_properties()->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       quic_context_.params()->supported_versions);
 
   // Enable QUIC but mark the alternative service as recently broken.
   QuicStreamFactory* quic_stream_factory = session_->quic_stream_factory();
   quic_stream_factory->set_is_quic_known_to_work_on_current_network(true);
   session_->http_server_properties()->MarkAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
 
   request_ =
       job_controller_->Start(&request_delegate_, nullptr, net_log_with_source_,
@@ -1371,18 +1371,18 @@ TEST_P(HttpStreamFactoryJobControllerTest,
   AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
   base::Time expiration = base::Time::Now() + base::Days(1);
   session_->http_server_properties()->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       quic_context_.params()->supported_versions);
 
   // Enable QUIC but mark the alternative service as recently broken.
   QuicStreamFactory* quic_stream_factory = session_->quic_stream_factory();
   quic_stream_factory->set_is_quic_known_to_work_on_current_network(true);
   session_->http_server_properties()->MarkAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
 
   // Confirm the alt service.
   session_->http_server_properties()->ConfirmAlternativeService(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
 
   request_ =
       job_controller_->Start(&request_delegate_, nullptr, net_log_with_source_,
@@ -2289,7 +2289,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, HostResolutionHang) {
   stats1.srtt = base::Microseconds(10);
   session_->http_server_properties()->SetServerNetworkStats(
       url::SchemeHostPort(GURL("https://www.google.com")),
-      NetworkIsolationKey(), stats1);
+      NetworkAnonymizationKey(), stats1);
 
   url::SchemeHostPort server(request_info.url);
   AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
@@ -2362,7 +2362,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, DelayedTCP) {
   stats1.srtt = base::Microseconds(10);
   session_->http_server_properties()->SetServerNetworkStats(
       url::SchemeHostPort(GURL("https://www.google.com")),
-      NetworkIsolationKey(), stats1);
+      NetworkAnonymizationKey(), stats1);
 
   url::SchemeHostPort server(request_info.url);
   AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
@@ -2426,7 +2426,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, ResumeMainJobLaterCanceled) {
   stats1.srtt = base::Microseconds(10);
   session_->http_server_properties()->SetServerNetworkStats(
       url::SchemeHostPort(GURL("https://www.google.com")),
-      NetworkIsolationKey(), stats1);
+      NetworkAnonymizationKey(), stats1);
 
   url::SchemeHostPort server(request_info.url);
   AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
@@ -2459,7 +2459,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, ResumeMainJobLaterCanceled) {
   // Now the alt service is marked as broken (e.g. through a different request),
   // so only non-alt job is restarted.
   session_->http_server_properties()->MarkAlternativeServiceBroken(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
 
   job_controller_->OnStreamFailed(job_factory_.main_job(), ERR_FAILED,
                                   SSLConfig());
@@ -2504,7 +2504,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, DelayedTCPWithLargeSrtt) {
   stats1.srtt = base::Seconds(100);
   session_->http_server_properties()->SetServerNetworkStats(
       url::SchemeHostPort(GURL("https://www.google.com")),
-      NetworkIsolationKey(), stats1);
+      NetworkAnonymizationKey(), stats1);
 
   url::SchemeHostPort server(request_info.url);
   AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
@@ -2566,7 +2566,7 @@ TEST_P(HttpStreamFactoryJobControllerTest,
   stats1.srtt = base::Microseconds(10);
   session_->http_server_properties()->SetServerNetworkStats(
       url::SchemeHostPort(GURL("https://www.google.com")),
-      NetworkIsolationKey(), stats1);
+      NetworkAnonymizationKey(), stats1);
 
   url::SchemeHostPort server(request_info.url);
   AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
@@ -2656,7 +2656,7 @@ TEST_P(HttpStreamFactoryJobControllerTest,
   // Sets server support HTTP/2.
   url::SchemeHostPort server(request_info.url);
   session_->http_server_properties()->SetSupportsSpdy(
-      server, NetworkIsolationKey(), true);
+      server, NetworkAnonymizationKey(), true);
 
   job_controller_->Preconnect(/*num_streams=*/5);
   // Only one job is started.
@@ -2694,8 +2694,10 @@ TEST_P(HttpStreamFactoryJobControllerTest,
 
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(ASYNC, OK));
@@ -2705,12 +2707,13 @@ TEST_P(HttpStreamFactoryJobControllerTest,
   request_info.method = "GET";
   request_info.url = GURL("http://www.example.com");
   request_info.network_isolation_key = kNetworkIsolationKey1;
+  request_info.network_anonymization_key = kNetworkAnonymizationKey1;
   Initialize(request_info);
 
   // Sets server support HTTP/2, using kNetworkIsolationKey.
   url::SchemeHostPort server(request_info.url);
   session_->http_server_properties()->SetSupportsSpdy(
-      server, kNetworkIsolationKey1, true);
+      server, kNetworkAnonymizationKey1, true);
 
   job_controller_->Preconnect(/*num_streams=*/5);
   // Only one job is started.
@@ -2739,6 +2742,9 @@ TEST_P(HttpStreamFactoryJobControllerTest,
     }
 
     request_info.network_isolation_key = other_network_isolation_key;
+    request_info.network_anonymization_key =
+        net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+            other_network_isolation_key);
     MockHttpStreamRequestDelegate request_delegate;
     auto job_controller = std::make_unique<HttpStreamFactory::JobController>(
         factory_, &request_delegate, session_.get(), &job_factory_,
@@ -2775,7 +2781,7 @@ TEST_P(HttpStreamFactoryJobControllerTest,
   SpdySessionKey key(host_port_pair, ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   std::ignore = CreateFakeSpdySession(session_->spdy_session_pool(), key);
 
   // Handshake will fail asynchronously after mock data is unpaused.
@@ -2792,7 +2798,7 @@ TEST_P(HttpStreamFactoryJobControllerTest,
   stats1.srtt = base::Milliseconds(100);
   session_->http_server_properties()->SetServerNetworkStats(
       url::SchemeHostPort(GURL("https://www.google.com")),
-      NetworkIsolationKey(), stats1);
+      NetworkAnonymizationKey(), stats1);
 
   url::SchemeHostPort server(request_info.url);
   AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
@@ -2834,7 +2840,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, SpdySessionInterruptsPreconnect) {
   // Sets server support HTTP/2.
   url::SchemeHostPort server(request_info.url);
   session_->http_server_properties()->SetSupportsSpdy(
-      server, NetworkIsolationKey(), true);
+      server, NetworkAnonymizationKey(), true);
 
   // Start a non-preconnect request.
   std::unique_ptr<HttpStreamRequest> stream_request = job_controller_->Start(
@@ -2873,7 +2879,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, SpdySessionInterruptsPreconnect) {
           SpdySessionKey(
               HostPortPair::FromURL(request_info.url), ProxyServer::Direct(),
               request_info.privacy_mode, SpdySessionKey::IsProxySession::kFalse,
-              request_info.socket_tag, request_info.network_isolation_key,
+              request_info.socket_tag, request_info.network_anonymization_key,
               request_info.secure_dns_policy),
           false /* enable_ip_based_pooling */, false /* is_websocket */,
           NetLogWithSource());
@@ -2953,7 +2959,7 @@ TEST_P(HttpStreamFactoryJobControllerTest,
                            ProxyServer::Direct(), request_info.privacy_mode,
                            SpdySessionKey::IsProxySession::kFalse,
                            request_info.socket_tag,
-                           request_info.network_isolation_key,
+                           request_info.network_anonymization_key,
                            request_info.secure_dns_policy),
             /*enable_ip_based_pooling=*/false, /*is_websocket=*/false,
             NetLogWithSource());
@@ -2986,7 +2992,8 @@ TEST_P(HttpStreamFactoryJobControllerTest,
     const SpdySessionKey spdy_session_key = SpdySessionKey(
         HostPortPair::FromURL(other_request_info.url), ProxyServer::Direct(),
         other_request_info.privacy_mode, SpdySessionKey::IsProxySession::kFalse,
-        other_request_info.socket_tag, other_request_info.network_isolation_key,
+        other_request_info.socket_tag,
+        other_request_info.network_anonymization_key,
         other_request_info.secure_dns_policy);
     EXPECT_FALSE(session_->spdy_session_pool()->FindAvailableSession(
         spdy_session_key, /*enable_ip_based_pooling=*/false,
@@ -3059,7 +3066,7 @@ TEST_F(JobControllerLimitMultipleH2Requests, MultipleRequests) {
   // Sets server support HTTP/2.
   url::SchemeHostPort server(request_info.url);
   session_->http_server_properties()->SetSupportsSpdy(
-      server, NetworkIsolationKey(), true);
+      server, NetworkAnonymizationKey(), true);
 
   std::vector<std::unique_ptr<MockHttpStreamRequestDelegate>> request_delegates;
   std::vector<std::unique_ptr<HttpStreamRequest>> requests;
@@ -3116,8 +3123,10 @@ TEST_F(JobControllerLimitMultipleH2Requests,
 
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   tcp_data_ = std::make_unique<SequencedSocketData>(
       MockConnect(SYNCHRONOUS, ERR_IO_PENDING), base::span<MockRead>(),
@@ -3130,7 +3139,7 @@ TEST_F(JobControllerLimitMultipleH2Requests,
   // Sets server support HTTP/2.
   url::SchemeHostPort server(request_info.url);
   session_->http_server_properties()->SetSupportsSpdy(
-      server, kNetworkIsolationKey1, true);
+      server, kNetworkAnonymizationKey1, true);
 
   std::vector<std::unique_ptr<MockHttpStreamRequestDelegate>> request_delegates;
   std::vector<std::unique_ptr<HttpStreamRequest>> requests;
@@ -3142,6 +3151,9 @@ TEST_F(JobControllerLimitMultipleH2Requests,
          {NetworkIsolationKey(), kNetworkIsolationKey1,
           kNetworkIsolationKey2}) {
       request_info.network_isolation_key = network_isolation_key;
+      request_info.network_anonymization_key =
+          net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+              network_isolation_key);
       // For kNetworkIsolationKey1, all requests but the first will be
       // throttled.
       if (i == 0 || network_isolation_key != kNetworkIsolationKey1) {
@@ -3175,13 +3187,13 @@ TEST_F(JobControllerLimitMultipleH2Requests,
           HttpNetworkSession::NORMAL_SOCKET_POOL, ProxyServer::Direct()));
   ClientSocketPool::GroupId group_id0(
       url::SchemeHostPort(request_info.url), request_info.privacy_mode,
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   ClientSocketPool::GroupId group_id1(
       url::SchemeHostPort(request_info.url), request_info.privacy_mode,
-      kNetworkIsolationKey1, SecureDnsPolicy::kAllow);
+      kNetworkAnonymizationKey1, SecureDnsPolicy::kAllow);
   ClientSocketPool::GroupId group_id2(
       url::SchemeHostPort(request_info.url), request_info.privacy_mode,
-      kNetworkIsolationKey2, SecureDnsPolicy::kAllow);
+      kNetworkAnonymizationKey2, SecureDnsPolicy::kAllow);
   EXPECT_EQ(static_cast<uint32_t>(kNumRequests),
             socket_pool->NumConnectJobsInGroupForTesting(group_id0));
   EXPECT_EQ(1u, socket_pool->NumConnectJobsInGroupForTesting(group_id1));
@@ -3224,7 +3236,7 @@ TEST_F(JobControllerLimitMultipleH2Requests, MultipleRequestsFirstRequestHang) {
   // Sets server support HTTP/2.
   url::SchemeHostPort server(request_info.url);
   session_->http_server_properties()->SetSupportsSpdy(
-      server, NetworkIsolationKey(), true);
+      server, NetworkAnonymizationKey(), true);
 
   std::vector<std::unique_ptr<MockHttpStreamRequestDelegate>> request_delegates;
   std::vector<std::unique_ptr<HttpStreamRequest>> requests;
@@ -3298,7 +3310,7 @@ TEST_F(JobControllerLimitMultipleH2Requests,
   // Sets server support HTTP/2.
   url::SchemeHostPort server(request_info.url);
   session_->http_server_properties()->SetSupportsSpdy(
-      server, NetworkIsolationKey(), true);
+      server, NetworkAnonymizationKey(), true);
 
   std::vector<std::unique_ptr<MockHttpStreamRequestDelegate>> request_delegates;
   std::vector<std::unique_ptr<HttpStreamRequest>> requests;
@@ -3355,7 +3367,7 @@ TEST_F(JobControllerLimitMultipleH2Requests, MultiplePreconnects) {
   // Sets server support HTTP/2.
   url::SchemeHostPort server(request_info.url);
   session_->http_server_properties()->SetSupportsSpdy(
-      server, NetworkIsolationKey(), true);
+      server, NetworkAnonymizationKey(), true);
 
   std::vector<std::unique_ptr<MockHttpStreamRequestDelegate>> request_delegates;
   for (int i = 0; i < kNumRequests; ++i) {
@@ -3403,7 +3415,7 @@ TEST_F(JobControllerLimitMultipleH2Requests, H1NegotiatedForFirstRequest) {
   // Sets server support HTTP/2.
   url::SchemeHostPort server(request_info.url);
   session_->http_server_properties()->SetSupportsSpdy(
-      server, NetworkIsolationKey(), true);
+      server, NetworkAnonymizationKey(), true);
 
   std::vector<std::unique_ptr<MockHttpStreamRequestDelegate>> request_delegates;
   std::vector<std::unique_ptr<HttpStreamRequest>> requests;
@@ -3469,7 +3481,7 @@ TEST_F(JobControllerLimitMultipleH2Requests, QuicJobNotThrottled) {
 
   // Sets server support HTTP/2.
   session_->http_server_properties()->SetSupportsSpdy(
-      server, NetworkIsolationKey(), true);
+      server, NetworkAnonymizationKey(), true);
 
   // Use default job factory so that Resume() is not mocked out.
   HttpStreamFactory::JobFactory default_job_factory;
@@ -3646,7 +3658,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, GetAlternativeServiceInfoFor) {
 
   // Set alternative service with no advertised version.
   session_->http_server_properties()->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       quic::ParsedQuicVersionVector());
 
   AlternativeServiceInfo alt_svc_info =
@@ -3661,7 +3673,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, GetAlternativeServiceInfoFor) {
   quic::ParsedQuicVersionVector supported_versions =
       quic_context_.params()->supported_versions;
   session_->http_server_properties()->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       supported_versions);
 
   alt_svc_info = JobControllerPeer::GetAlternativeServiceInfoFor(
@@ -3686,8 +3698,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, GetAlternativeServiceInfoFor) {
   quic::ParsedQuicVersion unsupported_version_2 =
       quic::ParsedQuicVersion::Unsupported();
   for (const quic::ParsedQuicVersion& version : quic::AllSupportedVersions()) {
-    if (std::find(supported_versions.begin(), supported_versions.end(),
-                  version) != supported_versions.end())
+    if (base::Contains(supported_versions, version))
       continue;
     if (unsupported_version_1 == quic::ParsedQuicVersion::Unsupported()) {
       unsupported_version_1 = version;
@@ -3704,7 +3715,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, GetAlternativeServiceInfoFor) {
   quic::ParsedQuicVersionVector mixed_quic_versions = {
       unsupported_version_1, quic_context_.params()->supported_versions[0]};
   session_->http_server_properties()->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       mixed_quic_versions);
 
   alt_svc_info = JobControllerPeer::GetAlternativeServiceInfoFor(
@@ -3717,7 +3728,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, GetAlternativeServiceInfoFor) {
   // Set alternative service for the same server with two unsupported QUIC
   // versions: |unsupported_version_1|, |unsupported_version_2|.
   session_->http_server_properties()->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       {unsupported_version_1, unsupported_version_2});
 
   alt_svc_info = JobControllerPeer::GetAlternativeServiceInfoFor(
@@ -3739,13 +3750,18 @@ void HttpStreamFactoryJobControllerTestBase::TestAltSvcVersionSelection(
   NetworkIsolationKey network_isolation_key(
       SchemefulSite(GURL("https://example.com")),
       SchemefulSite(GURL("https://example.com")));
+  NetworkAnonymizationKey network_anonymization_key(
+      SchemefulSite(GURL("https://example.com")),
+      SchemefulSite(GURL("https://example.com")));
   request_info.network_isolation_key = network_isolation_key;
+  request_info.network_anonymization_key = network_anonymization_key;
+
   Initialize(request_info);
   url::SchemeHostPort origin(request_info.url);
   auto headers = base::MakeRefCounted<HttpResponseHeaders>("");
   headers->AddHeader("alt-svc", alt_svc_header);
   session_->http_stream_factory()->ProcessAlternativeServices(
-      session_.get(), network_isolation_key, headers.get(), origin);
+      session_.get(), network_anonymization_key, headers.get(), origin);
   AlternativeServiceInfo alt_svc_info =
       JobControllerPeer::GetAlternativeServiceInfoFor(
           job_controller_, request_info, &request_delegate_,
@@ -3813,7 +3829,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, QuicHostAllowlist) {
   quic::ParsedQuicVersionVector supported_versions =
       quic_context_.params()->supported_versions;
   session_->http_server_properties()->SetQuicAlternativeService(
-      server, NetworkIsolationKey(),
+      server, NetworkAnonymizationKey(),
       AlternativeService(kProtoQUIC, "www.example.com", 443), expiration,
       supported_versions);
 
@@ -3838,7 +3854,7 @@ TEST_P(HttpStreamFactoryJobControllerTest, QuicHostAllowlist) {
   EXPECT_EQ(supported_versions, advertised_versions);
 
   session_->http_server_properties()->SetQuicAlternativeService(
-      server, NetworkIsolationKey(),
+      server, NetworkAnonymizationKey(),
       AlternativeService(kProtoQUIC, "www.example.org", 443), expiration,
       supported_versions);
 
@@ -3985,7 +4001,7 @@ class HttpStreamFactoryJobControllerDnsHttpsAlpnTest
                  require_dns_https_alpn ? quic::ParsedQuicVersion::Unsupported()
                                         : version_,
                  PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY, SocketTag(),
-                 NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                 NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                  /*use_dns_aliases=*/true, require_dns_https_alpn,
                  /*cert_verify_flags=*/0, GURL("https://www.example.org/"),
                  net_log_with_source_, &net_error_details,
@@ -4013,7 +4029,7 @@ class HttpStreamFactoryJobControllerDnsHttpsAlpnTest
   bool IsAlternativeServiceBroken(GURL& url) {
     return session_->http_server_properties()->IsAlternativeServiceBroken(
         AlternativeService(kProtoQUIC, HostPortPair::FromURL(url)),
-        NetworkIsolationKey());
+        NetworkAnonymizationKey());
   }
 
   raw_ptr<HttpStreamFactory::JobController> job_controller2_ = nullptr;
@@ -4143,9 +4159,11 @@ TEST_F(HttpStreamFactoryJobControllerDnsHttpsAlpnTest,
 
   base::HistogramTester histogram_tester;
   MakeMainJobSucceed(/*expect_stream_ready=*/true);
-  // Net.AlternateProtocolUsage must not record anything, when HTTPS record with
-  // alpn is not available.
-  histogram_tester.ExpectTotalCount("Net.AlternateProtocolUsage", 0);
+  // Net.AlternateProtocolUsage records
+  // ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON, when only main job exists.
+  histogram_tester.ExpectUniqueSample(
+      "Net.AlternateProtocolUsage", ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON,
+      1);
 
   request_.reset();
   EXPECT_TRUE(HttpStreamFactoryPeer::IsJobControllerDeleted(factory_));
@@ -4183,9 +4201,11 @@ TEST_F(HttpStreamFactoryJobControllerDnsHttpsAlpnTest,
 
   base::HistogramTester histogram_tester;
   MakeMainJobSucceed(/*expect_stream_ready=*/true);
-  // Net.AlternateProtocolUsage must not record anything, when HTTPS record with
-  // alpn is not available.
-  histogram_tester.ExpectTotalCount("Net.AlternateProtocolUsage", 0);
+  // Net.AlternateProtocolUsage records
+  // ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON, when only main job exists.
+  histogram_tester.ExpectUniqueSample(
+      "Net.AlternateProtocolUsage", ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON,
+      1);
 
   request_.reset();
   EXPECT_TRUE(HttpStreamFactoryPeer::IsJobControllerDeleted(factory_));
@@ -4226,9 +4246,11 @@ TEST_F(HttpStreamFactoryJobControllerDnsHttpsAlpnTest,
 
   base::HistogramTester histogram_tester;
   MakeMainJobSucceed(/*expect_stream_ready=*/true);
-  // Net.AlternateProtocolUsage must not record anything, when HTTPS record with
-  // alpn is not available.
-  histogram_tester.ExpectTotalCount("Net.AlternateProtocolUsage", 0);
+  // Net.AlternateProtocolUsage records
+  // ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON, when only main job exists.
+  histogram_tester.ExpectUniqueSample(
+      "Net.AlternateProtocolUsage", ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON,
+      1);
 
   request_.reset();
   EXPECT_TRUE(HttpStreamFactoryPeer::IsJobControllerDeleted(factory_));
@@ -4412,7 +4434,7 @@ TEST_F(HttpStreamFactoryJobControllerDnsHttpsAlpnTest,
   SpdySessionKey key(HostPortPair::FromURL(request_info.url),
                      ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   std::ignore = CreateFakeSpdySession(session_->spdy_session_pool(), key);
 
   request_ = CreateJobControllerAndStart(request_info);
@@ -4633,7 +4655,7 @@ TEST_F(HttpStreamFactoryJobControllerDnsHttpsAlpnTest,
   }
   histogram_tester.ExpectUniqueSample(
       "Net.AlternateProtocolUsage",
-      ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_WITOUT_RACE, 1);
+      ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_WITHOUT_RACE, 1);
   CheckJobsStatus(/*main_job_exists=*/false, /*alternative_job_exists=*/false,
                   /*dns_alpn_h3_job_exists=*/true,
                   "DNS alpn H3 job must exist.");
@@ -4655,7 +4677,7 @@ TEST_F(HttpStreamFactoryJobControllerDnsHttpsAlpnTest,
   SpdySessionKey key(HostPortPair::FromURL(request_info.url),
                      ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   std::ignore = CreateFakeSpdySession(session_->spdy_session_pool(), key);
 
   auto stream = ConnectQuicHttpStream(/*alt_destination=*/false,
@@ -4678,7 +4700,7 @@ TEST_F(HttpStreamFactoryJobControllerDnsHttpsAlpnTest,
   }
   histogram_tester.ExpectUniqueSample(
       "Net.AlternateProtocolUsage",
-      ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_WITOUT_RACE, 1);
+      ALTERNATE_PROTOCOL_USAGE_DNS_ALPN_H3_JOB_WON_WITHOUT_RACE, 1);
 
   CheckJobsStatus(/*main_job_exists=*/false, /*alternative_job_exists=*/false,
                   /*dns_alpn_h3_job_exists=*/true,
@@ -4921,9 +4943,11 @@ TEST_F(HttpStreamFactoryJobControllerDnsHttpsAlpnTest,
 
   // Make |main_job| succeed.
   MakeMainJobSucceed(/*expect_stream_ready=*/true);
-  // Net.AlternateProtocolUsage must not record anything, when DNS alpn job
-  // failed.
-  histogram_tester.ExpectTotalCount("Net.AlternateProtocolUsage", 0);
+  // Net.AlternateProtocolUsage records
+  // ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON, when only main job exists.
+  histogram_tester.ExpectUniqueSample(
+      "Net.AlternateProtocolUsage", ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON,
+      1);
 
   CheckJobsStatus(/*main_job_exists=*/true, /*alternative_job_exists=*/false,
                   /*dns_alpn_h3_job_exists=*/false,
diff --git a/chromium/net/http/http_stream_factory_test_util.cc b/chromium/net/http/http_stream_factory_test_util.cc
index e3932b382a9..b934d2e7d76 100644
--- a/chromium/net/http/http_stream_factory_test_util.cc
+++ b/chromium/net/http/http_stream_factory_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_stream_factory_test_util.h b/chromium/net/http/http_stream_factory_test_util.h
index 72f75007348..bae8052f727 100644
--- a/chromium/net/http/http_stream_factory_test_util.h
+++ b/chromium/net/http/http_stream_factory_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_stream_factory_unittest.cc b/chromium/net/http/http_stream_factory_unittest.cc
index 27b43aa80a5..88768a79ec7 100644
--- a/chromium/net/http/http_stream_factory_unittest.cc
+++ b/chromium/net/http/http_stream_factory_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -373,7 +373,7 @@ TestCase kTests[] = {
 
 void PreconnectHelperForURL(int num_streams,
                             const GURL& url,
-                            NetworkIsolationKey network_isolation_key,
+                            NetworkAnonymizationKey network_anonymization_key,
                             SecureDnsPolicy secure_dns_policy,
                             HttpNetworkSession* session) {
   HttpNetworkSessionPeer peer(session);
@@ -386,7 +386,7 @@ void PreconnectHelperForURL(int num_streams,
   request.method = "GET";
   request.url = url;
   request.load_flags = 0;
-  request.network_isolation_key = network_isolation_key;
+  request.network_anonymization_key = network_anonymization_key;
   request.secure_dns_policy = secure_dns_policy;
   request.traffic_annotation =
       MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
@@ -398,7 +398,7 @@ void PreconnectHelperForURL(int num_streams,
 void PreconnectHelper(const TestCase& test, HttpNetworkSession* session) {
   GURL url =
       test.ssl ? GURL("https://www.google.com") : GURL("http://www.google.com");
-  PreconnectHelperForURL(test.num_streams, url, NetworkIsolationKey(),
+  PreconnectHelperForURL(test.num_streams, url, NetworkAnonymizationKey(),
                          SecureDnsPolicy::kAllow, session);
 }
 
@@ -406,12 +406,12 @@ ClientSocketPool::GroupId GetGroupId(const TestCase& test) {
   if (test.ssl) {
     return ClientSocketPool::GroupId(
         url::SchemeHostPort(url::kHttpsScheme, "www.google.com", 443),
-        PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+        PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
         SecureDnsPolicy::kAllow);
   }
   return ClientSocketPool::GroupId(
       url::SchemeHostPort(url::kHttpScheme, "www.google.com", 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
 }
 
@@ -438,7 +438,7 @@ class CapturePreconnectsTransportSocketPool : public TransportClientSocketPool {
     last_group_id_ = ClientSocketPool::GroupId(
         url::SchemeHostPort(url::kHttpsScheme,
                             "unexpected.to.conflict.with.anything.test", 9999),
-        PrivacyMode::PRIVACY_MODE_ENABLED, NetworkIsolationKey(),
+        PrivacyMode::PRIVACY_MODE_ENABLED, NetworkAnonymizationKey(),
         SecureDnsPolicy::kAllow);
   }
 
@@ -593,7 +593,7 @@ TEST_F(HttpStreamFactoryTest, PreconnectDirectWithExistingSpdySession) {
     SpdySessionKey key(host_port_pair, ProxyServer::Direct(),
                        PRIVACY_MODE_DISABLED,
                        SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                       NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                       NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
     std::ignore = CreateFakeSpdySession(session->spdy_session_pool(), key);
 
     CommonConnectJobParams common_connect_job_params =
@@ -642,12 +642,12 @@ TEST_F(HttpStreamFactoryTest, PreconnectUnsafePort) {
   peer.SetClientSocketPoolManager(std::move(mock_pool_manager));
 
   PreconnectHelperForURL(1, GURL("http://www.google.com:7"),
-                         NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                         NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                          session.get());
   EXPECT_EQ(-1, transport_conn_pool->last_num_streams());
 }
 
-// Verify that preconnects use the specified NetworkIsolationKey.
+// Verify that preconnects use the specified NetworkAnonymizationKey.
 TEST_F(HttpStreamFactoryTest, PreconnectNetworkIsolationKey) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
@@ -674,19 +674,19 @@ TEST_F(HttpStreamFactoryTest, PreconnectNetworkIsolationKey) {
   const GURL kURL("http://foo.test/");
   SchemefulSite kSiteFoo(GURL("http://foo.test"));
   SchemefulSite kSiteBar(GURL("http://bar.test"));
-  const NetworkIsolationKey kKey1(kSiteFoo, kSiteFoo);
-  const NetworkIsolationKey kKey2(kSiteBar, kSiteBar);
+  const NetworkAnonymizationKey kKey1(kSiteFoo, kSiteFoo);
+  const NetworkAnonymizationKey kKey2(kSiteBar, kSiteBar);
   PreconnectHelperForURL(1, kURL, kKey1, SecureDnsPolicy::kAllow,
                          session.get());
   EXPECT_EQ(1, transport_conn_pool->last_num_streams());
   EXPECT_EQ(kKey1,
-            transport_conn_pool->last_group_id().network_isolation_key());
+            transport_conn_pool->last_group_id().network_anonymization_key());
 
   PreconnectHelperForURL(2, kURL, kKey2, SecureDnsPolicy::kAllow,
                          session.get());
   EXPECT_EQ(2, transport_conn_pool->last_num_streams());
   EXPECT_EQ(kKey2,
-            transport_conn_pool->last_group_id().network_isolation_key());
+            transport_conn_pool->last_group_id().network_anonymization_key());
 }
 
 // Verify that preconnects use the specified Secure DNS Tag.
@@ -712,13 +712,13 @@ TEST_F(HttpStreamFactoryTest, PreconnectDisableSecureDns) {
   const GURL kURL("http://foo.test/");
   SchemefulSite kSiteFoo(GURL("http://foo.test"));
   SchemefulSite kSiteBar(GURL("http://bar.test"));
-  PreconnectHelperForURL(1, kURL, NetworkIsolationKey(),
+  PreconnectHelperForURL(1, kURL, NetworkAnonymizationKey(),
                          SecureDnsPolicy::kAllow, session.get());
   EXPECT_EQ(1, transport_conn_pool->last_num_streams());
   EXPECT_EQ(SecureDnsPolicy::kAllow,
             transport_conn_pool->last_group_id().secure_dns_policy());
 
-  PreconnectHelperForURL(2, kURL, NetworkIsolationKey(),
+  PreconnectHelperForURL(2, kURL, NetworkAnonymizationKey(),
                          SecureDnsPolicy::kDisable, session.get());
   EXPECT_EQ(2, transport_conn_pool->last_num_streams());
   EXPECT_EQ(SecureDnsPolicy::kDisable,
@@ -1010,7 +1010,7 @@ TEST_F(HttpStreamFactoryTest, UsePreConnectIfNoZeroRTT) {
     url::SchemeHostPort server("https", host_port_pair.host(),
                                host_port_pair.port());
     http_server_properties.SetQuicAlternativeService(
-        server, NetworkIsolationKey(), alternative_service, expiration,
+        server, NetworkAnonymizationKey(), alternative_service, expiration,
         DefaultSupportedQuicVersions());
 
     HttpNetworkSessionContext session_context =
@@ -1031,7 +1031,7 @@ TEST_F(HttpStreamFactoryTest, UsePreConnectIfNoZeroRTT) {
     auto mock_pool_manager = std::make_unique<MockClientSocketPoolManager>();
     mock_pool_manager->SetSocketPool(proxy_server, std::move(http_proxy_pool));
     peer.SetClientSocketPoolManager(std::move(mock_pool_manager));
-    PreconnectHelperForURL(num_streams, url, NetworkIsolationKey(),
+    PreconnectHelperForURL(num_streams, url, NetworkAnonymizationKey(),
                            SecureDnsPolicy::kAllow, session.get());
     EXPECT_EQ(num_streams, http_proxy_pool_ptr->last_num_streams());
   }
@@ -1643,8 +1643,8 @@ TEST_F(HttpStreamFactoryTest, RequestSpdyHttpStreamHttpURL) {
 
   HttpServerProperties* http_server_properties =
       session->spdy_session_pool()->http_server_properties();
-  EXPECT_FALSE(http_server_properties->GetSupportsSpdy(scheme_host_port,
-                                                       NetworkIsolationKey()));
+  EXPECT_FALSE(http_server_properties->GetSupportsSpdy(
+      scheme_host_port, NetworkAnonymizationKey()));
 
   // Now request a stream.
   HttpRequestInfo request_info;
@@ -1671,19 +1671,21 @@ TEST_F(HttpStreamFactoryTest, RequestSpdyHttpStreamHttpURL) {
       0, GetSocketPoolGroupCount(session->GetSocketPool(
              HttpNetworkSession::NORMAL_SOCKET_POOL, ProxyServer::Direct())));
   EXPECT_FALSE(waiter.used_proxy_info().is_direct());
-  EXPECT_TRUE(http_server_properties->GetSupportsSpdy(scheme_host_port,
-                                                      NetworkIsolationKey()));
+  EXPECT_TRUE(http_server_properties->GetSupportsSpdy(
+      scheme_host_port, NetworkAnonymizationKey()));
 }
 
 // Same as above, but checks HttpServerProperties is updated using the correct
-// NetworkIsolationKey. When/if NetworkIsolationKey is enabled by default, this
-// should probably be merged into the above test.
+// NetworkAnonymizationKey. When/if NetworkAnonymizationKey is enabled by
+// default, this should probably be merged into the above test.
 TEST_F(HttpStreamFactoryTest,
-       RequestSpdyHttpStreamHttpURLWithNetworkIsolationKey) {
+       RequestSpdyHttpStreamHttpURLWithNetworkAnonymizationKey) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
+  const NetworkIsolationKey kNetworkIsolationKey2(kSite1, kSite1);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
@@ -1713,8 +1715,8 @@ TEST_F(HttpStreamFactoryTest,
 
   HttpServerProperties* http_server_properties =
       session->spdy_session_pool()->http_server_properties();
-  EXPECT_FALSE(http_server_properties->GetSupportsSpdy(scheme_host_port,
-                                                       kNetworkIsolationKey1));
+  EXPECT_FALSE(http_server_properties->GetSupportsSpdy(
+      scheme_host_port, kNetworkAnonymizationKey1));
 
   // Now request a stream.
   HttpRequestInfo request_info;
@@ -1722,6 +1724,7 @@ TEST_F(HttpStreamFactoryTest,
   request_info.url = GURL("http://www.google.com");
   request_info.load_flags = 0;
   request_info.network_isolation_key = kNetworkIsolationKey1;
+  request_info.network_anonymization_key = kNetworkAnonymizationKey1;
   request_info.traffic_annotation =
       MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
@@ -1742,13 +1745,13 @@ TEST_F(HttpStreamFactoryTest,
       0, GetSocketPoolGroupCount(session->GetSocketPool(
              HttpNetworkSession::NORMAL_SOCKET_POOL, ProxyServer::Direct())));
   EXPECT_FALSE(waiter.used_proxy_info().is_direct());
-  EXPECT_TRUE(http_server_properties->GetSupportsSpdy(scheme_host_port,
-                                                      kNetworkIsolationKey1));
-  // Other NetworkIsolationKeys should not be recorded as supporting SPDY.
-  EXPECT_FALSE(http_server_properties->GetSupportsSpdy(scheme_host_port,
-                                                       NetworkIsolationKey()));
-  EXPECT_FALSE(http_server_properties->GetSupportsSpdy(scheme_host_port,
-                                                       kNetworkIsolationKey2));
+  EXPECT_TRUE(http_server_properties->GetSupportsSpdy(
+      scheme_host_port, kNetworkAnonymizationKey1));
+  // Other NetworkAnonymizationKeys should not be recorded as supporting SPDY.
+  EXPECT_FALSE(http_server_properties->GetSupportsSpdy(
+      scheme_host_port, NetworkAnonymizationKey()));
+  EXPECT_FALSE(http_server_properties->GetSupportsSpdy(
+      scheme_host_port, kNetworkAnonymizationKey2));
 }
 
 // Tests that when a new SpdySession is established, duplicated idle H2 sockets
@@ -1789,8 +1792,8 @@ TEST_F(HttpStreamFactoryTest, NewSpdySessionCloseIdleH2Sockets) {
             std::move(ssl_config_for_origin),
             /*ssl_config_for_proxy=*/nullptr);
     ClientSocketPool::GroupId group_id(
-        destination, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
-        SecureDnsPolicy::kAllow);
+        destination, PrivacyMode::PRIVACY_MODE_DISABLED,
+        NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
     int rv = connection->Init(
         group_id, socket_params, absl::nullopt /* proxy_annotation_tag */,
         MEDIUM, SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
@@ -2059,7 +2062,7 @@ class HttpStreamFactoryBidirectionalQuicTest
                                                  alternative_destination, 443);
     base::Time expiration = base::Time::Now() + base::Days(1);
     http_server_properties_.SetQuicAlternativeService(
-        request_url, NetworkIsolationKey(), alternative_service, expiration,
+        request_url, NetworkAnonymizationKey(), alternative_service, expiration,
         session_->context().quic_context->params()->supported_versions);
   }
 
@@ -3559,16 +3562,16 @@ TEST_F(ProcessAlternativeServicesTest, ProcessEmptyAltSvc) {
   session_ =
       std::make_unique<HttpNetworkSession>(session_params_, session_context_);
   url::SchemeHostPort origin;
-  NetworkIsolationKey network_isolation_key;
+  NetworkAnonymizationKey network_anonymization_key;
 
   auto headers = base::MakeRefCounted<HttpResponseHeaders>("");
 
   session_->http_stream_factory()->ProcessAlternativeServices(
-      session_.get(), network_isolation_key, headers.get(), origin);
+      session_.get(), network_anonymization_key, headers.get(), origin);
 
   AlternativeServiceInfoVector alternatives =
-      http_server_properties_.GetAlternativeServiceInfos(origin,
-                                                         network_isolation_key);
+      http_server_properties_.GetAlternativeServiceInfos(
+          origin, network_anonymization_key);
   EXPECT_TRUE(alternatives.empty());
 }
 
@@ -3577,29 +3580,30 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcClear) {
       std::make_unique<HttpNetworkSession>(session_params_, session_context_);
   url::SchemeHostPort origin(url::kHttpsScheme, "example.com", 443);
 
-  NetworkIsolationKey network_isolation_key(
+  NetworkAnonymizationKey network_anonymization_key(
       SchemefulSite(GURL("https://example.com")),
       SchemefulSite(GURL("https://example.com")));
 
   http_server_properties_.SetAlternativeServices(
-      origin, network_isolation_key,
+      origin, network_anonymization_key,
       {AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           {kProtoQUIC, "", 443}, base::Time::Now() + base::Seconds(30),
           quic::AllSupportedVersions())});
 
-  EXPECT_FALSE(http_server_properties_
-                   .GetAlternativeServiceInfos(origin, network_isolation_key)
-                   .empty());
+  EXPECT_FALSE(
+      http_server_properties_
+          .GetAlternativeServiceInfos(origin, network_anonymization_key)
+          .empty());
 
   auto headers = base::MakeRefCounted<HttpResponseHeaders>("");
   headers->AddHeader("alt-svc", "clear");
 
   session_->http_stream_factory()->ProcessAlternativeServices(
-      session_.get(), network_isolation_key, headers.get(), origin);
+      session_.get(), network_anonymization_key, headers.get(), origin);
 
   AlternativeServiceInfoVector alternatives =
-      http_server_properties_.GetAlternativeServiceInfos(origin,
-                                                         network_isolation_key);
+      http_server_properties_.GetAlternativeServiceInfos(
+          origin, network_anonymization_key);
   EXPECT_TRUE(alternatives.empty());
 }
 
@@ -3609,7 +3613,7 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcQuicIetf) {
       std::make_unique<HttpNetworkSession>(session_params_, session_context_);
   url::SchemeHostPort origin(url::kHttpsScheme, "example.com", 443);
 
-  NetworkIsolationKey network_isolation_key(
+  NetworkAnonymizationKey network_anonymization_key(
       SchemefulSite(GURL("https://example.com")),
       SchemefulSite(GURL("https://example.com")));
 
@@ -3620,7 +3624,7 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcQuicIetf) {
                      "h3-Q043=\":443\"");
 
   session_->http_stream_factory()->ProcessAlternativeServices(
-      session_.get(), network_isolation_key, headers.get(), origin);
+      session_.get(), network_anonymization_key, headers.get(), origin);
 
   quic::ParsedQuicVersionVector versions = {
       quic::ParsedQuicVersion::Draft29(),
@@ -3628,8 +3632,8 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcQuicIetf) {
       quic::ParsedQuicVersion::Q043(),
   };
   AlternativeServiceInfoVector alternatives =
-      http_server_properties_.GetAlternativeServiceInfos(origin,
-                                                         network_isolation_key);
+      http_server_properties_.GetAlternativeServiceInfos(
+          origin, network_anonymization_key);
   ASSERT_EQ(versions.size(), alternatives.size());
   for (size_t i = 0; i < alternatives.size(); ++i) {
     EXPECT_EQ(kProtoQUIC, alternatives[i].protocol());
@@ -3646,7 +3650,7 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcHttp2) {
       std::make_unique<HttpNetworkSession>(session_params_, session_context_);
   url::SchemeHostPort origin(url::kHttpsScheme, "example.com", 443);
 
-  NetworkIsolationKey network_isolation_key(
+  NetworkAnonymizationKey network_anonymization_key(
       SchemefulSite(GURL("https://example.com")),
       SchemefulSite(GURL("https://example.com")));
 
@@ -3654,11 +3658,11 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcHttp2) {
   headers->AddHeader("alt-svc", "h2=\"other.example.com:443\"");
 
   session_->http_stream_factory()->ProcessAlternativeServices(
-      session_.get(), network_isolation_key, headers.get(), origin);
+      session_.get(), network_anonymization_key, headers.get(), origin);
 
   AlternativeServiceInfoVector alternatives =
-      http_server_properties_.GetAlternativeServiceInfos(origin,
-                                                         network_isolation_key);
+      http_server_properties_.GetAlternativeServiceInfos(
+          origin, network_anonymization_key);
   ASSERT_EQ(1u, alternatives.size());
   EXPECT_EQ(kProtoHTTP2, alternatives[0].protocol());
   EXPECT_EQ(HostPortPair("other.example.com", 443),
diff --git a/chromium/net/http/http_stream_parser.cc b/chromium/net/http/http_stream_parser.cc
index 8609f3d3a47..c1cb5f2f253 100644
--- a/chromium/net/http/http_stream_parser.cc
+++ b/chromium/net/http/http_stream_parser.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_stream_parser.h b/chromium/net/http/http_stream_parser.h
index b9287d07343..6b1801d2148 100644
--- a/chromium/net/http/http_stream_parser.h
+++ b/chromium/net/http/http_stream_parser.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -217,7 +217,7 @@ class NET_EXPORT_PRIVATE HttpStreamParser {
   State io_state_ = STATE_NONE;
 
   // Null when read state machine is invoked.
-  raw_ptr<const HttpRequestInfo> request_;
+  raw_ptr<const HttpRequestInfo, DanglingUntriaged> request_;
 
   // The request header data.  May include a merged request body.
   scoped_refptr<DrainableIOBuffer> request_headers_;
@@ -249,7 +249,7 @@ class NET_EXPORT_PRIVATE HttpStreamParser {
   // cannot be safely accessed after reading the final set of headers, as the
   // caller of SendRequest may have been destroyed - this happens in the case an
   // HttpResponseBodyDrainer is used.
-  raw_ptr<HttpResponseInfo> response_ = nullptr;
+  raw_ptr<HttpResponseInfo, DanglingUntriaged> response_ = nullptr;
 
   // Time at which the first bytes of the first header response including
   // informational responses (1xx) are about to be parsed. This corresponds to
@@ -304,7 +304,7 @@ class NET_EXPORT_PRIVATE HttpStreamParser {
   // The underlying socket, owned by the caller. The HttpStreamParser must be
   // destroyed before the caller destroys the socket, or relinquishes ownership
   // of it.
-  raw_ptr<StreamSocket> stream_socket_;
+  raw_ptr<StreamSocket, DanglingUntriaged> stream_socket_;
 
   // Whether the socket has already been used. Only used in HTTP/0.9 detection
   // logic.
diff --git a/chromium/net/http/http_stream_parser_fuzzer.cc b/chromium/net/http/http_stream_parser_fuzzer.cc
index 9f023feb58b..31548c40dcb 100644
--- a/chromium/net/http/http_stream_parser_fuzzer.cc
+++ b/chromium/net/http/http_stream_parser_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_stream_parser_unittest.cc b/chromium/net/http/http_stream_parser_unittest.cc
index 981df1366ac..00b8c218997 100644
--- a/chromium/net/http/http_stream_parser_unittest.cc
+++ b/chromium/net/http/http_stream_parser_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_stream_request.cc b/chromium/net/http/http_stream_request.cc
index a938d5dcc53..6d7f574abdf 100644
--- a/chromium/net/http/http_stream_request.cc
+++ b/chromium/net/http/http_stream_request.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -38,13 +38,16 @@ HttpStreamRequest::~HttpStreamRequest() {
   helper_.ExtractAsDangling()->OnRequestComplete();  // May delete `*helper_`;
 }
 
-void HttpStreamRequest::Complete(bool was_alpn_negotiated,
-                                 NextProto negotiated_protocol,
-                                 bool using_spdy) {
+void HttpStreamRequest::Complete(
+    bool was_alpn_negotiated,
+    NextProto negotiated_protocol,
+    AlternateProtocolUsage alternate_protocol_usage,
+    bool using_spdy) {
   DCHECK(!completed_);
   completed_ = true;
   was_alpn_negotiated_ = was_alpn_negotiated;
   negotiated_protocol_ = negotiated_protocol;
+  alternate_protocol_usage_ = alternate_protocol_usage;
   using_spdy_ = using_spdy;
 }
 
@@ -70,6 +73,11 @@ NextProto HttpStreamRequest::negotiated_protocol() const {
   return negotiated_protocol_;
 }
 
+AlternateProtocolUsage HttpStreamRequest::alternate_protocol_usage() const {
+  DCHECK(completed_);
+  return alternate_protocol_usage_;
+}
+
 bool HttpStreamRequest::using_spdy() const {
   DCHECK(completed_);
   return using_spdy_;
diff --git a/chromium/net/http/http_stream_request.h b/chromium/net/http/http_stream_request.h
index 9f4b3ada44b..2df01994b8f 100644
--- a/chromium/net/http/http_stream_request.h
+++ b/chromium/net/http/http_stream_request.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -181,6 +181,7 @@ class NET_EXPORT_PRIVATE HttpStreamRequest {
   // Marks completion of the request. Must be called before OnStreamReady().
   void Complete(bool was_alpn_negotiated,
                 NextProto negotiated_protocol,
+                AlternateProtocolUsage alternate_protocol_usage,
                 bool using_spdy);
 
   // Called by |helper_| to record connection attempts made by the socket
@@ -196,6 +197,10 @@ class NET_EXPORT_PRIVATE HttpStreamRequest {
   // Protocol negotiated with the server.
   NextProto negotiated_protocol() const;
 
+  // The reason why Chrome uses a specific transport protocol for HTTP
+  // semantics.
+  AlternateProtocolUsage alternate_protocol_usage() const;
+
   // Returns true if this stream is being fetched over SPDY.
   bool using_spdy() const;
 
@@ -230,6 +235,10 @@ class NET_EXPORT_PRIVATE HttpStreamRequest {
   bool was_alpn_negotiated_ = false;
   // Protocol negotiated with the server.
   NextProto negotiated_protocol_ = kProtoUnknown;
+  // The reason why Chrome uses a specific transport protocol for HTTP
+  // semantics.
+  AlternateProtocolUsage alternate_protocol_usage_ =
+      AlternateProtocolUsage::ALTERNATE_PROTOCOL_USAGE_UNSPECIFIED_REASON;
   bool using_spdy_ = false;
   ConnectionAttempts connection_attempts_;
   const StreamType stream_type_;
diff --git a/chromium/net/http/http_stream_request_unittest.cc b/chromium/net/http/http_stream_request_unittest.cc
index bd31793c593..29c05b9cb4e 100644
--- a/chromium/net/http/http_stream_request_unittest.cc
+++ b/chromium/net/http/http_stream_request_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_transaction.h b/chromium/net/http/http_transaction.h
index 0d28e304e82..bf59d6f6b60 100644
--- a/chromium/net/http/http_transaction.h
+++ b/chromium/net/http/http_transaction.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_transaction_factory.h b/chromium/net/http/http_transaction_factory.h
index b04d1d32421..a9cfbc45cc9 100644
--- a/chromium/net/http/http_transaction_factory.h
+++ b/chromium/net/http/http_transaction_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_transaction_test_util.cc b/chromium/net/http/http_transaction_test_util.cc
index 865099933cd..d78e1130361 100644
--- a/chromium/net/http/http_transaction_test_util.cc
+++ b/chromium/net/http/http_transaction_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -64,6 +64,8 @@ const MockTransaction kSimpleGET_Transaction = {
     base::Time(),
     "<html><body>Google Blah Blah</body></html>",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -86,6 +88,8 @@ const MockTransaction kSimplePOST_Transaction = {
     base::Time(),
     "<html><body>Google Blah Blah</body></html>",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -109,6 +113,8 @@ const MockTransaction kTypicalGET_Transaction = {
     base::Time(),
     "<html><body>Google Blah Blah</body></html>",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -132,6 +138,8 @@ const MockTransaction kETagGET_Transaction = {
     base::Time(),
     "<html><body>Google Blah Blah</body></html>",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -154,6 +162,8 @@ const MockTransaction kRangeGET_Transaction = {
     base::Time(),
     "<html><body>Google Blah Blah</body></html>",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -201,6 +211,9 @@ MockHttpRequest::MockHttpRequest(const MockTransaction& t) {
   load_flags = t.load_flags;
   SchemefulSite site(url);
   network_isolation_key = NetworkIsolationKey(site, site);
+  network_anonymization_key = NetworkAnonymizationKey(site, site);
+  fps_cache_filter = t.fps_cache_filter;
+  browser_run_id = t.browser_run_id;
 }
 
 std::string MockHttpRequest::CacheKey() {
diff --git a/chromium/net/http/http_transaction_test_util.h b/chromium/net/http/http_transaction_test_util.h
index 71541b55510..aaa3fcd8b21 100644
--- a/chromium/net/http/http_transaction_test_util.h
+++ b/chromium/net/http/http_transaction_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -35,6 +35,7 @@
 #include "net/http/http_response_info.h"
 #include "net/log/net_log_source.h"
 #include "net/socket/connection_attempts.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace net {
 
@@ -91,6 +92,8 @@ struct MockTransaction {
   // known aliases, e.g. from A, AAAA, or HTTPS, not just from the address used
   // for the connection, in no particular order.
   std::set<std::string> dns_aliases;
+  absl::optional<int64_t> fps_cache_filter;
+  absl::optional<int64_t> browser_run_id;
   int test_mode;
   MockTransactionHandler handler;
   MockTransactionReadHandler read_handler;
diff --git a/chromium/net/http/http_util.cc b/chromium/net/http/http_util.cc
index 7aa436ea73c..395ade601b1 100644
--- a/chromium/net/http/http_util.cc
+++ b/chromium/net/http/http_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_util.h b/chromium/net/http/http_util.h
index 7733270cf20..eb7f086b416 100644
--- a/chromium/net/http/http_util.h
+++ b/chromium/net/http/http_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_util_unittest.cc b/chromium/net/http/http_util_unittest.cc
index c5c278f9890..20043c92d26 100644
--- a/chromium/net/http/http_util_unittest.cc
+++ b/chromium/net/http/http_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_vary_data.cc b/chromium/net/http/http_vary_data.cc
index 9b444b9b16c..bcc2b415889 100644
--- a/chromium/net/http/http_vary_data.cc
+++ b/chromium/net/http/http_vary_data.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_vary_data.h b/chromium/net/http/http_vary_data.h
index c2512465554..6b3ff5084c8 100644
--- a/chromium/net/http/http_vary_data.h
+++ b/chromium/net/http/http_vary_data.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_vary_data_unittest.cc b/chromium/net/http/http_vary_data_unittest.cc
index b4b3d4c5dfb..0bef6e81994 100644
--- a/chromium/net/http/http_vary_data_unittest.cc
+++ b/chromium/net/http/http_vary_data_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright 2006-2008 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/http_version.h b/chromium/net/http/http_version.h
index 29cbf81b254..e91e5611359 100644
--- a/chromium/net/http/http_version.h
+++ b/chromium/net/http/http_version.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright 2006-2008 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/mock_allow_http_auth_preferences.cc b/chromium/net/http/mock_allow_http_auth_preferences.cc
index 4e7f2cf0523..850b481d51a 100644
--- a/chromium/net/http/mock_allow_http_auth_preferences.cc
+++ b/chromium/net/http/mock_allow_http_auth_preferences.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/mock_allow_http_auth_preferences.h b/chromium/net/http/mock_allow_http_auth_preferences.h
index 5820c7365ef..390b0cab3e5 100644
--- a/chromium/net/http/mock_allow_http_auth_preferences.h
+++ b/chromium/net/http/mock_allow_http_auth_preferences.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/mock_gssapi_library_posix.cc b/chromium/net/http/mock_gssapi_library_posix.cc
index 5daabe70a82..58763e56afa 100644
--- a/chromium/net/http/mock_gssapi_library_posix.cc
+++ b/chromium/net/http/mock_gssapi_library_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/mock_gssapi_library_posix.h b/chromium/net/http/mock_gssapi_library_posix.h
index d04ca82bb33..6f770ccd830 100644
--- a/chromium/net/http/mock_gssapi_library_posix.h
+++ b/chromium/net/http/mock_gssapi_library_posix.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/mock_http_cache.cc b/chromium/net/http/mock_http_cache.cc
index a96faaaf05a..1020ccda317 100644
--- a/chromium/net/http/mock_http_cache.cc
+++ b/chromium/net/http/mock_http_cache.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/mock_http_cache.h b/chromium/net/http/mock_http_cache.h
index 2c95830c666..6b2af24e8ff 100644
--- a/chromium/net/http/mock_http_cache.h
+++ b/chromium/net/http/mock_http_cache.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/mock_sspi_library_win.cc b/chromium/net/http/mock_sspi_library_win.cc
index a6cb1b7087f..3e75c56bb70 100644
--- a/chromium/net/http/mock_sspi_library_win.cc
+++ b/chromium/net/http/mock_sspi_library_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/mock_sspi_library_win.h b/chromium/net/http/mock_sspi_library_win.h
index bb37f67c0f0..bebc0414ffd 100644
--- a/chromium/net/http/mock_sspi_library_win.h
+++ b/chromium/net/http/mock_sspi_library_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/partial_data.cc b/chromium/net/http/partial_data.cc
index 7c60c5114b6..1b691a07cc3 100644
--- a/chromium/net/http/partial_data.cc
+++ b/chromium/net/http/partial_data.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/partial_data.h b/chromium/net/http/partial_data.h
index 4f6fe440574..6586272f7ab 100644
--- a/chromium/net/http/partial_data.h
+++ b/chromium/net/http/partial_data.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/proxy_client_socket.cc b/chromium/net/http/proxy_client_socket.cc
index 949fd7ef00c..745ef0e7699 100644
--- a/chromium/net/http/proxy_client_socket.cc
+++ b/chromium/net/http/proxy_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/proxy_client_socket.h b/chromium/net/http/proxy_client_socket.h
index 09319659f2a..4ef2ba1efc9 100644
--- a/chromium/net/http/proxy_client_socket.h
+++ b/chromium/net/http/proxy_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/proxy_fallback.cc b/chromium/net/http/proxy_fallback.cc
index a404ffa1e35..18bf2f336f5 100644
--- a/chromium/net/http/proxy_fallback.cc
+++ b/chromium/net/http/proxy_fallback.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/proxy_fallback.h b/chromium/net/http/proxy_fallback.h
index a0763a352da..230ac857181 100644
--- a/chromium/net/http/proxy_fallback.h
+++ b/chromium/net/http/proxy_fallback.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/structured_headers.h b/chromium/net/http/structured_headers.h
index 73b7e616eec..6f8289be31d 100644
--- a/chromium/net/http/structured_headers.h
+++ b/chromium/net/http/structured_headers.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/structured_headers_fuzzer.cc b/chromium/net/http/structured_headers_fuzzer.cc
index b8b3b6fc308..a69a0591035 100644
--- a/chromium/net/http/structured_headers_fuzzer.cc
+++ b/chromium/net/http/structured_headers_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/test_upload_data_stream_not_allow_http1.cc b/chromium/net/http/test_upload_data_stream_not_allow_http1.cc
index 5fc9f8a00b6..b36813020d1 100644
--- a/chromium/net/http/test_upload_data_stream_not_allow_http1.cc
+++ b/chromium/net/http/test_upload_data_stream_not_allow_http1.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/test_upload_data_stream_not_allow_http1.h b/chromium/net/http/test_upload_data_stream_not_allow_http1.h
index 50d33f6c807..555615d9c57 100644
--- a/chromium/net/http/test_upload_data_stream_not_allow_http1.h
+++ b/chromium/net/http/test_upload_data_stream_not_allow_http1.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_persister.cc b/chromium/net/http/transport_security_persister.cc
index 95053920611..4c354f66f86 100644
--- a/chromium/net/http/transport_security_persister.cc
+++ b/chromium/net/http/transport_security_persister.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -22,7 +22,7 @@
 #include "base/values.h"
 #include "crypto/sha2.h"
 #include "net/base/features.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/cert/x509_certificate.h"
 #include "net/http/transport_security_state.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
@@ -82,7 +82,7 @@ const char kForceHTTPS[] = "force-https";
 const char kDefault[] = "default";
 
 // Key names in serialized Expect-CT entries.
-const char kNetworkIsolationKey[] = "nik";
+const char kNetworkAnonymizationKey[] = "nak";
 const char kExpectCTObserved[] = "expect_ct_observed";
 const char kExpectCTExpiry[] = "expect_ct_expiry";
 const char kExpectCTEnforce[] = "expect_ct_enforce";
@@ -97,8 +97,7 @@ std::string LoadState(const base::FilePath& path) {
 }
 
 bool IsDynamicExpectCTEnabled() {
-  return base::FeatureList::IsEnabled(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  return base::FeatureList::IsEnabled(kDynamicExpectCTFeature);
 }
 
 // Serializes STS data from |state| to a Value.
@@ -195,13 +194,14 @@ base::Value::List SerializeExpectCTData(TransportSecurityState* state) {
 
     base::Value::Dict ct_entry;
 
-    base::Value network_isolation_key_value;
-    // Don't serialize entries with transient NetworkIsolationKeys.
-    if (!expect_ct_iterator.network_isolation_key().ToValue(
-            &network_isolation_key_value)) {
+    base::Value network_anonymization_key_value;
+    // Don't serialize entries with transient NetworkAnonymizationKeys.
+    if (!expect_ct_iterator.network_anonymization_key().ToValue(
+            &network_anonymization_key_value)) {
       continue;
     }
-    ct_entry.Set(kNetworkIsolationKey, std::move(network_isolation_key_value));
+    ct_entry.Set(kNetworkAnonymizationKey,
+                 std::move(network_anonymization_key_value));
 
     ct_entry.Set(kHostname,
                  HashedDomainToExternalString(expect_ct_iterator.hostname()));
@@ -232,8 +232,8 @@ void DeserializeExpectCTData(const base::Value& ct_list,
       continue;
 
     const std::string* hostname = ct_dict->FindString(kHostname);
-    const base::Value* network_isolation_key_value =
-        ct_dict->Find(kNetworkIsolationKey);
+    const base::Value* network_anonymization_key_value =
+        ct_dict->Find(kNetworkAnonymizationKey);
     absl::optional<double> expect_ct_last_observed =
         ct_dict->FindDouble(kExpectCTObserved);
     absl::optional<double> expect_ct_expiry =
@@ -243,7 +243,7 @@ void DeserializeExpectCTData(const base::Value& ct_list,
     const std::string* expect_ct_report_uri =
         ct_dict->FindString(kExpectCTReportUri);
 
-    if (!hostname || !network_isolation_key_value ||
+    if (!hostname || !network_anonymization_key_value ||
         !expect_ct_last_observed.has_value() || !expect_ct_expiry.has_value() ||
         !expect_ct_enforce.has_value() || !expect_ct_report_uri) {
       continue;
@@ -268,19 +268,20 @@ void DeserializeExpectCTData(const base::Value& ct_list,
     if (hashed.empty())
       continue;
 
-    NetworkIsolationKey network_isolation_key;
-    if (!NetworkIsolationKey::FromValue(*network_isolation_key_value,
-                                        &network_isolation_key)) {
+    NetworkAnonymizationKey network_anonymization_key;
+    if (!NetworkAnonymizationKey::FromValue(*network_anonymization_key_value,
+                                            &network_anonymization_key)) {
       continue;
     }
 
-    // If Expect-CT is not being partitioned by NetworkIsolationKey, but
-    // |network_isolation_key| is not empty, drop the entry, to avoid ambiguity
-    // and favor entries that were saved with an empty NetworkIsolationKey.
-    if (!partition_by_nik && !network_isolation_key.IsEmpty())
+    // If Expect-CT is not being partitioned by NetworkAnonymizationKey, but
+    // |network_anonymization_key| is not empty, drop the entry, to avoid
+    // ambiguity and favor entries that were saved with an empty
+    // NetworkAnonymizationKey.
+    if (!partition_by_nik && !network_anonymization_key.IsEmpty())
       continue;
 
-    state->AddOrUpdateEnabledExpectCTHosts(hashed, network_isolation_key,
+    state->AddOrUpdateEnabledExpectCTHosts(hashed, network_anonymization_key,
                                            expect_ct_state);
   }
 }
diff --git a/chromium/net/http/transport_security_persister.h b/chromium/net/http/transport_security_persister.h
index 0edd9eefc86..0c86590b6c9 100644
--- a/chromium/net/http/transport_security_persister.h
+++ b/chromium/net/http/transport_security_persister.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_persister_unittest.cc b/chromium/net/http/transport_security_persister_unittest.cc
index a45a44f407e..6cc68e683ca 100644
--- a/chromium/net/http/transport_security_persister_unittest.cc
+++ b/chromium/net/http/transport_security_persister_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -20,7 +20,7 @@
 #include "base/test/scoped_feature_list.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/features.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/http/transport_security_state.h"
 #include "net/test/test_with_task_environment.h"
@@ -90,8 +90,7 @@ INSTANTIATE_TEST_SUITE_P(All, TransportSecurityPersisterTest, testing::Bool());
 // Tests that LoadEntries() clears existing non-static entries.
 TEST_P(TransportSecurityPersisterTest, LoadEntriesClearsExistingState) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   TransportSecurityState::STSState sts_state;
   TransportSecurityState::ExpectCTState expect_ct_state;
@@ -103,17 +102,17 @@ TEST_P(TransportSecurityPersisterTest, LoadEntriesClearsExistingState) {
 
   state_->AddHSTS(kYahooDomain, expiry, false /* include subdomains */);
   state_->AddExpectCT(kYahooDomain, expiry, true /* enforce */, GURL(),
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
 
   EXPECT_TRUE(state_->GetDynamicSTSState(kYahooDomain, &sts_state));
   EXPECT_TRUE(state_->GetDynamicExpectCTState(
-      kYahooDomain, NetworkIsolationKey(), &expect_ct_state));
+      kYahooDomain, NetworkAnonymizationKey(), &expect_ct_state));
 
   persister_->LoadEntries("{\"version\":2}");
 
   EXPECT_FALSE(state_->GetDynamicSTSState(kYahooDomain, &sts_state));
   EXPECT_FALSE(state_->GetDynamicExpectCTState(
-      kYahooDomain, NetworkIsolationKey(), &expect_ct_state));
+      kYahooDomain, NetworkAnonymizationKey(), &expect_ct_state));
 }
 
 // Tests that serializing -> deserializing -> reserializing results in the same
@@ -160,21 +159,20 @@ TEST_P(TransportSecurityPersisterTest, SerializeData2) {
 
 TEST_P(TransportSecurityPersisterTest, SerializeData3) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   const GURL report_uri(kReportUri);
   // Add an entry.
   base::Time expiry = base::Time::Now() + base::Seconds(1000);
   bool include_subdomains = false;
   state_->AddHSTS("www.example.com", expiry, include_subdomains);
   state_->AddExpectCT("www.example.com", expiry, true /* enforce */, GURL(),
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
 
   // Add another entry.
   expiry = base::Time::Now() + base::Seconds(3000);
   state_->AddHSTS("www.example.net", expiry, include_subdomains);
   state_->AddExpectCT("www.example.net", expiry, false /* enforce */,
-                      report_uri, NetworkIsolationKey());
+                      report_uri, NetworkAnonymizationKey());
 
   // Save a copy of everything.
   std::set<std::string> sts_saved;
@@ -309,19 +307,18 @@ TEST_P(TransportSecurityPersisterTest, DeserializeDataOldMergedDictionary) {
 // Tests that dynamic Expect-CT state is serialized and deserialized correctly.
 TEST_P(TransportSecurityPersisterTest, ExpectCT) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   const GURL report_uri(kReportUri);
   TransportSecurityState::ExpectCTState expect_ct_state;
   static const char kTestDomain[] = "example.test";
 
   EXPECT_FALSE(state_->GetDynamicExpectCTState(
-      kTestDomain, NetworkIsolationKey(), &expect_ct_state));
+      kTestDomain, NetworkAnonymizationKey(), &expect_ct_state));
 
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::Seconds(1000);
   state_->AddExpectCT(kTestDomain, expiry, true /* enforce */, GURL(),
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
   std::string serialized;
   EXPECT_TRUE(persister_->SerializeData(&serialized));
   // LoadEntries() clears existing dynamic data before loading entries from
@@ -330,7 +327,7 @@ TEST_P(TransportSecurityPersisterTest, ExpectCT) {
 
   TransportSecurityState::ExpectCTState new_expect_ct_state;
   EXPECT_TRUE(state_->GetDynamicExpectCTState(
-      kTestDomain, NetworkIsolationKey(), &new_expect_ct_state));
+      kTestDomain, NetworkAnonymizationKey(), &new_expect_ct_state));
   EXPECT_TRUE(new_expect_ct_state.enforce);
   EXPECT_TRUE(new_expect_ct_state.report_uri.is_empty());
   EXPECT_EQ(expiry, new_expect_ct_state.expiry);
@@ -338,11 +335,11 @@ TEST_P(TransportSecurityPersisterTest, ExpectCT) {
   // Update the state for the domain and check that it is
   // serialized/deserialized correctly.
   state_->AddExpectCT(kTestDomain, expiry, false /* enforce */, report_uri,
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
   EXPECT_TRUE(persister_->SerializeData(&serialized));
   persister_->LoadEntries(serialized);
   EXPECT_TRUE(state_->GetDynamicExpectCTState(
-      kTestDomain, NetworkIsolationKey(), &new_expect_ct_state));
+      kTestDomain, NetworkAnonymizationKey(), &new_expect_ct_state));
   EXPECT_FALSE(new_expect_ct_state.enforce);
   EXPECT_EQ(report_uri, new_expect_ct_state.report_uri);
   EXPECT_EQ(expiry, new_expect_ct_state.expiry);
@@ -352,20 +349,19 @@ TEST_P(TransportSecurityPersisterTest, ExpectCT) {
 // when there is also STS data present.
 TEST_P(TransportSecurityPersisterTest, ExpectCTWithSTSDataPresent) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   const GURL report_uri(kReportUri);
   TransportSecurityState::ExpectCTState expect_ct_state;
   static const char kTestDomain[] = "example.test";
 
   EXPECT_FALSE(state_->GetDynamicExpectCTState(
-      kTestDomain, NetworkIsolationKey(), &expect_ct_state));
+      kTestDomain, NetworkAnonymizationKey(), &expect_ct_state));
 
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::Seconds(1000);
   state_->AddHSTS(kTestDomain, expiry, false /* include subdomains */);
   state_->AddExpectCT(kTestDomain, expiry, true /* enforce */, GURL(),
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
 
   std::string serialized;
   EXPECT_TRUE(persister_->SerializeData(&serialized));
@@ -375,7 +371,7 @@ TEST_P(TransportSecurityPersisterTest, ExpectCTWithSTSDataPresent) {
 
   TransportSecurityState::ExpectCTState new_expect_ct_state;
   EXPECT_TRUE(state_->GetDynamicExpectCTState(
-      kTestDomain, NetworkIsolationKey(), &new_expect_ct_state));
+      kTestDomain, NetworkAnonymizationKey(), &new_expect_ct_state));
   EXPECT_TRUE(new_expect_ct_state.enforce);
   EXPECT_TRUE(new_expect_ct_state.report_uri.is_empty());
   EXPECT_EQ(expiry, new_expect_ct_state.expiry);
@@ -390,44 +386,42 @@ TEST_P(TransportSecurityPersisterTest, ExpectCTWithSTSDataPresent) {
 // is disabled.
 TEST_P(TransportSecurityPersisterTest, ExpectCTDisabled) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndDisableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndDisableFeature(kDynamicExpectCTFeature);
   const GURL report_uri(kReportUri);
   TransportSecurityState::ExpectCTState expect_ct_state;
   static const char kTestDomain[] = "example.test";
 
   EXPECT_FALSE(state_->GetDynamicExpectCTState(
-      kTestDomain, NetworkIsolationKey(), &expect_ct_state));
+      kTestDomain, NetworkAnonymizationKey(), &expect_ct_state));
 
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::Seconds(1000);
   state_->AddExpectCT(kTestDomain, expiry, true /* enforce */, GURL(),
-                      NetworkIsolationKey());
+                      NetworkAnonymizationKey());
   std::string serialized;
   EXPECT_TRUE(persister_->SerializeData(&serialized));
   persister_->LoadEntries(serialized);
 
   TransportSecurityState::ExpectCTState new_expect_ct_state;
   EXPECT_FALSE(state_->GetDynamicExpectCTState(
-      kTestDomain, NetworkIsolationKey(), &new_expect_ct_state));
+      kTestDomain, NetworkAnonymizationKey(), &new_expect_ct_state));
 }
 
-// Save data with several NetworkIsolationKeys with
+// Save data with several NetworkAnonymizationKeys with
 // kPartitionExpectCTStateByNetworkIsolationKey enabled, and then load it with
 // the feature enabled or disabled, based on partition_expect_ct_state().
 TEST_P(TransportSecurityPersisterTest, ExpectCTWithNetworkIsolationKey) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   const GURL report_uri(kReportUri);
   static const char kTestDomain[] = "example.test";
   const SchemefulSite kSite(GURL("https://somewhere.else.test"));
-  const NetworkIsolationKey empty_network_isolation_key;
-  const NetworkIsolationKey network_isolation_key(kSite /* top_frame_site */,
-                                                  kSite /* frame_site */);
-  const NetworkIsolationKey transient_network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  const NetworkAnonymizationKey empty_network_anonymization_key;
+  const NetworkAnonymizationKey network_anonymization_key(
+      kSite /* top_frame_site */, kSite /* frame_site */);
+  const NetworkAnonymizationKey transient_network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
 
   const base::Time current_time(base::Time::Now());
   const base::Time expiry1 = current_time + base::Seconds(1000);
@@ -450,19 +444,19 @@ TEST_P(TransportSecurityPersisterTest, ExpectCTWithNetworkIsolationKey) {
         transport_security_file_path_);
     TransportSecurityState::ExpectCTState expect_ct_state;
     state2.AddExpectCT(kTestDomain, expiry1, true /* enforce */, GURL(),
-                       empty_network_isolation_key);
+                       empty_network_anonymization_key);
     state2.AddExpectCT(kTestDomain, expiry2, true /* enforce */, GURL(),
-                       network_isolation_key);
+                       network_anonymization_key);
     state2.AddExpectCT(kTestDomain, expiry3, true /* enforce */, GURL(),
-                       transient_network_isolation_key);
+                       transient_network_anonymization_key);
     EXPECT_TRUE(persister2.SerializeData(&serialized));
 
     EXPECT_TRUE(state2.GetDynamicExpectCTState(
-        kTestDomain, empty_network_isolation_key, &expect_ct_state));
+        kTestDomain, empty_network_anonymization_key, &expect_ct_state));
     EXPECT_TRUE(state2.GetDynamicExpectCTState(
-        kTestDomain, network_isolation_key, &expect_ct_state));
+        kTestDomain, network_anonymization_key, &expect_ct_state));
     EXPECT_TRUE(state2.GetDynamicExpectCTState(
-        kTestDomain, transient_network_isolation_key, &expect_ct_state));
+        kTestDomain, transient_network_anonymization_key, &expect_ct_state));
   }
 
   // Load entries into the other persister.
@@ -471,27 +465,28 @@ TEST_P(TransportSecurityPersisterTest, ExpectCTWithNetworkIsolationKey) {
   if (partition_expect_ct_state()) {
     TransportSecurityState::ExpectCTState new_expect_ct_state;
     EXPECT_TRUE(state_->GetDynamicExpectCTState(
-        kTestDomain, empty_network_isolation_key, &new_expect_ct_state));
+        kTestDomain, empty_network_anonymization_key, &new_expect_ct_state));
     EXPECT_TRUE(new_expect_ct_state.enforce);
     EXPECT_TRUE(new_expect_ct_state.report_uri.is_empty());
     EXPECT_EQ(expiry1, new_expect_ct_state.expiry);
 
     EXPECT_TRUE(state_->GetDynamicExpectCTState(
-        kTestDomain, network_isolation_key, &new_expect_ct_state));
+        kTestDomain, network_anonymization_key, &new_expect_ct_state));
     EXPECT_TRUE(new_expect_ct_state.enforce);
     EXPECT_TRUE(new_expect_ct_state.report_uri.is_empty());
     EXPECT_EQ(expiry2, new_expect_ct_state.expiry);
 
-    // The data associated with the transient NetworkIsolationKey should not
+    // The data associated with the transient NetworkAnonymizationKey should not
     // have been saved.
     EXPECT_FALSE(state_->GetDynamicExpectCTState(
-        kTestDomain, transient_network_isolation_key, &new_expect_ct_state));
+        kTestDomain, transient_network_anonymization_key,
+        &new_expect_ct_state));
   } else {
     std::set<std::string> expect_ct_saved;
     TransportSecurityState::ExpectCTStateIterator expect_ct_iter(*state_);
     ASSERT_TRUE(expect_ct_iter.HasNext());
-    EXPECT_EQ(empty_network_isolation_key,
-              expect_ct_iter.network_isolation_key());
+    EXPECT_EQ(empty_network_anonymization_key,
+              expect_ct_iter.network_anonymization_key());
     EXPECT_TRUE(expect_ct_iter.domain_state().enforce);
     EXPECT_TRUE(expect_ct_iter.domain_state().report_uri.is_empty());
     expect_ct_iter.Advance();
@@ -499,13 +494,13 @@ TEST_P(TransportSecurityPersisterTest, ExpectCTWithNetworkIsolationKey) {
   }
 }
 
-// Test the case when deserializing a NetworkIsolationKey fails.
+// Test the case when deserializing a NetworkAnonymizationKey fails.
 TEST_P(TransportSecurityPersisterTest,
        ExpectCTNetworkIsolationKeyDeserializationFails) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
-      {TransportSecurityState::kDynamicExpectCTFeature,
+      {kDynamicExpectCTFeature,
        features::kPartitionExpectCTStateByNetworkIsolationKey},
       // disabled_features
       {});
@@ -513,9 +508,9 @@ TEST_P(TransportSecurityPersisterTest,
   const GURL report_uri(kReportUri);
   static const char kTestDomain[] = "example.test";
   const SchemefulSite kSite(GURL("https://somewhere.else.test"));
-  const NetworkIsolationKey empty_network_isolation_key;
-  const NetworkIsolationKey network_isolation_key(kSite /* top_frame_site */,
-                                                  kSite /* frame_site */);
+  const NetworkAnonymizationKey empty_network_anonymization_key;
+  const NetworkAnonymizationKey network_anonymization_key(
+      kSite /* top_frame_site */, kSite /* frame_site */);
   const base::Time current_time(base::Time::Now());
   const base::Time expiry1 = current_time + base::Seconds(1000);
   const base::Time expiry2 = current_time + base::Seconds(2000);
@@ -531,20 +526,20 @@ TEST_P(TransportSecurityPersisterTest,
       transport_security_file_path_);
   TransportSecurityState::ExpectCTState expect_ct_state;
   state2.AddExpectCT(kTestDomain, expiry1, true /* enforce */, GURL(),
-                     empty_network_isolation_key);
+                     empty_network_anonymization_key);
   state2.AddExpectCT(kTestDomain, expiry2, true /* enforce */, GURL(),
-                     network_isolation_key);
+                     network_anonymization_key);
   EXPECT_TRUE(persister2.SerializeData(&serialized));
 
   EXPECT_TRUE(state2.GetDynamicExpectCTState(
-      kTestDomain, empty_network_isolation_key, &expect_ct_state));
-  EXPECT_TRUE(state2.GetDynamicExpectCTState(kTestDomain, network_isolation_key,
-                                             &expect_ct_state));
+      kTestDomain, empty_network_anonymization_key, &expect_ct_state));
+  EXPECT_TRUE(state2.GetDynamicExpectCTState(
+      kTestDomain, network_anonymization_key, &expect_ct_state));
 
-  // Replace reference to |network_isolation_key|'s value with an invalid NIK
-  // value.
+  // Replace reference to |network_anonymization_key|'s value with an invalid
+  // NIK value.
   base::Value nik_value;
-  ASSERT_TRUE(network_isolation_key.ToValue(&nik_value));
+  ASSERT_TRUE(network_anonymization_key.ToValue(&nik_value));
   std::string nik_string;
   ASSERT_TRUE(base::JSONWriter::Write(nik_value, &nik_string));
   base::ReplaceFirstSubstringAfterOffset(&serialized, 0, nik_string,
@@ -553,13 +548,13 @@ TEST_P(TransportSecurityPersisterTest,
   // Load entries into the other persister.
   persister_->LoadEntries(serialized);
 
-  // The entry with the non-empty NetworkIsolationKey should be dropped, since
-  // its NIK is now invalid. The other entry should be preserved.
+  // The entry with the non-empty NetworkAnonymizationKey should be dropped,
+  // since its NIK is now invalid. The other entry should be preserved.
   std::set<std::string> expect_ct_saved;
   TransportSecurityState::ExpectCTStateIterator expect_ct_iter(*state_);
   ASSERT_TRUE(expect_ct_iter.HasNext());
-  EXPECT_EQ(empty_network_isolation_key,
-            expect_ct_iter.network_isolation_key());
+  EXPECT_EQ(empty_network_anonymization_key,
+            expect_ct_iter.network_anonymization_key());
   EXPECT_TRUE(expect_ct_iter.domain_state().enforce);
   EXPECT_TRUE(expect_ct_iter.domain_state().report_uri.is_empty());
   expect_ct_iter.Advance();
diff --git a/chromium/net/http/transport_security_state.cc b/chromium/net/http/transport_security_state.cc
index cbe5d84732f..deb1e3b944f 100644
--- a/chromium/net/http/transport_security_state.cc
+++ b/chromium/net/http/transport_security_state.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -71,8 +71,7 @@ const size_t kReportCacheKeyLength = 16;
 bool g_ct_required_for_testing = false;
 
 bool IsDynamicExpectCTEnabled() {
-  return base::FeatureList::IsEnabled(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  return base::FeatureList::IsEnabled(kDynamicExpectCTFeature);
 }
 
 base::Value GetPEMEncodedChainAsList(const net::X509Certificate* cert_chain) {
@@ -382,12 +381,14 @@ bool DecodeHSTSPreload(const std::string& search_hostname, PreloadResult* out) {
 }  // namespace
 
 // static
-const base::Feature TransportSecurityState::kDynamicExpectCTFeature{
-    "DynamicExpectCT", base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kDynamicExpectCTFeature,
+             "DynamicExpectCT",
+             base::FEATURE_DISABLED_BY_DEFAULT);
 
 // static
-const base::Feature TransportSecurityState::kCertificateTransparencyEnforcement{
-    "CertificateTransparencyEnforcement", base::FEATURE_ENABLED_BY_DEFAULT};
+BASE_FEATURE(kCertificateTransparencyEnforcement,
+             "CertificateTransparencyEnforcement",
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
 void SetTransportSecurityStateSourceForTesting(
     const TransportSecurityStateSource* source) {
@@ -459,7 +460,7 @@ TransportSecurityState::PKPStatus TransportSecurityState::CheckPublicKeyPins(
     const X509Certificate* served_certificate_chain,
     const X509Certificate* validated_certificate_chain,
     const PublicKeyPinReportStatus report_status,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     std::string* pinning_failure_log) {
   // Perform pin validation only if the server actually has public key pins.
   if (!HasPublicKeyPins(host_port_pair.host())) {
@@ -469,7 +470,7 @@ TransportSecurityState::PKPStatus TransportSecurityState::CheckPublicKeyPins(
   PKPStatus pin_validity = CheckPublicKeyPinsImpl(
       host_port_pair, is_issued_by_known_root, public_key_hashes,
       served_certificate_chain, validated_certificate_chain, report_status,
-      network_isolation_key, pinning_failure_log);
+      network_anonymization_key, pinning_failure_log);
 
   // Don't track statistics when a local trust anchor would override the pinning
   // anyway.
@@ -497,7 +498,7 @@ TransportSecurityState::CheckCTRequirements(
         signed_certificate_timestamps,
     const ExpectCTReportStatus report_status,
     ct::CTPolicyCompliance policy_compliance,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   using CTRequirementLevel = RequireCTDelegate::CTRequirementLevel;
   std::string hostname = host_port_pair.host();
 
@@ -528,13 +529,13 @@ TransportSecurityState::CheckCTRequirements(
   bool required_via_expect_ct = false;
   ExpectCTState state;
   if (IsDynamicExpectCTEnabled() &&
-      GetDynamicExpectCTState(hostname, network_isolation_key, &state)) {
+      GetDynamicExpectCTState(hostname, network_anonymization_key, &state)) {
     if (!complies && expect_ct_reporter_ && !state.report_uri.is_empty() &&
         report_status == ENABLE_EXPECT_CT_REPORTS) {
       MaybeNotifyExpectCTFailed(
           host_port_pair, state.report_uri, state.expiry,
           validated_certificate_chain, served_certificate_chain,
-          signed_certificate_timestamps, network_isolation_key);
+          signed_certificate_timestamps, network_anonymization_key);
     }
     required_via_expect_ct = state.enforce;
   }
@@ -721,7 +722,7 @@ void TransportSecurityState::AddExpectCTInternal(
     const base::Time& expiry,
     bool enforce,
     const GURL& report_uri,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   if (!IsDynamicExpectCTEnabled())
     return;
@@ -741,7 +742,7 @@ void TransportSecurityState::AddExpectCTInternal(
   // Only store new state when Expect-CT is explicitly enabled. If it is
   // disabled, remove the state from the enabled hosts.
   ExpectCTStateIndex index = CreateExpectCTStateIndex(
-      HashHost(canonicalized_host), network_isolation_key);
+      HashHost(canonicalized_host), network_anonymization_key);
   if (expect_ct_state.enforce || !expect_ct_state.report_uri.is_empty()) {
     enabled_expect_ct_hosts_[index] = expect_ct_state;
     MaybePruneExpectCTState();
@@ -766,7 +767,7 @@ TransportSecurityState::CheckPinsAndMaybeSendReport(
     const X509Certificate* served_certificate_chain,
     const X509Certificate* validated_certificate_chain,
     const TransportSecurityState::PublicKeyPinReportStatus report_status,
-    const net::NetworkIsolationKey& network_isolation_key,
+    const net::NetworkAnonymizationKey& network_anonymization_key,
     std::string* failure_log) {
   if (pkp_state.CheckPublicKeyPins(hashes, failure_log))
     return PKPStatus::OK;
@@ -807,7 +808,7 @@ TransportSecurityState::CheckPinsAndMaybeSendReport(
       base::TimeTicks::Now() + base::Minutes(kTimeToRememberReportsMins));
 
   report_sender_->Send(pkp_state.report_uri, "application/json; charset=utf-8",
-                       serialized_report, network_isolation_key,
+                       serialized_report, network_anonymization_key,
                        base::OnceCallback<void()>(),
                        base::OnceCallback<void(const GURL&, int, int)>());
   return PKPStatus::VIOLATED;
@@ -841,7 +842,7 @@ void TransportSecurityState::MaybeNotifyExpectCTFailed(
     const X509Certificate* served_certificate_chain,
     const SignedCertificateTimestampAndStatusList&
         signed_certificate_timestamps,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   // Do not send repeated reports to the same host/port pair within
   // |kTimeToRememberReportsMins|. Theoretically, there could be scenarios in
   // which the same host/port generates different reports and it would be useful
@@ -859,7 +860,7 @@ void TransportSecurityState::MaybeNotifyExpectCTFailed(
   expect_ct_reporter_->OnExpectCTFailed(
       host_port_pair, report_uri, expiration, validated_certificate_chain,
       served_certificate_chain, signed_certificate_timestamps,
-      network_isolation_key);
+      network_anonymization_key);
 }
 
 bool TransportSecurityState::DeleteDynamicDataForHost(const std::string& host) {
@@ -1014,17 +1015,17 @@ void TransportSecurityState::AddExpectCT(
     const base::Time& expiry,
     bool enforce,
     const GURL& report_uri,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   AddExpectCTInternal(host, base::Time::Now(), expiry, enforce, report_uri,
-                      network_isolation_key);
+                      network_anonymization_key);
 }
 
 void TransportSecurityState::ProcessExpectCTHeader(
     const std::string& value,
     const HostPortPair& host_port_pair,
     const SSLInfo& ssl_info,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // If a site sends `Expect-CT: preload` and appears on the preload list, they
@@ -1049,7 +1050,7 @@ void TransportSecurityState::ProcessExpectCTHeader(
       MaybeNotifyExpectCTFailed(
           host_port_pair, state.report_uri, base::Time(), ssl_info.cert.get(),
           ssl_info.unverified_cert.get(),
-          ssl_info.signed_certificate_timestamps, network_isolation_key);
+          ssl_info.signed_certificate_timestamps, network_anonymization_key);
     }
     return;
   }
@@ -1089,17 +1090,17 @@ void TransportSecurityState::ProcessExpectCTHeader(
     }
     ExpectCTState state;
     if (expect_ct_reporter_ && !report_uri.is_empty() &&
-        !GetDynamicExpectCTState(host_port_pair.host(), network_isolation_key,
-                                 &state)) {
+        !GetDynamicExpectCTState(host_port_pair.host(),
+                                 network_anonymization_key, &state)) {
       MaybeNotifyExpectCTFailed(
           host_port_pair, report_uri, base::Time(), ssl_info.cert.get(),
           ssl_info.unverified_cert.get(),
-          ssl_info.signed_certificate_timestamps, network_isolation_key);
+          ssl_info.signed_certificate_timestamps, network_anonymization_key);
     }
     return;
   }
   AddExpectCTInternal(host_port_pair.host(), now, now + max_age, enforce,
-                      report_uri, network_isolation_key);
+                      report_uri, network_anonymization_key);
 }
 
 // static
@@ -1135,7 +1136,7 @@ TransportSecurityState::CheckPublicKeyPinsImpl(
     const X509Certificate* served_certificate_chain,
     const X509Certificate* validated_certificate_chain,
     const PublicKeyPinReportStatus report_status,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     std::string* failure_log) {
   PKPState pkp_state;
   bool found_state = GetPKPState(host_port_pair.host(), &pkp_state);
@@ -1146,7 +1147,7 @@ TransportSecurityState::CheckPublicKeyPinsImpl(
   return CheckPinsAndMaybeSendReport(
       host_port_pair, is_issued_by_known_root, pkp_state, hashes,
       served_certificate_chain, validated_certificate_chain, report_status,
-      network_isolation_key, failure_log);
+      network_anonymization_key, failure_log);
 }
 
 bool TransportSecurityState::GetStaticSTSState(const std::string& host,
@@ -1342,7 +1343,7 @@ bool TransportSecurityState::GetDynamicPKPState(const std::string& host,
 
 bool TransportSecurityState::GetDynamicExpectCTState(
     const std::string& host,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ExpectCTState* result) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
@@ -1352,7 +1353,7 @@ bool TransportSecurityState::GetDynamicExpectCTState(
 
   base::Time current_time(base::Time::Now());
   auto j = enabled_expect_ct_hosts_.find(CreateExpectCTStateIndex(
-      HashHost(canonicalized_host), network_isolation_key));
+      HashHost(canonicalized_host), network_anonymization_key));
   if (j == enabled_expect_ct_hosts_.end())
     return false;
   // If the entry is invalid, drop it.
@@ -1376,12 +1377,12 @@ void TransportSecurityState::AddOrUpdateEnabledSTSHosts(
 
 void TransportSecurityState::AddOrUpdateEnabledExpectCTHosts(
     const std::string& hashed_host,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const ExpectCTState& state) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(state.enforce || !state.report_uri.is_empty());
   enabled_expect_ct_hosts_[CreateExpectCTStateIndex(
-      hashed_host, network_isolation_key)] = state;
+      hashed_host, network_anonymization_key)] = state;
 }
 
 TransportSecurityState::STSState::STSState() = default;
@@ -1412,12 +1413,12 @@ TransportSecurityState::ExpectCTState::~ExpectCTState() = default;
 
 TransportSecurityState::ExpectCTStateIndex::ExpectCTStateIndex(
     const std::string& hashed_host,
-    const NetworkIsolationKey& network_isolation_key,
-    bool respect_network_isolation_keyn_key)
+    const NetworkAnonymizationKey& network_anonymization_key,
+    bool respect_network_anonymization_key)
     : hashed_host(hashed_host),
-      network_isolation_key(respect_network_isolation_keyn_key
-                                ? network_isolation_key
-                                : NetworkIsolationKey()) {}
+      network_anonymization_key(respect_network_anonymization_key
+                                    ? network_anonymization_key
+                                    : NetworkAnonymizationKey()) {}
 
 TransportSecurityState::ExpectCTStateIterator::ExpectCTStateIterator(
     const TransportSecurityState& state)
@@ -1491,8 +1492,8 @@ bool TransportSecurityState::PKPState::HasPublicKeyPins() const {
 TransportSecurityState::ExpectCTStateIndex
 TransportSecurityState::CreateExpectCTStateIndex(
     const std::string& hashed_host,
-    const NetworkIsolationKey& network_isolation_key) {
-  return ExpectCTStateIndex(hashed_host, network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  return ExpectCTStateIndex(hashed_host, network_anonymization_key,
                             key_expect_ct_by_nik_);
 }
 
@@ -1535,7 +1536,7 @@ void TransportSecurityState::MaybePruneExpectCTState() {
       return;
 
     // Entries that are older than the prunable time window, are report-only, or
-    // have a transient NetworkIsolationKey, are considered prunable.
+    // have a transient NetworkAnonymizationKey, are considered prunable.
     //
     // If |key_expect_ct_by_nik_| is false, all entries have an empty NIK.
     // IsTransient() returns true for the empty NIK, despite entries being saved
@@ -1544,7 +1545,7 @@ void TransportSecurityState::MaybePruneExpectCTState() {
             last_prunable_observation_time ||
         !expect_ct_iterator->second.enforce ||
         (key_expect_ct_by_nik_ &&
-         expect_ct_iterator->first.network_isolation_key.IsTransient())) {
+         expect_ct_iterator->first.network_anonymization_key.IsTransient())) {
       prunable_expect_ct_entries.push_back(expect_ct_iterator);
     }
     ++expect_ct_iterator;
@@ -1572,22 +1573,23 @@ void TransportSecurityState::MaybePruneExpectCTState() {
   }
 
   // If there are fewer than |kExpectCTPruneMin| entries remaining, or entries
-  // are not being keyed by NetworkIsolationKey, nothing left to do.
+  // are not being keyed by NetworkAnonymizationKey, nothing left to do.
   if (enabled_expect_ct_hosts_.size() <= expect_ct_prune_min ||
       !key_expect_ct_by_nik_) {
     return;
   }
 
-  // Otherwise, cap the number of entries per NetworkIsolationKey to
+  // Otherwise, cap the number of entries per NetworkAnonymizationKey to
   // |kMaxEntriesPerNik|.
 
   // Create a vector of all the ExpectCT entries for each NIK.
-  std::map<net::NetworkIsolationKey, std::vector<ExpectCTStateMap::iterator>>
+  std::map<net::NetworkAnonymizationKey,
+           std::vector<ExpectCTStateMap::iterator>>
       nik_map;
   for (auto expect_ct_iterator = enabled_expect_ct_hosts_.begin();
        expect_ct_iterator != enabled_expect_ct_hosts_.end();
        ++expect_ct_iterator) {
-    nik_map[expect_ct_iterator->first.network_isolation_key].push_back(
+    nik_map[expect_ct_iterator->first.network_anonymization_key].push_back(
         expect_ct_iterator);
   }
 
@@ -1614,8 +1616,8 @@ bool TransportSecurityState::ExpectCTPruningSorter(
     const ExpectCTStateMap::iterator& it2) {
   // std::tie requires r-values, so have to put these on the stack to use
   // std::tie.
-  bool is_not_transient1 = !it1->first.network_isolation_key.IsTransient();
-  bool is_not_transient2 = !it2->first.network_isolation_key.IsTransient();
+  bool is_not_transient1 = !it1->first.network_anonymization_key.IsTransient();
+  bool is_not_transient2 = !it2->first.network_anonymization_key.IsTransient();
   return std::tie(is_not_transient1, it1->second.enforce,
                   it1->second.last_observed) <
          std::tie(is_not_transient2, it2->second.enforce,
diff --git a/chromium/net/http/transport_security_state.h b/chromium/net/http/transport_security_state.h
index 99899b7c5c2..464cbd182e1 100644
--- a/chromium/net/http/transport_security_state.h
+++ b/chromium/net/http/transport_security_state.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -21,7 +21,7 @@
 #include "net/base/expiring_cache.h"
 #include "net/base/hash_value.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/cert/signed_certificate_timestamp_and_status.h"
 #include "net/http/transport_security_state_source.h"
 #include "net/log/net_log_with_source.h"
@@ -35,10 +35,19 @@ enum class CTPolicyCompliance;
 }
 
 class HostPortPair;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class SSLInfo;
 class X509Certificate;
 
+// Feature that controls whether Expect-CT HTTP headers are parsed, processed,
+// and stored.
+NET_EXPORT BASE_DECLARE_FEATURE(kDynamicExpectCTFeature);
+
+// Feature that controls whether Certificate Transparency is enforced. This
+// feature is default enabled and meant only as an emergency killswitch. It
+// will not enable enforcement in platforms that otherwise have it disabled.
+NET_EXPORT BASE_DECLARE_FEATURE(kCertificateTransparencyEnforcement);
+
 void NET_EXPORT_PRIVATE SetTransportSecurityStateSourceForTesting(
     const TransportSecurityStateSource* source);
 
@@ -246,28 +255,29 @@ class NET_EXPORT TransportSecurityState {
     base::Time expiry;
   };
 
-  // Unlike other data, Expect-CT information is indexed by NetworkIsolationKey
-  // in addition to domain hash, to prevent leaking user IDs across different
-  // first party contexts. Public only because ExpectCTStateIterator is public
-  // and depends on it.
+  // Unlike other data, Expect-CT information is indexed by
+  // NetworkAnonymizationKey in addition to domain hash, to prevent leaking user
+  // IDs across different first party contexts. Public only because
+  // ExpectCTStateIterator is public and depends on it.
   struct ExpectCTStateIndex {
-    // Creates an ExpectCTStateIndex. Uses an empty NetworkIsolationKey instead
-    // of the passed in one, depending on |respect_network_isolation_key|.
-    // The value of features::kPartitionExpectCTStateByNetworkIsolationKey is
-    // cached on creation of the TransportSecurityState, and then passed in to
-    // this method whenever an ExpectCTStateIndex() is created, to avoid
-    // constantly querying the field trial.
+    // Creates an ExpectCTStateIndex. Uses an empty NetworkAnonymizationKey
+    // instead of the passed in one, depending on
+    // |respect_network_anonymization_key|. The value of
+    // features::kPartitionExpectCTStateByNetworkIsolationKey is cached on
+    // creation of the TransportSecurityState, and then passed in to this method
+    // whenever an ExpectCTStateIndex() is created, to avoid constantly querying
+    // the field trial.
     ExpectCTStateIndex(const std::string& hashed_host,
-                       const NetworkIsolationKey& network_isolation_key,
-                       bool respect_network_isolation_key);
+                       const NetworkAnonymizationKey& network_anonymization_key,
+                       bool respect_network_anonymization_key);
 
     bool operator<(const ExpectCTStateIndex& other) const {
-      return std::tie(hashed_host, network_isolation_key) <
-             std::tie(other.hashed_host, other.network_isolation_key);
+      return std::tie(hashed_host, network_anonymization_key) <
+             std::tie(other.hashed_host, other.network_anonymization_key);
     }
 
     std::string hashed_host;
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
   };
 
   class NET_EXPORT ExpectCTStateIterator {
@@ -278,8 +288,8 @@ class NET_EXPORT TransportSecurityState {
     bool HasNext() const { return iterator_ != end_; }
     void Advance() { ++iterator_; }
     const std::string& hostname() const { return iterator_->first.hashed_host; }
-    const NetworkIsolationKey& network_isolation_key() const {
-      return iterator_->first.network_isolation_key;
+    const NetworkAnonymizationKey& network_anonymization_key() const {
+      return iterator_->first.network_anonymization_key;
     }
     const ExpectCTState& domain_state() const { return iterator_->second; }
 
@@ -302,7 +312,7 @@ class NET_EXPORT TransportSecurityState {
     virtual void Send(const GURL& report_uri,
                       base::StringPiece content_type,
                       base::StringPiece report,
-                      const NetworkIsolationKey& network_isolation_key,
+                      const NetworkAnonymizationKey& network_anonymization_key,
                       base::OnceCallback<void()> success_callback,
                       base::OnceCallback<void(const GURL&,
                                               int /* net_error */,
@@ -329,7 +339,7 @@ class NET_EXPORT TransportSecurityState {
         const X509Certificate* served_certificate_chain,
         const SignedCertificateTimestampAndStatusList&
             signed_certificate_timestamps,
-        const NetworkIsolationKey& network_isolation_key) = 0;
+        const NetworkAnonymizationKey& network_anonymization_key) = 0;
 
    protected:
     virtual ~ExpectCTReporter() = default;
@@ -392,15 +402,6 @@ class NET_EXPORT TransportSecurityState {
     CT_REQUIREMENTS_NOT_MET,
   };
 
-  // Feature that controls whether Expect-CT HTTP headers are parsed, processed,
-  // and stored.
-  static const base::Feature kDynamicExpectCTFeature;
-
-  // Feature that controls whether Certificate Transparency is enforced. This
-  // feature is default enabled and meant only as an emergency killswitch. It
-  // will not enable enforcement in platforms that otherwise have it disabled.
-  static const base::Feature kCertificateTransparencyEnforcement;
-
   TransportSecurityState();
 
   // Creates a TransportSecurityState object that will skip the check to force
@@ -429,7 +430,7 @@ class NET_EXPORT TransportSecurityState {
       const X509Certificate* served_certificate_chain,
       const X509Certificate* validated_certificate_chain,
       const PublicKeyPinReportStatus report_status,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       std::string* failure_log);
   bool HasPublicKeyPins(const std::string& host);
 
@@ -457,7 +458,7 @@ class NET_EXPORT TransportSecurityState {
           signed_certificate_timestamps,
       const ExpectCTReportStatus report_status,
       ct::CTPolicyCompliance policy_compliance,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Assign a |Delegate| for persisting the transport security state. If
   // |NULL|, state will not be persisted. The caller retains
@@ -521,7 +522,7 @@ class NET_EXPORT TransportSecurityState {
   // TransportSecurityState.
   void AddOrUpdateEnabledExpectCTHosts(
       const std::string& hashed_host,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const ExpectCTState& state);
 
   // Deletes all dynamic data (e.g. HSTS or HPKP data) created between a time
@@ -567,9 +568,10 @@ class NET_EXPORT TransportSecurityState {
   // entries that have expired.
   bool GetDynamicSTSState(const std::string& host, STSState* result);
   bool GetDynamicPKPState(const std::string& host, PKPState* result);
-  bool GetDynamicExpectCTState(const std::string& host,
-                               const NetworkIsolationKey& network_isolation_key,
-                               ExpectCTState* result);
+  bool GetDynamicExpectCTState(
+      const std::string& host,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      ExpectCTState* result);
 
   // Processes an HSTS header value from the host, adding entries to
   // dynamic state if necessary.
@@ -598,7 +600,7 @@ class NET_EXPORT TransportSecurityState {
                    const base::Time& expiry,
                    bool enforce,
                    const GURL& report_uri,
-                   const NetworkIsolationKey& network_isolation_key);
+                   const NetworkAnonymizationKey& network_anonymization_key);
 
   // Enables or disables public key pinning bypass for local trust anchors.
   // Disabling the bypass for local trust anchors is highly discouraged.
@@ -618,10 +620,11 @@ class NET_EXPORT TransportSecurityState {
   // wants to opt-in to the static report-only version of Expect-CT. If the
   // given host is present on the preload list and the build is timely and the
   // connection is not CT-compliant, then a report will be sent.
-  void ProcessExpectCTHeader(const std::string& value,
-                             const HostPortPair& host_port_pair,
-                             const SSLInfo& ssl_info,
-                             const NetworkIsolationKey& network_isolation_key);
+  void ProcessExpectCTHeader(
+      const std::string& value,
+      const HostPortPair& host_port_pair,
+      const SSLInfo& ssl_info,
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   void AssertCalledOnValidThread() const {
     DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
@@ -678,7 +681,7 @@ class NET_EXPORT TransportSecurityState {
       const X509Certificate* served_certificate_chain,
       const X509Certificate* validated_certificate_chain,
       const PublicKeyPinReportStatus report_status,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       std::string* failure_log);
 
   // If a Delegate is present, notify it that the internal state has
@@ -699,12 +702,13 @@ class NET_EXPORT TransportSecurityState {
                        bool include_subdomains,
                        const HashValueVector& hashes,
                        const GURL& report_uri);
-  void AddExpectCTInternal(const std::string& host,
-                           const base::Time& last_observed,
-                           const base::Time& expiry,
-                           bool enforce,
-                           const GURL& report_uri,
-                           const NetworkIsolationKey& network_isolation_key);
+  void AddExpectCTInternal(
+      const std::string& host,
+      const base::Time& last_observed,
+      const base::Time& expiry,
+      bool enforce,
+      const GURL& report_uri,
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Returns true if a request to |host_port_pair| with the given
   // SubjectPublicKeyInfo |hashes| satisfies the pins in |pkp_state|,
@@ -721,7 +725,7 @@ class NET_EXPORT TransportSecurityState {
       const X509Certificate* served_certificate_chain,
       const X509Certificate* validated_certificate_chain,
       const TransportSecurityState::PublicKeyPinReportStatus report_status,
-      const net::NetworkIsolationKey& network_isolation_key,
+      const net::NetworkAnonymizationKey& network_anonymization_key,
       std::string* failure_log);
 
   // Returns true and updates |*expect_ct_result| iff there is a static
@@ -737,13 +741,13 @@ class NET_EXPORT TransportSecurityState {
       const X509Certificate* served_certificate_chain,
       const SignedCertificateTimestampAndStatusList&
           signed_certificate_timestamps,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Convenience method to create ExpectCTStateIndex, taking into account
   // |key_expect_ct_by_nik_|.
   ExpectCTStateIndex CreateExpectCTStateIndex(
       const std::string& hashed_host,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Checks if Expect-CT entries should be pruned, based on number of them and
   // when entries were last pruned, and then performs pruning if necessary.
@@ -793,11 +797,11 @@ class NET_EXPORT TransportSecurityState {
   ReportCache sent_hpkp_reports_cache_;
   ReportCache sent_expect_ct_reports_cache_;
 
-  // Whether Expect-CT data should keyed by a NetworkIsolationKey. When false,
-  // ExpectCTStateIndex is always created with an empty NetworkIsolationKey.
-  // Populated based on features::kPartitionExpectCTStateByNetworkIsolationKey
-  // on construction of the TransportSecurityStateObject to avoid repeatedly
-  // querying the feature.
+  // Whether Expect-CT data should keyed by a NetworkAnonymizationKey. When
+  // false, ExpectCTStateIndex is always created with an empty
+  // NetworkAnonymizationKey. Populated based on
+  // features::kPartitionExpectCTStateByNetworkIsolationKey on construction of
+  // the TransportSecurityStateObject to avoid repeatedly querying the feature.
   bool key_expect_ct_by_nik_;
 
   // The earliest possible time for the next pruning of Expect-CT state.
diff --git a/chromium/net/http/transport_security_state_ct_policies.inc b/chromium/net/http/transport_security_state_ct_policies.inc
index 75f25ab39e2..d500ae515e3 100644
--- a/chromium/net/http/transport_security_state_ct_policies.inc
+++ b/chromium/net/http/transport_security_state_ct_policies.inc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_source.cc b/chromium/net/http/transport_security_state_source.cc
index 587c5dfd072..397192f0f53 100644
--- a/chromium/net/http/transport_security_state_source.cc
+++ b/chromium/net/http/transport_security_state_source.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_source.h b/chromium/net/http/transport_security_state_source.h
index 9a6f5efd1d3..f1f149199cf 100644
--- a/chromium/net/http/transport_security_state_source.h
+++ b/chromium/net/http/transport_security_state_source.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_static.json.gz b/chromium/net/http/transport_security_state_static.json.gz
index f2ce129fb1c..ff8611693d6 100644
--- a/chromium/net/http/transport_security_state_static.json.gz
+++ b/chromium/net/http/transport_security_state_static.json.gz
diff --git a/chromium/net/http/transport_security_state_static.pins b/chromium/net/http/transport_security_state_static.pins
index 5dda8457382..c82d0c59384 100644
--- a/chromium/net/http/transport_security_state_static.pins
+++ b/chromium/net/http/transport_security_state_static.pins
@@ -43,9 +43,9 @@
 #   hash function for preloaded entries again (we have already done so once).
 #
 
-# Last updated: 2022-09-19 12:54 UTC
+# Last updated: 2022-11-14 12:54 UTC
 PinsListTimestamp
-1663592078
+1668430477
 
 TestSPKI
 sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
@@ -1703,91 +1703,6 @@ CxGiCPQqVxPgfNSh+2CPd2Xv04lNeuw6gG89DlOhHuoFKRlmPnom+gwqhz3ZXMfz
 TfmvjrBokzCICA==
 -----END CERTIFICATE-----
 
-# From https://www.identrust.com/certificates/trustid/root-download-x3.html
-# (Linked from https://letsencrypt.org/certificates/#cross-signing )
-DSTRootCAX3
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-
-Swehack
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3v9udw+4dwnRdMlUrXA1
-uQ3Lsp8IxXkU8ZdyLpMKpeloFGGSfYGeuNYsKwWOTbEy3jX6q5YaNv2Zj8713aeW
-d81ibmFj7qNeNRex4W7B2VdFrcajiCkSH5zkx0vmJtkHHdahJIeeDqqDpYa6z+Tk
-ZgNMdl+aUmTc/AjhrdRmLSb2dZ1MLfH9kG1FHlVaTncfg8r9DWUlf5riIbS1Laoy
-CeOnMgq81BWK3lTo81kISzXb7F/p8AElwBl+tmWp7TyF5YWgRKCEjWoM5KuE+kzN
-9trGPvBkagza1xU74mUlnuZ+Vnd9NCsRuvN4y6GFcGPWGTQYP9OpUf0V2bamvt9h
-/QIDAQAB
------END PUBLIC KEY-----
-
-SwehackBackup
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw4T1egfJDsyGLJSs3XQx
-hH9mxcdawb9+XYhjWVeBtHB0s0YF1bZzMYT/b0uPHgzZ0GLcxvMcYBDIMcbLWjsE
-3Fx8qxNIflfFV5O/kv8aMlfWumMwB4jFgn5qxroCgk15gl2+laTOpHnm57PoSh+A
-guLs21PaKe9VG8cpC22FxN7gsxJZYqm7Rt9Vkr+1LCVsSJxTATkUB6k8wfKq12ae
-7t+tj1KS5bP2Nt5TXlaD+UoqcCEZBWMDN1jxZsubDwjt4uknwyn2s8SfR0rT5Phz
-egwjkHHGssbCBe4wMPFK5WEgIgfJik34IJ2zOqpN/ONglKkaG9izQxrikQ0k1xae
-7QIDAQAB
------END PUBLIC KEY-----
-
-# https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/970/108/intermediate-2-sha-2-comodo-rsa-domain-validation-secure-server-ca
-# https://crt.sh/?q=02AB57E4E67A0CB48DD2FF34830E8AC40F4476FB08CA6BE3F5CD846F646840F0
-COMODORSADomainValidationSecureServerCA
------BEGIN CERTIFICATE-----
-MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
-hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
-A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
-BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
-MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
-EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
-Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
-bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
-bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
-Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
-ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
-UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
-c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
-MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
-30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
-HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
-BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
-bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
-AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
-T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
-ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
-mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
-e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
-P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
-dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
-2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
-V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
-HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
-j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
-0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
-lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
-+AZxAeKCINT+b72x
------END CERTIFICATE-----
-
 # DigiCert Global Root G2
 # https://www.digicert.com/CACerts/DigiCertGlobalRootG2.crt
 DigiCertGlobalRootG2
diff --git a/chromium/net/http/transport_security_state_static.template b/chromium/net/http/transport_security_state_static.template
index 58d1f8af822..9cc189cb8e0 100644
--- a/chromium/net/http/transport_security_state_static.template
+++ b/chromium/net/http/transport_security_state_static.template
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_static_fuzzer.cc b/chromium/net/http/transport_security_state_static_fuzzer.cc
index 6b3e7a02edb..57cf176f636 100644
--- a/chromium/net/http/transport_security_state_static_fuzzer.cc
+++ b/chromium/net/http/transport_security_state_static_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_static_unittest.pins b/chromium/net/http/transport_security_state_static_unittest.pins
index fc583a79637..fca860eec54 100644
--- a/chromium/net/http/transport_security_state_static_unittest.pins
+++ b/chromium/net/http/transport_security_state_static_unittest.pins
@@ -1,4 +1,4 @@
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
diff --git a/chromium/net/http/transport_security_state_static_unittest.template b/chromium/net/http/transport_security_state_static_unittest.template
index 8d08caa1872..02489bd5743 100644
--- a/chromium/net/http/transport_security_state_static_unittest.template
+++ b/chromium/net/http/transport_security_state_static_unittest.template
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_static_unittest1.json b/chromium/net/http/transport_security_state_static_unittest1.json
index c8bf2e31b2d..f702cf1d090 100644
--- a/chromium/net/http/transport_security_state_static_unittest1.json
+++ b/chromium/net/http/transport_security_state_static_unittest1.json
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_static_unittest2.json b/chromium/net/http/transport_security_state_static_unittest2.json
index 6b5bd8d422d..f07c9e88d49 100644
--- a/chromium/net/http/transport_security_state_static_unittest2.json
+++ b/chromium/net/http/transport_security_state_static_unittest2.json
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_static_unittest3.json b/chromium/net/http/transport_security_state_static_unittest3.json
index f7981819294..fe69b5e2a25 100644
--- a/chromium/net/http/transport_security_state_static_unittest3.json
+++ b/chromium/net/http/transport_security_state_static_unittest3.json
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_static_unittest_default.json b/chromium/net/http/transport_security_state_static_unittest_default.json
index 9dda91bdf1c..58c52d6f1d7 100644
--- a/chromium/net/http/transport_security_state_static_unittest_default.json
+++ b/chromium/net/http/transport_security_state_static_unittest_default.json
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_static_unittest_default.pins b/chromium/net/http/transport_security_state_static_unittest_default.pins
index 486dc8bb9ce..54de87e5780 100644
--- a/chromium/net/http/transport_security_state_static_unittest_default.pins
+++ b/chromium/net/http/transport_security_state_static_unittest_default.pins
@@ -1,4 +1,4 @@
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 #
diff --git a/chromium/net/http/transport_security_state_test_util.cc b/chromium/net/http/transport_security_state_test_util.cc
index 248a004747d..64b8eabb6b5 100644
--- a/chromium/net/http/transport_security_state_test_util.cc
+++ b/chromium/net/http/transport_security_state_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_test_util.h b/chromium/net/http/transport_security_state_test_util.h
index 7e743eb3efe..9e6f045b4dc 100644
--- a/chromium/net/http/transport_security_state_test_util.h
+++ b/chromium/net/http/transport_security_state_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/transport_security_state_unittest.cc b/chromium/net/http/transport_security_state_unittest.cc
index e6a28e588b3..905bbb70ba5 100644
--- a/chromium/net/http/transport_security_state_unittest.cc
+++ b/chromium/net/http/transport_security_state_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -35,7 +35,7 @@
 #include "net/base/hash_value.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/asn1_util.h"
@@ -129,34 +129,34 @@ class MockCertificateReportSender
       const GURL& report_uri,
       base::StringPiece content_type,
       base::StringPiece report,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       base::OnceCallback<void()> success_callback,
       base::OnceCallback<void(const GURL&, int, int)> error_callback) override {
     latest_report_uri_ = report_uri;
     latest_report_.assign(report.data(), report.size());
     latest_content_type_.assign(content_type.data(), content_type.size());
-    latest_network_isolation_key_ = network_isolation_key;
+    latest_network_anonymization_key_ = network_anonymization_key;
   }
 
   void Clear() {
     latest_report_uri_ = GURL();
     latest_report_ = std::string();
     latest_content_type_ = std::string();
-    latest_network_isolation_key_ = NetworkIsolationKey();
+    latest_network_anonymization_key_ = NetworkAnonymizationKey();
   }
 
   const GURL& latest_report_uri() { return latest_report_uri_; }
   const std::string& latest_report() { return latest_report_; }
   const std::string& latest_content_type() { return latest_content_type_; }
-  const NetworkIsolationKey& latest_network_isolation_key() {
-    return latest_network_isolation_key_;
+  const NetworkAnonymizationKey& latest_network_anonymization_key() {
+    return latest_network_anonymization_key_;
   }
 
  private:
   GURL latest_report_uri_;
   std::string latest_report_;
   std::string latest_content_type_;
-  NetworkIsolationKey latest_network_isolation_key_;
+  NetworkAnonymizationKey latest_network_anonymization_key_;
 };
 
 // A mock ReportSenderInterface that simulates a net error on every report sent.
@@ -173,7 +173,7 @@ class MockFailingCertificateReportSender
       const GURL& report_uri,
       base::StringPiece content_type,
       base::StringPiece report,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       base::OnceCallback<void()> success_callback,
       base::OnceCallback<void(const GURL&, int, int)> error_callback) override {
     ASSERT_FALSE(error_callback.is_null());
@@ -199,7 +199,7 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
       const X509Certificate* served_certificate_chain,
       const SignedCertificateTimestampAndStatusList&
           signed_certificate_timestamps,
-      const NetworkIsolationKey& network_isolation_key) override {
+      const NetworkAnonymizationKey& network_anonymization_key) override {
     num_failures_++;
     host_port_pair_ = host_port_pair;
     report_uri_ = report_uri;
@@ -207,7 +207,7 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
     served_certificate_chain_ = served_certificate_chain;
     validated_certificate_chain_ = validated_certificate_chain;
     signed_certificate_timestamps_ = signed_certificate_timestamps;
-    network_isolation_key_ = network_isolation_key;
+    network_anonymization_key_ = network_anonymization_key;
   }
 
   const HostPortPair& host_port_pair() const { return host_port_pair_; }
@@ -224,8 +224,8 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
       const {
     return signed_certificate_timestamps_;
   }
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
 
  private:
@@ -236,7 +236,7 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
   raw_ptr<const X509Certificate> served_certificate_chain_;
   raw_ptr<const X509Certificate> validated_certificate_chain_;
   SignedCertificateTimestampAndStatusList signed_certificate_timestamps_;
-  NetworkIsolationKey network_isolation_key_;
+  NetworkAnonymizationKey network_anonymization_key_;
 };
 
 class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
@@ -343,14 +343,15 @@ std::string CreateUniqueHostName() {
   return base::StringPrintf("%i.test", ++count);
 }
 
-// As with CreateUniqueHostName(), returns a unique NetworkIsolationKey for use
-// with Expect-CT pruning tests.
-NetworkIsolationKey CreateUniqueNetworkIsolationKey(bool is_transient) {
+// As with CreateUniqueHostName(), returns a unique NetworkAnonymizationKey for
+// use with Expect-CT pruning tests.
+NetworkAnonymizationKey CreateUniqueNetworkAnonymizationKey(bool is_transient) {
   if (is_transient)
-    return NetworkIsolationKey::CreateTransient();
+    return NetworkAnonymizationKey::CreateTransient();
   SchemefulSite site = SchemefulSite(url::Origin::CreateFromNormalizedTuple(
       "https", CreateUniqueHostName(), 443));
-  return NetworkIsolationKey(site /* top_frame_site */, site /* frame_site */);
+  return NetworkAnonymizationKey(site /* top_frame_site */,
+                                 site /* frame_site */);
 }
 
 }  // namespace
@@ -365,6 +366,10 @@ class TransportSecurityStateTest : public ::testing::Test,
     // Need mocked out time for pruning tests. Don't start with a
     // time of 0, as code doesn't generally expect it.
     FastForwardBy(base::Days(1));
+
+    // By default Expect-CT should be disabled, but enable it for tests.
+    EXPECT_FALSE(base::FeatureList::IsEnabled(kDynamicExpectCTFeature));
+    scoped_feature_list_.InitAndEnableFeature(kDynamicExpectCTFeature);
   }
 
   ~TransportSecurityStateTest() override {
@@ -416,6 +421,9 @@ class TransportSecurityStateTest : public ::testing::Test,
                         TransportSecurityState::ExpectCTState* result) {
     return state->GetStaticExpectCTState(host, result);
   }
+
+ private:
+  base::test::ScopedFeatureList scoped_feature_list_;
 };
 
 TEST_F(TransportSecurityStateTest, DomainNameOddities) {
@@ -786,8 +794,7 @@ TEST_F(TransportSecurityStateTest, NewPinsOverride) {
 
 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataBetween) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   TransportSecurityState::ExpectCTState expect_ct_state;
 
   TransportSecurityState state;
@@ -798,36 +805,37 @@ TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataBetween) {
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
   EXPECT_FALSE(state.HasPublicKeyPins("example.com"));
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example.com", NetworkIsolationKey(), &expect_ct_state));
+      "example.com", NetworkAnonymizationKey(), &expect_ct_state));
   bool include_subdomains = false;
   state.AddHSTS("example.com", expiry, include_subdomains);
   state.AddHPKP("example.com", expiry, include_subdomains,
                 GetSampleSPKIHashes(), GURL());
-  state.AddExpectCT("example.com", expiry, true, GURL(), NetworkIsolationKey());
+  state.AddExpectCT("example.com", expiry, true, GURL(),
+                    NetworkAnonymizationKey());
 
   state.DeleteAllDynamicDataBetween(expiry, base::Time::Max(),
                                     base::DoNothing());
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
   EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
   EXPECT_TRUE(state.GetDynamicExpectCTState(
-      "example.com", NetworkIsolationKey(), &expect_ct_state));
+      "example.com", NetworkAnonymizationKey(), &expect_ct_state));
   state.DeleteAllDynamicDataBetween(older, current_time, base::DoNothing());
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
   EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
   EXPECT_TRUE(state.GetDynamicExpectCTState(
-      "example.com", NetworkIsolationKey(), &expect_ct_state));
+      "example.com", NetworkAnonymizationKey(), &expect_ct_state));
   state.DeleteAllDynamicDataBetween(base::Time(), current_time,
                                     base::DoNothing());
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
   EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
   EXPECT_TRUE(state.GetDynamicExpectCTState(
-      "example.com", NetworkIsolationKey(), &expect_ct_state));
+      "example.com", NetworkAnonymizationKey(), &expect_ct_state));
   state.DeleteAllDynamicDataBetween(older, base::Time::Max(),
                                     base::DoNothing());
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
   EXPECT_FALSE(state.HasPublicKeyPins("example.com"));
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example.com", NetworkIsolationKey(), &expect_ct_state));
+      "example.com", NetworkAnonymizationKey(), &expect_ct_state));
 
   // Dynamic data in |state| should be empty now.
   EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext());
@@ -839,7 +847,7 @@ TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       /* enabled_features */
-      {TransportSecurityState::kDynamicExpectCTFeature,
+      {kDynamicExpectCTFeature,
        features::kPartitionExpectCTStateByNetworkIsolationKey},
       /* disabled_features */
       {});
@@ -848,13 +856,13 @@ TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
   const base::Time expiry = current_time + base::Seconds(1000);
   bool include_subdomains = false;
 
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   state.AddHSTS("example1.test", expiry, include_subdomains);
   state.AddHPKP("example1.test", expiry, include_subdomains,
                 GetSampleSPKIHashes(), GURL());
   state.AddExpectCT("example1.test", expiry, true, GURL(),
-                    NetworkIsolationKey());
+                    NetworkAnonymizationKey());
 
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
@@ -862,23 +870,23 @@ TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
   EXPECT_FALSE(state.HasPublicKeyPins("example2.test"));
   TransportSecurityState::ExpectCTState expect_ct_state;
   EXPECT_TRUE(state.GetDynamicExpectCTState(
-      "example1.test", NetworkIsolationKey(), &expect_ct_state));
+      "example1.test", NetworkAnonymizationKey(), &expect_ct_state));
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example2.test", NetworkIsolationKey(), &expect_ct_state));
+      "example2.test", NetworkAnonymizationKey(), &expect_ct_state));
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example1.test", network_isolation_key, &expect_ct_state));
+      "example1.test", network_anonymization_key, &expect_ct_state));
   state.AddExpectCT("example1.test", expiry, true, GURL(),
-                    network_isolation_key);
+                    network_anonymization_key);
   EXPECT_TRUE(state.GetDynamicExpectCTState(
-      "example1.test", network_isolation_key, &expect_ct_state));
+      "example1.test", network_anonymization_key, &expect_ct_state));
 
   EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test"));
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
   EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example1.test", NetworkIsolationKey(), &expect_ct_state));
+      "example1.test", NetworkAnonymizationKey(), &expect_ct_state));
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example1.test", network_isolation_key, &expect_ct_state));
+      "example1.test", network_anonymization_key, &expect_ct_state));
 }
 
 TEST_F(TransportSecurityStateTest, LongNames) {
@@ -940,8 +948,8 @@ TEST_F(TransportSecurityStateTest, PreloadedPKPReportUri) {
       net::features::kStaticKeyPinningEnforcement);
   const char kPreloadedPinDomain[] = "with-report-uri-pkp.preloaded.test";
   HostPortPair host_port_pair(kPreloadedPinDomain, kPort);
-  net::NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  net::NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
 
   TransportSecurityState state;
   state.SetPinningListAlwaysTimelyForTesting(true);
@@ -978,7 +986,7 @@ TEST_F(TransportSecurityStateTest, PreloadedPKPReportUri) {
             state.CheckPublicKeyPins(host_port_pair, true, bad_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
 
   EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri());
 
@@ -989,8 +997,8 @@ TEST_F(TransportSecurityStateTest, PreloadedPKPReportUri) {
   ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(
       report, host_port_pair, pkp_state.include_subdomains, pkp_state.domain,
       cert1.get(), cert2.get(), pkp_state.spki_hashes));
-  EXPECT_EQ(network_isolation_key,
-            mock_report_sender.latest_network_isolation_key());
+  EXPECT_EQ(network_anonymization_key,
+            mock_report_sender.latest_network_anonymization_key());
 }
 
 // Tests that report URIs are thrown out if they point to the same host,
@@ -999,8 +1007,8 @@ TEST_F(TransportSecurityStateTest, HPKPReportUriToSameHost) {
   HostPortPair host_port_pair(kHost, kPort);
   GURL https_report_uri("https://example.test/report");
   GURL http_report_uri("http://example.test/report");
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   TransportSecurityState state;
   MockCertificateReportSender mock_report_sender;
   state.SetReportSender(&mock_report_sender);
@@ -1033,7 +1041,7 @@ TEST_F(TransportSecurityStateTest, HPKPReportUriToSameHost) {
             state.CheckPublicKeyPins(host_port_pair, true, bad_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
 
   EXPECT_TRUE(mock_report_sender.latest_report_uri().is_empty());
 
@@ -1043,11 +1051,11 @@ TEST_F(TransportSecurityStateTest, HPKPReportUriToSameHost) {
             state.CheckPublicKeyPins(host_port_pair, true, bad_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
 
   EXPECT_EQ(http_report_uri, mock_report_sender.latest_report_uri());
-  EXPECT_EQ(network_isolation_key,
-            mock_report_sender.latest_network_isolation_key());
+  EXPECT_EQ(network_anonymization_key,
+            mock_report_sender.latest_network_anonymization_key());
 }
 
 // Tests that static (preloaded) expect CT state is read correctly.
@@ -1083,15 +1091,16 @@ TEST_F(TransportSecurityStateTest, InvalidExpectCTHeader) {
   TransportSecurityStateTest::EnableStaticExpectCT(&state);
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
-  state.ProcessExpectCTHeader("", host_port, ssl_info, NetworkIsolationKey());
+  state.ProcessExpectCTHeader("", host_port, ssl_info,
+                              NetworkAnonymizationKey());
   EXPECT_EQ(0u, reporter.num_failures());
 
   state.ProcessExpectCTHeader("blah blah", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(0u, reporter.num_failures());
 
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -1117,12 +1126,12 @@ TEST_F(TransportSecurityStateTest, ExpectCTNonPublicRoot) {
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(0u, reporter.num_failures());
 
   ssl_info.is_issued_by_known_root = true;
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -1148,13 +1157,13 @@ TEST_F(TransportSecurityStateTest, ExpectCTComplianceNotAvailable) {
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(0u, reporter.num_failures());
 
   ssl_info.ct_policy_compliance =
       ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS;
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -1180,13 +1189,13 @@ TEST_F(TransportSecurityStateTest, ExpectCTCompliantCert) {
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(0u, reporter.num_failures());
 
   ssl_info.ct_policy_compliance =
       ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS;
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -1212,7 +1221,7 @@ TEST_F(TransportSecurityStateTest, PreloadedExpectCTBuildNotTimely) {
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(0u, reporter.num_failures());
 
   // Sanity-check that the reporter is notified if the build is timely and the
@@ -1220,7 +1229,7 @@ TEST_F(TransportSecurityStateTest, PreloadedExpectCTBuildNotTimely) {
   ssl_info.ct_policy_compliance =
       ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS;
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -1246,20 +1255,20 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTBuildNotTimely) {
   state.SetExpectCTReporter(&reporter);
   const char kHeader[] = "max-age=10, report-uri=http://report.test";
   state.ProcessExpectCTHeader(kHeader, host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
 
   // No report should have been sent and the state should not have been saved.
   EXPECT_EQ(0u, reporter.num_failures());
   TransportSecurityState::ExpectCTState expect_ct_state;
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example.test", NetworkIsolationKey(), &expect_ct_state));
+      "example.test", NetworkAnonymizationKey(), &expect_ct_state));
 
   // Sanity-check that the reporter is notified if the build is timely and the
   // connection is not compliant.
   ssl_info.ct_policy_compliance =
       ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS;
   state.ProcessExpectCTHeader(kHeader, host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -1285,12 +1294,12 @@ TEST_F(TransportSecurityStateTest, ExpectCTNotPreloaded) {
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(0u, reporter.num_failures());
 
   host_port.set_host(kExpectCTStaticHostname);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -1314,15 +1323,15 @@ TEST_F(TransportSecurityStateTest, ExpectCTReporter) {
                        std::string(), std::string(), base::Time::Now(),
                        ct::SCT_STATUS_INVALID_SIGNATURE,
                        &ssl_info.signed_certificate_timestamps);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
 
   TransportSecurityState state;
   TransportSecurityStateTest::EnableStaticExpectCT(&state);
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              network_isolation_key);
+                              network_anonymization_key);
   EXPECT_EQ(1u, reporter.num_failures());
   EXPECT_EQ(host_port.host(), reporter.host_port_pair().host());
   EXPECT_EQ(host_port.port(), reporter.host_port_pair().port());
@@ -1337,7 +1346,7 @@ TEST_F(TransportSecurityStateTest, ExpectCTReporter) {
             reporter.signed_certificate_timestamps()[0].status);
   EXPECT_EQ(ssl_info.signed_certificate_timestamps[0].sct,
             reporter.signed_certificate_timestamps()[0].sct);
-  EXPECT_EQ(network_isolation_key, reporter.network_isolation_key());
+  EXPECT_EQ(network_anonymization_key, reporter.network_anonymization_key());
 }
 
 // Tests that the Expect CT reporter is not notified for repeated noncompliant
@@ -1366,12 +1375,12 @@ TEST_F(TransportSecurityStateTest, RepeatedExpectCTReportsForStaticExpectCT) {
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 
   // After processing a second header, the report should not be sent again.
   state.ProcessExpectCTHeader("preload", host_port, ssl_info,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -1634,7 +1643,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-            NetworkIsolationKey());
+            NetworkAnonymizationKey());
 
     MockRequireCTDelegate always_require_delegate;
     EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_, _, _))
@@ -1647,7 +1656,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
     EXPECT_EQ(
         TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
         state.CheckCTRequirements(
@@ -1655,7 +1664,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
     EXPECT_EQ(
         TransportSecurityState::CT_REQUIREMENTS_MET,
         state.CheckCTRequirements(
@@ -1663,7 +1672,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
     EXPECT_EQ(
         TransportSecurityState::CT_REQUIREMENTS_MET,
         state.CheckCTRequirements(
@@ -1671,7 +1680,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
 
     state.SetRequireCTDelegate(nullptr);
     EXPECT_EQ(
@@ -1681,7 +1690,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
   }
 
   // If CT is not required, then regardless of the CT state for the host,
@@ -1694,7 +1703,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-            NetworkIsolationKey());
+            NetworkAnonymizationKey());
 
     MockRequireCTDelegate never_require_delegate;
     EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_, _, _))
@@ -1707,7 +1716,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
     EXPECT_EQ(
         TransportSecurityState::CT_NOT_REQUIRED,
         state.CheckCTRequirements(
@@ -1715,7 +1724,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
 
     state.SetRequireCTDelegate(nullptr);
     EXPECT_EQ(
@@ -1725,7 +1734,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
   }
 
   // If the Delegate is in the default state, then it should return the same
@@ -1738,7 +1747,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-            NetworkIsolationKey());
+            NetworkAnonymizationKey());
 
     MockRequireCTDelegate default_require_ct_delegate;
     EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_, _, _))
@@ -1751,7 +1760,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
 
     state.SetRequireCTDelegate(nullptr);
     EXPECT_EQ(
@@ -1761,7 +1770,7 @@ TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
             cert.get(), SignedCertificateTimestampAndStatusList(),
             TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
             ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-            NetworkIsolationKey()));
+            NetworkAnonymizationKey()));
   }
 }
 
@@ -1780,7 +1789,7 @@ class CTEmergencyDisableTest
       scoped_feature_list_.Init();
     } else {
       scoped_feature_list_.InitAndDisableFeature(
-          TransportSecurityState::kCertificateTransparencyEnforcement);
+          kCertificateTransparencyEnforcement);
     }
   }
   void SetUp() override {
@@ -1824,28 +1833,28 @@ TEST_P(CTEmergencyDisableTest, CTEmergencyDisable) {
                 cert.get(), SignedCertificateTimestampAndStatusList(),
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
   EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
             state_.CheckCTRequirements(
                 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
                 cert.get(), SignedCertificateTimestampAndStatusList(),
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
   EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
             state_.CheckCTRequirements(
                 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
                 cert.get(), SignedCertificateTimestampAndStatusList(),
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
   EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
             state_.CheckCTRequirements(
                 HostPortPair("www.example.com", 443), true, hashes, cert.get(),
                 cert.get(), SignedCertificateTimestampAndStatusList(),
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
 
   state_.SetRequireCTDelegate(nullptr);
   EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
@@ -1854,7 +1863,7 @@ TEST_P(CTEmergencyDisableTest, CTEmergencyDisable) {
                 cert.get(), SignedCertificateTimestampAndStatusList(),
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
 }
 
 INSTANTIATE_TEST_SUITE_P(
@@ -1924,7 +1933,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
           before_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
 
   // ... but certificates issued after 1 June 2016 are required to be...
   EXPECT_EQ(
@@ -1934,7 +1943,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
           after_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
       state.CheckCTRequirements(
@@ -1942,7 +1951,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
           after_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_REQUIREMENTS_MET,
       state.CheckCTRequirements(
@@ -1950,7 +1959,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
           after_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_REQUIREMENTS_MET,
       state.CheckCTRequirements(
@@ -1958,7 +1967,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
           after_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
 
   // ... unless they were issued by an excluded intermediate.
   hashes.push_back(HashValue(google_hash_value));
@@ -1969,7 +1978,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
           before_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_NOT_REQUIRED,
       state.CheckCTRequirements(
@@ -1977,7 +1986,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
           after_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
 
   // And other certificates should remain unaffected.
   SHA256HashValue unrelated_hash_value = {{0x01, 0x02}};
@@ -1991,7 +2000,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
                 SignedCertificateTimestampAndStatusList(),
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
   EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
             state.CheckCTRequirements(
                 HostPortPair("www.example.com", 443), true, unrelated_hashes,
@@ -1999,7 +2008,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
                 SignedCertificateTimestampAndStatusList(),
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
 }
 
 // Tests that Certificate Transparency is required for all of the Symantec
@@ -2033,7 +2042,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) {
           before_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
       state.CheckCTRequirements(
@@ -2041,7 +2050,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) {
           before_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_REQUIREMENTS_MET,
       state.CheckCTRequirements(
@@ -2049,7 +2058,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) {
           before_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_REQUIREMENTS_MET,
       state.CheckCTRequirements(
@@ -2057,7 +2066,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) {
           before_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
 
   scoped_refptr<X509Certificate> after_cert =
       ImportCertFromFile(GetTestCertsDirectory(), "post_june_2016.pem");
@@ -2070,7 +2079,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) {
           after_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
       state.CheckCTRequirements(
@@ -2078,7 +2087,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) {
           after_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_REQUIREMENTS_MET,
       state.CheckCTRequirements(
@@ -2086,7 +2095,7 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) {
           after_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
   EXPECT_EQ(
       TransportSecurityState::CT_REQUIREMENTS_MET,
       state.CheckCTRequirements(
@@ -2094,37 +2103,35 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantecManagedCAs) {
           after_cert.get(), SignedCertificateTimestampAndStatusList(),
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
-          NetworkIsolationKey()));
+          NetworkAnonymizationKey()));
 }
 
 // Tests that dynamic Expect-CT state is cleared from ClearDynamicData().
 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   const std::string host("example.test");
   TransportSecurityState state;
   TransportSecurityState::ExpectCTState expect_ct_state;
   const base::Time current_time = base::Time::Now();
   const base::Time expiry = current_time + base::Seconds(1000);
 
-  state.AddExpectCT(host, expiry, true, GURL(), NetworkIsolationKey());
-  EXPECT_TRUE(state.GetDynamicExpectCTState(host, NetworkIsolationKey(),
+  state.AddExpectCT(host, expiry, true, GURL(), NetworkAnonymizationKey());
+  EXPECT_TRUE(state.GetDynamicExpectCTState(host, NetworkAnonymizationKey(),
                                             &expect_ct_state));
   EXPECT_TRUE(expect_ct_state.enforce);
   EXPECT_TRUE(expect_ct_state.report_uri.is_empty());
   EXPECT_EQ(expiry, expect_ct_state.expiry);
 
   state.ClearDynamicData();
-  EXPECT_FALSE(state.GetDynamicExpectCTState(host, NetworkIsolationKey(),
+  EXPECT_FALSE(state.GetDynamicExpectCTState(host, NetworkAnonymizationKey(),
                                              &expect_ct_state));
 }
 
 // Tests that dynamic Expect-CT state can be added and retrieved.
 TEST_F(TransportSecurityStateTest, DynamicExpectCTState) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   const std::string host("example.test");
   TransportSecurityState state;
   TransportSecurityState::ExpectCTState expect_ct_state;
@@ -2132,8 +2139,8 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTState) {
   const base::Time expiry = current_time + base::Seconds(1000);
 
   // Test that Expect-CT state can be added and retrieved.
-  state.AddExpectCT(host, expiry, true, GURL(), NetworkIsolationKey());
-  EXPECT_TRUE(state.GetDynamicExpectCTState(host, NetworkIsolationKey(),
+  state.AddExpectCT(host, expiry, true, GURL(), NetworkAnonymizationKey());
+  EXPECT_TRUE(state.GetDynamicExpectCTState(host, NetworkAnonymizationKey(),
                                             &expect_ct_state));
   EXPECT_TRUE(expect_ct_state.enforce);
   EXPECT_TRUE(expect_ct_state.report_uri.is_empty());
@@ -2142,8 +2149,8 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTState) {
   // Test that Expect-CT can be updated (e.g. by changing |enforce| to false and
   // adding a report-uri).
   const GURL report_uri("https://example-report.test");
-  state.AddExpectCT(host, expiry, false, report_uri, NetworkIsolationKey());
-  EXPECT_TRUE(state.GetDynamicExpectCTState(host, NetworkIsolationKey(),
+  state.AddExpectCT(host, expiry, false, report_uri, NetworkAnonymizationKey());
+  EXPECT_TRUE(state.GetDynamicExpectCTState(host, NetworkAnonymizationKey(),
                                             &expect_ct_state));
   EXPECT_FALSE(expect_ct_state.enforce);
   EXPECT_EQ(report_uri, expect_ct_state.report_uri);
@@ -2151,8 +2158,8 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTState) {
 
   // Test that Expect-CT state is discarded when expired.
   state.AddExpectCT(host, current_time - base::Seconds(1000), true, report_uri,
-                    NetworkIsolationKey());
-  EXPECT_FALSE(state.GetDynamicExpectCTState(host, NetworkIsolationKey(),
+                    NetworkAnonymizationKey());
+  EXPECT_FALSE(state.GetDynamicExpectCTState(host, NetworkAnonymizationKey(),
                                              &expect_ct_state));
 }
 
@@ -2175,17 +2182,16 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTDeduping) {
   SignedCertificateTimestampAndStatusList sct_list;
 
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   base::Time now = base::Time::Now();
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   TransportSecurityState::ExpectCTState expect_ct_state;
   EXPECT_TRUE(state.GetDynamicExpectCTState(
-      "example.test", NetworkIsolationKey(), &expect_ct_state));
+      "example.test", NetworkAnonymizationKey(), &expect_ct_state));
   EXPECT_EQ(GURL("http://foo.test"), expect_ct_state.report_uri);
   EXPECT_TRUE(expect_ct_state.enforce);
   EXPECT_LT(now, expect_ct_state.expiry);
@@ -2201,7 +2207,7 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTDeduping) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
   EXPECT_EQ(1u, reporter.num_failures());
 
   // The second time it fails to meet CT requirements, a report should not be
@@ -2212,7 +2218,7 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTDeduping) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -2235,14 +2241,13 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTCompliantConnection) {
   SignedCertificateTimestampAndStatusList sct_list;
 
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
 
   // No report should be sent when the header was processed over a connection
   // that complied with CT policy.
@@ -2252,7 +2257,7 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTCompliantConnection) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
-                NetworkIsolationKey()));
+                NetworkAnonymizationKey()));
   EXPECT_EQ(0u, reporter.num_failures());
 }
 
@@ -2265,23 +2270,22 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTHeaderProcessingDeduping) {
   ssl.ct_policy_compliance = ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
 
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   TransportSecurityState::ExpectCTState expect_ct_state;
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example.test", NetworkIsolationKey(), &expect_ct_state));
+      "example.test", NetworkAnonymizationKey(), &expect_ct_state));
   // The first time the header was received over a connection that failed to
   // meet CT requirements, a report should be sent.
   EXPECT_EQ(1u, reporter.num_failures());
 
   // The second time the header was received, no report should be sent.
   state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   EXPECT_EQ(1u, reporter.num_failures());
 }
 
@@ -2289,16 +2293,15 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTHeaderProcessingDeduping) {
 // enabled.
 TEST_F(TransportSecurityStateTest, DynamicExpectCTStateDisabled) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndDisableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndDisableFeature(kDynamicExpectCTFeature);
   const std::string host("example.test");
   TransportSecurityState state;
   TransportSecurityState::ExpectCTState expect_ct_state;
   const base::Time current_time = base::Time::Now();
   const base::Time expiry = current_time + base::Seconds(1000);
 
-  state.AddExpectCT(host, expiry, true, GURL(), NetworkIsolationKey());
-  EXPECT_FALSE(state.GetDynamicExpectCTState(host, NetworkIsolationKey(),
+  state.AddExpectCT(host, expiry, true, GURL(), NetworkAnonymizationKey());
+  EXPECT_FALSE(state.GetDynamicExpectCTState(host, NetworkAnonymizationKey(),
                                              &expect_ct_state));
 }
 
@@ -2314,30 +2317,28 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCT) {
   // First test that the header is not processed when the feature is disabled.
   {
     base::test::ScopedFeatureList feature_list;
-    feature_list.InitAndDisableFeature(
-        TransportSecurityState::kDynamicExpectCTFeature);
+    feature_list.InitAndDisableFeature(kDynamicExpectCTFeature);
     TransportSecurityState state;
     state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl,
-                                NetworkIsolationKey());
+                                NetworkAnonymizationKey());
     TransportSecurityState::ExpectCTState expect_ct_state;
     EXPECT_FALSE(state.GetDynamicExpectCTState(
-        "example.test", NetworkIsolationKey(), &expect_ct_state));
+        "example.test", NetworkAnonymizationKey(), &expect_ct_state));
   }
 
   // Now test that the header is processed when the feature is enabled.
   {
     base::test::ScopedFeatureList feature_list;
-    feature_list.InitAndEnableFeature(
-        TransportSecurityState::kDynamicExpectCTFeature);
+    feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
     base::Time now = base::Time::Now();
     TransportSecurityState state;
     MockExpectCTReporter reporter;
     state.SetExpectCTReporter(&reporter);
     state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl,
-                                NetworkIsolationKey());
+                                NetworkAnonymizationKey());
     TransportSecurityState::ExpectCTState expect_ct_state;
     EXPECT_TRUE(state.GetDynamicExpectCTState(
-        "example.test", NetworkIsolationKey(), &expect_ct_state));
+        "example.test", NetworkAnonymizationKey(), &expect_ct_state));
     EXPECT_EQ(GURL("http://foo.test"), expect_ct_state.report_uri);
     EXPECT_TRUE(expect_ct_state.enforce);
     EXPECT_LT(now, expect_ct_state.expiry);
@@ -2355,16 +2356,15 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTPrivateRoot) {
   ssl.ct_policy_compliance = ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
 
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   TransportSecurityState::ExpectCTState expect_ct_state;
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example.test", NetworkIsolationKey(), &expect_ct_state));
+      "example.test", NetworkAnonymizationKey(), &expect_ct_state));
   EXPECT_EQ(0u, reporter.num_failures());
 }
 
@@ -2387,16 +2387,15 @@ TEST_F(TransportSecurityStateTest, DynamicExpectCTNoComplianceDetails) {
   ssl.cert = cert2;
 
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl,
-                              NetworkIsolationKey());
+                              NetworkAnonymizationKey());
   TransportSecurityState::ExpectCTState expect_ct_state;
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example.test", NetworkIsolationKey(), &expect_ct_state));
+      "example.test", NetworkAnonymizationKey(), &expect_ct_state));
   EXPECT_EQ(0u, reporter.num_failures());
 }
 
@@ -2423,19 +2422,18 @@ TEST_F(TransportSecurityStateTest,
                        ct::SCT_STATUS_INVALID_SIGNATURE,
                        &ssl.signed_certificate_timestamps);
 
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.ProcessExpectCTHeader(kHeader, HostPortPair("example.test", 443), ssl,
-                              network_isolation_key);
+                              network_anonymization_key);
   TransportSecurityState::ExpectCTState expect_ct_state;
   EXPECT_FALSE(state.GetDynamicExpectCTState(
-      "example.test", NetworkIsolationKey(), &expect_ct_state));
+      "example.test", NetworkAnonymizationKey(), &expect_ct_state));
   EXPECT_EQ(1u, reporter.num_failures());
   EXPECT_EQ("example.test", reporter.host_port_pair().host());
   EXPECT_TRUE(reporter.expiration().is_null());
@@ -2447,7 +2445,7 @@ TEST_F(TransportSecurityStateTest,
             reporter.signed_certificate_timestamps()[0].status);
   EXPECT_EQ(ssl.signed_certificate_timestamps[0].sct,
             reporter.signed_certificate_timestamps()[0].sct);
-  EXPECT_EQ(network_isolation_key, reporter.network_isolation_key());
+  EXPECT_EQ(network_anonymization_key, reporter.network_anonymization_key());
 }
 
 // Tests that CheckCTRequirements() returns the correct response if a connection
@@ -2466,21 +2464,22 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
                        std::string(), std::string(), base::Time::Now(),
                        ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list);
 
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.AddExpectCT("example.test", expiry, true /* enforce */,
-                    GURL("https://example-report.test"), network_isolation_key);
+                    GURL("https://example-report.test"),
+                    network_anonymization_key);
   state.AddExpectCT("example-report-only.test", expiry, false /* enforce */,
-                    GURL("https://example-report.test"), network_isolation_key);
+                    GURL("https://example-report.test"),
+                    network_anonymization_key);
   state.AddExpectCT("example-enforce-only.test", expiry, true /* enforce */,
-                    GURL(), network_isolation_key);
+                    GURL(), network_anonymization_key);
 
   // Test that a connection to an unrelated host is not affected.
   EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
@@ -2489,14 +2488,14 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(TransportSecurityState::CT_NOT_REQUIRED,
             state.CheckCTRequirements(
                 HostPortPair("example2.test", 443), true, HashValueVector(),
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(0u, reporter.num_failures());
 
   // A connection to an Expect-CT host should be closed and reported.
@@ -2506,7 +2505,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(1u, reporter.num_failures());
   EXPECT_EQ("example.test", reporter.host_port_pair().host());
   EXPECT_EQ(443, reporter.host_port_pair().port());
@@ -2517,7 +2516,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
   EXPECT_EQ(sct_list[0].status,
             reporter.signed_certificate_timestamps()[0].status);
   EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
-  EXPECT_EQ(network_isolation_key, reporter.network_isolation_key());
+  EXPECT_EQ(network_anonymization_key, reporter.network_anonymization_key());
 
   // A compliant connection to an Expect-CT host should not be closed or
   // reported.
@@ -2527,7 +2526,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(1u, reporter.num_failures());
   EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_MET,
             state.CheckCTRequirements(
@@ -2535,7 +2534,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_BUILD_NOT_TIMELY,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(1u, reporter.num_failures());
 
   // A connection to a report-only host should be reported only.
@@ -2545,7 +2544,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
                 HashValueVector(), cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(2u, reporter.num_failures());
   EXPECT_EQ("example-report-only.test", reporter.host_port_pair().host());
   EXPECT_EQ(443, reporter.host_port_pair().port());
@@ -2555,7 +2554,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
   EXPECT_EQ(sct_list[0].status,
             reporter.signed_certificate_timestamps()[0].status);
   EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
-  EXPECT_EQ(network_isolation_key, reporter.network_isolation_key());
+  EXPECT_EQ(network_anonymization_key, reporter.network_anonymization_key());
 
   // A connection to an enforce-only host should be closed but not reported.
   EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
@@ -2564,7 +2563,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
                 HashValueVector(), cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_DIVERSE_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(2u, reporter.num_failures());
 
   // A connection with a private root should be neither enforced nor reported.
@@ -2574,7 +2573,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(2u, reporter.num_failures());
 
   // A connection with DISABLE_EXPECT_CT_REPORTS should not send a report.
@@ -2584,7 +2583,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCT) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::DISABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(2u, reporter.num_failures());
 }
 
@@ -2608,18 +2607,18 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCTAndDelegate) {
   MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
                        std::string(), std::string(), base::Time::Now(),
                        ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
 
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.AddExpectCT("example.test", expiry, false /* enforce */,
-                    GURL("https://example-report.test"), network_isolation_key);
+                    GURL("https://example-report.test"),
+                    network_anonymization_key);
 
   // A connection to an Expect-CT host, which also requires CT by the delegate,
   // should be closed and reported.
@@ -2633,7 +2632,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCTAndDelegate) {
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(1u, reporter.num_failures());
   EXPECT_EQ("example.test", reporter.host_port_pair().host());
   EXPECT_EQ(443, reporter.host_port_pair().port());
@@ -2644,7 +2643,7 @@ TEST_F(TransportSecurityStateTest, CheckCTRequirementsWithExpectCTAndDelegate) {
   EXPECT_EQ(sct_list[0].status,
             reporter.signed_certificate_timestamps()[0].status);
   EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
-  EXPECT_EQ(network_isolation_key, reporter.network_isolation_key());
+  EXPECT_EQ(network_anonymization_key, reporter.network_anonymization_key());
 }
 
 // Tests that for a host that explicitly disabled CT by delegate and is also
@@ -2668,18 +2667,18 @@ TEST_F(TransportSecurityStateTest,
   MakeTestSCTAndStatus(ct::SignedCertificateTimestamp::SCT_EMBEDDED, "test_log",
                        std::string(), std::string(), base::Time::Now(),
                        ct::SCT_STATUS_INVALID_SIGNATURE, &sct_list);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
 
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   TransportSecurityState state;
   MockExpectCTReporter reporter;
   state.SetExpectCTReporter(&reporter);
   state.AddExpectCT("example.test", expiry, false /* enforce */,
-                    GURL("https://example-report.test"), network_isolation_key);
+                    GURL("https://example-report.test"),
+                    network_anonymization_key);
 
   // A connection to an Expect-CT host, which is exempted from the CT
   // requirements by the delegate, should be reported but not closed.
@@ -2693,7 +2692,7 @@ TEST_F(TransportSecurityStateTest,
                 cert1.get(), cert2.get(), sct_list,
                 TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                 ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                network_isolation_key));
+                network_anonymization_key));
   EXPECT_EQ(1u, reporter.num_failures());
   EXPECT_EQ("example.test", reporter.host_port_pair().host());
   EXPECT_EQ(443, reporter.host_port_pair().port());
@@ -2704,7 +2703,7 @@ TEST_F(TransportSecurityStateTest,
   EXPECT_EQ(sct_list[0].status,
             reporter.signed_certificate_timestamps()[0].status);
   EXPECT_EQ(sct_list[0].sct, reporter.signed_certificate_timestamps()[0].sct);
-  EXPECT_EQ(network_isolation_key, reporter.network_isolation_key());
+  EXPECT_EQ(network_anonymization_key, reporter.network_anonymization_key());
 }
 
 #if BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
@@ -3232,8 +3231,8 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReportRateLimiting) {
   HostPortPair host_port_pair(kHost, kPort);
   HostPortPair subdomain_host_port_pair(kSubdomain, kPort);
   GURL report_uri(kReportUri);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
@@ -3263,7 +3262,7 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReportRateLimiting) {
             state.CheckPublicKeyPins(host_port_pair, true, bad_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
 
   // A report should have been sent. Check that it contains the
   // right information.
@@ -3273,8 +3272,8 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReportRateLimiting) {
   ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, true, kHost,
                                           cert1.get(), cert2.get(),
                                           good_hashes));
-  EXPECT_EQ(network_isolation_key,
-            mock_report_sender.latest_network_isolation_key());
+  EXPECT_EQ(network_anonymization_key,
+            mock_report_sender.latest_network_anonymization_key());
   mock_report_sender.Clear();
 
   // Now trigger the same violation; a duplicative report should not be
@@ -3283,11 +3282,11 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReportRateLimiting) {
             state.CheckPublicKeyPins(host_port_pair, true, bad_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
   EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
   EXPECT_EQ(std::string(), mock_report_sender.latest_report());
-  EXPECT_EQ(NetworkIsolationKey(),
-            mock_report_sender.latest_network_isolation_key());
+  EXPECT_EQ(NetworkAnonymizationKey(),
+            mock_report_sender.latest_network_anonymization_key());
 }
 
 TEST_F(TransportSecurityStateStaticTest, HPKPReporting) {
@@ -3297,8 +3296,8 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReporting) {
   HostPortPair host_port_pair(kHost, kPort);
   HostPortPair subdomain_host_port_pair(kSubdomain, kPort);
   GURL report_uri(kReportUri);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
@@ -3328,7 +3327,7 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReporting) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::DISABLE_PIN_REPORTS,
-                network_isolation_key, &failure_log));
+                network_anonymization_key, &failure_log));
 
   // No report should have been sent because of the DISABLE_PIN_REPORTS
   // argument.
@@ -3339,7 +3338,7 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReporting) {
             state.CheckPublicKeyPins(host_port_pair, true, good_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
 
   // No report should have been sent because there was no violation.
   EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
@@ -3349,7 +3348,7 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReporting) {
             state.CheckPublicKeyPins(host_port_pair, false, bad_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
 
   // No report should have been sent because the certificate chained to a
   // non-public root.
@@ -3360,7 +3359,7 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReporting) {
             state.CheckPublicKeyPins(host_port_pair, false, good_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
 
   // No report should have been sent because there was no violation, even though
   // the certificate chained to a local trust anchor.
@@ -3371,7 +3370,7 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReporting) {
             state.CheckPublicKeyPins(host_port_pair, true, bad_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
 
   // Now a report should have been sent. Check that it contains the
   // right information.
@@ -3388,7 +3387,7 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReporting) {
             state.CheckPublicKeyPins(subdomain_host_port_pair, true, bad_hashes,
                                      cert1.get(), cert2.get(),
                                      TransportSecurityState::ENABLE_PIN_REPORTS,
-                                     network_isolation_key, &failure_log));
+                                     network_anonymization_key, &failure_log));
 
   // Now a report should have been sent for the subdomain. Check that it
   // contains the right information.
@@ -3400,8 +3399,8 @@ TEST_F(TransportSecurityStateStaticTest, HPKPReporting) {
   ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair,
                                           true, kHost, cert1.get(), cert2.get(),
                                           good_hashes));
-  EXPECT_EQ(network_isolation_key,
-            mock_report_sender.latest_network_isolation_key());
+  EXPECT_EQ(network_anonymization_key,
+            mock_report_sender.latest_network_anonymization_key());
 }
 
 TEST_F(TransportSecurityStateTest, WriteSizeDecodeSize) {
@@ -3445,13 +3444,12 @@ TEST_F(TransportSecurityStateTest, DecodeSizeFour) {
 #endif  // BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
 
 TEST_F(TransportSecurityStateTest,
-       PartitionExpectCTStateByNetworkIsolationKey) {
+       PartitionExpectCTStateByNetworkAnonymizationKey) {
   const char kDomain[] = "example.test";
   HostPortPair host_port_pair(kDomain, 443);
 
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   const base::Time expiry = base::Time::Now() + base::Seconds(1000);
 
@@ -3463,13 +3461,13 @@ TEST_F(TransportSecurityStateTest,
   hashes.push_back(
       HashValue(X509Certificate::CalculateFingerprint256(cert->cert_buffer())));
 
-  // An ExpectCT entry is set using network_isolation_key1, and then accessed
-  // using both keys. It should only be accessible using the other key when
-  // kPartitionExpectCTStateByNetworkIsolationKey is disabled.
-  NetworkIsolationKey network_isolation_key1 =
-      NetworkIsolationKey::CreateTransient();
-  NetworkIsolationKey network_isolation_key2 =
-      NetworkIsolationKey::CreateTransient();
+  // An ExpectCT entry is set using network_anonymization_key1, and then
+  // accessed using both keys. It should only be accessible using the other key
+  // when kPartitionExpectCTStateByNetworkIsolationKey is disabled.
+  NetworkAnonymizationKey network_anonymization_key1 =
+      NetworkAnonymizationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key2 =
+      NetworkAnonymizationKey::CreateTransient();
 
   for (bool partition_expect_ct_state : {false, true}) {
     base::test::ScopedFeatureList feature_list2;
@@ -3483,16 +3481,17 @@ TEST_F(TransportSecurityStateTest,
 
     // Add Expect-CT entry.
     TransportSecurityState state;
-    state.AddExpectCT(kDomain, expiry, true, GURL(), network_isolation_key1);
+    state.AddExpectCT(kDomain, expiry, true, GURL(),
+                      network_anonymization_key1);
     TransportSecurityState::ExpectCTState expect_ct_state;
-    EXPECT_TRUE(state.GetDynamicExpectCTState(kDomain, network_isolation_key1,
-                                              &expect_ct_state));
+    EXPECT_TRUE(state.GetDynamicExpectCTState(
+        kDomain, network_anonymization_key1, &expect_ct_state));
 
     // The Expect-CT entry should only be respected with
-    // |network_isolation_key2| when
+    // |network_anonymization_key2| when
     // kPartitionExpectCTStateByNetworkIsolationKey is disabled.
     EXPECT_EQ(!partition_expect_ct_state,
-              state.GetDynamicExpectCTState(kDomain, network_isolation_key2,
+              state.GetDynamicExpectCTState(kDomain, network_anonymization_key2,
                                             &expect_ct_state));
     EXPECT_EQ(TransportSecurityState::CT_REQUIREMENTS_NOT_MET,
               state.CheckCTRequirements(
@@ -3500,7 +3499,7 @@ TEST_F(TransportSecurityStateTest,
                   SignedCertificateTimestampAndStatusList(),
                   TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                   ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                  network_isolation_key1));
+                  network_anonymization_key1));
     EXPECT_EQ(!partition_expect_ct_state,
               TransportSecurityState::CT_REQUIREMENTS_NOT_MET ==
                   state.CheckCTRequirements(
@@ -3508,10 +3507,10 @@ TEST_F(TransportSecurityStateTest,
                       SignedCertificateTimestampAndStatusList(),
                       TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
                       ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS,
-                      network_isolation_key2));
+                      network_anonymization_key2));
 
-    // An Expect-CT header with |network_isolation_key2| should only overwrite
-    // the entry when |partition_expect_ct_state| is false.
+    // An Expect-CT header with |network_anonymization_key2| should only
+    // overwrite the entry when |partition_expect_ct_state| is false.
     SSLInfo ssl_info;
     ssl_info.ct_policy_compliance =
         ct::CTPolicyCompliance::CT_POLICY_COMPLIES_VIA_SCTS;
@@ -3520,28 +3519,28 @@ TEST_F(TransportSecurityStateTest,
     state.SetExpectCTReporter(&reporter);
     const char kHeader[] = "max-age=0";
     state.ProcessExpectCTHeader(kHeader, host_port_pair, ssl_info,
-                                network_isolation_key2);
+                                network_anonymization_key2);
     EXPECT_EQ(partition_expect_ct_state,
-              state.GetDynamicExpectCTState(kDomain, network_isolation_key1,
+              state.GetDynamicExpectCTState(kDomain, network_anonymization_key1,
                                             &expect_ct_state));
 
-    // An Expect-CT header with |network_isolation_key1| should always overwrite
-    // the added entry.
+    // An Expect-CT header with |network_anonymization_key1| should always
+    // overwrite the added entry.
     state.ProcessExpectCTHeader(kHeader, host_port_pair, ssl_info,
-                                network_isolation_key1);
-    EXPECT_FALSE(state.GetDynamicExpectCTState(kDomain, network_isolation_key1,
-                                               &expect_ct_state));
+                                network_anonymization_key1);
+    EXPECT_FALSE(state.GetDynamicExpectCTState(
+        kDomain, network_anonymization_key1, &expect_ct_state));
   }
 }
 
 // Tests the eviction logic and priority of pruning resources, before applying
-// the per-NetworkIsolationKey limit.
+// the per-NetworkAnonymizationKey limit.
 TEST_F(TransportSecurityStateTest, PruneExpectCTPriority) {
   const GURL report_uri(kReportUri);
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
-      {TransportSecurityState::kDynamicExpectCTFeature,
+      {kDynamicExpectCTFeature,
        features::kPartitionExpectCTStateByNetworkIsolationKey},
       // disabled_features
       {});
@@ -3719,11 +3718,11 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTPriority) {
     TransportSecurityState state;
     base::Time first_group_observation_time = base::Time::Now();
     for (size_t i = 0; i < kGroupSize; ++i) {
-      // All entries use a unique NetworkIsolationKey, so
-      // NetworkIsolationKey-based pruning will do nothing.
+      // All entries use a unique NetworkAnonymizationKey, so
+      // NetworkAnonymizationKey-based pruning will do nothing.
       state.AddExpectCT(CreateUniqueHostName(), first_group_expiry,
                         test_case.first_group_has_enforce, report_uri,
-                        CreateUniqueNetworkIsolationKey(
+                        CreateUniqueNetworkAnonymizationKey(
                             test_case.first_group_has_transient_nik));
     }
 
@@ -3749,7 +3748,7 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTPriority) {
     for (size_t i = 0; i < kGroupSize; ++i) {
       state.AddExpectCT(CreateUniqueHostName(), second_group_expiry,
                         test_case.second_group_has_enforce, report_uri,
-                        CreateUniqueNetworkIsolationKey(
+                        CreateUniqueNetworkAnonymizationKey(
                             test_case.second_group_has_transient_nik));
     }
 
@@ -3769,7 +3768,7 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTPriority) {
       state.AddExpectCT(
           CreateUniqueHostName(), base::Time::Now() + base::Seconds(1),
           true /* enforce */, report_uri,
-          CreateUniqueNetworkIsolationKey(false /* is_transient */));
+          CreateUniqueNetworkAnonymizationKey(false /* is_transient */));
     }
 
     size_t first_group_size = 0;
@@ -3804,16 +3803,15 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTPriority) {
 TEST_F(TransportSecurityStateTest, PruneExpectCTDelay) {
   const GURL report_uri(kReportUri);
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   TransportSecurityState state;
   base::Time expiry = base::Time::Now() + base::Days(10);
   // Add prunable entries until pruning is triggered.
   for (int i = 0; i < features::kExpectCTPruneMax.Get(); ++i) {
-    state.AddExpectCT(CreateUniqueHostName(), expiry, false /* enforce */,
-                      report_uri,
-                      CreateUniqueNetworkIsolationKey(true /* is_transient */));
+    state.AddExpectCT(
+        CreateUniqueHostName(), expiry, false /* enforce */, report_uri,
+        CreateUniqueNetworkAnonymizationKey(true /* is_transient */));
   }
   // Should have removed enough entries to get down to kExpectCTPruneMin
   // entries.
@@ -3823,9 +3821,9 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTDelay) {
   // Add more prunable entries, but pruning should not be triggered, due to the
   // delay between subsequent pruning tasks.
   for (int i = 0; i < features::kExpectCTPruneMax.Get(); ++i) {
-    state.AddExpectCT(CreateUniqueHostName(), expiry, false /* enforce */,
-                      report_uri,
-                      CreateUniqueNetworkIsolationKey(true /* is_transient */));
+    state.AddExpectCT(
+        CreateUniqueHostName(), expiry, false /* enforce */, report_uri,
+        CreateUniqueNetworkAnonymizationKey(true /* is_transient */));
   }
   EXPECT_EQ(
       features::kExpectCTPruneMax.Get() + features::kExpectCTPruneMin.Get(),
@@ -3839,9 +3837,9 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTDelay) {
 
   // Another entry is added, which triggers pruning, now that enough time has
   // passed.
-  state.AddExpectCT(CreateUniqueHostName(), expiry, false /* enforce */,
-                    report_uri,
-                    CreateUniqueNetworkIsolationKey(true /* is_transient */));
+  state.AddExpectCT(
+      CreateUniqueHostName(), expiry, false /* enforce */, report_uri,
+      CreateUniqueNetworkAnonymizationKey(true /* is_transient */));
   EXPECT_EQ(features::kExpectCTPruneMin.Get(),
             static_cast<int>(state.num_expect_ct_entries_for_testing()));
 
@@ -3855,9 +3853,9 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTDelay) {
   for (int i = 0; i < features::kExpectCTPruneMax.Get() -
                           features::kExpectCTPruneMin.Get();
        ++i) {
-    state.AddExpectCT(CreateUniqueHostName(), expiry, false /* enforce */,
-                      report_uri,
-                      CreateUniqueNetworkIsolationKey(true /* is_transient */));
+    state.AddExpectCT(
+        CreateUniqueHostName(), expiry, false /* enforce */, report_uri,
+        CreateUniqueNetworkAnonymizationKey(true /* is_transient */));
   }
   EXPECT_EQ(features::kExpectCTPruneMin.Get(),
             static_cast<int>(state.num_expect_ct_entries_for_testing()));
@@ -3866,12 +3864,12 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTDelay) {
 // Test that Expect-CT pruning respects kExpectCTMaxEntriesPerNik, which is only
 // applied if there are more than kExpectCTPruneMin entries after global
 // pruning.
-TEST_F(TransportSecurityStateTest, PruneExpectCTNetworkIsolationKeyLimit) {
+TEST_F(TransportSecurityStateTest, PruneExpectCTNetworkAnonymizationKeyLimit) {
   const GURL report_uri(kReportUri);
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
-      {TransportSecurityState::kDynamicExpectCTFeature,
+      {kDynamicExpectCTFeature,
        features::kPartitionExpectCTStateByNetworkIsolationKey},
       // disabled_features
       {});
@@ -3889,19 +3887,19 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTNetworkIsolationKeyLimit) {
   for (int i = 0; i < features::kExpectCTPruneMax.Get(); ++i) {
     state.AddExpectCT(
         CreateUniqueHostName(), expiry1, true /* enforce */, report_uri,
-        CreateUniqueNetworkIsolationKey(false /* is_transient */));
+        CreateUniqueNetworkAnonymizationKey(false /* is_transient */));
   }
   EXPECT_EQ(features::kExpectCTPruneMax.Get(),
             static_cast<int>(state.num_expect_ct_entries_for_testing()));
 
   // Add kExpectCTMaxEntriesPerNik non-prunable entries with a single NIK,
   // allowing pruning to run each time. No entries should be deleted.
-  NetworkIsolationKey network_isolation_key =
-      CreateUniqueNetworkIsolationKey(false /* is_transient */);
+  NetworkAnonymizationKey network_anonymization_key =
+      CreateUniqueNetworkAnonymizationKey(false /* is_transient */);
   for (int i = 0; i < features::kExpectCTMaxEntriesPerNik.Get(); ++i) {
     FastForwardBy(base::Seconds(features::kExpectCTPruneDelaySecs.Get()));
     state.AddExpectCT(CreateUniqueHostName(), expiry2, true /* enforce */,
-                      report_uri, network_isolation_key);
+                      report_uri, network_anonymization_key);
     EXPECT_EQ(features::kExpectCTPruneMax.Get() + i + 1,
               static_cast<int>(state.num_expect_ct_entries_for_testing()));
   }
@@ -3912,7 +3910,7 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTNetworkIsolationKeyLimit) {
   for (int i = 0; i < features::kExpectCTMaxEntriesPerNik.Get(); ++i) {
     FastForwardBy(base::Seconds(features::kExpectCTPruneDelaySecs.Get()));
     state.AddExpectCT(CreateUniqueHostName(), expiry3, true /* enforce */,
-                      report_uri, network_isolation_key);
+                      report_uri, network_anonymization_key);
     EXPECT_EQ(features::kExpectCTPruneMax.Get() +
                   features::kExpectCTMaxEntriesPerNik.Get(),
               static_cast<int>(state.num_expect_ct_entries_for_testing()));
@@ -3924,10 +3922,12 @@ TEST_F(TransportSecurityStateTest, PruneExpectCTNetworkIsolationKeyLimit) {
     for (TransportSecurityState::ExpectCTStateIterator iterator(state);
          iterator.HasNext(); iterator.Advance()) {
       if (iterator.domain_state().expiry == expiry2) {
-        EXPECT_EQ(network_isolation_key, iterator.network_isolation_key());
+        EXPECT_EQ(network_anonymization_key,
+                  iterator.network_anonymization_key());
         ++num_expiry2_entries;
       } else if (iterator.domain_state().expiry == expiry3) {
-        EXPECT_EQ(network_isolation_key, iterator.network_isolation_key());
+        EXPECT_EQ(network_anonymization_key,
+                  iterator.network_anonymization_key());
         ++num_expiry3_entries;
       }
     }
@@ -3943,8 +3943,8 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListValidPin) {
       net::features::kStaticKeyPinningEnforcement);
   HostPortPair host_port_pair(kHost, kPort);
   GURL report_uri(kReportUri);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
@@ -3968,7 +3968,7 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListValidPin) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 
   // Update the pins list, adding bad_hashes to the accepted hashes for this
   // host.
@@ -3993,7 +3993,7 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListValidPin) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 }
 
 TEST_F(TransportSecurityStateTest, UpdateKeyPinsListNotValidPin) {
@@ -4002,8 +4002,8 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListNotValidPin) {
       net::features::kStaticKeyPinningEnforcement);
   HostPortPair host_port_pair(kHost, kPort);
   GURL report_uri(kReportUri);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
@@ -4027,7 +4027,7 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListNotValidPin) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, good_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 
   // Update the pins list, adding good_hashes to the rejected hashes for this
   // host.
@@ -4052,7 +4052,7 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListNotValidPin) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, good_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 }
 
 TEST_F(TransportSecurityStateTest, UpdateKeyPinsEmptyList) {
@@ -4061,8 +4061,8 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsEmptyList) {
       net::features::kStaticKeyPinningEnforcement);
   HostPortPair host_port_pair(kHost, kPort);
   GURL report_uri(kReportUri);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
@@ -4086,7 +4086,7 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsEmptyList) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 
   // Update the pins list with an empty list.
   state.UpdatePinList({}, {}, base::Time::Now());
@@ -4096,7 +4096,7 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsEmptyList) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 }
 
 TEST_F(TransportSecurityStateTest, UpdateKeyPinsListTimestamp) {
@@ -4105,8 +4105,8 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListTimestamp) {
       net::features::kStaticKeyPinningEnforcement);
   HostPortPair host_port_pair(kHost, kPort);
   GURL report_uri(kReportUri);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
@@ -4130,7 +4130,7 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListTimestamp) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 
   // TransportSecurityStateTest sets a flag when EnableStaticPins is called that
   // results in TransportSecurityState considering the pins list as always
@@ -4162,7 +4162,7 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListTimestamp) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 
   // Update the pins list again, with a timestamp <70 days old.
   state.UpdatePinList({test_pinset}, {test_pinsetinfo},
@@ -4173,7 +4173,7 @@ TEST_F(TransportSecurityStateTest, UpdateKeyPinsListTimestamp) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 }
 
 class TransportSecurityStatePinningKillswitchTest
@@ -4191,8 +4191,8 @@ class TransportSecurityStatePinningKillswitchTest
 TEST_F(TransportSecurityStatePinningKillswitchTest, PinningKillswitchSet) {
   HostPortPair host_port_pair(kHost, kPort);
   GURL report_uri(kReportUri);
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   // Two dummy certs to use as the server-sent and validated chains. The
   // contents don't matter.
   scoped_refptr<X509Certificate> cert1 =
@@ -4216,7 +4216,7 @@ TEST_F(TransportSecurityStatePinningKillswitchTest, PinningKillswitchSet) {
             state.CheckPublicKeyPins(
                 host_port_pair, true, bad_hashes, cert1.get(), cert2.get(),
                 TransportSecurityState::ENABLE_PIN_REPORTS,
-                network_isolation_key, &unused_failure_log));
+                network_anonymization_key, &unused_failure_log));
 }
 
 }  // namespace net
diff --git a/chromium/net/http/url_security_manager.cc b/chromium/net/http/url_security_manager.cc
index ece7f042c4f..cbf9248f17a 100644
--- a/chromium/net/http/url_security_manager.cc
+++ b/chromium/net/http/url_security_manager.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/url_security_manager.h b/chromium/net/http/url_security_manager.h
index 764aceb7c47..f89bd17308e 100644
--- a/chromium/net/http/url_security_manager.h
+++ b/chromium/net/http/url_security_manager.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/url_security_manager_posix.cc b/chromium/net/http/url_security_manager_posix.cc
index c181a9087a3..0a2966e5026 100644
--- a/chromium/net/http/url_security_manager_posix.cc
+++ b/chromium/net/http/url_security_manager_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/url_security_manager_unittest.cc b/chromium/net/http/url_security_manager_unittest.cc
index 0d59ffbd548..b55befa87bb 100644
--- a/chromium/net/http/url_security_manager_unittest.cc
+++ b/chromium/net/http/url_security_manager_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/url_security_manager_win.cc b/chromium/net/http/url_security_manager_win.cc
index aa07b494910..8f7c4196acf 100644
--- a/chromium/net/http/url_security_manager_win.cc
+++ b/chromium/net/http/url_security_manager_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/webfonts_histogram.cc b/chromium/net/http/webfonts_histogram.cc
index f353536be5e..c028a112378 100644
--- a/chromium/net/http/webfonts_histogram.cc
+++ b/chromium/net/http/webfonts_histogram.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/webfonts_histogram.h b/chromium/net/http/webfonts_histogram.h
index 6583650fe60..73437531a5e 100644
--- a/chromium/net/http/webfonts_histogram.h
+++ b/chromium/net/http/webfonts_histogram.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/http/webfonts_histogram_unittest.cc b/chromium/net/http/webfonts_histogram_unittest.cc
index 7c112510bee..1ba24dd47c2 100644
--- a/chromium/net/http/webfonts_histogram_unittest.cc
+++ b/chromium/net/http/webfonts_histogram_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/file_net_log_observer.cc b/chromium/net/log/file_net_log_observer.cc
index b1a1a91b4e1..8b034930ca1 100644
--- a/chromium/net/log/file_net_log_observer.cc
+++ b/chromium/net/log/file_net_log_observer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/file_net_log_observer.h b/chromium/net/log/file_net_log_observer.h
index 00569a61db8..071d7d7de14 100644
--- a/chromium/net/log/file_net_log_observer.h
+++ b/chromium/net/log/file_net_log_observer.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/file_net_log_observer_unittest.cc b/chromium/net/log/file_net_log_observer_unittest.cc
index acc6c5a0090..95875253d3e 100644
--- a/chromium/net/log/file_net_log_observer_unittest.cc
+++ b/chromium/net/log/file_net_log_observer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log.cc b/chromium/net/log/net_log.cc
index 6ea2341512d..53177340737 100644
--- a/chromium/net/log/net_log.cc
+++ b/chromium/net/log/net_log.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,6 +8,7 @@
 #include "base/containers/contains.h"
 #include "base/no_destructor.h"
 #include "base/notreached.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/values.h"
 #include "net/log/net_log_values.h"
@@ -104,7 +105,7 @@ void NetLog::RemoveObserver(NetLog::ThreadSafeObserver* observer) {
 
   DCHECK_EQ(this, observer->net_log_);
 
-  auto it = std::find(observers_.begin(), observers_.end(), observer);
+  auto it = base::ranges::find(observers_, observer);
   DCHECK(it != observers_.end());
   observers_.erase(it);
 
@@ -132,8 +133,7 @@ void NetLog::RemoveCaptureModeObserver(
   DCHECK_EQ(this, observer->net_log_);
   DCHECK(HasCaptureModeObserver(observer));
 
-  auto it = std::find(capture_mode_observers_.begin(),
-                      capture_mode_observers_.end(), observer);
+  auto it = base::ranges::find(capture_mode_observers_, observer);
   DCHECK(it != capture_mode_observers_.end());
   capture_mode_observers_.erase(it);
 
diff --git a/chromium/net/log/net_log.h b/chromium/net/log/net_log.h
index d041ab81311..d07c0384618 100644
--- a/chromium/net/log/net_log.h
+++ b/chromium/net/log/net_log.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_capture_mode.cc b/chromium/net/log/net_log_capture_mode.cc
index 40b072aa9f8..32851e2dff7 100644
--- a/chromium/net/log/net_log_capture_mode.cc
+++ b/chromium/net/log/net_log_capture_mode.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_capture_mode.h b/chromium/net/log/net_log_capture_mode.h
index cef1b25cff1..1760e195a4f 100644
--- a/chromium/net/log/net_log_capture_mode.h
+++ b/chromium/net/log/net_log_capture_mode.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_capture_mode_unittest.cc b/chromium/net/log/net_log_capture_mode_unittest.cc
index ea4fa30c7c2..dc381ba842d 100644
--- a/chromium/net/log/net_log_capture_mode_unittest.cc
+++ b/chromium/net/log/net_log_capture_mode_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_entry.cc b/chromium/net/log/net_log_entry.cc
index 25c763e482a..2045440520d 100644
--- a/chromium/net/log/net_log_entry.cc
+++ b/chromium/net/log/net_log_entry.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_entry.h b/chromium/net/log/net_log_entry.h
index e2013bf7a65..4e213da9660 100644
--- a/chromium/net/log/net_log_entry.h
+++ b/chromium/net/log/net_log_entry.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_event_type.cc b/chromium/net/log/net_log_event_type.cc
index 069b3dca603..fd02d8044f3 100644
--- a/chromium/net/log/net_log_event_type.cc
+++ b/chromium/net/log/net_log_event_type.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_event_type.h b/chromium/net/log/net_log_event_type.h
index 1a58d675698..396b4280752 100644
--- a/chromium/net/log/net_log_event_type.h
+++ b/chromium/net/log/net_log_event_type.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_event_type_list.h b/chromium/net/log/net_log_event_type_list.h
index 352db1172b7..8f11ed037d5 100644
--- a/chromium/net/log/net_log_event_type_list.h
+++ b/chromium/net/log/net_log_event_type_list.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -53,7 +53,7 @@ EVENT_TYPE(REQUEST_ALIVE)
 //                               the host cache>,
 //     "is_speculative": <Whether this request was started by the DNS
 //                        prefetcher>,
-//     "network_isolation_key": <NetworkIsolationKey associated with the
+//     "network_isolation_key": <NetworkAnonymizationKey associated with the
 //                               request>,
 //     "secure_dns_policy": <SecureDnsPolicy of the request>,
 //   }
@@ -106,9 +106,9 @@ EVENT_TYPE(HOST_RESOLVER_MANAGER_CREATE_JOB)
 //   {
 //     "dns_query_type": <DnsQueryType of the job>,
 //     "host": <Serialized scheme/host/port associated with the job>,
-//     "network_isolation_key": <NetworkIsolationKey associated with the job>,
-//     "secure_dns_mode": <SecureDnsMode of the job>,
-//     "source_dependency": <Source id, if any, of what created the job>,
+//     "network_isolation_key": <NetworkAnonymizationKey associated with the
+//     job>, "secure_dns_mode": <SecureDnsMode of the job>, "source_dependency":
+//     <Source id, if any, of what created the job>,
 //   }
 //
 // The END phase will contain these parameters:
@@ -183,8 +183,8 @@ EVENT_TYPE(HOST_RESOLVER_MANAGER_JOB_REQUEST_ATTACH)
 //   }
 EVENT_TYPE(HOST_RESOLVER_MANAGER_JOB_REQUEST_DETACH)
 
-// The creation/completion of a HostResolverManager::ProcTask to call
-// getaddrinfo. The BEGIN phase contains the following parameters:
+// The creation/completion of a HostResolverSystemTask to call getaddrinfo. The
+// BEGIN phase contains the following parameters:
 //
 //   {
 //     "hostname": <Hostname associated with the request>,
@@ -199,7 +199,7 @@ EVENT_TYPE(HOST_RESOLVER_MANAGER_JOB_REQUEST_DETACH)
 //     "net_error": <The net error code integer for the failure>,
 //     "os_error": <The exact error code integer that getaddrinfo() returned>,
 //   }
-EVENT_TYPE(HOST_RESOLVER_MANAGER_PROC_TASK)
+EVENT_TYPE(HOST_RESOLVER_SYSTEM_TASK)
 
 // The creation/completion of a HostResolverManager::DnsTask to manage a
 // DnsTransaction. The BEGIN phase contains the following parameters:
@@ -795,6 +795,21 @@ EVENT_TYPE(HTTP_PROXY_CONNECT_JOB_CONNECT)
 //   }
 EVENT_TYPE(SSL_CONNECT_JOB_RESTART_WITH_ECH_CONFIG_LIST)
 
+// This event is logged when the TransportConnectJob IPv6 fallback timer expires
+// and the IPv4 addresses are attempted.
+EVENT_TYPE(TRANSPORT_CONNECT_JOB_IPV6_FALLBACK)
+
+// This event is logged whenever the ConnectJob attempts a new TCP connection.
+// association. The ConnectJob may attempt multiple addresses in parallel, so
+// this event does not log when the connection attempt succeeds or fails. The
+// source dependency may be used to determine this.
+//
+//   {
+//     "address": <String of the network address being attempted>,
+//     "source_dependency": <The source identifier for the new socket.>,
+//   }
+EVENT_TYPE(TRANSPORT_CONNECT_JOB_CONNECT_ATTEMPT)
+
 // ------------------------------------------------------------------------
 // ClientSocketPoolBaseHelper
 // ------------------------------------------------------------------------
@@ -1760,7 +1775,7 @@ EVENT_TYPE(HTTP2_PROXY_CLIENT_SESSION)
 //     "host": <The origin hostname that the Job serves>,
 //     "port": <The origin port>,
 //     "privacy_mode": <The privacy mode of the Job>,
-//     "network_isolation_key": <The NetworkIsolationKey of the Job>,
+//     "network_anonymization_key": <The NetworkAnonymizationKey of the Job>,
 //   }
 EVENT_TYPE(QUIC_STREAM_FACTORY_JOB)
 
@@ -1807,9 +1822,11 @@ EVENT_TYPE(QUIC_STREAM_FACTORY_JOB_STALE_HOST_RESOLUTION_MATCHED)
 //     "host": <The origin hostname string>,
 //     "port": <The origin port>,
 //     "privacy_mode": <The privacy mode of the session>,
-//     "network_isolation_key": <The NetworkIsolationKey of the session>,
-//     "require_confirmation": <True if the session will wait for a successful
-//                              QUIC handshake before vending streams>,
+//     "network_anonymization_key": <The NetworkAnonymizationKey of the
+//                                   session>,
+//     "require_confirmation": <True if the session will wait for a
+//                              successful QUIC handshake before vending
+//                              streams>,
 //     "cert_verify_flags": <The certificate verification flags for the
 //                           session>,
 //   }
diff --git a/chromium/net/log/net_log_source.cc b/chromium/net/log/net_log_source.cc
index d19b586bd24..9342ae66a33 100644
--- a/chromium/net/log/net_log_source.cc
+++ b/chromium/net/log/net_log_source.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,26 +7,10 @@
 #include <memory>
 #include <utility>
 
-#include "base/bind.h"
-#include "base/callback.h"
-#include "base/check_op.h"
 #include "base/values.h"
-#include "net/log/net_log_capture_mode.h"
 
 namespace net {
 
-namespace {
-
-base::Value SourceEventParametersCallback(const NetLogSource source) {
-  if (!source.IsValid())
-    return base::Value();
-  base::Value::Dict event_params;
-  source.AddToEventParameters(event_params);
-  return base::Value(std::move(event_params));
-}
-
-}  // namespace
-
 // LoadTimingInfo requires this be 0.
 const uint32_t NetLogSource::kInvalidId = 0;
 
@@ -57,7 +41,11 @@ void NetLogSource::AddToEventParameters(base::Value::Dict& event_params) const {
 }
 
 base::Value NetLogSource::ToEventParameters() const {
-  return SourceEventParametersCallback(*this);
+  if (!IsValid())
+    return base::Value();
+  base::Value::Dict event_params;
+  AddToEventParameters(event_params);
+  return base::Value(std::move(event_params));
 }
 
 }  // namespace net
diff --git a/chromium/net/log/net_log_source.h b/chromium/net/log/net_log_source.h
index 9ce41b3ec4a..50b502f406b 100644
--- a/chromium/net/log/net_log_source.h
+++ b/chromium/net/log/net_log_source.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_source_type.h b/chromium/net/log/net_log_source_type.h
index 72ea14d18ca..c3ff70d4621 100644
--- a/chromium/net/log/net_log_source_type.h
+++ b/chromium/net/log/net_log_source_type.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_source_type_list.h b/chromium/net/log/net_log_source_type_list.h
index 55a66fce82c..4efa9dabf98 100644
--- a/chromium/net/log/net_log_source_type_list.h
+++ b/chromium/net/log/net_log_source_type_list.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_unittest.cc b/chromium/net/log/net_log_unittest.cc
index da4c60ba04a..772f6ea0ad9 100644
--- a/chromium/net/log/net_log_unittest.cc
+++ b/chromium/net/log/net_log_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_util.cc b/chromium/net/log/net_log_util.cc
index 216771e804b..cfc9c648a76 100644
--- a/chromium/net/log/net_log_util.cc
+++ b/chromium/net/log/net_log_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_util.h b/chromium/net/log/net_log_util.h
index de00035727b..8406bf304cf 100644
--- a/chromium/net/log/net_log_util.h
+++ b/chromium/net/log/net_log_util.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_util_unittest.cc b/chromium/net/log/net_log_util_unittest.cc
index 9b3a0c8d174..ba8026dc787 100644
--- a/chromium/net/log/net_log_util_unittest.cc
+++ b/chromium/net/log/net_log_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -75,11 +75,8 @@ TEST(NetLogUtil, GetNetInfoIncludesFieldTrials) {
       std::make_unique<base::FeatureList>());
 
   // Add and activate a new Field Trial.
-  base::FieldTrial* field_trial = base::FieldTrialList::FactoryGetFieldTrial(
-      "NewFieldTrial", 100, "Default", base::FieldTrial::ONE_TIME_RANDOMIZED,
-      nullptr);
-  field_trial->AppendGroup("Active", 100);
-  EXPECT_EQ(field_trial->group_name(), "Active");
+  base::FieldTrialList::CreateFieldTrial("NewFieldTrial", "Active");
+  EXPECT_EQ(base::FieldTrialList::FindFullName("NewFieldTrial"), "Active");
 
   auto context = CreateTestURLRequestContextBuilder()->Build();
   base::Value net_info(GetNetInfo(context.get()));
diff --git a/chromium/net/log/net_log_values.cc b/chromium/net/log/net_log_values.cc
index e87ea6595fb..3c2f0f929ce 100644
--- a/chromium/net/log/net_log_values.cc
+++ b/chromium/net/log/net_log_values.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_values.h b/chromium/net/log/net_log_values.h
index 471adbd32f2..bae04e666ec 100644
--- a/chromium/net/log/net_log_values.h
+++ b/chromium/net/log/net_log_values.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_values_unittest.cc b/chromium/net/log/net_log_values_unittest.cc
index fd5396c5dd7..fbd11b5642d 100644
--- a/chromium/net/log/net_log_values_unittest.cc
+++ b/chromium/net/log/net_log_values_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_with_source.cc b/chromium/net/log/net_log_with_source.cc
index edf4865aa6f..b4af2e43d8f 100644
--- a/chromium/net/log/net_log_with_source.cc
+++ b/chromium/net/log/net_log_with_source.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/net_log_with_source.h b/chromium/net/log/net_log_with_source.h
index b8143998808..c4e8f9e2c6c 100644
--- a/chromium/net/log/net_log_with_source.h
+++ b/chromium/net/log/net_log_with_source.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/test_net_log.cc b/chromium/net/log/test_net_log.cc
index e526263241a..cf7739c8f11 100644
--- a/chromium/net/log/test_net_log.cc
+++ b/chromium/net/log/test_net_log.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/test_net_log.h b/chromium/net/log/test_net_log.h
index adbbebe1ec9..9cf081984c4 100644
--- a/chromium/net/log/test_net_log.h
+++ b/chromium/net/log/test_net_log.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/test_net_log_util.cc b/chromium/net/log/test_net_log_util.cc
index 794234ef33f..9c62fc7b3e1 100644
--- a/chromium/net/log/test_net_log_util.cc
+++ b/chromium/net/log/test_net_log_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/test_net_log_util.h b/chromium/net/log/test_net_log_util.h
index 9caef59fd25..2fae1ada3a3 100644
--- a/chromium/net/log/test_net_log_util.h
+++ b/chromium/net/log/test_net_log_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/trace_net_log_observer.cc b/chromium/net/log/trace_net_log_observer.cc
index 1ffddd05542..b5669a353ca 100644
--- a/chromium/net/log/trace_net_log_observer.cc
+++ b/chromium/net/log/trace_net_log_observer.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/trace_net_log_observer.h b/chromium/net/log/trace_net_log_observer.h
index 568f533f609..eda1f92cc24 100644
--- a/chromium/net/log/trace_net_log_observer.h
+++ b/chromium/net/log/trace_net_log_observer.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/log/trace_net_log_observer_unittest.cc b/chromium/net/log/trace_net_log_observer_unittest.cc
index 2f73e4dd916..2f8f17d246e 100644
--- a/chromium/net/log/trace_net_log_observer_unittest.cc
+++ b/chromium/net/log/trace_net_log_observer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/network_error_logging/OWNERS b/chromium/net/network_error_logging/OWNERS
index acbf93af41e..4392ef47220 100644
--- a/chromium/net/network_error_logging/OWNERS
+++ b/chromium/net/network_error_logging/OWNERS
@@ -1 +1 @@
-yhirano@chromium.org
+ricea@chromium.org
diff --git a/chromium/net/network_error_logging/mock_persistent_nel_store.cc b/chromium/net/network_error_logging/mock_persistent_nel_store.cc
index 1d252d57ef6..7183a18ca52 100644
--- a/chromium/net/network_error_logging/mock_persistent_nel_store.cc
+++ b/chromium/net/network_error_logging/mock_persistent_nel_store.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/network_error_logging/mock_persistent_nel_store.h b/chromium/net/network_error_logging/mock_persistent_nel_store.h
index b896d901cba..6324e9615ab 100644
--- a/chromium/net/network_error_logging/mock_persistent_nel_store.h
+++ b/chromium/net/network_error_logging/mock_persistent_nel_store.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/network_error_logging/mock_persistent_nel_store_unittest.cc b/chromium/net/network_error_logging/mock_persistent_nel_store_unittest.cc
index bbc1e8d4b09..fdafb7dab82 100644
--- a/chromium/net/network_error_logging/mock_persistent_nel_store_unittest.cc
+++ b/chromium/net/network_error_logging/mock_persistent_nel_store_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,7 +7,7 @@
 #include "base/location.h"
 #include "base/strings/strcat.h"
 #include "base/test/bind.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/network_error_logging/mock_persistent_nel_store.h"
 #include "net/network_error_logging/network_error_logging_service.h"
@@ -21,10 +21,10 @@ namespace {
 
 NetworkErrorLoggingService::NelPolicy MakePolicy(
     const url::Origin& origin,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   NetworkErrorLoggingService::NelPolicy policy;
-  policy.key =
-      NetworkErrorLoggingService::NelPolicyKey(network_isolation_key, origin);
+  policy.key = NetworkErrorLoggingService::NelPolicyKey(
+      network_anonymization_key, origin);
   policy.expires = base::Time();
   policy.last_used = base::Time();
 
@@ -57,11 +57,11 @@ class MockPersistentNelStoreTest : public testing::Test {
  protected:
   const url::Origin origin_ =
       url::Origin::Create(GURL("https://example.test/"));
-  const NetworkIsolationKey network_isolation_key_ =
-      NetworkIsolationKey(SchemefulSite(GURL("https://foo.test/")),
-                          SchemefulSite(GURL("https://bar.test/")));
+  const NetworkAnonymizationKey network_anonymization_key_ =
+      NetworkAnonymizationKey(SchemefulSite(GURL("https://foo.test/")),
+                              SchemefulSite(GURL("https://bar.test/")));
   const NetworkErrorLoggingService::NelPolicy nel_policy_ =
-      MakePolicy(origin_, network_isolation_key_);
+      MakePolicy(origin_, network_anonymization_key_);
 };
 
 // Test that FinishLoading() runs the callback.
@@ -104,8 +104,8 @@ TEST_F(MockPersistentNelStoreTest, PreStoredPolicies) {
   store.FinishLoading(true /* load_success */);
   ASSERT_EQ(1u, loaded_policies.size());
   EXPECT_EQ(origin_, loaded_policies[0].key.origin);
-  EXPECT_EQ(network_isolation_key_,
-            loaded_policies[0].key.network_isolation_key);
+  EXPECT_EQ(network_anonymization_key_,
+            loaded_policies[0].key.network_anonymization_key);
 
   EXPECT_EQ(1u, store.GetAllCommands().size());
   EXPECT_TRUE(store.VerifyCommands(expected_commands));
diff --git a/chromium/net/network_error_logging/network_error_logging_service.cc b/chromium/net/network_error_logging/network_error_logging_service.cc
index 47dafaa3621..8386057099e 100644
--- a/chromium/net/network_error_logging/network_error_logging_service.cc
+++ b/chromium/net/network_error_logging/network_error_logging_service.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -167,7 +167,7 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
 
   // NetworkErrorLoggingService implementation:
 
-  void OnHeader(const NetworkIsolationKey& network_isolation_key,
+  void OnHeader(const NetworkAnonymizationKey& network_anonymization_key,
                 const url::Origin& origin,
                 const IPAddress& received_ip_address,
                 const std::string& value) override {
@@ -181,8 +181,8 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     // task_backlog_, so the callback will not outlive |*this|.
     DoOrBacklogTask(base::BindOnce(
         &NetworkErrorLoggingServiceImpl::DoOnHeader, base::Unretained(this),
-        respect_network_isolation_key_ ? network_isolation_key
-                                       : NetworkIsolationKey(),
+        respect_network_anonymization_key_ ? network_anonymization_key
+                                           : NetworkAnonymizationKey(),
         origin, received_ip_address, value, header_received_time));
   }
 
@@ -193,8 +193,8 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     if (!reporting_service_)
       return;
 
-    if (!respect_network_isolation_key_)
-      details.network_isolation_key = NetworkIsolationKey();
+    if (!respect_network_anonymization_key_)
+      details.network_anonymization_key = NetworkAnonymizationKey();
 
     base::Time request_received_time = clock_->Now();
     // base::Unretained is safe because the callback gets stored in
@@ -216,8 +216,8 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
       return;
     }
 
-    if (!respect_network_isolation_key_)
-      details.network_isolation_key = NetworkIsolationKey();
+    if (!respect_network_anonymization_key_)
+      details.network_anonymization_key = NetworkAnonymizationKey();
 
     base::Time request_received_time = clock_->Now();
     // base::Unretained is safe because the callback gets stored in
@@ -254,8 +254,8 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
       const NelPolicyKey& key = key_and_policy.first;
       const NelPolicy& policy = key_and_policy.second;
       base::Value::Dict policy_dict;
-      policy_dict.Set("networkIsolationKey",
-                      key.network_isolation_key.ToDebugString());
+      policy_dict.Set("NetworkAnonymizationKey",
+                      key.network_anonymization_key.ToDebugString());
       policy_dict.Set("origin", key.origin.Serialize());
       policy_dict.Set("includeSubdomains", policy.include_subdomains);
       policy_dict.Set("reportTo", policy.report_to);
@@ -293,8 +293,8 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
   // true.
   //
   // Wildcard policies are accessed by domain name, not full origin. The key
-  // consists of the NetworkIsolationKey of the policy, plus a string which is
-  // the host part of the policy's origin.
+  // consists of the NetworkAnonymizationKey of the policy, plus a string which
+  // is the host part of the policy's origin.
   //
   // Looking up a wildcard policy for a domain yields the wildcard policy with
   // the longest host part (most specific subdomain) that is a substring of the
@@ -335,7 +335,7 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
 
   // Set based on features::kPartitionNelAndReportingByNetworkIsolationKey on
   // construction.
-  bool respect_network_isolation_key_ = base::FeatureList::IsEnabled(
+  bool respect_network_anonymization_key_ = base::FeatureList::IsEnabled(
       features::kPartitionNelAndReportingByNetworkIsolationKey);
 
   base::WeakPtrFactory<NetworkErrorLoggingServiceImpl> weak_factory_{this};
@@ -368,7 +368,7 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     task_backlog_.clear();
   }
 
-  void DoOnHeader(const NetworkIsolationKey& network_isolation_key,
+  void DoOnHeader(const NetworkAnonymizationKey& network_anonymization_key,
                   const url::Origin& origin,
                   const IPAddress& received_ip_address,
                   const std::string& value,
@@ -376,7 +376,7 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     DCHECK(initialized_);
 
     NelPolicy policy;
-    policy.key = NelPolicyKey(network_isolation_key, origin);
+    policy.key = NelPolicyKey(network_anonymization_key, origin);
     policy.received_ip_address = received_ip_address;
     policy.last_used = header_received_time;
 
@@ -418,12 +418,12 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     DCHECK(reporting_service_);
     DCHECK(initialized_);
 
-    if (!respect_network_isolation_key_)
-      details.network_isolation_key = NetworkIsolationKey();
+    if (!respect_network_anonymization_key_)
+      details.network_anonymization_key = NetworkAnonymizationKey();
 
     auto report_origin = url::Origin::Create(details.uri);
     const NelPolicy* policy =
-        FindPolicyForReport(details.network_isolation_key, report_origin);
+        FindPolicyForReport(details.network_anonymization_key, report_origin);
     if (!policy)
       return;
 
@@ -488,7 +488,7 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     // A null reporting source token is used since this report is not associated
     // with any particular document.
     reporting_service_->QueueReport(
-        details.uri, absl::nullopt, details.network_isolation_key,
+        details.uri, absl::nullopt, details.network_anonymization_key,
         details.user_agent, policy->report_to, kReportType,
         CreateReportBody(phase_string, type_string, sampling_fraction.value(),
                          details),
@@ -501,7 +501,7 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
 
     const auto report_origin = url::Origin::Create(details.outer_url);
     const NelPolicy* policy =
-        FindPolicyForReport(details.network_isolation_key, report_origin);
+        FindPolicyForReport(details.network_anonymization_key, report_origin);
     if (!policy) {
       RecordSignedExchangeRequestOutcome(
           RequestOutcome::kDiscardedNoOriginPolicy);
@@ -538,7 +538,7 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     // A null reporting source token is used since this report is not associated
     // with any particular document.
     reporting_service_->QueueReport(
-        details.outer_url, absl::nullopt, details.network_isolation_key,
+        details.outer_url, absl::nullopt, details.network_anonymization_key,
         details.user_agent, policy->report_to, kReportType,
         CreateSignedExchangeReportBody(details, sampling_fraction.value()),
         0 /* depth */);
@@ -592,7 +592,7 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
       return false;
 
     base::Value::Dict* dict = value->GetIfDict();
-    if (!value)
+    if (!dict)
       return false;
 
     // Max-Age property is missing or malformed.
@@ -636,19 +636,19 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
   }
 
   const NelPolicy* FindPolicyForReport(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& report_origin) const {
     DCHECK(initialized_);
 
     auto it =
-        policies_.find(NelPolicyKey(network_isolation_key, report_origin));
+        policies_.find(NelPolicyKey(network_anonymization_key, report_origin));
     if (it != policies_.end() && clock_->Now() < it->second.expires)
       return &it->second;
 
     std::string domain = report_origin.host();
     const NelPolicy* wildcard_policy = nullptr;
     while (!wildcard_policy && !domain.empty()) {
-      wildcard_policy = FindWildcardPolicy(network_isolation_key, domain);
+      wildcard_policy = FindWildcardPolicy(network_anonymization_key, domain);
       domain = GetSuperdomain(domain);
     }
 
@@ -656,12 +656,12 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
   }
 
   const NelPolicy* FindWildcardPolicy(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const std::string& domain) const {
     DCHECK(!domain.empty());
 
     auto it = wildcard_policies_.find(
-        WildcardNelPolicyKey(network_isolation_key, domain));
+        WildcardNelPolicyKey(network_anonymization_key, domain));
     if (it == wildcard_policies_.end())
       return nullptr;
 
@@ -886,23 +886,23 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
 NetworkErrorLoggingService::NelPolicyKey::NelPolicyKey() = default;
 
 NetworkErrorLoggingService::NelPolicyKey::NelPolicyKey(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin)
-    : network_isolation_key(network_isolation_key), origin(origin) {}
+    : network_anonymization_key(network_anonymization_key), origin(origin) {}
 
 NetworkErrorLoggingService::NelPolicyKey::NelPolicyKey(
     const NelPolicyKey& other) = default;
 
 bool NetworkErrorLoggingService::NelPolicyKey::operator<(
     const NelPolicyKey& other) const {
-  return std::tie(network_isolation_key, origin) <
-         std::tie(other.network_isolation_key, other.origin);
+  return std::tie(network_anonymization_key, origin) <
+         std::tie(other.network_anonymization_key, other.origin);
 }
 
 bool NetworkErrorLoggingService::NelPolicyKey::operator==(
     const NelPolicyKey& other) const {
-  return std::tie(network_isolation_key, origin) ==
-         std::tie(other.network_isolation_key, other.origin);
+  return std::tie(network_anonymization_key, origin) ==
+         std::tie(other.network_anonymization_key, other.origin);
 }
 
 bool NetworkErrorLoggingService::NelPolicyKey::operator!=(
@@ -916,13 +916,13 @@ NetworkErrorLoggingService::WildcardNelPolicyKey::WildcardNelPolicyKey() =
     default;
 
 NetworkErrorLoggingService::WildcardNelPolicyKey::WildcardNelPolicyKey(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const std::string& domain)
-    : network_isolation_key(network_isolation_key), domain(domain) {}
+    : network_anonymization_key(network_anonymization_key), domain(domain) {}
 
 NetworkErrorLoggingService::WildcardNelPolicyKey::WildcardNelPolicyKey(
     const NelPolicyKey& origin_key)
-    : WildcardNelPolicyKey(origin_key.network_isolation_key,
+    : WildcardNelPolicyKey(origin_key.network_anonymization_key,
                            origin_key.origin.host()) {}
 
 NetworkErrorLoggingService::WildcardNelPolicyKey::WildcardNelPolicyKey(
@@ -930,8 +930,8 @@ NetworkErrorLoggingService::WildcardNelPolicyKey::WildcardNelPolicyKey(
 
 bool NetworkErrorLoggingService::WildcardNelPolicyKey::operator<(
     const WildcardNelPolicyKey& other) const {
-  return std::tie(network_isolation_key, domain) <
-         std::tie(other.network_isolation_key, other.domain);
+  return std::tie(network_anonymization_key, domain) <
+         std::tie(other.network_anonymization_key, other.domain);
 }
 
 NetworkErrorLoggingService::WildcardNelPolicyKey::~WildcardNelPolicyKey() =
diff --git a/chromium/net/network_error_logging/network_error_logging_service.h b/chromium/net/network_error_logging/network_error_logging_service.h
index 90fd2a89c32..a057e620f9a 100644
--- a/chromium/net/network_error_logging/network_error_logging_service.h
+++ b/chromium/net/network_error_logging/network_error_logging_service.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@
 #include "net/base/ip_address.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "url/gurl.h"
 #include "url/origin.h"
 
@@ -47,7 +47,7 @@ class NET_EXPORT NetworkErrorLoggingService {
   // Every (NIK, origin) pair can have at most one policy.
   struct NET_EXPORT NelPolicyKey {
     NelPolicyKey();
-    NelPolicyKey(const NetworkIsolationKey& network_isolation_key,
+    NelPolicyKey(const NetworkAnonymizationKey& network_anonymization_key,
                  const url::Origin& origin);
     NelPolicyKey(const NelPolicyKey& other);
     ~NelPolicyKey();
@@ -59,7 +59,7 @@ class NET_EXPORT NetworkErrorLoggingService {
     // The NIK of the request this policy was received from. This will be used
     // for any requests uploading reports according to this policy. (Not
     // included in the report itself.)
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
 
     url::Origin origin;
   };
@@ -68,8 +68,9 @@ class NET_EXPORT NetworkErrorLoggingService {
   // subdomains.
   struct WildcardNelPolicyKey {
     WildcardNelPolicyKey();
-    WildcardNelPolicyKey(const NetworkIsolationKey& network_isolation_key,
-                         const std::string& domain);
+    WildcardNelPolicyKey(
+        const NetworkAnonymizationKey& network_anonymization_key,
+        const std::string& domain);
     explicit WildcardNelPolicyKey(const NelPolicyKey& origin_key);
     WildcardNelPolicyKey(const WildcardNelPolicyKey& other);
     ~WildcardNelPolicyKey();
@@ -79,7 +80,7 @@ class NET_EXPORT NetworkErrorLoggingService {
     // The NIK of the request this policy was received from. This will be used
     // for any requests uploading reports according to this policy. (Not
     // included in the report itself.)
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
 
     std::string domain;
   };
@@ -117,9 +118,9 @@ class NET_EXPORT NetworkErrorLoggingService {
     RequestDetails(const RequestDetails& other);
     ~RequestDetails();
 
-    // NetworkIsolationKey of the request triggering the error. Not included
+    // NetworkAnonymizationKey of the request triggering the error. Not included
     // in the uploaded report.
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
 
     GURL uri;
     GURL referrer;
@@ -147,9 +148,9 @@ class NET_EXPORT NetworkErrorLoggingService {
     SignedExchangeReportDetails(const SignedExchangeReportDetails& other);
     ~SignedExchangeReportDetails();
 
-    // NetworkIsolationKey of the request triggering the error. Not included
+    // NetworkAnonymizationKey of the request triggering the error. Not included
     // in the uploaded report.
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
 
     bool success;
     std::string type;
@@ -225,13 +226,14 @@ class NET_EXPORT NetworkErrorLoggingService {
 
   virtual ~NetworkErrorLoggingService();
 
-  // Ingests a "NEL:" header received for |network_isolation_key| and |origin|
-  // from |received_ip_address| with normalized value |value|. May or may not
-  // actually set a policy for that origin.
-  virtual void OnHeader(const NetworkIsolationKey& network_isolation_key,
-                        const url::Origin& origin,
-                        const IPAddress& received_ip_address,
-                        const std::string& value) = 0;
+  // Ingests a "NEL:" header received for |network_anonymization_key| and
+  // |origin| from |received_ip_address| with normalized value |value|. May or
+  // may not actually set a policy for that origin.
+  virtual void OnHeader(
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::Origin& origin,
+      const IPAddress& received_ip_address,
+      const std::string& value) = 0;
 
   // Considers queueing a network error report for the request described in
   // |details|.  The contents of |details| might be changed, depending on the
diff --git a/chromium/net/network_error_logging/network_error_logging_service_unittest.cc b/chromium/net/network_error_logging/network_error_logging_service_unittest.cc
index 00eeb788d89..5152eba6814 100644
--- a/chromium/net/network_error_logging/network_error_logging_service_unittest.cc
+++ b/chromium/net/network_error_logging/network_error_logging_service_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -62,7 +62,7 @@ class NetworkErrorLoggingServiceTest : public ::testing::TestWithParam<bool> {
   }
 
   NetworkErrorLoggingService::RequestDetails MakeRequestDetails(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const GURL& url,
       Error error_type,
       std::string method = "GET",
@@ -70,7 +70,7 @@ class NetworkErrorLoggingServiceTest : public ::testing::TestWithParam<bool> {
       IPAddress server_ip = IPAddress()) {
     NetworkErrorLoggingService::RequestDetails details;
 
-    details.network_isolation_key = network_isolation_key;
+    details.network_anonymization_key = network_anonymization_key;
     details.uri = url;
     details.referrer = kReferrer_;
     details.user_agent = kUserAgent_;
@@ -86,7 +86,7 @@ class NetworkErrorLoggingServiceTest : public ::testing::TestWithParam<bool> {
 
   NetworkErrorLoggingService::SignedExchangeReportDetails
   MakeSignedExchangeReportDetails(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       bool success,
       const std::string& type,
       const GURL& outer_url,
@@ -94,7 +94,7 @@ class NetworkErrorLoggingServiceTest : public ::testing::TestWithParam<bool> {
       const GURL& cert_url,
       const IPAddress& server_ip_address) {
     NetworkErrorLoggingService::SignedExchangeReportDetails details;
-    details.network_isolation_key = network_isolation_key;
+    details.network_anonymization_key = network_anonymization_key;
     details.success = success;
     details.type = type;
     details.outer_url = outer_url;
@@ -116,26 +116,26 @@ class NetworkErrorLoggingServiceTest : public ::testing::TestWithParam<bool> {
   }
 
   // These methods are design so that using them together will create unique
-  // Origin, NetworkIsolationKey pairs, but they do return repeated values when
-  // called separately, so they can be used to ensure that reports are keyed on
-  // both NIK and Origin.
+  // Origin, NetworkAnonymizationKey pairs, but they do return repeated values
+  // when called separately, so they can be used to ensure that reports are
+  // keyed on both NIK and Origin.
   url::Origin MakeOrigin(size_t index) {
     GURL url(base::StringPrintf("https://example%zd.com/", index / 2));
     return url::Origin::Create(url);
   }
-  NetworkIsolationKey MakeNetworkIsolationKey(size_t index) {
+  NetworkAnonymizationKey MakeNetworkAnonymizationKey(size_t index) {
     SchemefulSite site(
         GURL(base::StringPrintf("https://example%zd.com/", (index + 1) / 2)));
-    return NetworkIsolationKey(site, site);
+    return NetworkAnonymizationKey(site, site);
   }
 
   NetworkErrorLoggingService::NelPolicy MakePolicy(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       base::Time expires = base::Time(),
       base::Time last_used = base::Time()) {
     NetworkErrorLoggingService::NelPolicy policy;
-    policy.key = NelPolicyKey(network_isolation_key, origin);
+    policy.key = NelPolicyKey(network_anonymization_key, origin);
     policy.expires = expires;
     policy.last_used = last_used;
 
@@ -143,14 +143,14 @@ class NetworkErrorLoggingServiceTest : public ::testing::TestWithParam<bool> {
   }
 
   // Returns whether the NetworkErrorLoggingService has a policy corresponding
-  // to |network_isolation_key| and |origin|. Returns true if so, even if the
-  // policy is expired.
-  bool HasPolicy(const NetworkIsolationKey& network_isolation_key,
+  // to |network_anonymization_key| and |origin|. Returns true if so, even if
+  // the policy is expired.
+  bool HasPolicy(const NetworkAnonymizationKey& network_anonymization_key,
                  const url::Origin& origin) {
     std::set<NelPolicyKey> all_policy_keys =
         service_->GetPolicyKeysForTesting();
-    return all_policy_keys.find(NelPolicyKey(network_isolation_key, origin)) !=
-           all_policy_keys.end();
+    return all_policy_keys.find(NelPolicyKey(network_anonymization_key,
+                                             origin)) != all_policy_keys.end();
   }
 
   size_t PolicyCount() { return service_->GetPolicyKeysForTesting().size(); }
@@ -181,11 +181,11 @@ class NetworkErrorLoggingServiceTest : public ::testing::TestWithParam<bool> {
   const url::Origin kOriginDifferentHost_ =
       url::Origin::Create(kUrlDifferentHost_);
   const url::Origin kOriginEtld_ = url::Origin::Create(kUrlEtld_);
-  const NetworkIsolationKey kNik_ =
-      NetworkIsolationKey(SchemefulSite(kOrigin_), SchemefulSite(kOrigin_));
-  const NetworkIsolationKey kOtherNik_ =
-      NetworkIsolationKey(SchemefulSite(kOriginDifferentHost_),
-                          SchemefulSite(kOriginDifferentHost_));
+  const NetworkAnonymizationKey kNik_ =
+      NetworkAnonymizationKey(SchemefulSite(kOrigin_), SchemefulSite(kOrigin_));
+  const NetworkAnonymizationKey kOtherNik_ =
+      NetworkAnonymizationKey(SchemefulSite(kOriginDifferentHost_),
+                              SchemefulSite(kOriginDifferentHost_));
 
   const std::string kHeader_ = "{\"report_to\":\"group\",\"max_age\":86400}";
   const std::string kHeaderSuccessFraction0_ =
@@ -277,7 +277,7 @@ TEST_P(NetworkErrorLoggingServiceTest, PolicyKeyMatchesNikAndOrigin) {
       MakeRequestDetails(kNik_, kUrl_, ERR_CONNECTION_REFUSED));
   EXPECT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[0].user_agent);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
@@ -315,7 +315,7 @@ TEST_P(NetworkErrorLoggingServiceTest,
       MakeRequestDetails(kNik_, kUrl_, ERR_CONNECTION_REFUSED));
   EXPECT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[0].user_agent);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
@@ -325,13 +325,13 @@ TEST_P(NetworkErrorLoggingServiceTest,
       MakeRequestDetails(kNik_, kUrl_, ERR_CONNECTION_REFUSED));
   EXPECT_EQ(2u, reports().size());
   EXPECT_EQ(kUrl_, reports()[1].url);
-  EXPECT_EQ(kNik_, reports()[1].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[1].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[1].user_agent);
   EXPECT_EQ(kGroup_, reports()[1].group);
   EXPECT_EQ(kType_, reports()[1].type);
 }
 
-TEST_P(NetworkErrorLoggingServiceTest, NetworkIsolationKeyDisabled) {
+TEST_P(NetworkErrorLoggingServiceTest, NetworkAnonymizationKeyDisabled) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndDisableFeature(
       features::kPartitionNelAndReportingByNetworkIsolationKey);
@@ -352,7 +352,7 @@ TEST_P(NetworkErrorLoggingServiceTest, NetworkIsolationKeyDisabled) {
       MakeRequestDetails(kOtherNik_, kUrl_, ERR_CONNECTION_REFUSED));
   EXPECT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(NetworkIsolationKey(), reports()[0].network_isolation_key);
+  EXPECT_EQ(NetworkAnonymizationKey(), reports()[0].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[0].user_agent);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
@@ -422,7 +422,7 @@ TEST_P(NetworkErrorLoggingServiceTest, SuccessReportQueued) {
 
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[0].user_agent);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
@@ -467,7 +467,7 @@ TEST_P(NetworkErrorLoggingServiceTest, FailureReportQueued) {
 
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[0].user_agent);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
@@ -559,7 +559,7 @@ TEST_P(NetworkErrorLoggingServiceTest, HttpErrorReportQueued) {
 
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[0].user_agent);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
@@ -602,7 +602,7 @@ TEST_P(NetworkErrorLoggingServiceTest, SuccessReportDowngraded) {
 
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
   EXPECT_EQ(0, reports()[0].depth);
@@ -643,7 +643,7 @@ TEST_P(NetworkErrorLoggingServiceTest, FailureReportDowngraded) {
 
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
   EXPECT_EQ(0, reports()[0].depth);
@@ -684,7 +684,7 @@ TEST_P(NetworkErrorLoggingServiceTest, HttpErrorReportDowngraded) {
 
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
   EXPECT_EQ(0, reports()[0].depth);
@@ -725,7 +725,7 @@ TEST_P(NetworkErrorLoggingServiceTest, DNSFailureReportNotDowngraded) {
 
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
   EXPECT_EQ(0, reports()[0].depth);
@@ -765,7 +765,7 @@ TEST_P(NetworkErrorLoggingServiceTest, SuccessPOSTReportQueued) {
 
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
   EXPECT_EQ(0, reports()[0].depth);
@@ -1151,7 +1151,7 @@ TEST_P(NetworkErrorLoggingServiceTest, StatusAsValue) {
       {
         "originPolicies": [
           {
-            "networkIsolationKey": "https://example.com https://example.com",
+            "NetworkAnonymizationKey": "https://example.com https://example.com",
             "origin": "https://example.com",
             "includeSubdomains": false,
             "expires": "86400000",
@@ -1160,7 +1160,7 @@ TEST_P(NetworkErrorLoggingServiceTest, StatusAsValue) {
             "failureFraction": 1.0,
           },
           {
-            "networkIsolationKey": "https://example.com https://example.com",
+            "NetworkAnonymizationKey": "https://example.com https://example.com",
             "origin": "https://invalid-types.example.com",
             "includeSubdomains": false,
             "expires": "86400000",
@@ -1169,7 +1169,7 @@ TEST_P(NetworkErrorLoggingServiceTest, StatusAsValue) {
             "failureFraction": 1.0,
           },
           {
-            "networkIsolationKey": "https://example.com https://example.com",
+            "NetworkAnonymizationKey": "https://example.com https://example.com",
             "origin": "https://somewhere-else.com",
             "includeSubdomains": false,
             "expires": "86400000",
@@ -1178,7 +1178,7 @@ TEST_P(NetworkErrorLoggingServiceTest, StatusAsValue) {
             "failureFraction": 1.0,
           },
           {
-            "networkIsolationKey": "https://somewhere-else.com https://somewhere-else.com",
+            "NetworkAnonymizationKey": "https://somewhere-else.com https://somewhere-else.com",
             "origin": "https://subdomain.example.com",
             "includeSubdomains": true,
             "expires": "86400000",
@@ -1192,6 +1192,10 @@ TEST_P(NetworkErrorLoggingServiceTest, StatusAsValue) {
   EXPECT_EQ(expected, actual);
 }
 
+TEST_P(NetworkErrorLoggingServiceTest, InvalidHeaderData) {
+  service()->OnHeader(kNik_, kOrigin_, kServerIP_, "0");
+}
+
 TEST_P(NetworkErrorLoggingServiceTest, NoReportingService_SignedExchange) {
   service_ = NetworkErrorLoggingService::Create(store_.get());
 
@@ -1242,7 +1246,7 @@ TEST_P(NetworkErrorLoggingServiceTest, SuccessReportQueued_SignedExchange) {
       kNik_, true, "ok", kUrl_, kInnerUrl_, kCertUrl_, kServerIP_));
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[0].user_agent);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
@@ -1296,7 +1300,7 @@ TEST_P(NetworkErrorLoggingServiceTest, FailureReportQueued_SignedExchange) {
       kNik_, false, "sxg.failed", kUrl_, kInnerUrl_, kCertUrl_, kServerIP_));
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(kNik_, reports()[0].network_isolation_key);
+  EXPECT_EQ(kNik_, reports()[0].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[0].user_agent);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
@@ -1365,7 +1369,7 @@ TEST_P(NetworkErrorLoggingServiceTest, MismatchingIPAddress_SignedExchange) {
 }
 
 TEST_P(NetworkErrorLoggingServiceTest,
-       SignedExchangeNetworkIsolationKeyDisabled) {
+       SignedExchangeNetworkAnonymizationKeyDisabled) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndDisableFeature(
       features::kPartitionNelAndReportingByNetworkIsolationKey);
@@ -1387,7 +1391,7 @@ TEST_P(NetworkErrorLoggingServiceTest,
 
   ASSERT_EQ(1u, reports().size());
   EXPECT_EQ(kUrl_, reports()[0].url);
-  EXPECT_EQ(NetworkIsolationKey(), reports()[0].network_isolation_key);
+  EXPECT_EQ(NetworkAnonymizationKey(), reports()[0].network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports()[0].user_agent);
   EXPECT_EQ(kGroup_, reports()[0].group);
   EXPECT_EQ(kType_, reports()[0].type);
@@ -1402,8 +1406,8 @@ TEST_P(NetworkErrorLoggingServiceTest, EvictAllExpiredPoliciesFirst) {
 
   // Add 100 policies then make them expired.
   for (size_t i = 0; i < 100; ++i) {
-    service()->OnHeader(MakeNetworkIsolationKey(i), MakeOrigin(i), kServerIP_,
-                        kHeader_);
+    service()->OnHeader(MakeNetworkAnonymizationKey(i), MakeOrigin(i),
+                        kServerIP_, kHeader_);
   }
   // Make the rest of the test run synchronously.
   FinishLoading(true /* load_success */);
@@ -1415,8 +1419,8 @@ TEST_P(NetworkErrorLoggingServiceTest, EvictAllExpiredPoliciesFirst) {
 
   // Reach the max policy limit.
   for (size_t i = 100; i < NetworkErrorLoggingService::kMaxPolicies; ++i) {
-    service()->OnHeader(MakeNetworkIsolationKey(i), MakeOrigin(i), kServerIP_,
-                        kHeader_);
+    service()->OnHeader(MakeNetworkAnonymizationKey(i), MakeOrigin(i),
+                        kServerIP_, kHeader_);
   }
   EXPECT_EQ(NetworkErrorLoggingService::kMaxPolicies, PolicyCount());
 
@@ -1431,8 +1435,8 @@ TEST_P(NetworkErrorLoggingServiceTest, EvictLeastRecentlyUsedPolicy) {
 
   // A policy's |last_used| is updated when it is added
   for (size_t i = 0; i < NetworkErrorLoggingService::kMaxPolicies; ++i) {
-    service()->OnHeader(MakeNetworkIsolationKey(i), MakeOrigin(i), kServerIP_,
-                        kHeader_);
+    service()->OnHeader(MakeNetworkAnonymizationKey(i), MakeOrigin(i),
+                        kServerIP_, kHeader_);
     clock.Advance(base::Seconds(1));
   }
   // Make the rest of the test run synchronously.
@@ -1448,11 +1452,11 @@ TEST_P(NetworkErrorLoggingServiceTest, EvictLeastRecentlyUsedPolicy) {
   EXPECT_EQ(PolicyCount(), NetworkErrorLoggingService::kMaxPolicies);
 
   EXPECT_FALSE(
-      HasPolicy(MakeNetworkIsolationKey(0), MakeOrigin(0)));  // evicted
+      HasPolicy(MakeNetworkAnonymizationKey(0), MakeOrigin(0)));  // evicted
   std::set<NelPolicyKey> all_policy_keys = service()->GetPolicyKeysForTesting();
   for (size_t i = 1; i < NetworkErrorLoggingService::kMaxPolicies; ++i) {
     // Avoid n calls to HasPolicy(), which would be O(n^2).
-    NelPolicyKey key(MakeNetworkIsolationKey(i), MakeOrigin(i));
+    NelPolicyKey key(MakeNetworkAnonymizationKey(i), MakeOrigin(i));
     EXPECT_EQ(1u, all_policy_keys.count(key));
   }
   EXPECT_TRUE(HasPolicy(kNik_, kOrigin_));
@@ -1464,7 +1468,7 @@ TEST_P(NetworkErrorLoggingServiceTest, EvictLeastRecentlyUsedPolicy) {
       MakeRequestDetails(kNik_, kOrigin_.GetURL(), ERR_CONNECTION_REFUSED));
   clock.Advance(base::Seconds(1));
   for (size_t i = NetworkErrorLoggingService::kMaxPolicies - 1; i >= 1; --i) {
-    service()->OnRequest(MakeRequestDetails(MakeNetworkIsolationKey(i),
+    service()->OnRequest(MakeRequestDetails(MakeNetworkAnonymizationKey(i),
                                             MakeOrigin(i).GetURL(),
                                             ERR_CONNECTION_REFUSED));
     clock.Advance(base::Seconds(1));
@@ -1476,7 +1480,7 @@ TEST_P(NetworkErrorLoggingServiceTest, EvictLeastRecentlyUsedPolicy) {
   all_policy_keys = service()->GetPolicyKeysForTesting();
   for (size_t i = NetworkErrorLoggingService::kMaxPolicies - 1; i >= 1; --i) {
     // Avoid n calls to HasPolicy(), which would be O(n^2).
-    NelPolicyKey key(MakeNetworkIsolationKey(i), MakeOrigin(i));
+    NelPolicyKey key(MakeNetworkAnonymizationKey(i), MakeOrigin(i));
     EXPECT_EQ(1u, all_policy_keys.count(key));
   }
   EXPECT_TRUE(HasPolicy(kNik_, kOriginSubdomain_));  // most recently added
diff --git a/chromium/net/network_error_logging/network_error_logging_test_util.cc b/chromium/net/network_error_logging/network_error_logging_test_util.cc
index c4ad0cffb6c..56d20f6f0b8 100644
--- a/chromium/net/network_error_logging/network_error_logging_test_util.cc
+++ b/chromium/net/network_error_logging/network_error_logging_test_util.cc
@@ -1,11 +1,10 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/network_error_logging/network_error_logging_test_util.h"
 
-#include <algorithm>
-
+#include "base/containers/contains.h"
 #include "net/base/ip_address.h"
 
 namespace net {
@@ -14,13 +13,13 @@ TestNetworkErrorLoggingService::TestNetworkErrorLoggingService() = default;
 TestNetworkErrorLoggingService::~TestNetworkErrorLoggingService() = default;
 
 void TestNetworkErrorLoggingService::OnHeader(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin,
     const IPAddress& received_ip_address,
     const std::string& value) {
   VLOG(1) << "Received NEL policy for " << origin;
   Header header;
-  header.network_isolation_key = network_isolation_key;
+  header.network_anonymization_key = network_anonymization_key;
   header.origin = origin;
   header.received_ip_address = received_ip_address;
   header.value = value;
@@ -44,10 +43,8 @@ void TestNetworkErrorLoggingService::RemoveAllBrowsingData() {}
 
 bool TestNetworkErrorLoggingService::Header::MatchesAddressList(
     const AddressList& address_list) const {
-  return std::any_of(address_list.begin(), address_list.end(),
-                     [this](const IPEndPoint& endpoint) {
-                       return endpoint.address() == received_ip_address;
-                     });
+  return base::Contains(address_list, received_ip_address,
+                        &IPEndPoint::address);
 }
 
 }  // namespace net
diff --git a/chromium/net/network_error_logging/network_error_logging_test_util.h b/chromium/net/network_error_logging/network_error_logging_test_util.h
index acb0aa68c84..0a2733794a9 100644
--- a/chromium/net/network_error_logging/network_error_logging_test_util.h
+++ b/chromium/net/network_error_logging/network_error_logging_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -30,7 +30,7 @@ class TestNetworkErrorLoggingService : public NetworkErrorLoggingService {
     // addresses in |address_list|.
     bool MatchesAddressList(const AddressList& address_list) const;
 
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
     url::Origin origin;
     IPAddress received_ip_address;
     std::string value;
@@ -49,7 +49,7 @@ class TestNetworkErrorLoggingService : public NetworkErrorLoggingService {
   const std::vector<RequestDetails>& errors() { return errors_; }
 
   // NetworkErrorLoggingService implementation
-  void OnHeader(const NetworkIsolationKey& network_isolation_key,
+  void OnHeader(const NetworkAnonymizationKey& network_anonymization_key,
                 const url::Origin& origin,
                 const IPAddress& received_ip_address,
                 const std::string& value) override;
diff --git a/chromium/net/network_error_logging/persistent_reporting_and_nel_store.h b/chromium/net/network_error_logging/persistent_reporting_and_nel_store.h
index 49ae5848770..12bcaea9f01 100644
--- a/chromium/net/network_error_logging/persistent_reporting_and_nel_store.h
+++ b/chromium/net/network_error_logging/persistent_reporting_and_nel_store.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/cached_network_quality.cc b/chromium/net/nqe/cached_network_quality.cc
index 0001ff75188..5b20caff061 100644
--- a/chromium/net/nqe/cached_network_quality.cc
+++ b/chromium/net/nqe/cached_network_quality.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/cached_network_quality.h b/chromium/net/nqe/cached_network_quality.h
index 364b1649eb7..92182fd84e1 100644
--- a/chromium/net/nqe/cached_network_quality.h
+++ b/chromium/net/nqe/cached_network_quality.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/effective_connection_type.cc b/chromium/net/nqe/effective_connection_type.cc
index f227a865ff4..c3bddc8d077 100644
--- a/chromium/net/nqe/effective_connection_type.cc
+++ b/chromium/net/nqe/effective_connection_type.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/effective_connection_type.h b/chromium/net/nqe/effective_connection_type.h
index 445801dce5f..c0b0ab8dc63 100644
--- a/chromium/net/nqe/effective_connection_type.h
+++ b/chromium/net/nqe/effective_connection_type.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/effective_connection_type_observer.h b/chromium/net/nqe/effective_connection_type_observer.h
index a3142b5d3d9..6c04abcf88b 100644
--- a/chromium/net/nqe/effective_connection_type_observer.h
+++ b/chromium/net/nqe/effective_connection_type_observer.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/effective_connection_type_unittest.cc b/chromium/net/nqe/effective_connection_type_unittest.cc
index 0c32da17c78..b0ffa8cc2e3 100644
--- a/chromium/net/nqe/effective_connection_type_unittest.cc
+++ b/chromium/net/nqe/effective_connection_type_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/event_creator.cc b/chromium/net/nqe/event_creator.cc
index 42168e4bd3d..5007dc0b304 100644
--- a/chromium/net/nqe/event_creator.cc
+++ b/chromium/net/nqe/event_creator.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/event_creator.h b/chromium/net/nqe/event_creator.h
index 4eb856502f5..57a5f31b514 100644
--- a/chromium/net/nqe/event_creator.h
+++ b/chromium/net/nqe/event_creator.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/event_creator_unittest.cc b/chromium/net/nqe/event_creator_unittest.cc
index df3c71cf49e..6c90f32340e 100644
--- a/chromium/net/nqe/event_creator_unittest.cc
+++ b/chromium/net/nqe/event_creator_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_id.cc b/chromium/net/nqe/network_id.cc
index aad99b4f211..de9dc1b604a 100644
--- a/chromium/net/nqe/network_id.cc
+++ b/chromium/net/nqe/network_id.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_id.h b/chromium/net/nqe/network_id.h
index a669548e72e..d776a468003 100644
--- a/chromium/net/nqe/network_id.h
+++ b/chromium/net/nqe/network_id.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_id_unittest.cc b/chromium/net/nqe/network_id_unittest.cc
index bb685307aac..aeb7f52b93b 100644
--- a/chromium/net/nqe/network_id_unittest.cc
+++ b/chromium/net/nqe/network_id_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_qualities_prefs_manager.cc b/chromium/net/nqe/network_qualities_prefs_manager.cc
index 1bf9bb509bc..a5da9235538 100644
--- a/chromium/net/nqe/network_qualities_prefs_manager.cc
+++ b/chromium/net/nqe/network_qualities_prefs_manager.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_qualities_prefs_manager.h b/chromium/net/nqe/network_qualities_prefs_manager.h
index 9691e3186ac..b72ae2998fa 100644
--- a/chromium/net/nqe/network_qualities_prefs_manager.h
+++ b/chromium/net/nqe/network_qualities_prefs_manager.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_qualities_prefs_manager_unittest.cc b/chromium/net/nqe/network_qualities_prefs_manager_unittest.cc
index 345d6d3fc9b..58917b6775a 100644
--- a/chromium/net/nqe/network_qualities_prefs_manager_unittest.cc
+++ b/chromium/net/nqe/network_qualities_prefs_manager_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality.cc b/chromium/net/nqe/network_quality.cc
index ee660175268..c77abd2eb03 100644
--- a/chromium/net/nqe/network_quality.cc
+++ b/chromium/net/nqe/network_quality.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality.h b/chromium/net/nqe/network_quality.h
index 5867e278e6b..9bddacd915a 100644
--- a/chromium/net/nqe/network_quality.h
+++ b/chromium/net/nqe/network_quality.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_estimator.cc b/chromium/net/nqe/network_quality_estimator.cc
index 54814bd9720..f01003fb857 100644
--- a/chromium/net/nqe/network_quality_estimator.cc
+++ b/chromium/net/nqe/network_quality_estimator.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -903,7 +903,8 @@ void NetworkQualityEstimator::AddEffectiveConnectionTypeObserver(
       FROM_HERE,
       base::BindOnce(&NetworkQualityEstimator::
                          NotifyEffectiveConnectionTypeObserverIfPresent,
-                     weak_ptr_factory_.GetWeakPtr(), observer));
+                     weak_ptr_factory_.GetWeakPtr(),
+                     base::UnsafeDanglingUntriaged(observer)));
 }
 
 void NetworkQualityEstimator::RemoveEffectiveConnectionTypeObserver(
@@ -924,7 +925,8 @@ void NetworkQualityEstimator::AddPeerToPeerConnectionsCountObserver(
       FROM_HERE,
       base::BindOnce(&NetworkQualityEstimator::
                          NotifyPeerToPeerConnectionsCountObserverIfPresent,
-                     weak_ptr_factory_.GetWeakPtr(), observer));
+                     weak_ptr_factory_.GetWeakPtr(),
+                     base::UnsafeDanglingUntriaged(observer)));
 }
 
 void NetworkQualityEstimator::RemovePeerToPeerConnectionsCountObserver(
diff --git a/chromium/net/nqe/network_quality_estimator.h b/chromium/net/nqe/network_quality_estimator.h
index 23bf4ee7a26..4ab4aa28530 100644
--- a/chromium/net/nqe/network_quality_estimator.h
+++ b/chromium/net/nqe/network_quality_estimator.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_estimator_params.cc b/chromium/net/nqe/network_quality_estimator_params.cc
index 0b81b9f48db..3ec940c602c 100644
--- a/chromium/net/nqe/network_quality_estimator_params.cc
+++ b/chromium/net/nqe/network_quality_estimator_params.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_estimator_params.h b/chromium/net/nqe/network_quality_estimator_params.h
index b71ccc72d93..972dfafe95a 100644
--- a/chromium/net/nqe/network_quality_estimator_params.h
+++ b/chromium/net/nqe/network_quality_estimator_params.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_estimator_params_unittest.cc b/chromium/net/nqe/network_quality_estimator_params_unittest.cc
index 5ef76fda094..09c4d3a80ba 100644
--- a/chromium/net/nqe/network_quality_estimator_params_unittest.cc
+++ b/chromium/net/nqe/network_quality_estimator_params_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_estimator_test_util.cc b/chromium/net/nqe/network_quality_estimator_test_util.cc
index 92b9964cf11..6bce3dcdb84 100644
--- a/chromium/net/nqe/network_quality_estimator_test_util.cc
+++ b/chromium/net/nqe/network_quality_estimator_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_estimator_test_util.h b/chromium/net/nqe/network_quality_estimator_test_util.h
index 5a1b9aa8379..67e0fe9a329 100644
--- a/chromium/net/nqe/network_quality_estimator_test_util.h
+++ b/chromium/net/nqe/network_quality_estimator_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_estimator_unittest.cc b/chromium/net/nqe/network_quality_estimator_unittest.cc
index 8bca56e3028..8bf38787185 100644
--- a/chromium/net/nqe/network_quality_estimator_unittest.cc
+++ b/chromium/net/nqe/network_quality_estimator_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_estimator_util.cc b/chromium/net/nqe/network_quality_estimator_util.cc
index 6dddd842ae0..570707e6d26 100644
--- a/chromium/net/nqe/network_quality_estimator_util.cc
+++ b/chromium/net/nqe/network_quality_estimator_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -25,13 +25,13 @@ namespace {
 
 bool IsPrivateHost(HostResolver* host_resolver,
                    const HostPortPair& host_port_pair,
-                   const NetworkIsolationKey& network_isolation_key,
+                   const NetworkAnonymizationKey& network_anonymization_key,
                    NetLogWithSource net_log) {
   // Try resolving |host_port_pair.host()| synchronously.
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::LOCAL_ONLY;
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
-      host_resolver->CreateRequest(host_port_pair, network_isolation_key,
+      host_resolver->CreateRequest(host_port_pair, network_anonymization_key,
                                    net_log, parameters);
 
   int rv = request->Start(base::BindOnce([](int error) { NOTREACHED(); }));
@@ -55,17 +55,18 @@ namespace internal {
 
 bool IsRequestForPrivateHost(const URLRequest& request,
                              NetLogWithSource net_log) {
-  // Using the request's NetworkIsolationKey isn't necessary for privacy
+  // Using the request's NetworkAnonymizationKey isn't necessary for privacy
   // reasons, but is needed to maximize the chances of a cache hit.
   return IsPrivateHost(
       request.context()->host_resolver(), HostPortPair::FromURL(request.url()),
-      request.isolation_info().network_isolation_key(), net_log);
+      request.isolation_info().network_anonymization_key(), net_log);
 }
 
-bool IsPrivateHostForTesting(HostResolver* host_resolver,
-                             const HostPortPair& host_port_pair,
-                             const NetworkIsolationKey& network_isolation_key) {
-  return IsPrivateHost(host_resolver, host_port_pair, network_isolation_key,
+bool IsPrivateHostForTesting(
+    HostResolver* host_resolver,
+    const HostPortPair& host_port_pair,
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  return IsPrivateHost(host_resolver, host_port_pair, network_anonymization_key,
                        NetLogWithSource());
 }
 
diff --git a/chromium/net/nqe/network_quality_estimator_util.h b/chromium/net/nqe/network_quality_estimator_util.h
index 0233956ecfb..e91459ab97f 100644
--- a/chromium/net/nqe/network_quality_estimator_util.h
+++ b/chromium/net/nqe/network_quality_estimator_util.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,7 +14,7 @@ namespace net {
 
 class HostPortPair;
 class HostResolver;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class URLRequest;
 
 namespace nqe::internal {
@@ -39,7 +39,7 @@ NET_EXPORT_PRIVATE bool IsRequestForPrivateHost(const URLRequest& request,
 NET_EXPORT_PRIVATE bool IsPrivateHostForTesting(
     HostResolver* host_resolver,
     const HostPortPair& host_port_pair,
-    const NetworkIsolationKey& network_isolation_key);
+    const NetworkAnonymizationKey& network_isolation_key);
 
 }  // namespace nqe::internal
 
diff --git a/chromium/net/nqe/network_quality_estimator_util_unittest.cc b/chromium/net/nqe/network_quality_estimator_util_unittest.cc
index 211f071f074..ab21d2bb275 100644
--- a/chromium/net/nqe/network_quality_estimator_util_unittest.cc
+++ b/chromium/net/nqe/network_quality_estimator_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -49,34 +49,36 @@ TEST(NetworkQualityEstimatorUtilTest, MAYBE_ReservedHost) {
   EXPECT_EQ(0u, mock_host_resolver.num_resolve());
 
   // Load hostnames into HostResolver cache.
-  int rv = mock_host_resolver.LoadIntoCache(
-      HostPortPair("example1.com", 443), NetworkIsolationKey(), absl::nullopt);
+  int rv = mock_host_resolver.LoadIntoCache(HostPortPair("example1.com", 443),
+                                            NetworkAnonymizationKey(),
+                                            absl::nullopt);
   EXPECT_EQ(OK, rv);
   rv = mock_host_resolver.LoadIntoCache(HostPortPair("example2.com", 443),
-                                        NetworkIsolationKey(), absl::nullopt);
+                                        NetworkAnonymizationKey(),
+                                        absl::nullopt);
   EXPECT_EQ(OK, rv);
 
   EXPECT_EQ(2u, mock_host_resolver.num_non_local_resolves());
 
   EXPECT_FALSE(IsPrivateHostForTesting(
       &mock_host_resolver, HostPortPair("2607:f8b0:4006:819::200e", 80),
-      NetworkIsolationKey()));
+      NetworkAnonymizationKey()));
 
   EXPECT_TRUE(IsPrivateHostForTesting(&mock_host_resolver,
                                       HostPortPair("192.168.0.1", 443),
-                                      NetworkIsolationKey()));
+                                      NetworkAnonymizationKey()));
 
   EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
                                        HostPortPair("92.168.0.1", 443),
-                                       NetworkIsolationKey()));
+                                       NetworkAnonymizationKey()));
 
   EXPECT_TRUE(IsPrivateHostForTesting(&mock_host_resolver,
                                       HostPortPair("example1.com", 443),
-                                      NetworkIsolationKey()));
+                                      NetworkAnonymizationKey()));
 
   EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
                                        HostPortPair("example2.com", 443),
-                                       NetworkIsolationKey()));
+                                       NetworkAnonymizationKey()));
 
   // IsPrivateHostForTesting() should have queried only the resolver's cache.
   EXPECT_EQ(2u, mock_host_resolver.num_non_local_resolves());
@@ -104,17 +106,18 @@ TEST(NetworkQualityEstimatorUtilTest, MAYBE_ReservedHostUncached) {
   // Not in DNS host cache, so should not be marked as private.
   EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
                                        HostPortPair("example3.com", 443),
-                                       NetworkIsolationKey()));
+                                       NetworkAnonymizationKey()));
   EXPECT_EQ(0u, mock_host_resolver.num_non_local_resolves());
 
-  int rv = mock_host_resolver.LoadIntoCache(
-      HostPortPair("example3.com", 443), NetworkIsolationKey(), absl::nullopt);
+  int rv = mock_host_resolver.LoadIntoCache(HostPortPair("example3.com", 443),
+                                            NetworkAnonymizationKey(),
+                                            absl::nullopt);
   EXPECT_EQ(OK, rv);
   EXPECT_EQ(1u, mock_host_resolver.num_non_local_resolves());
 
   EXPECT_TRUE(IsPrivateHostForTesting(&mock_host_resolver,
                                       HostPortPair("example3.com", 443),
-                                      NetworkIsolationKey()));
+                                      NetworkAnonymizationKey()));
 
   // IsPrivateHostForTesting() should have queried only the resolver's cache.
   EXPECT_EQ(1u, mock_host_resolver.num_non_local_resolves());
@@ -129,12 +132,12 @@ TEST(NetworkQualityEstimatorUtilTest, MAYBE_ReservedHostUncached) {
 #define MAYBE_ReservedHostUncachedWithNetworkIsolationKey \
   ReservedHostUncachedWithNetworkIsolationKey
 #endif
-// Make sure that IsPrivateHostForTesting() uses the NetworkIsolationKey
+// Make sure that IsPrivateHostForTesting() uses the NetworkAnonymizationKey
 // provided to it.
 TEST(NetworkQualityEstimatorUtilTest,
      MAYBE_ReservedHostUncachedWithNetworkIsolationKey) {
   const SchemefulSite kSite(GURL("https://foo.test/"));
-  const net::NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey(kSite, kSite);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
@@ -150,26 +153,27 @@ TEST(NetworkQualityEstimatorUtilTest,
   // Not in DNS host cache, so should not be marked as private.
   EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
                                        HostPortPair("example3.com", 443),
-                                       kNetworkIsolationKey));
+                                       kNetworkAnonymizationKey));
   EXPECT_EQ(0u, mock_host_resolver.num_non_local_resolves());
 
-  int rv = mock_host_resolver.LoadIntoCache(
-      HostPortPair("example3.com", 443), kNetworkIsolationKey, absl::nullopt);
+  int rv =
+      mock_host_resolver.LoadIntoCache(HostPortPair("example3.com", 443),
+                                       kNetworkAnonymizationKey, absl::nullopt);
   EXPECT_EQ(OK, rv);
   EXPECT_EQ(1u, mock_host_resolver.num_non_local_resolves());
 
   EXPECT_TRUE(IsPrivateHostForTesting(&mock_host_resolver,
                                       HostPortPair("example3.com", 443),
-                                      kNetworkIsolationKey));
+                                      kNetworkAnonymizationKey));
 
   // IsPrivateHostForTesting() should have queried only the resolver's cache.
   EXPECT_EQ(1u, mock_host_resolver.num_non_local_resolves());
 
   // IsPrivateHostForTesting should return false when using a different
-  // NetworkIsolationKey (in this case, any empty one).
+  // NetworkAnonymizationKey (in this case, any empty one).
   EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
                                        HostPortPair("example3.com", 443),
-                                       NetworkIsolationKey()));
+                                       NetworkAnonymizationKey()));
 }
 
 #if BUILDFLAG(IS_IOS)
@@ -191,23 +195,27 @@ TEST(NetworkQualityEstimatorUtilTest, MAYBE_Localhost) {
 
   auto rules = base::MakeRefCounted<net::RuleBasedHostResolverProc>(nullptr);
 
+  EXPECT_TRUE(IsPrivateHostForTesting(resolver.get(),
+                                      HostPortPair("localhost", 443),
+                                      NetworkAnonymizationKey()));
+  EXPECT_TRUE(IsPrivateHostForTesting(resolver.get(),
+                                      HostPortPair("127.0.0.1", 80),
+                                      NetworkAnonymizationKey()));
   EXPECT_TRUE(IsPrivateHostForTesting(
-      resolver.get(), HostPortPair("localhost", 443), NetworkIsolationKey()));
-  EXPECT_TRUE(IsPrivateHostForTesting(
-      resolver.get(), HostPortPair("127.0.0.1", 80), NetworkIsolationKey()));
-  EXPECT_TRUE(IsPrivateHostForTesting(
-      resolver.get(), HostPortPair("0.0.0.0", 80), NetworkIsolationKey()));
+      resolver.get(), HostPortPair("0.0.0.0", 80), NetworkAnonymizationKey()));
   EXPECT_TRUE(IsPrivateHostForTesting(resolver.get(), HostPortPair("::1", 80),
-                                      NetworkIsolationKey()));
-  EXPECT_FALSE(IsPrivateHostForTesting(
-      resolver.get(), HostPortPair("google.com", 80), NetworkIsolationKey()));
+                                      NetworkAnonymizationKey()));
+  EXPECT_FALSE(IsPrivateHostForTesting(resolver.get(),
+                                       HostPortPair("google.com", 80),
+                                       NetworkAnonymizationKey()));
 
   // Legacy localhost names.
-  EXPECT_FALSE(IsPrivateHostForTesting(
-      resolver.get(), HostPortPair("localhost6", 443), NetworkIsolationKey()));
+  EXPECT_FALSE(IsPrivateHostForTesting(resolver.get(),
+                                       HostPortPair("localhost6", 443),
+                                       NetworkAnonymizationKey()));
   EXPECT_FALSE(IsPrivateHostForTesting(
       resolver.get(), HostPortPair("localhost6.localdomain6", 443),
-      NetworkIsolationKey()));
+      NetworkAnonymizationKey()));
 }
 
 }  // namespace
diff --git a/chromium/net/nqe/network_quality_observation.cc b/chromium/net/nqe/network_quality_observation.cc
index 3f41b231159..0e0f7a539fe 100644
--- a/chromium/net/nqe/network_quality_observation.cc
+++ b/chromium/net/nqe/network_quality_observation.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_observation.h b/chromium/net/nqe/network_quality_observation.h
index 2978d04c9f3..e01e284c2eb 100644
--- a/chromium/net/nqe/network_quality_observation.h
+++ b/chromium/net/nqe/network_quality_observation.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_observation_source.h b/chromium/net/nqe/network_quality_observation_source.h
index 653da444b9d..b712d2d5eb3 100644
--- a/chromium/net/nqe/network_quality_observation_source.h
+++ b/chromium/net/nqe/network_quality_observation_source.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_store.cc b/chromium/net/nqe/network_quality_store.cc
index 59a08f8ac5e..4b1bfbf7395 100644
--- a/chromium/net/nqe/network_quality_store.cc
+++ b/chromium/net/nqe/network_quality_store.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_store.h b/chromium/net/nqe/network_quality_store.h
index 40d4b443fb5..3b1096e9487 100644
--- a/chromium/net/nqe/network_quality_store.h
+++ b/chromium/net/nqe/network_quality_store.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/network_quality_store_unittest.cc b/chromium/net/nqe/network_quality_store_unittest.cc
index 3383a13fa36..57eb1e39342 100644
--- a/chromium/net/nqe/network_quality_store_unittest.cc
+++ b/chromium/net/nqe/network_quality_store_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/observation_buffer.cc b/chromium/net/nqe/observation_buffer.cc
index e0e81b106b3..eb620a4278f 100644
--- a/chromium/net/nqe/observation_buffer.cc
+++ b/chromium/net/nqe/observation_buffer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/observation_buffer.h b/chromium/net/nqe/observation_buffer.h
index 22429484f33..4f564176b7a 100644
--- a/chromium/net/nqe/observation_buffer.h
+++ b/chromium/net/nqe/observation_buffer.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/observation_buffer_unittest.cc b/chromium/net/nqe/observation_buffer_unittest.cc
index a153497da61..ed92cd269ac 100644
--- a/chromium/net/nqe/observation_buffer_unittest.cc
+++ b/chromium/net/nqe/observation_buffer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/peer_to_peer_connections_count_observer.h b/chromium/net/nqe/peer_to_peer_connections_count_observer.h
index 0077fa4b5d7..3b754a430e6 100644
--- a/chromium/net/nqe/peer_to_peer_connections_count_observer.h
+++ b/chromium/net/nqe/peer_to_peer_connections_count_observer.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/pref_names.cc b/chromium/net/nqe/pref_names.cc
index a1e5dcf3778..7bf77fb558a 100644
--- a/chromium/net/nqe/pref_names.cc
+++ b/chromium/net/nqe/pref_names.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/pref_names.h b/chromium/net/nqe/pref_names.h
index 8dd7213c4e6..2ded1760523 100644
--- a/chromium/net/nqe/pref_names.h
+++ b/chromium/net/nqe/pref_names.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/proto/network_id_proto.proto b/chromium/net/nqe/proto/network_id_proto.proto
index a6d217a8c82..dc41642e064 100644
--- a/chromium/net/nqe/proto/network_id_proto.proto
+++ b/chromium/net/nqe/proto/network_id_proto.proto
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/rtt_throughput_estimates_observer.h b/chromium/net/nqe/rtt_throughput_estimates_observer.h
index 1794345c4b6..14e51bed6fd 100644
--- a/chromium/net/nqe/rtt_throughput_estimates_observer.h
+++ b/chromium/net/nqe/rtt_throughput_estimates_observer.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/socket_watcher.cc b/chromium/net/nqe/socket_watcher.cc
index fccea328a9a..8f782fa7537 100644
--- a/chromium/net/nqe/socket_watcher.cc
+++ b/chromium/net/nqe/socket_watcher.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/socket_watcher.h b/chromium/net/nqe/socket_watcher.h
index db651b26a09..fa435c5acaf 100644
--- a/chromium/net/nqe/socket_watcher.h
+++ b/chromium/net/nqe/socket_watcher.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/socket_watcher_factory.cc b/chromium/net/nqe/socket_watcher_factory.cc
index f7684b2df8b..95d85c425a7 100644
--- a/chromium/net/nqe/socket_watcher_factory.cc
+++ b/chromium/net/nqe/socket_watcher_factory.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/socket_watcher_factory.h b/chromium/net/nqe/socket_watcher_factory.h
index 9ff7d447287..216d4b4cc0a 100644
--- a/chromium/net/nqe/socket_watcher_factory.h
+++ b/chromium/net/nqe/socket_watcher_factory.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/socket_watcher_unittest.cc b/chromium/net/nqe/socket_watcher_unittest.cc
index a6512d88207..2f2f9279461 100644
--- a/chromium/net/nqe/socket_watcher_unittest.cc
+++ b/chromium/net/nqe/socket_watcher_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/throughput_analyzer.cc b/chromium/net/nqe/throughput_analyzer.cc
index fa0fa625f31..abb2336adb6 100644
--- a/chromium/net/nqe/throughput_analyzer.cc
+++ b/chromium/net/nqe/throughput_analyzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/throughput_analyzer.h b/chromium/net/nqe/throughput_analyzer.h
index f0aeb5c344b..0fe584f2be6 100644
--- a/chromium/net/nqe/throughput_analyzer.h
+++ b/chromium/net/nqe/throughput_analyzer.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/nqe/throughput_analyzer_unittest.cc b/chromium/net/nqe/throughput_analyzer_unittest.cc
index 38ed6a08ba0..5e10973db47 100644
--- a/chromium/net/nqe/throughput_analyzer_unittest.cc
+++ b/chromium/net/nqe/throughput_analyzer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -58,7 +58,7 @@ std::unique_ptr<HostResolver> CreateMockHostResolver() {
   // local.com resolves to a private IP address.
   host_resolver->rules()->AddRule("local.com", "127.0.0.1");
   host_resolver->LoadIntoCache(HostPortPair("local.com", 80),
-                               NetworkIsolationKey(), absl::nullopt);
+                               NetworkAnonymizationKey(), absl::nullopt);
   // Hosts not listed here (e.g., "example.com") are treated as external. See
   // ThroughputAnalyzerTest.PrivateHost below.
 
@@ -117,10 +117,10 @@ TEST_F(ThroughputAnalyzerTest, PrivateHost) {
   auto host_resolver = CreateMockHostResolver();
   EXPECT_FALSE(nqe::internal::IsPrivateHostForTesting(
       host_resolver.get(), HostPortPair("example.com", 80),
-      NetworkIsolationKey()));
+      NetworkAnonymizationKey()));
   EXPECT_TRUE(nqe::internal::IsPrivateHostForTesting(
       host_resolver.get(), HostPortPair("local.com", 80),
-      NetworkIsolationKey()));
+      NetworkAnonymizationKey()));
 }
 
 #if BUILDFLAG(IS_IOS) || BUILDFLAG(IS_ANDROID)
@@ -159,10 +159,10 @@ TEST_F(ThroughputAnalyzerTest, MAYBE_MaximumRequests) {
 
     // Start more requests than the maximum number of requests that can be held
     // in the memory.
-    EXPECT_EQ(test_case.is_local,
-              nqe::internal::IsPrivateHostForTesting(
-                  context->host_resolver(),
-                  HostPortPair::FromURL(test_case.url), NetworkIsolationKey()));
+    EXPECT_EQ(test_case.is_local, nqe::internal::IsPrivateHostForTesting(
+                                      context->host_resolver(),
+                                      HostPortPair::FromURL(test_case.url),
+                                      NetworkAnonymizationKey()));
     for (size_t i = 0; i < 1000; ++i) {
       std::unique_ptr<URLRequest> request(
           context->CreateRequest(test_case.url, DEFAULT_PRIORITY,
@@ -179,16 +179,18 @@ TEST_F(ThroughputAnalyzerTest, MAYBE_MaximumRequests) {
 
 #if BUILDFLAG(IS_IOS)
 // Flaky on iOS: crbug.com/672917.
-#define MAYBE_MaximumRequestsWithNetworkIsolationKey \
-  DISABLED_MaximumRequestsWithNetworkIsolationKey
+#define MAYBE_MaximumRequestsWithNetworkAnonymizationKey \
+  DISABLED_MaximumRequestsWithNetworkAnonymizationKey
 #else
-#define MAYBE_MaximumRequestsWithNetworkIsolationKey \
-  MaximumRequestsWithNetworkIsolationKey
+#define MAYBE_MaximumRequestsWithNetworkAnonymizationKey \
+  MaximumRequestsWithNetworkAnonymizationKey
 #endif
-// Make sure that the NetworkIsolationKey is respected when resolving a host
+// Make sure that the NetworkAnonymizationKey is respected when resolving a host
 // from the cache.
-TEST_F(ThroughputAnalyzerTest, MAYBE_MaximumRequestsWithNetworkIsolationKey) {
+TEST_F(ThroughputAnalyzerTest,
+       MAYBE_MaximumRequestsWithNetworkAnonymizationKey) {
   const SchemefulSite kSite(GURL("https://foo.test/"));
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey(kSite, kSite);
   const net::NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
   const GURL kUrl = GURL("http://foo.test/test.html");
 
@@ -209,17 +211,17 @@ TEST_F(ThroughputAnalyzerTest, MAYBE_MaximumRequestsWithNetworkIsolationKey) {
     auto mock_host_resolver = std::make_unique<MockCachingHostResolver>();
 
     // Add an entry to the host cache mapping kUrl to non-local IP when using an
-    // empty NetworkIsolationKey.
+    // empty NetworkAnonymizationKey.
     mock_host_resolver->rules()->AddRule(kUrl.host(), "1.2.3.4");
     mock_host_resolver->LoadIntoCache(HostPortPair::FromURL(kUrl),
-                                      NetworkIsolationKey(), absl::nullopt);
+                                      NetworkAnonymizationKey(), absl::nullopt);
 
     // Add an entry to the host cache mapping kUrl to local IP when using
-    // kNetworkIsolationKey.
+    // kNetworkAnonymizationKey.
     mock_host_resolver->rules()->ClearRules();
     mock_host_resolver->rules()->AddRule(kUrl.host(), "127.0.0.1");
     mock_host_resolver->LoadIntoCache(HostPortPair::FromURL(kUrl),
-                                      kNetworkIsolationKey, absl::nullopt);
+                                      kNetworkAnonymizationKey, absl::nullopt);
 
     context_builder->set_host_resolver(std::move(mock_host_resolver));
     auto context = context_builder->Build();
@@ -232,8 +234,8 @@ TEST_F(ThroughputAnalyzerTest, MAYBE_MaximumRequestsWithNetworkIsolationKey) {
     EXPECT_EQ(use_network_isolation_key,
               nqe::internal::IsPrivateHostForTesting(
                   context->host_resolver(), HostPortPair::FromURL(kUrl),
-                  use_network_isolation_key ? kNetworkIsolationKey
-                                            : NetworkIsolationKey()));
+                  use_network_isolation_key ? kNetworkAnonymizationKey
+                                            : NetworkAnonymizationKey()));
     for (size_t i = 0; i < 1000; ++i) {
       std::unique_ptr<URLRequest> request(
           context->CreateRequest(kUrl, DEFAULT_PRIORITY, &test_delegate,
diff --git a/chromium/net/nqe/weighted_observation.h b/chromium/net/nqe/weighted_observation.h
index 55881a82b6e..f4dadc49d47 100644
--- a/chromium/net/nqe/weighted_observation.h
+++ b/chromium/net/nqe/weighted_observation.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm.cc b/chromium/net/ntlm/ntlm.cc
index 95c7e37b3c5..5167140dfd5 100644
--- a/chromium/net/ntlm/ntlm.cc
+++ b/chromium/net/ntlm/ntlm.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm.h b/chromium/net/ntlm/ntlm.h
index caa51ae0d05..121b9e0460b 100644
--- a/chromium/net/ntlm/ntlm.h
+++ b/chromium/net/ntlm/ntlm.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_buffer_reader.cc b/chromium/net/ntlm/ntlm_buffer_reader.cc
index 6368b225016..e9f5950de9e 100644
--- a/chromium/net/ntlm/ntlm_buffer_reader.cc
+++ b/chromium/net/ntlm/ntlm_buffer_reader.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_buffer_reader.h b/chromium/net/ntlm/ntlm_buffer_reader.h
index 5448f39efd8..d838f6edfa3 100644
--- a/chromium/net/ntlm/ntlm_buffer_reader.h
+++ b/chromium/net/ntlm/ntlm_buffer_reader.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_buffer_reader_unittest.cc b/chromium/net/ntlm/ntlm_buffer_reader_unittest.cc
index ec11a29d76e..056815db816 100644
--- a/chromium/net/ntlm/ntlm_buffer_reader_unittest.cc
+++ b/chromium/net/ntlm/ntlm_buffer_reader_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_buffer_writer.cc b/chromium/net/ntlm/ntlm_buffer_writer.cc
index 5a2f6fbfdd1..edb31c65457 100644
--- a/chromium/net/ntlm/ntlm_buffer_writer.cc
+++ b/chromium/net/ntlm/ntlm_buffer_writer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_buffer_writer.h b/chromium/net/ntlm/ntlm_buffer_writer.h
index b810541ca80..c28fc08c574 100644
--- a/chromium/net/ntlm/ntlm_buffer_writer.h
+++ b/chromium/net/ntlm/ntlm_buffer_writer.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_buffer_writer_unittest.cc b/chromium/net/ntlm/ntlm_buffer_writer_unittest.cc
index a03a1f01272..0e248866c6e 100644
--- a/chromium/net/ntlm/ntlm_buffer_writer_unittest.cc
+++ b/chromium/net/ntlm/ntlm_buffer_writer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_client.cc b/chromium/net/ntlm/ntlm_client.cc
index 357b66e0ac7..b151d2d2757 100644
--- a/chromium/net/ntlm/ntlm_client.cc
+++ b/chromium/net/ntlm/ntlm_client.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_client.h b/chromium/net/ntlm/ntlm_client.h
index 5acab8c057d..a87edf0011c 100644
--- a/chromium/net/ntlm/ntlm_client.h
+++ b/chromium/net/ntlm/ntlm_client.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_client_fuzzer.cc b/chromium/net/ntlm/ntlm_client_fuzzer.cc
index 549f1805fed..51c8b7f5ee4 100644
--- a/chromium/net/ntlm/ntlm_client_fuzzer.cc
+++ b/chromium/net/ntlm/ntlm_client_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_client_unittest.cc b/chromium/net/ntlm/ntlm_client_unittest.cc
index 78a072e440a..29970c5266b 100644
--- a/chromium/net/ntlm/ntlm_client_unittest.cc
+++ b/chromium/net/ntlm/ntlm_client_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_constants.cc b/chromium/net/ntlm/ntlm_constants.cc
index b4436d190ed..95a1e8fc0fe 100644
--- a/chromium/net/ntlm/ntlm_constants.cc
+++ b/chromium/net/ntlm/ntlm_constants.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_constants.h b/chromium/net/ntlm/ntlm_constants.h
index 015134333d9..12f181ba617 100644
--- a/chromium/net/ntlm/ntlm_constants.h
+++ b/chromium/net/ntlm/ntlm_constants.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_test_data.h b/chromium/net/ntlm/ntlm_test_data.h
index 8ad35b323d3..46138e72b62 100644
--- a/chromium/net/ntlm/ntlm_test_data.h
+++ b/chromium/net/ntlm/ntlm_test_data.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ntlm/ntlm_unittest.cc b/chromium/net/ntlm/ntlm_unittest.cc
index 7088e44646b..6db29dae271 100644
--- a/chromium/net/ntlm/ntlm_unittest.cc
+++ b/chromium/net/ntlm/ntlm_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/configured_proxy_resolution_request.cc b/chromium/net/proxy_resolution/configured_proxy_resolution_request.cc
index c2c89758af5..49344657740 100644
--- a/chromium/net/proxy_resolution/configured_proxy_resolution_request.cc
+++ b/chromium/net/proxy_resolution/configured_proxy_resolution_request.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,7 +19,7 @@ ConfiguredProxyResolutionRequest::ConfiguredProxyResolutionRequest(
     ConfiguredProxyResolutionService* service,
     const GURL& url,
     const std::string& method,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ProxyInfo* results,
     CompletionOnceCallback user_callback,
     const NetLogWithSource& net_log)
@@ -28,7 +28,7 @@ ConfiguredProxyResolutionRequest::ConfiguredProxyResolutionRequest(
       results_(results),
       url_(url),
       method_(method),
-      network_isolation_key_(network_isolation_key),
+      network_anonymization_key_(network_anonymization_key),
       net_log_(net_log),
       creation_time_(base::TimeTicks::Now()) {
   DCHECK(!user_callback_.is_null());
@@ -61,7 +61,7 @@ int ConfiguredProxyResolutionRequest::Start() {
     return OK;
 
   return service_->GetProxyResolver()->GetProxyForURL(
-      url_, network_isolation_key_, results_,
+      url_, network_anonymization_key_, results_,
       base::BindOnce(&ConfiguredProxyResolutionRequest::QueryComplete,
                      base::Unretained(this)),
       &resolve_job_, net_log_);
diff --git a/chromium/net/proxy_resolution/configured_proxy_resolution_request.h b/chromium/net/proxy_resolution/configured_proxy_resolution_request.h
index ad88693cc8d..87ccd3825a2 100644
--- a/chromium/net/proxy_resolution/configured_proxy_resolution_request.h
+++ b/chromium/net/proxy_resolution/configured_proxy_resolution_request.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "base/memory/raw_ptr.h"
 #include "base/time/time.h"
 #include "net/base/completion_once_callback.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/log/net_log_with_source.h"
 #include "net/proxy_resolution/proxy_resolution_request.h"
 #include "net/proxy_resolution/proxy_resolver.h"
@@ -32,7 +32,7 @@ class ConfiguredProxyResolutionRequest final : public ProxyResolutionRequest {
       ConfiguredProxyResolutionService* service,
       const GURL& url,
       const std::string& method,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       ProxyInfo* results,
       const CompletionOnceCallback user_callback,
       const NetLogWithSource& net_log);
@@ -86,7 +86,7 @@ class ConfiguredProxyResolutionRequest final : public ProxyResolutionRequest {
   raw_ptr<ProxyInfo> results_;
   const GURL url_;
   const std::string method_;
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
   std::unique_ptr<ProxyResolver::Request> resolve_job_;
   MutableNetworkTrafficAnnotationTag traffic_annotation_;
   NetLogWithSource net_log_;
diff --git a/chromium/net/proxy_resolution/configured_proxy_resolution_service.cc b/chromium/net/proxy_resolution/configured_proxy_resolution_service.cc
index 929ddb38ccc..45a5e755fe1 100644
--- a/chromium/net/proxy_resolution/configured_proxy_resolution_service.cc
+++ b/chromium/net/proxy_resolution/configured_proxy_resolution_service.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -26,7 +26,7 @@
 #include "build/chromeos_buildflags.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_info_source_list.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/proxy_delegate.h"
 #include "net/base/proxy_server.h"
 #include "net/base/proxy_string_util.h"
@@ -185,7 +185,7 @@ class ProxyResolverNull : public ProxyResolver {
 
   // ProxyResolver implementation.
   int GetProxyForURL(const GURL& url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -202,7 +202,7 @@ class ProxyResolverFromPacString : public ProxyResolver {
       : pac_string_(pac_string) {}
 
   int GetProxyForURL(const GURL& url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -892,7 +892,7 @@ ConfiguredProxyResolutionService::CreateFixedFromAutoDetectedPacResultForTest(
 int ConfiguredProxyResolutionService::ResolveProxy(
     const GURL& raw_url,
     const std::string& method,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ProxyInfo* result,
     CompletionOnceCallback callback,
     std::unique_ptr<ProxyResolutionRequest>* out_request,
@@ -927,7 +927,7 @@ int ConfiguredProxyResolutionService::ResolveProxy(
   }
 
   auto req = std::make_unique<ConfiguredProxyResolutionRequest>(
-      this, url, method, network_isolation_key, result, std::move(callback),
+      this, url, method, network_anonymization_key, result, std::move(callback),
       net_log);
 
   if (current_state_ == STATE_READY) {
diff --git a/chromium/net/proxy_resolution/configured_proxy_resolution_service.h b/chromium/net/proxy_resolution/configured_proxy_resolution_service.h
index b640467a1c9..700cbc85c9d 100644
--- a/chromium/net/proxy_resolution/configured_proxy_resolution_service.h
+++ b/chromium/net/proxy_resolution/configured_proxy_resolution_service.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -125,7 +125,7 @@ class NET_EXPORT ConfiguredProxyResolutionService
   //   3.  named proxy
   int ResolveProxy(const GURL& url,
                    const std::string& method,
-                   const NetworkIsolationKey& network_isolation_key,
+                   const NetworkAnonymizationKey& network_anonymization_key,
                    ProxyInfo* results,
                    CompletionOnceCallback callback,
                    std::unique_ptr<ProxyResolutionRequest>* request,
diff --git a/chromium/net/proxy_resolution/configured_proxy_resolution_service_unittest.cc b/chromium/net/proxy_resolution/configured_proxy_resolution_service_unittest.cc
index 37e3a18dd69..1ac9a3b5045 100644
--- a/chromium/net/proxy_resolution/configured_proxy_resolution_service_unittest.cc
+++ b/chromium/net/proxy_resolution/configured_proxy_resolution_service_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -374,7 +374,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, Direct) {
   TestCompletionCallback callback;
   RecordingNetLogObserver net_log_observer;
   std::unique_ptr<ProxyResolutionRequest> request;
-  int rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(),
+  int rv = service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
                                 &info, callback.callback(), &request,
                                 NetLogWithSource::Make(NetLogSourceType::NONE));
   EXPECT_THAT(rv, IsOk());
@@ -419,7 +419,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, OnResolveProxyCallbackAddProxy) {
   // mark the first server as bad.
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback.callback(), &request, net_log_with_source);
   EXPECT_THAT(rv, IsOk());
   EXPECT_EQ("badproxy:8080", ProxyServerToProxyUri(info.proxy_server()));
@@ -432,7 +432,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, OnResolveProxyCallbackAddProxy) {
   // Verify that network delegate is invoked.
   TestResolveProxyDelegate delegate;
   service.SetProxyDelegate(&delegate);
-  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+  rv = service.ResolveProxy(url, "GET", NetworkAnonymizationKey(), &info,
                             callback.callback(), &request, net_log_with_source);
   EXPECT_EQ(1, delegate.num_resolve_proxy_called());
   EXPECT_THAT(delegate.proxy_retry_info(), ElementsAre(Key("badproxy:8080")));
@@ -444,20 +444,20 @@ TEST_F(ConfiguredProxyResolutionServiceTest, OnResolveProxyCallbackAddProxy) {
   delegate.set_add_proxy(true);
 
   // Callback should interpose:
-  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+  rv = service.ResolveProxy(url, "GET", NetworkAnonymizationKey(), &info,
                             callback.callback(), &request, net_log_with_source);
   EXPECT_FALSE(info.is_direct());
   EXPECT_EQ(info.proxy_server().host_port_pair().host(), "delegate_proxy.com");
   delegate.set_add_proxy(false);
 
   // Check non-bypassed URL:
-  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+  rv = service.ResolveProxy(url, "GET", NetworkAnonymizationKey(), &info,
                             callback.callback(), &request, net_log_with_source);
   EXPECT_FALSE(info.is_direct());
   EXPECT_EQ(info.proxy_server().host_port_pair().host(), "foopy1");
 
   // Check bypassed URL:
-  rv = service.ResolveProxy(bypass_url, "GET", NetworkIsolationKey(), &info,
+  rv = service.ResolveProxy(bypass_url, "GET", NetworkAnonymizationKey(), &info,
                             callback.callback(), &request, net_log_with_source);
   EXPECT_TRUE(info.is_direct());
 }
@@ -487,7 +487,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   // First, warm up the ConfiguredProxyResolutionService.
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback.callback(), &request, net_log_with_source);
   EXPECT_THAT(rv, IsOk());
 
@@ -496,19 +496,19 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   delegate.set_remove_proxy(true);
 
   // Callback should interpose:
-  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+  rv = service.ResolveProxy(url, "GET", NetworkAnonymizationKey(), &info,
                             callback.callback(), &request, net_log_with_source);
   EXPECT_TRUE(info.is_direct());
   delegate.set_remove_proxy(false);
 
   // Check non-bypassed URL:
-  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+  rv = service.ResolveProxy(url, "GET", NetworkAnonymizationKey(), &info,
                             callback.callback(), &request, net_log_with_source);
   EXPECT_FALSE(info.is_direct());
   EXPECT_EQ(info.proxy_server().host_port_pair().host(), "foopy1");
 
   // Check bypassed URL:
-  rv = service.ResolveProxy(bypass_url, "GET", NetworkIsolationKey(), &info,
+  rv = service.ResolveProxy(bypass_url, "GET", NetworkAnonymizationKey(), &info,
                             callback.callback(), &request, net_log_with_source);
   EXPECT_TRUE(info.is_direct());
 }
@@ -570,13 +570,13 @@ TEST_F(ConfiguredProxyResolutionServiceTest, CallbackDeletesRequest) {
   net::CompletionOnceCallback callback2 =
       base::BindOnce([](int result) { ASSERT_FALSE(true); });
 
-  int rv =
-      service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                            callback.callback(), &request, NetLogWithSource());
+  int rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                                 &info, callback.callback(), &request,
+                                 NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
-  rv = service->ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info,
-                             std::move(callback2), &request2,
+  rv = service->ResolveProxy(url2, std::string(), NetworkAnonymizationKey(),
+                             &info, std::move(callback2), &request2,
                              NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -634,13 +634,13 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   DeletingCallback<ProxyResolutionRequest> callback(&request2),
       callback2(&request);
 
-  int rv =
-      service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                            callback.callback(), &request, NetLogWithSource());
+  int rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                                 &info, callback.callback(), &request,
+                                 NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
-  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                             callback2.callback(), &request2,
+  rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                             &info, callback2.callback(), &request2,
                              NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -683,7 +683,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, CallbackDeletesSelf) {
 
   std::unique_ptr<ProxyResolutionRequest> request1;
   TestCompletionCallback callback1;
-  int rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(),
+  int rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
                                  &info, callback1.callback(), &request1,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
@@ -691,15 +691,15 @@ TEST_F(ConfiguredProxyResolutionServiceTest, CallbackDeletesSelf) {
   GURL url2("http://www.example.com/");
   std::unique_ptr<ProxyResolutionRequest> request2;
   DeletingCallback<ProxyResolutionRequest> callback2(&request2);
-  rv = service->ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info,
-                             callback2.callback(), &request2,
+  rv = service->ResolveProxy(url2, std::string(), NetworkAnonymizationKey(),
+                             &info, callback2.callback(), &request2,
                              NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolutionRequest> request3;
   TestCompletionCallback callback3;
-  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                             callback3.callback(), &request3,
+  rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                             &info, callback3.callback(), &request3,
                              NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -751,22 +751,22 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
 
   std::unique_ptr<ProxyResolutionRequest> request1;
   TestCompletionCallback callback1;
-  int rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(),
+  int rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
                                  &info, callback1.callback(), &request1,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolutionRequest> request2;
   DeletingCallback<ProxyResolutionRequest> callback2(&request2);
-  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                             callback2.callback(), &request2,
+  rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                             &info, callback2.callback(), &request2,
                              NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolutionRequest> request3;
   TestCompletionCallback callback3;
-  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                             callback3.callback(), &request3,
+  rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                             &info, callback3.callback(), &request3,
                              NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -799,8 +799,8 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyServiceDeletedBeforeRequest) {
     ConfiguredProxyResolutionService service(std::move(config_service),
                                              std::move(factory), nullptr,
                                              /*quick_check_enabled=*/true);
-    rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                              callback.callback(), &request,
+    rv = service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                              &info, callback.callback(), &request,
                               NetLogWithSource::Make(NetLogSourceType::NONE));
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -839,24 +839,24 @@ TEST_F(ConfiguredProxyResolutionServiceTest, CallbackDeletesService) {
 
   DeletingCallback<ConfiguredProxyResolutionService> callback(&service);
   std::unique_ptr<ProxyResolutionRequest> request1;
-  int rv =
-      service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                            callback.callback(), &request1, NetLogWithSource());
+  int rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                                 &info, callback.callback(), &request1,
+                                 NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(LOAD_STATE_RESOLVING_PROXY_FOR_URL, request1->GetLoadState());
 
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                             callback2.callback(), &request2,
+  rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                             &info, callback2.callback(), &request2,
                              NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionRequest> request3;
-  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                             callback3.callback(), &request3,
+  rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                             &info, callback3.callback(), &request3,
                              NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -888,7 +888,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PAC) {
   std::unique_ptr<ProxyResolutionRequest> request;
   RecordingNetLogObserver net_log_observer;
 
-  int rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(),
+  int rv = service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
                                 &info, callback.callback(), &request,
                                 NetLogWithSource::Make(NetLogSourceType::NONE));
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
@@ -951,7 +951,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PAC_NoIdentityOrHash) {
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -985,7 +985,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PAC_FailoverWithoutDirect) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1034,7 +1034,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PAC_RuntimeError) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1093,7 +1093,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PAC_FailoverAfterDirect) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1151,7 +1151,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PAC_ConfigSourcePropagates) {
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback.callback(), &request, NetLogWithSource());
   ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
   factory_ptr->pending_requests()[0]->CompleteNowWithForwarder(OK, &resolver);
@@ -1192,7 +1192,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyResolverFails) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1219,8 +1219,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyResolverFails) {
   // The second resolve request will try to run through the proxy resolver,
   // regardless of whether the first request failed in it.
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                            callback2.callback(), &request, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
+                           callback2.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1258,7 +1259,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1288,8 +1289,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   EXPECT_TRUE(factory_ptr->pending_requests().empty());
 
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                            callback2.callback(), &request, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
+                           callback2.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, factory_ptr->pending_requests().size());
@@ -1331,14 +1333,14 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1, request2;
-  int rv =
-      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(url1, std::string(), NetworkAnonymizationKey(),
+                                &info, callback1.callback(), &request1,
+                                NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   TestCompletionCallback callback2;
-  rv =
-      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(url2, std::string(), NetworkAnonymizationKey(),
+                            &info, callback2.callback(), &request2,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, factory_ptr->pending_requests().size());
@@ -1406,7 +1408,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1426,8 +1428,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   // mandatory PAC script, ConfiguredProxyResolutionService must not implicitly
   // fall-back to DIRECT.
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                            callback2.callback(), &request, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
+                           callback2.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_MANDATORY_PROXY_CONFIGURATION_FAILED));
   EXPECT_FALSE(info.is_direct());
 }
@@ -1462,7 +1465,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1511,7 +1514,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1535,8 +1538,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   // The second resolve request will try to run through the proxy resolver,
   // regardless of whether the first request failed in it.
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                            callback2.callback(), &request, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
+                           callback2.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1574,7 +1578,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallback) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1621,8 +1625,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallback) {
   service.SetProxyDelegate(nullptr);
 
   TestCompletionCallback callback3;
-  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                            callback3.callback(), &request, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
+                           callback3.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1668,8 +1673,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallback) {
 
   // Look up proxies again
   TestCompletionCallback callback7;
-  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
-                            callback7.callback(), &request, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
+                           callback7.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1713,7 +1719,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallbackToDirect) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1779,7 +1785,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallback_BadConfig) {
   std::unique_ptr<ProxyResolutionRequest> request;
   service.SetProxyDelegate(&delegate);
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1812,8 +1818,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallback_BadConfig) {
   // Fake a PAC failure.
   ProxyInfo info2;
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info2,
-                            callback2.callback(), &request, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                            &info2, callback2.callback(), &request,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1834,9 +1841,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallback_BadConfig) {
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionRequest> request3;
-  rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info3,
-                           callback3.callback(), &request3, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                            &info3, callback3.callback(), &request3,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1884,7 +1891,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallback_BadConfigMandatory) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1918,9 +1925,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallback_BadConfigMandatory) {
   ProxyInfo info2;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionRequest> request3;
-  rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info2,
-                           callback3.callback(), &request3, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                            &info2, callback3.callback(), &request3,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1942,9 +1949,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyFallback_BadConfigMandatory) {
   ProxyInfo info3;
   TestCompletionCallback callback4;
   std::unique_ptr<ProxyResolutionRequest> request4;
-  rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info3,
-                           callback4.callback(), &request4, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
+                            &info3, callback4.callback(), &request4,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1983,14 +1990,14 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ProxyBypassList) {
   std::unique_ptr<ProxyResolutionRequest> request2;
 
   // Request for a .org domain should bypass proxy.
-  rv = service.ResolveProxy(url1, std::string(), NetworkIsolationKey(),
+  rv = service.ResolveProxy(url1, std::string(), NetworkAnonymizationKey(),
                             &info[0], callback[0].callback(), &request1,
                             NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(info[0].is_direct());
 
   // Request for a .com domain hits the proxy.
-  rv = service.ResolveProxy(url2, std::string(), NetworkIsolationKey(),
+  rv = service.ResolveProxy(url2, std::string(), NetworkAnonymizationKey(),
                             &info[1], callback[1].callback(), &request2,
                             NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
@@ -2045,7 +2052,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PerProtocolProxyTests) {
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
@@ -2059,7 +2066,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PerProtocolProxyTests) {
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_TRUE(info.is_direct());
@@ -2073,7 +2080,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PerProtocolProxyTests) {
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
@@ -2088,7 +2095,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PerProtocolProxyTests) {
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
@@ -2112,7 +2119,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     ASSERT_THAT(rv, IsOk());
     // Should be test, even if there are no HTTP proxies configured.
@@ -2129,7 +2136,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     ASSERT_THAT(rv, IsOk());
     // Used the HTTPS proxy. So traffic annotation should test.
@@ -2145,7 +2152,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     ASSERT_THAT(rv, IsOk());
     // ProxyConfig is empty. Traffic annotation should still be TEST.
@@ -2172,7 +2179,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, DefaultProxyFallbackToSOCKS) {
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
@@ -2186,7 +2193,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, DefaultProxyFallbackToSOCKS) {
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
@@ -2201,7 +2208,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, DefaultProxyFallbackToSOCKS) {
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
@@ -2216,7 +2223,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, DefaultProxyFallbackToSOCKS) {
     ProxyInfo info;
     TestCompletionCallback callback;
     int rv = service.ResolveProxy(
-        test_url, std::string(), NetworkIsolationKey(), &info,
+        test_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
@@ -2246,9 +2253,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, CancelInProgressRequest) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
-  int rv =
-      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(url1, std::string(), NetworkAnonymizationKey(),
+                                &info1, callback1.callback(), &request1,
+                                NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Successfully initialize the PAC script.
@@ -2261,9 +2268,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, CancelInProgressRequest) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv =
-      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(url2, std::string(), NetworkAnonymizationKey(),
+                            &info2, callback2.callback(), &request2,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   GetPendingJobsForURLs(resolver, url1, url2);
@@ -2271,9 +2278,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, CancelInProgressRequest) {
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionRequest> request3;
-  rv =
-      service.ResolveProxy(url3, std::string(), NetworkIsolationKey(), &info3,
-                           callback3.callback(), &request3, NetLogWithSource());
+  rv = service.ResolveProxy(url3, std::string(), NetworkAnonymizationKey(),
+                            &info3, callback3.callback(), &request3,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   GetPendingJobsForURLs(resolver, url1, url2, url3);
 
@@ -2326,9 +2333,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, InitialPACScriptDownload) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
-  int rv =
-      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(url1, std::string(), NetworkAnonymizationKey(),
+                                &info1, callback1.callback(), &request1,
+                                NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered download of PAC script.
@@ -2338,17 +2345,17 @@ TEST_F(ConfiguredProxyResolutionServiceTest, InitialPACScriptDownload) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv =
-      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(url2, std::string(), NetworkAnonymizationKey(),
+                            &info2, callback2.callback(), &request2,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionRequest> request3;
-  rv =
-      service.ResolveProxy(url3, std::string(), NetworkIsolationKey(), &info3,
-                           callback3.callback(), &request3, NetLogWithSource());
+  rv = service.ResolveProxy(url3, std::string(), NetworkAnonymizationKey(),
+                            &info3, callback3.callback(), &request3,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Nothing has been sent to the factory yet.
@@ -2435,9 +2442,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
-  int rv =
-      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(url1, std::string(), NetworkAnonymizationKey(),
+                                &info1, callback1.callback(), &request1,
+                                NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered download of PAC script.
@@ -2447,9 +2454,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv =
-      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(url2, std::string(), NetworkAnonymizationKey(),
+                            &info2, callback2.callback(), &request2,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // At this point the ConfiguredProxyResolutionService should be waiting for
@@ -2503,7 +2510,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, CancelWhilePACFetching) {
   std::unique_ptr<ProxyResolutionRequest> request1;
   RecordingNetLogObserver net_log_observer;
   int rv = service.ResolveProxy(GURL("http://request1"), std::string(),
-                                NetworkIsolationKey(), &info1,
+                                NetworkAnonymizationKey(), &info1,
                                 callback1.callback(), &request1,
                                 NetLogWithSource::Make(NetLogSourceType::NONE));
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
@@ -2515,17 +2522,17 @@ TEST_F(ConfiguredProxyResolutionServiceTest, CancelWhilePACFetching) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request2"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionRequest> request3;
-  rv = service.ResolveProxy(GURL("http://request3"), std::string(),
-                            NetworkIsolationKey(), &info3, callback3.callback(),
-                            &request3, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request3"), std::string(), NetworkAnonymizationKey(), &info3,
+      callback3.callback(), &request3, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Nothing has been sent to the factory yet.
@@ -2606,17 +2613,17 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
-  int rv =
-      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(url1, std::string(), NetworkAnonymizationKey(),
+                                &info1, callback1.callback(), &request1,
+                                NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv =
-      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(url2, std::string(), NetworkAnonymizationKey(),
+                            &info2, callback2.callback(), &request2,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that nothing has been sent to the proxy resolver factory yet.
@@ -2694,17 +2701,17 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
-  int rv =
-      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(url1, std::string(), NetworkAnonymizationKey(),
+                                &info1, callback1.callback(), &request1,
+                                NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv =
-      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(url2, std::string(), NetworkAnonymizationKey(),
+                            &info2, callback2.callback(), &request2,
+                            NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that nothing has been sent to the proxy resolver factory yet.
@@ -2776,16 +2783,16 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info1,
       callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request2"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that nothing has been sent to the proxy resolver factory yet.
@@ -2841,7 +2848,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, BypassDoesntApplyToPac) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://www.google.com"), std::string(), NetworkIsolationKey(),
+      GURL("http://www.google.com"), std::string(), NetworkAnonymizationKey(),
       &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -2872,9 +2879,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, BypassDoesntApplyToPac) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://www.google.com"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://www.google.com"), std::string(), NetworkAnonymizationKey(),
+      &info2, callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -2915,7 +2922,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://www.google.com"), std::string(), NetworkIsolationKey(),
+      GURL("http://www.google.com"), std::string(), NetworkAnonymizationKey(),
       &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -2950,7 +2957,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv =
-      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+      service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(), &info,
                            callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -2978,7 +2985,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, UpdateConfigFromPACToDirect) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://www.google.com"), std::string(), NetworkIsolationKey(),
+      GURL("http://www.google.com"), std::string(), NetworkAnonymizationKey(),
       &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -3007,9 +3014,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, UpdateConfigFromPACToDirect) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://www.google.com"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://www.google.com"), std::string(), NetworkAnonymizationKey(),
+      &info2, callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
 
   EXPECT_TRUE(info2.is_direct());
@@ -3044,7 +3051,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, NetworkChangeTriggersPacRefetch) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info1,
       callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -3087,9 +3094,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, NetworkChangeTriggersPacRefetch) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request2"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // This second request should have triggered the re-download of the PAC
@@ -3165,7 +3172,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PACScriptRefetchAfterFailure) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info1,
       callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -3226,9 +3233,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PACScriptRefetchAfterFailure) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request2"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that it was sent to the resolver.
@@ -3277,7 +3284,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info1,
       callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -3344,9 +3351,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request2"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that it was sent to the resolver.
@@ -3395,7 +3402,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info1,
       callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -3459,9 +3466,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request2"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that it was sent to the resolver.
@@ -3509,7 +3516,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PACScriptRefetchAfterSuccess) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info1,
       callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -3571,9 +3578,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PACScriptRefetchAfterSuccess) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request2"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(info2.is_direct());
 }
@@ -3685,7 +3692,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PACScriptRefetchAfterActivity) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info1,
       callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -3730,9 +3737,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PACScriptRefetchAfterActivity) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request2"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // This request should have sent work to the resolver; complete it.
@@ -3762,9 +3769,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, PACScriptRefetchAfterActivity) {
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionRequest> request3;
-  rv = service.ResolveProxy(GURL("http://request3"), std::string(),
-                            NetworkIsolationKey(), &info3, callback3.callback(),
-                            &request3, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request3"), std::string(), NetworkAnonymizationKey(), &info3,
+      callback3.callback(), &request3, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(info3.is_direct());
 }
@@ -3794,7 +3801,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, IpAddressChangeResetsProxy) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info1,
       callback1.callback(), &request1, NetLogWithSource());
   ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
   ASSERT_TRUE(fetcher_ptr->has_pending_request());
@@ -3821,9 +3828,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, IpAddressChangeResetsProxy) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request1"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   EXPECT_THAT(resolver.pending_jobs(), testing::IsEmpty());
 
@@ -3861,7 +3868,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, DnsChangeTriggersPoll) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      GURL("http://request1"), std::string(), NetworkAnonymizationKey(), &info1,
       callback1.callback(), &request1, NetLogWithSource());
   ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
   ASSERT_TRUE(fetcher_ptr->has_pending_request());
@@ -3886,9 +3893,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, DnsChangeTriggersPoll) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionRequest> request2;
-  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
-                            NetworkIsolationKey(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request2"), std::string(), NetworkAnonymizationKey(), &info2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   ASSERT_THAT(resolver.pending_jobs(), testing::SizeIs(1));
   resolver.pending_jobs()[0]->CompleteNow(OK);
@@ -3902,9 +3909,9 @@ TEST_F(ConfiguredProxyResolutionServiceTest, DnsChangeTriggersPoll) {
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionRequest> request3;
-  rv = service.ResolveProxy(GURL("http://request3"), std::string(),
-                            NetworkIsolationKey(), &info3, callback3.callback(),
-                            &request3, NetLogWithSource());
+  rv = service.ResolveProxy(
+      GURL("http://request3"), std::string(), NetworkAnonymizationKey(), &info3,
+      callback3.callback(), &request3, NetLogWithSource());
   ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
   ASSERT_THAT(factory_ptr->pending_requests(), testing::SizeIs(1));
   EXPECT_EQ(kValidPacScript216,
@@ -3959,9 +3966,9 @@ class SanitizeUrlHelper {
     ProxyInfo info;
     TestCompletionCallback callback;
     std::unique_ptr<ProxyResolutionRequest> request;
-    int rv = service_->ResolveProxy(url, std::string(), NetworkIsolationKey(),
-                                    &info, callback.callback(), &request,
-                                    NetLogWithSource());
+    int rv = service_->ResolveProxy(
+        url, std::string(), NetworkAnonymizationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
     // First step is to download the PAC script.
@@ -3988,7 +3995,7 @@ class SanitizeUrlHelper {
     TestCompletionCallback callback;
     std::unique_ptr<ProxyResolutionRequest> request1;
     int rv = service_->ResolveProxy(
-        raw_url, std::string(), NetworkIsolationKey(), &info,
+        raw_url, std::string(), NetworkAnonymizationKey(), &info,
         callback.callback(), &request1, NetLogWithSource());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -4123,7 +4130,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, OnShutdownWithLiveRequest) {
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv = service.ResolveProxy(
-      GURL("http://request/"), std::string(), NetworkIsolationKey(), &info,
+      GURL("http://request/"), std::string(), NetworkAnonymizationKey(), &info,
       callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -4159,7 +4166,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, OnShutdownFollowedByRequest) {
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionRequest> request;
   int rv = service.ResolveProxy(
-      GURL("http://request/"), std::string(), NetworkIsolationKey(), &info,
+      GURL("http://request/"), std::string(), NetworkAnonymizationKey(), &info,
       callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_FALSE(fetcher_ptr->has_pending_request());
@@ -4196,7 +4203,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
   ProxyInfo info1;
   TestCompletionCallback callback1;
   int rv = service->ResolveProxy(
-      GURL("http://www.example.com"), std::string(), NetworkIsolationKey(),
+      GURL("http://www.example.com"), std::string(), NetworkAnonymizationKey(),
       &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_EQ("foopy1:8080", ProxyServerToProxyUri(info1.proxy_server()));
@@ -4210,7 +4217,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest,
       std::unique_ptr<ProxyResolutionRequest> request;
       ProxyInfo info;
       TestCompletionCallback callback;
-      rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(),
+      rv = service->ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
                                  &info, callback.callback(), &request,
                                  NetLogWithSource());
       EXPECT_THAT(rv, IsOk());
@@ -4244,7 +4251,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ImplicitlyBypassWithPac) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionRequest> request1;
   int rv = service.ResolveProxy(
-      GURL("http://www.google.com"), std::string(), NetworkIsolationKey(),
+      GURL("http://www.google.com"), std::string(), NetworkAnonymizationKey(),
       &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -4278,7 +4285,7 @@ TEST_F(ConfiguredProxyResolutionServiceTest, ImplicitlyBypassWithPac) {
       std::unique_ptr<ProxyResolutionRequest> request;
       ProxyInfo info;
       TestCompletionCallback callback;
-      rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(),
+      rv = service.ResolveProxy(url, std::string(), NetworkAnonymizationKey(),
                                 &info, callback.callback(), &request,
                                 NetLogWithSource());
       EXPECT_THAT(rv, IsOk());
diff --git a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.cc b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.cc
index 0399e2473e2..98b07a994ab 100644
--- a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.cc
+++ b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.h b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.h
index 7838bf5b3a4..df9d0d715e1 100644
--- a/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.h
+++ b/chromium/net/proxy_resolution/dhcp_pac_file_fetcher.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/mock_pac_file_fetcher.cc b/chromium/net/proxy_resolution/mock_pac_file_fetcher.cc
index aa9508049b1..0b966584701 100644
--- a/chromium/net/proxy_resolution/mock_pac_file_fetcher.cc
+++ b/chromium/net/proxy_resolution/mock_pac_file_fetcher.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/mock_pac_file_fetcher.h b/chromium/net/proxy_resolution/mock_pac_file_fetcher.h
index 2947259a180..3a83590c928 100644
--- a/chromium/net/proxy_resolution/mock_pac_file_fetcher.h
+++ b/chromium/net/proxy_resolution/mock_pac_file_fetcher.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/mock_proxy_resolver.cc b/chromium/net/proxy_resolution/mock_proxy_resolver.cc
index 4a099722259..5d4465108c7 100644
--- a/chromium/net/proxy_resolution/mock_proxy_resolver.cc
+++ b/chromium/net/proxy_resolution/mock_proxy_resolver.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,6 +8,7 @@
 #include <utility>
 
 #include "base/check.h"
+#include "base/ranges/algorithm.h"
 
 namespace net {
 
@@ -49,7 +50,7 @@ MockAsyncProxyResolver::~MockAsyncProxyResolver() = default;
 
 int MockAsyncProxyResolver::GetProxyForURL(
     const GURL& url,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ProxyInfo* results,
     CompletionOnceCallback callback,
     std::unique_ptr<Request>* request,
@@ -64,7 +65,7 @@ int MockAsyncProxyResolver::GetProxyForURL(
 }
 
 void MockAsyncProxyResolver::AddCancelledJob(std::unique_ptr<Job> job) {
-  auto it = std::find(pending_jobs_.begin(), pending_jobs_.end(), job.get());
+  auto it = base::ranges::find(pending_jobs_, job.get());
   // Because this is called always when RequestImpl is destructed,
   // we need to check if it is still in pending jobs.
   if (it != pending_jobs_.end()) {
@@ -75,7 +76,7 @@ void MockAsyncProxyResolver::AddCancelledJob(std::unique_ptr<Job> job) {
 
 void MockAsyncProxyResolver::RemovePendingJob(Job* job) {
   DCHECK(job);
-  auto it = std::find(pending_jobs_.begin(), pending_jobs_.end(), job);
+  auto it = base::ranges::find(pending_jobs_, job);
   DCHECK(it != pending_jobs_.end());
   pending_jobs_.erase(it);
 }
@@ -155,8 +156,7 @@ int MockAsyncProxyResolverFactory::CreateProxyResolver(
 }
 
 void MockAsyncProxyResolverFactory::RemovePendingRequest(Request* request) {
-  auto it =
-      std::find(pending_requests_.begin(), pending_requests_.end(), request);
+  auto it = base::ranges::find(pending_requests_, request);
   DCHECK(it != pending_requests_.end());
   pending_requests_.erase(it);
 }
@@ -173,12 +173,12 @@ ForwardingProxyResolver::ForwardingProxyResolver(ProxyResolver* impl)
 
 int ForwardingProxyResolver::GetProxyForURL(
     const GURL& query_url,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ProxyInfo* results,
     CompletionOnceCallback callback,
     std::unique_ptr<Request>* request,
     const NetLogWithSource& net_log) {
-  return impl_->GetProxyForURL(query_url, network_isolation_key, results,
+  return impl_->GetProxyForURL(query_url, network_anonymization_key, results,
                                std::move(callback), request, net_log);
 }
 
diff --git a/chromium/net/proxy_resolution/mock_proxy_resolver.h b/chromium/net/proxy_resolution/mock_proxy_resolver.h
index 746bd75ea9d..12bad7fd4c7 100644
--- a/chromium/net/proxy_resolution/mock_proxy_resolver.h
+++ b/chromium/net/proxy_resolution/mock_proxy_resolver.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "base/memory/raw_ptr.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/proxy_resolution/proxy_resolver.h"
 #include "net/proxy_resolution/proxy_resolver_factory.h"
 #include "url/gurl.h"
@@ -61,7 +61,7 @@ class MockAsyncProxyResolver : public ProxyResolver {
 
   // ProxyResolver implementation.
   int GetProxyForURL(const GURL& url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -153,7 +153,7 @@ class ForwardingProxyResolver : public ProxyResolver {
 
   // ProxyResolver overrides.
   int GetProxyForURL(const GURL& query_url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
diff --git a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc
index 1d4429bd4c3..7a2167347ce 100644
--- a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc
+++ b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -21,7 +21,7 @@
 #include "base/threading/thread_restrictions.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/log/net_log.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_with_source.h"
@@ -30,7 +30,7 @@
 
 namespace net {
 
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 
 // http://crbug.com/69710
 class MultiThreadedProxyResolverScopedAllowJoinOnIO
@@ -125,7 +125,7 @@ class MultiThreadedProxyResolver : public ProxyResolver,
 
   // ProxyResolver implementation:
   int GetProxyForURL(const GURL& url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -273,7 +273,7 @@ class MultiThreadedProxyResolver::GetProxyForURLJob : public Job {
   // |url|         -- the URL of the query.
   // |results|     -- the structure to fill with proxy resolve results.
   GetProxyForURLJob(const GURL& url,
-                    const NetworkIsolationKey& network_isolation_key,
+                    const NetworkAnonymizationKey& network_anonymization_key,
                     ProxyInfo* results,
                     CompletionOnceCallback callback,
                     const NetLogWithSource& net_log)
@@ -281,7 +281,7 @@ class MultiThreadedProxyResolver::GetProxyForURLJob : public Job {
         results_(results),
         net_log_(net_log),
         url_(url),
-        network_isolation_key_(network_isolation_key) {
+        network_anonymization_key_(network_anonymization_key) {
     DCHECK(callback_);
   }
 
@@ -308,9 +308,9 @@ class MultiThreadedProxyResolver::GetProxyForURLJob : public Job {
   void Run(scoped_refptr<base::SingleThreadTaskRunner> origin_runner) override {
     ProxyResolver* resolver = executor()->resolver();
     DCHECK(resolver);
-    int rv =
-        resolver->GetProxyForURL(url_, network_isolation_key_, &results_buf_,
-                                 CompletionOnceCallback(), nullptr, net_log_);
+    int rv = resolver->GetProxyForURL(url_, network_anonymization_key_,
+                                      &results_buf_, CompletionOnceCallback(),
+                                      nullptr, net_log_);
     DCHECK_NE(rv, ERR_IO_PENDING);
 
     origin_runner->PostTask(
@@ -342,7 +342,7 @@ class MultiThreadedProxyResolver::GetProxyForURLJob : public Job {
   NetLogWithSource net_log_;
 
   const GURL url_;
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
 
   // Usable from within DoQuery on the worker thread.
   ProxyInfo results_buf_;
@@ -444,7 +444,7 @@ MultiThreadedProxyResolver::~MultiThreadedProxyResolver() {
 
 int MultiThreadedProxyResolver::GetProxyForURL(
     const GURL& url,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ProxyInfo* results,
     CompletionOnceCallback callback,
     std::unique_ptr<Request>* request,
@@ -453,7 +453,7 @@ int MultiThreadedProxyResolver::GetProxyForURL(
   DCHECK(!callback.is_null());
 
   auto job = base::MakeRefCounted<GetProxyForURLJob>(
-      url, network_isolation_key, results, std::move(callback), net_log);
+      url, network_anonymization_key, results, std::move(callback), net_log);
 
   // Completion will be notified through |callback|, unless the caller cancels
   // the request using |request|.
diff --git a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.h b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.h
index afaa419ae9a..b0e9827eed7 100644
--- a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.h
+++ b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc
index 12eb336bb4d..52e1dd6b9dd 100644
--- a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc
+++ b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -20,7 +20,7 @@
 #include "base/threading/thread_checker_impl.h"
 #include "base/time/time.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/base/test_completion_callback.h"
 #include "net/log/net_log_event_type.h"
@@ -54,13 +54,13 @@ class MockProxyResolver : public ProxyResolver {
 
   // ProxyResolver implementation.
   int GetProxyForURL(const GURL& query_url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
                      const NetLogWithSource& net_log) override {
     last_query_url_ = query_url;
-    last_network_isolation_key_ = network_isolation_key;
+    last_network_anonymization_key_ = network_anonymization_key;
 
     if (!resolve_latency_.is_zero())
       base::PlatformThread::Sleep(resolve_latency_);
@@ -87,8 +87,8 @@ class MockProxyResolver : public ProxyResolver {
 
   // Return the most recent values passed to GetProxyForURL(), if any.
   const GURL& last_query_url() const { return last_query_url_; }
-  const NetworkIsolationKey& last_network_isolation_key() const {
-    return last_network_isolation_key_;
+  const NetworkAnonymizationKey& last_network_anonymization_key() const {
+    return last_network_anonymization_key_;
   }
 
  private:
@@ -97,7 +97,7 @@ class MockProxyResolver : public ProxyResolver {
   base::TimeDelta resolve_latency_;
 
   GURL last_query_url_;
-  NetworkIsolationKey last_network_isolation_key_;
+  NetworkAnonymizationKey last_network_anonymization_key_;
 };
 
 
@@ -147,7 +147,7 @@ class BlockableProxyResolver : public MockProxyResolver {
   }
 
   int GetProxyForURL(const GURL& query_url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -166,9 +166,9 @@ class BlockableProxyResolver : public MockProxyResolver {
       }
     }
 
-    return MockProxyResolver::GetProxyForURL(query_url, network_isolation_key,
-                                             results, std::move(callback),
-                                             request, net_log);
+    return MockProxyResolver::GetProxyForURL(
+        query_url, network_anonymization_key, results, std::move(callback),
+        request, net_log);
   }
 
  private:
@@ -279,10 +279,10 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_Basic) {
   TestCompletionCallback callback0;
   RecordingNetLogObserver net_log_observer;
   ProxyInfo results0;
-  rv =
-      resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
-                                &results0, callback0.callback(), nullptr,
-                                NetLogWithSource::Make(NetLogSourceType::NONE));
+  rv = resolver().GetProxyForURL(
+      GURL("http://request0"), NetworkAnonymizationKey(), &results0,
+      callback0.callback(), nullptr,
+      NetLogWithSource::Make(NetLogSourceType::NONE));
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Wait for request 0 to finish.
@@ -303,23 +303,23 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_Basic) {
 
   TestCompletionCallback callback1;
   ProxyInfo results1;
-  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
-                                 &results1, callback1.callback(), nullptr,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request1"), NetworkAnonymizationKey(), &results1,
+      callback1.callback(), nullptr, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback2;
   ProxyInfo results2;
-  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
-                                 &results2, callback2.callback(), nullptr,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request2"), NetworkAnonymizationKey(), &results2,
+      callback2.callback(), nullptr, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback3;
   ProxyInfo results3;
-  rv = resolver().GetProxyForURL(GURL("http://request3"), NetworkIsolationKey(),
-                                 &results3, callback3.callback(), nullptr,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request3"), NetworkAnonymizationKey(), &results3,
+      callback3.callback(), nullptr, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Wait for the requests to finish (they must finish in the order they were
@@ -357,9 +357,9 @@ TEST_F(MultiThreadedProxyResolverTest,
   RecordingNetLogObserver net_log_observer;
   NetLogWithSource log_with_source0 =
       NetLogWithSource::Make(NetLogSourceType::NONE);
-  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
-                                 &results0, callback0.callback(), &request0,
-                                 log_with_source0);
+  rv = resolver().GetProxyForURL(
+      GURL("http://request0"), NetworkAnonymizationKey(), &results0,
+      callback0.callback(), &request0, log_with_source0);
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Start 2 more requests (request1 and request2).
@@ -368,9 +368,9 @@ TEST_F(MultiThreadedProxyResolverTest,
   ProxyInfo results1;
   NetLogWithSource log_with_source1 =
       NetLogWithSource::Make(NetLogSourceType::NONE);
-  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
-                                 &results1, callback1.callback(), nullptr,
-                                 log_with_source1);
+  rv = resolver().GetProxyForURL(
+      GURL("http://request1"), NetworkAnonymizationKey(), &results1,
+      callback1.callback(), nullptr, log_with_source1);
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolver::Request> request2;
@@ -378,9 +378,9 @@ TEST_F(MultiThreadedProxyResolverTest,
   ProxyInfo results2;
   NetLogWithSource log_with_source2 =
       NetLogWithSource::Make(NetLogSourceType::NONE);
-  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
-                                 &results2, callback2.callback(), &request2,
-                                 log_with_source2);
+  rv = resolver().GetProxyForURL(
+      GURL("http://request2"), NetworkAnonymizationKey(), &results2,
+      callback2.callback(), &request2, log_with_source2);
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Unblock the worker thread so the requests can continue running.
@@ -441,9 +441,9 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_CancelRequest) {
   std::unique_ptr<ProxyResolver::Request> request0;
   TestCompletionCallback callback0;
   ProxyInfo results0;
-  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
-                                 &results0, callback0.callback(), &request0,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request0"), NetworkAnonymizationKey(), &results0,
+      callback0.callback(), &request0, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Wait until requests 0 reaches the worker thread.
@@ -453,24 +453,24 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_CancelRequest) {
 
   TestCompletionCallback callback1;
   ProxyInfo results1;
-  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
-                                 &results1, callback1.callback(), nullptr,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request1"), NetworkAnonymizationKey(), &results1,
+      callback1.callback(), nullptr, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolver::Request> request2;
   TestCompletionCallback callback2;
   ProxyInfo results2;
-  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
-                                 &results2, callback2.callback(), &request2,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request2"), NetworkAnonymizationKey(), &results2,
+      callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback3;
   ProxyInfo results3;
-  rv = resolver().GetProxyForURL(GURL("http://request3"), NetworkIsolationKey(),
-                                 &results3, callback3.callback(), nullptr,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request3"), NetworkAnonymizationKey(), &results3,
+      callback3.callback(), nullptr, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Cancel request0 (inprogress) and request2 (pending).
@@ -498,10 +498,11 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_CancelRequest) {
   EXPECT_FALSE(callback2.have_result());
 }
 
-// Make sure the NetworkIsolationKey makes it to the resolver.
-TEST_F(MultiThreadedProxyResolverTest, SingleThread_WithNetworkIsolationKey) {
+// Make sure the NetworkAnonymizationKey makes it to the resolver.
+TEST_F(MultiThreadedProxyResolverTest,
+       SingleThread_WithNetworkAnonymizationKey) {
   const SchemefulSite kSite(GURL("https://origin.test/"));
-  const net::NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey(kSite, kSite);
   const GURL kUrl("https://url.test/");
 
   const size_t kNumThreads = 1u;
@@ -516,7 +517,7 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_WithNetworkIsolationKey) {
   std::unique_ptr<ProxyResolver::Request> request;
   TestCompletionCallback callback;
   ProxyInfo results;
-  rv = resolver().GetProxyForURL(kUrl, kNetworkIsolationKey, &results,
+  rv = resolver().GetProxyForURL(kUrl, kNetworkAnonymizationKey, &results,
                                  callback.callback(), &request,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
@@ -528,8 +529,8 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_WithNetworkIsolationKey) {
   EXPECT_EQ(0, callback.WaitForResult());
 
   EXPECT_EQ(kUrl, factory().resolvers()[0]->last_query_url());
-  EXPECT_EQ(kNetworkIsolationKey,
-            factory().resolvers()[0]->last_network_isolation_key());
+  EXPECT_EQ(kNetworkAnonymizationKey,
+            factory().resolvers()[0]->last_network_anonymization_key());
 }
 
 // Test that deleting MultiThreadedProxyResolver while requests are
@@ -548,23 +549,23 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_CancelRequestByDeleting) {
 
   TestCompletionCallback callback0;
   ProxyInfo results0;
-  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
-                                 &results0, callback0.callback(), nullptr,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request0"), NetworkAnonymizationKey(), &results0,
+      callback0.callback(), nullptr, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback1;
   ProxyInfo results1;
-  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
-                                 &results1, callback1.callback(), nullptr,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request1"), NetworkAnonymizationKey(), &results1,
+      callback1.callback(), nullptr, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback2;
   ProxyInfo results2;
-  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
-                                 &results2, callback2.callback(), nullptr,
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request2"), NetworkAnonymizationKey(), &results2,
+      callback2.callback(), nullptr, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Wait until request 0 reaches the worker thread.
@@ -609,9 +610,9 @@ TEST_F(MultiThreadedProxyResolverTest, ThreeThreads_Basic) {
 
   // Start request 0 -- this should run on thread 0 as there is nothing else
   // going on right now.
-  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
-                                 &results[0], callback[0].callback(),
-                                 &request[0], NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request0"), NetworkAnonymizationKey(), &results[0],
+      callback[0].callback(), &request[0], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Wait for request 0 to finish.
@@ -626,14 +627,14 @@ TEST_F(MultiThreadedProxyResolverTest, ThreeThreads_Basic) {
   // We now block the first resolver to ensure a request is sent to the second
   // thread.
   factory().resolvers()[0]->Block();
-  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
-                                 &results[1], callback[1].callback(),
-                                 &request[1], NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request1"), NetworkAnonymizationKey(), &results[1],
+      callback[1].callback(), &request[1], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   factory().resolvers()[0]->WaitUntilBlocked();
-  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
-                                 &results[2], callback[2].callback(),
-                                 &request[2], NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request2"), NetworkAnonymizationKey(), &results[2],
+      callback[2].callback(), &request[2], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   EXPECT_EQ(0, callback[2].WaitForResult());
   ASSERT_EQ(2u, factory().resolvers().size());
@@ -641,14 +642,14 @@ TEST_F(MultiThreadedProxyResolverTest, ThreeThreads_Basic) {
   // We now block the second resolver as well to ensure a request is sent to the
   // third thread.
   factory().resolvers()[1]->Block();
-  rv = resolver().GetProxyForURL(GURL("http://request3"), NetworkIsolationKey(),
-                                 &results[3], callback[3].callback(),
-                                 &request[3], NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request3"), NetworkAnonymizationKey(), &results[3],
+      callback[3].callback(), &request[3], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   factory().resolvers()[1]->WaitUntilBlocked();
-  rv = resolver().GetProxyForURL(GURL("http://request4"), NetworkIsolationKey(),
-                                 &results[4], callback[4].callback(),
-                                 &request[4], NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request4"), NetworkAnonymizationKey(), &results[4],
+      callback[4].callback(), &request[4], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   EXPECT_EQ(0, callback[4].WaitForResult());
 
@@ -667,17 +668,17 @@ TEST_F(MultiThreadedProxyResolverTest, ThreeThreads_Basic) {
   // will reach the resolver, but the second will still be queued when canceled.
   // Start a third request so we can be sure the resolver has completed running
   // the first request.
-  rv = resolver().GetProxyForURL(GURL("http://request5"), NetworkIsolationKey(),
-                                 &results[5], callback[5].callback(),
-                                 &request[5], NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request5"), NetworkAnonymizationKey(), &results[5],
+      callback[5].callback(), &request[5], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  rv = resolver().GetProxyForURL(GURL("http://request6"), NetworkIsolationKey(),
-                                 &results[6], callback[6].callback(),
-                                 &request[6], NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request6"), NetworkAnonymizationKey(), &results[6],
+      callback[6].callback(), &request[6], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  rv = resolver().GetProxyForURL(GURL("http://request7"), NetworkIsolationKey(),
-                                 &results[7], callback[7].callback(),
-                                 &request[7], NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request7"), NetworkAnonymizationKey(), &results[7],
+      callback[7].callback(), &request[7], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   request[5].reset();
   request[6].reset();
@@ -721,9 +722,9 @@ TEST_F(MultiThreadedProxyResolverTest, OneThreadBlocked) {
 
   factory().resolvers()[0]->Block();
 
-  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
-                                 &results[0], callback[0].callback(),
-                                 &request[0], NetLogWithSource());
+  rv = resolver().GetProxyForURL(
+      GURL("http://request0"), NetworkAnonymizationKey(), &results[0],
+      callback[0].callback(), &request[0], NetLogWithSource());
 
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   factory().resolvers()[0]->WaitUntilBlocked();
@@ -733,8 +734,9 @@ TEST_F(MultiThreadedProxyResolverTest, OneThreadBlocked) {
 
   for (int i = 1; i < kNumRequests; ++i) {
     rv = resolver().GetProxyForURL(
-        GURL(base::StringPrintf("http://request%d", i)), NetworkIsolationKey(),
-        &results[i], callback[i].callback(), &request[i], NetLogWithSource());
+        GURL(base::StringPrintf("http://request%d", i)),
+        NetworkAnonymizationKey(), &results[i], callback[i].callback(),
+        &request[i], NetLogWithSource());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   }
 
diff --git a/chromium/net/proxy_resolution/network_delegate_error_observer.cc b/chromium/net/proxy_resolution/network_delegate_error_observer.cc
index 563af122fb7..448fda64c83 100644
--- a/chromium/net/proxy_resolution/network_delegate_error_observer.cc
+++ b/chromium/net/proxy_resolution/network_delegate_error_observer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/network_delegate_error_observer.h b/chromium/net/proxy_resolution/network_delegate_error_observer.h
index edbda8d544c..34c9661bc70 100644
--- a/chromium/net/proxy_resolution/network_delegate_error_observer.h
+++ b/chromium/net/proxy_resolution/network_delegate_error_observer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/network_delegate_error_observer_unittest.cc b/chromium/net/proxy_resolution/network_delegate_error_observer_unittest.cc
index e545a905a0c..38aa667caf8 100644
--- a/chromium/net/proxy_resolution/network_delegate_error_observer_unittest.cc
+++ b/chromium/net/proxy_resolution/network_delegate_error_observer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/pac_file_data.cc b/chromium/net/proxy_resolution/pac_file_data.cc
index eee2fce42ac..10259174911 100644
--- a/chromium/net/proxy_resolution/pac_file_data.cc
+++ b/chromium/net/proxy_resolution/pac_file_data.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/pac_file_data.h b/chromium/net/proxy_resolution/pac_file_data.h
index fe8f1187686..255c670b065 100644
--- a/chromium/net/proxy_resolution/pac_file_data.h
+++ b/chromium/net/proxy_resolution/pac_file_data.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/pac_file_decider.cc b/chromium/net/proxy_resolution/pac_file_decider.cc
index 62af8a9e40e..0189a564942 100644
--- a/chromium/net/proxy_resolution/pac_file_decider.cc
+++ b/chromium/net/proxy_resolution/pac_file_decider.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -283,7 +283,7 @@ int PacFileDecider::DoQuickCheck() {
       pac_file_fetcher_->GetRequestContext()->host_resolver();
   resolve_request_ = host_resolver->CreateRequest(
       HostPortPair(host, 80),
-      pac_file_fetcher_->isolation_info().network_isolation_key(), net_log_,
+      pac_file_fetcher_->isolation_info().network_anonymization_key(), net_log_,
       parameters);
 
   CompletionRepeatingCallback callback = base::BindRepeating(
diff --git a/chromium/net/proxy_resolution/pac_file_decider.h b/chromium/net/proxy_resolution/pac_file_decider.h
index 86ba3b7cac8..a64b17056db 100644
--- a/chromium/net/proxy_resolution/pac_file_decider.h
+++ b/chromium/net/proxy_resolution/pac_file_decider.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/pac_file_decider_unittest.cc b/chromium/net/proxy_resolution/pac_file_decider_unittest.cc
index df2cbd23b9c..23eed849a88 100644
--- a/chromium/net/proxy_resolution/pac_file_decider_unittest.cc
+++ b/chromium/net/proxy_resolution/pac_file_decider_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -395,12 +395,12 @@ TEST_F(PacFileDeciderQuickCheckTest, AsyncSuccess) {
   EXPECT_THAT(StartDecider(), IsError(ERR_IO_PENDING));
   ASSERT_TRUE(host_resolver().has_pending_requests());
 
-  // The DNS lookup should be pending, and be using the same NetworkIsolationKey
-  // as the PacFileFetcher, so wpad fetches can reuse the DNS lookup result from
-  // the wpad quick check, if it succeeds.
+  // The DNS lookup should be pending, and be using the same
+  // NetworkAnonymizationKey as the PacFileFetcher, so wpad fetches can reuse
+  // the DNS lookup result from the wpad quick check, if it succeeds.
   ASSERT_EQ(1u, host_resolver().last_id());
-  EXPECT_EQ(fetcher_.isolation_info().network_isolation_key(),
-            host_resolver().request_network_isolation_key(1));
+  EXPECT_EQ(fetcher_.isolation_info().network_anonymization_key(),
+            host_resolver().request_network_anonymization_key(1));
 
   host_resolver().ResolveAllPending();
   callback_.WaitForResult();
@@ -419,12 +419,12 @@ TEST_F(PacFileDeciderQuickCheckTest, AsyncFail) {
   EXPECT_THAT(StartDecider(), IsError(ERR_IO_PENDING));
   ASSERT_TRUE(host_resolver().has_pending_requests());
 
-  // The DNS lookup should be pending, and be using the same NetworkIsolationKey
-  // as the PacFileFetcher, so wpad fetches can reuse the DNS lookup result from
-  // the wpad quick check, if it succeeds.
+  // The DNS lookup should be pending, and be using the same
+  // NetworkAnonymizationKey as the PacFileFetcher, so wpad fetches can reuse
+  // the DNS lookup result from the wpad quick check, if it succeeds.
   ASSERT_EQ(1u, host_resolver().last_id());
-  EXPECT_EQ(fetcher_.isolation_info().network_isolation_key(),
-            host_resolver().request_network_isolation_key(1));
+  EXPECT_EQ(fetcher_.isolation_info().network_anonymization_key(),
+            host_resolver().request_network_anonymization_key(1));
 
   host_resolver().ResolveAllPending();
   callback_.WaitForResult();
diff --git a/chromium/net/proxy_resolution/pac_file_fetcher.cc b/chromium/net/proxy_resolution/pac_file_fetcher.cc
index d21e48defb4..e2dce19c39d 100644
--- a/chromium/net/proxy_resolution/pac_file_fetcher.cc
+++ b/chromium/net/proxy_resolution/pac_file_fetcher.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/pac_file_fetcher.h b/chromium/net/proxy_resolution/pac_file_fetcher.h
index 6faf8d75969..138d0a5ad24 100644
--- a/chromium/net/proxy_resolution/pac_file_fetcher.h
+++ b/chromium/net/proxy_resolution/pac_file_fetcher.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/pac_file_fetcher_impl.cc b/chromium/net/proxy_resolution/pac_file_fetcher_impl.cc
index 313f6860f0f..1132aa030ef 100644
--- a/chromium/net/proxy_resolution/pac_file_fetcher_impl.cc
+++ b/chromium/net/proxy_resolution/pac_file_fetcher_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/pac_file_fetcher_impl.h b/chromium/net/proxy_resolution/pac_file_fetcher_impl.h
index 185554dc99d..29872485d45 100644
--- a/chromium/net/proxy_resolution/pac_file_fetcher_impl.h
+++ b/chromium/net/proxy_resolution/pac_file_fetcher_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc b/chromium/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
index 39601b88429..3f7b229acac 100644
--- a/chromium/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
+++ b/chromium/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -263,13 +263,13 @@ TEST_F(PacFileFetcherImplTest, IsolationInfo) {
   EXPECT_EQ(u"-downloadable.pac-\n", text);
 
   // Check that the URL in kDestination is in the HostCache, with
-  // the fetcher's IsolationInfo / NetworkIsolationKey, and no others.
+  // the fetcher's IsolationInfo / NetworkAnonymizationKey, and no others.
   net::HostResolver::ResolveHostParameters params;
   params.source = net::HostResolverSource::LOCAL_ONLY;
   std::unique_ptr<net::HostResolver::ResolveHostRequest> host_request =
       context_->host_resolver()->CreateRequest(
           url::SchemeHostPort(url),
-          pac_fetcher->isolation_info().network_isolation_key(),
+          pac_fetcher->isolation_info().network_anonymization_key(),
           net::NetLogWithSource(), params);
   net::TestCompletionCallback callback2;
   result = host_request->Start(callback2.callback());
@@ -280,10 +280,10 @@ TEST_F(PacFileFetcherImplTest, IsolationInfo) {
   EXPECT_EQ(1u, context_->host_resolver()->GetHostCache()->size());
 
   // Make sure the cache is actually returning different results based on
-  // NetworkIsolationKey.
+  // NetworkAnonymizationKey.
   host_request = context_->host_resolver()->CreateRequest(
-      url::SchemeHostPort(url), NetworkIsolationKey(), net::NetLogWithSource(),
-      params);
+      url::SchemeHostPort(url), NetworkAnonymizationKey(),
+      net::NetLogWithSource(), params);
   net::TestCompletionCallback callback3;
   result = host_request->Start(callback3.callback());
   EXPECT_EQ(net::ERR_NAME_NOT_RESOLVED, callback3.GetResult(result));
diff --git a/chromium/net/proxy_resolution/parse_proxy_bypass_rules_fuzzer.cc b/chromium/net/proxy_resolution/parse_proxy_bypass_rules_fuzzer.cc
index 6f2b98765c6..00bc0b0b343 100644
--- a/chromium/net/proxy_resolution/parse_proxy_bypass_rules_fuzzer.cc
+++ b/chromium/net/proxy_resolution/parse_proxy_bypass_rules_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/parse_proxy_list_fuzzer.cc b/chromium/net/proxy_resolution/parse_proxy_list_fuzzer.cc
index 2e2731c547b..e6789aa01a6 100644
--- a/chromium/net/proxy_resolution/parse_proxy_list_fuzzer.cc
+++ b/chromium/net/proxy_resolution/parse_proxy_list_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/parse_proxy_list_pac_fuzzer.cc b/chromium/net/proxy_resolution/parse_proxy_list_pac_fuzzer.cc
index 370a647b6e0..71cde6e6bc9 100644
--- a/chromium/net/proxy_resolution/parse_proxy_list_pac_fuzzer.cc
+++ b/chromium/net/proxy_resolution/parse_proxy_list_pac_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/parse_proxy_rules_fuzzer.cc b/chromium/net/proxy_resolution/parse_proxy_rules_fuzzer.cc
index 19431c2732d..cc75f55880b 100644
--- a/chromium/net/proxy_resolution/parse_proxy_rules_fuzzer.cc
+++ b/chromium/net/proxy_resolution/parse_proxy_rules_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/polling_proxy_config_service.cc b/chromium/net/proxy_resolution/polling_proxy_config_service.cc
index cc3b8e6e73e..912f48d2f6a 100644
--- a/chromium/net/proxy_resolution/polling_proxy_config_service.cc
+++ b/chromium/net/proxy_resolution/polling_proxy_config_service.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/polling_proxy_config_service.h b/chromium/net/proxy_resolution/polling_proxy_config_service.h
index 0a00618c1a6..653ce423634 100644
--- a/chromium/net/proxy_resolution/polling_proxy_config_service.h
+++ b/chromium/net/proxy_resolution/polling_proxy_config_service.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_bypass_rules.cc b/chromium/net/proxy_resolution/proxy_bypass_rules.cc
index 59ee7b429a7..dd15d15021d 100644
--- a/chromium/net/proxy_resolution/proxy_bypass_rules.cc
+++ b/chromium/net/proxy_resolution/proxy_bypass_rules.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_bypass_rules.h b/chromium/net/proxy_resolution/proxy_bypass_rules.h
index 73f60990f71..8db3323a78b 100644
--- a/chromium/net/proxy_resolution/proxy_bypass_rules.h
+++ b/chromium/net/proxy_resolution/proxy_bypass_rules.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_bypass_rules_unittest.cc b/chromium/net/proxy_resolution/proxy_bypass_rules_unittest.cc
index 91e7e8d5f0f..a08428b7eb9 100644
--- a/chromium/net/proxy_resolution/proxy_bypass_rules_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_bypass_rules_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config.cc b/chromium/net/proxy_resolution/proxy_config.cc
index 89dcb6d0c3b..ee992d8efa0 100644
--- a/chromium/net/proxy_resolution/proxy_config.cc
+++ b/chromium/net/proxy_resolution/proxy_config.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config.h b/chromium/net/proxy_resolution/proxy_config.h
index 17e364c90fd..d041b912eea 100644
--- a/chromium/net/proxy_resolution/proxy_config.h
+++ b/chromium/net/proxy_resolution/proxy_config.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service.cc b/chromium/net/proxy_resolution/proxy_config_service.cc
index 25d8a321619..27544e1a295 100644
--- a/chromium/net/proxy_resolution/proxy_config_service.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service.h b/chromium/net/proxy_resolution/proxy_config_service.h
index 9c8273781da..d2681d46311 100644
--- a/chromium/net/proxy_resolution/proxy_config_service.h
+++ b/chromium/net/proxy_resolution/proxy_config_service.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_android.cc b/chromium/net/proxy_resolution/proxy_config_service_android.cc
index 4eb28c616a2..2e614257b64 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_android.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_android.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_android.h b/chromium/net/proxy_resolution/proxy_config_service_android.h
index 5161dae6767..dcd39258a8f 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_android.h
+++ b/chromium/net/proxy_resolution/proxy_config_service_android.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_android_unittest.cc b/chromium/net/proxy_resolution/proxy_config_service_android_unittest.cc
index e22c517146c..98ebf5dcfb4 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_android_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_android_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_common_unittest.cc b/chromium/net/proxy_resolution/proxy_config_service_common_unittest.cc
index 386137783c9..30c8d82c434 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_common_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_common_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright 2009 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_common_unittest.h b/chromium/net/proxy_resolution/proxy_config_service_common_unittest.h
index 35c6fd65207..c2df13961c3 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_common_unittest.h
+++ b/chromium/net/proxy_resolution/proxy_config_service_common_unittest.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_fixed.cc b/chromium/net/proxy_resolution/proxy_config_service_fixed.cc
index 92dadcc1892..9c1a4116726 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_fixed.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_fixed.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_fixed.h b/chromium/net/proxy_resolution/proxy_config_service_fixed.h
index 86733f38371..ff05795f2f0 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_fixed.h
+++ b/chromium/net/proxy_resolution/proxy_config_service_fixed.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_ios.cc b/chromium/net/proxy_resolution/proxy_config_service_ios.cc
index d22f25936d8..33fca97b6df 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_ios.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_ios.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_ios.h b/chromium/net/proxy_resolution/proxy_config_service_ios.h
index 6169aeaf896..737ca147f40 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_ios.h
+++ b/chromium/net/proxy_resolution/proxy_config_service_ios.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_linux.cc b/chromium/net/proxy_resolution/proxy_config_service_linux.cc
index 9b51cf450a6..38cc85fdb6d 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_linux.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_linux.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -1250,6 +1250,7 @@ ProxyConfigServiceLinux::Delegate::Delegate(
           std::make_unique<SettingGetterImplKDE>(env_var_getter_.get());
       break;
     case base::nix::DESKTOP_ENVIRONMENT_XFCE:
+    case base::nix::DESKTOP_ENVIRONMENT_LXQT:
     case base::nix::DESKTOP_ENVIRONMENT_OTHER:
       break;
   }
diff --git a/chromium/net/proxy_resolution/proxy_config_service_linux.h b/chromium/net/proxy_resolution/proxy_config_service_linux.h
index 2210fc4ea77..7a978082151 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_linux.h
+++ b/chromium/net/proxy_resolution/proxy_config_service_linux.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_linux_unittest.cc b/chromium/net/proxy_resolution/proxy_config_service_linux_unittest.cc
index 3e2267b26b6..1e0e8db8d01 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_linux_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_linux_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_mac.cc b/chromium/net/proxy_resolution/proxy_config_service_mac.cc
index 77d3cd8f10d..e51583a79f8 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_mac.cc
+++ b/chromium/net/proxy_resolution/proxy_config_service_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_service_mac.h b/chromium/net/proxy_resolution/proxy_config_service_mac.h
index fadb5082369..817db470d70 100644
--- a/chromium/net/proxy_resolution/proxy_config_service_mac.h
+++ b/chromium/net/proxy_resolution/proxy_config_service_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_unittest.cc b/chromium/net/proxy_resolution/proxy_config_unittest.cc
index 2d3d9eb94f3..385adcbc084 100644
--- a/chromium/net/proxy_resolution/proxy_config_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_config_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_with_annotation.cc b/chromium/net/proxy_resolution/proxy_config_with_annotation.cc
index 79f469cf8e1..37ef504be20 100644
--- a/chromium/net/proxy_resolution/proxy_config_with_annotation.cc
+++ b/chromium/net/proxy_resolution/proxy_config_with_annotation.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_config_with_annotation.h b/chromium/net/proxy_resolution/proxy_config_with_annotation.h
index 019f2fd1aa7..5e554df1860 100644
--- a/chromium/net/proxy_resolution/proxy_config_with_annotation.h
+++ b/chromium/net/proxy_resolution/proxy_config_with_annotation.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_info.cc b/chromium/net/proxy_resolution/proxy_info.cc
index f1e2f909792..3a2e4651dea 100644
--- a/chromium/net/proxy_resolution/proxy_info.cc
+++ b/chromium/net/proxy_resolution/proxy_info.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_info.h b/chromium/net/proxy_resolution/proxy_info.h
index e2d926e5938..00d3da38cf5 100644
--- a/chromium/net/proxy_resolution/proxy_info.h
+++ b/chromium/net/proxy_resolution/proxy_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_info_unittest.cc b/chromium/net/proxy_resolution/proxy_info_unittest.cc
index 8492c00a0cc..e4480cb1eed 100644
--- a/chromium/net/proxy_resolution/proxy_info_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_info_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_list.cc b/chromium/net/proxy_resolution/proxy_list.cc
index 8bb53de00dc..13f77002142 100644
--- a/chromium/net/proxy_resolution/proxy_list.cc
+++ b/chromium/net/proxy_resolution/proxy_list.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_list.h b/chromium/net/proxy_resolution/proxy_list.h
index 7497a5f507a..667d3412045 100644
--- a/chromium/net/proxy_resolution/proxy_list.h
+++ b/chromium/net/proxy_resolution/proxy_list.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_list_unittest.cc b/chromium/net/proxy_resolution/proxy_list_unittest.cc
index 350c101416e..0f4fdd8894f 100644
--- a/chromium/net/proxy_resolution/proxy_list_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_list_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright 2006-2008 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_resolution_request.h b/chromium/net/proxy_resolution/proxy_resolution_request.h
index 1e729b375cd..3cea2cb6156 100644
--- a/chromium/net/proxy_resolution/proxy_resolution_request.h
+++ b/chromium/net/proxy_resolution/proxy_resolution_request.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_resolution_service.h b/chromium/net/proxy_resolution/proxy_resolution_service.h
index 6f9147bbdf2..3dffc54907c 100644
--- a/chromium/net/proxy_resolution/proxy_resolution_service.h
+++ b/chromium/net/proxy_resolution/proxy_resolution_service.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "base/time/time.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/proxy_server.h"
 #include "net/log/net_log_with_source.h"
 #include "net/proxy_resolution/proxy_info.h"
@@ -46,13 +46,14 @@ class NET_EXPORT ProxyResolutionService {
   // otherwise).  |request| must not be nullptr.
   //
   // Profiling information for the request is saved to |net_log| if non-nullptr.
-  virtual int ResolveProxy(const GURL& url,
-                           const std::string& method,
-                           const NetworkIsolationKey& network_isolation_key,
-                           ProxyInfo* results,
-                           CompletionOnceCallback callback,
-                           std::unique_ptr<ProxyResolutionRequest>* request,
-                           const NetLogWithSource& net_log) = 0;
+  virtual int ResolveProxy(
+      const GURL& url,
+      const std::string& method,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      ProxyInfo* results,
+      CompletionOnceCallback callback,
+      std::unique_ptr<ProxyResolutionRequest>* request,
+      const NetLogWithSource& net_log) = 0;
 
   // Called to report that the last proxy connection succeeded.  If |proxy_info|
   // has a non empty proxy_retry_info map, the proxies that have been tried (and
diff --git a/chromium/net/proxy_resolution/proxy_resolve_dns_operation.h b/chromium/net/proxy_resolution/proxy_resolve_dns_operation.h
index 57dc1549e48..08f7845c995 100644
--- a/chromium/net/proxy_resolution/proxy_resolve_dns_operation.h
+++ b/chromium/net/proxy_resolution/proxy_resolve_dns_operation.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_resolver.h b/chromium/net/proxy_resolution/proxy_resolver.h
index db6b053a59f..d8078b5b948 100644
--- a/chromium/net/proxy_resolution/proxy_resolver.h
+++ b/chromium/net/proxy_resolution/proxy_resolver.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -16,7 +16,7 @@
 namespace net {
 
 class NetLogWithSource;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class ProxyInfo;
 
 // Interface for "proxy resolvers". A ProxyResolver fills in a list of proxies
@@ -47,13 +47,14 @@ class NET_EXPORT_PRIVATE ProxyResolver {
   //
   // |network_isolation_key| is used for any DNS lookups associated with the
   // request, if net's HostResolver is used. If the underlying platform itself
-  // handles proxy resolution, |network_isolation_key| will be ignored.
-  virtual int GetProxyForURL(const GURL& url,
-                             const NetworkIsolationKey& network_isolation_key,
-                             ProxyInfo* results,
-                             CompletionOnceCallback callback,
-                             std::unique_ptr<Request>* request,
-                             const NetLogWithSource& net_log) = 0;
+  // handles proxy resolution, |network_anonymization_key| will be ignored.
+  virtual int GetProxyForURL(
+      const GURL& url,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      ProxyInfo* results,
+      CompletionOnceCallback callback,
+      std::unique_ptr<Request>* request,
+      const NetLogWithSource& net_log) = 0;
 };
 
 }  // namespace net
diff --git a/chromium/net/proxy_resolution/proxy_resolver_error_observer.h b/chromium/net/proxy_resolution/proxy_resolver_error_observer.h
index 4ee27bf0632..b5b3621b245 100644
--- a/chromium/net/proxy_resolution/proxy_resolver_error_observer.h
+++ b/chromium/net/proxy_resolution/proxy_resolver_error_observer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_resolver_factory.cc b/chromium/net/proxy_resolution/proxy_resolver_factory.cc
index 24500c0fea9..aefd5d92d2b 100644
--- a/chromium/net/proxy_resolution/proxy_resolver_factory.cc
+++ b/chromium/net/proxy_resolution/proxy_resolver_factory.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_resolver_factory.h b/chromium/net/proxy_resolution/proxy_resolver_factory.h
index 125b47f192a..20e2697137a 100644
--- a/chromium/net/proxy_resolution/proxy_resolver_factory.h
+++ b/chromium/net/proxy_resolution/proxy_resolver_factory.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_resolver_mac.cc b/chromium/net/proxy_resolution/proxy_resolver_mac.cc
index df89ff1dc96..885d7f53c49 100644
--- a/chromium/net/proxy_resolution/proxy_resolver_mac.cc
+++ b/chromium/net/proxy_resolution/proxy_resolver_mac.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -33,7 +33,7 @@
 
 namespace net {
 
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 
 namespace {
 
@@ -203,7 +203,7 @@ class ProxyResolverMac : public ProxyResolver {
 
   // ProxyResolver methods:
   int GetProxyForURL(const GURL& url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anonymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -223,7 +223,7 @@ ProxyResolverMac::~ProxyResolverMac() = default;
 // inspired by http://developer.apple.com/samplecode/CFProxySupportTool/
 int ProxyResolverMac::GetProxyForURL(
     const GURL& query_url,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ProxyInfo* results,
     CompletionOnceCallback /*callback*/,
     std::unique_ptr<Request>* /*request*/,
diff --git a/chromium/net/proxy_resolution/proxy_resolver_mac.h b/chromium/net/proxy_resolution/proxy_resolver_mac.h
index 27034a78347..819b7d32bc0 100644
--- a/chromium/net/proxy_resolution/proxy_resolver_mac.h
+++ b/chromium/net/proxy_resolution/proxy_resolver_mac.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/proxy_retry_info.h b/chromium/net/proxy_resolution/proxy_retry_info.h
index 2f85527bc71..e451433e880 100644
--- a/chromium/net/proxy_resolution/proxy_retry_info.h
+++ b/chromium/net/proxy_resolution/proxy_retry_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Copyright 2006-2008 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win.cc b/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win.cc
index 948a1cc5682..0245b68ae34 100644
--- a/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win.cc
+++ b/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win.h b/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win.h
index 40b13cc3e3c..43c34b2c915 100644
--- a/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win.h
+++ b/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win_unittest.cc b/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win_unittest.cc
index 3a096142609..85c0f8a59d7 100644
--- a/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win_unittest.cc
+++ b/chromium/net/proxy_resolution/win/dhcp_pac_file_adapter_fetcher_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win.cc b/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win.cc
index cf73ed28d7b..3db8560b8cb 100644
--- a/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win.cc
+++ b/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win.h b/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win.h
index d09a8e4b866..0ae123076bc 100644
--- a/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win.h
+++ b/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win_unittest.cc b/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win_unittest.cc
index 83502ae8dd6..d2b0f8dbd7d 100644
--- a/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win_unittest.cc
+++ b/chromium/net/proxy_resolution/win/dhcp_pac_file_fetcher_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/dhcpcsvc_init_win.cc b/chromium/net/proxy_resolution/win/dhcpcsvc_init_win.cc
index d9a7c6697ca..a1b1b6f28f9 100644
--- a/chromium/net/proxy_resolution/win/dhcpcsvc_init_win.cc
+++ b/chromium/net/proxy_resolution/win/dhcpcsvc_init_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/dhcpcsvc_init_win.h b/chromium/net/proxy_resolution/win/dhcpcsvc_init_win.h
index e6809e67c25..94b5bb2c299 100644
--- a/chromium/net/proxy_resolution/win/dhcpcsvc_init_win.h
+++ b/chromium/net/proxy_resolution/win/dhcpcsvc_init_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/proxy_config_service_win.cc b/chromium/net/proxy_resolution/win/proxy_config_service_win.cc
index 70fdd50fa40..92c8d510e67 100644
--- a/chromium/net/proxy_resolution/win/proxy_config_service_win.cc
+++ b/chromium/net/proxy_resolution/win/proxy_config_service_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,6 +11,7 @@
 #include "base/callback.h"
 #include "base/callback_helpers.h"
 #include "base/logging.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_tokenizer.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
@@ -126,10 +127,8 @@ bool ProxyConfigServiceWin::AddKeyToWatchList(HKEY rootkey,
 
 void ProxyConfigServiceWin::OnObjectSignaled(base::win::RegKey* key) {
   // Figure out which registry key signalled this change.
-  auto it = std::find_if(keys_to_watch_.begin(), keys_to_watch_.end(),
-                         [key](const std::unique_ptr<base::win::RegKey>& ptr) {
-                           return ptr.get() == key;
-                         });
+  auto it = base::ranges::find(keys_to_watch_, key,
+                               &std::unique_ptr<base::win::RegKey>::get);
   DCHECK(it != keys_to_watch_.end());
 
   // Keep watching the registry key.
diff --git a/chromium/net/proxy_resolution/win/proxy_config_service_win.h b/chromium/net/proxy_resolution/win/proxy_config_service_win.h
index 6d3df0377ba..97bdc6f97a4 100644
--- a/chromium/net/proxy_resolution/win/proxy_config_service_win.h
+++ b/chromium/net/proxy_resolution/win/proxy_config_service_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/proxy_config_service_win_unittest.cc b/chromium/net/proxy_resolution/win/proxy_config_service_win_unittest.cc
index 25cd518cca0..26e135bf055 100644
--- a/chromium/net/proxy_resolution/win/proxy_config_service_win_unittest.cc
+++ b/chromium/net/proxy_resolution/win/proxy_config_service_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/proxy_resolver_winhttp.cc b/chromium/net/proxy_resolution/win/proxy_resolver_winhttp.cc
index ae5fa944af7..53acf4da1a4 100644
--- a/chromium/net/proxy_resolution/win/proxy_resolver_winhttp.cc
+++ b/chromium/net/proxy_resolution/win/proxy_resolver_winhttp.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -61,7 +61,7 @@ class ProxyResolverWinHttp : public ProxyResolver {
 
   // ProxyResolver implementation:
   int GetProxyForURL(const GURL& url,
-                     const NetworkIsolationKey& network_isolation_key,
+                     const NetworkAnonymizationKey& network_anymization_key,
                      ProxyInfo* results,
                      CompletionOnceCallback /*callback*/,
                      std::unique_ptr<Request>* /*request*/,
@@ -89,7 +89,7 @@ ProxyResolverWinHttp::~ProxyResolverWinHttp() {
 
 int ProxyResolverWinHttp::GetProxyForURL(
     const GURL& query_url,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ProxyInfo* results,
     CompletionOnceCallback /*callback*/,
     std::unique_ptr<Request>* /*request*/,
diff --git a/chromium/net/proxy_resolution/win/proxy_resolver_winhttp.h b/chromium/net/proxy_resolution/win/proxy_resolver_winhttp.h
index b4208f0cce3..08811a9783d 100644
--- a/chromium/net/proxy_resolution/win/proxy_resolver_winhttp.h
+++ b/chromium/net/proxy_resolution/win/proxy_resolver_winhttp.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_request.cc b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_request.cc
index ea50d9dd3ec..de044168566 100644
--- a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_request.cc
+++ b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_request.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_request.h b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_request.h
index 8c764395ac2..bd1e800b346 100644
--- a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_request.h
+++ b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_request.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service.cc b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service.cc
index f29b9ad9731..8e8909dbcd1 100644
--- a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service.cc
+++ b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -68,7 +68,7 @@ WindowsSystemProxyResolutionService::~WindowsSystemProxyResolutionService() {
 int WindowsSystemProxyResolutionService::ResolveProxy(
     const GURL& url,
     const std::string& method,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     ProxyInfo* results,
     CompletionOnceCallback callback,
     std::unique_ptr<ProxyResolutionRequest>* request,
diff --git a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service.h b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service.h
index 8c2331e1d5a..8d418d6acda 100644
--- a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service.h
+++ b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -48,7 +48,7 @@ class NET_EXPORT WindowsSystemProxyResolutionService
   // ProxyResolutionService implementation
   int ResolveProxy(const GURL& url,
                    const std::string& method,
-                   const NetworkIsolationKey& network_isolation_key,
+                   const NetworkAnonymizationKey& network_anonymization_key,
                    ProxyInfo* results,
                    CompletionOnceCallback callback,
                    std::unique_ptr<ProxyResolutionRequest>* request,
diff --git a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service_unittest.cc b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service_unittest.cc
index 6f0c896e706..246ece3b320 100644
--- a/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service_unittest.cc
+++ b/chromium/net/proxy_resolution/win/windows_system_proxy_resolution_service_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -129,7 +129,7 @@ class WindowsSystemProxyResolutionServiceTest : public TestWithTaskEnvironment {
     NetLogWithSource log;
     std::unique_ptr<ProxyResolutionRequest> request;
     int result = service()->ResolveProxy(kResourceUrl, std::string(),
-                                         NetworkIsolationKey(), &info,
+                                         NetworkAnonymizationKey(), &info,
                                          callback.callback(), &request, log);
 
     ASSERT_THAT(result, IsError(ERR_IO_PENDING));
@@ -168,7 +168,7 @@ TEST_F(WindowsSystemProxyResolutionServiceTest, ResolveProxyFailed) {
   NetLogWithSource log;
   std::unique_ptr<ProxyResolutionRequest> request;
   int result = service()->ResolveProxy(kResourceUrl, std::string(),
-                                       NetworkIsolationKey(), &info,
+                                       NetworkAnonymizationKey(), &info,
                                        callback.callback(), &request, log);
 
   ASSERT_THAT(result, IsError(ERR_IO_PENDING));
@@ -192,7 +192,7 @@ TEST_F(WindowsSystemProxyResolutionServiceTest, ResolveProxyCancelled) {
   NetLogWithSource log;
   std::unique_ptr<ProxyResolutionRequest> request;
   int result = service()->ResolveProxy(kResourceUrl, std::string(),
-                                       NetworkIsolationKey(), &info,
+                                       NetworkAnonymizationKey(), &info,
                                        callback.callback(), &request, log);
 
   ASSERT_THAT(result, IsError(ERR_IO_PENDING));
@@ -234,7 +234,7 @@ TEST_F(WindowsSystemProxyResolutionServiceTest,
   TestCompletionCallback first_callback;
   std::unique_ptr<ProxyResolutionRequest> first_request;
   int result = service()->ResolveProxy(
-      kResourceUrl, std::string(), NetworkIsolationKey(), &first_proxy_info,
+      kResourceUrl, std::string(), NetworkAnonymizationKey(), &first_proxy_info,
       first_callback.callback(), &first_request, log);
   ASSERT_THAT(result, IsError(ERR_IO_PENDING));
   ASSERT_NE(first_request, nullptr);
@@ -243,7 +243,7 @@ TEST_F(WindowsSystemProxyResolutionServiceTest,
   TestCompletionCallback second_callback;
   std::unique_ptr<ProxyResolutionRequest> second_request;
   result = service()->ResolveProxy(
-      kResourceUrl, std::string(), NetworkIsolationKey(), &second_proxy_info,
+      kResourceUrl, std::string(), NetworkAnonymizationKey(), &second_proxy_info,
       second_callback.callback(), &second_request, log);
   ASSERT_THAT(result, IsError(ERR_IO_PENDING));
   ASSERT_NE(second_request, nullptr);
@@ -271,7 +271,7 @@ TEST_F(WindowsSystemProxyResolutionServiceTest,
   TestCompletionCallback first_callback;
   std::unique_ptr<ProxyResolutionRequest> first_request;
   int result = service()->ResolveProxy(
-      kResourceUrl, std::string(), NetworkIsolationKey(), &first_proxy_info,
+      kResourceUrl, std::string(), NetworkAnonymizationKey(), &first_proxy_info,
       first_callback.callback(), &first_request, log);
   ASSERT_THAT(result, IsError(ERR_IO_PENDING));
   ASSERT_NE(first_request, nullptr);
@@ -280,7 +280,7 @@ TEST_F(WindowsSystemProxyResolutionServiceTest,
   TestCompletionCallback second_callback;
   std::unique_ptr<ProxyResolutionRequest> second_request;
   result = service()->ResolveProxy(
-      kResourceUrl, std::string(), NetworkIsolationKey(), &second_proxy_info,
+      kResourceUrl, std::string(), NetworkAnonymizationKey(), &second_proxy_info,
       second_callback.callback(), &second_request, log);
   ASSERT_THAT(result, IsError(ERR_IO_PENDING));
   ASSERT_NE(second_request, nullptr);
diff --git a/chromium/net/proxy_resolution/win/windows_system_proxy_resolver.h b/chromium/net/proxy_resolution/win/windows_system_proxy_resolver.h
index d958e50ed4a..d42ef8d25ef 100644
--- a/chromium/net/proxy_resolution/win/windows_system_proxy_resolver.h
+++ b/chromium/net/proxy_resolution/win/windows_system_proxy_resolver.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/proxy_resolution/win/winhttp_status.h b/chromium/net/proxy_resolution/win/winhttp_status.h
index f945936cb6d..975d714dab3 100644
--- a/chromium/net/proxy_resolution/win/winhttp_status.h
+++ b/chromium/net/proxy_resolution/win/winhttp_status.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/address_utils.h b/chromium/net/quic/address_utils.h
index b80e5870bd6..ec2de5d52d2 100644
--- a/chromium/net/quic/address_utils.h
+++ b/chromium/net/quic/address_utils.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,8 +9,8 @@
 
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
-#include "net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address.h"
-#include "net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address_family.h"
+#include "net/third_party/quiche/src/quiche/common/quiche_ip_address.h"
+#include "net/third_party/quiche/src/quiche/common/quiche_ip_address_family.h"
 #include "net/third_party/quiche/src/quiche/quic/platform/api/quic_socket_address.h"
 
 namespace net {
@@ -34,18 +34,18 @@ inline IPAddress ToIPAddress(quic::QuicIpAddress address) {
   }
 
   switch (address.address_family()) {
-    case quic::IpAddressFamily::IP_V4: {
+    case quiche::IpAddressFamily::IP_V4: {
       in_addr raw_address = address.GetIPv4();
       return IPAddress(reinterpret_cast<const uint8_t*>(&raw_address),
                        sizeof(raw_address));
     }
-    case quic::IpAddressFamily::IP_V6: {
+    case quiche::IpAddressFamily::IP_V6: {
       in6_addr raw_address = address.GetIPv6();
       return IPAddress(reinterpret_cast<const uint8_t*>(&raw_address),
                        sizeof(raw_address));
     }
     default:
-      DCHECK_EQ(address.address_family(), quic::IpAddressFamily::IP_UNSPEC);
+      DCHECK_EQ(address.address_family(), quiche::IpAddressFamily::IP_UNSPEC);
       return IPAddress();
   }
 }
diff --git a/chromium/net/quic/bidirectional_stream_quic_impl.cc b/chromium/net/quic/bidirectional_stream_quic_impl.cc
index 1e017f842d5..3ca2e57a315 100644
--- a/chromium/net/quic/bidirectional_stream_quic_impl.cc
+++ b/chromium/net/quic/bidirectional_stream_quic_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/bidirectional_stream_quic_impl.h b/chromium/net/quic/bidirectional_stream_quic_impl.h
index 33c430982fa..f866bf7e330 100644
--- a/chromium/net/quic/bidirectional_stream_quic_impl.h
+++ b/chromium/net/quic/bidirectional_stream_quic_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc b/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc
index 3838daac8b7..2b515e34287 100644
--- a/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc
+++ b/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -54,6 +54,7 @@
 #include "net/third_party/quiche/src/quiche/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/mock_clock.h"
+#include "net/third_party/quiche/src/quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/mock_random.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.h"
@@ -525,7 +526,7 @@ class BidirectionalStreamQuicImplTest
         ToQuicSocketAddress(peer_addr_), helper_.get(), alarm_factory_.get(),
         new QuicChromiumPacketWriter(socket.get(), runner_.get()),
         true /* owns_writer */, quic::Perspective::IS_CLIENT,
-        quic::test::SupportedVersions(version_));
+        quic::test::SupportedVersions(version_), connection_id_generator_);
     if (connection_->version().KnowsWhichDecrypterToUse()) {
       connection_->InstallDecrypter(
           quic::ENCRYPTION_FORWARD_SECURE,
@@ -541,7 +542,7 @@ class BidirectionalStreamQuicImplTest
         base::WrapUnique(static_cast<QuicServerInfo*>(nullptr)),
         QuicSessionKey(kDefaultServerHostName, kDefaultServerPort,
                        PRIVACY_MODE_DISABLED, SocketTag(),
-                       NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                       NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                        /*require_dns_https_alpn=*/false),
         /*require_confirmation=*/false,
         /*migrate_session_early_v2=*/false,
@@ -842,6 +843,7 @@ class BidirectionalStreamQuicImplTest
   std::unique_ptr<StaticSocketDataProvider> socket_data_;
   std::vector<PacketToWrite> writes_;
   url::SchemeHostPort destination_;
+  quic::test::MockConnectionIdGenerator connection_id_generator_;
   quic::test::NoopQpackStreamSenderDelegate noop_qpack_stream_sender_delegate_;
 };
 
diff --git a/chromium/net/quic/crypto/proof_source_chromium.cc b/chromium/net/quic/crypto/proof_source_chromium.cc
index 8da8b0f52ac..64f538de728 100644
--- a/chromium/net/quic/crypto/proof_source_chromium.cc
+++ b/chromium/net/quic/crypto/proof_source_chromium.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/crypto/proof_source_chromium.h b/chromium/net/quic/crypto/proof_source_chromium.h
index b13951dd2af..6cfbc034e21 100644
--- a/chromium/net/quic/crypto/proof_source_chromium.h
+++ b/chromium/net/quic/crypto/proof_source_chromium.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/crypto/proof_test_chromium.cc b/chromium/net/quic/crypto/proof_test_chromium.cc
index 8933e51532d..7e7b6e126d7 100644
--- a/chromium/net/quic/crypto/proof_test_chromium.cc
+++ b/chromium/net/quic/crypto/proof_test_chromium.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/crypto/proof_verifier_chromium.cc b/chromium/net/quic/crypto/proof_verifier_chromium.cc
index ef2198f4750..99c83d95cd0 100644
--- a/chromium/net/quic/crypto/proof_verifier_chromium.cc
+++ b/chromium/net/quic/crypto/proof_verifier_chromium.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@
 #include "crypto/signature_verifier.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
@@ -412,7 +412,7 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
             cert_verify_result.public_key_hashes, cert_.get(),
             cert_verify_result.verified_cert.get(),
             TransportSecurityState::ENABLE_PIN_REPORTS,
-            proof_verifier_->network_isolation_key_,
+            proof_verifier_->network_anonymization_key_,
             &verify_details_->pinning_failure_log);
     switch (pin_validity) {
       case TransportSecurityState::PKPStatus::VIOLATED:
@@ -537,7 +537,7 @@ int ProofVerifierChromium::Job::CheckCTCompliance() {
           cert_verify_result.scts,
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           cert_verify_result.policy_compliance,
-          proof_verifier_->network_isolation_key_);
+          proof_verifier_->network_anonymization_key_);
 
   if (sct_auditing_delegate_) {
     sct_auditing_delegate_->MaybeEnqueueReport(
@@ -562,13 +562,13 @@ ProofVerifierChromium::ProofVerifierChromium(
     TransportSecurityState* transport_security_state,
     SCTAuditingDelegate* sct_auditing_delegate,
     std::set<std::string> hostnames_to_allow_unknown_roots,
-    const NetworkIsolationKey& network_isolation_key)
+    const NetworkAnonymizationKey& network_anonymization_key)
     : cert_verifier_(cert_verifier),
       ct_policy_enforcer_(ct_policy_enforcer),
       transport_security_state_(transport_security_state),
       sct_auditing_delegate_(sct_auditing_delegate),
       hostnames_to_allow_unknown_roots_(hostnames_to_allow_unknown_roots),
-      network_isolation_key_(network_isolation_key) {
+      network_anonymization_key_(network_anonymization_key) {
   DCHECK(cert_verifier_);
   DCHECK(ct_policy_enforcer_);
   DCHECK(transport_security_state_);
diff --git a/chromium/net/quic/crypto/proof_verifier_chromium.h b/chromium/net/quic/crypto/proof_verifier_chromium.h
index 57a6ae73037..bc23e4f1fde 100644
--- a/chromium/net/quic/crypto/proof_verifier_chromium.h
+++ b/chromium/net/quic/crypto/proof_verifier_chromium.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,7 +14,7 @@
 #include "base/compiler_specific.h"
 #include "base/memory/raw_ptr.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/x509_certificate.h"
 #include "net/log/net_log_with_source.h"
@@ -70,12 +70,13 @@ struct ProofVerifyContextChromium : public quic::ProofVerifyContext {
 // is capable of handling multiple simultaneous requests.
 class NET_EXPORT_PRIVATE ProofVerifierChromium : public quic::ProofVerifier {
  public:
-  ProofVerifierChromium(CertVerifier* cert_verifier,
-                        CTPolicyEnforcer* ct_policy_enforcer,
-                        TransportSecurityState* transport_security_state,
-                        SCTAuditingDelegate* sct_auditing_delegate,
-                        std::set<std::string> hostnames_to_allow_unknown_roots,
-                        const NetworkIsolationKey& network_isolation_key);
+  ProofVerifierChromium(
+      CertVerifier* cert_verifier,
+      CTPolicyEnforcer* ct_policy_enforcer,
+      TransportSecurityState* transport_security_state,
+      SCTAuditingDelegate* sct_auditing_delegate,
+      std::set<std::string> hostnames_to_allow_unknown_roots,
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   ProofVerifierChromium(const ProofVerifierChromium&) = delete;
   ProofVerifierChromium& operator=(const ProofVerifierChromium&) = delete;
@@ -127,7 +128,7 @@ class NET_EXPORT_PRIVATE ProofVerifierChromium : public quic::ProofVerifier {
 
   std::set<std::string> hostnames_to_allow_unknown_roots_;
 
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
 };
 
 }  // namespace net
diff --git a/chromium/net/quic/crypto/proof_verifier_chromium_test.cc b/chromium/net/quic/crypto/proof_verifier_chromium_test.cc
index ca64d1f8959..efad4ab667f 100644
--- a/chromium/net/quic/crypto/proof_verifier_chromium_test.cc
+++ b/chromium/net/quic/crypto/proof_verifier_chromium_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,7 +15,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/features.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/cert/cert_and_ct_verifier.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
@@ -139,7 +139,7 @@ const quic::QuicTransportVersion kTestTransportVersion =
 }  // namespace
 
 // A mock ReportSenderInterface that just remembers the latest report
-// URI and its NetworkIsolationKey.
+// URI and its NetworkAnonymizationKey.
 class MockCertificateReportSender
     : public TransportSecurityState::ReportSenderInterface {
  public:
@@ -150,21 +150,21 @@ class MockCertificateReportSender
       const GURL& report_uri,
       base::StringPiece content_type,
       base::StringPiece report,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       base::OnceCallback<void()> success_callback,
       base::OnceCallback<void(const GURL&, int, int)> error_callback) override {
     latest_report_uri_ = report_uri;
-    latest_network_isolation_key_ = network_isolation_key;
+    latest_network_anonymization_key_ = network_anonymization_key;
   }
 
   const GURL& latest_report_uri() { return latest_report_uri_; }
-  const NetworkIsolationKey& latest_network_isolation_key() {
-    return latest_network_isolation_key_;
+  const NetworkAnonymizationKey& latest_network_anonymization_key() {
+    return latest_network_anonymization_key_;
   }
 
  private:
   GURL latest_report_uri_;
-  NetworkIsolationKey latest_network_isolation_key_;
+  NetworkAnonymizationKey latest_network_anonymization_key_;
 };
 
 class ProofVerifierChromiumTest : public ::testing::Test {
@@ -250,7 +250,7 @@ TEST_F(ProofVerifierChromiumTest, VerifyProof) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -284,7 +284,7 @@ TEST_F(ProofVerifierChromiumTest, FailsIfCertFails) {
   MockCertVerifier dummy_verifier;
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -338,7 +338,7 @@ TEST_F(ProofVerifierChromiumTest, ValidSCTList) {
 
   ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyCertChain(
@@ -380,7 +380,7 @@ TEST_F(ProofVerifierChromiumTest, InvalidSCTList) {
 
   ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyCertChain(
@@ -397,7 +397,7 @@ TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) {
   FailsTestCertVerifier cert_verifier;
   ProofVerifierChromium proof_verifier(&cert_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -421,7 +421,7 @@ TEST_F(ProofVerifierChromiumTest, PreservesEVIfAllowed) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -464,7 +464,7 @@ TEST_F(ProofVerifierChromiumTest, StripsEVIfNotAllowed) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -511,7 +511,7 @@ TEST_F(ProofVerifierChromiumTest, IsFatalErrorNotSetForNonFatalError) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -547,7 +547,7 @@ TEST_F(ProofVerifierChromiumTest, IsFatalErrorSetForFatalError) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -586,7 +586,7 @@ TEST_F(ProofVerifierChromiumTest, PKPEnforced) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -634,9 +634,9 @@ TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) {
   transport_security_state_.SetPinningListAlwaysTimelyForTesting(true);
   ScopedTransportSecurityStateSource scoped_security_state_source;
 
-  ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
-                                       &transport_security_state_, nullptr,
-                                       {kCTAndPKPHost}, NetworkIsolationKey());
+  ProofVerifierChromium proof_verifier(
+      &dummy_verifier, &ct_policy_enforcer_, &transport_security_state_,
+      nullptr, {kCTAndPKPHost}, NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -664,8 +664,8 @@ TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) {
 
 // Test that PKP errors result in sending reports.
 TEST_F(ProofVerifierChromiumTest, PKPReport) {
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
 
   MockCertificateReportSender report_sender;
   transport_security_state_.SetReportSender(&report_sender);
@@ -689,7 +689,7 @@ TEST_F(ProofVerifierChromiumTest, PKPReport) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       network_isolation_key);
+                                       network_anonymization_key);
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -721,8 +721,8 @@ TEST_F(ProofVerifierChromiumTest, PKPReport) {
   EXPECT_NE("", verify_details->pinning_failure_log);
 
   EXPECT_EQ(report_uri, report_sender.latest_report_uri());
-  EXPECT_EQ(network_isolation_key,
-            report_sender.latest_network_isolation_key());
+  EXPECT_EQ(network_anonymization_key,
+            report_sender.latest_network_anonymization_key());
 }
 
 // Test that when CT is required (in this case, by the delegate), the
@@ -749,7 +749,7 @@ TEST_F(ProofVerifierChromiumTest, CTIsRequired) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -808,7 +808,7 @@ TEST_F(ProofVerifierChromiumTest, PKPAndCTBothTested) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -848,7 +848,7 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootRejected) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr, {},
-                                       NetworkIsolationKey());
+                                       NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -877,9 +877,9 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootAcceptedWithOverride) {
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_, OK);
 
-  ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
-                                       &transport_security_state_, nullptr,
-                                       {kTestHostname}, NetworkIsolationKey());
+  ProofVerifierChromium proof_verifier(
+      &dummy_verifier, &ct_policy_enforcer_, &transport_security_state_,
+      nullptr, {kTestHostname}, NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -915,7 +915,7 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootAcceptedWithWildcardOverride) {
 
   ProofVerifierChromium proof_verifier(&dummy_verifier, &ct_policy_enforcer_,
                                        &transport_security_state_, nullptr,
-                                       {""}, NetworkIsolationKey());
+                                       {""}, NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
@@ -964,7 +964,7 @@ TEST_F(ProofVerifierChromiumTest, SCTAuditingReportCollected) {
 
   ProofVerifierChromium proof_verifier(
       &cert_verifier, &ct_policy_enforcer_, &transport_security_state_,
-      &sct_auditing_delegate, {}, NetworkIsolationKey());
+      &sct_auditing_delegate, {}, NetworkAnonymizationKey());
 
   auto callback = std::make_unique<DummyProofVerifierCallback>();
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
diff --git a/chromium/net/quic/crypto_test_utils_chromium.cc b/chromium/net/quic/crypto_test_utils_chromium.cc
index db68335933e..311275112ac 100644
--- a/chromium/net/quic/crypto_test_utils_chromium.cc
+++ b/chromium/net/quic/crypto_test_utils_chromium.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,7 @@
 #include "base/check.h"
 #include "base/memory/ref_counted.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
diff --git a/chromium/net/quic/crypto_test_utils_chromium.h b/chromium/net/quic/crypto_test_utils_chromium.h
index 065d4e56d51..4f7414376f0 100644
--- a/chromium/net/quic/crypto_test_utils_chromium.h
+++ b/chromium/net/quic/crypto_test_utils_chromium.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/dedicated_web_transport_http3_client.cc b/chromium/net/quic/dedicated_web_transport_http3_client.cc
index 9d3116ea232..9a618169e10 100644
--- a/chromium/net/quic/dedicated_web_transport_http3_client.cc
+++ b/chromium/net/quic/dedicated_web_transport_http3_client.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -66,7 +66,7 @@ class ChromiumWebTransportFingerprintProofVerifier
 };
 
 std::unique_ptr<quic::ProofVerifier> CreateProofVerifier(
-    const NetworkIsolationKey& isolation_key,
+    const NetworkAnonymizationKey& anonymization_key,
     URLRequestContext* context,
     const WebTransportParameters& parameters) {
   if (parameters.server_certificate_fingerprints.empty()) {
@@ -75,7 +75,7 @@ std::unique_ptr<quic::ProofVerifier> CreateProofVerifier(
         context->transport_security_state(), context->sct_auditing_delegate(),
         HostsFromOrigins(
             context->quic_context()->params()->origins_to_force_quic_on),
-        isolation_key);
+        anonymization_key);
   }
 
   auto verifier =
@@ -260,12 +260,12 @@ DedicatedWebTransportHttp3Client::DedicatedWebTransportHttp3Client(
     const GURL& url,
     const url::Origin& origin,
     WebTransportClientVisitor* visitor,
-    const NetworkIsolationKey& isolation_key,
+    const NetworkAnonymizationKey& anonymization_key,
     URLRequestContext* context,
     const WebTransportParameters& parameters)
     : url_(url),
       origin_(origin),
-      isolation_key_(isolation_key),
+      anonymization_key_(anonymization_key),
       context_(context),
       visitor_(visitor),
       quic_context_(context->quic_context()),
@@ -279,13 +279,15 @@ DedicatedWebTransportHttp3Client::DedicatedWebTransportHttp3Client(
       // (currently, all certificate verification errors result in "TLS
       // handshake error" even when more detailed message is available).  This
       // requires implementing ProofHandler::OnProofVerifyDetailsAvailable.
-      crypto_config_(CreateProofVerifier(isolation_key_, context, parameters),
-                     /* session_cache */ nullptr) {
+      crypto_config_(
+          CreateProofVerifier(anonymization_key_, context, parameters),
+          /* session_cache */ nullptr) {
   net_log_.BeginEvent(
       NetLogEventType::QUIC_SESSION_WEBTRANSPORT_CLIENT_ALIVE, [&] {
         base::Value::Dict dict;
         dict.Set("url", url.possibly_invalid_spec());
-        dict.Set("network_isolation_key", isolation_key.ToDebugString());
+        dict.Set("network_anonymization_key",
+                 anonymization_key.ToDebugString());
         return base::Value(std::move(dict));
       });
 }
@@ -294,6 +296,9 @@ DedicatedWebTransportHttp3Client::~DedicatedWebTransportHttp3Client() {
   net_log_.EndEventWithNetErrorCode(
       NetLogEventType::QUIC_SESSION_WEBTRANSPORT_CLIENT_ALIVE,
       error_ ? error_->net_error : OK);
+  // |session_| owns this, so we need to make sure we release it before
+  // it gets dangling.
+  connection_ = nullptr;
 }
 
 void DedicatedWebTransportHttp3Client::Connect() {
@@ -359,8 +364,10 @@ void DedicatedWebTransportHttp3Client::DoLoop(int rv) {
         DCHECK_EQ(rv, OK);
         rv = DoConnect();
         break;
+      case CONNECT_STATE_CONNECT_CONFIGURE:
+        rv = DoConnectConfigure(rv);
+        break;
       case CONNECT_STATE_CONNECT_COMPLETE:
-        DCHECK_EQ(rv, OK);
         rv = DoConnectComplete();
         break;
       case CONNECT_STATE_SEND_REQUEST:
@@ -421,7 +428,7 @@ int DedicatedWebTransportHttp3Client::DoInit() {
 int DedicatedWebTransportHttp3Client::DoCheckProxy() {
   next_connect_state_ = CONNECT_STATE_CHECK_PROXY_COMPLETE;
   return context_->proxy_resolution_service()->ResolveProxy(
-      url_, /* method */ "CONNECT", isolation_key_, &proxy_info_,
+      url_, /* method */ "CONNECT", anonymization_key_, &proxy_info_,
       base::BindOnce(&DedicatedWebTransportHttp3Client::DoLoop,
                      base::Unretained(this)),
       &proxy_resolution_request_, net_log_);
@@ -443,7 +450,7 @@ int DedicatedWebTransportHttp3Client::DoResolveHost() {
   next_connect_state_ = CONNECT_STATE_RESOLVE_HOST_COMPLETE;
   HostResolver::ResolveHostParameters parameters;
   resolve_host_request_ = context_->host_resolver()->CreateRequest(
-      url::SchemeHostPort(url_), isolation_key_, net_log_, absl::nullopt);
+      url::SchemeHostPort(url_), anonymization_key_, net_log_, absl::nullopt);
   return resolve_host_request_->Start(base::BindOnce(
       &DedicatedWebTransportHttp3Client::DoLoop, base::Unretained(this)));
 }
@@ -458,7 +465,7 @@ int DedicatedWebTransportHttp3Client::DoResolveHostComplete(int rv) {
 }
 
 int DedicatedWebTransportHttp3Client::DoConnect() {
-  int rv = OK;
+  next_connect_state_ = CONNECT_STATE_CONNECT_CONFIGURE;
 
   // TODO(vasilvv): consider unifying parts of this code with QuicSocketFactory
   // (which currently has a lot of code specific to QuicChromiumClientSession).
@@ -472,27 +479,9 @@ int DedicatedWebTransportHttp3Client::DoConnect() {
 
   IPEndPoint server_address =
       *resolve_host_request_->GetAddressResults()->begin();
-  rv = socket_->Connect(server_address);
-  if (rv != OK)
-    return rv;
-
-  rv = socket_->SetReceiveBufferSize(kQuicSocketReceiveBufferSize);
-  if (rv != OK)
-    return rv;
-
-  rv = socket_->SetDoNotFragment();
-  if (rv == ERR_NOT_IMPLEMENTED)
-    rv = OK;
-  if (rv != OK)
-    return rv;
-
-  rv = socket_->SetSendBufferSize(quic::kMaxOutgoingPacketSize * 20);
-  if (rv != OK)
-    return rv;
-
-  CreateConnection();
-  next_connect_state_ = CONNECT_STATE_CONNECT_COMPLETE;
-  return ERR_IO_PENDING;
+  return socket_->ConnectAsync(
+      server_address, base::BindOnce(&DedicatedWebTransportHttp3Client::DoLoop,
+                                     base::Unretained(this)));
 }
 
 void DedicatedWebTransportHttp3Client::CreateConnection() {
@@ -511,8 +500,8 @@ void DedicatedWebTransportHttp3Client::CreateConnection() {
       ToQuicSocketAddress(server_address), quic_context_->helper(),
       alarm_factory_.get(),
       new QuicChromiumPacketWriter(socket_.get(), task_runner_),
-      /* owns_writer */ true, quic::Perspective::IS_CLIENT,
-      supported_versions_);
+      /* owns_writer */ true, quic::Perspective::IS_CLIENT, supported_versions_,
+      connection_id_generator_);
   connection_ = connection.get();
   connection->SetMaxPacketLength(quic_context_->params()->max_packet_length);
 
@@ -556,6 +545,34 @@ int DedicatedWebTransportHttp3Client::DoConnectComplete() {
   return OK;
 }
 
+int DedicatedWebTransportHttp3Client::DoConnectConfigure(int rv) {
+  if (rv != OK) {
+    return rv;
+  }
+
+  rv = socket_->SetReceiveBufferSize(kQuicSocketReceiveBufferSize);
+  if (rv != OK) {
+    return rv;
+  }
+
+  rv = socket_->SetDoNotFragment();
+  if (rv == ERR_NOT_IMPLEMENTED) {
+    rv = OK;
+  }
+  if (rv != OK) {
+    return rv;
+  }
+
+  rv = socket_->SetSendBufferSize(quic::kMaxOutgoingPacketSize * 20);
+  if (rv != OK) {
+    return rv;
+  }
+
+  next_connect_state_ = CONNECT_STATE_CONNECT_COMPLETE;
+  CreateConnection();
+  return ERR_IO_PENDING;
+}
+
 void DedicatedWebTransportHttp3Client::OnSettingsReceived() {
   DCHECK_EQ(next_connect_state_, CONNECT_STATE_CONNECT_COMPLETE);
   // Wait until the SETTINGS parser is finished, and then send the request.
diff --git a/chromium/net/quic/dedicated_web_transport_http3_client.h b/chromium/net/quic/dedicated_web_transport_http3_client.h
index b13993c2293..778bf403ac7 100644
--- a/chromium/net/quic/dedicated_web_transport_http3_client.h
+++ b/chromium/net/quic/dedicated_web_transport_http3_client.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,7 +7,7 @@
 
 #include "base/memory/raw_ptr.h"
 #include "base/memory/weak_ptr.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/dns/host_resolver.h"
 #include "net/log/net_log_with_source.h"
 #include "net/proxy_resolution/proxy_info.h"
@@ -20,9 +20,11 @@
 #include "net/socket/client_socket_factory.h"
 #include "net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_client_config.h"
 #include "net/third_party/quiche/src/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.h"
+#include "net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator.h"
 #include "net/third_party/quiche/src/quiche/quic/core/http/quic_client_push_promise_index.h"
 #include "net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_client_session.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_config.h"
+#include "net/third_party/quiche/src/quiche/quic/core/quic_connection_id.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_versions.h"
 #include "net/third_party/quiche/src/quiche/quic/core/web_transport_interface.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
@@ -43,12 +45,13 @@ class NET_EXPORT DedicatedWebTransportHttp3Client
       public QuicChromiumPacketWriter::Delegate {
  public:
   // |visitor| and |context| must outlive this object.
-  DedicatedWebTransportHttp3Client(const GURL& url,
-                                   const url::Origin& origin,
-                                   WebTransportClientVisitor* visitor,
-                                   const NetworkIsolationKey& isolation_key,
-                                   URLRequestContext* context,
-                                   const WebTransportParameters& parameters);
+  DedicatedWebTransportHttp3Client(
+      const GURL& url,
+      const url::Origin& origin,
+      WebTransportClientVisitor* visitor,
+      const NetworkAnonymizationKey& anonymization_key,
+      URLRequestContext* context,
+      const WebTransportParameters& parameters);
   ~DedicatedWebTransportHttp3Client() override;
 
   WebTransportState state() const { return state_; }
@@ -104,6 +107,7 @@ class NET_EXPORT DedicatedWebTransportHttp3Client
     CONNECT_STATE_RESOLVE_HOST,
     CONNECT_STATE_RESOLVE_HOST_COMPLETE,
     CONNECT_STATE_CONNECT,
+    CONNECT_STATE_CONNECT_CONFIGURE,
     CONNECT_STATE_CONNECT_COMPLETE,
     CONNECT_STATE_SEND_REQUEST,
     CONNECT_STATE_CONFIRM_CONNECTION,
@@ -123,6 +127,7 @@ class NET_EXPORT DedicatedWebTransportHttp3Client
   int DoResolveHostComplete(int rv);
   // Establishes the QUIC connection.
   int DoConnect();
+  int DoConnectConfigure(int rv);
   int DoConnectComplete();
   void CreateConnection();
   // Sends the CONNECT request to establish a WebTransport session.
@@ -139,7 +144,7 @@ class NET_EXPORT DedicatedWebTransportHttp3Client
 
   const GURL url_;
   const url::Origin origin_;
-  const NetworkIsolationKey isolation_key_;
+  const NetworkAnonymizationKey anonymization_key_;
   const raw_ptr<URLRequestContext> context_;          // Unowned.
   const raw_ptr<WebTransportClientVisitor> visitor_;  // Unowned.
 
@@ -170,13 +175,15 @@ class NET_EXPORT DedicatedWebTransportHttp3Client
   std::unique_ptr<HostResolver::ResolveHostRequest> resolve_host_request_;
 
   std::unique_ptr<DatagramClientSocket> socket_;
-  raw_ptr<quic::QuicConnection> connection_;  // owned by |session_|
   std::unique_ptr<quic::QuicSpdyClientSession> session_;
+  raw_ptr<quic::QuicConnection> connection_;  // owned by |session_|
   raw_ptr<quic::QuicSpdyStream> connect_stream_ = nullptr;
   raw_ptr<quic::WebTransportSession> web_transport_session_ = nullptr;
   std::unique_ptr<QuicChromiumPacketReader> packet_reader_;
   std::unique_ptr<QuicEventLogger> event_logger_;
   quic::QuicClientPushPromiseIndex push_promise_index_;
+  quic::DeterministicConnectionIdGenerator connection_id_generator_{
+      quic::kQuicDefaultConnectionIdLength};
 
   absl::optional<WebTransportCloseInfo> close_info_;
 
diff --git a/chromium/net/quic/dedicated_web_transport_http3_client_test.cc b/chromium/net/quic/dedicated_web_transport_http3_client_test.cc
index a68940ef83f..0681bc4123e 100644
--- a/chromium/net/quic/dedicated_web_transport_http3_client_test.cc
+++ b/chromium/net/quic/dedicated_web_transport_http3_client_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -98,8 +98,8 @@ class DedicatedWebTransportHttp3Test : public TestWithTaskEnvironment {
   DedicatedWebTransportHttp3Test() {
     quic::QuicEnableVersion(quic::ParsedQuicVersion::RFCv1());
     origin_ = url::Origin::Create(GURL{"https://example.org"});
-    isolation_key_ =
-        NetworkIsolationKey(SchemefulSite(origin_), SchemefulSite(origin_));
+    anonymization_key_ =
+        NetworkAnonymizationKey(SchemefulSite(origin_), SchemefulSite(origin_));
 
     URLRequestContextBuilder builder;
     builder.set_proxy_resolution_service(
@@ -185,13 +185,13 @@ class DedicatedWebTransportHttp3Test : public TestWithTaskEnvironment {
 
   int port_ = 0;
   url::Origin origin_;
-  NetworkIsolationKey isolation_key_;
+  NetworkAnonymizationKey anonymization_key_;
 };
 
 TEST_F(DedicatedWebTransportHttp3Test, Connect) {
   StartServer();
   client_ = std::make_unique<DedicatedWebTransportHttp3Client>(
-      GetURL("/echo"), origin_, &visitor_, isolation_key_, context_.get(),
+      GetURL("/echo"), origin_, &visitor_, anonymization_key_, context_.get(),
       WebTransportParameters());
 
   EXPECT_CALL(visitor_, OnConnected(_)).WillOnce(StopRunning());
@@ -213,7 +213,7 @@ TEST_F(DedicatedWebTransportHttp3Test, Connect) {
 TEST_F(DedicatedWebTransportHttp3Test, MAYBE_CloseTimeout) {
   StartServer();
   client_ = std::make_unique<DedicatedWebTransportHttp3Client>(
-      GetURL("/echo"), origin_, &visitor_, isolation_key_, context_.get(),
+      GetURL("/echo"), origin_, &visitor_, anonymization_key_, context_.get(),
       WebTransportParameters());
 
   EXPECT_CALL(visitor_, OnConnected(_)).WillOnce(StopRunning());
@@ -239,7 +239,7 @@ TEST_F(DedicatedWebTransportHttp3Test, MAYBE_CloseTimeout) {
 TEST_F(DedicatedWebTransportHttp3Test, CloseReason) {
   StartServer();
   client_ = std::make_unique<DedicatedWebTransportHttp3Client>(
-      GetURL("/session-close"), origin_, &visitor_, isolation_key_,
+      GetURL("/session-close"), origin_, &visitor_, anonymization_key_,
       context_.get(), WebTransportParameters());
 
   EXPECT_CALL(visitor_, OnConnected(_)).WillOnce(StopRunning());
diff --git a/chromium/net/quic/mock_crypto_client_stream.cc b/chromium/net/quic/mock_crypto_client_stream.cc
index 5252179de20..44755301f15 100644
--- a/chromium/net/quic/mock_crypto_client_stream.cc
+++ b/chromium/net/quic/mock_crypto_client_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_crypto_client_stream.h b/chromium/net/quic/mock_crypto_client_stream.h
index 0abfd5e6870..a1571598360 100644
--- a/chromium/net/quic/mock_crypto_client_stream.h
+++ b/chromium/net/quic/mock_crypto_client_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_crypto_client_stream_factory.cc b/chromium/net/quic/mock_crypto_client_stream_factory.cc
index af9a93d3e43..2ac6dcebe4c 100644
--- a/chromium/net/quic/mock_crypto_client_stream_factory.cc
+++ b/chromium/net/quic/mock_crypto_client_stream_factory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_crypto_client_stream_factory.h b/chromium/net/quic/mock_crypto_client_stream_factory.h
index 7b0e8017b58..c6cf2c26d78 100644
--- a/chromium/net/quic/mock_crypto_client_stream_factory.h
+++ b/chromium/net/quic/mock_crypto_client_stream_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_decrypter.cc b/chromium/net/quic/mock_decrypter.cc
index 6fd77f4d511..e46a85cab00 100644
--- a/chromium/net/quic/mock_decrypter.cc
+++ b/chromium/net/quic/mock_decrypter.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_decrypter.h b/chromium/net/quic/mock_decrypter.h
index 285b026403d..03efc9b51d7 100644
--- a/chromium/net/quic/mock_decrypter.h
+++ b/chromium/net/quic/mock_decrypter.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_encrypter.cc b/chromium/net/quic/mock_encrypter.cc
index d1009d24ea5..3f613110879 100644
--- a/chromium/net/quic/mock_encrypter.cc
+++ b/chromium/net/quic/mock_encrypter.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_encrypter.h b/chromium/net/quic/mock_encrypter.h
index 1c2f7aa4764..e50ea191538 100644
--- a/chromium/net/quic/mock_encrypter.h
+++ b/chromium/net/quic/mock_encrypter.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_quic_context.cc b/chromium/net/quic/mock_quic_context.cc
index 9c818a32fd1..81ae9519078 100644
--- a/chromium/net/quic/mock_quic_context.cc
+++ b/chromium/net/quic/mock_quic_context.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_quic_context.h b/chromium/net/quic/mock_quic_context.h
index c4da37132b9..829c15df9d7 100644
--- a/chromium/net/quic/mock_quic_context.h
+++ b/chromium/net/quic/mock_quic_context.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_quic_data.cc b/chromium/net/quic/mock_quic_data.cc
index da0bb625524..dd299290224 100644
--- a/chromium/net/quic/mock_quic_data.cc
+++ b/chromium/net/quic/mock_quic_data.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/mock_quic_data.h b/chromium/net/quic/mock_quic_data.h
index c163365e6c4..9c9dea776f9 100644
--- a/chromium/net/quic/mock_quic_data.h
+++ b/chromium/net/quic/mock_quic_data.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/network_connection.cc b/chromium/net/quic/network_connection.cc
index 970a5ccf0ad..1b23e46c017 100644
--- a/chromium/net/quic/network_connection.cc
+++ b/chromium/net/quic/network_connection.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/network_connection.h b/chromium/net/quic/network_connection.h
index e2ea7472cfc..d58b726461a 100644
--- a/chromium/net/quic/network_connection.h
+++ b/chromium/net/quic/network_connection.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/network_connection_unittest.cc b/chromium/net/quic/network_connection_unittest.cc
index 51054cfb20e..1abc7f1146a 100644
--- a/chromium/net/quic/network_connection_unittest.cc
+++ b/chromium/net/quic/network_connection_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/platform/impl/quic_chromium_clock.cc b/chromium/net/quic/platform/impl/quic_chromium_clock.cc
index e8c20cd1b4c..1379171fc8a 100644
--- a/chromium/net/quic/platform/impl/quic_chromium_clock.cc
+++ b/chromium/net/quic/platform/impl/quic_chromium_clock.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/platform/impl/quic_chromium_clock.h b/chromium/net/quic/platform/impl/quic_chromium_clock.h
index e4f0ba58786..cc6d124635b 100644
--- a/chromium/net/quic/platform/impl/quic_chromium_clock.h
+++ b/chromium/net/quic/platform/impl/quic_chromium_clock.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/platform/impl/quic_chromium_clock_test.cc b/chromium/net/quic/platform/impl/quic_chromium_clock_test.cc
index c6356da8268..80b97c4c701 100644
--- a/chromium/net/quic/platform/impl/quic_chromium_clock_test.cc
+++ b/chromium/net/quic/platform/impl/quic_chromium_clock_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/platform/impl/quic_test_flags_utils.cc b/chromium/net/quic/platform/impl/quic_test_flags_utils.cc
index 3c268bd3f30..968b82f83b2 100644
--- a/chromium/net/quic/platform/impl/quic_test_flags_utils.cc
+++ b/chromium/net/quic/platform/impl/quic_test_flags_utils.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/platform/impl/quic_test_flags_utils.h b/chromium/net/quic/platform/impl/quic_test_flags_utils.h
index 7b97186adb5..aab944e256c 100644
--- a/chromium/net/quic/platform/impl/quic_test_flags_utils.h
+++ b/chromium/net/quic/platform/impl/quic_test_flags_utils.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/properties_based_quic_server_info.cc b/chromium/net/quic/properties_based_quic_server_info.cc
index 338bc059e4d..283f39fbefe 100644
--- a/chromium/net/quic/properties_based_quic_server_info.cc
+++ b/chromium/net/quic/properties_based_quic_server_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -25,10 +25,10 @@ namespace net {
 
 PropertiesBasedQuicServerInfo::PropertiesBasedQuicServerInfo(
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     HttpServerProperties* http_server_properties)
     : QuicServerInfo(server_id),
-      network_isolation_key_(network_isolation_key),
+      network_anonymization_key_(network_anonymization_key),
       http_server_properties_(http_server_properties) {
   DCHECK(http_server_properties_);
 }
@@ -37,7 +37,7 @@ PropertiesBasedQuicServerInfo::~PropertiesBasedQuicServerInfo() = default;
 
 bool PropertiesBasedQuicServerInfo::Load() {
   const string* data = http_server_properties_->GetQuicServerInfo(
-      server_id_, network_isolation_key_);
+      server_id_, network_anonymization_key_);
   string decoded;
   if (!data) {
     RecordQuicServerInfoFailure(PARSE_NO_DATA_FAILURE);
@@ -57,8 +57,8 @@ bool PropertiesBasedQuicServerInfo::Load() {
 void PropertiesBasedQuicServerInfo::Persist() {
   string encoded;
   base::Base64Encode(Serialize(), &encoded);
-  http_server_properties_->SetQuicServerInfo(server_id_, network_isolation_key_,
-                                             encoded);
+  http_server_properties_->SetQuicServerInfo(
+      server_id_, network_anonymization_key_, encoded);
 }
 
 }  // namespace net
diff --git a/chromium/net/quic/properties_based_quic_server_info.h b/chromium/net/quic/properties_based_quic_server_info.h
index aafd390e7ca..c065de90816 100644
--- a/chromium/net/quic/properties_based_quic_server_info.h
+++ b/chromium/net/quic/properties_based_quic_server_info.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,7 +8,7 @@
 #include "base/memory/raw_ptr.h"
 #include "base/memory/weak_ptr.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/quic/quic_server_info.h"
 
 namespace net {
@@ -22,7 +22,7 @@ class NET_EXPORT_PRIVATE PropertiesBasedQuicServerInfo : public QuicServerInfo {
  public:
   PropertiesBasedQuicServerInfo(
       const quic::QuicServerId& server_id,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       HttpServerProperties* http_server_properties);
 
   PropertiesBasedQuicServerInfo(const PropertiesBasedQuicServerInfo&) = delete;
@@ -36,7 +36,7 @@ class NET_EXPORT_PRIVATE PropertiesBasedQuicServerInfo : public QuicServerInfo {
   void Persist() override;
 
  private:
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
   const raw_ptr<HttpServerProperties> http_server_properties_;
 };
 
diff --git a/chromium/net/quic/properties_based_quic_server_info_test.cc b/chromium/net/quic/properties_based_quic_server_info_test.cc
index 967a1cdb0f2..c13636448ca 100644
--- a/chromium/net/quic/properties_based_quic_server_info_test.cc
+++ b/chromium/net/quic/properties_based_quic_server_info_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -32,7 +32,7 @@ class PropertiesBasedQuicServerInfoTest : public ::testing::Test {
   PropertiesBasedQuicServerInfoTest()
       : server_id_("www.google.com", 443, PRIVACY_MODE_DISABLED),
         server_info_(server_id_,
-                     NetworkIsolationKey(),
+                     NetworkAnonymizationKey(),
                      &http_server_properties_) {}
 
   // Initialize |server_info_| object and persist it.
@@ -69,8 +69,8 @@ TEST_F(PropertiesBasedQuicServerInfoTest, Update) {
   InitializeAndPersist();
 
   // Read the persisted data and verify we have read the data correctly.
-  PropertiesBasedQuicServerInfo server_info1(server_id_, NetworkIsolationKey(),
-                                             &http_server_properties_);
+  PropertiesBasedQuicServerInfo server_info1(
+      server_id_, NetworkAnonymizationKey(), &http_server_properties_);
   EXPECT_TRUE(server_info1.Load());
 
   // Verify the data.
@@ -84,8 +84,8 @@ TEST_F(PropertiesBasedQuicServerInfoTest, Update) {
   server_info1.Persist();
 
   // Read the persisted data and verify we have read the data correctly.
-  PropertiesBasedQuicServerInfo server_info2(server_id_, NetworkIsolationKey(),
-                                             &http_server_properties_);
+  PropertiesBasedQuicServerInfo server_info2(
+      server_id_, NetworkAnonymizationKey(), &http_server_properties_);
   EXPECT_TRUE(server_info2.Load());
 
   // Verify updated data.
diff --git a/chromium/net/quic/quic_address_mismatch.cc b/chromium/net/quic/quic_address_mismatch.cc
index 16df1ebe2a7..b5ff93b3138 100644
--- a/chromium/net/quic/quic_address_mismatch.cc
+++ b/chromium/net/quic/quic_address_mismatch.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_address_mismatch.h b/chromium/net/quic/quic_address_mismatch.h
index 85b338c5f25..62e86b430e6 100644
--- a/chromium/net/quic/quic_address_mismatch.h
+++ b/chromium/net/quic/quic_address_mismatch.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_address_mismatch_test.cc b/chromium/net/quic/quic_address_mismatch_test.cc
index 956c04776ec..e586997fcf7 100644
--- a/chromium/net/quic/quic_address_mismatch_test.cc
+++ b/chromium/net/quic/quic_address_mismatch_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_chromium_alarm_factory.cc b/chromium/net/quic/quic_chromium_alarm_factory.cc
index e70fdf70e72..a5261420d9e 100644
--- a/chromium/net/quic/quic_chromium_alarm_factory.cc
+++ b/chromium/net/quic/quic_chromium_alarm_factory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_chromium_alarm_factory.h b/chromium/net/quic/quic_chromium_alarm_factory.h
index 69cc5cd6f59..1cb660070ad 100644
--- a/chromium/net/quic/quic_chromium_alarm_factory.h
+++ b/chromium/net/quic/quic_chromium_alarm_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/quic/quic_chromium_alarm_factory_test.cc b/chromium/net/quic/quic_chromium_alarm_factory_test.cc
index f40903e11a9..37d70678236 100644
--- a/chromium/net/quic/quic_chromium_alarm_factory_test.cc
+++ b/chromium/net/quic/quic_chromium_alarm_factory_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_chromium_client_session.cc b/chromium/net/quic/quic_chromium_client_session.cc
index d91504d1f1a..a9ff250f043 100644
--- a/chromium/net/quic/quic_chromium_client_session.cc
+++ b/chromium/net/quic/quic_chromium_client_session.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,6 +18,7 @@
 #include "base/metrics/sparse_histogram.h"
 #include "base/no_destructor.h"
 #include "base/observer_list.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "base/task/single_thread_task_runner.h"
@@ -29,7 +30,7 @@
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/network_activity_monitor.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/url_util.h"
 #include "net/cert/signed_certificate_timestamp_and_status.h"
@@ -295,8 +296,8 @@ base::Value NetLogQuicClientSessionParams(
   dict.Set("port", session_key->server_id().port());
   dict.Set("privacy_mode",
            PrivacyModeToDebugString(session_key->privacy_mode()));
-  dict.Set("network_isolation_key",
-           session_key->network_isolation_key().ToDebugString());
+  dict.Set("network_anonymization_key",
+           session_key->network_anonymization_key().ToDebugString());
   dict.Set("require_confirmation", require_confirmation);
   dict.Set("cert_verify_flags", cert_verify_flags);
   dict.Set("connection_id", connection_id.ToString());
@@ -342,14 +343,13 @@ class QuicServerPushHelper : public ServerPushDelegate::ServerPushHelper {
       session_->CancelPush(request_url_);
     }
   }
-
   const GURL& GetURL() const override { return request_url_; }
 
-  NetworkIsolationKey GetNetworkIsolationKey() const override {
+  NetworkAnonymizationKey GetNetworkAnonymizationKey() const override {
     if (session_) {
-      return session_->quic_session_key().network_isolation_key();
+      return session_->quic_session_key().network_anonymization_key();
     }
-    return NetworkIsolationKey();
+    return NetworkAnonymizationKey();
   }
 
  private:
@@ -824,7 +824,8 @@ void QuicChromiumClientSession::ConnectionMigrationValidationResultDelegate::
 void QuicChromiumClientSession::ConnectionMigrationValidationResultDelegate::
     OnPathValidationFailure(
         std::unique_ptr<quic::QuicPathValidationContext> context) {
-  session_->connection()->OnPathValidationFailureAtClient();
+  session_->connection()->OnPathValidationFailureAtClient(
+      /*is_multi_port=*/false);
   // Note that socket, packet writer, and packet reader in |context| will be
   // discarded.
   auto* chrome_context =
@@ -852,7 +853,8 @@ void QuicChromiumClientSession::PortMigrationValidationResultDelegate::
 void QuicChromiumClientSession::PortMigrationValidationResultDelegate::
     OnPathValidationFailure(
         std::unique_ptr<quic::QuicPathValidationContext> context) {
-  session_->connection()->OnPathValidationFailureAtClient();
+  session_->connection()->OnPathValidationFailureAtClient(
+      /*is_multi_port=*/false);
   // Note that socket, packet writer, and packet reader in |context| will be
   // discarded.
   auto* chrome_context =
@@ -1018,8 +1020,8 @@ QuicChromiumClientSession::QuicChromiumClientSession(
     connection->SetMaxPacketLength(connection->max_packet_length() -
                                    kAdditionalOverheadForIPv6);
   }
-  connect_timing_.dns_start = dns_resolution_start_time;
-  connect_timing_.dns_end = dns_resolution_end_time;
+  connect_timing_.domain_lookup_start = dns_resolution_start_time;
+  connect_timing_.domain_lookup_end = dns_resolution_end_time;
   if (!retransmittable_on_wire_timeout.IsZero()) {
     connection->set_initial_retransmittable_on_wire_timeout(
         retransmittable_on_wire_timeout);
@@ -1068,8 +1070,6 @@ QuicChromiumClientSession::~QuicChromiumClientSession() {
 
   UMA_HISTOGRAM_COUNTS_1M("Net.QuicSession.NumTotalStreams",
                           num_total_streams_);
-  UMA_HISTOGRAM_COUNTS_1M("Net.QuicNumSentClientHellos",
-                          crypto_stream_->num_sent_client_hellos());
   UMA_HISTOGRAM_COUNTS_1M("Net.QuicSession.Pushed", streams_pushed_count_);
   UMA_HISTOGRAM_COUNTS_1M("Net.QuicSession.PushedAndClaimed",
                           streams_pushed_and_claimed_count_);
@@ -1314,8 +1314,7 @@ int QuicChromiumClientSession::TryCreateStream(StreamRequest* request) {
 void QuicChromiumClientSession::CancelRequest(StreamRequest* request) {
   // Remove |request| from the queue while preserving the order of the
   // other elements.
-  auto it =
-      std::find(stream_requests_.begin(), stream_requests_.end(), request);
+  auto it = base::ranges::find(stream_requests_, request);
   if (it != stream_requests_.end()) {
     it = stream_requests_.erase(it);
   }
@@ -1536,9 +1535,9 @@ bool QuicChromiumClientSession::CanPool(
     return false;
   }
 
-  return SpdySession::CanPool(transport_security_state_, ssl_info,
-                              *ssl_config_service_, session_key_.host(),
-                              hostname, session_key_.network_isolation_key());
+  return SpdySession::CanPool(
+      transport_security_state_, ssl_info, *ssl_config_service_,
+      session_key_.host(), hostname, session_key_.network_anonymization_key());
 }
 
 bool QuicChromiumClientSession::ShouldCreateIncomingStream(
@@ -1844,6 +1843,40 @@ void QuicChromiumClientSession::OnConnectionClosed(
 
   logger_->OnConnectionClosed(frame, source);
 
+  const quic::QuicConnection::MultiPortStats* multi_port_stats =
+      connection()->multi_port_stats();
+  if (multi_port_stats != nullptr) {
+    UMA_HISTOGRAM_COUNTS_1000("Net.QuicMultiPort.NumDefaultPathDegrading",
+                              multi_port_stats->num_path_degrading);
+    UMA_HISTOGRAM_COUNTS_1000(
+        "Net.QuicMultiPort.NumMultiPortFailureWhenPathNotDegrading",
+        multi_port_stats
+            ->num_multi_port_probe_failures_when_path_not_degrading);
+    if (multi_port_stats->num_path_degrading > 0) {
+      base::UmaHistogramSparse(
+          "Net.QuicMultiPort.AltPortRttWhenPathDegradingVsGeneral",
+          static_cast<int>(
+              multi_port_stats->rtt_stats_when_default_path_degrading
+                  .smoothed_rtt()
+                  .ToMilliseconds() *
+              100 /
+              multi_port_stats->rtt_stats.smoothed_rtt().ToMilliseconds()));
+      UMA_HISTOGRAM_COUNTS_1000(
+          "Net.QuicMultiPort.NumMultiPortFailureWhenPathDegrading",
+          multi_port_stats->num_multi_port_probe_failures_when_path_degrading);
+      base::UmaHistogramPercentage(
+          "Net.QuicMultiPort.AltPortFailureWhenPathDegradingVsGeneral",
+          static_cast<int>(
+              multi_port_stats
+                  ->num_multi_port_probe_failures_when_path_degrading *
+              100 /
+              (multi_port_stats
+                   ->num_multi_port_probe_failures_when_path_not_degrading +
+               multi_port_stats
+                   ->num_multi_port_probe_failures_when_path_degrading)));
+    }
+  }
+
   RecordConnectionCloseErrorCode(frame, source, session_key_.host(),
                                  OneRttKeysAvailable());
   if (OneRttKeysAvailable()) {
@@ -2705,7 +2738,7 @@ void QuicChromiumClientSession::OnPathDegrading() {
   for (auto& observer : connectivity_observer_list_)
     observer.OnSessionPathDegrading(this, current_network);
 
-  if (!stream_factory_)
+  if (!stream_factory_ || connection()->multi_port_enabled())
     return;
 
   if (allow_port_migration_ && !migrate_session_early_v2_) {
@@ -3280,8 +3313,10 @@ base::Value QuicChromiumClientSession::GetInfoAsValue(
 
   dict.Set("total_streams", static_cast<int>(num_total_streams_));
   dict.Set("peer_address", peer_address().ToString());
+  // TODO(https://crbug.com/1343856): Update "network_isolation_key" to
+  // "network_anonymization_key" and change NetLog viewer.
   dict.Set("network_isolation_key",
-           session_key_.network_isolation_key().ToDebugString());
+           session_key_.network_anonymization_key().ToDebugString());
   dict.Set("connection_id", connection_id().ToString());
   if (!connection()->client_connection_id().IsEmpty()) {
     dict.Set("client_connection_id",
@@ -3403,9 +3438,10 @@ void QuicChromiumClientSession::OnCryptoHandshakeComplete() {
       connect_timing_.connect_end - connect_timing_.connect_start);
   // Track how long it has taken to finish handshake after we have finished
   // DNS host resolution.
-  if (!connect_timing_.dns_end.is_null()) {
-    UMA_HISTOGRAM_TIMES("Net.QuicSession.HostResolution.HandshakeConfirmedTime",
-                        tick_clock_->NowTicks() - connect_timing_.dns_end);
+  if (!connect_timing_.domain_lookup_end.is_null()) {
+    UMA_HISTOGRAM_TIMES(
+        "Net.QuicSession.HostResolution.HandshakeConfirmedTime",
+        tick_clock_->NowTicks() - connect_timing_.domain_lookup_end);
   }
 
   auto it = handles_.begin();
diff --git a/chromium/net/quic/quic_chromium_client_session.h b/chromium/net/quic/quic_chromium_client_session.h
index 4a75846c76d..54edb82c63b 100644
--- a/chromium/net/quic/quic_chromium_client_session.h
+++ b/chromium/net/quic/quic_chromium_client_session.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/quic/quic_chromium_client_session_peer.cc b/chromium/net/quic/quic_chromium_client_session_peer.cc
index ebb966aaf1f..7d892fc0cd2 100644
--- a/chromium/net/quic/quic_chromium_client_session_peer.cc
+++ b/chromium/net/quic/quic_chromium_client_session_peer.cc
@@ -1,11 +1,10 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/quic_chromium_client_session_peer.h"
 
 #include "net/dns/public/secure_dns_policy.h"
-#include "net/quic/quic_chromium_client_session.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 
 namespace net::test {
@@ -17,7 +16,7 @@ void QuicChromiumClientSessionPeer::SetHostname(
                                session->session_key_.server_id().port(),
                                session->session_key_.privacy_mode());
   session->session_key_ =
-      QuicSessionKey(server_id, SocketTag(), NetworkIsolationKey(),
+      QuicSessionKey(server_id, SocketTag(), NetworkAnonymizationKey(),
                      SecureDnsPolicy::kAllow, /*require_dns_https_alpn=*/false);
 }
 
@@ -48,4 +47,10 @@ bool QuicChromiumClientSessionPeer::GetSessionGoingAway(
   return session->going_away_;
 }
 
+// static
+MigrationCause QuicChromiumClientSessionPeer::GetCurrentMigrationCause(
+    QuicChromiumClientSession* session) {
+  return session->current_migration_cause_;
+}
+
 }  // namespace net::test
diff --git a/chromium/net/quic/quic_chromium_client_session_peer.h b/chromium/net/quic/quic_chromium_client_session_peer.h
index 5c060d696fb..bf4c58f2e61 100644
--- a/chromium/net/quic/quic_chromium_client_session_peer.h
+++ b/chromium/net/quic/quic_chromium_client_session_peer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,11 +9,11 @@
 
 #include <string>
 
+#include "net/quic/quic_chromium_client_session.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_packets.h"
 
 namespace net {
 
-class QuicChromiumClientSession;
 class QuicChromiumClientStream;
 
 namespace test {
@@ -36,6 +36,9 @@ class QuicChromiumClientSessionPeer {
       QuicChromiumClientSession* session);
 
   static bool GetSessionGoingAway(QuicChromiumClientSession* session);
+
+  static MigrationCause GetCurrentMigrationCause(
+      QuicChromiumClientSession* session);
 };
 
 }  // namespace test
diff --git a/chromium/net/quic/quic_chromium_client_session_test.cc b/chromium/net/quic/quic_chromium_client_session_test.cc
index d5d4a4ed58a..a60982812ba 100644
--- a/chromium/net/quic/quic_chromium_client_session_test.cc
+++ b/chromium/net/quic/quic_chromium_client_session_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -16,7 +16,7 @@
 #include "base/time/default_tick_clock.h"
 #include "build/build_config.h"
 #include "net/base/features.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/cert_verify_result.h"
@@ -60,6 +60,7 @@
 #include "net/third_party/quiche/src/quiche/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quiche/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/crypto_test_utils.h"
+#include "net/third_party/quiche/src/quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/quic_client_promised_info_peer.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.h"
@@ -144,7 +145,7 @@ class QuicChromiumClientSessionTest
                      kServerPort,
                      PRIVACY_MODE_DISABLED,
                      SocketTag(),
-                     NetworkIsolationKey(),
+                     NetworkAnonymizationKey(),
                      SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false),
         destination_(url::kHttpsScheme, kServerHostname, kServerPort),
@@ -188,7 +189,7 @@ class QuicChromiumClientSessionTest
         quic::QuicUtils::CreateRandomConnectionId(&random_),
         quic::QuicSocketAddress(), ToQuicSocketAddress(kIpEndPoint), &helper_,
         &alarm_factory_, writer, true, quic::Perspective::IS_CLIENT,
-        quic::test::SupportedVersions(version_));
+        quic::test::SupportedVersions(version_), connection_id_generator_);
     session_ = std::make_unique<TestingQuicChromiumClientSession>(
         connection, std::move(socket),
         /*stream_factory=*/nullptr, &crypto_client_stream_factory_, &clock_,
@@ -198,7 +199,7 @@ class QuicChromiumClientSessionTest
         /*migrate_session_on_network_change_v2=*/false, default_network_,
         quic::QuicTime::Delta::FromMilliseconds(
             kDefaultRetransmittableOnWireTimeout.InMilliseconds()),
-        /*migrate_idle_session=*/false, /*allow_port_migration=*/false,
+        /*migrate_idle_session=*/false, allow_port_migration_,
         kDefaultIdleSessionMigrationPeriod, kMaxTimeOnNonDefaultNetwork,
         kMaxMigrationsToNonDefaultNetworkOnWriteError,
         kMaxMigrationsToNonDefaultNetworkOnPathDegrading,
@@ -312,6 +313,8 @@ class QuicChromiumClientSessionTest
   QuicTestPacketMaker server_maker_;
   ProofVerifyDetailsChromium verify_details_;
   bool migrate_session_early_v2_ = false;
+  bool allow_port_migration_ = false;
+  quic::test::MockConnectionIdGenerator connection_id_generator_;
   quic::test::NoopQpackStreamSenderDelegate noop_qpack_stream_sender_delegate_;
 };
 
@@ -1640,17 +1643,17 @@ TEST_P(QuicChromiumClientSessionTest, CanPool) {
   EXPECT_TRUE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_FALSE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_ENABLED, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_FALSE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kDisable,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kDisable,
                      /*require_dns_https_alpn=*/false)));
 #if BUILDFLAG(IS_ANDROID)
   SocketTag tag1(SocketTag::UNSET_UID, 0x12345678);
@@ -1658,33 +1661,33 @@ TEST_P(QuicChromiumClientSessionTest, CanPool) {
   EXPECT_FALSE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, tag1,
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_FALSE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, tag2,
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 #endif
   EXPECT_TRUE(session_->CanPool(
       "mail.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_TRUE(session_->CanPool(
       "mail.example.com",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_FALSE(session_->CanPool(
       "mail.google.com",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 
   const SchemefulSite kSiteFoo(GURL("http://foo.test/"));
 
-  // Check that NetworkIsolationKey is respected when feature is enabled.
+  // Check that NetworkAnonymizationKey is respected when feature is enabled.
   {
     base::test::ScopedFeatureList feature_list;
     feature_list.InitAndDisableFeature(
@@ -1692,7 +1695,7 @@ TEST_P(QuicChromiumClientSessionTest, CanPool) {
     EXPECT_TRUE(session_->CanPool(
         "mail.example.com",
         QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                       NetworkIsolationKey(kSiteFoo, kSiteFoo),
+                       NetworkAnonymizationKey(kSiteFoo, kSiteFoo),
                        SecureDnsPolicy::kAllow,
                        /*require_dns_https_alpn=*/false)));
   }
@@ -1703,7 +1706,7 @@ TEST_P(QuicChromiumClientSessionTest, CanPool) {
     EXPECT_FALSE(session_->CanPool(
         "mail.example.com",
         QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                       NetworkIsolationKey(kSiteFoo, kSiteFoo),
+                       NetworkAnonymizationKey(kSiteFoo, kSiteFoo),
                        SecureDnsPolicy::kAllow,
                        /*require_dns_https_alpn=*/false)));
   }
@@ -1713,20 +1716,20 @@ TEST_P(QuicChromiumClientSessionTest, CanPoolExpectCT) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       /* enabled_features */
-      {TransportSecurityState::kDynamicExpectCTFeature,
+      {kDynamicExpectCTFeature,
        features::kPartitionExpectCTStateByNetworkIsolationKey,
        features::kPartitionConnectionsByNetworkIsolationKey},
       /* disabled_features */
       {});
 
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   // Need to create a session key after setting
   // kPartitionExpectCTStateByNetworkIsolationKey, otherwise, it will ignore the
-  // NetworkIsolationKey value.
+  // NetworkAnonymizationKey value.
   session_key_ =
       QuicSessionKey(kServerHostname, kServerPort, PRIVACY_MODE_DISABLED,
-                     SocketTag(), network_isolation_key,
+                     SocketTag(), network_anonymization_key,
                      SecureDnsPolicy::kAllow, /*require_dns_https_alpn=*/false);
 
   // Need to create this after enabling
@@ -1762,50 +1765,50 @@ TEST_P(QuicChromiumClientSessionTest, CanPoolExpectCT) {
   EXPECT_TRUE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     network_isolation_key, SecureDnsPolicy::kAllow,
+                     network_anonymization_key, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 
-  // Adding Expect-CT data for different NetworkIsolationKeys should have no
+  // Adding Expect-CT data for different NetworkAnonymizationKeys should have no
   // effect.
   base::Time expiry = base::Time::Now() + base::Days(1);
   transport_security_state_->AddExpectCT(
       "www.example.org", expiry, true /* enforce */, GURL() /* report_url */,
-      NetworkIsolationKey::CreateTransient());
+      NetworkAnonymizationKey::CreateTransient());
   transport_security_state_->AddExpectCT(
       "www.example.org", expiry, true /* enforce */, GURL() /* report_url */,
-      NetworkIsolationKey());
+      NetworkAnonymizationKey());
   EXPECT_TRUE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     network_isolation_key, SecureDnsPolicy::kAllow,
+                     network_anonymization_key, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 
-  // Adding Expect-CT data for the same NetworkIsolationKey should prevent
+  // Adding Expect-CT data for the same NetworkAnonymizationKey should prevent
   // pooling.
   transport_security_state_->AddExpectCT(
       "www.example.org", expiry, true /* enforce */, GURL() /* report_url */,
-      network_isolation_key);
+      network_anonymization_key);
   EXPECT_FALSE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     network_isolation_key, SecureDnsPolicy::kAllow,
+                     network_anonymization_key, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 }
 
-// Much as above, but uses a non-empty NetworkIsolationKey.
-TEST_P(QuicChromiumClientSessionTest, CanPoolWithNetworkIsolationKey) {
+// Much as above, but uses a non-empty NetworkAnonymizationKey.
+TEST_P(QuicChromiumClientSessionTest, CanPoolWithNetworkAnonymizationKey) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
       features::kPartitionConnectionsByNetworkIsolationKey);
 
   const SchemefulSite kSiteFoo(GURL("http://foo.test/"));
   const SchemefulSite kSiteBar(GURL("http://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSiteFoo, kSiteFoo);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSiteBar, kSiteBar);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSiteFoo, kSiteFoo);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSiteBar, kSiteBar);
 
   session_key_ =
       QuicSessionKey(kServerHostname, kServerPort, PRIVACY_MODE_DISABLED,
-                     SocketTag(), kNetworkIsolationKey1,
+                     SocketTag(), kNetworkAnonymizationKey1,
                      SecureDnsPolicy::kAllow, /*require_dns_https_alpn=*/false);
 
   MockQuicData quic_data(version_);
@@ -1831,12 +1834,12 @@ TEST_P(QuicChromiumClientSessionTest, CanPoolWithNetworkIsolationKey) {
   EXPECT_TRUE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     kNetworkIsolationKey1, SecureDnsPolicy::kAllow,
+                     kNetworkAnonymizationKey1, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_FALSE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_ENABLED, SocketTag(),
-                     kNetworkIsolationKey1, SecureDnsPolicy::kAllow,
+                     kNetworkAnonymizationKey1, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 #if BUILDFLAG(IS_ANDROID)
   SocketTag tag1(SocketTag::UNSET_UID, 0x12345678);
@@ -1844,39 +1847,39 @@ TEST_P(QuicChromiumClientSessionTest, CanPoolWithNetworkIsolationKey) {
   EXPECT_FALSE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, tag1,
-                     kNetworkIsolationKey1, SecureDnsPolicy::kAllow,
+                     kNetworkAnonymizationKey1, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_FALSE(session_->CanPool(
       "www.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, tag2,
-                     kNetworkIsolationKey1, SecureDnsPolicy::kAllow,
+                     kNetworkAnonymizationKey1, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 #endif
   EXPECT_TRUE(session_->CanPool(
       "mail.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     kNetworkIsolationKey1, SecureDnsPolicy::kAllow,
+                     kNetworkAnonymizationKey1, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_TRUE(session_->CanPool(
       "mail.example.com",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     kNetworkIsolationKey1, SecureDnsPolicy::kAllow,
+                     kNetworkAnonymizationKey1, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_FALSE(session_->CanPool(
       "mail.google.com",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     kNetworkIsolationKey1, SecureDnsPolicy::kAllow,
+                     kNetworkAnonymizationKey1, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 
   EXPECT_FALSE(session_->CanPool(
       "mail.example.com",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     kNetworkIsolationKey2, SecureDnsPolicy::kAllow,
+                     kNetworkAnonymizationKey2, SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
   EXPECT_FALSE(session_->CanPool(
       "mail.example.com",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 }
 
@@ -1924,7 +1927,7 @@ TEST_P(QuicChromiumClientSessionTest, ConnectionNotPooledWithDifferentPin) {
   EXPECT_FALSE(session_->CanPool(
       kPreloadedPKPHost,
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 }
 
@@ -1959,7 +1962,7 @@ TEST_P(QuicChromiumClientSessionTest, ConnectionPooledWithMatchingPin) {
   EXPECT_TRUE(session_->CanPool(
       "mail.example.org",
       QuicSessionKey("foo", 1234, PRIVACY_MODE_DISABLED, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                      /*require_dns_https_alpn=*/false)));
 }
 
@@ -2454,6 +2457,32 @@ TEST_P(QuicChromiumClientSessionTest,
   EXPECT_EQ(0u, connectivity_monitor_->GetNumDegradingSessions());
 }
 
+// This test verifies that when multi-port and port migration is enabled, path
+// degrading won't trigger port migration.
+TEST_P(QuicChromiumClientSessionTest, DegradingWithMultiPortEnabled) {
+  if (!version_.UsesHttp3())
+    return;
+  // Default network is always set to handles::kInvalidNetworkHandle.
+  default_network_ = handles::kInvalidNetworkHandle;
+  connectivity_monitor_ =
+      std::make_unique<QuicConnectivityMonitor>(default_network_);
+  allow_port_migration_ = true;
+  SetIetfConnectionMigrationFlagsAndConnectionOptions();
+  auto options = config_.SendConnectionOptions();
+  options.push_back(quic::kMPQC);
+  config_.SetConnectionOptionsToSend(options);
+
+  Initialize();
+  EXPECT_TRUE(session_->connection()->multi_port_enabled());
+
+  session_->ReallyOnPathDegrading();
+  EXPECT_EQ(1u, connectivity_monitor_->GetNumDegradingSessions());
+
+  EXPECT_EQ(
+      UNKNOWN_CAUSE,
+      QuicChromiumClientSessionPeer::GetCurrentMigrationCause(session_.get()));
+}
+
 // This test verifies that when the handles::NetworkHandle is not supported, and
 // there are speculated network change reported via OnIPAddressChange, session
 // still reports to the connectivity monitor correctly on path degrading
diff --git a/chromium/net/quic/quic_chromium_client_stream.cc b/chromium/net/quic/quic_chromium_client_stream.cc
index fe7e3a5e1ef..7baf3511e5b 100644
--- a/chromium/net/quic/quic_chromium_client_stream.cc
+++ b/chromium/net/quic/quic_chromium_client_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -678,9 +678,10 @@ void QuicChromiumClientStream::OnError(int error) {
 }
 
 int QuicChromiumClientStream::Read(IOBuffer* buf, int buf_len) {
-  // TODO(https://crbug.com/1335423): Change to DCHECK_GT() or remove after bug
+  // TODO(https://crbug.com/1335423): Change to DCHECK() or remove after bug
   // is fixed.
   CHECK_GT(buf_len, 0);
+  CHECK(buf->data());
 
   if (IsDoneReading())
     return 0;  // EOF
diff --git a/chromium/net/quic/quic_chromium_client_stream.h b/chromium/net/quic/quic_chromium_client_stream.h
index f67150e0ded..b087ab1687c 100644
--- a/chromium/net/quic/quic_chromium_client_stream.h
+++ b/chromium/net/quic/quic_chromium_client_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/quic/quic_chromium_client_stream_test.cc b/chromium/net/quic/quic_chromium_client_stream_test.cc
index ca08d843ca6..7a47c2578c8 100644
--- a/chromium/net/quic/quic_chromium_client_stream_test.cc
+++ b/chromium/net/quic/quic_chromium_client_stream_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_chromium_connection_helper.cc b/chromium/net/quic/quic_chromium_connection_helper.cc
index 85d6a0709e5..4d8575de274 100644
--- a/chromium/net/quic/quic_chromium_connection_helper.cc
+++ b/chromium/net/quic/quic_chromium_connection_helper.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_chromium_connection_helper.h b/chromium/net/quic/quic_chromium_connection_helper.h
index 5a3eb30ec3d..9af666962a1 100644
--- a/chromium/net/quic/quic_chromium_connection_helper.h
+++ b/chromium/net/quic/quic_chromium_connection_helper.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
@@ -19,9 +19,12 @@
 
 namespace quic {
 class QuicClock;
+}  // namespace quic
 
+namespace quiche {
 class QuicRandom;
-}  // namespace quic
+}  // namespace quiche
+
 namespace net {
 
 class NET_EXPORT_PRIVATE QuicChromiumConnectionHelper
diff --git a/chromium/net/quic/quic_chromium_connection_helper_test.cc b/chromium/net/quic/quic_chromium_connection_helper_test.cc
index 3049fdcf198..f86b245e60b 100644
--- a/chromium/net/quic/quic_chromium_connection_helper_test.cc
+++ b/chromium/net/quic/quic_chromium_connection_helper_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_chromium_packet_reader.cc b/chromium/net/quic/quic_chromium_packet_reader.cc
index 34c3a6e402b..f416987ed8c 100644
--- a/chromium/net/quic/quic_chromium_packet_reader.cc
+++ b/chromium/net/quic/quic_chromium_packet_reader.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_chromium_packet_reader.h b/chromium/net/quic/quic_chromium_packet_reader.h
index 9db08249c0a..1ab3e0b5a12 100644
--- a/chromium/net/quic/quic_chromium_packet_reader.h
+++ b/chromium/net/quic/quic_chromium_packet_reader.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/quic/quic_chromium_packet_writer.cc b/chromium/net/quic/quic_chromium_packet_writer.cc
index 4540cb94318..70488cc5d4c 100644
--- a/chromium/net/quic/quic_chromium_packet_writer.cc
+++ b/chromium/net/quic/quic_chromium_packet_writer.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_chromium_packet_writer.h b/chromium/net/quic/quic_chromium_packet_writer.h
index 5535eefd74d..1fc16f3e0e9 100644
--- a/chromium/net/quic/quic_chromium_packet_writer.h
+++ b/chromium/net/quic/quic_chromium_packet_writer.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_clock_skew_detector.cc b/chromium/net/quic/quic_clock_skew_detector.cc
index f2ce31485a3..1b88afcd8f1 100644
--- a/chromium/net/quic/quic_clock_skew_detector.cc
+++ b/chromium/net/quic/quic_clock_skew_detector.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_clock_skew_detector.h b/chromium/net/quic/quic_clock_skew_detector.h
index f57b5fcbd2c..e827969bc47 100644
--- a/chromium/net/quic/quic_clock_skew_detector.h
+++ b/chromium/net/quic/quic_clock_skew_detector.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_clock_skew_detector_test.cc b/chromium/net/quic/quic_clock_skew_detector_test.cc
index ee7d6e36a02..b46a6a17672 100644
--- a/chromium/net/quic/quic_clock_skew_detector_test.cc
+++ b/chromium/net/quic/quic_clock_skew_detector_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_connection_logger.cc b/chromium/net/quic/quic_connection_logger.cc
index 2bddbdf95c5..6b529a3df66 100644
--- a/chromium/net/quic/quic_connection_logger.cc
+++ b/chromium/net/quic/quic_connection_logger.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_connection_logger.h b/chromium/net/quic/quic_connection_logger.h
index f070213d01e..705c7f30b09 100644
--- a/chromium/net/quic/quic_connection_logger.h
+++ b/chromium/net/quic/quic_connection_logger.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_connectivity_monitor.cc b/chromium/net/quic/quic_connectivity_monitor.cc
index 1040a92855c..1d369a6a48c 100644
--- a/chromium/net/quic/quic_connectivity_monitor.cc
+++ b/chromium/net/quic/quic_connectivity_monitor.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_connectivity_monitor.h b/chromium/net/quic/quic_connectivity_monitor.h
index 117f6f05402..273e1b3a68f 100644
--- a/chromium/net/quic/quic_connectivity_monitor.h
+++ b/chromium/net/quic/quic_connectivity_monitor.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_context.cc b/chromium/net/quic/quic_context.cc
index 9f10dcf781d..481130a5190 100644
--- a/chromium/net/quic/quic_context.cc
+++ b/chromium/net/quic/quic_context.cc
@@ -1,9 +1,10 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/quic_context.h"
 
+#include "base/containers/contains.h"
 #include "net/quic/platform/impl/quic_chromium_clock.h"
 #include "net/quic/quic_chromium_connection_helper.h"
 #include "net/third_party/quiche/src/quiche/quic/core/crypto/crypto_protocol.h"
@@ -53,8 +54,7 @@ quic::QuicConfig InitializeQuicConfig(const QuicParams& params) {
       quic::QuicTime::Delta::FromMicroseconds(
           params.max_idle_time_before_crypto_handshake.InMicroseconds()));
   quic::QuicTagVector copt_to_send = params.connection_options;
-  if (std::find(copt_to_send.begin(), copt_to_send.end(), quic::kRVCM) ==
-      copt_to_send.end()) {
+  if (!base::Contains(copt_to_send, quic::kRVCM)) {
     copt_to_send.push_back(quic::kRVCM);
   }
   config.SetConnectionOptionsToSend(copt_to_send);
diff --git a/chromium/net/quic/quic_context.h b/chromium/net/quic/quic_context.h
index cc49d51796c..79d0226f5f3 100644
--- a/chromium/net/quic/quic_context.h
+++ b/chromium/net/quic/quic_context.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_crypto_client_config_handle.cc b/chromium/net/quic/quic_crypto_client_config_handle.cc
index afd48a9cea5..5aa3a4d3d63 100644
--- a/chromium/net/quic/quic_crypto_client_config_handle.cc
+++ b/chromium/net/quic/quic_crypto_client_config_handle.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_crypto_client_config_handle.h b/chromium/net/quic/quic_crypto_client_config_handle.h
index 4e17d772edc..191c19a18c7 100644
--- a/chromium/net/quic/quic_crypto_client_config_handle.h
+++ b/chromium/net/quic/quic_crypto_client_config_handle.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_crypto_client_stream_factory.cc b/chromium/net/quic/quic_crypto_client_stream_factory.cc
index 4b2bd7e4846..0983164bab4 100644
--- a/chromium/net/quic/quic_crypto_client_stream_factory.cc
+++ b/chromium/net/quic/quic_crypto_client_stream_factory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_crypto_client_stream_factory.h b/chromium/net/quic/quic_crypto_client_stream_factory.h
index b6d4a772e2c..786852a6f63 100644
--- a/chromium/net/quic/quic_crypto_client_stream_factory.h
+++ b/chromium/net/quic/quic_crypto_client_stream_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_crypto_framer_parse_message_fuzzer.cc b/chromium/net/quic/quic_crypto_framer_parse_message_fuzzer.cc
index 74f2144fee0..9a8f310ce83 100644
--- a/chromium/net/quic/quic_crypto_framer_parse_message_fuzzer.cc
+++ b/chromium/net/quic/quic_crypto_framer_parse_message_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_end_to_end_unittest.cc b/chromium/net/quic/quic_end_to_end_unittest.cc
index 6ccb73a1b5a..d83a32a4841 100644
--- a/chromium/net/quic/quic_end_to_end_unittest.cc
+++ b/chromium/net/quic/quic_end_to_end_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_event_logger.cc b/chromium/net/quic/quic_event_logger.cc
index 27509320d3b..89190afb899 100644
--- a/chromium/net/quic/quic_event_logger.cc
+++ b/chromium/net/quic/quic_event_logger.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_event_logger.h b/chromium/net/quic/quic_event_logger.h
index 40a5c7d3ee0..95e1e769614 100644
--- a/chromium/net/quic/quic_event_logger.h
+++ b/chromium/net/quic/quic_event_logger.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_http3_logger.cc b/chromium/net/quic/quic_http3_logger.cc
index b1fef6c22ec..45609983f63 100644
--- a/chromium/net/quic/quic_http3_logger.cc
+++ b/chromium/net/quic/quic_http3_logger.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "net/quic/quic_http3_logger.h"
diff --git a/chromium/net/quic/quic_http3_logger.h b/chromium/net/quic/quic_http3_logger.h
index 535d14494f6..3c54639f11c 100644
--- a/chromium/net/quic/quic_http3_logger.h
+++ b/chromium/net/quic/quic_http3_logger.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_http_stream.cc b/chromium/net/quic/quic_http_stream.cc
index 8d78f375ab9..8115ae0c81d 100644
--- a/chromium/net/quic/quic_http_stream.cc
+++ b/chromium/net/quic/quic_http_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_http_stream.h b/chromium/net/quic/quic_http_stream.h
index d19f78d725d..c4d743ccff0 100644
--- a/chromium/net/quic/quic_http_stream.h
+++ b/chromium/net/quic/quic_http_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_http_stream_test.cc b/chromium/net/quic/quic_http_stream_test.cc
index 285025629c0..c60fe65b5f1 100644
--- a/chromium/net/quic/quic_http_stream_test.cc
+++ b/chromium/net/quic/quic_http_stream_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -68,6 +68,7 @@
 #include "net/third_party/quiche/src/quiche/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/mock_clock.h"
+#include "net/third_party/quiche/src/quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/mock_random.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.h"
@@ -162,7 +163,8 @@ class TestQuicConnection : public quic::QuicConnection {
                      IPEndPoint address,
                      QuicChromiumConnectionHelper* helper,
                      QuicChromiumAlarmFactory* alarm_factory,
-                     quic::QuicPacketWriter* writer)
+                     quic::QuicPacketWriter* writer,
+                     quic::ConnectionIdGeneratorInterface& generator)
       : quic::QuicConnection(connection_id,
                              quic::QuicSocketAddress(),
                              ToQuicSocketAddress(address),
@@ -171,7 +173,8 @@ class TestQuicConnection : public quic::QuicConnection {
                              writer,
                              true /* owns_writer */,
                              quic::Perspective::IS_CLIENT,
-                             versions) {}
+                             versions,
+                             generator) {}
 
   void SetSendAlgorithm(quic::SendAlgorithmInterface* send_algorithm) {
     quic::test::QuicConnectionPeer::SetSendAlgorithm(this, send_algorithm);
@@ -375,8 +378,9 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<TestParams>,
     connection_ = new TestQuicConnection(
         quic::test::SupportedVersions(version_), connection_id_, peer_addr_,
         helper_.get(), alarm_factory_.get(),
-        new QuicChromiumPacketWriter(
-            socket.get(), base::ThreadTaskRunnerHandle::Get().get()));
+        new QuicChromiumPacketWriter(socket.get(),
+                                     base::ThreadTaskRunnerHandle::Get().get()),
+        connection_id_generator_);
     connection_->set_visitor(&visitor_);
     connection_->SetSendAlgorithm(send_algorithm_);
 
@@ -398,7 +402,7 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<TestParams>,
         base::WrapUnique(static_cast<QuicServerInfo*>(nullptr)),
         QuicSessionKey(kDefaultServerHostName, kDefaultServerPort,
                        PRIVACY_MODE_DISABLED, SocketTag(),
-                       NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                       NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                        /*require_dns_https_alpn=*/false),
         /*require_confirmation=*/false,
         /*migrate_session_early_v2=*/false,
@@ -704,6 +708,7 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<TestParams>,
   std::unique_ptr<StaticSocketDataProvider> socket_data_;
   QuicPacketPrinter printer_;
   std::vector<PacketToWrite> writes_;
+  quic::test::MockConnectionIdGenerator connection_id_generator_;
   quic::test::NoopQpackStreamSenderDelegate noop_qpack_stream_sender_delegate_;
 };
 
diff --git a/chromium/net/quic/quic_http_utils.cc b/chromium/net/quic/quic_http_utils.cc
index 49f7925cf8f..c5cb9bfea32 100644
--- a/chromium/net/quic/quic_http_utils.cc
+++ b/chromium/net/quic/quic_http_utils.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_http_utils.h b/chromium/net/quic/quic_http_utils.h
index dbb5c2fd305..a39b25d4067 100644
--- a/chromium/net/quic/quic_http_utils.h
+++ b/chromium/net/quic/quic_http_utils.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_http_utils_test.cc b/chromium/net/quic/quic_http_utils_test.cc
index d6b662b89b1..eac3d6e405d 100644
--- a/chromium/net/quic/quic_http_utils_test.cc
+++ b/chromium/net/quic/quic_http_utils_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_network_transaction_unittest.cc b/chromium/net/quic/quic_network_transaction_unittest.cc
index 16d29da8157..e826aa68ba3 100644
--- a/chromium/net/quic/quic_network_transaction_unittest.cc
+++ b/chromium/net/quic/quic_network_transaction_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -23,7 +23,7 @@
 #include "net/base/features.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/mock_network_change_notifier.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/base/test_completion_callback.h"
 #include "net/base/test_proxy_delegate.h"
@@ -792,14 +792,14 @@ class QuicNetworkTransactionTest
 
   void AddQuicAlternateProtocolMapping(
       MockCryptoClientStream::HandshakeMode handshake_mode,
-      const NetworkIsolationKey& network_isolation_key =
-          NetworkIsolationKey()) {
+      const NetworkAnonymizationKey& network_anonymization_key =
+          NetworkAnonymizationKey()) {
     crypto_client_stream_factory_.set_handshake_mode(handshake_mode);
     url::SchemeHostPort server(request_.url);
     AlternativeService alternative_service(kProtoQUIC, server.host(), 443);
     base::Time expiration = base::Time::Now() + base::Days(1);
     http_server_properties_->SetQuicAlternativeService(
-        server, network_isolation_key, alternative_service, expiration,
+        server, network_anonymization_key, alternative_service, expiration,
         supported_versions_);
   }
 
@@ -812,37 +812,37 @@ class QuicNetworkTransactionTest
                                            alternative.port());
     base::Time expiration = base::Time::Now() + base::Days(1);
     http_server_properties_->SetQuicAlternativeService(
-        server, NetworkIsolationKey(), alternative_service, expiration,
+        server, NetworkAnonymizationKey(), alternative_service, expiration,
         supported_versions_);
   }
 
   void ExpectBrokenAlternateProtocolMapping(
-      const NetworkIsolationKey& network_isolation_key =
-          NetworkIsolationKey()) {
+      const NetworkAnonymizationKey& network_anonymization_key =
+          NetworkAnonymizationKey()) {
     const url::SchemeHostPort server(request_.url);
     const AlternativeServiceInfoVector alternative_service_info_vector =
         http_server_properties_->GetAlternativeServiceInfos(
-            server, network_isolation_key);
+            server, network_anonymization_key);
     EXPECT_EQ(1u, alternative_service_info_vector.size());
     EXPECT_TRUE(http_server_properties_->IsAlternativeServiceBroken(
         alternative_service_info_vector[0].alternative_service(),
-        network_isolation_key));
+        network_anonymization_key));
   }
 
   void ExpectQuicAlternateProtocolMapping(
-      const NetworkIsolationKey& network_isolation_key =
-          NetworkIsolationKey()) {
+      const NetworkAnonymizationKey& network_anonymization_key =
+          NetworkAnonymizationKey()) {
     const url::SchemeHostPort server(request_.url);
     const AlternativeServiceInfoVector alternative_service_info_vector =
         http_server_properties_->GetAlternativeServiceInfos(
-            server, network_isolation_key);
+            server, network_anonymization_key);
     EXPECT_EQ(1u, alternative_service_info_vector.size());
     EXPECT_EQ(
         kProtoQUIC,
         alternative_service_info_vector[0].alternative_service().protocol);
     EXPECT_FALSE(http_server_properties_->IsAlternativeServiceBroken(
         alternative_service_info_vector[0].alternative_service(),
-        network_isolation_key));
+        network_anonymization_key));
   }
 
   void AddHangingNonAlternateProtocolSocketData() {
@@ -1845,12 +1845,12 @@ TEST_P(QuicNetworkTransactionTest, DoNotUseQuicForUnsupportedVersion) {
                                          443);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties_->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       {unsupported_version});
 
   AlternativeServiceInfoVector alt_svc_info_vector =
       http_server_properties_->GetAlternativeServiceInfos(
-          server, NetworkIsolationKey());
+          server, NetworkAnonymizationKey());
   EXPECT_EQ(1u, alt_svc_info_vector.size());
   EXPECT_EQ(kProtoQUIC, alt_svc_info_vector[0].alternative_service().protocol);
   EXPECT_EQ(1u, alt_svc_info_vector[0].advertised_versions().size());
@@ -1913,7 +1913,7 @@ TEST_P(QuicNetworkTransactionTest, DoNotUseQuicForUnsupportedVersion) {
   // Check alternative service list is updated with new versions.
   alt_svc_info_vector =
       session_->http_server_properties()->GetAlternativeServiceInfos(
-          server, NetworkIsolationKey());
+          server, NetworkAnonymizationKey());
   VerifyQuicVersionsInAlternativeServices(alt_svc_info_vector,
                                           supported_versions_);
 }
@@ -1932,7 +1932,7 @@ TEST_P(QuicNetworkTransactionTest, RetryMisdirectedRequest) {
                                          443);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties_->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       supported_versions_);
 
   // First try: The alternative job uses QUIC and reports an HTTP 421
@@ -2157,9 +2157,9 @@ TEST_P(QuicNetworkTransactionTest, UseIetfAlternativeServiceForQuic) {
   SendRequestAndExpectQuicResponse("hello!");
 }
 
-// Much like above, but makes sure NetworkIsolationKey is respected.
+// Much like above, but makes sure NetworkAnonymizationKey is respected.
 TEST_P(QuicNetworkTransactionTest,
-       UseAlternativeServiceForQuicWithNetworkIsolationKey) {
+       UseAlternativeServiceForQuicWithNetworkAnonymizationKey) {
   if (version_.AlpnDeferToRFCv1()) {
     // These versions currently do not support Alt-Svc.
     return;
@@ -2177,8 +2177,11 @@ TEST_P(QuicNetworkTransactionTest,
 
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   MockRead http_reads[] = {
       MockRead("HTTP/1.1 200 OK\r\n"), MockRead(alt_svc_header_.data()),
@@ -2188,7 +2191,7 @@ TEST_P(QuicNetworkTransactionTest,
 
   AddCertificate(&ssl_data_);
 
-  // Request with empty NetworkIsolationKey.
+  // Request with empty NetworkAnonymizationKey.
   StaticSocketDataProvider http_data1(http_reads, base::span<MockWrite>());
   socket_factory_.AddSocketDataProvider(&http_data1);
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
@@ -2235,18 +2238,22 @@ TEST_P(QuicNetworkTransactionTest,
   CreateSession();
 
   // This is first so that the test fails if alternative service info is
-  // written with the right NetworkIsolationKey, but always queried with an
+  // written with the right NetworkAnonymizationKey, but always queried with an
   // empty one.
   request_.network_isolation_key = NetworkIsolationKey();
+  request_.network_anonymization_key = NetworkAnonymizationKey();
   SendRequestAndExpectHttpResponse("hello world");
   request_.network_isolation_key = kNetworkIsolationKey1;
+  request_.network_anonymization_key = kNetworkAnonymizationKey1;
   SendRequestAndExpectHttpResponse("hello world");
   request_.network_isolation_key = kNetworkIsolationKey2;
+  request_.network_anonymization_key = kNetworkAnonymizationKey2;
   SendRequestAndExpectHttpResponse("hello world");
 
-  // Only use QUIC when using a NetworkIsolationKey which has been used when
+  // Only use QUIC when using a NetworkAnonymizationKey which has been used when
   // alternative service information was received.
   request_.network_isolation_key = kNetworkIsolationKey1;
+  request_.network_anonymization_key = kNetworkAnonymizationKey1;
   SendRequestAndExpectQuicResponse("hello!");
 }
 
@@ -2463,13 +2470,13 @@ TEST_P(QuicNetworkTransactionTest, SetAlternativeServiceWithScheme) {
   url::SchemeHostPort http_server("http", "mail.example.org", 443);
   url::SchemeHostPort https_server("https", "mail.example.org", 443);
   // Check alternative service is set for the correct origin.
-  EXPECT_EQ(
-      2u, http_server_properties
-              ->GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
-              .size());
+  EXPECT_EQ(2u, http_server_properties
+                    ->GetAlternativeServiceInfos(https_server,
+                                                 NetworkAnonymizationKey())
+                    .size());
   EXPECT_TRUE(
       http_server_properties
-          ->GetAlternativeServiceInfos(http_server, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(http_server, NetworkAnonymizationKey())
           .empty());
 }
 
@@ -2506,10 +2513,10 @@ TEST_P(QuicNetworkTransactionTest, DoNotGetAltSvcForDifferentOrigin) {
 
   const url::SchemeHostPort https_server(request_.url);
   // Check alternative service is set.
-  EXPECT_EQ(
-      2u, http_server_properties
-              ->GetAlternativeServiceInfos(https_server, NetworkIsolationKey())
-              .size());
+  EXPECT_EQ(2u, http_server_properties
+                    ->GetAlternativeServiceInfos(https_server,
+                                                 NetworkAnonymizationKey())
+                    .size());
 
   // Send http request to the same origin but with diffrent scheme, should not
   // use QUIC.
@@ -2579,7 +2586,7 @@ TEST_P(QuicNetworkTransactionTest,
   const url::SchemeHostPort https_server(request_.url);
   const AlternativeServiceInfoVector alt_svc_info_vector =
       session_->http_server_properties()->GetAlternativeServiceInfos(
-          https_server, NetworkIsolationKey());
+          https_server, NetworkAnonymizationKey());
   VerifyQuicVersionsInAlternativeServices(alt_svc_info_vector,
                                           supported_versions_);
 }
@@ -2971,14 +2978,16 @@ TEST_P(
 
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
+       // Need to partition connections by NetworkAnonymizationKey for
        // QuicSessionAliasKey to include NetworkIsolationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
@@ -3056,11 +3065,14 @@ TEST_P(
   // QUIC connection requires handshake to be confirmed and sends CHLO to the
   // peer.
   AddQuicAlternateProtocolMapping(
-      MockCryptoClientStream::COLD_START_WITH_CHLO_SENT, kNetworkIsolationKey1);
+      MockCryptoClientStream::COLD_START_WITH_CHLO_SENT,
+      kNetworkAnonymizationKey1);
   AddQuicAlternateProtocolMapping(
-      MockCryptoClientStream::COLD_START_WITH_CHLO_SENT, kNetworkIsolationKey2);
+      MockCryptoClientStream::COLD_START_WITH_CHLO_SENT,
+      kNetworkAnonymizationKey2);
 
   request_.network_isolation_key = kNetworkIsolationKey1;
+  request_.network_anonymization_key = kNetworkAnonymizationKey1;
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session_.get());
   TestCompletionCallback callback;
   int rv = trans.Start(&request_, callback.callback(), net_log_with_source_);
@@ -3080,8 +3092,8 @@ TEST_P(
 
   // The second connection hasn't finish handshake, verify that QUIC is not
   // marked as broken.
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey1);
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey2);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey1);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey2);
   // Explicitly confirm the handshake on the second connection.
   crypto_client_stream_factory_.last_stream()
       ->NotifySessionOneRttKeyAvailable();
@@ -3090,16 +3102,16 @@ TEST_P(
   base::RunLoop().RunUntilIdle();
 
   // Verify that QUIC is marked as broken for kNetworkIsolationKey1 only.
-  ExpectBrokenAlternateProtocolMapping(kNetworkIsolationKey1);
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey2);
+  ExpectBrokenAlternateProtocolMapping(kNetworkAnonymizationKey1);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey2);
 
   // Deliver a message to notify the new network becomes default, the previous
   // brokenness will be clear as the brokenness is bond with old default
   // network.
   scoped_mock_change_notifier_->mock_network_change_notifier()
       ->NotifyNetworkMadeDefault(kNewNetworkForTests);
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey1);
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey2);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey1);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey2);
 
   ASSERT_TRUE(quic_data2.AllReadDataConsumed());
   ASSERT_TRUE(quic_data2.AllWriteDataConsumed());
@@ -3686,7 +3698,7 @@ TEST_P(QuicNetworkTransactionTest,
   ASSERT_TRUE(http_data.AllReadDataConsumed());
 }
 
-// Much like above test, but verifies that NetworkIsolationKey is respected.
+// Much like above test, but verifies that NetworkAnonymizationKey is respected.
 TEST_P(QuicNetworkTransactionTest,
        ProtocolErrorAfterHandshakeConfirmedThenBrokenWithNetworkIsolationKey) {
   if (version_.AlpnDeferToRFCv1()) {
@@ -3695,8 +3707,10 @@ TEST_P(QuicNetworkTransactionTest,
   }
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
@@ -3772,13 +3786,14 @@ TEST_P(QuicNetworkTransactionTest,
   CreateSession();
 
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::ZERO_RTT,
-                                  kNetworkIsolationKey1);
+                                  kNetworkAnonymizationKey1);
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::ZERO_RTT,
-                                  kNetworkIsolationKey2);
+                                  kNetworkAnonymizationKey2);
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session_.get());
   TestCompletionCallback callback;
   request_.network_isolation_key = kNetworkIsolationKey1;
+  request_.network_anonymization_key = kNetworkAnonymizationKey1;
   int rv = trans.Start(&request_, callback.callback(), net_log_with_source_);
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -3806,19 +3821,21 @@ TEST_P(QuicNetworkTransactionTest,
 
   // The alternative service shouldhave been marked as broken under
   // kNetworkIsolationKey1 but not kNetworkIsolationKey2.
-  ExpectBrokenAlternateProtocolMapping(kNetworkIsolationKey1);
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey2);
+  ExpectBrokenAlternateProtocolMapping(kNetworkAnonymizationKey1);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey2);
 
   // Subsequent requests using kNetworkIsolationKey1 should not use QUIC.
   AddHttpDataAndRunRequest();
   // Requests using other NetworkIsolationKeys can still use QUIC.
   request_.network_isolation_key = kNetworkIsolationKey2;
+  request_.network_anonymization_key = kNetworkAnonymizationKey2;
+
   AddQuicDataAndRunRequest();
 
   // The last two requests should not have changed the alternative service
   // mappings.
-  ExpectBrokenAlternateProtocolMapping(kNetworkIsolationKey1);
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey2);
+  ExpectBrokenAlternateProtocolMapping(kNetworkAnonymizationKey1);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey2);
 }
 
 // Verify that with retry_without_alt_svc_on_quic_errors enabled, if a QUIC
@@ -3990,11 +4007,11 @@ TEST_P(QuicNetworkTransactionTest, RemoteAltSvcWorkingWhileLocalAltSvcBroken) {
           remote_alternative, expiration,
           context_.params()->supported_versions));
   http_server_properties_->SetAlternativeServices(url::SchemeHostPort(origin1),
-                                                  NetworkIsolationKey(),
+                                                  NetworkAnonymizationKey(),
                                                   alternative_services);
 
-  http_server_properties_->MarkAlternativeServiceBroken(local_alternative,
-                                                        NetworkIsolationKey());
+  http_server_properties_->MarkAlternativeServiceBroken(
+      local_alternative, NetworkAnonymizationKey());
 
   SendRequestAndExpectQuicResponse("hello!");
 }
@@ -4046,11 +4063,11 @@ TEST_P(QuicNetworkTransactionTest, BrokenAlternativeOnlyRecordedOnce) {
           local_alternative, expiration,
           context_.params()->supported_versions));
   http_server_properties_->SetAlternativeServices(url::SchemeHostPort(origin1),
-                                                  NetworkIsolationKey(),
+                                                  NetworkAnonymizationKey(),
                                                   alternative_services);
 
-  http_server_properties_->MarkAlternativeServiceBroken(local_alternative,
-                                                        NetworkIsolationKey());
+  http_server_properties_->MarkAlternativeServiceBroken(
+      local_alternative, NetworkAnonymizationKey());
 
   SendRequestAndExpectHttpResponse("hello world");
 
@@ -4174,13 +4191,13 @@ TEST_P(QuicNetworkTransactionTest,
   base::Time expiration = base::Time::Now() + base::Days(1);
   AlternativeService alternative1(kProtoQUIC, origin1.host(), 443);
   http_server_properties_->SetQuicAlternativeService(
-      url::SchemeHostPort(origin1), NetworkIsolationKey(), alternative1,
+      url::SchemeHostPort(origin1), NetworkAnonymizationKey(), alternative1,
       expiration, supported_versions_);
 
   // Set up alternative service for |origin2|.
   AlternativeService alternative2(kProtoQUIC, origin2.host(), 443);
   http_server_properties_->SetQuicAlternativeService(
-      url::SchemeHostPort(origin2), NetworkIsolationKey(), alternative2,
+      url::SchemeHostPort(origin2), NetworkAnonymizationKey(), alternative2,
       expiration, supported_versions_);
 
   // First request opens connection to |destination1|
@@ -4193,10 +4210,10 @@ TEST_P(QuicNetworkTransactionTest,
   request_.url = origin2;
   SendRequestAndExpectHttpResponse("hello world");
   EXPECT_FALSE(http_server_properties_->IsAlternativeServiceBroken(
-      alternative1, NetworkIsolationKey()))
+      alternative1, NetworkAnonymizationKey()))
       << alternative1.ToString();
   EXPECT_TRUE(http_server_properties_->IsAlternativeServiceBroken(
-      alternative2, NetworkIsolationKey()))
+      alternative2, NetworkAnonymizationKey()))
       << alternative2.ToString();
 
   // The third request should use a new TCP connection, not the broken
@@ -4390,7 +4407,7 @@ TEST_P(QuicNetworkTransactionTest, PoolByOrigin) {
   AlternativeService alternative_service(kProtoQUIC, destination1, 443);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties_->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       supported_versions_);
   // First request opens connection to |destination1|
   // with quic::QuicServerId.host() == kDefaultServerHostName.
@@ -4399,7 +4416,7 @@ TEST_P(QuicNetworkTransactionTest, PoolByOrigin) {
   // Set up alternative service entry to a different destination.
   alternative_service = AlternativeService(kProtoQUIC, destination2, 443);
   http_server_properties_->SetQuicAlternativeService(
-      server, NetworkIsolationKey(), alternative_service, expiration,
+      server, NetworkAnonymizationKey(), alternative_service, expiration,
       supported_versions_);
   // Second request pools to existing connection with same quic::QuicServerId,
   // even though alternative service destination is different.
@@ -4486,8 +4503,8 @@ TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
   AlternativeService alternative_service1(kProtoQUIC, destination1, 443);
   base::Time expiration = base::Time::Now() + base::Days(1);
   http_server_properties_->SetQuicAlternativeService(
-      url::SchemeHostPort(origin1), NetworkIsolationKey(), alternative_service1,
-      expiration, supported_versions_);
+      url::SchemeHostPort(origin1), NetworkAnonymizationKey(),
+      alternative_service1, expiration, supported_versions_);
 
   // Set up multiple alternative service entries for |origin2|,
   // the first one with a different destination as for |origin1|,
@@ -4504,7 +4521,7 @@ TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
           alternative_service1, expiration,
           context_.params()->supported_versions));
   http_server_properties_->SetAlternativeServices(url::SchemeHostPort(origin2),
-                                                  NetworkIsolationKey(),
+                                                  NetworkAnonymizationKey(),
                                                   alternative_services);
   // First request opens connection to |destination1|
   // with quic::QuicServerId.host() == origin1.host().
@@ -4659,7 +4676,7 @@ TEST_P(QuicNetworkTransactionTest, AlternativeServiceDifferentPort) {
   url::SchemeHostPort http_server("https", kDefaultServerHostName, 443);
   AlternativeServiceInfoVector alternative_service_info_vector =
       http_server_properties_->GetAlternativeServiceInfos(
-          http_server, NetworkIsolationKey());
+          http_server, NetworkAnonymizationKey());
   ASSERT_EQ(1u, alternative_service_info_vector.size());
   const AlternativeService alternative_service =
       alternative_service_info_vector[0].alternative_service();
@@ -4716,9 +4733,9 @@ TEST_P(QuicNetworkTransactionTest, ConfirmAlternativeService) {
   AlternativeService alternative_service(kProtoQUIC,
                                          HostPortPair::FromURL(request_.url));
   http_server_properties_->MarkAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey());
+      alternative_service, NetworkAnonymizationKey());
   EXPECT_TRUE(http_server_properties_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
 
   SendRequestAndExpectHttpResponse("hello world");
   SendRequestAndExpectQuicResponse("hello!");
@@ -4726,10 +4743,10 @@ TEST_P(QuicNetworkTransactionTest, ConfirmAlternativeService) {
   mock_quic_data.Resume();
 
   EXPECT_FALSE(http_server_properties_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, NetworkIsolationKey()));
+      alternative_service, NetworkAnonymizationKey()));
   EXPECT_NE(nullptr, http_server_properties_->GetServerNetworkStats(
                          url::SchemeHostPort("https", request_.url.host(), 443),
-                         NetworkIsolationKey()));
+                         NetworkAnonymizationKey()));
 }
 
 TEST_P(QuicNetworkTransactionTest,
@@ -4740,8 +4757,10 @@ TEST_P(QuicNetworkTransactionTest,
   }
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
@@ -4796,30 +4815,31 @@ TEST_P(QuicNetworkTransactionTest,
   AlternativeService alternative_service(kProtoQUIC,
                                          HostPortPair::FromURL(request_.url));
   http_server_properties_->MarkAlternativeServiceRecentlyBroken(
-      alternative_service, kNetworkIsolationKey1);
+      alternative_service, kNetworkAnonymizationKey1);
   http_server_properties_->MarkAlternativeServiceRecentlyBroken(
-      alternative_service, kNetworkIsolationKey2);
+      alternative_service, kNetworkAnonymizationKey2);
   EXPECT_TRUE(http_server_properties_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, kNetworkIsolationKey1));
+      alternative_service, kNetworkAnonymizationKey1));
   EXPECT_TRUE(http_server_properties_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, kNetworkIsolationKey2));
+      alternative_service, kNetworkAnonymizationKey2));
 
   request_.network_isolation_key = kNetworkIsolationKey1;
+  request_.network_anonymization_key = kNetworkAnonymizationKey1;
   SendRequestAndExpectHttpResponse("hello world");
   SendRequestAndExpectQuicResponse("hello!");
 
   mock_quic_data.Resume();
 
   EXPECT_FALSE(http_server_properties_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, kNetworkIsolationKey1));
+      alternative_service, kNetworkAnonymizationKey1));
   EXPECT_NE(nullptr, http_server_properties_->GetServerNetworkStats(
                          url::SchemeHostPort("https", request_.url.host(), 443),
-                         kNetworkIsolationKey1));
+                         kNetworkAnonymizationKey1));
   EXPECT_TRUE(http_server_properties_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, kNetworkIsolationKey2));
+      alternative_service, kNetworkAnonymizationKey2));
   EXPECT_EQ(nullptr, http_server_properties_->GetServerNetworkStats(
                          url::SchemeHostPort("https", request_.url.host(), 443),
-                         kNetworkIsolationKey2));
+                         kNetworkAnonymizationKey2));
 }
 
 TEST_P(QuicNetworkTransactionTest, UseAlternativeServiceForQuicForHttps) {
@@ -4982,7 +5002,7 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithHttpRace) {
 
   EXPECT_EQ(nullptr, http_server_properties_->GetServerNetworkStats(
                          url::SchemeHostPort("https", request_.url.host(), 443),
-                         NetworkIsolationKey()));
+                         NetworkAnonymizationKey()));
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithNoHttpRace) {
@@ -5647,8 +5667,10 @@ TEST_P(QuicNetworkTransactionTest,
        BrokenAlternateProtocolWithNetworkIsolationKey) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
@@ -5684,14 +5706,17 @@ TEST_P(QuicNetworkTransactionTest,
 
   CreateSession();
   AddQuicAlternateProtocolMapping(
-      MockCryptoClientStream::COLD_START_WITH_CHLO_SENT, kNetworkIsolationKey1);
+      MockCryptoClientStream::COLD_START_WITH_CHLO_SENT,
+      kNetworkAnonymizationKey1);
   AddQuicAlternateProtocolMapping(
-      MockCryptoClientStream::COLD_START_WITH_CHLO_SENT, kNetworkIsolationKey2);
+      MockCryptoClientStream::COLD_START_WITH_CHLO_SENT,
+      kNetworkAnonymizationKey2);
   request_.network_isolation_key = kNetworkIsolationKey1;
+  request_.network_anonymization_key = kNetworkAnonymizationKey1;
   SendRequestAndExpectHttpResponse("hello from http");
 
-  ExpectBrokenAlternateProtocolMapping(kNetworkIsolationKey1);
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey2);
+  ExpectBrokenAlternateProtocolMapping(kNetworkAnonymizationKey1);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey2);
 }
 
 TEST_P(QuicNetworkTransactionTest, BrokenAlternateProtocolReadError) {
@@ -5983,8 +6008,10 @@ TEST_P(QuicNetworkTransactionTest,
 
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   // Alternate-protocol job
   MockRead quic_reads[] = {
@@ -6010,28 +6037,31 @@ TEST_P(QuicNetworkTransactionTest,
   CreateSession();
 
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::ZERO_RTT,
-                                  kNetworkIsolationKey1);
+                                  kNetworkAnonymizationKey1);
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::ZERO_RTT,
-                                  kNetworkIsolationKey2);
+                                  kNetworkAnonymizationKey2);
 
   request_.network_isolation_key = kNetworkIsolationKey1;
+  request_.network_anonymization_key = kNetworkAnonymizationKey1;
   SendRequestAndExpectHttpResponse("hello from http");
   EXPECT_TRUE(quic_data.AllReadDataConsumed());
   EXPECT_TRUE(quic_data.AllWriteDataConsumed());
 
-  ExpectBrokenAlternateProtocolMapping(kNetworkIsolationKey1);
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey2);
+  ExpectBrokenAlternateProtocolMapping(kNetworkAnonymizationKey1);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey2);
 
   // Subsequent requests using kNetworkIsolationKey1 should not use QUIC.
   AddHttpDataAndRunRequest();
   // Requests using other NetworkIsolationKeys can still use QUIC.
   request_.network_isolation_key = kNetworkIsolationKey2;
+  request_.network_anonymization_key = kNetworkAnonymizationKey2;
+
   AddQuicDataAndRunRequest();
 
   // The last two requests should not have changed the alternative service
   // mappings.
-  ExpectBrokenAlternateProtocolMapping(kNetworkIsolationKey1);
-  ExpectQuicAlternateProtocolMapping(kNetworkIsolationKey2);
+  ExpectBrokenAlternateProtocolMapping(kNetworkAnonymizationKey1);
+  ExpectQuicAlternateProtocolMapping(kNetworkAnonymizationKey2);
 }
 
 TEST_P(QuicNetworkTransactionTest, BrokenAlternateProtocolOnConnectFailure) {
@@ -6766,14 +6796,23 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushRespectsNetworkIsolationKey) {
       NetworkIsolationKey::CreateTransient();
   NetworkIsolationKey network_isolation_key2 =
       NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key1 =
+      net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+          network_isolation_key1);
+  NetworkAnonymizationKey network_anonymization_key2 =
+      net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+          network_isolation_key2);
 
   // Creates the first QUIC session, and triggers the first push.
   request_.network_isolation_key = network_isolation_key1;
+  request_.network_anonymization_key = network_anonymization_key1;
+
   SendRequestAndExpectQuicResponse("hello1");
 
   // Use a different NIK, which creates another QUIC session, triggering a
   // second push,
   request_.network_isolation_key = network_isolation_key2;
+  request_.network_anonymization_key = network_anonymization_key2;
   SendRequestAndExpectQuicResponse("hello2");
 
   // Use the second NIK again, should receive the push body from the second
@@ -6784,6 +6823,7 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushRespectsNetworkIsolationKey) {
   // Use the first NIK again, should receive the push body from the first
   // session.
   request_.network_isolation_key = network_isolation_key1;
+  request_.network_anonymization_key = network_anonymization_key1;
   SendRequestAndExpectQuicResponse("and hello1");
 }
 
@@ -7100,7 +7140,7 @@ class QuicNetworkTransactionWithDestinationTest
     AlternativeService alternative_service(kProtoQUIC, destination);
     base::Time expiration = base::Time::Now() + base::Days(1);
     http_server_properties_.SetQuicAlternativeService(
-        url::SchemeHostPort("https", origin, 443), NetworkIsolationKey(),
+        url::SchemeHostPort("https", origin, 443), NetworkAnonymizationKey(),
         alternative_service, expiration, supported_versions_);
   }
 
@@ -8945,13 +8985,15 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushUpdatesPriority) {
   EXPECT_TRUE(mock_quic_data.AllWriteDataConsumed());
 }
 
-// Test that NetworkIsolationKey is respected by QUIC connections, when
+// Test that NetworkAnonymizationKey is respected by QUIC connections, when
 // kPartitionConnectionsByNetworkIsolationKey is enabled.
 TEST_P(QuicNetworkTransactionTest, NetworkIsolation) {
   const SchemefulSite kSite1(GURL("http://origin1/"));
   const SchemefulSite kSite2(GURL("http://origin2/"));
   NetworkIsolationKey network_isolation_key1(kSite1, kSite1);
   NetworkIsolationKey network_isolation_key2(kSite2, kSite2);
+  NetworkAnonymizationKey network_anonymization_key1(kSite1, kSite1);
+  NetworkAnonymizationKey network_anonymization_key2(kSite2, kSite2);
 
   context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
@@ -9199,6 +9241,7 @@ TEST_P(QuicNetworkTransactionTest, NetworkIsolation) {
       request1.traffic_annotation =
           net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
       request1.network_isolation_key = network_isolation_key1;
+      request1.network_anonymization_key = network_anonymization_key1;
       HttpNetworkTransaction trans1(LOWEST, session_.get());
       int rv = trans1.Start(&request1, callback.callback(), NetLogWithSource());
       EXPECT_THAT(callback.GetResult(rv), IsOk());
@@ -9212,6 +9255,7 @@ TEST_P(QuicNetworkTransactionTest, NetworkIsolation) {
       request2.traffic_annotation =
           net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
       request2.network_isolation_key = network_isolation_key2;
+      request2.network_anonymization_key = network_anonymization_key2;
       HttpNetworkTransaction trans2(LOWEST, session_.get());
       rv = trans2.Start(&request2, callback.callback(), NetLogWithSource());
       EXPECT_THAT(callback.GetResult(rv), IsOk());
@@ -9225,6 +9269,8 @@ TEST_P(QuicNetworkTransactionTest, NetworkIsolation) {
       request3.traffic_annotation =
           net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
       request3.network_isolation_key = network_isolation_key1;
+      request3.network_anonymization_key = network_anonymization_key1;
+
       HttpNetworkTransaction trans3(LOWEST, session_.get());
       rv = trans3.Start(&request3, callback.callback(), NetLogWithSource());
       EXPECT_THAT(callback.GetResult(rv), IsOk());
@@ -9341,6 +9387,7 @@ TEST_P(QuicNetworkTransactionTest, NetworkIsolationTunnel) {
   HttpRequestInfo request2;
   const SchemefulSite kSite1(GURL("http://origin1/"));
   request_.network_isolation_key = NetworkIsolationKey(kSite1, kSite1);
+  request_.network_anonymization_key = NetworkAnonymizationKey(kSite1, kSite1);
   HttpNetworkTransaction trans2(DEFAULT_PRIORITY, session_.get());
   RunTransaction(&trans2);
   CheckResponseData(&trans2, "0123456789");
@@ -9551,7 +9598,7 @@ TEST_P(QuicNetworkTransactionTest,
   ServerNetworkStats stats1;
   stats1.srtt = base::Microseconds(10);
   http_server_properties_->SetServerNetworkStats(
-      url::SchemeHostPort(request_.url), NetworkIsolationKey(), stats1);
+      url::SchemeHostPort(request_.url), NetworkAnonymizationKey(), stats1);
 
   // Set up request.
   request_.method = "POST";
diff --git a/chromium/net/quic/quic_proxy_client_socket.cc b/chromium/net/quic/quic_proxy_client_socket.cc
index 8ca0ef8d5a9..3c8e30ff472 100644
--- a/chromium/net/quic/quic_proxy_client_socket.cc
+++ b/chromium/net/quic/quic_proxy_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_proxy_client_socket.h b/chromium/net/quic/quic_proxy_client_socket.h
index f1b0e23ac8c..365aa365ee4 100644
--- a/chromium/net/quic/quic_proxy_client_socket.h
+++ b/chromium/net/quic/quic_proxy_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_proxy_client_socket_unittest.cc b/chromium/net/quic/quic_proxy_client_socket_unittest.cc
index 9dd9c00de60..db797f570fb 100644
--- a/chromium/net/quic/quic_proxy_client_socket_unittest.cc
+++ b/chromium/net/quic/quic_proxy_client_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -53,6 +53,7 @@
 #include "net/third_party/quiche/src/quiche/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/mock_clock.h"
+#include "net/third_party/quiche/src/quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/mock_random.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.h"
@@ -187,7 +188,7 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
         proxy_endpoint_(url::kHttpsScheme, kProxyHost, kProxyPort),
         destination_endpoint_(url::kHttpsScheme, kOriginHost, kOriginPort),
         http_auth_cache_(
-            false /* key_server_entries_by_network_isolation_key */),
+            false /* key_server_entries_by_network_anonymization_key */),
         host_resolver_(std::make_unique<MockCachingHostResolver>()),
         http_auth_handler_factory_(HttpAuthHandlerFactory::CreateDefault()) {
     FLAGS_quic_enable_http3_grease_randomness = false;
@@ -241,7 +242,8 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
         connection_id_, quic::QuicSocketAddress(),
         net::ToQuicSocketAddress(peer_addr_), helper_.get(),
         alarm_factory_.get(), writer, true /* owns_writer */,
-        quic::Perspective::IS_CLIENT, quic::test::SupportedVersions(version_));
+        quic::Perspective::IS_CLIENT, quic::test::SupportedVersions(version_),
+        connection_id_generator_);
     connection->set_visitor(&visitor_);
     quic::test::QuicConnectionPeer::SetSendAlgorithm(connection,
                                                      send_algorithm_);
@@ -264,7 +266,7 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
         &transport_security_state_, /*ssl_config_service=*/nullptr,
         base::WrapUnique(static_cast<QuicServerInfo*>(nullptr)),
         QuicSessionKey("mail.example.org", 80, PRIVACY_MODE_DISABLED,
-                       SocketTag(), NetworkIsolationKey(),
+                       SocketTag(), NetworkAnonymizationKey(),
                        SecureDnsPolicy::kAllow,
                        /*require_dns_https_alpn=*/false),
         /*require_confirmation=*/false,
@@ -325,7 +327,7 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
         NetLogWithSource::Make(NetLogSourceType::NONE),
         base::MakeRefCounted<HttpAuthController>(
             HttpAuth::AUTH_PROXY, proxy_endpoint_.GetURL(),
-            NetworkIsolationKey(), &http_auth_cache_,
+            NetworkAnonymizationKey(), &http_auth_cache_,
             http_auth_handler_factory_.get(), host_resolver_.get()),
         proxy_delegate_.get());
 
@@ -638,6 +640,7 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
   quic::test::MockRandom random_generator_{0};
   ProofVerifyDetailsChromium verify_details_;
   MockCryptoClientStreamFactory crypto_client_stream_factory_;
+  quic::test::MockConnectionIdGenerator connection_id_generator_;
 
   std::string user_agent_;
   url::SchemeHostPort proxy_endpoint_;
@@ -774,7 +777,7 @@ TEST_P(QuicProxyClientSocketTest, ConnectWithAuthCredentials) {
   const std::u16string kBar(u"bar");
   http_auth_cache_.Add(
       url::SchemeHostPort(GURL(kProxyUrl)), HttpAuth::AUTH_PROXY, "MyRealm1",
-      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
       "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar), "/");
 
   AssertConnectSucceeds();
diff --git a/chromium/net/quic/quic_server_info.cc b/chromium/net/quic/quic_server_info.cc
index bbf722884d0..627b2fd0888 100644
--- a/chromium/net/quic/quic_server_info.cc
+++ b/chromium/net/quic/quic_server_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_server_info.h b/chromium/net/quic/quic_server_info.h
index 5c02634ba23..d43162c6283 100644
--- a/chromium/net/quic/quic_server_info.h
+++ b/chromium/net/quic/quic_server_info.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_session_key.cc b/chromium/net/quic/quic_session_key.cc
index c67ec6df526..d3f6c224610 100644
--- a/chromium/net/quic/quic_session_key.cc
+++ b/chromium/net/quic/quic_session_key.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -12,62 +12,65 @@ namespace net {
 
 QuicSessionKey::QuicSessionKey() = default;
 
-QuicSessionKey::QuicSessionKey(const HostPortPair& host_port_pair,
-                               PrivacyMode privacy_mode,
-                               const SocketTag& socket_tag,
-                               const NetworkIsolationKey& network_isolation_key,
-                               SecureDnsPolicy secure_dns_policy,
-                               bool require_dns_https_alpn)
+QuicSessionKey::QuicSessionKey(
+    const HostPortPair& host_port_pair,
+    PrivacyMode privacy_mode,
+    const SocketTag& socket_tag,
+    const NetworkAnonymizationKey& network_anonymization_key,
+    SecureDnsPolicy secure_dns_policy,
+    bool require_dns_https_alpn)
     : QuicSessionKey(host_port_pair.host(),
                      host_port_pair.port(),
                      privacy_mode,
                      socket_tag,
-                     network_isolation_key,
+                     network_anonymization_key,
                      secure_dns_policy,
                      require_dns_https_alpn) {}
 
-QuicSessionKey::QuicSessionKey(const std::string& host,
-                               uint16_t port,
-                               PrivacyMode privacy_mode,
-                               const SocketTag& socket_tag,
-                               const NetworkIsolationKey& network_isolation_key,
-                               SecureDnsPolicy secure_dns_policy,
-                               bool require_dns_https_alpn)
+QuicSessionKey::QuicSessionKey(
+    const std::string& host,
+    uint16_t port,
+    PrivacyMode privacy_mode,
+    const SocketTag& socket_tag,
+    const NetworkAnonymizationKey& network_anonymization_key,
+    SecureDnsPolicy secure_dns_policy,
+    bool require_dns_https_alpn)
     : QuicSessionKey(
           // TODO(crbug.com/1103350): Handle non-boolean privacy modes.
           quic::QuicServerId(host, port, privacy_mode != PRIVACY_MODE_DISABLED),
           socket_tag,
-          network_isolation_key,
+          network_anonymization_key,
           secure_dns_policy,
           require_dns_https_alpn) {}
 
-QuicSessionKey::QuicSessionKey(const quic::QuicServerId& server_id,
-                               const SocketTag& socket_tag,
-                               const NetworkIsolationKey& network_isolation_key,
-                               SecureDnsPolicy secure_dns_policy,
-                               bool require_dns_https_alpn)
+QuicSessionKey::QuicSessionKey(
+    const quic::QuicServerId& server_id,
+    const SocketTag& socket_tag,
+    const NetworkAnonymizationKey& network_anonymization_key,
+    SecureDnsPolicy secure_dns_policy,
+    bool require_dns_https_alpn)
     : server_id_(server_id),
       socket_tag_(socket_tag),
-      network_isolation_key_(
+      network_anonymization_key_(
           base::FeatureList::IsEnabled(
               features::kPartitionConnectionsByNetworkIsolationKey)
-              ? network_isolation_key
-              : NetworkIsolationKey()),
+              ? network_anonymization_key
+              : NetworkAnonymizationKey()),
       secure_dns_policy_(secure_dns_policy),
       require_dns_https_alpn_(require_dns_https_alpn) {}
 
 QuicSessionKey::QuicSessionKey(const QuicSessionKey& other) = default;
 
 bool QuicSessionKey::operator<(const QuicSessionKey& other) const {
-  return std::tie(server_id_, socket_tag_, network_isolation_key_,
+  return std::tie(server_id_, socket_tag_, network_anonymization_key_,
                   secure_dns_policy_, require_dns_https_alpn_) <
          std::tie(other.server_id_, other.socket_tag_,
-                  other.network_isolation_key_, other.secure_dns_policy_,
+                  other.network_anonymization_key_, other.secure_dns_policy_,
                   other.require_dns_https_alpn_);
 }
 bool QuicSessionKey::operator==(const QuicSessionKey& other) const {
   return server_id_ == other.server_id_ && socket_tag_ == other.socket_tag_ &&
-         network_isolation_key_ == other.network_isolation_key_ &&
+         network_anonymization_key_ == other.network_anonymization_key_ &&
          secure_dns_policy_ == other.secure_dns_policy_ &&
          require_dns_https_alpn_ == other.require_dns_https_alpn_;
 }
@@ -76,7 +79,7 @@ bool QuicSessionKey::CanUseForAliasing(const QuicSessionKey& other) const {
   return server_id_.privacy_mode_enabled() ==
              other.server_id_.privacy_mode_enabled() &&
          socket_tag_ == other.socket_tag_ &&
-         network_isolation_key_ == other.network_isolation_key_ &&
+         network_anonymization_key_ == other.network_anonymization_key_ &&
          secure_dns_policy_ == other.secure_dns_policy_ &&
          require_dns_https_alpn_ == other.require_dns_https_alpn_;
 }
diff --git a/chromium/net/quic/quic_session_key.h b/chromium/net/quic/quic_session_key.h
index 09a2c8608e1..c8ce63b34d8 100644
--- a/chromium/net/quic/quic_session_key.h
+++ b/chromium/net/quic/quic_session_key.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,7 +6,7 @@
 #define NET_QUIC_QUIC_SESSION_KEY_H_
 
 #include "net/base/host_port_pair.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/socket/socket_tag.h"
@@ -22,19 +22,19 @@ class NET_EXPORT_PRIVATE QuicSessionKey {
   QuicSessionKey(const HostPortPair& host_port_pair,
                  PrivacyMode privacy_mode,
                  const SocketTag& socket_tag,
-                 const NetworkIsolationKey& network_isolation_key,
+                 const NetworkAnonymizationKey& network_anonymization_key,
                  SecureDnsPolicy secure_dns_policy,
                  bool require_dns_https_alpn);
   QuicSessionKey(const std::string& host,
                  uint16_t port,
                  PrivacyMode privacy_mode,
                  const SocketTag& socket_tag,
-                 const NetworkIsolationKey& network_isolation_key,
+                 const NetworkAnonymizationKey& network_anonymization_key,
                  SecureDnsPolicy secure_dns_policy,
                  bool require_dns_https_alpn);
   QuicSessionKey(const quic::QuicServerId& server_id,
                  const SocketTag& socket_tag,
-                 const NetworkIsolationKey& network_isolation_key,
+                 const NetworkAnonymizationKey& network_anonymization_key,
                  SecureDnsPolicy secure_dns_policy,
                  bool require_dns_https_alpn);
   QuicSessionKey(const QuicSessionKey& other);
@@ -65,8 +65,8 @@ class NET_EXPORT_PRIVATE QuicSessionKey {
 
   SocketTag socket_tag() const { return socket_tag_; }
 
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
 
   SecureDnsPolicy secure_dns_policy() const { return secure_dns_policy_; }
@@ -77,7 +77,7 @@ class NET_EXPORT_PRIVATE QuicSessionKey {
   quic::QuicServerId server_id_;
   SocketTag socket_tag_;
   // Used to separate requests made in different contexts.
-  NetworkIsolationKey network_isolation_key_;
+  NetworkAnonymizationKey network_anonymization_key_;
   SecureDnsPolicy secure_dns_policy_;
   bool require_dns_https_alpn_ = false;
 };
diff --git a/chromium/net/quic/quic_stream_factory.cc b/chromium/net/quic/quic_stream_factory.cc
index 4dae80305ba..cfe01eedcf1 100644
--- a/chromium/net/quic/quic_stream_factory.cc
+++ b/chromium/net/quic/quic_stream_factory.cc
@@ -1,10 +1,9 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/quic/quic_stream_factory.h"
 
-#include <algorithm>
 #include <memory>
 #include <set>
 #include <tuple>
@@ -38,7 +37,6 @@
 #include "net/base/net_errors.h"
 #include "net/base/trace_constants.h"
 #include "net/cert/cert_verifier.h"
-#include "net/dns/dns_alias_utility.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/log/net_log.h"
@@ -126,8 +124,8 @@ base::Value NetLogQuicStreamFactoryJobParams(
   dict.Set("port", key->server_id().port());
   dict.Set("privacy_mode",
            PrivacyModeToDebugString(key->session_key().privacy_mode()));
-  dict.Set("network_isolation_key",
-           key->session_key().network_isolation_key().ToDebugString());
+  dict.Set("network_anonymization_key",
+           key->session_key().network_anonymization_key().ToDebugString());
   return base::Value(std::move(dict));
 }
 
@@ -475,11 +473,7 @@ class QuicStreamFactory::Job {
     IPEndPoint stale_address =
         resolve_host_request_->GetAddressResults()->front();
 
-    if (std::find(endpoints.begin(), endpoints.end(), stale_address) !=
-        endpoints.end()) {
-      return true;
-    }
-    return false;
+    return base::Contains(endpoints, stale_address);
   }
 
   void LogStaleHostRacing(bool used) {
@@ -662,8 +656,14 @@ void QuicStreamFactory::Job::OnResolveHostComplete(int rv) {
       resolve_host_request_ = std::move(fresh_resolve_host_request_);
       io_state_ = STATE_RESOLVE_HOST_COMPLETE;
     } else if (factory_->HasMatchingIpSession(
-                   key_, *fresh_resolve_host_request_->GetAddressResults(),
+                   key_,
+                   HostResolver::GetNonProtocolEndpoints(
+                       *fresh_resolve_host_request_->GetEndpointResults()),
+                   *fresh_resolve_host_request_->GetDnsAliasResults(),
                    use_dns_aliases_)) {
+      // TODO(crbug.com/1264933): Consider dealing with the other
+      // endpoints with protocol metadata.
+
       // Session with resolved IP has already existed, so close racing
       // connection, run callback, and return.
       LogRacingStatus(ConnectionStateAfterDNS::kIpPooled);
@@ -750,8 +750,8 @@ int QuicStreamFactory::Job::DoResolveHost() {
   }
   parameters.secure_dns_policy = key_.session_key().secure_dns_policy();
   resolve_host_request_ = host_resolver_->CreateRequest(
-      key_.destination(), key_.session_key().network_isolation_key(), net_log_,
-      parameters);
+      key_.destination(), key_.session_key().network_anonymization_key(),
+      net_log_, parameters);
   // Unretained is safe because |this| owns the request, ensuring cancellation
   // on destruction.
   // When race_stale_dns_on_connection_ is on, this request will query for stale
@@ -777,8 +777,8 @@ int QuicStreamFactory::Job::DoResolveHost() {
   parameters.cache_usage =
       HostResolver::ResolveHostParameters::CacheUsage::DISALLOWED;
   fresh_resolve_host_request_ = host_resolver_->CreateRequest(
-      key_.destination(), key_.session_key().network_isolation_key(), net_log_,
-      parameters);
+      key_.destination(), key_.session_key().network_anonymization_key(),
+      net_log_, parameters);
   // Unretained is safe because |this| owns the request, ensuring cancellation
   // on destruction.
   // This request will only query fresh host resolution.
@@ -828,9 +828,13 @@ int QuicStreamFactory::Job::DoResolveHostComplete(int rv) {
 
   // Inform the factory of this resolution, which will set up
   // a session alias, if possible.
+  // TODO(crbug.com/1264933): Consider dealing with the other endpoints
+  // with protocol metadata.
   if (factory_->HasMatchingIpSession(
-          key_, *resolve_host_request_->GetAddressResults(),
-          use_dns_aliases_)) {
+          key_,
+          HostResolver::GetNonProtocolEndpoints(
+              *resolve_host_request_->GetEndpointResults()),
+          *resolve_host_request_->GetDnsAliasResults(), use_dns_aliases_)) {
     LogConnectionIpPooling(true);
     return OK;
   }
@@ -1005,8 +1009,9 @@ int QuicStreamFactory::Job::DoConfirmConnection(int rv) {
   DCHECK(!factory_->HasActiveSession(key_.session_key()));
   // There may well now be an active session for this IP.  If so, use the
   // existing session instead.
-  AddressList address(ToIPEndPoint(session_->connection()->peer_address()));
-  if (factory_->HasMatchingIpSession(key_, address, use_dns_aliases_)) {
+  if (factory_->HasMatchingIpSession(
+          key_, {ToIPEndPoint(session_->connection()->peer_address())},
+          /*aliases=*/{}, use_dns_aliases_)) {
     LogConnectionIpPooling(true);
     session_->connection()->CloseConnection(
         quic::QUIC_CONNECTION_IP_POOLED,
@@ -1040,7 +1045,7 @@ int QuicStreamRequest::Request(
     PrivacyMode privacy_mode,
     RequestPriority priority,
     const SocketTag& socket_tag,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     SecureDnsPolicy secure_dns_policy,
     bool use_dns_aliases,
     bool require_dns_https_alpn,
@@ -1061,7 +1066,7 @@ int QuicStreamRequest::Request(
       std::move(failed_on_default_network_callback);
 
   session_key_ = QuicSessionKey(HostPortPair::FromURL(url), privacy_mode,
-                                socket_tag, network_isolation_key,
+                                socket_tag, network_anonymization_key,
                                 secure_dns_policy, require_dns_https_alpn);
 
   int rv = factory_->Create(session_key_, std::move(destination), quic_version,
@@ -1138,13 +1143,13 @@ bool QuicStreamRequest::CanUseExistingSession(
     const GURL& url,
     PrivacyMode privacy_mode,
     const SocketTag& socket_tag,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     SecureDnsPolicy secure_dns_policy,
     bool require_dns_https_alpn,
     const url::SchemeHostPort& destination) const {
   return factory_->CanUseExistingSession(
       QuicSessionKey(HostPortPair::FromURL(url), privacy_mode, socket_tag,
-                     network_isolation_key, secure_dns_policy,
+                     network_anonymization_key, secure_dns_policy,
                      require_dns_https_alpn),
       destination);
 }
@@ -1210,13 +1215,13 @@ QuicStreamFactory::QuicStreamFactory(
       default_network_(handles::kInvalidNetworkHandle),
       connectivity_monitor_(default_network_),
       ssl_config_service_(ssl_config_service),
-      use_network_isolation_key_for_crypto_configs_(
+      use_network_anonymization_key_for_crypto_configs_(
           base::FeatureList::IsEnabled(
               features::kPartitionHttpServerPropertiesByNetworkIsolationKey)) {
   DCHECK(transport_security_state_);
   DCHECK(http_server_properties_);
   if (params_.disable_tls_zero_rtt)
-    SetQuicFlag(FLAGS_quic_disable_client_tls_zero_rtt, true);
+    SetQuicFlag(quic_disable_client_tls_zero_rtt, true);
   InitializeMigrationOptions();
 }
 
@@ -1338,7 +1343,7 @@ int QuicStreamFactory::Create(const QuicSessionKey& session_key,
   QuicSessionAliasKey key(destination, session_key);
   std::unique_ptr<Job> job = std::make_unique<Job>(
       this, quic_version, host_resolver_, key,
-      CreateCryptoConfigHandle(session_key.network_isolation_key()),
+      CreateCryptoConfigHandle(session_key.network_anonymization_key()),
       WasQuicRecentlyBroken(session_key),
       params_.retry_on_alternate_network_before_handshake,
       params_.race_stale_dns_on_connection, priority, use_dns_aliases,
@@ -1711,9 +1716,9 @@ base::TimeDelta QuicStreamFactory::GetTimeDelayForWaitingJob(
     return base::TimeDelta();
   }
 
-  int64_t srtt =
-      1.5 * GetServerNetworkStatsSmoothedRttInMicroseconds(
-                session_key.server_id(), session_key.network_isolation_key());
+  int64_t srtt = 1.5 * GetServerNetworkStatsSmoothedRttInMicroseconds(
+                           session_key.server_id(),
+                           session_key.network_anonymization_key());
   // Picked 300ms based on mean time from
   // Net.QuicSession.HostResolution.HandshakeConfirmedTime histogram.
   const int kDefaultRTT = 300 * quic::kNumMicrosPerMilli;
@@ -1734,12 +1739,14 @@ const std::set<std::string>& QuicStreamFactory::GetDnsAliasesForSessionKey(
   return it->second;
 }
 
-bool QuicStreamFactory::HasMatchingIpSession(const QuicSessionAliasKey& key,
-                                             const AddressList& address_list,
-                                             bool use_dns_aliases) {
+bool QuicStreamFactory::HasMatchingIpSession(
+    const QuicSessionAliasKey& key,
+    const std::vector<IPEndPoint>& ip_endpoints,
+    const std::set<std::string>& aliases,
+    bool use_dns_aliases) {
   const quic::QuicServerId& server_id(key.server_id());
   DCHECK(!HasActiveSession(key.session_key()));
-  for (const IPEndPoint& address : address_list) {
+  for (const auto& address : ip_endpoints) {
     if (!base::Contains(ip_aliases_, address))
       continue;
 
@@ -1751,9 +1758,7 @@ bool QuicStreamFactory::HasMatchingIpSession(const QuicSessionAliasKey& key,
 
       std::set<std::string> dns_aliases;
       if (use_dns_aliases) {
-        base::ranges::copy(address_list.dns_aliases(),
-                           std::inserter(dns_aliases, dns_aliases.end()));
-        dns_aliases = dns_alias_utility::FixUpDnsAliases(dns_aliases);
+        dns_aliases = aliases;
       }
 
       MapSessionToAliasKey(session, key, std::move(dns_aliases));
@@ -1852,11 +1857,11 @@ int QuicStreamFactory::CreateSession(const QuicSessionAliasKey& key,
   std::unique_ptr<QuicServerInfo> server_info;
   if (params_.max_server_configs_stored_in_properties > 0) {
     server_info = std::make_unique<PropertiesBasedQuicServerInfo>(
-        server_id, key.session_key().network_isolation_key(),
+        server_id, key.session_key().network_anonymization_key(),
         http_server_properties_);
   }
   std::unique_ptr<CryptoClientConfigHandle> crypto_config_handle =
-      CreateCryptoConfigHandle(key.session_key().network_isolation_key());
+      CreateCryptoConfigHandle(key.session_key().network_anonymization_key());
   InitializeCachedStateInCryptoConfig(*crypto_config_handle, server_id,
                                       server_info);
 
@@ -1865,13 +1870,13 @@ int QuicStreamFactory::CreateSession(const QuicSessionAliasKey& key,
   quic::QuicConnection* connection = new quic::QuicConnection(
       connection_id, quic::QuicSocketAddress(), ToQuicSocketAddress(addr),
       helper_.get(), alarm_factory_.get(), writer, true /* owns_writer */,
-      quic::Perspective::IS_CLIENT, {quic_version});
+      quic::Perspective::IS_CLIENT, {quic_version}, connection_id_generator_);
   connection->set_keep_alive_ping_timeout(ping_timeout_);
   connection->SetMaxPacketLength(params_.max_packet_length);
 
   quic::QuicConfig config = config_;
   ConfigureInitialRttEstimate(
-      server_id, key.session_key().network_isolation_key(), &config);
+      server_id, key.session_key().network_anonymization_key(), &config);
   // QUIC versions that use the IETF invariant header all have NSTP
   // enabled by default, so we only need to add it for those that don't.
   if (!quic_version.HasIetfInvariantHeader() &&
@@ -1963,10 +1968,10 @@ void QuicStreamFactory::MarkAllActiveSessionsGoingAway(
 
 void QuicStreamFactory::ConfigureInitialRttEstimate(
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     quic::QuicConfig* config) {
   const base::TimeDelta* srtt =
-      GetServerNetworkStatsSmoothedRtt(server_id, network_isolation_key);
+      GetServerNetworkStatsSmoothedRtt(server_id, network_anonymization_key);
   // Sometimes *srtt is negative. See https://crbug.com/1225616.
   // TODO(ricea): When the root cause of the negative value is fixed, change the
   // non-negative assertion to a DCHECK.
@@ -1999,19 +2004,19 @@ void QuicStreamFactory::ConfigureInitialRttEstimate(
 
 int64_t QuicStreamFactory::GetServerNetworkStatsSmoothedRttInMicroseconds(
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key) const {
+    const NetworkAnonymizationKey& network_anonymization_key) const {
   const base::TimeDelta* srtt =
-      GetServerNetworkStatsSmoothedRtt(server_id, network_isolation_key);
+      GetServerNetworkStatsSmoothedRtt(server_id, network_anonymization_key);
   return srtt == nullptr ? 0 : srtt->InMicroseconds();
 }
 
 const base::TimeDelta* QuicStreamFactory::GetServerNetworkStatsSmoothedRtt(
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key) const {
+    const NetworkAnonymizationKey& network_anonymization_key) const {
   url::SchemeHostPort server("https", server_id.host(), server_id.port());
   const ServerNetworkStats* stats =
       http_server_properties_->GetServerNetworkStats(server,
-                                                     network_isolation_key);
+                                                     network_anonymization_key);
   if (stats == nullptr)
     return nullptr;
   return &(stats->srtt);
@@ -2023,7 +2028,7 @@ bool QuicStreamFactory::WasQuicRecentlyBroken(
       kProtoQUIC, HostPortPair(session_key.server_id().host(),
                                session_key.server_id().port()));
   return http_server_properties_->WasAlternativeServiceRecentlyBroken(
-      alternative_service, session_key.network_isolation_key());
+      alternative_service, session_key.network_anonymization_key());
 }
 
 void QuicStreamFactory::InitializeMigrationOptions() {
@@ -2140,25 +2145,25 @@ void QuicStreamFactory::ProcessGoingAwaySession(
   // Do nothing if QUIC is currently marked as broken.
   if (http_server_properties_->IsAlternativeServiceBroken(
           alternative_service,
-          session->quic_session_key().network_isolation_key())) {
+          session->quic_session_key().network_anonymization_key())) {
     return;
   }
 
   if (session->OneRttKeysAvailable()) {
     http_server_properties_->ConfirmAlternativeService(
         alternative_service,
-        session->quic_session_key().network_isolation_key());
+        session->quic_session_key().network_anonymization_key());
     ServerNetworkStats network_stats;
     network_stats.srtt = base::Microseconds(stats.srtt_us);
     network_stats.bandwidth_estimate = stats.estimated_bandwidth;
     http_server_properties_->SetServerNetworkStats(
-        server, session->quic_session_key().network_isolation_key(),
+        server, session->quic_session_key().network_anonymization_key(),
         network_stats);
     return;
   }
 
   http_server_properties_->ClearServerNetworkStats(
-      server, session->quic_session_key().network_isolation_key());
+      server, session->quic_session_key().network_anonymization_key());
 
   UMA_HISTOGRAM_COUNTS_1M("Net.QuicHandshakeNotConfirmedNumPacketsReceived",
                           stats.packets_received);
@@ -2178,7 +2183,8 @@ void QuicStreamFactory::ProcessGoingAwaySession(
   // avoid not using QUIC when we otherwise could, we mark it as recently
   // broken, which means that 0-RTT will be disabled but we'll still race.
   http_server_properties_->MarkAlternativeServiceRecentlyBroken(
-      alternative_service, session->quic_session_key().network_isolation_key());
+      alternative_service,
+      session->quic_session_key().network_anonymization_key());
 }
 
 void QuicStreamFactory::MapSessionToAliasKey(
@@ -2198,21 +2204,22 @@ void QuicStreamFactory::UnmapSessionFromSessionAliases(
 
 std::unique_ptr<QuicStreamFactory::CryptoClientConfigHandle>
 QuicStreamFactory::CreateCryptoConfigHandle(
-    const NetworkIsolationKey& network_isolation_key) {
-  NetworkIsolationKey actual_network_isolation_key =
-      use_network_isolation_key_for_crypto_configs_ ? network_isolation_key
-                                                    : NetworkIsolationKey();
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  NetworkAnonymizationKey actual_network_anonymization_key =
+      use_network_anonymization_key_for_crypto_configs_
+          ? network_anonymization_key
+          : NetworkAnonymizationKey();
 
   // If there's a matching entry in |active_crypto_config_map_|, create a
   // CryptoClientConfigHandle for it.
   auto map_iterator =
-      active_crypto_config_map_.find(actual_network_isolation_key);
+      active_crypto_config_map_.find(actual_network_anonymization_key);
   if (map_iterator != active_crypto_config_map_.end()) {
     DCHECK_GT(map_iterator->second->num_refs(), 0);
 
     // If there's an active matching crypto config, there shouldn't also be an
     // inactive matching crypto config.
-    DCHECK(recent_crypto_config_map_.Peek(actual_network_isolation_key) ==
+    DCHECK(recent_crypto_config_map_.Peek(actual_network_anonymization_key) ==
            recent_crypto_config_map_.end());
 
     return std::make_unique<CryptoClientConfigHandle>(map_iterator);
@@ -2221,12 +2228,12 @@ QuicStreamFactory::CreateCryptoConfigHandle(
   // If there's a matching entry in |recent_crypto_config_map_|, move it to
   // |active_crypto_config_map_| and create a CryptoClientConfigHandle for it.
   auto mru_iterator =
-      recent_crypto_config_map_.Peek(actual_network_isolation_key);
+      recent_crypto_config_map_.Peek(actual_network_anonymization_key);
   if (mru_iterator != recent_crypto_config_map_.end()) {
     DCHECK_EQ(mru_iterator->second->num_refs(), 0);
 
     map_iterator = active_crypto_config_map_
-                       .emplace(std::make_pair(actual_network_isolation_key,
+                       .emplace(std::make_pair(actual_network_anonymization_key,
                                                std::move(mru_iterator->second)))
                        .first;
     recent_crypto_config_map_.Erase(mru_iterator);
@@ -2241,7 +2248,7 @@ QuicStreamFactory::CreateCryptoConfigHandle(
               cert_verifier_, ct_policy_enforcer_, transport_security_state_,
               sct_auditing_delegate_,
               HostsFromOrigins(params_.origins_to_force_quic_on),
-              actual_network_isolation_key),
+              actual_network_anonymization_key),
           std::make_unique<quic::QuicClientSessionCache>(), this);
 
   quic::QuicCryptoClientConfig* crypto_config = crypto_config_owner->config();
@@ -2266,7 +2273,7 @@ QuicStreamFactory::CreateCryptoConfigHandle(
   }
 
   map_iterator = active_crypto_config_map_
-                     .emplace(std::make_pair(actual_network_isolation_key,
+                     .emplace(std::make_pair(actual_network_anonymization_key,
                                              std::move(crypto_config_owner)))
                      .first;
   return std::make_unique<CryptoClientConfigHandle>(map_iterator);
@@ -2291,24 +2298,25 @@ void QuicStreamFactory::CollectDataOnPlatformNotification(
 
 std::unique_ptr<QuicCryptoClientConfigHandle>
 QuicStreamFactory::GetCryptoConfigForTesting(
-    const NetworkIsolationKey& network_isolation_key) {
-  return CreateCryptoConfigHandle(network_isolation_key);
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  return CreateCryptoConfigHandle(network_anonymization_key);
 }
 
 bool QuicStreamFactory::CryptoConfigCacheIsEmptyForTesting(
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   quic::QuicCryptoClientConfig::CachedState* cached = nullptr;
-  NetworkIsolationKey actual_network_isolation_key =
-      use_network_isolation_key_for_crypto_configs_ ? network_isolation_key
-                                                    : NetworkIsolationKey();
+  NetworkAnonymizationKey actual_network_anonymization_key =
+      use_network_anonymization_key_for_crypto_configs_
+          ? network_anonymization_key
+          : NetworkAnonymizationKey();
   auto map_iterator =
-      active_crypto_config_map_.find(actual_network_isolation_key);
+      active_crypto_config_map_.find(actual_network_anonymization_key);
   if (map_iterator != active_crypto_config_map_.end()) {
     cached = map_iterator->second->config()->LookupOrCreate(server_id);
   } else {
     auto mru_iterator =
-        recent_crypto_config_map_.Peek(actual_network_isolation_key);
+        recent_crypto_config_map_.Peek(actual_network_anonymization_key);
     if (mru_iterator != recent_crypto_config_map_.end()) {
       cached = mru_iterator->second->config()->LookupOrCreate(server_id);
     }
diff --git a/chromium/net/quic/quic_stream_factory.h b/chromium/net/quic/quic_stream_factory.h
index c19c053629a..c7d074ad37f 100644
--- a/chromium/net/quic/quic_stream_factory.h
+++ b/chromium/net/quic/quic_stream_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -23,6 +23,7 @@
 #include "net/base/address_list.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/host_port_pair.h"
+#include "net/base/ip_endpoint.h"
 #include "net/base/net_export.h"
 #include "net/base/network_change_notifier.h"
 #include "net/base/network_handle.h"
@@ -41,7 +42,9 @@
 #include "net/quic/quic_session_key.h"
 #include "net/socket/client_socket_pool.h"
 #include "net/ssl/ssl_config_service.h"
+#include "net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_config.h"
+#include "net/third_party/quiche/src/quiche/quic/core/quic_connection_id.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_server_id.h"
@@ -54,9 +57,12 @@ class Value;
 namespace quic {
 class QuicAlarmFactory;
 class QuicClock;
-class QuicRandom;
 }  // namespace quic
 
+namespace quiche {
+class QuicRandom;
+}  // namespace quiche
+
 namespace net {
 
 class CTPolicyEnforcer;
@@ -65,7 +71,7 @@ class ClientSocketFactory;
 class HostResolver;
 class HttpServerProperties;
 class NetLog;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class QuicChromiumConnectionHelper;
 class QuicCryptoClientStreamFactory;
 class QuicServerInfo;
@@ -85,8 +91,8 @@ class QuicStreamFactoryPeer;
 //
 // TODO(mmenke): Should figure out a reasonable value of this, using field
 // trials. The optimal value may increase over time, as QUIC becomes more
-// prevalent. Whether or not NetworkIsolationKeys end up including subframe URLs
-// will also influence the ideal value.
+// prevalent. Whether or not NetworkAnonymizationKeys end up including subframe
+// URLs will also influence the ideal value.
 const int kMaxRecentCryptoConfigs = 100;
 
 enum QuicPlatformNotification {
@@ -129,7 +135,7 @@ class NET_EXPORT_PRIVATE QuicStreamRequest {
               PrivacyMode privacy_mode,
               RequestPriority priority,
               const SocketTag& socket_tag,
-              const NetworkIsolationKey& network_isolation_key,
+              const NetworkAnonymizationKey& network_anonymization_key,
               SecureDnsPolicy secure_dns_policy,
               bool use_dns_aliases,
               bool require_dns_https_alpn,
@@ -184,13 +190,14 @@ class NET_EXPORT_PRIVATE QuicStreamRequest {
 
   const NetLogWithSource& net_log() const { return net_log_; }
 
-  bool CanUseExistingSession(const GURL& url,
-                             PrivacyMode privacy_mode,
-                             const SocketTag& socket_tag,
-                             const NetworkIsolationKey& network_isolation_key,
-                             SecureDnsPolicy secure_dns_policy,
-                             bool require_dns_https_alpn,
-                             const url::SchemeHostPort& destination) const;
+  bool CanUseExistingSession(
+      const GURL& url,
+      PrivacyMode privacy_mode,
+      const SocketTag& socket_tag,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      SecureDnsPolicy secure_dns_policy,
+      bool require_dns_https_alpn,
+      const url::SchemeHostPort& destination) const;
 
  private:
   raw_ptr<QuicStreamFactory> factory_;
@@ -401,11 +408,12 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   using DnsAliasesBySessionKeyMap =
       std::map<QuicSessionKey, std::set<std::string>>;
   using QuicCryptoClientConfigMap =
-      std::map<NetworkIsolationKey,
+      std::map<NetworkAnonymizationKey,
                std::unique_ptr<QuicCryptoClientConfigOwner>>;
 
   bool HasMatchingIpSession(const QuicSessionAliasKey& key,
-                            const AddressList& address_list,
+                            const std::vector<IPEndPoint>& ip_endpoints,
+                            const std::set<std::string>& aliases,
                             bool use_dns_aliases);
   void OnJobComplete(Job* job, int rv);
   bool HasActiveSession(const QuicSessionKey& session_key) const;
@@ -429,7 +437,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
 
   void ConfigureInitialRttEstimate(
       const quic::QuicServerId& server_id,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       quic::QuicConfig* config);
 
   // Returns |srtt| in micro seconds from ServerNetworkStats. Returns 0 if there
@@ -437,14 +445,14 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   // have ServerNetworkStats for the given |server_id|.
   int64_t GetServerNetworkStatsSmoothedRttInMicroseconds(
       const quic::QuicServerId& server_id,
-      const NetworkIsolationKey& network_isolation_key) const;
+      const NetworkAnonymizationKey& network_anonymization_key) const;
 
   // Returns |srtt| from ServerNetworkStats. Returns null if there
   // is no |http_server_properties_| or if |http_server_properties_| doesn't
   // have ServerNetworkStats for the given |server_id|.
   const base::TimeDelta* GetServerNetworkStatsSmoothedRtt(
       const quic::QuicServerId& server_id,
-      const NetworkIsolationKey& network_isolation_key) const;
+      const NetworkAnonymizationKey& network_anonymization_key) const;
 
   // Helper methods.
   bool WasQuicRecentlyBroken(const QuicSessionKey& session_key) const;
@@ -481,13 +489,14 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   // `session` from `session_aliases_`.
   void UnmapSessionFromSessionAliases(QuicChromiumClientSession* session);
 
-  // Creates a CreateCryptoConfigHandle for the specified NetworkIsolationKey.
-  // If there's already a corresponding entry in |active_crypto_config_map_|,
-  // reuses it. If there's a corresponding entry in |recent_crypto_config_map_|,
-  // promotes it to |active_crypto_config_map_| and then reuses it. Otherwise,
-  // creates a new entry in |active_crypto_config_map_|.
+  // Creates a CreateCryptoConfigHandle for the specified
+  // NetworkAnonymizationKey. If there's already a corresponding entry in
+  // |active_crypto_config_map_|, reuses it. If there's a corresponding entry in
+  // |recent_crypto_config_map_|, promotes it to |active_crypto_config_map_| and
+  // then reuses it. Otherwise, creates a new entry in
+  // |active_crypto_config_map_|.
   std::unique_ptr<CryptoClientConfigHandle> CreateCryptoConfigHandle(
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Salled when the indicated member of |active_crypto_config_map_| has no
   // outstanding references. The QuicCryptoClientConfigOwner is then moved to
@@ -504,11 +513,11 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
       handles::NetworkHandle affected_network) const;
 
   std::unique_ptr<QuicCryptoClientConfigHandle> GetCryptoConfigForTesting(
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   bool CryptoConfigCacheIsEmptyForTesting(
       const quic::QuicServerId& server_id,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   const quic::ParsedQuicVersionVector& supported_versions() const {
     return params_.supported_versions;
@@ -570,9 +579,9 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   // |recent_crypto_config_map_|. If reused before it is evicted from LRUCache,
   // it will be removed from the cache and return to the active config map.
   // These two maps should never both have entries with the same
-  // NetworkIsolationKey.
+  // NetworkAnonymizationKey.
   QuicCryptoClientConfigMap active_crypto_config_map_;
-  base::LRUCache<NetworkIsolationKey,
+  base::LRUCache<NetworkAnonymizationKey,
                  std::unique_ptr<QuicCryptoClientConfigOwner>>
       recent_crypto_config_map_;
 
@@ -617,15 +626,18 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
 
   const raw_ptr<SSLConfigService> ssl_config_service_;
 
-  // Whether NetworkIsolationKeys should be used for
+  // Whether NetworkAnonymizationKeys should be used for
   // |active_crypto_config_map_|. If false, there will just be one config with
-  // an empty NetworkIsolationKey. Whether QuicSessionAliasKeys all have an
+  // an empty NetworkAnonymizationKey. Whether QuicSessionAliasKeys all have an
   // empty NIK is based on whether socket pools are respecting NIKs, but whether
   // those NIKs are also used when accessing |active_crypto_config_map_| is also
   // gated this, which is set based on whether HttpServerProperties is
   // respecting NIKs, as that data is fed into the crypto config map using the
   // corresponding NIK.
-  const bool use_network_isolation_key_for_crypto_configs_;
+  const bool use_network_anonymization_key_for_crypto_configs_;
+
+  quic::DeterministicConnectionIdGenerator connection_id_generator_{
+      quic::kQuicDefaultConnectionIdLength};
 
   base::WeakPtrFactory<QuicStreamFactory> weak_factory_{this};
 };
diff --git a/chromium/net/quic/quic_stream_factory_fuzzer.cc b/chromium/net/quic/quic_stream_factory_fuzzer.cc
index c5c56bd7af4..0534ed43bcf 100644
--- a/chromium/net/quic/quic_stream_factory_fuzzer.cc
+++ b/chromium/net/quic/quic_stream_factory_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,7 +7,9 @@
 #include <fuzzer/FuzzedDataProvider.h>
 
 #include "base/cxx17_backports.h"
-#include "net/base/network_isolation_key.h"
+#include "base/no_destructor.h"
+#include "base/threading/sequenced_task_runner_handle.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/do_nothing_ct_verifier.h"
@@ -15,6 +17,7 @@
 #include "net/cert/x509_certificate.h"
 #include "net/dns/context_host_resolver.h"
 #include "net/dns/fuzzed_host_resolver_util.h"
+#include "net/dns/host_resolver_system_task.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/http/http_server_properties.h"
 #include "net/http/transport_security_state.h"
@@ -53,9 +56,14 @@ const char kMethod[] = "GET";
 const size_t kBufferSize = 4096;
 const int kCertVerifyFlags = 0;
 
-// Static initialization for persistent factory data
-struct Env {
-  Env() : scheme_host_port(url::kHttpsScheme, kServerHostName, kServerPort) {
+// Persistent factory data, statically initialized on the first time
+// LLVMFuzzerTestOneInput is called.
+struct FuzzerEnvironment {
+  FuzzerEnvironment()
+      : scheme_host_port(url::kHttpsScheme, kServerHostName, kServerPort) {
+    net::SetSystemDnsResolutionTaskRunnerForTesting(  // IN-TEST
+        base::SequencedTaskRunnerHandle::Get());
+
     quic_context.AdvanceTime(quic::QuicTime::Delta::FromSeconds(1));
     ssl_config_service = std::make_unique<SSLConfigServiceDefaults>();
     crypto_client_stream_factory.set_use_mock_crypter(true);
@@ -65,6 +73,7 @@ struct Env {
     CHECK(verify_details.cert_verify_result.verified_cert);
     verify_details.cert_verify_result.is_issued_by_known_root = true;
   }
+  ~FuzzerEnvironment() = default;
 
   std::unique_ptr<SSLConfigService> ssl_config_service;
   ProofVerifyDetailsChromium verify_details;
@@ -79,11 +88,16 @@ struct Env {
   MockQuicContext quic_context;
 };
 
-static struct Env* env = new Env();
+FuzzerEnvironment* GetFuzzerEnvironment() {
+  static base::NoDestructor<FuzzerEnvironment> fuzzer_environment;
+  return &*fuzzer_environment;
+}
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   FuzzedDataProvider data_provider(data, size);
 
+  FuzzerEnvironment* env = GetFuzzerEnvironment();
+
   std::unique_ptr<ContextHostResolver> host_resolver =
       CreateFuzzedContextHostResolver(HostResolver::ManagerOptions(), nullptr,
                                       &data_provider,
@@ -145,7 +159,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   request.Request(
       env->scheme_host_port, version, PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY,
-      SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       true /* use_dns_aliases */, false /* require_dns_https_alpn */,
       kCertVerifyFlags, GURL(kUrl), env->net_log, &net_error_details,
       /*failed_on_default_network_callback=*/CompletionOnceCallback(),
diff --git a/chromium/net/quic/quic_stream_factory_peer.cc b/chromium/net/quic/quic_stream_factory_peer.cc
index 8774aee82fb..fda889205e3 100644
--- a/chromium/net/quic/quic_stream_factory_peer.cc
+++ b/chromium/net/quic/quic_stream_factory_peer.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -31,24 +31,26 @@ const quic::QuicConfig* QuicStreamFactoryPeer::GetConfig(
 std::unique_ptr<QuicCryptoClientConfigHandle>
 QuicStreamFactoryPeer::GetCryptoConfig(
     QuicStreamFactory* factory,
-    const NetworkIsolationKey& network_isolation_key) {
-  return factory->GetCryptoConfigForTesting(network_isolation_key);
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  return factory->GetCryptoConfigForTesting(network_anonymization_key);
 }
 
 bool QuicStreamFactoryPeer::HasActiveSession(
     QuicStreamFactory* factory,
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key) {
-  return factory->HasActiveSession(QuicSessionKey(
-      server_id, SocketTag(), network_isolation_key, SecureDnsPolicy::kAllow,
-      /*require_dns_https_alpn=*/false));
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  return factory->HasActiveSession(
+      QuicSessionKey(server_id, SocketTag(), network_anonymization_key,
+                     SecureDnsPolicy::kAllow,
+                     /*require_dns_https_alpn=*/false));
 }
 
 bool QuicStreamFactoryPeer::HasActiveJob(QuicStreamFactory* factory,
                                          const quic::QuicServerId& server_id) {
-  return factory->HasActiveJob(QuicSessionKey(
-      server_id, SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
-      /*require_dns_https_alpn=*/false));
+  return factory->HasActiveJob(
+      QuicSessionKey(server_id, SocketTag(), NetworkAnonymizationKey(),
+                     SecureDnsPolicy::kAllow,
+                     /*require_dns_https_alpn=*/false));
 }
 
 // static
@@ -56,7 +58,7 @@ QuicChromiumClientSession* QuicStreamFactoryPeer::GetPendingSession(
     QuicStreamFactory* factory,
     const quic::QuicServerId& server_id,
     url::SchemeHostPort destination) {
-  QuicSessionKey session_key(server_id, SocketTag(), NetworkIsolationKey(),
+  QuicSessionKey session_key(server_id, SocketTag(), NetworkAnonymizationKey(),
                              SecureDnsPolicy::kAllow,
                              /*require_dns_https_alpn=*/false);
   QuicStreamFactory::QuicSessionAliasKey key(std::move(destination),
@@ -70,8 +72,8 @@ QuicChromiumClientSession* QuicStreamFactoryPeer::GetPendingSession(
 QuicChromiumClientSession* QuicStreamFactoryPeer::GetActiveSession(
     QuicStreamFactory* factory,
     const quic::QuicServerId& server_id,
-    const NetworkIsolationKey& network_isolation_key) {
-  QuicSessionKey session_key(server_id, SocketTag(), network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  QuicSessionKey session_key(server_id, SocketTag(), network_anonymization_key,
                              SecureDnsPolicy::kAllow,
                              /*require_dns_https_alpn=*/false);
   DCHECK(factory->HasActiveSession(session_key));
@@ -83,7 +85,7 @@ bool QuicStreamFactoryPeer::HasLiveSession(
     url::SchemeHostPort destination,
     const quic::QuicServerId& server_id) {
   QuicSessionKey session_key =
-      QuicSessionKey(server_id, SocketTag(), NetworkIsolationKey(),
+      QuicSessionKey(server_id, SocketTag(), NetworkAnonymizationKey(),
                      SecureDnsPolicy::kAllow, /*require_dns_https_alpn=*/false);
   QuicStreamFactory::QuicSessionAliasKey alias_key(std::move(destination),
                                                    session_key);
@@ -133,15 +135,15 @@ void QuicStreamFactoryPeer::SetYieldAfterDuration(
 bool QuicStreamFactoryPeer::CryptoConfigCacheIsEmpty(
     QuicStreamFactory* factory,
     const quic::QuicServerId& quic_server_id,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   return factory->CryptoConfigCacheIsEmptyForTesting(quic_server_id,
-                                                     network_isolation_key);
+                                                     network_anonymization_key);
 }
 
 void QuicStreamFactoryPeer::CacheDummyServerConfig(
     QuicStreamFactory* factory,
     const quic::QuicServerId& quic_server_id,
-    const NetworkIsolationKey& network_isolation_key) {
+    const NetworkAnonymizationKey& network_anonymization_key) {
   // Minimum SCFG that passes config validation checks.
   const char scfg[] = {// SCFG
                        0x53, 0x43, 0x46, 0x47,
@@ -168,7 +170,7 @@ void QuicStreamFactoryPeer::CacheDummyServerConfig(
   certs.emplace_back(x509_util::CryptoBufferAsStringPiece(cert->cert_buffer()));
 
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle =
-      GetCryptoConfig(factory, network_isolation_key);
+      GetCryptoConfig(factory, network_anonymization_key);
   quic::QuicCryptoClientConfig::CachedState* cached =
       crypto_config_handle->GetConfig()->LookupOrCreate(quic_server_id);
   quic::QuicChromiumClock clock;
diff --git a/chromium/net/quic/quic_stream_factory_peer.h b/chromium/net/quic/quic_stream_factory_peer.h
index 418f45a345e..1d8e45a5b24 100644
--- a/chromium/net/quic/quic_stream_factory_peer.h
+++ b/chromium/net/quic/quic_stream_factory_peer.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -13,7 +13,7 @@
 #include "base/task/sequenced_task_runner.h"
 #include "base/time/tick_clock.h"
 #include "net/base/host_port_pair.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_server_id.h"
@@ -43,12 +43,13 @@ class QuicStreamFactoryPeer {
 
   static std::unique_ptr<QuicCryptoClientConfigHandle> GetCryptoConfig(
       QuicStreamFactory* factory,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   static bool HasActiveSession(
       QuicStreamFactory* factory,
       const quic::QuicServerId& server_id,
-      const NetworkIsolationKey& network_isolation_key = NetworkIsolationKey());
+      const NetworkAnonymizationKey& network_anonymization_key =
+          NetworkAnonymizationKey());
 
   static bool HasActiveJob(QuicStreamFactory* factory,
                            const quic::QuicServerId& server_id);
@@ -61,7 +62,8 @@ class QuicStreamFactoryPeer {
   static QuicChromiumClientSession* GetActiveSession(
       QuicStreamFactory* factory,
       const quic::QuicServerId& server_id,
-      const NetworkIsolationKey& network_isolation_key = NetworkIsolationKey());
+      const NetworkAnonymizationKey& network_anonymization_key =
+          NetworkAnonymizationKey());
 
   static bool HasLiveSession(QuicStreamFactory* factory,
                              url::SchemeHostPort destination,
@@ -90,15 +92,15 @@ class QuicStreamFactoryPeer {
   static bool CryptoConfigCacheIsEmpty(
       QuicStreamFactory* factory,
       const quic::QuicServerId& quic_server_id,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   // Creates a dummy QUIC server config and caches it. Caller must be holding
   // onto a QuicCryptoClientConfigHandle for the corresponding
-  // |network_isolation_key|.
+  // |network_anonymization_key|.
   static void CacheDummyServerConfig(
       QuicStreamFactory* factory,
       const quic::QuicServerId& quic_server_id,
-      const NetworkIsolationKey& network_isolation_key);
+      const NetworkAnonymizationKey& network_anonymization_key);
 
   static int GetNumPushStreamsCreated(QuicStreamFactory* factory);
 
diff --git a/chromium/net/quic/quic_stream_factory_test.cc b/chromium/net/quic/quic_stream_factory_test.cc
index 7058c78fa4b..70c1595d763 100644
--- a/chromium/net/quic/quic_stream_factory_test.cc
+++ b/chromium/net/quic/quic_stream_factory_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -25,7 +25,7 @@
 #include "net/base/features.h"
 #include "net/base/load_flags.h"
 #include "net/base/mock_network_change_notifier.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/mock_cert_verifier.h"
@@ -306,13 +306,14 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
                                             std::move(dns_aliases));
   }
 
-  bool HasActiveSession(const url::SchemeHostPort& scheme_host_port,
-                        const NetworkIsolationKey& network_isolation_key =
-                            NetworkIsolationKey()) {
+  bool HasActiveSession(
+      const url::SchemeHostPort& scheme_host_port,
+      const NetworkAnonymizationKey& network_anonymization_key =
+          NetworkAnonymizationKey()) {
     quic::QuicServerId server_id(scheme_host_port.host(),
                                  scheme_host_port.port(), false);
     return QuicStreamFactoryPeer::HasActiveSession(factory_.get(), server_id,
-                                                   network_isolation_key);
+                                                   network_anonymization_key);
   }
 
   bool HasLiveSession(const url::SchemeHostPort& scheme_host_port) {
@@ -341,12 +342,12 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
 
   QuicChromiumClientSession* GetActiveSession(
       const url::SchemeHostPort& scheme_host_port,
-      const NetworkIsolationKey& network_isolation_key =
-          NetworkIsolationKey()) {
+      const NetworkAnonymizationKey& network_anonymization_key =
+          NetworkAnonymizationKey()) {
     quic::QuicServerId server_id(scheme_host_port.host(),
                                  scheme_host_port.port(), false);
     return QuicStreamFactoryPeer::GetActiveSession(factory_.get(), server_id,
-                                                   network_isolation_key);
+                                                   network_anonymization_key);
   }
 
   int GetSourcePortForNewSession(const url::SchemeHostPort& destination) {
@@ -372,13 +373,14 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
 
     QuicStreamRequest request(factory_.get());
     GURL url("https://" + destination.host() + "/");
-    EXPECT_EQ(ERR_IO_PENDING,
-              request.Request(
-                  destination, version_, privacy_mode_, DEFAULT_PRIORITY,
-                  SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
-                  /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
-                  /*cert_verify_flags=*/0, url, net_log_, &net_error_details_,
-                  failed_on_default_network_callback_, callback_.callback()));
+    EXPECT_EQ(
+        ERR_IO_PENDING,
+        request.Request(
+            destination, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
+            NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
+            /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
+            /*cert_verify_flags=*/0, url, net_log_, &net_error_details_,
+            failed_on_default_network_callback_, callback_.callback()));
 
     EXPECT_THAT(callback_.WaitForResult(), IsOk());
     std::unique_ptr<HttpStream> stream = CreateStream(&request);
@@ -538,13 +540,14 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
 
     // Create request and QuicHttpStream.
     QuicStreamRequest request(factory_.get());
-    EXPECT_EQ(ERR_IO_PENDING,
-              request.Request(
-                  scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                  SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
-                  /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
-                  /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
-                  failed_on_default_network_callback_, callback_.callback()));
+    EXPECT_EQ(
+        ERR_IO_PENDING,
+        request.Request(
+            scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
+            SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
+            /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
+            /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+            failed_on_default_network_callback_, callback_.callback()));
 
     EXPECT_EQ(OK, callback_.WaitForResult());
 
@@ -584,25 +587,25 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
   }
 
   // Verifies that the QUIC stream factory is initialized correctly.
-  // If |vary_network_isolation_key| is true, stores data for two different
-  // NetworkIsolationKeys, but the same server. If false, stores data for two
-  // different servers, using the same NetworkIsolationKey.
-  void VerifyInitialization(bool vary_network_isolation_key) {
+  // If |vary_network_anonymization_key| is true, stores data for two different
+  // NetworkAnonymizationKeys, but the same server. If false, stores data for
+  // two different servers, using the same NetworkAnonymizationKey.
+  void VerifyInitialization(bool vary_network_anonymization_key) {
     const SchemefulSite kSite1(GURL("https://foo.test/"));
     const SchemefulSite kSite2(GURL("https://bar.test/"));
 
-    NetworkIsolationKey network_isolation_key1(kSite1, kSite1);
+    NetworkAnonymizationKey network_anonymization_key1(kSite1, kSite1);
     quic::QuicServerId quic_server_id1(
         kDefaultServerHostName, kDefaultServerPort, PRIVACY_MODE_DISABLED);
 
-    NetworkIsolationKey network_isolation_key2;
+    NetworkAnonymizationKey network_anonymization_key2;
     quic::QuicServerId quic_server_id2;
 
-    if (vary_network_isolation_key) {
-      network_isolation_key2 = NetworkIsolationKey(kSite2, kSite2);
+    if (vary_network_anonymization_key) {
+      network_anonymization_key2 = NetworkAnonymizationKey(kSite2, kSite2);
       quic_server_id2 = quic_server_id1;
     } else {
-      network_isolation_key2 = network_isolation_key1;
+      network_anonymization_key2 = network_anonymization_key1;
       quic_server_id2 = quic::QuicServerId(kServer2HostName, kDefaultServerPort,
                                            PRIVACY_MODE_DISABLED);
     }
@@ -632,7 +635,7 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
     http_server_properties_->SetAlternativeServices(
         url::SchemeHostPort("https", quic_server_id1.host(),
                             quic_server_id1.port()),
-        network_isolation_key1, alternative_service_info_vector);
+        network_anonymization_key1, alternative_service_info_vector);
 
     const AlternativeService alternative_service2(
         kProtoQUIC, quic_server_id2.host(), quic_server_id2.port());
@@ -644,7 +647,7 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
     http_server_properties_->SetAlternativeServices(
         url::SchemeHostPort("https", quic_server_id2.host(),
                             quic_server_id2.port()),
-        network_isolation_key2, alternative_service_info_vector2);
+        network_anonymization_key2, alternative_service_info_vector2);
     // Verify that the properties of both QUIC servers are stored in the
     // HTTP properties map.
     EXPECT_EQ(2U,
@@ -655,7 +658,7 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
 
     std::unique_ptr<QuicServerInfo> quic_server_info =
         std::make_unique<PropertiesBasedQuicServerInfo>(
-            quic_server_id1, network_isolation_key1,
+            quic_server_id1, network_anonymization_key1,
             http_server_properties_.get());
 
     // Update quic_server_info's server_config and persist it.
@@ -694,7 +697,7 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
 
     std::unique_ptr<QuicServerInfo> quic_server_info2 =
         std::make_unique<PropertiesBasedQuicServerInfo>(
-            quic_server_id2, network_isolation_key2,
+            quic_server_id2, network_anonymization_key2,
             http_server_properties_.get());
     // Update quic_server_info2's server_config and persist it.
     QuicServerInfo::State* state2 = quic_server_info2->mutable_state();
@@ -758,18 +761,18 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
                   url::SchemeHostPort(url::kHttpsScheme, quic_server_id1.host(),
                                       quic_server_id1.port()),
                   version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                  network_isolation_key1, SecureDnsPolicy::kAllow,
+                  network_anonymization_key1, SecureDnsPolicy::kAllow,
                   /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                   /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                   failed_on_default_network_callback_, callback_.callback()));
     EXPECT_THAT(callback_.WaitForResult(), IsOk());
 
     EXPECT_FALSE(QuicStreamFactoryPeer::CryptoConfigCacheIsEmpty(
-        factory_.get(), quic_server_id1, network_isolation_key1));
+        factory_.get(), quic_server_id1, network_anonymization_key1));
 
     std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle1 =
         QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                               network_isolation_key1);
+                                               network_anonymization_key1);
     quic::QuicCryptoClientConfig::CachedState* cached =
         crypto_config_handle1->GetConfig()->LookupOrCreate(quic_server_id1);
     EXPECT_FALSE(cached->server_config().empty());
@@ -803,20 +806,20 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
             url::SchemeHostPort(url::kHttpsScheme, quic_server_id2.host(),
                                 quic_server_id2.port()),
             version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-            network_isolation_key2, SecureDnsPolicy::kAllow,
+            network_anonymization_key2, SecureDnsPolicy::kAllow,
             /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
             /*cert_verify_flags=*/0,
-            vary_network_isolation_key ? url_
-                                       : GURL("https://mail.example.org/"),
+            vary_network_anonymization_key ? url_
+                                           : GURL("https://mail.example.org/"),
             net_log_, &net_error_details_, failed_on_default_network_callback_,
             callback_.callback()));
     EXPECT_THAT(callback_.WaitForResult(), IsOk());
 
     EXPECT_FALSE(QuicStreamFactoryPeer::CryptoConfigCacheIsEmpty(
-        factory_.get(), quic_server_id2, network_isolation_key2));
+        factory_.get(), quic_server_id2, network_anonymization_key2));
     std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle2 =
         QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                               network_isolation_key2);
+                                               network_anonymization_key2);
     quic::QuicCryptoClientConfig::CachedState* cached2 =
         crypto_config_handle2->GetConfig()->LookupOrCreate(quic_server_id2);
     EXPECT_FALSE(cached2->server_config().empty());
@@ -995,7 +998,7 @@ TEST_P(QuicStreamFactoryTest, Create) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1010,7 +1013,7 @@ TEST_P(QuicStreamFactoryTest, Create) {
   EXPECT_EQ(OK,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1025,7 +1028,7 @@ TEST_P(QuicStreamFactoryTest, Create) {
   EXPECT_EQ(OK,
             request3.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1059,7 +1062,7 @@ TEST_P(QuicStreamFactoryTest, CreateZeroRtt) {
   EXPECT_EQ(OK,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1098,7 +1101,7 @@ TEST_P(QuicStreamFactoryTest, AsyncZeroRtt) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1131,7 +1134,7 @@ TEST_P(QuicStreamFactoryTest, DefaultInitialRtt) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1161,7 +1164,7 @@ TEST_P(QuicStreamFactoryTest, FactoryDestroyedWhenJobPending) {
   EXPECT_EQ(ERR_IO_PENDING,
             request->Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1194,7 +1197,7 @@ TEST_P(QuicStreamFactoryTest, RequireConfirmation) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1236,13 +1239,14 @@ TEST_P(QuicStreamFactoryTest, DontRequireConfirmationFromSameIP) {
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_THAT(request.Request(
-                  scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                  SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
-                  /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
-                  /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
-                  failed_on_default_network_callback_, callback_.callback()),
-              IsOk());
+  EXPECT_THAT(
+      request.Request(
+          scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
+          SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
+          /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
+          /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+          failed_on_default_network_callback_, callback_.callback()),
+      IsOk());
 
   EXPECT_FALSE(http_server_properties_->HasLastLocalAddressWhenQuicWorked());
 
@@ -1261,8 +1265,8 @@ TEST_P(QuicStreamFactoryTest, DontRequireConfirmationFromSameIP) {
 TEST_P(QuicStreamFactoryTest, CachedInitialRtt) {
   ServerNetworkStats stats;
   stats.srtt = base::Milliseconds(10);
-  http_server_properties_->SetServerNetworkStats(url::SchemeHostPort(url_),
-                                                 NetworkIsolationKey(), stats);
+  http_server_properties_->SetServerNetworkStats(
+      url::SchemeHostPort(url_), NetworkAnonymizationKey(), stats);
   quic_params_->estimate_initial_rtt = true;
 
   Initialize();
@@ -1279,7 +1283,7 @@ TEST_P(QuicStreamFactoryTest, CachedInitialRtt) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1295,19 +1299,19 @@ TEST_P(QuicStreamFactoryTest, CachedInitialRtt) {
 }
 
 // Test that QUIC sessions use the cached RTT from HttpServerProperties for the
-// correct NetworkIsolationKey.
-TEST_P(QuicStreamFactoryTest, CachedInitialRttWithNetworkIsolationKey) {
+// correct NetworkAnonymizationKey.
+TEST_P(QuicStreamFactoryTest, CachedInitialRttWithNetworkAnonymizationKey) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // QuicSessionAliasKey to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // QuicSessionAliasKey to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -1317,14 +1321,15 @@ TEST_P(QuicStreamFactoryTest, CachedInitialRttWithNetworkIsolationKey) {
 
   ServerNetworkStats stats;
   stats.srtt = base::Milliseconds(10);
-  http_server_properties_->SetServerNetworkStats(url::SchemeHostPort(url_),
-                                                 kNetworkIsolationKey1, stats);
+  http_server_properties_->SetServerNetworkStats(
+      url::SchemeHostPort(url_), kNetworkAnonymizationKey1, stats);
   quic_params_->estimate_initial_rtt = true;
   Initialize();
 
-  for (const auto& network_isolation_key :
-       {kNetworkIsolationKey1, kNetworkIsolationKey2, NetworkIsolationKey()}) {
-    SCOPED_TRACE(network_isolation_key.ToDebugString());
+  for (const auto& network_anonymization_key :
+       {kNetworkAnonymizationKey1, kNetworkAnonymizationKey2,
+        NetworkAnonymizationKey()}) {
+    SCOPED_TRACE(network_anonymization_key.ToDebugString());
 
     ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
     crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -1344,21 +1349,22 @@ TEST_P(QuicStreamFactoryTest, CachedInitialRttWithNetworkIsolationKey) {
     socket_data.AddSocketDataToFactory(socket_factory_.get());
 
     QuicStreamRequest request(factory_.get());
-    EXPECT_EQ(ERR_IO_PENDING,
-              request.Request(
-                  scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                  SocketTag(), network_isolation_key, SecureDnsPolicy::kAllow,
-                  /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
-                  /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
-                  failed_on_default_network_callback_, callback_.callback()));
+    EXPECT_EQ(
+        ERR_IO_PENDING,
+        request.Request(
+            scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
+            SocketTag(), network_anonymization_key, SecureDnsPolicy::kAllow,
+            /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
+            /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+            failed_on_default_network_callback_, callback_.callback()));
 
     EXPECT_THAT(callback_.WaitForResult(), IsOk());
     std::unique_ptr<HttpStream> stream = CreateStream(&request);
     EXPECT_TRUE(stream.get());
 
     QuicChromiumClientSession* session =
-        GetActiveSession(scheme_host_port_, network_isolation_key);
-    if (network_isolation_key == kNetworkIsolationKey1) {
+        GetActiveSession(scheme_host_port_, network_anonymization_key);
+    if (network_anonymization_key == kNetworkAnonymizationKey1) {
       EXPECT_EQ(10000, session->connection()->GetStats().srtt_us);
       ASSERT_TRUE(session->config()->HasInitialRoundTripTimeUsToSend());
       EXPECT_EQ(10000u, session->config()->GetInitialRoundTripTimeUsToSend());
@@ -1390,7 +1396,7 @@ TEST_P(QuicStreamFactoryTest, 2gInitialRtt) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1425,7 +1431,7 @@ TEST_P(QuicStreamFactoryTest, 3gInitialRtt) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1455,7 +1461,7 @@ TEST_P(QuicStreamFactoryTest, GoAway) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1498,7 +1504,7 @@ TEST_P(QuicStreamFactoryTest, GoAwayForConnectionMigrationWithPortOnly) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1527,22 +1533,23 @@ TEST_P(QuicStreamFactoryTest, GoAwayForConnectionMigrationWithPortOnly) {
 }
 
 // Makes sure that setting and clearing ServerNetworkStats respects the
-// NetworkIsolationKey.
-TEST_P(QuicStreamFactoryTest, ServerNetworkStatsWithNetworkIsolationKey) {
+// NetworkAnonymizationKey.
+TEST_P(QuicStreamFactoryTest, ServerNetworkStatsWithNetworkAnonymizationKey) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
-  const NetworkIsolationKey kNetworkIsolationKeys[] = {
-      kNetworkIsolationKey1, kNetworkIsolationKey2, NetworkIsolationKey()};
+  const NetworkAnonymizationKey kNetworkAnonymizationKeys[] = {
+      kNetworkAnonymizationKey1, kNetworkAnonymizationKey2,
+      NetworkAnonymizationKey()};
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // QuicSessionAliasKey to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // QuicSessionAliasKey to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -1553,8 +1560,8 @@ TEST_P(QuicStreamFactoryTest, ServerNetworkStatsWithNetworkIsolationKey) {
 
   // For each server, set up and tear down a QUIC session cleanly, and check
   // that stats have been added to HttpServerProperties using the correct
-  // NetworkIsolationKey.
-  for (size_t i = 0; i < std::size(kNetworkIsolationKeys); ++i) {
+  // NetworkAnonymizationKey.
+  for (size_t i = 0; i < std::size(kNetworkAnonymizationKeys); ++i) {
     SCOPED_TRACE(i);
 
     ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -1579,7 +1586,7 @@ TEST_P(QuicStreamFactoryTest, ServerNetworkStatsWithNetworkIsolationKey) {
         ERR_IO_PENDING,
         request.Request(
             scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-            SocketTag(), kNetworkIsolationKeys[i], SecureDnsPolicy::kAllow,
+            SocketTag(), kNetworkAnonymizationKeys[i], SecureDnsPolicy::kAllow,
             /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
             /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
             failed_on_default_network_callback_, callback_.callback()));
@@ -1589,7 +1596,7 @@ TEST_P(QuicStreamFactoryTest, ServerNetworkStatsWithNetworkIsolationKey) {
     EXPECT_TRUE(stream.get());
 
     QuicChromiumClientSession* session =
-        GetActiveSession(scheme_host_port_, kNetworkIsolationKeys[i]);
+        GetActiveSession(scheme_host_port_, kNetworkAnonymizationKeys[i]);
 
     if (version_.UsesHttp3()) {
       session->OnHttp3GoAway(0);
@@ -1597,20 +1604,21 @@ TEST_P(QuicStreamFactoryTest, ServerNetworkStatsWithNetworkIsolationKey) {
       session->OnGoAway(quic::QuicGoAwayFrame());
     }
 
-    EXPECT_FALSE(HasActiveSession(scheme_host_port_, kNetworkIsolationKeys[i]));
+    EXPECT_FALSE(
+        HasActiveSession(scheme_host_port_, kNetworkAnonymizationKeys[i]));
 
     EXPECT_TRUE(socket_data.AllReadDataConsumed());
     EXPECT_TRUE(socket_data.AllWriteDataConsumed());
 
-    for (size_t j = 0; j < std::size(kNetworkIsolationKeys); ++j) {
-      // Stats up to kNetworkIsolationKeys[j] should have been populated, all
-      // others should remain empty.
+    for (size_t j = 0; j < std::size(kNetworkAnonymizationKeys); ++j) {
+      // Stats up to kNetworkAnonymizationKeys[j] should have been populated,
+      // all others should remain empty.
       if (j <= i) {
         EXPECT_TRUE(http_server_properties_->GetServerNetworkStats(
-            url::SchemeHostPort(url_), kNetworkIsolationKeys[j]));
+            url::SchemeHostPort(url_), kNetworkAnonymizationKeys[j]));
       } else {
         EXPECT_FALSE(http_server_properties_->GetServerNetworkStats(
-            url::SchemeHostPort(url_), kNetworkIsolationKeys[j]));
+            url::SchemeHostPort(url_), kNetworkAnonymizationKeys[j]));
       }
     }
   }
@@ -1622,8 +1630,8 @@ TEST_P(QuicStreamFactoryTest, ServerNetworkStatsWithNetworkIsolationKey) {
 
   // For each server, simulate an error during session creation, and check that
   // stats have been deleted from HttpServerProperties using the correct
-  // NetworkIsolationKey.
-  for (size_t i = 0; i < std::size(kNetworkIsolationKeys); ++i) {
+  // NetworkAnonymizationKey.
+  for (size_t i = 0; i < std::size(kNetworkAnonymizationKeys); ++i) {
     SCOPED_TRACE(i);
 
     MockQuicData socket_data(version_);
@@ -1637,24 +1645,25 @@ TEST_P(QuicStreamFactoryTest, ServerNetworkStatsWithNetworkIsolationKey) {
         ERR_IO_PENDING,
         request.Request(
             scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-            SocketTag(), kNetworkIsolationKeys[i], SecureDnsPolicy::kAllow,
+            SocketTag(), kNetworkAnonymizationKeys[i], SecureDnsPolicy::kAllow,
             /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
             /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
             failed_on_default_network_callback_, callback_.callback()));
 
     EXPECT_THAT(callback_.WaitForResult(), IsError(ERR_QUIC_HANDSHAKE_FAILED));
 
-    EXPECT_FALSE(HasActiveSession(scheme_host_port_, kNetworkIsolationKeys[i]));
+    EXPECT_FALSE(
+        HasActiveSession(scheme_host_port_, kNetworkAnonymizationKeys[i]));
 
-    for (size_t j = 0; j < std::size(kNetworkIsolationKeys); ++j) {
-      // Stats up to kNetworkIsolationKeys[j] should have been deleted, all
+    for (size_t j = 0; j < std::size(kNetworkAnonymizationKeys); ++j) {
+      // Stats up to kNetworkAnonymizationKeys[j] should have been deleted, all
       // others should still be populated.
       if (j <= i) {
         EXPECT_FALSE(http_server_properties_->GetServerNetworkStats(
-            url::SchemeHostPort(url_), kNetworkIsolationKeys[j]));
+            url::SchemeHostPort(url_), kNetworkAnonymizationKeys[j]));
       } else {
         EXPECT_TRUE(http_server_properties_->GetServerNetworkStats(
-            url::SchemeHostPort(url_), kNetworkIsolationKeys[j]));
+            url::SchemeHostPort(url_), kNetworkAnonymizationKeys[j]));
       }
     }
   }
@@ -1682,7 +1691,7 @@ TEST_P(QuicStreamFactoryTest, Pooling) {
   EXPECT_EQ(OK,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1694,7 +1703,7 @@ TEST_P(QuicStreamFactoryTest, Pooling) {
   EXPECT_EQ(OK,
             request2.Request(
                 server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback.callback()));
@@ -1758,7 +1767,7 @@ TEST_P(QuicStreamFactoryTest, PoolingWithServerMigration) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback.callback()));
@@ -1804,7 +1813,7 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
   EXPECT_EQ(OK,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1816,7 +1825,7 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
   EXPECT_EQ(OK,
             request2.Request(
                 server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback.callback()));
@@ -1832,7 +1841,7 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
   EXPECT_EQ(OK,
             request3.Request(
                 server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback3.callback()));
@@ -1870,7 +1879,7 @@ TEST_P(QuicStreamFactoryTest, HttpsPooling) {
   EXPECT_EQ(OK,
             request.Request(
                 server1, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1882,7 +1891,7 @@ TEST_P(QuicStreamFactoryTest, HttpsPooling) {
   EXPECT_EQ(OK,
             request2.Request(
                 server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1923,7 +1932,7 @@ TEST_P(QuicStreamFactoryTest, HttpsPoolingWithMatchingPins) {
   EXPECT_EQ(OK,
             request.Request(
                 server1, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1935,7 +1944,7 @@ TEST_P(QuicStreamFactoryTest, HttpsPoolingWithMatchingPins) {
   EXPECT_EQ(OK,
             request2.Request(
                 server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -1993,7 +2002,7 @@ TEST_P(QuicStreamFactoryTest, NoHttpsPoolingWithDifferentPins) {
   EXPECT_EQ(OK,
             request.Request(
                 server1, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2005,7 +2014,7 @@ TEST_P(QuicStreamFactoryTest, NoHttpsPoolingWithDifferentPins) {
   EXPECT_EQ(OK,
             request2.Request(
                 server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2042,7 +2051,7 @@ TEST_P(QuicStreamFactoryTest, Goaway) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2065,7 +2074,7 @@ TEST_P(QuicStreamFactoryTest, Goaway) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2139,7 +2148,7 @@ TEST_P(QuicStreamFactoryTest, MaxOpenStream) {
     QuicStreamRequest request(factory_.get());
     int rv = request.Request(
         scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-        SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+        SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
         /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
         /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
         failed_on_default_network_callback_, callback_.callback());
@@ -2161,7 +2170,7 @@ TEST_P(QuicStreamFactoryTest, MaxOpenStream) {
   EXPECT_EQ(OK,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, CompletionOnceCallback()));
@@ -2202,7 +2211,7 @@ TEST_P(QuicStreamFactoryTest, ResolutionErrorInCreate) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2224,7 +2233,7 @@ TEST_P(QuicStreamFactoryTest, ConnectErrorInCreate) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2244,13 +2253,14 @@ TEST_P(QuicStreamFactoryTest, CancelCreate) {
   socket_data.AddSocketDataToFactory(socket_factory_.get());
   {
     QuicStreamRequest request(factory_.get());
-    EXPECT_EQ(ERR_IO_PENDING,
-              request.Request(
-                  scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                  SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
-                  /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
-                  /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
-                  failed_on_default_network_callback_, callback_.callback()));
+    EXPECT_EQ(
+        ERR_IO_PENDING,
+        request.Request(
+            scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
+            SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
+            /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
+            /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+            failed_on_default_network_callback_, callback_.callback()));
   }
 
   base::RunLoop().RunUntilIdle();
@@ -2259,7 +2269,7 @@ TEST_P(QuicStreamFactoryTest, CancelCreate) {
   EXPECT_EQ(OK,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2302,7 +2312,7 @@ TEST_P(QuicStreamFactoryTest, CloseAllSessions) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2329,7 +2339,7 @@ TEST_P(QuicStreamFactoryTest, CloseAllSessions) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2366,7 +2376,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2390,7 +2400,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2436,7 +2446,7 @@ TEST_P(QuicStreamFactoryTest, WriteErrorInCryptoConnectWithSyncHostResolution) {
   EXPECT_EQ(ERR_QUIC_HANDSHAKE_FAILED,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2460,7 +2470,7 @@ TEST_P(QuicStreamFactoryTest, WriteErrorInCryptoConnectWithSyncHostResolution) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2515,7 +2525,7 @@ TEST_P(QuicStreamFactoryTest, CloseSessionsOnIPAddressChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2551,7 +2561,7 @@ TEST_P(QuicStreamFactoryTest, CloseSessionsOnIPAddressChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2613,7 +2623,7 @@ TEST_P(QuicStreamFactoryTest, GoAwaySessionsOnIPAddressChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2661,7 +2671,7 @@ TEST_P(QuicStreamFactoryTest, GoAwaySessionsOnIPAddressChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2710,7 +2720,7 @@ TEST_P(QuicStreamFactoryTest, OnIPAddressChangedWithConnectionMigration) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2736,7 +2746,7 @@ TEST_P(QuicStreamFactoryTest, OnIPAddressChangedWithConnectionMigration) {
   EXPECT_EQ(OK,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2828,7 +2838,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnNetworkMadeDefault(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -2992,7 +3002,7 @@ TEST_P(QuicStreamFactoryTest, MigratedToBlockedSocketAfterProbing) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -3103,7 +3113,7 @@ TEST_P(QuicStreamFactoryTest, MigrationTimeoutWithNoNewNetwork) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -3235,7 +3245,7 @@ void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNonMigratableStream(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -3314,7 +3324,7 @@ TEST_P(QuicStreamFactoryTest, OnNetworkMadeDefaultConnectionMigrationDisabled) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -3435,7 +3445,7 @@ void QuicStreamFactoryTestBase::TestOnNetworkDisconnectedNonMigratableStream(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -3504,7 +3514,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -3606,7 +3616,7 @@ void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNoOpenStreams(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -3690,7 +3700,7 @@ void QuicStreamFactoryTestBase::TestOnNetworkDisconnectedNoOpenStreams(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -3766,7 +3776,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnNetworkDisconnected(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -3906,7 +3916,7 @@ TEST_P(QuicStreamFactoryTest, NewNetworkConnectedAfterNoNetwork) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -4100,7 +4110,7 @@ TEST_P(QuicStreamFactoryTest, MigrateToProbingSocket) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -4269,7 +4279,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnPathDegrading(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -4425,7 +4435,7 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionEarlyProbingWriterError) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -4566,7 +4576,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -4695,7 +4705,7 @@ TEST_P(QuicStreamFactoryTest, PortMigrationDisabledOnPathDegrading) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -4819,7 +4829,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -5011,7 +5021,7 @@ void QuicStreamFactoryTestBase::TestSimplePortMigrationOnPathDegrading() {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -5151,7 +5161,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -5378,7 +5388,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -5532,7 +5542,7 @@ TEST_P(QuicStreamFactoryTest, DoNotMigrateToBadSocketOnPathDegrading) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -5681,7 +5691,7 @@ void QuicStreamFactoryTestBase::TestMigrateSessionWithDrainingStream(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -5834,7 +5844,7 @@ TEST_P(QuicStreamFactoryTest, MigrateOnNewNetworkConnectAfterPathDegrading) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -5966,7 +5976,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(OK,
             request1.Request(
                 server1, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -5978,7 +5988,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(OK,
             request2.Request(
                 server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -6100,7 +6110,7 @@ TEST_P(QuicStreamFactoryTest, MigrateOnPathDegradingWithNoNewNetwork) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -6241,7 +6251,7 @@ void QuicStreamFactoryTestBase::TestMigrateSessionEarlyNonMigratableStream(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -6321,7 +6331,7 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionEarlyConnectionMigrationDisabled) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -6458,7 +6468,7 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionOnAsyncWriteError) {
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -6481,7 +6491,7 @@ TEST_P(QuicStreamFactoryTest, MigrateSessionOnAsyncWriteError) {
   EXPECT_EQ(OK,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
@@ -6625,7 +6635,7 @@ TEST_P(QuicStreamFactoryTest, MigrateBackToDefaultPostMigrationOnWriteError) {
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -6767,7 +6777,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -6834,7 +6844,7 @@ void QuicStreamFactoryTestBase::TestNoAlternateNetworkBeforeHandshake(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -6978,7 +6988,7 @@ void QuicStreamFactoryTestBase::
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -7090,7 +7100,7 @@ TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -7114,7 +7124,7 @@ TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -7204,7 +7214,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -7279,7 +7289,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteError(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -7405,7 +7415,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorNoNewNetwork(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -7577,7 +7587,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorWithMultipleRequests(
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -7600,7 +7610,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorWithMultipleRequests(
   EXPECT_EQ(OK,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
@@ -7737,7 +7747,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams(
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -7760,7 +7770,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams(
   EXPECT_EQ(OK,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
@@ -7905,7 +7915,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams2(
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -7928,7 +7938,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMixedStreams2(
   EXPECT_EQ(OK,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
@@ -8054,7 +8064,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorNonMigratableStream(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -8145,7 +8155,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorMigrationDisabled(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -8255,7 +8265,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnMultipleWriteErrors(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -8349,7 +8359,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -8392,7 +8402,7 @@ void QuicStreamFactoryTestBase::
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -8557,7 +8567,7 @@ void QuicStreamFactoryTestBase::
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -8728,7 +8738,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorPauseBeforeConnected(
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -8889,7 +8899,7 @@ TEST_P(QuicStreamFactoryTest, IgnoreWriteErrorFromOldWriterAfterMigration) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -9013,7 +9023,7 @@ TEST_P(QuicStreamFactoryTest, IgnoreReadErrorFromOldReaderAfterMigration) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -9150,7 +9160,7 @@ TEST_P(QuicStreamFactoryTest, IgnoreReadErrorOnOldReaderDuringMigration) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -9358,7 +9368,7 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -9527,7 +9537,7 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -9665,7 +9675,7 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeout) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -9734,8 +9744,8 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
   // default value of retransmittable-on-wire-ping timeout.
   ServerNetworkStats stats;
   stats.srtt = base::Milliseconds(200);
-  http_server_properties_->SetServerNetworkStats(url::SchemeHostPort(url_),
-                                                 NetworkIsolationKey(), stats);
+  http_server_properties_->SetServerNetworkStats(
+      url::SchemeHostPort(url_), NetworkAnonymizationKey(), stats);
   quic_params_->estimate_initial_rtt = true;
 
   Initialize();
@@ -9798,7 +9808,7 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -9931,7 +9941,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -10003,8 +10013,8 @@ TEST_P(QuicStreamFactoryTest,
   // default value of retransmittable-on-wire-ping timeout.
   ServerNetworkStats stats;
   stats.srtt = base::Milliseconds(200);
-  http_server_properties_->SetServerNetworkStats(url::SchemeHostPort(url_),
-                                                 NetworkIsolationKey(), stats);
+  http_server_properties_->SetServerNetworkStats(
+      url::SchemeHostPort(url_), NetworkAnonymizationKey(), stats);
   quic_params_->estimate_initial_rtt = true;
   quic_params_->migrate_sessions_on_network_change_v2 = true;
   Initialize();
@@ -10064,7 +10074,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -10158,7 +10168,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -10315,7 +10325,7 @@ void QuicStreamFactoryTestBase::
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -10433,7 +10443,7 @@ void QuicStreamFactoryTestBase::
   EXPECT_EQ(OK,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -10620,7 +10630,7 @@ TEST_P(QuicStreamFactoryTest, DefaultIdleMigrationPeriod) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -10816,7 +10826,7 @@ TEST_P(QuicStreamFactoryTest, CustomIdleMigrationPeriod) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -10906,7 +10916,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigration) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -11068,7 +11078,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationNonMigratableStream) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -11226,7 +11236,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationIPv6ToIPv4Fails) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -11310,7 +11320,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationIPv4ToIPv6Fails) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -11372,7 +11382,7 @@ TEST_P(QuicStreamFactoryTest, OnCertDBChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -11396,7 +11406,7 @@ TEST_P(QuicStreamFactoryTest, OnCertDBChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -11437,7 +11447,7 @@ TEST_P(QuicStreamFactoryTest, SharedCryptoConfig) {
     // QuicCryptoClientConfig alive.
     std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle =
         QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                               NetworkIsolationKey());
+                                               NetworkAnonymizationKey());
     quic::QuicServerId server_id1(scheme_host_port1.host(),
                                   scheme_host_port1.port(), privacy_mode_);
     quic::QuicCryptoClientConfig::CachedState* cached1 =
@@ -11477,7 +11487,7 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigWhenProofIsInvalid) {
     // QuicCryptoClientConfig alive.
     std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle =
         QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                               NetworkIsolationKey());
+                                               NetworkAnonymizationKey());
     quic::QuicServerId server_id1(scheme_host_port1.host(),
                                   scheme_host_port1.port(), privacy_mode_);
     quic::QuicCryptoClientConfig::CachedState* cached1 =
@@ -11526,7 +11536,7 @@ TEST_P(QuicStreamFactoryTest, EnableNotLoadFromDiskCache) {
   EXPECT_EQ(OK,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -11581,7 +11591,7 @@ TEST_P(QuicStreamFactoryTest, ReducePingTimeoutOnConnectionTimeOutOpenStreams) {
   EXPECT_EQ(OK,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -11619,7 +11629,7 @@ TEST_P(QuicStreamFactoryTest, ReducePingTimeoutOnConnectionTimeOutOpenStreams) {
   EXPECT_EQ(OK,
             request2.Request(
                 server2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
@@ -11646,16 +11656,16 @@ TEST_P(QuicStreamFactoryTest, ReducePingTimeoutOnConnectionTimeOutOpenStreams) {
 
 // Verifies that the QUIC stream factory is initialized correctly.
 TEST_P(QuicStreamFactoryTest, MaybeInitialize) {
-  VerifyInitialization(false /* vary_network_isolation_key */);
+  VerifyInitialization(false /* vary_network_anonymization_key */);
 }
 
-TEST_P(QuicStreamFactoryTest, MaybeInitializeWithNetworkIsolationKey) {
+TEST_P(QuicStreamFactoryTest, MaybeInitializeWithNetworkAnonymizationKey) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // QuicSessionAliasKey to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // QuicSessionAliasKey to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -11663,11 +11673,11 @@ TEST_P(QuicStreamFactoryTest, MaybeInitializeWithNetworkIsolationKey) {
   // one.
   http_server_properties_ = std::make_unique<HttpServerProperties>();
 
-  VerifyInitialization(true /* vary_network_isolation_key */);
+  VerifyInitialization(true /* vary_network_anonymization_key */);
 }
 
-// Without NetworkIsolationKeys enabled for HttpServerProperties, there should
-// only be one global CryptoCache.
+// Without NetworkAnonymizationKeys enabled for HttpServerProperties, there
+// should only be one global CryptoCache.
 TEST_P(QuicStreamFactoryTest, CryptoConfigCache) {
   const char kUserAgentId[] = "spoon";
 
@@ -11679,48 +11689,48 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigCache) {
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey});
 
   const SchemefulSite kSite1(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
 
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   const SchemefulSite kSite3(GURL("https://baz.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey3(kSite3, kSite3);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey3(kSite3, kSite3);
 
   Initialize();
 
-  // Create a QuicCryptoClientConfigHandle for kNetworkIsolationKey1, and set
-  // the user agent.
+  // Create a QuicCryptoClientConfigHandle for kNetworkAnonymizationKey1, and
+  // set the user agent.
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle1 =
       QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                             kNetworkIsolationKey1);
+                                             kNetworkAnonymizationKey1);
   crypto_config_handle1->GetConfig()->set_user_agent_id(kUserAgentId);
   EXPECT_EQ(kUserAgentId, crypto_config_handle1->GetConfig()->user_agent_id());
 
-  // Create another crypto config handle using a different NetworkIsolationKey
-  // while the first one is still alive should return the same config, with the
-  // user agent that was just set.
+  // Create another crypto config handle using a different
+  // NetworkAnonymizationKey while the first one is still alive should return
+  // the same config, with the user agent that was just set.
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle2 =
       QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                             kNetworkIsolationKey2);
+                                             kNetworkAnonymizationKey2);
   EXPECT_EQ(kUserAgentId, crypto_config_handle2->GetConfig()->user_agent_id());
 
   // Destroying both handles and creating a new one with yet another
-  // NetworkIsolationKey should again return the same config.
+  // NetworkAnonymizationKey should again return the same config.
   crypto_config_handle1.reset();
   crypto_config_handle2.reset();
 
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle3 =
       QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                             kNetworkIsolationKey3);
+                                             kNetworkAnonymizationKey3);
   EXPECT_EQ(kUserAgentId, crypto_config_handle3->GetConfig()->user_agent_id());
 }
 
-// With different NetworkIsolationKeys enabled for HttpServerProperties, there
-// should only be one global CryptoCache per NetworkIsolationKey.
+// With different NetworkAnonymizationKeys enabled for HttpServerProperties,
+// there should only be one global CryptoCache per NetworkAnonymizationKey.
 // TODO(https://crbug.com/1335453): The test is flaky.
 TEST_P(QuicStreamFactoryTest,
-       DISABLED_CryptoConfigCacheWithNetworkIsolationKey) {
+       DISABLED_CryptoConfigCacheWithNetworkAnonymizationKey) {
   const char kUserAgentId1[] = "spoon";
   const char kUserAgentId2[] = "fork";
   const char kUserAgentId3[] = "another spoon";
@@ -11729,36 +11739,37 @@ TEST_P(QuicStreamFactoryTest,
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // QuicSessionAliasKey to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // QuicSessionAliasKey to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
 
   const SchemefulSite kSite1(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
 
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
 
   const SchemefulSite kSite3(GURL("https://baz.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey3(kSite3, kSite3);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey3(kSite3, kSite3);
 
   Initialize();
 
-  // Create a QuicCryptoClientConfigHandle for kNetworkIsolationKey1, and set
-  // the user agent.
+  // Create a QuicCryptoClientConfigHandle for kNetworkAnonymizationKey1, and
+  // set the user agent.
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle1 =
       QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                             kNetworkIsolationKey1);
+                                             kNetworkAnonymizationKey1);
   crypto_config_handle1->GetConfig()->set_user_agent_id(kUserAgentId1);
   EXPECT_EQ(kUserAgentId1, crypto_config_handle1->GetConfig()->user_agent_id());
 
-  // Create another crypto config handle using a different NetworkIsolationKey
-  // while the first one is still alive should return a different config.
+  // Create another crypto config handle using a different
+  // NetworkAnonymizationKey while the first one is still alive should return a
+  // different config.
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle2 =
       QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                             kNetworkIsolationKey2);
+                                             kNetworkAnonymizationKey2);
   EXPECT_EQ("", crypto_config_handle2->GetConfig()->user_agent_id());
   crypto_config_handle2->GetConfig()->set_user_agent_id(kUserAgentId2);
   EXPECT_EQ(kUserAgentId1, crypto_config_handle1->GetConfig()->user_agent_id());
@@ -11768,17 +11779,17 @@ TEST_P(QuicStreamFactoryTest,
   // should result in getting the same CryptoConfigs.
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle1_2 =
       QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                             kNetworkIsolationKey1);
+                                             kNetworkAnonymizationKey1);
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle2_2 =
       QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                             kNetworkIsolationKey2);
+                                             kNetworkAnonymizationKey2);
   EXPECT_EQ(kUserAgentId1,
             crypto_config_handle1_2->GetConfig()->user_agent_id());
   EXPECT_EQ(kUserAgentId2,
             crypto_config_handle2_2->GetConfig()->user_agent_id());
 
   // Destroying all handles and creating a new one with yet another
-  // NetworkIsolationKey return yet another config.
+  // NetworkAnonymizationKey return yet another config.
   crypto_config_handle1.reset();
   crypto_config_handle2.reset();
   crypto_config_handle1_2.reset();
@@ -11786,7 +11797,7 @@ TEST_P(QuicStreamFactoryTest,
 
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle3 =
       QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                             kNetworkIsolationKey3);
+                                             kNetworkAnonymizationKey3);
   EXPECT_EQ("", crypto_config_handle3->GetConfig()->user_agent_id());
   crypto_config_handle3->GetConfig()->set_user_agent_id(kUserAgentId3);
   EXPECT_EQ(kUserAgentId3, crypto_config_handle3->GetConfig()->user_agent_id());
@@ -11795,26 +11806,26 @@ TEST_P(QuicStreamFactoryTest,
   // The old CryptoConfigs should be recovered when creating handles with the
   // same NIKs as before.
   crypto_config_handle2 = QuicStreamFactoryPeer::GetCryptoConfig(
-      factory_.get(), kNetworkIsolationKey2);
+      factory_.get(), kNetworkAnonymizationKey2);
   crypto_config_handle1 = QuicStreamFactoryPeer::GetCryptoConfig(
-      factory_.get(), kNetworkIsolationKey1);
+      factory_.get(), kNetworkAnonymizationKey1);
   crypto_config_handle3 = QuicStreamFactoryPeer::GetCryptoConfig(
-      factory_.get(), kNetworkIsolationKey3);
+      factory_.get(), kNetworkAnonymizationKey3);
   EXPECT_EQ(kUserAgentId1, crypto_config_handle1->GetConfig()->user_agent_id());
   EXPECT_EQ(kUserAgentId2, crypto_config_handle2->GetConfig()->user_agent_id());
   EXPECT_EQ(kUserAgentId3, crypto_config_handle3->GetConfig()->user_agent_id());
 }
 
 // Makes Verifies MRU behavior of the crypto config caches. Without
-// NetworkIsolationKeys enabled, behavior is uninteresting, since there's only
-// one cache, so nothing is ever evicted.
-TEST_P(QuicStreamFactoryTest, CryptoConfigCacheMRUWithNetworkIsolationKey) {
+// NetworkAnonymizationKeys enabled, behavior is uninteresting, since there's
+// only one cache, so nothing is ever evicted.
+TEST_P(QuicStreamFactoryTest, CryptoConfigCacheMRUWithNetworkAnonymizationKey) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // QuicSessionAliasKey to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // QuicSessionAliasKey to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -11827,14 +11838,14 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigCacheMRUWithNetworkIsolationKey) {
   // and keeping the handles alives.
   std::vector<std::unique_ptr<QuicCryptoClientConfigHandle>>
       crypto_config_handles;
-  std::vector<NetworkIsolationKey> network_isolation_keys;
+  std::vector<NetworkAnonymizationKey> network_anonymization_keys;
   for (int i = 0; i < kNumSessionsToMake; ++i) {
     SchemefulSite site(GURL(base::StringPrintf("https://foo%i.test/", i)));
-    network_isolation_keys.emplace_back(site, site);
+    network_anonymization_keys.emplace_back(site, site);
 
     std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle =
         QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                               network_isolation_keys[i]);
+                                               network_anonymization_keys[i]);
     crypto_config_handle->GetConfig()->set_user_agent_id(
         base::NumberToString(i));
     crypto_config_handles.emplace_back(std::move(crypto_config_handle));
@@ -11849,7 +11860,7 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigCacheMRUWithNetworkIsolationKey) {
     // A new handle for the same NIK returns the same crypto config.
     std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle =
         QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                               network_isolation_keys[i]);
+                                               network_anonymization_keys[i]);
     EXPECT_EQ(base::NumberToString(i),
               crypto_config_handle->GetConfig()->user_agent_id());
   }
@@ -11867,7 +11878,7 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigCacheMRUWithNetworkIsolationKey) {
     // evicted. Otherwise, it will return the same one.
     std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle =
         QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                               network_isolation_keys[i]);
+                                               network_anonymization_keys[i]);
     if (kNumSessionsToMake - i > kNumSessionsToMake) {
       EXPECT_EQ("", crypto_config_handle->GetConfig()->user_agent_id());
     } else {
@@ -11880,15 +11891,15 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigCacheMRUWithNetworkIsolationKey) {
 // Similar to above test, but uses real requests, and doesn't keep Handles
 // around, so evictions happen immediately.
 TEST_P(QuicStreamFactoryTest,
-       CryptoConfigCacheMRUWithRealRequestsAndWithNetworkIsolationKey) {
+       CryptoConfigCacheMRUWithRealRequestsAndWithNetworkAnonymizationKey) {
   const int kNumSessionsToMake = kMaxRecentCryptoConfigs + 5;
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // QuicSessionAliasKey to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // QuicSessionAliasKey to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -11896,10 +11907,10 @@ TEST_P(QuicStreamFactoryTest,
   // one.
   http_server_properties_ = std::make_unique<HttpServerProperties>();
 
-  std::vector<NetworkIsolationKey> network_isolation_keys;
+  std::vector<NetworkAnonymizationKey> network_anonymization_keys;
   for (int i = 0; i < kNumSessionsToMake; ++i) {
     SchemefulSite site(GURL(base::StringPrintf("https://foo%i.test/", i)));
-    network_isolation_keys.emplace_back(site, site);
+    network_anonymization_keys.emplace_back(site, site);
   }
 
   const quic::QuicServerId kQuicServerId(
@@ -11930,7 +11941,7 @@ TEST_P(QuicStreamFactoryTest,
         AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
             alternative_service1, expiration, {version_}));
     http_server_properties_->SetAlternativeServices(
-        url::SchemeHostPort(url_), network_isolation_keys[i],
+        url::SchemeHostPort(url_), network_anonymization_keys[i],
         alternative_service_info_vector);
 
     http_server_properties_->SetMaxServerConfigsStoredInProperties(
@@ -11938,7 +11949,7 @@ TEST_P(QuicStreamFactoryTest,
 
     std::unique_ptr<QuicServerInfo> quic_server_info =
         std::make_unique<PropertiesBasedQuicServerInfo>(
-            kQuicServerId, network_isolation_keys[i],
+            kQuicServerId, network_anonymization_keys[i],
             http_server_properties_.get());
 
     // Update quic_server_info's server_config and persist it.
@@ -11991,7 +12002,7 @@ TEST_P(QuicStreamFactoryTest,
         url::SchemeHostPort(url::kHttpsScheme, kDefaultServerHostName,
                             kDefaultServerPort),
         version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-        network_isolation_keys[i], SecureDnsPolicy::kAllow,
+        network_anonymization_keys[i], SecureDnsPolicy::kAllow,
         /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
         /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
         failed_on_default_network_callback_, callback_.callback());
@@ -12002,9 +12013,10 @@ TEST_P(QuicStreamFactoryTest,
     // don't count towards the limit.
     for (int j = 0; j < kNumSessionsToMake; ++j) {
       SCOPED_TRACE(j);
-      EXPECT_EQ(i - (kMaxRecentCryptoConfigs + 1) < j && j <= i,
-                !QuicStreamFactoryPeer::CryptoConfigCacheIsEmpty(
-                    factory_.get(), kQuicServerId, network_isolation_keys[j]));
+      EXPECT_EQ(
+          i - (kMaxRecentCryptoConfigs + 1) < j && j <= i,
+          !QuicStreamFactoryPeer::CryptoConfigCacheIsEmpty(
+              factory_.get(), kQuicServerId, network_anonymization_keys[j]));
     }
 
     // Close the sessions, which should cause its CryptoConfigCache to be moved
@@ -12015,9 +12027,10 @@ TEST_P(QuicStreamFactoryTest,
     // CryptoConfigCaches
     for (int j = 0; j < kNumSessionsToMake; ++j) {
       SCOPED_TRACE(j);
-      EXPECT_EQ(i - kMaxRecentCryptoConfigs < j && j <= i,
-                !QuicStreamFactoryPeer::CryptoConfigCacheIsEmpty(
-                    factory_.get(), kQuicServerId, network_isolation_keys[j]));
+      EXPECT_EQ(
+          i - kMaxRecentCryptoConfigs < j && j <= i,
+          !QuicStreamFactoryPeer::CryptoConfigCacheIsEmpty(
+              factory_.get(), kQuicServerId, network_anonymization_keys[j]));
     }
   }
 }
@@ -12053,7 +12066,7 @@ TEST_P(QuicStreamFactoryTest, YieldAfterPackets) {
   EXPECT_EQ(OK,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12106,7 +12119,7 @@ TEST_P(QuicStreamFactoryTest, YieldAfterDuration) {
   EXPECT_EQ(OK,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12142,7 +12155,7 @@ TEST_P(QuicStreamFactoryTest, ServerPushSessionAffinity) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12165,7 +12178,7 @@ TEST_P(QuicStreamFactoryTest, ServerPushSessionAffinity) {
   EXPECT_EQ(OK,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12197,7 +12210,7 @@ TEST_P(QuicStreamFactoryTest, ServerPushPrivacyModeMismatch) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12226,7 +12239,7 @@ TEST_P(QuicStreamFactoryTest, ServerPushPrivacyModeMismatch) {
       ERR_IO_PENDING,
       request2.Request(
           scheme_host_port_, version_, PRIVACY_MODE_ENABLED, DEFAULT_PRIORITY,
-          SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+          SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
           /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
           /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
           failed_on_default_network_callback_, callback_.callback()));
@@ -12245,13 +12258,13 @@ TEST_P(QuicStreamFactoryTest, ServerPushPrivacyModeMismatch) {
   EXPECT_TRUE(socket_data2.AllWriteDataConsumed());
 }
 
-TEST_P(QuicStreamFactoryTest, ServerPushNetworkIsolationKeyMismatch) {
+TEST_P(QuicStreamFactoryTest, ServerPushNetworkAnonymizationKeyMismatch) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // QuicSessionAliasKey to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // QuicSessionAliasKey to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -12279,7 +12292,7 @@ TEST_P(QuicStreamFactoryTest, ServerPushNetworkIsolationKeyMismatch) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12302,16 +12315,17 @@ TEST_P(QuicStreamFactoryTest, ServerPushNetworkIsolationKeyMismatch) {
   EXPECT_EQ(index->GetPromised(kDefaultUrl), &promised);
 
   // Sending the request should not use the push stream, since the
-  // NetworkIsolationKey is different.
+  // NetworkAnonymizationKey is different.
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(ERR_IO_PENDING,
-            request2.Request(
-                scheme_host_port_, version_, PRIVACY_MODE_DISABLED,
-                DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey::CreateTransient(), SecureDnsPolicy::kAllow,
-                /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
-                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
-                failed_on_default_network_callback_, callback_.callback()));
+  EXPECT_EQ(
+      ERR_IO_PENDING,
+      request2.Request(
+          scheme_host_port_, version_, PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY,
+          SocketTag(), NetworkAnonymizationKey::CreateTransient(),
+          SecureDnsPolicy::kAllow,
+          /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
+          /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+          failed_on_default_network_callback_, callback_.callback()));
 
   EXPECT_EQ(0, QuicStreamFactoryPeer::GetNumPushStreamsCreated(factory_.get()));
   EXPECT_EQ(&promised, index->GetPromised(kDefaultUrl));
@@ -12348,7 +12362,7 @@ TEST_P(QuicStreamFactoryTest, PoolByOrigin) {
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 destination1, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12363,7 +12377,7 @@ TEST_P(QuicStreamFactoryTest, PoolByOrigin) {
   EXPECT_EQ(OK,
             request2.Request(
                 destination2, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
@@ -12527,7 +12541,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, InvalidCertificate) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 destination, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12569,7 +12583,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, SharedCertificate) {
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 destination, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url1, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12585,7 +12599,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, SharedCertificate) {
   EXPECT_EQ(OK,
             request2.Request(
                 destination, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
@@ -12649,7 +12663,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DifferentPrivacyMode) {
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 destination, version_, PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url1, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12663,7 +12677,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DifferentPrivacyMode) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 destination, version_, PRIVACY_MODE_ENABLED, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
@@ -12734,7 +12748,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DifferentSecureDnsPolicy) {
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 destination, version_, PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url1, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12745,13 +12759,14 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DifferentSecureDnsPolicy) {
 
   TestCompletionCallback callback2;
   QuicStreamRequest request2(factory_.get());
-  EXPECT_EQ(ERR_IO_PENDING,
-            request2.Request(
-                destination, version_, PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kDisable,
-                /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
-                /*cert_verify_flags=*/0, url2, net_log_, &net_error_details_,
-                failed_on_default_network_callback_, callback2.callback()));
+  EXPECT_EQ(
+      ERR_IO_PENDING,
+      request2.Request(
+          destination, version_, PRIVACY_MODE_DISABLED, DEFAULT_PRIORITY,
+          SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kDisable,
+          /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
+          /*cert_verify_flags=*/0, url2, net_log_, &net_error_details_,
+          failed_on_default_network_callback_, callback2.callback()));
   EXPECT_EQ(OK, callback2.WaitForResult());
   std::unique_ptr<HttpStream> stream2 = CreateStream(&request2);
   EXPECT_TRUE(stream2.get());
@@ -12818,7 +12833,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DisjointCertificate) {
   EXPECT_EQ(ERR_IO_PENDING,
             request1.Request(
                 destination, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url1, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12832,7 +12847,7 @@ TEST_P(QuicStreamFactoryWithDestinationTest, DisjointCertificate) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 destination, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback2.callback()));
@@ -12871,7 +12886,7 @@ TEST_P(QuicStreamFactoryTest, ClearCachedStatesInCryptoConfig) {
   // alive.
   std::unique_ptr<QuicCryptoClientConfigHandle> crypto_config_handle =
       QuicStreamFactoryPeer::GetCryptoConfig(factory_.get(),
-                                             NetworkIsolationKey());
+                                             NetworkAnonymizationKey());
 
   struct TestCase {
     TestCase(const std::string& host,
@@ -12954,7 +12969,7 @@ TEST_P(QuicStreamFactoryTest, HostResolverUsesRequestPriority) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, MAXIMUM_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12984,7 +12999,7 @@ TEST_P(QuicStreamFactoryTest, HostResolverRequestReprioritizedOnSetPriority) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, MAXIMUM_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -12996,7 +13011,7 @@ TEST_P(QuicStreamFactoryTest, HostResolverRequestReprioritizedOnSetPriority) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url2_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13009,11 +13024,11 @@ TEST_P(QuicStreamFactoryTest, HostResolverRequestReprioritizedOnSetPriority) {
 }
 
 // Verifies that the host resolver uses the disable secure DNS setting and
-// NetworkIsolationKey passed to QuicStreamRequest::Request().
+// NetworkAnonymizationKey passed to QuicStreamRequest::Request().
 TEST_P(QuicStreamFactoryTest, HostResolverUsesParams) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey(kSite1, kSite1);
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
@@ -13033,13 +13048,14 @@ TEST_P(QuicStreamFactoryTest, HostResolverUsesParams) {
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_EQ(ERR_IO_PENDING,
-            request.Request(
-                scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), kNetworkIsolationKey, SecureDnsPolicy::kDisable,
-                /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
-                /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
-                failed_on_default_network_callback_, callback_.callback()));
+  EXPECT_EQ(
+      ERR_IO_PENDING,
+      request.Request(
+          scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
+          SocketTag(), kNetworkAnonymizationKey, SecureDnsPolicy::kDisable,
+          /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
+          /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+          failed_on_default_network_callback_, callback_.callback()));
 
   EXPECT_THAT(callback_.WaitForResult(), IsOk());
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
@@ -13047,9 +13063,10 @@ TEST_P(QuicStreamFactoryTest, HostResolverUsesParams) {
 
   EXPECT_EQ(net::SecureDnsPolicy::kDisable,
             host_resolver_->last_secure_dns_policy());
-  ASSERT_TRUE(host_resolver_->last_request_network_isolation_key().has_value());
-  EXPECT_EQ(kNetworkIsolationKey,
-            host_resolver_->last_request_network_isolation_key().value());
+  ASSERT_TRUE(
+      host_resolver_->last_request_network_anonymization_key().has_value());
+  EXPECT_EQ(kNetworkAnonymizationKey,
+            host_resolver_->last_request_network_anonymization_key().value());
 
   EXPECT_TRUE(socket_data.AllReadDataConsumed());
   EXPECT_TRUE(socket_data.AllWriteDataConsumed());
@@ -13089,7 +13106,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackAsyncSync) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13144,7 +13161,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackAsyncAsync) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13196,7 +13213,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackSyncSync) {
   EXPECT_EQ(ERR_QUIC_PROTOCOL_ERROR,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13235,7 +13252,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackSyncAsync) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13270,7 +13287,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackFailSync) {
   EXPECT_EQ(ERR_NAME_NOT_RESOLVED,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13297,7 +13314,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackFailAsync) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13330,7 +13347,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionSync) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_synchronous_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -13348,13 +13365,14 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionSync) {
   quic_data.AddSocketDataToFactory(socket_factory_.get());
 
   QuicStreamRequest request(factory_.get());
-  EXPECT_THAT(request.Request(
-                  scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                  SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
-                  /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
-                  /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
-                  failed_on_default_network_callback_, callback_.callback()),
-              IsOk());
+  EXPECT_THAT(
+      request.Request(
+          scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
+          SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
+          /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
+          /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+          failed_on_default_network_callback_, callback_.callback()),
+      IsOk());
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
   EXPECT_TRUE(stream.get());
   QuicChromiumClientSession* session = GetActiveSession(scheme_host_port_);
@@ -13388,7 +13406,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionAsync) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13425,7 +13443,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncStaleMatch) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -13441,7 +13459,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncStaleMatch) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13477,7 +13495,7 @@ TEST_P(QuicStreamFactoryTest,
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -13498,7 +13516,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13540,7 +13558,7 @@ TEST_P(QuicStreamFactoryTest,
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -13561,7 +13579,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13599,7 +13617,7 @@ TEST_P(QuicStreamFactoryTest,
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -13636,7 +13654,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13674,7 +13692,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleAsyncResolveAsyncNoMatch) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -13717,7 +13735,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleAsyncResolveAsyncNoMatch) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13757,7 +13775,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -13796,7 +13814,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13839,7 +13857,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveError) {
   EXPECT_EQ(ERR_NAME_NOT_RESOLVED,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13865,7 +13883,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncError) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13887,7 +13905,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleSyncHostResolveError) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -13916,7 +13934,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleSyncHostResolveError) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13946,7 +13964,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSMatches) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -13965,7 +13983,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSMatches) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -13988,7 +14006,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatch) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -14015,7 +14033,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatch) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14051,7 +14069,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatchError) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -14076,7 +14094,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatchError) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14102,7 +14120,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncErrorStaleAsync) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -14133,7 +14151,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncErrorStaleAsync) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14159,7 +14177,7 @@ TEST_P(QuicStreamFactoryTest,
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -14189,7 +14207,7 @@ TEST_P(QuicStreamFactoryTest,
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14226,7 +14244,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsync) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14265,7 +14283,7 @@ TEST_P(QuicStreamFactoryTest, StaleNetworkFailedAfterHandshake) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -14294,7 +14312,7 @@ TEST_P(QuicStreamFactoryTest, StaleNetworkFailedAfterHandshake) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14338,7 +14356,7 @@ TEST_P(QuicStreamFactoryTest, StaleNetworkFailedBeforeHandshake) {
   // Set up an address in stale resolver cache.
   host_resolver_->set_ondemand_mode(true);
   host_resolver_->rules()->AddRule(scheme_host_port_.host(), kCachedIPAddress);
-  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkIsolationKey(),
+  host_resolver_->LoadIntoCache(scheme_host_port_, NetworkAnonymizationKey(),
                                 /*optional_parameters=*/absl::nullopt);
 
   // Expire the cache
@@ -14371,7 +14389,7 @@ TEST_P(QuicStreamFactoryTest, StaleNetworkFailedBeforeHandshake) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14440,7 +14458,7 @@ TEST_P(QuicStreamFactoryTest, ConfigInitialRttForHandshake) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14509,7 +14527,7 @@ TEST_P(QuicStreamFactoryTest, Tag) {
   QuicStreamRequest request1(factory_.get());
   int rv = request1.Request(
       scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY, tag1,
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
       /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
       failed_on_default_network_callback_, callback_.callback());
@@ -14526,7 +14544,7 @@ TEST_P(QuicStreamFactoryTest, Tag) {
   QuicStreamRequest request2(factory_.get());
   rv = request2.Request(
       scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY, tag1,
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
       /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
       failed_on_default_network_callback_, callback_.callback());
@@ -14541,7 +14559,7 @@ TEST_P(QuicStreamFactoryTest, Tag) {
   QuicStreamRequest request3(factory_.get());
   rv = request3.Request(
       scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY, tag2,
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
       /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
       failed_on_default_network_callback_, callback_.callback());
@@ -14579,7 +14597,7 @@ TEST_P(QuicStreamFactoryTest, ReadErrorClosesConnection) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14616,7 +14634,7 @@ TEST_P(QuicStreamFactoryTest, MessageTooBigReadErrorDoesNotCloseConnection) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14653,7 +14671,7 @@ TEST_P(QuicStreamFactoryTest, ZeroLengthReadDoesNotCloseConnection) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14692,7 +14710,7 @@ TEST_P(QuicStreamFactoryTest, DnsAliasesCanBeAccessedFromStream) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14730,7 +14748,7 @@ TEST_P(QuicStreamFactoryTest, NoAdditionalDnsAliases) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14767,7 +14785,7 @@ TEST_P(QuicStreamFactoryTest, DoNotUseDnsAliases) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/false, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14801,7 +14819,7 @@ TEST_P(QuicStreamFactoryTest, ConnectErrorInCreateWithDnsAliases) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(
                 scheme_host_port_, version_, privacy_mode_, DEFAULT_PRIORITY,
-                SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/false,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -14874,7 +14892,7 @@ void QuicStreamFactoryTestBase::TestRequireDnsHttpsAlpn(
             request.Request(
                 scheme_host_port_, quic::ParsedQuicVersion::Unsupported(),
                 privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-                NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
                 /*use_dns_aliases=*/true, /*require_dns_https_alpn=*/true,
                 /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
                 failed_on_default_network_callback_, callback_.callback()));
@@ -15059,7 +15077,7 @@ TEST_P(QuicStreamFactoryDnsAliasPoolingTest, IPPooling) {
       ERR_IO_PENDING,
       request1.Request(
           kOrigin1, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-          NetworkIsolationKey(), SecureDnsPolicy::kAllow, use_dns_aliases_,
+          NetworkAnonymizationKey(), SecureDnsPolicy::kAllow, use_dns_aliases_,
           /*require_dns_https_alpn=*/false, /*cert_verify_flags=*/0, kUrl1,
           net_log_, &net_error_details_, failed_on_default_network_callback_,
           callback_.callback()));
@@ -15075,7 +15093,7 @@ TEST_P(QuicStreamFactoryDnsAliasPoolingTest, IPPooling) {
       ERR_IO_PENDING,
       request2.Request(
           kOrigin2, version_, privacy_mode_, DEFAULT_PRIORITY, SocketTag(),
-          NetworkIsolationKey(), SecureDnsPolicy::kAllow, use_dns_aliases_,
+          NetworkAnonymizationKey(), SecureDnsPolicy::kAllow, use_dns_aliases_,
           /*require_dns_https_alpn=*/false, /*cert_verify_flags=*/0, kUrl2,
           net_log_, &net_error_details_, failed_on_default_network_callback_,
           callback2.callback()));
diff --git a/chromium/net/quic/quic_test_packet_maker.cc b/chromium/net/quic/quic_test_packet_maker.cc
index 373c1f17bcb..45ccf57b83c 100644
--- a/chromium/net/quic/quic_test_packet_maker.cc
+++ b/chromium/net/quic/quic_test_packet_maker.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_test_packet_maker.h b/chromium/net/quic/quic_test_packet_maker.h
index 5f58a37d7d8..33603fc9b04 100644
--- a/chromium/net/quic/quic_test_packet_maker.h
+++ b/chromium/net/quic/quic_test_packet_maker.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/quic/quic_test_packet_printer.cc b/chromium/net/quic/quic_test_packet_printer.cc
index 8ab76692d31..c93a8e9d092 100644
--- a/chromium/net/quic/quic_test_packet_printer.cc
+++ b/chromium/net/quic/quic_test_packet_printer.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_test_packet_printer.h b/chromium/net/quic/quic_test_packet_printer.h
index d1d1bd5e948..9ae574eb443 100644
--- a/chromium/net/quic/quic_test_packet_printer.h
+++ b/chromium/net/quic/quic_test_packet_printer.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/quic_transport_parameters_fuzzer.cc b/chromium/net/quic/quic_transport_parameters_fuzzer.cc
index 600adad737c..1537f534a35 100644
--- a/chromium/net/quic/quic_transport_parameters_fuzzer.cc
+++ b/chromium/net/quic/quic_transport_parameters_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/set_quic_flag.cc b/chromium/net/quic/set_quic_flag.cc
index 960f11593a4..3c9c4cc4a38 100644
--- a/chromium/net/quic/set_quic_flag.cc
+++ b/chromium/net/quic/set_quic_flag.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/set_quic_flag.h b/chromium/net/quic/set_quic_flag.h
index d968f1a4605..f4f699b69bb 100644
--- a/chromium/net/quic/set_quic_flag.h
+++ b/chromium/net/quic/set_quic_flag.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/set_quic_flag_test.cc b/chromium/net/quic/set_quic_flag_test.cc
index fedee9b14fa..e929adaade0 100644
--- a/chromium/net/quic/set_quic_flag_test.cc
+++ b/chromium/net/quic/set_quic_flag_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/test_quic_crypto_client_config_handle.cc b/chromium/net/quic/test_quic_crypto_client_config_handle.cc
index ad9dbd09fdd..0e98955056d 100644
--- a/chromium/net/quic/test_quic_crypto_client_config_handle.cc
+++ b/chromium/net/quic/test_quic_crypto_client_config_handle.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/test_quic_crypto_client_config_handle.h b/chromium/net/quic/test_quic_crypto_client_config_handle.h
index a4145663d81..fc0e86a435c 100644
--- a/chromium/net/quic/test_quic_crypto_client_config_handle.h
+++ b/chromium/net/quic/test_quic_crypto_client_config_handle.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/test_task_runner.cc b/chromium/net/quic/test_task_runner.cc
index b35e7b7184f..42486b0d4ae 100644
--- a/chromium/net/quic/test_task_runner.cc
+++ b/chromium/net/quic/test_task_runner.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/test_task_runner.h b/chromium/net/quic/test_task_runner.h
index 291423e023f..5309a8dabd9 100644
--- a/chromium/net/quic/test_task_runner.h
+++ b/chromium/net/quic/test_task_runner.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/quic/web_transport_client.cc b/chromium/net/quic/web_transport_client.cc
index 9cbd9bc02a2..ee9b5f67af8 100644
--- a/chromium/net/quic/web_transport_client.cc
+++ b/chromium/net/quic/web_transport_client.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -78,7 +78,7 @@ std::unique_ptr<WebTransportClient> CreateWebTransportClient(
     const GURL& url,
     const url::Origin& origin,
     WebTransportClientVisitor* visitor,
-    const NetworkIsolationKey& isolation_key,
+    const NetworkAnonymizationKey& anonymization_key,
     URLRequestContext* context,
     const WebTransportParameters& parameters) {
   if (url.scheme() == url::kHttpsScheme) {
@@ -87,7 +87,7 @@ std::unique_ptr<WebTransportClient> CreateWebTransportClient(
           ERR_DISALLOWED_URL_SCHEME, visitor);
     }
     return std::make_unique<DedicatedWebTransportHttp3Client>(
-        url, origin, visitor, isolation_key, context, parameters);
+        url, origin, visitor, anonymization_key, context, parameters);
   }
 
   return std::make_unique<FailedWebTransportClient>(ERR_UNKNOWN_URL_SCHEME,
diff --git a/chromium/net/quic/web_transport_client.h b/chromium/net/quic/web_transport_client.h
index 977be9463b3..af1941a77ca 100644
--- a/chromium/net/quic/web_transport_client.h
+++ b/chromium/net/quic/web_transport_client.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,7 +9,7 @@
 
 #include "base/memory/scoped_refptr.h"
 #include "base/strings/string_piece.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/quic/web_transport_error.h"
 #include "net/third_party/quiche/src/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_types.h"
@@ -134,15 +134,15 @@ class NET_EXPORT WebTransportClient {
 };
 
 // Creates a WebTransport client for |url| accessed from |origin| with the
-// provided |isolation_key|; |visitor| is associated with the resulting object.
-// This method never returns nullptr; in case of error, the resulting client
-// will be in the error state.
+// provided |anonymization_key|; |visitor| is associated with the resulting
+// object. This method never returns nullptr; in case of error, the resulting
+// client will be in the error state.
 NET_EXPORT
 std::unique_ptr<WebTransportClient> CreateWebTransportClient(
     const GURL& url,
     const url::Origin& origin,
     WebTransportClientVisitor* visitor,
-    const NetworkIsolationKey& isolation_key,
+    const NetworkAnonymizationKey& anonymization_key,
     URLRequestContext* context,
     const WebTransportParameters& parameters);
 
diff --git a/chromium/net/quic/web_transport_error.cc b/chromium/net/quic/web_transport_error.cc
index 4f156548f1d..e7dc49d3aca 100644
--- a/chromium/net/quic/web_transport_error.cc
+++ b/chromium/net/quic/web_transport_error.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/quic/web_transport_error.h b/chromium/net/quic/web_transport_error.h
index e72e0b99c71..a976bd7952e 100644
--- a/chromium/net/quic/web_transport_error.h
+++ b/chromium/net/quic/web_transport_error.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/OWNERS b/chromium/net/reporting/OWNERS
index acbf93af41e..4392ef47220 100644
--- a/chromium/net/reporting/OWNERS
+++ b/chromium/net/reporting/OWNERS
@@ -1 +1 @@
-yhirano@chromium.org
+ricea@chromium.org
diff --git a/chromium/net/reporting/README.md b/chromium/net/reporting/README.md
index 7ad6beb8b92..34eea76936d 100644
--- a/chromium/net/reporting/README.md
+++ b/chromium/net/reporting/README.md
@@ -73,7 +73,7 @@ by non-browser embedders as well as by Chromium.
 
 * The `ReportingService` is set up in a `URLRequestContext` by passing a
   `ReportingPolicy` to the `URLRequestContextBuilder`. This creates a
-  `ReportingService` which is owned by the `URLRequestContextStorage`.
+  `ReportingService` which is owned by the `URLRequestContext`.
 
 * `Report-To:` headers are processed by an `HttpNetworkTransaction` when they
   are received, and passed on to the `ReportingService` to be added to the
@@ -107,7 +107,7 @@ by non-browser embedders as well as by Chromium.
 
     * It queues reports via the `NetworkContext` using a
       `blink::mojom::ReportingServiceProxy` (implemented [in
-      `//content/browser/net/`][2]), which can queue Intervention, Deprecation,
+      `//content/browser/network/`][2]), which can queue Intervention, Deprecation,
       CSP Violation, and Permissions Policy Violation reports.
 
 * The `ChromeNetworkDelegate` [in `//chrome/browser/net/`][3] checks permissions
@@ -169,6 +169,6 @@ To support both mechanisms simultaneously, we do the following:
   group.
 
 [1]: https://chromium.googlesource.com/chromium/src/+/HEAD/third_party/blink/renderer/core/frame/reporting_observer.h
-[2]: https://chromium.googlesource.com/chromium/src/+/HEAD/content/browser/net/reporting_service_proxy.cc
+[2]: https://chromium.googlesource.com/chromium/src/+/HEAD/content/browser/network/reporting_service_proxy.cc
 [3]: https://chromium.googlesource.com/chromium/src/+/HEAD/chrome/browser/net/chrome_network_delegate.h
 [4]: https://chromium.googlesource.com/chromium/src/+/HEAD/components/cronet/android/test/javatests/src/org/chromium/net/NetworkErrorLoggingTest.java
diff --git a/chromium/net/reporting/mock_persistent_reporting_store.cc b/chromium/net/reporting/mock_persistent_reporting_store.cc
index eed7ef31cf2..8a11e1d4f66 100644
--- a/chromium/net/reporting/mock_persistent_reporting_store.cc
+++ b/chromium/net/reporting/mock_persistent_reporting_store.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -102,52 +102,59 @@ std::ostream& operator<<(std::ostream& out,
       return out << "FLUSH()";
     case MockPersistentReportingStore::Command::Type::ADD_REPORTING_ENDPOINT:
       return out << "ADD_REPORTING_ENDPOINT("
-                 << "NIK="
-                 << cmd.group_key.network_isolation_key.ToDebugString() << ", "
+                 << "NAK="
+                 << cmd.group_key.network_anonymization_key.ToDebugString()
+                 << ", "
                  << "origin=" << cmd.group_key.origin << ", "
                  << "group=" << cmd.group_key.group_name << ", "
                  << "endpoint=" << cmd.url << ")";
     case MockPersistentReportingStore::Command::Type::
         UPDATE_REPORTING_ENDPOINT_DETAILS:
       return out << "UPDATE_REPORTING_ENDPOINT_DETAILS("
-                 << "NIK="
-                 << cmd.group_key.network_isolation_key.ToDebugString() << ", "
+                 << "NAK="
+                 << cmd.group_key.network_anonymization_key.ToDebugString()
+                 << ", "
                  << "origin=" << cmd.group_key.origin << ", "
                  << "group=" << cmd.group_key.group_name << ", "
                  << "endpoint=" << cmd.url << ")";
     case MockPersistentReportingStore::Command::Type::DELETE_REPORTING_ENDPOINT:
       return out << "DELETE_REPORTING_ENDPOINT("
-                 << "NIK="
-                 << cmd.group_key.network_isolation_key.ToDebugString() << ", "
+                 << "NAK="
+                 << cmd.group_key.network_anonymization_key.ToDebugString()
+                 << ", "
                  << "origin=" << cmd.group_key.origin << ", "
                  << "group=" << cmd.group_key.group_name << ", "
                  << "endpoint=" << cmd.url << ")";
     case MockPersistentReportingStore::Command::Type::
         ADD_REPORTING_ENDPOINT_GROUP:
       return out << "ADD_REPORTING_ENDPOINT_GROUP("
-                 << "NIK="
-                 << cmd.group_key.network_isolation_key.ToDebugString() << ", "
+                 << "NAK="
+                 << cmd.group_key.network_anonymization_key.ToDebugString()
+                 << ", "
                  << "origin=" << cmd.group_key.origin << ", "
                  << "group=" << cmd.group_key.group_name << ")";
     case MockPersistentReportingStore::Command::Type::
         UPDATE_REPORTING_ENDPOINT_GROUP_ACCESS_TIME:
       return out << "UPDATE_REPORTING_ENDPOINT_GROUP_ACCESS_TIME("
-                 << "NIK="
-                 << cmd.group_key.network_isolation_key.ToDebugString() << ", "
+                 << "NAK="
+                 << cmd.group_key.network_anonymization_key.ToDebugString()
+                 << ", "
                  << "origin=" << cmd.group_key.origin << ", "
                  << "group=" << cmd.group_key.group_name << ")";
     case MockPersistentReportingStore::Command::Type::
         UPDATE_REPORTING_ENDPOINT_GROUP_DETAILS:
       return out << "UPDATE_REPORTING_ENDPOINT_GROUP_DETAILS("
-                 << "NIK="
-                 << cmd.group_key.network_isolation_key.ToDebugString() << ", "
+                 << "NAK="
+                 << cmd.group_key.network_anonymization_key.ToDebugString()
+                 << ", "
                  << "origin=" << cmd.group_key.origin << ", "
                  << "group=" << cmd.group_key.group_name << ")";
     case MockPersistentReportingStore::Command::Type::
         DELETE_REPORTING_ENDPOINT_GROUP:
       return out << "DELETE_REPORTING_ENDPOINT_GROUP("
-                 << "NIK="
-                 << cmd.group_key.network_isolation_key.ToDebugString() << ", "
+                 << "NAK="
+                 << cmd.group_key.network_anonymization_key.ToDebugString()
+                 << ", "
                  << "origin=" << cmd.group_key.origin << ", "
                  << "group=" << cmd.group_key.group_name << ")";
   }
diff --git a/chromium/net/reporting/mock_persistent_reporting_store.h b/chromium/net/reporting/mock_persistent_reporting_store.h
index 41e06ab5b1e..4642a56fe33 100644
--- a/chromium/net/reporting/mock_persistent_reporting_store.h
+++ b/chromium/net/reporting/mock_persistent_reporting_store.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,7 +8,7 @@
 #include <vector>
 
 #include "base/callback.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_endpoint.h"
 #include "url/origin.h"
diff --git a/chromium/net/reporting/mock_persistent_reporting_store_unittest.cc b/chromium/net/reporting/mock_persistent_reporting_store_unittest.cc
index bbf58ba90b7..99920c7134f 100644
--- a/chromium/net/reporting/mock_persistent_reporting_store_unittest.cc
+++ b/chromium/net/reporting/mock_persistent_reporting_store_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,7 +9,7 @@
 #include "base/location.h"
 #include "base/test/bind.h"
 #include "base/time/time.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/reporting/reporting_endpoint.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
@@ -30,7 +30,7 @@ ReportingData GetReportingData() {
   const url::Origin kOrigin =
       url::Origin::Create(GURL("https://example.test/"));
   const char kGroupName[] = "groupname";
-  const ReportingEndpointGroupKey kGroupKey(NetworkIsolationKey(), kOrigin,
+  const ReportingEndpointGroupKey kGroupKey(NetworkAnonymizationKey(), kOrigin,
                                             kGroupName);
   const ReportingEndpoint kEndpoint(kGroupKey,
                                     {GURL("https://endpoint.test/reports")});
diff --git a/chromium/net/reporting/reporting_browsing_data_remover.cc b/chromium/net/reporting/reporting_browsing_data_remover.cc
index 58849576036..25037466318 100644
--- a/chromium/net/reporting/reporting_browsing_data_remover.cc
+++ b/chromium/net/reporting/reporting_browsing_data_remover.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_browsing_data_remover.h b/chromium/net/reporting/reporting_browsing_data_remover.h
index 93ce6b27cf6..f1445d9e30b 100644
--- a/chromium/net/reporting/reporting_browsing_data_remover.h
+++ b/chromium/net/reporting/reporting_browsing_data_remover.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_browsing_data_remover_unittest.cc b/chromium/net/reporting/reporting_browsing_data_remover_unittest.cc
index 05832c2a1d5..5d96fb69785 100644
--- a/chromium/net/reporting/reporting_browsing_data_remover_unittest.cc
+++ b/chromium/net/reporting/reporting_browsing_data_remover_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,7 +9,7 @@
 
 #include "base/bind.h"
 #include "base/test/simple_test_tick_clock.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_context.h"
 #include "net/reporting/reporting_report.h"
@@ -43,15 +43,15 @@ class ReportingBrowsingDataRemoverTest : public ReportingTestBase {
 
   // TODO(chlily): Take NIK.
   void AddReport(const GURL& url) {
-    cache()->AddReport(absl::nullopt, NetworkIsolationKey(), url, kUserAgent_,
-                       kGroup_, kType_, base::Value::Dict(), 0,
+    cache()->AddReport(absl::nullopt, NetworkAnonymizationKey(), url,
+                       kUserAgent_, kGroup_, kType_, base::Value::Dict(), 0,
                        tick_clock()->NowTicks(), 0);
   }
 
   // TODO(chlily): Take NIK.
   void SetEndpoint(const url::Origin& origin) {
     SetEndpointInCache(
-        ReportingEndpointGroupKey(NetworkIsolationKey(), origin, kGroup_),
+        ReportingEndpointGroupKey(NetworkAnonymizationKey(), origin, kGroup_),
         kEndpoint_, base::Time::Now() + base::Days(7));
   }
 
@@ -155,10 +155,10 @@ TEST_F(ReportingBrowsingDataRemoverTest, RemoveSomeClients) {
                      /* host= */ kUrl1_.host());
   EXPECT_EQ(2u, report_count());
   EXPECT_FALSE(FindEndpointInCache(
-      ReportingEndpointGroupKey(NetworkIsolationKey(), kOrigin1_, kGroup_),
+      ReportingEndpointGroupKey(NetworkAnonymizationKey(), kOrigin1_, kGroup_),
       kEndpoint_));
   EXPECT_TRUE(FindEndpointInCache(
-      ReportingEndpointGroupKey(NetworkIsolationKey(), kOrigin2_, kGroup_),
+      ReportingEndpointGroupKey(NetworkAnonymizationKey(), kOrigin2_, kGroup_),
       kEndpoint_));
 }
 
diff --git a/chromium/net/reporting/reporting_cache.cc b/chromium/net/reporting/reporting_cache.cc
index 8773122dab3..f28ec35593e 100644
--- a/chromium/net/reporting/reporting_cache.cc
+++ b/chromium/net/reporting/reporting_cache.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_cache.h b/chromium/net/reporting/reporting_cache.h
index ba4bf5e4c24..b9e7017c247 100644
--- a/chromium/net/reporting/reporting_cache.h
+++ b/chromium/net/reporting/reporting_cache.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -59,7 +59,7 @@ class NET_EXPORT ReportingCache {
 
   // Adds a report to the cache.
   //
-  // |reporting_source| and |network_isolation_key| will be used when the
+  // |reporting_source| and |network_anonymization_key| will be used when the
   // report is delivered, to determine which endpoints are eligible to receive
   // this report, and which other reports this report can be batched with.
   //
@@ -67,7 +67,7 @@ class NET_EXPORT ReportingCache {
   // fields in ReportingReport.
   virtual void AddReport(
       const absl::optional<base::UnguessableToken>& reporting_source,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const GURL& url,
       const std::string& user_agent,
       const std::string& group_name,
@@ -166,7 +166,7 @@ class NET_EXPORT ReportingCache {
   // to match the new header. All values are assumed to be valid as they have
   // passed through the ReportingHeaderParser.
   virtual void OnParsedHeader(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       std::vector<ReportingEndpointGroup> parsed_header) = 0;
 
@@ -186,8 +186,9 @@ class NET_EXPORT ReportingCache {
 
   // Remove client for the given (NIK, origin) pair, if it exists in the cache.
   // All endpoint groups and endpoints for that client are also removed.
-  virtual void RemoveClient(const NetworkIsolationKey& network_isolation_key,
-                            const url::Origin& origin) = 0;
+  virtual void RemoveClient(
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::Origin& origin) = 0;
 
   // Remove all clients for the given |origin|, if any exists in the cache.
   // All endpoint groups and endpoints for |origin| are also removed.
@@ -282,7 +283,7 @@ class NET_EXPORT ReportingCache {
 
   // Returns whether a client for the given (NIK, Origin) exists.
   virtual bool ClientExistsForTesting(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin) const = 0;
 
   // Returns number of endpoint groups.
diff --git a/chromium/net/reporting/reporting_cache_impl.cc b/chromium/net/reporting/reporting_cache_impl.cc
index c9765152f14..6efc2507cba 100644
--- a/chromium/net/reporting/reporting_cache_impl.cc
+++ b/chromium/net/reporting/reporting_cache_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -29,7 +29,7 @@ ReportingCacheImpl::~ReportingCacheImpl() = default;
 
 void ReportingCacheImpl::AddReport(
     const absl::optional<base::UnguessableToken>& reporting_source,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const GURL& url,
     const std::string& user_agent,
     const std::string& group_name,
@@ -50,9 +50,8 @@ void ReportingCacheImpl::AddReport(
   }
 
   auto report = std::make_unique<ReportingReport>(
-      reporting_source, network_isolation_key, url, user_agent, group_name,
-      type, std::make_unique<base::Value>(std::move(body)), depth, queued,
-      attempts);
+      reporting_source, network_anonymization_key, url, user_agent, group_name,
+      type, std::move(body), depth, queued, attempts);
 
   auto inserted = reports_.insert(std::move(report));
   DCHECK(inserted.second);
@@ -103,17 +102,15 @@ base::Value ReportingCacheImpl::GetReportsAsValue() const {
   base::Value::List report_list;
   for (const ReportingReport* report : sorted_reports) {
     base::Value::Dict report_dict;
-    report_dict.Set("network_isolation_key",
-                    report->network_isolation_key.ToDebugString());
+    report_dict.Set("network_anonymization_key",
+                    report->network_anonymization_key.ToDebugString());
     report_dict.Set("url", report->url.spec());
     report_dict.Set("group", report->group);
     report_dict.Set("type", report->type);
     report_dict.Set("depth", report->depth);
     report_dict.Set("queued", NetLog::TickCountToString(report->queued));
     report_dict.Set("attempts", report->attempts);
-    if (report->body) {
-      report_dict.Set("body", report->body->Clone());
-    }
+    report_dict.Set("body", report->body.Clone());
     switch (report->status) {
       case ReportingReport::Status::DOOMED:
         report_dict.Set("status", "doomed");
@@ -249,10 +246,8 @@ ReportingEndpoint::Statistics* ReportingCacheImpl::GetEndpointStats(
     if (document_endpoints_source_it == document_endpoints_.end())
       return nullptr;
     const auto document_endpoint_it =
-        base::ranges::find_if(document_endpoints_source_it->second,
-                              [&group_key](ReportingEndpoint endpoint) {
-                                return endpoint.group_key == group_key;
-                              });
+        base::ranges::find(document_endpoints_source_it->second, group_key,
+                           &ReportingEndpoint::group_key);
     // The endpoint may have been removed while the upload was in progress. In
     // that case, we no longer care about the stats for the removed endpoint.
     if (document_endpoint_it == document_endpoints_source_it->second.end())
@@ -369,12 +364,12 @@ bool ReportingCacheImpl::IsReportDoomedForTesting(
 }
 
 void ReportingCacheImpl::OnParsedHeader(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin,
     std::vector<ReportingEndpointGroup> parsed_header) {
   ConsistencyCheckClients();
 
-  Client new_client(network_isolation_key, origin);
+  Client new_client(network_anonymization_key, origin);
   base::Time now = clock().Now();
   new_client.last_used = now;
 
@@ -389,8 +384,8 @@ void ReportingCacheImpl::OnParsedHeader(
 
     // Consistency check: the new client should have the same NIK and origin as
     // all groups parsed from this header.
-    DCHECK(new_group.group_key.network_isolation_key ==
-           new_client.network_isolation_key);
+    DCHECK(new_group.group_key.network_anonymization_key ==
+           new_client.network_anonymization_key);
     DCHECK_EQ(new_group.group_key.origin, new_client.origin);
 
     for (const auto& parsed_endpoint_info : parsed_endpoint_group.endpoints) {
@@ -422,7 +417,7 @@ void ReportingCacheImpl::OnParsedHeader(
 
   // Remove endpoint groups that may have been configured for an existing client
   // for |origin|, but which are not specified in the current header.
-  RemoveEndpointGroupsForClientOtherThan(network_isolation_key, origin,
+  RemoveEndpointGroupsForClientOtherThan(network_anonymization_key, origin,
                                          new_client.endpoint_group_names);
 
   EnforcePerClientAndGlobalEndpointLimits(
@@ -481,10 +476,11 @@ std::set<url::Origin> ReportingCacheImpl::GetAllOrigins() const {
 }
 
 void ReportingCacheImpl::RemoveClient(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin) {
   ConsistencyCheckClients();
-  ClientMap::iterator client_it = FindClientIt(network_isolation_key, origin);
+  ClientMap::iterator client_it =
+      FindClientIt(network_anonymization_key, origin);
   if (client_it == clients_.end())
     return;
   RemoveClientInternal(client_it);
@@ -646,7 +642,8 @@ void ReportingCacheImpl::AddClientsLoadedFromStore(
     }
 
     if (!client ||
-        client->network_isolation_key != group_key.network_isolation_key ||
+        client->network_anonymization_key !=
+            group_key.network_anonymization_key ||
         client->origin != group_key.origin) {
       // Store the old client and start a new one.
       if (client) {
@@ -656,7 +653,7 @@ void ReportingCacheImpl::AddClientsLoadedFromStore(
       }
       DCHECK(FindClientIt(group_key) == clients_.end());
       client = absl::make_optional(
-          Client(group_key.network_isolation_key, group_key.origin));
+          Client(group_key.network_anonymization_key, group_key.origin));
     }
     DCHECK(client.has_value());
     client->endpoint_group_names.insert(group_key.group_name);
@@ -669,7 +666,7 @@ void ReportingCacheImpl::AddClientsLoadedFromStore(
   }
 
   if (client) {
-    DCHECK(FindClientIt(client->network_isolation_key, client->origin) ==
+    DCHECK(FindClientIt(client->network_anonymization_key, client->origin) ==
            clients_.end());
     ClientMap::iterator client_it = clients_.insert(
         std::make_pair(client->origin.host(), std::move(*client)));
@@ -720,7 +717,8 @@ ReportingCacheImpl::GetCandidateEndpointsForDelivery(
   // We need to clear out the |reporting_source| field to get a group key which
   // can be compared to any V0 endpoint groups.
   ReportingEndpointGroupKey v0_lookup_group_key(
-      group_key.network_isolation_key, group_key.origin, group_key.group_name);
+      group_key.network_anonymization_key, group_key.origin,
+      group_key.group_name);
 
   // Look for an exact origin match for |origin| and |group|.
   EndpointGroupMap::iterator group_it =
@@ -743,12 +741,12 @@ ReportingCacheImpl::GetCandidateEndpointsForDelivery(
          ++client_it) {
       // Client for a superdomain of |origin|
       const Client& client = client_it->second;
-      if (client.network_isolation_key !=
-          v0_lookup_group_key.network_isolation_key) {
+      if (client.network_anonymization_key !=
+          v0_lookup_group_key.network_anonymization_key) {
         continue;
       }
       ReportingEndpointGroupKey superdomain_lookup_group_key(
-          v0_lookup_group_key.network_isolation_key, client.origin,
+          v0_lookup_group_key.network_anonymization_key, client.origin,
           v0_lookup_group_key.group_name);
       group_it = FindEndpointGroupIt(superdomain_lookup_group_key);
 
@@ -833,13 +831,13 @@ bool ReportingCacheImpl::EndpointGroupExistsForTesting(
 }
 
 bool ReportingCacheImpl::ClientExistsForTesting(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin) const {
   ConsistencyCheckClients();
   for (const auto& domain_and_client : clients_) {
     const Client& client = domain_and_client.second;
     DCHECK_EQ(client.origin.host(), domain_and_client.first);
-    if (client.network_isolation_key == network_isolation_key &&
+    if (client.network_anonymization_key == network_anonymization_key &&
         client.origin == origin) {
       return true;
     }
@@ -867,8 +865,8 @@ void ReportingCacheImpl::SetV1EndpointForTesting(
   DCHECK(!reporting_source.is_empty());
   DCHECK(group_key.IsDocumentEndpoint());
   DCHECK_EQ(reporting_source, group_key.reporting_source.value());
-  DCHECK(group_key.network_isolation_key ==
-         isolation_info.network_isolation_key());
+  DCHECK(group_key.network_anonymization_key ==
+         isolation_info.network_anonymization_key());
 
   ReportingEndpoint::EndpointInfo info;
   info.url = url;
@@ -906,7 +904,7 @@ void ReportingCacheImpl::SetEndpointForTesting(
   ClientMap::iterator client_it = FindClientIt(group_key);
   // If the client doesn't yet exist, add it.
   if (client_it == clients_.end()) {
-    Client new_client(group_key.network_isolation_key, group_key.origin);
+    Client new_client(group_key.network_anonymization_key, group_key.origin);
     std::string domain = group_key.origin.host();
     client_it = clients_.insert(std::make_pair(domain, std::move(new_client)));
   }
@@ -958,9 +956,10 @@ IsolationInfo ReportingCacheImpl::GetIsolationInfoForEndpoint(
     const ReportingEndpoint& endpoint) const {
   // V0 endpoint groups do not support credentials.
   if (!endpoint.group_key.reporting_source.has_value()) {
-    return IsolationInfo::CreatePartial(
-        IsolationInfo::RequestType::kOther,
-        endpoint.group_key.network_isolation_key);
+    // TODO(crbug/1372769): Remove this and have a better way to get an correct
+    // IsolationInfo here.
+    return IsolationInfo::DoNotUseCreatePartialFromNak(
+        endpoint.group_key.network_anonymization_key);
   }
   const auto it =
       isolation_info_.find(endpoint.group_key.reporting_source.value());
@@ -969,9 +968,9 @@ IsolationInfo ReportingCacheImpl::GetIsolationInfoForEndpoint(
 }
 
 ReportingCacheImpl::Client::Client(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin)
-    : network_isolation_key(network_isolation_key), origin(origin) {}
+    : network_anonymization_key(network_anonymization_key), origin(origin) {}
 
 ReportingCacheImpl::Client::Client(const Client& other) = default;
 
@@ -1010,7 +1009,7 @@ void ReportingCacheImpl::ConsistencyCheckClients() const {
 
   size_t total_endpoint_count = 0;
   size_t total_endpoint_group_count = 0;
-  std::set<std::pair<NetworkIsolationKey, url::Origin>>
+  std::set<std::pair<NetworkAnonymizationKey, url::Origin>>
       nik_origin_pairs_in_cache;
 
   for (const auto& domain_and_client : clients_) {
@@ -1020,7 +1019,7 @@ void ReportingCacheImpl::ConsistencyCheckClients() const {
     total_endpoint_group_count += ConsistencyCheckClient(domain, client);
 
     auto inserted = nik_origin_pairs_in_cache.insert(
-        std::make_pair(client.network_isolation_key, client.origin));
+        std::make_pair(client.network_anonymization_key, client.origin));
     // We have not seen a duplicate client with the same NIK and origin.
     DCHECK(inserted.second);
   }
@@ -1060,7 +1059,7 @@ size_t ReportingCacheImpl::ConsistencyCheckClient(const std::string& domain,
       // group.
       DCHECK(!key_and_group.first.IsDocumentEndpoint());
       if (key.origin == client.origin &&
-          key.network_isolation_key == client.network_isolation_key &&
+          key.network_anonymization_key == client.network_anonymization_key &&
           key.group_name == group_name) {
         ++endpoint_group_count_in_client;
         ++groups_with_name;
@@ -1138,14 +1137,14 @@ void ReportingCacheImpl::ConsistencyCheckEndpoint(
 }
 
 ReportingCacheImpl::ClientMap::iterator ReportingCacheImpl::FindClientIt(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin) {
   // TODO(chlily): Limit the number of clients per domain to prevent an attacker
   // from installing many Reporting policies for different port numbers on the
   // same host.
   const auto domain_range = clients_.equal_range(origin.host());
   for (auto it = domain_range.first; it != domain_range.second; ++it) {
-    if (it->second.network_isolation_key == network_isolation_key &&
+    if (it->second.network_anonymization_key == network_anonymization_key &&
         it->second.origin == origin) {
       return it;
     }
@@ -1155,7 +1154,7 @@ ReportingCacheImpl::ClientMap::iterator ReportingCacheImpl::FindClientIt(
 
 ReportingCacheImpl::ClientMap::iterator ReportingCacheImpl::FindClientIt(
     const ReportingEndpointGroupKey& group_key) {
-  return FindClientIt(group_key.network_isolation_key, group_key.origin);
+  return FindClientIt(group_key.network_anonymization_key, group_key.origin);
 }
 
 ReportingCacheImpl::EndpointGroupMap::iterator
@@ -1178,7 +1177,7 @@ ReportingCacheImpl::EndpointMap::iterator ReportingCacheImpl::FindEndpointIt(
 ReportingCacheImpl::ClientMap::iterator ReportingCacheImpl::AddOrUpdateClient(
     Client new_client) {
   ClientMap::iterator client_it =
-      FindClientIt(new_client.network_isolation_key, new_client.origin);
+      FindClientIt(new_client.network_anonymization_key, new_client.origin);
 
   // Add a new client for this NIK and origin.
   if (client_it == clients_.end()) {
@@ -1293,10 +1292,11 @@ void ReportingCacheImpl::RemoveEndpointsInGroupOtherThan(
 }
 
 void ReportingCacheImpl::RemoveEndpointGroupsForClientOtherThan(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin,
     const std::set<std::string>& groups_to_keep_names) {
-  ClientMap::iterator client_it = FindClientIt(network_isolation_key, origin);
+  ClientMap::iterator client_it =
+      FindClientIt(network_anonymization_key, origin);
   if (client_it == clients_.end())
     return;
 
@@ -1307,8 +1307,9 @@ void ReportingCacheImpl::RemoveEndpointGroupsForClientOtherThan(
                                                        groups_to_keep_names);
 
   for (const std::string& group_name : groups_to_remove_names) {
-    EndpointGroupMap::iterator group_it = FindEndpointGroupIt(
-        ReportingEndpointGroupKey(network_isolation_key, origin, group_name));
+    EndpointGroupMap::iterator group_it =
+        FindEndpointGroupIt(ReportingEndpointGroupKey(network_anonymization_key,
+                                                      origin, group_name));
     RemoveEndpointGroupInternal(client_it, group_it);
   }
 }
@@ -1419,7 +1420,7 @@ ReportingCacheImpl::RemoveClientInternal(ClientMap::iterator client_it) {
 
   // Erase all groups in this client, and all endpoints in those groups.
   for (const std::string& group_name : client.endpoint_group_names) {
-    ReportingEndpointGroupKey group_key(client.network_isolation_key,
+    ReportingEndpointGroupKey group_key(client.network_anonymization_key,
                                         client.origin, group_name);
     EndpointGroupMap::iterator group_it = FindEndpointGroupIt(group_key);
     if (context_->IsClientDataPersisted())
@@ -1480,8 +1481,8 @@ void ReportingCacheImpl::EvictEndpointsFromClient(ClientMap::iterator client_it,
   const Client& client = client_it->second;
   // Cache this value as |client| may be deleted.
   size_t client_endpoint_count = client.endpoint_count;
-  const NetworkIsolationKey& network_isolation_key =
-      client.network_isolation_key;
+  const NetworkAnonymizationKey& network_anonymization_key =
+      client.network_anonymization_key;
   const url::Origin& origin = client.origin;
 
   DCHECK_GE(client_endpoint_count, endpoints_to_evict);
@@ -1507,7 +1508,7 @@ void ReportingCacheImpl::EvictEndpointsFromClient(ClientMap::iterator client_it,
     EndpointGroupMap::iterator stalest_group_it = endpoint_groups_.end();
     size_t stalest_group_endpoint_count = 0;
     for (const std::string& group_name : client.endpoint_group_names) {
-      ReportingEndpointGroupKey group_key(network_isolation_key, origin,
+      ReportingEndpointGroupKey group_key(network_anonymization_key, origin,
                                           group_name);
       EndpointGroupMap::iterator group_it = FindEndpointGroupIt(group_key);
       size_t group_endpoint_count = GetEndpointCountInGroup(group_key);
@@ -1560,7 +1561,7 @@ bool ReportingCacheImpl::RemoveExpiredOrStaleGroups(
 
   for (const std::string& group_name : groups_in_client_names) {
     EndpointGroupMap::iterator group_it = FindEndpointGroupIt(
-        ReportingEndpointGroupKey(client_it->second.network_isolation_key,
+        ReportingEndpointGroupKey(client_it->second.network_anonymization_key,
                                   client_it->second.origin, group_name));
     DCHECK(group_it != endpoint_groups_.end());
     const CachedReportingEndpointGroup& group = group_it->second;
@@ -1599,13 +1600,13 @@ void ReportingCacheImpl::RemoveEndpointItFromIndex(
 
 base::Value ReportingCacheImpl::GetClientAsValue(const Client& client) const {
   base::Value::Dict client_dict;
-  client_dict.Set("network_isolation_key",
-                  client.network_isolation_key.ToDebugString());
+  client_dict.Set("network_anonymization_key",
+                  client.network_anonymization_key.ToDebugString());
   client_dict.Set("origin", client.origin.Serialize());
 
   base::Value::List group_list;
   for (const std::string& group_name : client.endpoint_group_names) {
-    ReportingEndpointGroupKey group_key(client.network_isolation_key,
+    ReportingEndpointGroupKey group_key(client.network_anonymization_key,
                                         client.origin, group_name);
     const CachedReportingEndpointGroup& group = endpoint_groups_.at(group_key);
     group_list.Append(GetEndpointGroupAsValue(group));
diff --git a/chromium/net/reporting/reporting_cache_impl.h b/chromium/net/reporting/reporting_cache_impl.h
index 4ffac185bb5..63949558f79 100644
--- a/chromium/net/reporting/reporting_cache_impl.h
+++ b/chromium/net/reporting/reporting_cache_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -44,7 +44,7 @@ class ReportingCacheImpl : public ReportingCache {
 
   // ReportingCache implementation
   void AddReport(const absl::optional<base::UnguessableToken>& reporting_source,
-                 const NetworkIsolationKey& network_isolation_key,
+                 const NetworkAnonymizationKey& network_anonymization_key,
                  const GURL& url,
                  const std::string& user_agent,
                  const std::string& group_name,
@@ -84,7 +84,7 @@ class ReportingCacheImpl : public ReportingCache {
   bool IsReportPendingForTesting(const ReportingReport* report) const override;
   bool IsReportDoomedForTesting(const ReportingReport* report) const override;
   void OnParsedHeader(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       std::vector<ReportingEndpointGroup> parsed_header) override;
   void OnParsedReportingEndpointsHeader(
@@ -92,7 +92,7 @@ class ReportingCacheImpl : public ReportingCache {
       const IsolationInfo& isolation_info,
       std::vector<ReportingEndpoint> parsed_header) override;
   std::set<url::Origin> GetAllOrigins() const override;
-  void RemoveClient(const NetworkIsolationKey& network_isolation_key,
+  void RemoveClient(const NetworkAnonymizationKey& network_anonymization_key,
                     const url::Origin& origin) override;
   void RemoveClientsForOrigin(const url::Origin& origin) override;
   void RemoveAllClients() override;
@@ -118,8 +118,9 @@ class ReportingCacheImpl : public ReportingCache {
   bool EndpointGroupExistsForTesting(const ReportingEndpointGroupKey& group_key,
                                      OriginSubdomains include_subdomains,
                                      base::Time expires) const override;
-  bool ClientExistsForTesting(const NetworkIsolationKey& network_isolation_key,
-                              const url::Origin& origin) const override;
+  bool ClientExistsForTesting(
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::Origin& origin) const override;
   size_t GetEndpointGroupCountForTesting() const override;
   size_t GetClientCountForTesting() const override;
   size_t GetReportingSourceCountForTesting() const override;
@@ -139,7 +140,7 @@ class ReportingCacheImpl : public ReportingCache {
  private:
   // Represents the entire Report-To configuration for a (NIK, origin) pair.
   struct Client {
-    Client(const NetworkIsolationKey& network_isolation_key,
+    Client(const NetworkAnonymizationKey& network_anonymization_key,
            const url::Origin& origin);
 
     Client(const Client& other);
@@ -152,7 +153,7 @@ class ReportingCacheImpl : public ReportingCache {
 
     // NIK of the context associated with this client. Needed to prevent leaking
     // third party contexts across sites.
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
 
     // Origin that configured this client.
     url::Origin origin;
@@ -204,10 +205,10 @@ class ReportingCacheImpl : public ReportingCache {
                                 EndpointMap::const_iterator endpoint_it) const;
 #endif  // DCHECK_IS_ON()
 
-  // Finds iterator to the client with the given |network_isolation_key| and
+  // Finds iterator to the client with the given |network_anonymization_key| and
   // |origin|, if one exists. Returns |clients_.end()| if none is found.
   ClientMap::iterator FindClientIt(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin);
 
   // Overload that takes a ReportingEndpointGroupKey and finds the client
@@ -245,7 +246,7 @@ class ReportingCacheImpl : public ReportingCache {
   // in |groups_to_keep_names|. Does not guarantee that all the groups in
   // |groups_to_keep_names| exist in the cache for that client.
   void RemoveEndpointGroupsForClientOtherThan(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       const std::set<std::string>& groups_to_keep_names);
 
diff --git a/chromium/net/reporting/reporting_cache_observer.cc b/chromium/net/reporting/reporting_cache_observer.cc
index 4bbf45ffc35..edc3a0483a1 100644
--- a/chromium/net/reporting/reporting_cache_observer.cc
+++ b/chromium/net/reporting/reporting_cache_observer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_cache_observer.h b/chromium/net/reporting/reporting_cache_observer.h
index 13853742698..7368d814fbf 100644
--- a/chromium/net/reporting/reporting_cache_observer.h
+++ b/chromium/net/reporting/reporting_cache_observer.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_cache_unittest.cc b/chromium/net/reporting/reporting_cache_unittest.cc
index d7669ca5a40..69e9fc13b69 100644
--- a/chromium/net/reporting/reporting_cache_unittest.cc
+++ b/chromium/net/reporting/reporting_cache_unittest.cc
@@ -1,14 +1,14 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/reporting/reporting_cache.h"
 
-#include <algorithm>
 #include <string>
 #include <utility>
 
 #include "base/bind.h"
+#include "base/containers/contains.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 #include "base/test/scoped_feature_list.h"
@@ -17,7 +17,7 @@
 #include "base/time/time.h"
 #include "base/values.h"
 #include "net/base/features.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/reporting/mock_persistent_reporting_store.h"
 #include "net/reporting/reporting_cache_impl.h"
@@ -105,7 +105,7 @@ class ReportingCacheTest : public ReportingTestBase,
 
   // Adds a new report to the cache, and returns it.
   const ReportingReport* AddAndReturnReport(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const GURL& url,
       const std::string& user_agent,
       const std::string& group,
@@ -114,7 +114,7 @@ class ReportingCacheTest : public ReportingTestBase,
       int depth,
       base::TimeTicks queued,
       int attempts) {
-    const base::Value body_clone(body.Clone());
+    const base::Value::Dict body_clone(body.Clone());
 
     // The public API will only give us the (unordered) full list of reports in
     // the cache.  So we need to grab the list before we add, and the list after
@@ -122,20 +122,21 @@ class ReportingCacheTest : public ReportingTestBase,
     // in test cases, so I've optimized for readability over execution speed.
     std::vector<const ReportingReport*> before;
     cache()->GetReports(&before);
-    cache()->AddReport(absl::nullopt, network_isolation_key, url, user_agent,
-                       group, type, std::move(body), depth, queued, attempts);
+    cache()->AddReport(absl::nullopt, network_anonymization_key, url,
+                       user_agent, group, type, std::move(body), depth, queued,
+                       attempts);
     std::vector<const ReportingReport*> after;
     cache()->GetReports(&after);
 
     for (const ReportingReport* report : after) {
       // If report isn't in before, we've found the new instance.
       if (std::find(before.begin(), before.end(), report) == before.end()) {
-        EXPECT_EQ(network_isolation_key, report->network_isolation_key);
+        EXPECT_EQ(network_anonymization_key, report->network_anonymization_key);
         EXPECT_EQ(url, report->url);
         EXPECT_EQ(user_agent, report->user_agent);
         EXPECT_EQ(group, report->group);
         EXPECT_EQ(type, report->type);
-        EXPECT_EQ(body_clone, *report->body);
+        EXPECT_EQ(body_clone, report->body);
         EXPECT_EQ(depth, report->depth);
         EXPECT_EQ(queued, report->queued);
         EXPECT_EQ(attempts, report->attempts);
@@ -168,8 +169,8 @@ class ReportingCacheTest : public ReportingTestBase,
     if (exist) {
       EXPECT_EQ(endpoint1.group_key, group);
       EXPECT_EQ(endpoint2.group_key, group);
-      EXPECT_TRUE(cache()->ClientExistsForTesting(group.network_isolation_key,
-                                                  group.origin));
+      EXPECT_TRUE(cache()->ClientExistsForTesting(
+          group.network_anonymization_key, group.origin));
     }
     EXPECT_EQ(exist,
               EndpointGroupExistsInCache(group, OriginSubdomains::DEFAULT));
@@ -183,9 +184,10 @@ class ReportingCacheTest : public ReportingTestBase,
   const url::Origin kOrigin2_ = url::Origin::Create(GURL("https://origin2/"));
   const absl::optional<base::UnguessableToken> kReportingSource_ =
       base::UnguessableToken::Create();
-  const NetworkIsolationKey kNik_;
-  const NetworkIsolationKey kOtherNik_ =
-      NetworkIsolationKey(SchemefulSite(kOrigin1_), SchemefulSite(kOrigin2_));
+  const NetworkAnonymizationKey kNak_;
+  const NetworkAnonymizationKey kOtherNak_ =
+      NetworkAnonymizationKey(SchemefulSite(kOrigin1_),
+                              SchemefulSite(kOrigin2_));
   const IsolationInfo kIsolationInfo1_ =
       IsolationInfo::Create(IsolationInfo::RequestType::kOther,
                             kOrigin1_,
@@ -209,23 +211,23 @@ class ReportingCacheTest : public ReportingTestBase,
   const base::Time kExpires1_ = kNow_ + base::Days(7);
   const base::Time kExpires2_ = kExpires1_ + base::Days(7);
   // There are 2^3 = 8 of these to test the different combinations of matching
-  // vs mismatching NIK, origin, and group.
+  // vs mismatching NAK, origin, and group.
   const ReportingEndpointGroupKey kGroupKey11_ =
-      ReportingEndpointGroupKey(kNik_, kOrigin1_, kGroup1_);
+      ReportingEndpointGroupKey(kNak_, kOrigin1_, kGroup1_);
   const ReportingEndpointGroupKey kGroupKey21_ =
-      ReportingEndpointGroupKey(kNik_, kOrigin2_, kGroup1_);
+      ReportingEndpointGroupKey(kNak_, kOrigin2_, kGroup1_);
   const ReportingEndpointGroupKey kGroupKey12_ =
-      ReportingEndpointGroupKey(kNik_, kOrigin1_, kGroup2_);
+      ReportingEndpointGroupKey(kNak_, kOrigin1_, kGroup2_);
   const ReportingEndpointGroupKey kGroupKey22_ =
-      ReportingEndpointGroupKey(kNik_, kOrigin2_, kGroup2_);
+      ReportingEndpointGroupKey(kNak_, kOrigin2_, kGroup2_);
   const ReportingEndpointGroupKey kOtherGroupKey11_ =
-      ReportingEndpointGroupKey(kOtherNik_, kOrigin1_, kGroup1_);
+      ReportingEndpointGroupKey(kOtherNak_, kOrigin1_, kGroup1_);
   const ReportingEndpointGroupKey kOtherGroupKey21_ =
-      ReportingEndpointGroupKey(kOtherNik_, kOrigin2_, kGroup1_);
+      ReportingEndpointGroupKey(kOtherNak_, kOrigin2_, kGroup1_);
   const ReportingEndpointGroupKey kOtherGroupKey12_ =
-      ReportingEndpointGroupKey(kOtherNik_, kOrigin1_, kGroup2_);
+      ReportingEndpointGroupKey(kOtherNak_, kOrigin1_, kGroup2_);
   const ReportingEndpointGroupKey kOtherGroupKey22_ =
-      ReportingEndpointGroupKey(kOtherNik_, kOrigin2_, kGroup2_);
+      ReportingEndpointGroupKey(kOtherNak_, kOrigin2_, kGroup2_);
 
   TestReportingCacheObserver observer_;
   std::unique_ptr<MockPersistentReportingStore> store_;
@@ -243,7 +245,7 @@ TEST_P(ReportingCacheTest, Reports) {
   cache()->GetReports(&reports);
   EXPECT_TRUE(reports.empty());
 
-  cache()->AddReport(kReportingSource_, kNik_, kUrl1_, kUserAgent_, kGroup1_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl1_, kUserAgent_, kGroup1_,
                      kType_, base::Value::Dict(), 0, kNowTicks_, 0);
   EXPECT_EQ(1, observer()->cached_reports_update_count());
 
@@ -251,7 +253,7 @@ TEST_P(ReportingCacheTest, Reports) {
   ASSERT_EQ(1u, reports.size());
   const ReportingReport* report = reports[0];
   ASSERT_TRUE(report);
-  EXPECT_EQ(kNik_, report->network_isolation_key);
+  EXPECT_EQ(kNak_, report->network_anonymization_key);
   EXPECT_EQ(kUrl1_, report->url);
   EXPECT_EQ(kUserAgent_, report->user_agent);
   EXPECT_EQ(kGroup1_, report->group);
@@ -281,9 +283,9 @@ TEST_P(ReportingCacheTest, Reports) {
 TEST_P(ReportingCacheTest, RemoveAllReports) {
   LoadReportingClients();
 
-  cache()->AddReport(kReportingSource_, kNik_, kUrl1_, kUserAgent_, kGroup1_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl1_, kUserAgent_, kGroup1_,
                      kType_, base::Value::Dict(), 0, kNowTicks_, 0);
-  cache()->AddReport(kReportingSource_, kNik_, kUrl1_, kUserAgent_, kGroup1_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl1_, kUserAgent_, kGroup1_,
                      kType_, base::Value::Dict(), 0, kNowTicks_, 0);
   EXPECT_EQ(2, observer()->cached_reports_update_count());
 
@@ -301,7 +303,7 @@ TEST_P(ReportingCacheTest, RemoveAllReports) {
 TEST_P(ReportingCacheTest, RemovePendingReports) {
   LoadReportingClients();
 
-  cache()->AddReport(kReportingSource_, kNik_, kUrl1_, kUserAgent_, kGroup1_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl1_, kUserAgent_, kGroup1_,
                      kType_, base::Value::Dict(), 0, kNowTicks_, 0);
   EXPECT_EQ(1, observer()->cached_reports_update_count());
 
@@ -338,7 +340,7 @@ TEST_P(ReportingCacheTest, RemovePendingReports) {
 TEST_P(ReportingCacheTest, RemoveAllPendingReports) {
   LoadReportingClients();
 
-  cache()->AddReport(kReportingSource_, kNik_, kUrl1_, kUserAgent_, kGroup1_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl1_, kUserAgent_, kGroup1_,
                      kType_, base::Value::Dict(), 0, kNowTicks_, 0);
   EXPECT_EQ(1, observer()->cached_reports_update_count());
 
@@ -378,10 +380,10 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
   // We need a reproducible expiry timestamp for this test case.
   const base::TimeTicks now = base::TimeTicks();
   const ReportingReport* report1 =
-      AddAndReturnReport(kNik_, kUrl1_, kUserAgent_, kGroup1_, kType_,
+      AddAndReturnReport(kNak_, kUrl1_, kUserAgent_, kGroup1_, kType_,
                          base::Value::Dict(), 0, now + base::Seconds(200), 0);
   const ReportingReport* report2 =
-      AddAndReturnReport(kOtherNik_, kUrl1_, kUserAgent_, kGroup2_, kType_,
+      AddAndReturnReport(kOtherNak_, kUrl1_, kUserAgent_, kGroup2_, kType_,
                          base::Value::Dict(), 0, now + base::Seconds(100), 1);
   // Mark report1 and report2 as pending.
   EXPECT_THAT(cache()->GetReportsToDeliver(),
@@ -396,7 +398,7 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
         {
           "url": "https://origin1/path",
           "group": "group2",
-          "network_isolation_key": "%s",
+          "network_anonymization_key": "%s",
           "type": "default",
           "status": "doomed",
           "body": {},
@@ -407,7 +409,7 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
         {
           "url": "https://origin1/path",
           "group": "group1",
-          "network_isolation_key": "%s",
+          "network_anonymization_key": "%s",
           "type": "default",
           "status": "pending",
           "body": {},
@@ -417,15 +419,15 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
         },
       ]
       )json",
-      kOtherNik_.ToDebugString().c_str(), kNik_.ToDebugString().c_str()));
+      kOtherNak_.ToDebugString().c_str(), kNak_.ToDebugString().c_str()));
   EXPECT_EQ(expected, actual);
 
   // Add two new reports that will show up as "queued".
   const ReportingReport* report3 =
-      AddAndReturnReport(kNik_, kUrl2_, kUserAgent_, kGroup1_, kType_,
+      AddAndReturnReport(kNak_, kUrl2_, kUserAgent_, kGroup1_, kType_,
                          base::Value::Dict(), 2, now + base::Seconds(200), 0);
   const ReportingReport* report4 =
-      AddAndReturnReport(kOtherNik_, kUrl1_, kUserAgent_, kGroup1_, kType_,
+      AddAndReturnReport(kOtherNak_, kUrl1_, kUserAgent_, kGroup1_, kType_,
                          base::Value::Dict(), 0, now + base::Seconds(300), 0);
   actual = cache()->GetReportsAsValue();
   expected = base::test::ParseJson(base::StringPrintf(
@@ -434,7 +436,7 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
         {
           "url": "https://origin1/path",
           "group": "group2",
-          "network_isolation_key": "%s",
+          "network_anonymization_key": "%s",
           "type": "default",
           "status": "doomed",
           "body": {},
@@ -445,7 +447,7 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
         {
           "url": "https://origin1/path",
           "group": "group1",
-          "network_isolation_key": "%s",
+          "network_anonymization_key": "%s",
           "type": "default",
           "status": "pending",
           "body": {},
@@ -456,7 +458,7 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
         {
           "url": "https://origin2/path",
           "group": "group1",
-          "network_isolation_key": "%s",
+          "network_anonymization_key": "%s",
           "type": "default",
           "status": "queued",
           "body": {},
@@ -467,7 +469,7 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
         {
           "url": "https://origin1/path",
           "group": "group1",
-          "network_isolation_key": "%s",
+          "network_anonymization_key": "%s",
           "type": "default",
           "status": "queued",
           "body": {},
@@ -477,8 +479,8 @@ TEST_P(ReportingCacheTest, GetReportsAsValue) {
         },
       ]
       )json",
-      kOtherNik_.ToDebugString().c_str(), kNik_.ToDebugString().c_str(),
-      kNik_.ToDebugString().c_str(), kOtherNik_.ToDebugString().c_str()));
+      kOtherNak_.ToDebugString().c_str(), kNak_.ToDebugString().c_str(),
+      kNak_.ToDebugString().c_str(), kOtherNak_.ToDebugString().c_str()));
   EXPECT_EQ(expected, actual);
 
   // GetReportsToDeliver only returns the non-pending reports.
@@ -494,11 +496,11 @@ TEST_P(ReportingCacheTest, GetReportsToDeliverForSource) {
 
   // Queue a V1 report for each of these sources, and a V0 report (with a null
   // source) for the same URL.
-  cache()->AddReport(source1, kNik_, kUrl1_, kUserAgent_, kGroup1_, kType_,
+  cache()->AddReport(source1, kNak_, kUrl1_, kUserAgent_, kGroup1_, kType_,
                      base::Value::Dict(), 0, kNowTicks_, 0);
-  cache()->AddReport(source2, kNik_, kUrl1_, kUserAgent_, kGroup1_, kType_,
+  cache()->AddReport(source2, kNak_, kUrl1_, kUserAgent_, kGroup1_, kType_,
                      base::Value::Dict(), 0, kNowTicks_, 0);
-  cache()->AddReport(absl::nullopt, kNik_, kUrl1_, kUserAgent_, kGroup1_,
+  cache()->AddReport(absl::nullopt, kNak_, kUrl1_, kUserAgent_, kGroup1_,
                      kType_, base::Value::Dict(), 0, kNowTicks_, 0);
   EXPECT_EQ(3, observer()->cached_reports_update_count());
 
@@ -655,13 +657,13 @@ TEST_P(ReportingCacheTest, ClientsKeyedByEndpointGroupKey) {
   size_t client_count = 4u;
   EXPECT_EQ(client_count, cache()->GetClientCountForTesting());
 
-  // Test that Clients with different NIKs are considered different, and test
+  // Test that Clients with different NAKs are considered different, and test
   // RemoveEndpointGroup() and RemoveClient().
-  const std::pair<NetworkIsolationKey, url::Origin> kNikOriginPairs[] = {
-      {kNik_, kOrigin1_},
-      {kNik_, kOrigin2_},
-      {kOtherNik_, kOrigin1_},
-      {kOtherNik_, kOrigin2_},
+  const std::pair<NetworkAnonymizationKey, url::Origin> kNakOriginPairs[] = {
+      {kNak_, kOrigin1_},
+      {kNak_, kOrigin2_},
+      {kOtherNak_, kOrigin1_},
+      {kOtherNak_, kOrigin2_},
   };
 
   // SetEndpointInCache doesn't update store counts, which is why we start from
@@ -674,7 +676,7 @@ TEST_P(ReportingCacheTest, ClientsKeyedByEndpointGroupKey) {
   int store_remove_group_count = 0;
   int store_remove_endpoint_count = 0;
 
-  for (const auto& pair : kNikOriginPairs) {
+  for (const auto& pair : kNakOriginPairs) {
     EXPECT_TRUE(cache()->ClientExistsForTesting(pair.first, pair.second));
     ReportingEndpointGroupKey group1(pair.first, pair.second, kGroup1_);
     ReportingEndpointGroupKey group2(pair.first, pair.second, kGroup2_);
@@ -952,21 +954,21 @@ TEST_P(ReportingCacheTest, RemoveSourceAndEndpoints) {
       base::UnguessableToken::Create();
   LoadReportingClients();
 
-  NetworkIsolationKey network_isolation_key_1 =
-      kIsolationInfo1_.network_isolation_key();
-  NetworkIsolationKey network_isolation_key_2 =
-      kIsolationInfo2_.network_isolation_key();
+  NetworkAnonymizationKey network_anonymization_key_1 =
+      kIsolationInfo1_.network_anonymization_key();
+  NetworkAnonymizationKey network_anonymization_key_2 =
+      kIsolationInfo2_.network_anonymization_key();
 
   cache()->SetV1EndpointForTesting(
-      ReportingEndpointGroupKey(network_isolation_key_1, *kReportingSource_,
+      ReportingEndpointGroupKey(network_anonymization_key_1, *kReportingSource_,
                                 kOrigin1_, kGroup1_),
       *kReportingSource_, kIsolationInfo1_, kUrl1_);
   cache()->SetV1EndpointForTesting(
-      ReportingEndpointGroupKey(network_isolation_key_1, *kReportingSource_,
+      ReportingEndpointGroupKey(network_anonymization_key_1, *kReportingSource_,
                                 kOrigin1_, kGroup2_),
       *kReportingSource_, kIsolationInfo1_, kUrl2_);
   cache()->SetV1EndpointForTesting(
-      ReportingEndpointGroupKey(network_isolation_key_2, reporting_source_2,
+      ReportingEndpointGroupKey(network_anonymization_key_2, reporting_source_2,
                                 kOrigin2_, kGroup1_),
       reporting_source_2, kIsolationInfo2_, kUrl2_);
 
@@ -1019,7 +1021,7 @@ TEST_P(ReportingCacheTest, GetClientsAsValue) {
       R"json(
       [
         {
-          "network_isolation_key": "%s",
+          "network_anonymization_key": "%s",
           "origin": "https://origin1",
           "groups": [
             {
@@ -1035,7 +1037,7 @@ TEST_P(ReportingCacheTest, GetClientsAsValue) {
           ],
         },
         {
-          "network_isolation_key": "%s",
+          "network_anonymization_key": "%s",
           "origin": "https://origin2",
           "groups": [
             {
@@ -1052,7 +1054,7 @@ TEST_P(ReportingCacheTest, GetClientsAsValue) {
         },
       ]
       )json",
-      kNik_.ToDebugString().c_str(), kOtherNik_.ToDebugString().c_str()));
+      kNak_.ToDebugString().c_str(), kOtherNak_.ToDebugString().c_str()));
 
   // Compare disregarding order.
   base::Value::List& expected_list = expected.GetList();
@@ -1086,16 +1088,16 @@ TEST_P(ReportingCacheTest, GetCandidateEndpointsFromDocumentForDelivery) {
   const base::UnguessableToken reporting_source_2 =
       base::UnguessableToken::Create();
 
-  NetworkIsolationKey network_isolation_key =
-      kIsolationInfo1_.network_isolation_key();
+  NetworkAnonymizationKey network_anonymization_key =
+      kIsolationInfo1_.network_anonymization_key();
   const ReportingEndpointGroupKey document_group_key_1 =
-      ReportingEndpointGroupKey(network_isolation_key, reporting_source_1,
+      ReportingEndpointGroupKey(network_anonymization_key, reporting_source_1,
                                 kOrigin1_, kGroup1_);
   const ReportingEndpointGroupKey document_group_key_2 =
-      ReportingEndpointGroupKey(network_isolation_key, reporting_source_1,
+      ReportingEndpointGroupKey(network_anonymization_key, reporting_source_1,
                                 kOrigin1_, kGroup2_);
   const ReportingEndpointGroupKey document_group_key_3 =
-      ReportingEndpointGroupKey(network_isolation_key, reporting_source_2,
+      ReportingEndpointGroupKey(network_anonymization_key, reporting_source_2,
                                 kOrigin1_, kGroup1_);
 
   SetV1EndpointInCache(document_group_key_1, reporting_source_1,
@@ -1105,7 +1107,7 @@ TEST_P(ReportingCacheTest, GetCandidateEndpointsFromDocumentForDelivery) {
   SetV1EndpointInCache(document_group_key_3, reporting_source_2,
                        kIsolationInfo1_, kEndpoint1_);
   const ReportingEndpointGroupKey kReportGroupKey = ReportingEndpointGroupKey(
-      network_isolation_key, reporting_source_1, kOrigin1_, kGroup1_);
+      network_anonymization_key, reporting_source_1, kOrigin1_, kGroup1_);
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(kReportGroupKey);
   ASSERT_EQ(1u, candidate_endpoints.size());
@@ -1118,17 +1120,17 @@ TEST_P(ReportingCacheTest, GetCandidateEndpointsFromDocumentForNetworkReports) {
   const base::UnguessableToken reporting_source =
       base::UnguessableToken::Create();
 
-  NetworkIsolationKey network_isolation_key =
-      kIsolationInfo1_.network_isolation_key();
+  NetworkAnonymizationKey network_anonymization_key =
+      kIsolationInfo1_.network_anonymization_key();
 
   const ReportingEndpointGroupKey kDocumentGroupKey = ReportingEndpointGroupKey(
-      network_isolation_key, reporting_source, kOrigin1_, kGroup1_);
+      network_anonymization_key, reporting_source, kOrigin1_, kGroup1_);
 
   SetV1EndpointInCache(kDocumentGroupKey, reporting_source, kIsolationInfo1_,
                        kEndpoint1_);
   const ReportingEndpointGroupKey kNetworkReportGroupKey =
-      ReportingEndpointGroupKey(network_isolation_key, absl::nullopt, kOrigin1_,
-                                kGroup1_);
+      ReportingEndpointGroupKey(network_anonymization_key, absl::nullopt,
+                                kOrigin1_, kGroup1_);
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(kNetworkReportGroupKey);
   ASSERT_EQ(0u, candidate_endpoints.size());
@@ -1140,16 +1142,16 @@ TEST_P(ReportingCacheTest, GetCandidateEndpointsFromDifferentDocument) {
   const base::UnguessableToken reporting_source =
       base::UnguessableToken::Create();
 
-  NetworkIsolationKey network_isolation_key =
-      kIsolationInfo1_.network_isolation_key();
+  NetworkAnonymizationKey network_anonymization_key =
+      kIsolationInfo1_.network_anonymization_key();
 
   const ReportingEndpointGroupKey kDocumentGroupKey = ReportingEndpointGroupKey(
-      network_isolation_key, reporting_source, kOrigin1_, kGroup1_);
+      network_anonymization_key, reporting_source, kOrigin1_, kGroup1_);
 
   SetV1EndpointInCache(kDocumentGroupKey, reporting_source, kIsolationInfo1_,
                        kEndpoint1_);
   const ReportingEndpointGroupKey kOtherGroupKey = ReportingEndpointGroupKey(
-      network_isolation_key, base::UnguessableToken::Create(), kOrigin1_,
+      network_anonymization_key, base::UnguessableToken::Create(), kOrigin1_,
       kGroup1_);
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(kOtherGroupKey);
@@ -1163,12 +1165,12 @@ TEST_P(ReportingCacheTest, GetCandidateEndpointsFromDifferentDocument) {
 TEST_P(ReportingCacheTest, GetMixedCandidateEndpointsForDelivery) {
   LoadReportingClients();
 
-  // This test relies on proper NIKs being used, so set those up, and endpoint
+  // This test relies on proper NAKs being used, so set those up, and endpoint
   // group keys to go with them.
-  NetworkIsolationKey network_isolation_key1 =
-      kIsolationInfo1_.network_isolation_key();
-  NetworkIsolationKey network_isolation_key2 =
-      kIsolationInfo2_.network_isolation_key();
+  NetworkAnonymizationKey network_isolation_key1 =
+      kIsolationInfo1_.network_anonymization_key();
+  NetworkAnonymizationKey network_isolation_key2 =
+      kIsolationInfo2_.network_anonymization_key();
   ReportingEndpointGroupKey group_key_11 =
       ReportingEndpointGroupKey(network_isolation_key1, kOrigin1_, kGroup1_);
   ReportingEndpointGroupKey group_key_12 =
@@ -1183,8 +1185,8 @@ TEST_P(ReportingCacheTest, GetMixedCandidateEndpointsForDelivery) {
   ASSERT_TRUE(SetEndpointInCache(group_key_21, kEndpoint1_, kExpires1_));
 
   // Set up a V1 endpoint for a document at the same origin.
-  NetworkIsolationKey network_isolation_key =
-      kIsolationInfo1_.network_isolation_key();
+  NetworkAnonymizationKey network_anonymization_key =
+      kIsolationInfo1_.network_anonymization_key();
   const base::UnguessableToken reporting_source =
       base::UnguessableToken::Create();
   const ReportingEndpointGroupKey document_group_key =
@@ -1219,11 +1221,11 @@ TEST_P(ReportingCacheTest, GetMixedCandidateEndpointsForDelivery) {
   EXPECT_EQ(group_key_12, candidate_endpoints[0].group_key);
 }
 
-TEST_P(ReportingCacheTest, GetCandidateEndpointsDifferentNik) {
+TEST_P(ReportingCacheTest, GetCandidateEndpointsDifferentNak) {
   LoadReportingClients();
 
-  // Test that NIKs are respected by using 2 groups with the same origin and
-  // group name but different NIKs.
+  // Test that NAKs are respected by using 2 groups with the same origin and
+  // group name but different NAKs.
   ASSERT_TRUE(SetEndpointInCache(kGroupKey11_, kEndpoint1_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kGroupKey11_, kEndpoint2_, kExpires1_));
   ASSERT_TRUE(SetEndpointInCache(kOtherGroupKey11_, kEndpoint1_, kExpires1_));
@@ -1274,12 +1276,12 @@ TEST_P(ReportingCacheTest, ExcludeSubdomainsDifferentPort) {
       url::Origin::Create(GURL("https://example:444/"));
 
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kNik_, kDifferentPortOrigin, kGroup1_),
+      ReportingEndpointGroupKey(kNak_, kDifferentPortOrigin, kGroup1_),
       kEndpoint1_, kExpires1_, OriginSubdomains::EXCLUDE));
 
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(
-          ReportingEndpointGroupKey(kNik_, kOrigin, kGroup1_));
+          ReportingEndpointGroupKey(kNak_, kOrigin, kGroup1_));
   ASSERT_EQ(0u, candidate_endpoints.size());
 }
 
@@ -1291,12 +1293,12 @@ TEST_P(ReportingCacheTest, ExcludeSubdomainsSuperdomain) {
       url::Origin::Create(GURL("https://example/"));
 
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kNik_, kSuperOrigin, kGroup1_), kEndpoint1_,
+      ReportingEndpointGroupKey(kNak_, kSuperOrigin, kGroup1_), kEndpoint1_,
       kExpires1_, OriginSubdomains::EXCLUDE));
 
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(
-          ReportingEndpointGroupKey(kNik_, kOrigin, kGroup1_));
+          ReportingEndpointGroupKey(kNak_, kOrigin, kGroup1_));
   ASSERT_EQ(0u, candidate_endpoints.size());
 }
 
@@ -1308,12 +1310,12 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsDifferentPort) {
       url::Origin::Create(GURL("https://example:444/"));
 
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kNik_, kDifferentPortOrigin, kGroup1_),
+      ReportingEndpointGroupKey(kNak_, kDifferentPortOrigin, kGroup1_),
       kEndpoint1_, kExpires1_, OriginSubdomains::INCLUDE));
 
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(
-          ReportingEndpointGroupKey(kNik_, kOrigin, kGroup1_));
+          ReportingEndpointGroupKey(kNak_, kOrigin, kGroup1_));
   ASSERT_EQ(1u, candidate_endpoints.size());
   EXPECT_EQ(kDifferentPortOrigin, candidate_endpoints[0].group_key.origin);
 }
@@ -1326,12 +1328,12 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsSuperdomain) {
       url::Origin::Create(GURL("https://example/"));
 
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kNik_, kSuperOrigin, kGroup1_), kEndpoint1_,
+      ReportingEndpointGroupKey(kNak_, kSuperOrigin, kGroup1_), kEndpoint1_,
       kExpires1_, OriginSubdomains::INCLUDE));
 
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(
-          ReportingEndpointGroupKey(kNik_, kOrigin, kGroup1_));
+          ReportingEndpointGroupKey(kNak_, kOrigin, kGroup1_));
   ASSERT_EQ(1u, candidate_endpoints.size());
   EXPECT_EQ(kSuperOrigin, candidate_endpoints[0].group_key.origin);
 }
@@ -1344,15 +1346,15 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsPreferOriginToDifferentPort) {
       url::Origin::Create(GURL("https://example:444/"));
 
   ASSERT_TRUE(
-      SetEndpointInCache(ReportingEndpointGroupKey(kNik_, kOrigin, kGroup1_),
+      SetEndpointInCache(ReportingEndpointGroupKey(kNak_, kOrigin, kGroup1_),
                          kEndpoint1_, kExpires1_, OriginSubdomains::INCLUDE));
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kNik_, kDifferentPortOrigin, kGroup1_),
+      ReportingEndpointGroupKey(kNak_, kDifferentPortOrigin, kGroup1_),
       kEndpoint1_, kExpires1_, OriginSubdomains::INCLUDE));
 
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(
-          ReportingEndpointGroupKey(kNik_, kOrigin, kGroup1_));
+          ReportingEndpointGroupKey(kNak_, kOrigin, kGroup1_));
   ASSERT_EQ(1u, candidate_endpoints.size());
   EXPECT_EQ(kOrigin, candidate_endpoints[0].group_key.origin);
 }
@@ -1365,15 +1367,15 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsPreferOriginToSuperdomain) {
       url::Origin::Create(GURL("https://example/"));
 
   ASSERT_TRUE(
-      SetEndpointInCache(ReportingEndpointGroupKey(kNik_, kOrigin, kGroup1_),
+      SetEndpointInCache(ReportingEndpointGroupKey(kNak_, kOrigin, kGroup1_),
                          kEndpoint1_, kExpires1_, OriginSubdomains::INCLUDE));
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kNik_, kSuperOrigin, kGroup1_), kEndpoint1_,
+      ReportingEndpointGroupKey(kNak_, kSuperOrigin, kGroup1_), kEndpoint1_,
       kExpires1_, OriginSubdomains::INCLUDE));
 
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(
-          ReportingEndpointGroupKey(kNik_, kOrigin, kGroup1_));
+          ReportingEndpointGroupKey(kNak_, kOrigin, kGroup1_));
   ASSERT_EQ(1u, candidate_endpoints.size());
   EXPECT_EQ(kOrigin, candidate_endpoints[0].group_key.origin);
 }
@@ -1389,20 +1391,20 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsPreferMoreSpecificSuperdomain) {
       url::Origin::Create(GURL("https://example/"));
 
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kNik_, kSuperOrigin, kGroup1_), kEndpoint1_,
+      ReportingEndpointGroupKey(kNak_, kSuperOrigin, kGroup1_), kEndpoint1_,
       kExpires1_, OriginSubdomains::INCLUDE));
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kNik_, kSuperSuperOrigin, kGroup1_),
+      ReportingEndpointGroupKey(kNak_, kSuperSuperOrigin, kGroup1_),
       kEndpoint1_, kExpires1_, OriginSubdomains::INCLUDE));
 
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(
-          ReportingEndpointGroupKey(kNik_, kOrigin, kGroup1_));
+          ReportingEndpointGroupKey(kNak_, kOrigin, kGroup1_));
   ASSERT_EQ(1u, candidate_endpoints.size());
   EXPECT_EQ(kSuperOrigin, candidate_endpoints[0].group_key.origin);
 }
 
-TEST_P(ReportingCacheTest, IncludeSubdomainsPreserveNik) {
+TEST_P(ReportingCacheTest, IncludeSubdomainsPreserveNak) {
   LoadReportingClients();
 
   const url::Origin kOrigin = url::Origin::Create(GURL("https://foo.example/"));
@@ -1410,17 +1412,18 @@ TEST_P(ReportingCacheTest, IncludeSubdomainsPreserveNik) {
       url::Origin::Create(GURL("https://example/"));
 
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kNik_, kSuperOrigin, kGroup1_), kEndpoint1_,
+      ReportingEndpointGroupKey(kNak_, kSuperOrigin, kGroup1_), kEndpoint1_,
       kExpires1_, OriginSubdomains::INCLUDE));
   ASSERT_TRUE(SetEndpointInCache(
-      ReportingEndpointGroupKey(kOtherNik_, kSuperOrigin, kGroup1_),
+      ReportingEndpointGroupKey(kOtherNak_, kSuperOrigin, kGroup1_),
       kEndpoint1_, kExpires1_, OriginSubdomains::INCLUDE));
 
   std::vector<ReportingEndpoint> candidate_endpoints =
       cache()->GetCandidateEndpointsForDelivery(
-          ReportingEndpointGroupKey(kOtherNik_, kOrigin, kGroup1_));
+          ReportingEndpointGroupKey(kOtherNak_, kOrigin, kGroup1_));
   ASSERT_EQ(1u, candidate_endpoints.size());
-  EXPECT_EQ(kOtherNik_, candidate_endpoints[0].group_key.network_isolation_key);
+  EXPECT_EQ(kOtherNak_,
+            candidate_endpoints[0].group_key.network_anonymization_key);
 }
 
 TEST_P(ReportingCacheTest, EvictOldestReport) {
@@ -1435,7 +1438,7 @@ TEST_P(ReportingCacheTest, EvictOldestReport) {
 
   // Enqueue the maximum number of reports, spaced apart in time.
   for (size_t i = 0; i < max_report_count; ++i) {
-    cache()->AddReport(kReportingSource_, kNik_, kUrl1_, kUserAgent_, kGroup1_,
+    cache()->AddReport(kReportingSource_, kNak_, kUrl1_, kUserAgent_, kGroup1_,
                        kType_, base::Value::Dict(), 0, tick_clock()->NowTicks(),
                        0);
     tick_clock()->Advance(base::Minutes(1));
@@ -1443,7 +1446,7 @@ TEST_P(ReportingCacheTest, EvictOldestReport) {
   EXPECT_EQ(max_report_count, report_count());
 
   // Add one more report to force the cache to evict one.
-  cache()->AddReport(kReportingSource_, kNik_, kUrl1_, kUserAgent_, kGroup1_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl1_, kUserAgent_, kGroup1_,
                      kType_, base::Value::Dict(), 0, tick_clock()->NowTicks(),
                      0);
 
@@ -1467,7 +1470,7 @@ TEST_P(ReportingCacheTest, DontEvictPendingReports) {
   // Enqueue the maximum number of reports, spaced apart in time.
   std::vector<const ReportingReport*> reports;
   for (size_t i = 0; i < max_report_count; ++i) {
-    reports.push_back(AddAndReturnReport(kNik_, kUrl1_, kUserAgent_, kGroup1_,
+    reports.push_back(AddAndReturnReport(kNak_, kUrl1_, kUserAgent_, kGroup1_,
                                          kType_, base::Value::Dict(), 0,
                                          tick_clock()->NowTicks(), 0));
     tick_clock()->Advance(base::Minutes(1));
@@ -1480,7 +1483,7 @@ TEST_P(ReportingCacheTest, DontEvictPendingReports) {
 
   // Add one more report to force the cache to evict one. Since the cache has
   // only pending reports, it will be forced to evict the *new* report!
-  cache()->AddReport(kReportingSource_, kNik_, kUrl1_, kUserAgent_, kGroup1_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl1_, kUserAgent_, kGroup1_,
                      kType_, base::Value::Dict(), 0, kNowTicks_, 0);
 
   // Make sure the cache evicted a report, and make sure the report evicted was
@@ -1562,7 +1565,7 @@ TEST_P(ReportingCacheTest, EvictFromStalestGroup) {
   LoadReportingClients();
 
   for (size_t i = 0; i < policy().max_endpoints_per_origin; ++i) {
-    ReportingEndpointGroupKey group_key(kNik_, kOrigin1_,
+    ReportingEndpointGroupKey group_key(kNak_, kOrigin1_,
                                         base::NumberToString(i));
     ASSERT_TRUE(SetEndpointInCache(group_key, MakeURL(i), kExpires1_));
     EXPECT_EQ(i + 1, cache()->GetEndpointCount());
@@ -1581,12 +1584,12 @@ TEST_P(ReportingCacheTest, EvictFromStalestGroup) {
   EXPECT_GE(policy().max_endpoints_per_origin, cache()->GetEndpointCount());
   EXPECT_TRUE(ClientExistsInCacheForOrigin(kOrigin1_));
   EXPECT_FALSE(EndpointGroupExistsInCache(
-      ReportingEndpointGroupKey(kNik_, kOrigin1_, "0"),
+      ReportingEndpointGroupKey(kNak_, kOrigin1_, "0"),
       OriginSubdomains::DEFAULT));
   EXPECT_TRUE(
       EndpointGroupExistsInCache(kGroupKey12_, OriginSubdomains::DEFAULT));
   for (size_t i = 1; i < policy().max_endpoints_per_origin; ++i) {
-    ReportingEndpointGroupKey group_key(kNik_, kOrigin1_,
+    ReportingEndpointGroupKey group_key(kNak_, kOrigin1_,
                                         base::NumberToString(i));
     EXPECT_TRUE(
         EndpointGroupExistsInCache(group_key, OriginSubdomains::DEFAULT));
@@ -1606,7 +1609,7 @@ TEST_P(ReportingCacheTest, EvictFromLargestGroup) {
 
   // Insert one more endpoint in a different group; eviction should be
   // triggered.
-  SetEndpointInCache(ReportingEndpointGroupKey(kNik_, kOrigin1_, "default"),
+  SetEndpointInCache(ReportingEndpointGroupKey(kNak_, kOrigin1_, "default"),
                      kEndpoint1_, kExpires1_);
   EXPECT_EQ(policy().max_endpoints_per_origin, cache()->GetEndpointCount());
 
@@ -1649,12 +1652,21 @@ TEST_P(ReportingCacheTest, EvictLeastImportantEndpoint) {
   EXPECT_TRUE(FindEndpointInCache(kGroupKey12_, kEndpoint1_));
 }
 
-TEST_P(ReportingCacheTest, EvictEndpointsOverGlobalLimitFromStalestClient) {
+// Test is flaky on Linux (https://crbug.com/1358967)
+#if BUILDFLAG(IS_LINUX)
+#define MAYBE_EvictEndpointsOverGlobalLimitFromStalestClient \
+  DISABLED_EvictEndpointsOverGlobalLimitFromStalestClient
+#else
+#define MAYBE_EvictEndpointsOverGlobalLimitFromStalestClient \
+  EvictEndpointsOverGlobalLimitFromStalestClient
+#endif
+TEST_P(ReportingCacheTest,
+       MAYBE_EvictEndpointsOverGlobalLimitFromStalestClient) {
   LoadReportingClients();
 
   // Set enough endpoints to reach the global endpoint limit.
   for (size_t i = 0; i < policy().max_endpoint_count; ++i) {
-    ReportingEndpointGroupKey group_key(kNik_, url::Origin::Create(MakeURL(i)),
+    ReportingEndpointGroupKey group_key(kNak_, url::Origin::Create(MakeURL(i)),
                                         kGroup1_);
     ASSERT_TRUE(SetEndpointInCache(group_key, MakeURL(i), kExpires1_));
     EXPECT_EQ(i + 1, cache()->GetEndpointCount());
@@ -1719,13 +1731,14 @@ TEST_P(ReportingCacheTest, AddClientsLoadedFromStore) {
   EXPECT_TRUE(ClientExistsInCacheForOrigin(kOrigin2_));
 }
 
-TEST_P(ReportingCacheTest, AddStoredClientsWithDifferentNetworkIsolationKeys) {
+TEST_P(ReportingCacheTest,
+       AddStoredClientsWithDifferentNetworkAnonymizationKeys) {
   if (!store())
     return;
 
   base::Time now = clock()->Now();
 
-  // This should create 4 different clients, for (2 origins) x (2 NIKs).
+  // This should create 4 different clients, for (2 origins) x (2 NAKs).
   // Intentionally in a weird order to check sorting.
   std::vector<ReportingEndpoint> endpoints;
   endpoints.emplace_back(kGroupKey11_,
@@ -1766,13 +1779,13 @@ TEST_P(ReportingCacheTest, AddStoredClientsWithDifferentNetworkIsolationKeys) {
   EXPECT_TRUE(
       EndpointGroupExistsInCache(kOtherGroupKey21_, OriginSubdomains::DEFAULT));
   EXPECT_TRUE(cache()->ClientExistsForTesting(
-      kGroupKey11_.network_isolation_key, kGroupKey11_.origin));
+      kGroupKey11_.network_anonymization_key, kGroupKey11_.origin));
   EXPECT_TRUE(cache()->ClientExistsForTesting(
-      kGroupKey21_.network_isolation_key, kGroupKey21_.origin));
+      kGroupKey21_.network_anonymization_key, kGroupKey21_.origin));
   EXPECT_TRUE(cache()->ClientExistsForTesting(
-      kOtherGroupKey11_.network_isolation_key, kOtherGroupKey11_.origin));
+      kOtherGroupKey11_.network_anonymization_key, kOtherGroupKey11_.origin));
   EXPECT_TRUE(cache()->ClientExistsForTesting(
-      kOtherGroupKey21_.network_isolation_key, kOtherGroupKey21_.origin));
+      kOtherGroupKey21_.network_anonymization_key, kOtherGroupKey21_.origin));
 }
 
 TEST_P(ReportingCacheTest, DoNotStoreMoreThanLimits) {
@@ -1840,7 +1853,7 @@ TEST_P(ReportingCacheTest, DoNotLoadMismatchedGroupsAndEndpoints) {
   groups.emplace_back(kGroupKey21_, OriginSubdomains::DEFAULT,
                       now /* expires */, now /* last_used */);
   // This endpoint group has no corresponding endpoint
-  groups.emplace_back(ReportingEndpointGroupKey(kNik_, kOrigin2_, "last_group"),
+  groups.emplace_back(ReportingEndpointGroupKey(kNak_, kOrigin2_, "last_group"),
                       OriginSubdomains::DEFAULT, now /* expires */,
                       now /* last_used */);
   store()->SetPrestoredClients(endpoints, groups);
@@ -1874,10 +1887,10 @@ TEST_P(ReportingCacheTest, StoreLastUsedProperly) {
 
   // We need more than three endpoints to trigger eviction.
   std::vector<ReportingEndpoint> endpoints;
-  ReportingEndpointGroupKey group1(kNik_, kOrigin1_, "1");
-  ReportingEndpointGroupKey group2(kNik_, kOrigin1_, "2");
-  ReportingEndpointGroupKey group3(kNik_, kOrigin1_, "3");
-  ReportingEndpointGroupKey group4(kNik_, kOrigin1_, "4");
+  ReportingEndpointGroupKey group1(kNak_, kOrigin1_, "1");
+  ReportingEndpointGroupKey group2(kNak_, kOrigin1_, "2");
+  ReportingEndpointGroupKey group3(kNak_, kOrigin1_, "3");
+  ReportingEndpointGroupKey group4(kNak_, kOrigin1_, "4");
   endpoints.emplace_back(group1, ReportingEndpoint::EndpointInfo{kEndpoint1_});
   endpoints.emplace_back(group2, ReportingEndpoint::EndpointInfo{kEndpoint1_});
   endpoints.emplace_back(group3, ReportingEndpoint::EndpointInfo{kEndpoint1_});
@@ -1942,8 +1955,8 @@ TEST_P(ReportingCacheTest, DoNotAddDuplicatedEntriesFromStore) {
 TEST_P(ReportingCacheTest, GetIsolationInfoForEndpoint) {
   LoadReportingClients();
 
-  NetworkIsolationKey network_isolation_key1 =
-      kIsolationInfo1_.network_isolation_key();
+  NetworkAnonymizationKey network_isolation_key1 =
+      kIsolationInfo1_.network_anonymization_key();
 
   // Set up a V1 endpoint for this origin.
   cache()->SetV1EndpointForTesting(
@@ -1967,7 +1980,7 @@ TEST_P(ReportingCacheTest, GetIsolationInfoForEndpoint) {
   EXPECT_EQ(isolation_info_for_document.request_type(),
             IsolationInfo::RequestType::kOther);
 
-  // For a V0 endpoint, ensure that site_for_cookies is null and that the NIK
+  // For a V0 endpoint, ensure that site_for_cookies is null and that the NAK
   // matches the cached endpoint.
   ReportingEndpoint network_endpoint =
       cache()->GetEndpointForTesting(group_key_11, kEndpoint1_);
@@ -1976,8 +1989,8 @@ TEST_P(ReportingCacheTest, GetIsolationInfoForEndpoint) {
       cache()->GetIsolationInfoForEndpoint(network_endpoint);
   EXPECT_EQ(isolation_info_for_network.request_type(),
             IsolationInfo::RequestType::kOther);
-  EXPECT_EQ(isolation_info_for_network.network_isolation_key(),
-            network_endpoint.group_key.network_isolation_key);
+  EXPECT_EQ(isolation_info_for_network.network_anonymization_key(),
+            network_endpoint.group_key.network_anonymization_key);
   EXPECT_TRUE(isolation_info_for_network.site_for_cookies().IsNull());
 }
 
@@ -1986,22 +1999,22 @@ TEST_P(ReportingCacheTest, GetV1ReportingEndpointsForOrigin) {
       base::UnguessableToken::Create();
   LoadReportingClients();
 
-  NetworkIsolationKey network_isolation_key_1 =
-      kIsolationInfo1_.network_isolation_key();
-  NetworkIsolationKey network_isolation_key_2 =
-      kIsolationInfo2_.network_isolation_key();
+  NetworkAnonymizationKey network_anonymization_key_1 =
+      kIsolationInfo1_.network_anonymization_key();
+  NetworkAnonymizationKey network_anonymization_key_2 =
+      kIsolationInfo2_.network_anonymization_key();
 
   // Store endpoints from different origins in cache
   cache()->SetV1EndpointForTesting(
-      ReportingEndpointGroupKey(network_isolation_key_1, *kReportingSource_,
+      ReportingEndpointGroupKey(network_anonymization_key_1, *kReportingSource_,
                                 kOrigin1_, kGroup1_),
       *kReportingSource_, kIsolationInfo1_, kUrl1_);
   cache()->SetV1EndpointForTesting(
-      ReportingEndpointGroupKey(network_isolation_key_1, *kReportingSource_,
+      ReportingEndpointGroupKey(network_anonymization_key_1, *kReportingSource_,
                                 kOrigin1_, kGroup2_),
       *kReportingSource_, kIsolationInfo1_, kUrl2_);
   cache()->SetV1EndpointForTesting(
-      ReportingEndpointGroupKey(network_isolation_key_2, reporting_source_2,
+      ReportingEndpointGroupKey(network_anonymization_key_2, reporting_source_2,
                                 kOrigin2_, kGroup1_),
       reporting_source_2, kIsolationInfo2_, kUrl2_);
 
@@ -2010,17 +2023,17 @@ TEST_P(ReportingCacheTest, GetV1ReportingEndpointsForOrigin) {
   EXPECT_EQ(2u, endpoints.size());
   auto origin_1_endpoints = endpoints.at(kOrigin1_);
   EXPECT_EQ(2u, origin_1_endpoints.size());
-  EXPECT_EQ(ReportingEndpointGroupKey(network_isolation_key_1,
+  EXPECT_EQ(ReportingEndpointGroupKey(network_anonymization_key_1,
                                       *kReportingSource_, kOrigin1_, kGroup1_),
             origin_1_endpoints[0].group_key);
   EXPECT_EQ(kUrl1_, origin_1_endpoints[0].info.url);
-  EXPECT_EQ(ReportingEndpointGroupKey(network_isolation_key_1,
+  EXPECT_EQ(ReportingEndpointGroupKey(network_anonymization_key_1,
                                       *kReportingSource_, kOrigin1_, kGroup2_),
             origin_1_endpoints[1].group_key);
   EXPECT_EQ(kUrl2_, origin_1_endpoints[1].info.url);
   auto origin_2_endpoints = endpoints.at(kOrigin2_);
   EXPECT_EQ(1u, origin_2_endpoints.size());
-  EXPECT_EQ(ReportingEndpointGroupKey(network_isolation_key_2,
+  EXPECT_EQ(ReportingEndpointGroupKey(network_anonymization_key_2,
                                       reporting_source_2, kOrigin2_, kGroup1_),
             origin_2_endpoints[0].group_key);
   EXPECT_EQ(kUrl2_, origin_2_endpoints[0].info.url);
diff --git a/chromium/net/reporting/reporting_context.cc b/chromium/net/reporting/reporting_context.cc
index c33b42dda94..1867ac1c9e9 100644
--- a/chromium/net/reporting/reporting_context.cc
+++ b/chromium/net/reporting/reporting_context.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_context.h b/chromium/net/reporting/reporting_context.h
index 7ec3eb5f241..3f8eb962013 100644
--- a/chromium/net/reporting/reporting_context.h
+++ b/chromium/net/reporting/reporting_context.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_delegate.cc b/chromium/net/reporting/reporting_delegate.cc
index e2f676d4b6c..1b828cac578 100644
--- a/chromium/net/reporting/reporting_delegate.cc
+++ b/chromium/net/reporting/reporting_delegate.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_delegate.h b/chromium/net/reporting/reporting_delegate.h
index 1a2ff9e67eb..665f1c63e88 100644
--- a/chromium/net/reporting/reporting_delegate.h
+++ b/chromium/net/reporting/reporting_delegate.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_delivery_agent.cc b/chromium/net/reporting/reporting_delivery_agent.cc
index 149681a8949..529653bfdc5 100644
--- a/chromium/net/reporting/reporting_delivery_agent.cc
+++ b/chromium/net/reporting/reporting_delivery_agent.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -22,7 +22,7 @@
 #include "base/timer/timer.h"
 #include "base/values.h"
 #include "net/base/isolation_info.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/url_util.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_cache_observer.h"
@@ -57,7 +57,7 @@ std::string SerializeReports(const ReportList& reports, base::TimeTicks now) {
     report_value.Set("type", report->type);
     report_value.Set("url", report->url.spec());
     report_value.Set("user_agent", report->user_agent);
-    report_value.Set("body", report->body->Clone());
+    report_value.Set("body", report->body.Clone());
 
     reports_value.Append(std::move(report_value));
   }
@@ -86,23 +86,24 @@ class Delivery {
   // to the same endpoint URL.
   // |isolation_info| is the IsolationInfo struct associated with the reporting
   // endpoint, and is used to determine appropriate credentials for the upload.
-  // |network_isolation_key| is the NIK from the ReportingEndpoint, which may
-  // have been cleared in the ReportingService if reports are not being
+  // |network_anonymization_key| is the NIK from the ReportingEndpoint, which
+  // may have been cleared in the ReportingService if reports are not being
   // partitioned by NIK. (This is why a separate parameter is used here, rather
   // than simply using the computed NIK from |isolation_info|.)
   struct Target {
     Target(const IsolationInfo& isolation_info,
-           const NetworkIsolationKey& network_isolation_key,
+           const NetworkAnonymizationKey& network_anonymization_key,
            const url::Origin& origin,
            const GURL& endpoint_url,
            const absl::optional<base::UnguessableToken> reporting_source)
         : isolation_info(isolation_info),
-          network_isolation_key(network_isolation_key),
+          network_anonymization_key(network_anonymization_key),
           origin(origin),
           endpoint_url(endpoint_url),
           reporting_source(reporting_source) {
-      DCHECK(network_isolation_key.IsEmpty() ||
-             network_isolation_key == isolation_info.network_isolation_key());
+      DCHECK(network_anonymization_key.IsEmpty() ||
+             network_anonymization_key ==
+                 isolation_info.network_anonymization_key());
     }
 
     ~Target() = default;
@@ -111,14 +112,14 @@ class Delivery {
       // Note that sorting by NIK here is required for V0 reports; V1 reports
       // should not need this (but it doesn't hurt). We can remove that as a
       // comparison key when V0 reporting endpoints are removed.
-      return std::tie(network_isolation_key, origin, endpoint_url,
+      return std::tie(network_anonymization_key, origin, endpoint_url,
                       reporting_source) <
-             std::tie(other.network_isolation_key, other.origin,
+             std::tie(other.network_anonymization_key, other.origin,
                       other.endpoint_url, other.reporting_source);
     }
 
     IsolationInfo isolation_info;
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
     url::Origin origin;
     GURL endpoint_url;
     absl::optional<base::UnguessableToken> reporting_source;
@@ -135,12 +136,13 @@ class Delivery {
                   const ReportList::const_iterator reports_begin,
                   const ReportList::const_iterator reports_end) {
     DCHECK(reports_begin != reports_end);
-    DCHECK(endpoint.group_key.network_isolation_key == network_isolation_key());
+    DCHECK(endpoint.group_key.network_anonymization_key ==
+           network_anonymization_key());
     DCHECK(IsSubdomainOf(target_.origin.host() /* subdomain */,
                          endpoint.group_key.origin.host() /* superdomain */));
     for (auto it = reports_begin; it != reports_end; ++it) {
       DCHECK_EQ((*reports_begin)->GetGroupKey(), (*it)->GetGroupKey());
-      DCHECK((*it)->network_isolation_key == network_isolation_key());
+      DCHECK((*it)->network_anonymization_key == network_anonymization_key());
       DCHECK_EQ(url::Origin::Create((*it)->url), target_.origin);
       DCHECK_EQ((*it)->group, endpoint.group_key.group_name);
       // Report origin is equal to, or a subdomain of, the endpoint
@@ -177,8 +179,8 @@ class Delivery {
     }
   }
 
-  const NetworkIsolationKey& network_isolation_key() const {
-    return target_.network_isolation_key;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return target_.network_anonymization_key;
   }
   const GURL& endpoint_url() const { return target_.endpoint_url; }
   const ReportList& reports() const { return reports_; }
@@ -321,7 +323,7 @@ class ReportingDeliveryAgentImpl : public ReportingDeliveryAgent,
 
       // Add the reports to the appropriate delivery.
       Delivery::Target target(isolation_info,
-                              report_group_key.network_isolation_key,
+                              report_group_key.network_anonymization_key,
                               report_group_key.origin, endpoint.info.url,
                               endpoint.group_key.reporting_source);
       auto delivery_it = deliveries.find(target);
@@ -373,7 +375,8 @@ class ReportingDeliveryAgentImpl : public ReportingDeliveryAgent,
     delivery->ProcessOutcome(cache(), success);
 
     endpoint_manager_->InformOfEndpointRequest(
-        delivery->network_isolation_key(), delivery->endpoint_url(), success);
+        delivery->network_anonymization_key(), delivery->endpoint_url(),
+        success);
 
     // TODO(chlily): This leaks information across NIKs. If the endpoint URL is
     // configured for both NIK1 and NIK2, and it responds with a 410 on a NIK1
diff --git a/chromium/net/reporting/reporting_delivery_agent.h b/chromium/net/reporting/reporting_delivery_agent.h
index 613219374e0..470be91c08a 100644
--- a/chromium/net/reporting/reporting_delivery_agent.h
+++ b/chromium/net/reporting/reporting_delivery_agent.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_delivery_agent_unittest.cc b/chromium/net/reporting/reporting_delivery_agent_unittest.cc
index 5042b35284f..14c0649feb7 100644
--- a/chromium/net/reporting/reporting_delivery_agent_unittest.cc
+++ b/chromium/net/reporting/reporting_delivery_agent_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@
 #include "net/base/backoff_entry.h"
 #include "net/base/features.h"
 #include "net/base/isolation_info.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_report.h"
@@ -56,12 +56,12 @@ class ReportingDeliveryAgentTest : public ReportingTestBase {
   }
 
   void AddReport(const absl::optional<base::UnguessableToken>& reporting_source,
-                 const NetworkIsolationKey& network_isolation_key,
+                 const NetworkAnonymizationKey& network_anonymization_key,
                  const GURL& url,
                  const std::string& group) {
     base::Value::Dict report_body;
     report_body.Set("key", "value");
-    cache()->AddReport(reporting_source, network_isolation_key, url,
+    cache()->AddReport(reporting_source, network_anonymization_key, url,
                        kUserAgent_, group, kType_, std::move(report_body),
                        0 /* depth */, tick_clock()->NowTicks() /* queued */,
                        0 /* attempts */);
@@ -73,11 +73,11 @@ class ReportingDeliveryAgentTest : public ReportingTestBase {
   // immediately resolve a dummy report to prime the delivery timer.
   void UploadFirstReportAndStartTimer() {
     ReportingEndpointGroupKey dummy_group(
-        NetworkIsolationKey(), url::Origin::Create(GURL("https://dummy.test")),
-        "dummy");
+        NetworkAnonymizationKey(),
+        url::Origin::Create(GURL("https://dummy.test")), "dummy");
     ASSERT_TRUE(SetEndpointInCache(
         dummy_group, GURL("https://dummy.test/upload"), kExpires_));
-    AddReport(absl::nullopt, dummy_group.network_isolation_key,
+    AddReport(absl::nullopt, dummy_group.network_anonymization_key,
               dummy_group.origin.GetURL(), dummy_group.group_name);
 
     ASSERT_EQ(1u, pending_uploads().size());
@@ -94,7 +94,7 @@ class ReportingDeliveryAgentTest : public ReportingTestBase {
         url::Origin::Create(GURL("https://dummy.test")), "dummy");
     SetV1EndpointInCache(dummy_group, kDocumentReportingSource_,
                          kIsolationInfo_, GURL("https://dummy.test/upload"));
-    AddReport(kDocumentReportingSource_, dummy_group.network_isolation_key,
+    AddReport(kDocumentReportingSource_, dummy_group.network_anonymization_key,
               dummy_group.origin.GetURL(), dummy_group.group_name);
 
     ASSERT_EQ(1u, pending_uploads().size());
@@ -119,11 +119,11 @@ class ReportingDeliveryAgentTest : public ReportingTestBase {
       absl::nullopt;
   const base::UnguessableToken kDocumentReportingSource_ =
       base::UnguessableToken::Create();
-  const NetworkIsolationKey kNik_ =
-      NetworkIsolationKey(SchemefulSite(kOrigin_), SchemefulSite(kOrigin_));
-  const NetworkIsolationKey kOtherNik_ =
-      NetworkIsolationKey(SchemefulSite(kOtherOrigin_),
-                          SchemefulSite(kOtherOrigin_));
+  const NetworkAnonymizationKey kNik_ =
+      NetworkAnonymizationKey(SchemefulSite(kOrigin_), SchemefulSite(kOrigin_));
+  const NetworkAnonymizationKey kOtherNik_ =
+      NetworkAnonymizationKey(SchemefulSite(kOtherOrigin_),
+                              SchemefulSite(kOtherOrigin_));
   const IsolationInfo kIsolationInfo_ =
       IsolationInfo::Create(IsolationInfo::RequestType::kOther,
                             kOrigin_,
diff --git a/chromium/net/reporting/reporting_endpoint.cc b/chromium/net/reporting/reporting_endpoint.cc
index 187c0c7db3d..1405aff51d7 100644
--- a/chromium/net/reporting/reporting_endpoint.cc
+++ b/chromium/net/reporting/reporting_endpoint.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -16,20 +16,20 @@ namespace net {
 ReportingEndpointGroupKey::ReportingEndpointGroupKey() = default;
 
 ReportingEndpointGroupKey::ReportingEndpointGroupKey(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin,
     const std::string& group_name)
-    : ReportingEndpointGroupKey(network_isolation_key,
+    : ReportingEndpointGroupKey(network_anonymization_key,
                                 absl::nullopt,
                                 origin,
                                 group_name) {}
 
 ReportingEndpointGroupKey::ReportingEndpointGroupKey(
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     absl::optional<base::UnguessableToken> reporting_source,
     const url::Origin& origin,
     const std::string& group_name)
-    : network_isolation_key(network_isolation_key),
+    : network_anonymization_key(network_anonymization_key),
       reporting_source(std::move(reporting_source)),
       origin(origin),
       group_name(group_name) {
@@ -41,7 +41,7 @@ ReportingEndpointGroupKey::ReportingEndpointGroupKey(
 ReportingEndpointGroupKey::ReportingEndpointGroupKey(
     const ReportingEndpointGroupKey& other,
     const absl::optional<base::UnguessableToken>& reporting_source)
-    : ReportingEndpointGroupKey(other.network_isolation_key,
+    : ReportingEndpointGroupKey(other.network_anonymization_key,
                                 reporting_source,
                                 other.origin,
                                 other.group_name) {}
@@ -60,10 +60,10 @@ ReportingEndpointGroupKey::~ReportingEndpointGroupKey() = default;
 
 bool operator==(const ReportingEndpointGroupKey& lhs,
                 const ReportingEndpointGroupKey& rhs) {
-  return std::tie(lhs.reporting_source, lhs.network_isolation_key, lhs.origin,
-                  lhs.group_name) == std::tie(rhs.reporting_source,
-                                              rhs.network_isolation_key,
-                                              rhs.origin, rhs.group_name);
+  return std::tie(lhs.reporting_source, lhs.network_anonymization_key,
+                  lhs.origin, lhs.group_name) ==
+         std::tie(rhs.reporting_source, rhs.network_anonymization_key,
+                  rhs.origin, rhs.group_name);
 }
 
 bool operator!=(const ReportingEndpointGroupKey& lhs,
@@ -73,24 +73,24 @@ bool operator!=(const ReportingEndpointGroupKey& lhs,
 
 bool operator<(const ReportingEndpointGroupKey& lhs,
                const ReportingEndpointGroupKey& rhs) {
-  return std::tie(lhs.reporting_source, lhs.network_isolation_key, lhs.origin,
-                  lhs.group_name) < std::tie(rhs.reporting_source,
-                                             rhs.network_isolation_key,
-                                             rhs.origin, rhs.group_name);
+  return std::tie(lhs.reporting_source, lhs.network_anonymization_key,
+                  lhs.origin, lhs.group_name) <
+         std::tie(rhs.reporting_source, rhs.network_anonymization_key,
+                  rhs.origin, rhs.group_name);
 }
 
 bool operator>(const ReportingEndpointGroupKey& lhs,
                const ReportingEndpointGroupKey& rhs) {
-  return std::tie(lhs.reporting_source, lhs.network_isolation_key, lhs.origin,
-                  lhs.group_name) > std::tie(rhs.reporting_source,
-                                             rhs.network_isolation_key,
-                                             rhs.origin, rhs.group_name);
+  return std::tie(lhs.reporting_source, lhs.network_anonymization_key,
+                  lhs.origin, lhs.group_name) >
+         std::tie(rhs.reporting_source, rhs.network_anonymization_key,
+                  rhs.origin, rhs.group_name);
 }
 
 std::string ReportingEndpointGroupKey::ToString() const {
   return "Source: " +
          (reporting_source ? reporting_source->ToString() : "null") +
-         "; NIK: " + network_isolation_key.ToDebugString() +
+         "; NIK: " + network_anonymization_key.ToDebugString() +
          "; Origin: " + origin.Serialize() + "; Group name: " + group_name;
 }
 
diff --git a/chromium/net/reporting/reporting_endpoint.h b/chromium/net/reporting/reporting_endpoint.h
index ef5e3901cd5..1b99c0c83dc 100644
--- a/chromium/net/reporting/reporting_endpoint.h
+++ b/chromium/net/reporting/reporting_endpoint.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "base/time/time.h"
 #include "base/unguessable_token.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/gurl.h"
 #include "url/origin.h"
@@ -22,12 +22,13 @@ namespace net {
 struct NET_EXPORT ReportingEndpointGroupKey {
   ReportingEndpointGroupKey();
 
-  ReportingEndpointGroupKey(const NetworkIsolationKey& network_isolation_key,
-                            const url::Origin& origin,
-                            const std::string& group_name);
+  ReportingEndpointGroupKey(
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::Origin& origin,
+      const std::string& group_name);
 
   ReportingEndpointGroupKey(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       absl::optional<base::UnguessableToken> reporting_source,
       const url::Origin& origin,
       const std::string& group_name);
@@ -50,9 +51,9 @@ struct NET_EXPORT ReportingEndpointGroupKey {
   // V1 document endpoint.
   bool IsDocumentEndpoint() const { return reporting_source.has_value(); }
 
-  // The NetworkIsolationKey the group is scoped to. Needed to prevent leaking
-  // third party contexts across sites.
-  NetworkIsolationKey network_isolation_key;
+  // The NetworkAnonymizationKey the group is scoped to. Needed to prevent
+  // leaking third party contexts across sites.
+  NetworkAnonymizationKey network_anonymization_key;
 
   // Source token for the document or worker which configured this endpoint, if
   // this was configured with the Reporting-Endpoints header. For endpoint
diff --git a/chromium/net/reporting/reporting_endpoint_manager.cc b/chromium/net/reporting/reporting_endpoint_manager.cc
index 12a2a549cfd..46d48b96e85 100644
--- a/chromium/net/reporting/reporting_endpoint_manager.cc
+++ b/chromium/net/reporting/reporting_endpoint_manager.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,7 +17,7 @@
 #include "base/rand_util.h"
 #include "base/time/tick_clock.h"
 #include "net/base/backoff_entry.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/rand_callback.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_delegate.h"
@@ -83,7 +83,7 @@ class ReportingEndpointManagerImpl : public ReportingEndpointManager {
       // This brings each match to the front of the MRU cache, so if an entry
       // frequently matches requests, it's more likely to stay in the cache.
       auto endpoint_backoff_it = endpoint_backoff_.Get(EndpointBackoffKey(
-          group_key.network_isolation_key, endpoint.info.url));
+          group_key.network_anonymization_key, endpoint.info.url));
       if (endpoint_backoff_it != endpoint_backoff_.end() &&
           endpoint_backoff_it->second->ShouldRejectRequest()) {
         continue;
@@ -124,10 +124,12 @@ class ReportingEndpointManagerImpl : public ReportingEndpointManager {
     return ReportingEndpoint();
   }
 
-  void InformOfEndpointRequest(const NetworkIsolationKey& network_isolation_key,
-                               const GURL& endpoint,
-                               bool succeeded) override {
-    EndpointBackoffKey endpoint_backoff_key(network_isolation_key, endpoint);
+  void InformOfEndpointRequest(
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const GURL& endpoint,
+      bool succeeded) override {
+    EndpointBackoffKey endpoint_backoff_key(network_anonymization_key,
+                                            endpoint);
     // This will bring the entry to the front of the cache, if it exists.
     auto endpoint_backoff_it = endpoint_backoff_.Get(endpoint_backoff_key);
     if (endpoint_backoff_it == endpoint_backoff_.end()) {
@@ -140,7 +142,7 @@ class ReportingEndpointManagerImpl : public ReportingEndpointManager {
   }
 
  private:
-  using EndpointBackoffKey = std::pair<NetworkIsolationKey, GURL>;
+  using EndpointBackoffKey = std::pair<NetworkAnonymizationKey, GURL>;
 
   const raw_ptr<const ReportingPolicy> policy_;
   const raw_ptr<const base::TickClock> tick_clock_;
diff --git a/chromium/net/reporting/reporting_endpoint_manager.h b/chromium/net/reporting/reporting_endpoint_manager.h
index 1a23771081f..c6e6eea82bb 100644
--- a/chromium/net/reporting/reporting_endpoint_manager.h
+++ b/chromium/net/reporting/reporting_endpoint_manager.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,7 +19,7 @@ class TickClock;
 
 namespace net {
 
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class ReportingCache;
 class ReportingDelegate;
 struct ReportingEndpoint;
@@ -59,7 +59,7 @@ class NET_EXPORT ReportingEndpointManager {
   // Informs the EndpointManager of a successful or unsuccessful request made to
   // |endpoint| so it can manage exponential backoff of failing endpoints.
   virtual void InformOfEndpointRequest(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const GURL& endpoint,
       bool succeeded) = 0;
 };
diff --git a/chromium/net/reporting/reporting_endpoint_manager_unittest.cc b/chromium/net/reporting/reporting_endpoint_manager_unittest.cc
index 67d2d5a4ee8..02c8d9fa553 100644
--- a/chromium/net/reporting/reporting_endpoint_manager_unittest.cc
+++ b/chromium/net/reporting/reporting_endpoint_manager_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -12,7 +12,7 @@
 #include "base/unguessable_token.h"
 #include "net/base/backoff_entry.h"
 #include "net/base/isolation_info.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_endpoint.h"
@@ -41,7 +41,7 @@ class TestReportingCache : public ReportingCache {
   ~TestReportingCache() override = default;
 
   void SetEndpoint(const ReportingEndpoint& reporting_endpoint) {
-    reporting_endpoints_[reporting_endpoint.group_key.network_isolation_key]
+    reporting_endpoints_[reporting_endpoint.group_key.network_anonymization_key]
         .push_back(reporting_endpoint);
   }
 
@@ -51,12 +51,12 @@ class TestReportingCache : public ReportingCache {
       const ReportingEndpointGroupKey& group_key) override {
     EXPECT_EQ(expected_origin_, group_key.origin);
     EXPECT_EQ(expected_group_, group_key.group_name);
-    return reporting_endpoints_[group_key.network_isolation_key];
+    return reporting_endpoints_[group_key.network_anonymization_key];
   }
 
   // Everything below is NOTREACHED.
   void AddReport(const absl::optional<base::UnguessableToken>& reporting_source,
-                 const NetworkIsolationKey& network_isolation_key,
+                 const NetworkAnonymizationKey& network_anonymization_key,
                  const GURL& url,
                  const std::string& user_agent,
                  const std::string& group_name,
@@ -139,7 +139,7 @@ class TestReportingCache : public ReportingCache {
     return false;
   }
   void OnParsedHeader(
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       std::vector<ReportingEndpointGroup> parsed_header) override {
     NOTREACHED();
@@ -154,7 +154,7 @@ class TestReportingCache : public ReportingCache {
     NOTREACHED();
     return std::set<url::Origin>();
   }
-  void RemoveClient(const NetworkIsolationKey& network_isolation_key,
+  void RemoveClient(const NetworkAnonymizationKey& network_anonymization_key,
                     const url::Origin& origin) override {
     NOTREACHED();
   }
@@ -204,8 +204,9 @@ class TestReportingCache : public ReportingCache {
     NOTREACHED();
     return false;
   }
-  bool ClientExistsForTesting(const NetworkIsolationKey& network_isolation_key,
-                              const url::Origin& origin) const override {
+  bool ClientExistsForTesting(
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::Origin& origin) const override {
     NOTREACHED();
     return false;
   }
@@ -245,7 +246,7 @@ class TestReportingCache : public ReportingCache {
   const url::Origin expected_origin_;
   const std::string expected_group_;
 
-  std::map<NetworkIsolationKey, std::vector<ReportingEndpoint>>
+  std::map<NetworkAnonymizationKey, std::vector<ReportingEndpoint>>
       reporting_endpoints_;
   base::flat_set<base::UnguessableToken> expired_sources_;
 };
@@ -272,16 +273,16 @@ class ReportingEndpointManagerTest : public testing::Test {
       const GURL& endpoint,
       int priority = ReportingEndpoint::EndpointInfo::kDefaultPriority,
       int weight = ReportingEndpoint::EndpointInfo::kDefaultWeight,
-      const NetworkIsolationKey& network_isolation_key =
-          NetworkIsolationKey()) {
+      const NetworkAnonymizationKey& network_anonymization_key =
+          NetworkAnonymizationKey()) {
     ReportingEndpointGroupKey group_key(kGroupKey);
-    group_key.network_isolation_key = network_isolation_key;
+    group_key.network_anonymization_key = network_anonymization_key;
     cache_.SetEndpoint(ReportingEndpoint(
         group_key,
         ReportingEndpoint::EndpointInfo{endpoint, priority, weight}));
   }
 
-  const NetworkIsolationKey kNik;
+  const NetworkAnonymizationKey kNik;
   const url::Origin kOrigin = url::Origin::Create(GURL("https://origin/"));
   const SchemefulSite kSite = SchemefulSite(kOrigin);
   const std::string kGroup = "group";
@@ -319,8 +320,8 @@ TEST_F(ReportingEndpointManagerTest, BackedOffEndpoint) {
 
   SetEndpoint(kEndpoint);
 
-  endpoint_manager_->InformOfEndpointRequest(NetworkIsolationKey(), kEndpoint,
-                                             false);
+  endpoint_manager_->InformOfEndpointRequest(NetworkAnonymizationKey(),
+                                             kEndpoint, false);
 
   // After one failure, endpoint is in exponential backoff.
   ReportingEndpoint endpoint =
@@ -335,8 +336,8 @@ TEST_F(ReportingEndpointManagerTest, BackedOffEndpoint) {
   ASSERT_TRUE(endpoint2);
   EXPECT_EQ(kEndpoint, endpoint2.info.url);
 
-  endpoint_manager_->InformOfEndpointRequest(NetworkIsolationKey(), kEndpoint,
-                                             false);
+  endpoint_manager_->InformOfEndpointRequest(NetworkAnonymizationKey(),
+                                             kEndpoint, false);
 
   // After a second failure, endpoint is backed off again.
   ReportingEndpoint endpoint3 =
@@ -358,15 +359,15 @@ TEST_F(ReportingEndpointManagerTest, BackedOffEndpoint) {
   ASSERT_TRUE(endpoint5);
   EXPECT_EQ(kEndpoint, endpoint5.info.url);
 
-  endpoint_manager_->InformOfEndpointRequest(NetworkIsolationKey(), kEndpoint,
-                                             true);
-  endpoint_manager_->InformOfEndpointRequest(NetworkIsolationKey(), kEndpoint,
-                                             true);
+  endpoint_manager_->InformOfEndpointRequest(NetworkAnonymizationKey(),
+                                             kEndpoint, true);
+  endpoint_manager_->InformOfEndpointRequest(NetworkAnonymizationKey(),
+                                             kEndpoint, true);
 
   // Two more successful requests should reset the backoff to the initial delay
   // again.
-  endpoint_manager_->InformOfEndpointRequest(NetworkIsolationKey(), kEndpoint,
-                                             false);
+  endpoint_manager_->InformOfEndpointRequest(NetworkAnonymizationKey(),
+                                             kEndpoint, false);
 
   ReportingEndpoint endpoint6 =
       endpoint_manager_->FindEndpointForDelivery(kGroupKey);
@@ -429,7 +430,7 @@ TEST_F(ReportingEndpointManagerTest, Priority) {
   // The backoff policy we set up in the constructor means that a single failed
   // upload will take the primary endpoint out of contention.  This should cause
   // us to choose the backend endpoint.
-  endpoint_manager_->InformOfEndpointRequest(NetworkIsolationKey(),
+  endpoint_manager_->InformOfEndpointRequest(NetworkAnonymizationKey(),
                                              kPrimaryEndpoint, false);
   ReportingEndpoint endpoint2 =
       endpoint_manager_->FindEndpointForDelivery(kGroupKey);
@@ -510,21 +511,21 @@ TEST_F(ReportingEndpointManagerTest, ZeroWeights) {
   EXPECT_EQ(5, endpoint2_count);
 }
 
-// Check that ReportingEndpointManager distinguishes NetworkIsolationKeys.
-TEST_F(ReportingEndpointManagerTest, NetworkIsolationKey) {
+// Check that ReportingEndpointManager distinguishes NetworkAnonymizationKeys.
+TEST_F(ReportingEndpointManagerTest, NetworkAnonymizationKey) {
   const SchemefulSite kSite2(GURL("https://origin2/"));
 
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite, kSite);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
-  const ReportingEndpointGroupKey kGroupKey1(kNetworkIsolationKey1, kOrigin,
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite, kSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
+  const ReportingEndpointGroupKey kGroupKey1(kNetworkAnonymizationKey1, kOrigin,
                                              kGroup);
-  const ReportingEndpointGroupKey kGroupKey2(kNetworkIsolationKey2, kOrigin,
+  const ReportingEndpointGroupKey kGroupKey2(kNetworkAnonymizationKey2, kOrigin,
                                              kGroup);
 
-  // An Endpoint set for kNetworkIsolationKey1 should not affect
-  // kNetworkIsolationKey2.
+  // An Endpoint set for kNetworkAnonymizationKey1 should not affect
+  // kNetworkAnonymizationKey2.
   SetEndpoint(kEndpoint, ReportingEndpoint::EndpointInfo::kDefaultPriority,
-              0 /* weight */, kNetworkIsolationKey1);
+              0 /* weight */, kNetworkAnonymizationKey1);
   ReportingEndpoint endpoint =
       endpoint_manager_->FindEndpointForDelivery(kGroupKey1);
   ASSERT_TRUE(endpoint);
@@ -532,10 +533,10 @@ TEST_F(ReportingEndpointManagerTest, NetworkIsolationKey) {
   EXPECT_FALSE(endpoint_manager_->FindEndpointForDelivery(kGroupKey2));
   EXPECT_FALSE(endpoint_manager_->FindEndpointForDelivery(kGroupKey));
 
-  // Set the same Endpoint for kNetworkIsolationKey2, so both should be
+  // Set the same Endpoint for kNetworkAnonymizationKey2, so both should be
   // reporting to the same URL.
   SetEndpoint(kEndpoint, ReportingEndpoint::EndpointInfo::kDefaultPriority,
-              0 /* weight */, kNetworkIsolationKey2);
+              0 /* weight */, kNetworkAnonymizationKey2);
   endpoint = endpoint_manager_->FindEndpointForDelivery(kGroupKey1);
   ASSERT_TRUE(endpoint);
   EXPECT_EQ(kEndpoint, endpoint.info.url);
@@ -544,11 +545,11 @@ TEST_F(ReportingEndpointManagerTest, NetworkIsolationKey) {
   EXPECT_EQ(kEndpoint, endpoint.info.url);
   EXPECT_FALSE(endpoint_manager_->FindEndpointForDelivery(kGroupKey));
 
-  // An error reporting to that URL in the context of kNetworkIsolationKey1
+  // An error reporting to that URL in the context of kNetworkAnonymizationKey1
   // should only affect the Endpoint retrieved in the context of
-  // kNetworkIsolationKey1.
-  endpoint_manager_->InformOfEndpointRequest(kNetworkIsolationKey1, kEndpoint,
-                                             false);
+  // kNetworkAnonymizationKey1.
+  endpoint_manager_->InformOfEndpointRequest(kNetworkAnonymizationKey1,
+                                             kEndpoint, false);
   EXPECT_FALSE(endpoint_manager_->FindEndpointForDelivery(kGroupKey1));
   endpoint = endpoint_manager_->FindEndpointForDelivery(kGroupKey2);
   ASSERT_TRUE(endpoint);
@@ -556,14 +557,15 @@ TEST_F(ReportingEndpointManagerTest, NetworkIsolationKey) {
   EXPECT_FALSE(endpoint_manager_->FindEndpointForDelivery(kGroupKey));
 }
 
-TEST_F(ReportingEndpointManagerTest, NetworkIsolationKeyWithMultipleEndpoints) {
+TEST_F(ReportingEndpointManagerTest,
+       NetworkAnonymizationKeyWithMultipleEndpoints) {
   const SchemefulSite kSite2(GURL("https://origin2/"));
 
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite, kSite);
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
-  const ReportingEndpointGroupKey kGroupKey1(kNetworkIsolationKey1, kOrigin,
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite, kSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
+  const ReportingEndpointGroupKey kGroupKey1(kNetworkAnonymizationKey1, kOrigin,
                                              kGroup);
-  const ReportingEndpointGroupKey kGroupKey2(kNetworkIsolationKey2, kOrigin,
+  const ReportingEndpointGroupKey kGroupKey2(kNetworkAnonymizationKey2, kOrigin,
                                              kGroup);
 
   const GURL kEndpoint1("https://endpoint1/");
@@ -571,23 +573,24 @@ TEST_F(ReportingEndpointManagerTest, NetworkIsolationKeyWithMultipleEndpoints) {
   const GURL kEndpoint3("https://endpoint3/");
   const int kMaxAttempts = 20;
 
-  // Add two Endpoints for kNetworkIsolationKey1, and a different one for
-  // kNetworkIsolationKey2.
+  // Add two Endpoints for kNetworkAnonymizationKey1, and a different one for
+  // kNetworkAnonymizationKey2.
   SetEndpoint(kEndpoint1, ReportingEndpoint::EndpointInfo::kDefaultPriority,
               ReportingEndpoint::EndpointInfo::kDefaultWeight,
-              kNetworkIsolationKey1);
+              kNetworkAnonymizationKey1);
   SetEndpoint(kEndpoint2, ReportingEndpoint::EndpointInfo::kDefaultPriority,
               ReportingEndpoint::EndpointInfo::kDefaultWeight,
-              kNetworkIsolationKey1);
+              kNetworkAnonymizationKey1);
   SetEndpoint(kEndpoint3, ReportingEndpoint::EndpointInfo::kDefaultPriority,
               ReportingEndpoint::EndpointInfo::kDefaultWeight,
-              kNetworkIsolationKey2);
+              kNetworkAnonymizationKey2);
 
   bool endpoint1_seen = false;
   bool endpoint2_seen = false;
 
-  // Make sure that calling FindEndpointForDelivery() with kNetworkIsolationKey1
-  // can return both of its endpoints, but not kNetworkIsolationKey2's endpoint.
+  // Make sure that calling FindEndpointForDelivery() with
+  // kNetworkAnonymizationKey1 can return both of its endpoints, but not
+  // kNetworkAnonymizationKey2's endpoint.
   for (int i = 0; i < kMaxAttempts; ++i) {
     ReportingEndpoint endpoint =
         endpoint_manager_->FindEndpointForDelivery(kGroupKey1);
@@ -629,40 +632,40 @@ TEST_F(ReportingEndpointManagerTest, CacheEviction) {
     EXPECT_TRUE(endpoint);
     EXPECT_FALSE(seen_endpoints.count(endpoint.info.url));
     seen_endpoints.insert(endpoint.info.url);
-    endpoint_manager_->InformOfEndpointRequest(NetworkIsolationKey(),
+    endpoint_manager_->InformOfEndpointRequest(NetworkAnonymizationKey(),
                                                endpoint.info.url, false);
   }
   // All endpoints should now be marked as bad.
   EXPECT_FALSE(endpoint_manager_->FindEndpointForDelivery(kGroupKey));
 
-  // Add another endpoint with a different NetworkIsolationKey;
-  const NetworkIsolationKey kDifferentNetworkIsolationKey(kSite, kSite);
+  // Add another endpoint with a different NetworkAnonymizationKey;
+  const NetworkAnonymizationKey kDifferentNetworkAnonymizationKey(kSite, kSite);
   const ReportingEndpointGroupKey kDifferentGroupKey(
-      kDifferentNetworkIsolationKey, kOrigin, kGroup);
+      kDifferentNetworkAnonymizationKey, kOrigin, kGroup);
   SetEndpoint(kEndpoint, ReportingEndpoint::EndpointInfo::kDefaultPriority,
               ReportingEndpoint::EndpointInfo::kDefaultWeight,
-              kDifferentNetworkIsolationKey);
-  // All endpoints associated with the empty NetworkIsolationKey should still be
-  // marked as bad.
+              kDifferentNetworkAnonymizationKey);
+  // All endpoints associated with the empty NetworkAnonymizationKey should
+  // still be marked as bad.
   EXPECT_FALSE(endpoint_manager_->FindEndpointForDelivery(kGroupKey));
 
-  // Make the endpoint added for the kDifferentNetworkIsolationKey as bad.
-  endpoint_manager_->InformOfEndpointRequest(kDifferentNetworkIsolationKey,
+  // Make the endpoint added for the kDifferentNetworkAnonymizationKey as bad.
+  endpoint_manager_->InformOfEndpointRequest(kDifferentNetworkAnonymizationKey,
                                              kEndpoint, false);
-  // The only endpoint for kDifferentNetworkIsolationKey should still be marked
-  // as bad.
+  // The only endpoint for kDifferentNetworkAnonymizationKey should still be
+  // marked as bad.
   EXPECT_FALSE(endpoint_manager_->FindEndpointForDelivery(kDifferentGroupKey));
-  // One of the endpoints for the empty NetworkIsolationKey should no longer be
-  // marked as bad, due to eviction.
+  // One of the endpoints for the empty NetworkAnonymizationKey should no longer
+  // be marked as bad, due to eviction.
   ReportingEndpoint endpoint =
       endpoint_manager_->FindEndpointForDelivery(kGroupKey);
   EXPECT_TRUE(endpoint);
 
   // Reporting a success for the (only) good endpoint for the empty
-  // NetworkIsolationKey should evict the entry for kNetworkIsolationKey, since
-  // the most recent FindEndpointForDelivery() call visited all of the empty
-  // NetworkIsolationKey's cached bad entries.
-  endpoint_manager_->InformOfEndpointRequest(NetworkIsolationKey(),
+  // NetworkAnonymizationKey should evict the entry for
+  // kNetworkAnonymizationKey, since the most recent FindEndpointForDelivery()
+  // call visited all of the empty NetworkAnonymizationKey's cached bad entries.
+  endpoint_manager_->InformOfEndpointRequest(NetworkAnonymizationKey(),
                                              endpoint.info.url, true);
 
   EXPECT_TRUE(endpoint_manager_->FindEndpointForDelivery(kDifferentGroupKey));
diff --git a/chromium/net/reporting/reporting_garbage_collector.cc b/chromium/net/reporting/reporting_garbage_collector.cc
index b7b3809de6a..4db08e04f9e 100644
--- a/chromium/net/reporting/reporting_garbage_collector.cc
+++ b/chromium/net/reporting/reporting_garbage_collector.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_garbage_collector.h b/chromium/net/reporting/reporting_garbage_collector.h
index b56d4d512fc..3a658902a3c 100644
--- a/chromium/net/reporting/reporting_garbage_collector.h
+++ b/chromium/net/reporting/reporting_garbage_collector.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_garbage_collector_unittest.cc b/chromium/net/reporting/reporting_garbage_collector_unittest.cc
index 6f4cf28af2f..baeb01a5a18 100644
--- a/chromium/net/reporting/reporting_garbage_collector_unittest.cc
+++ b/chromium/net/reporting/reporting_garbage_collector_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,7 @@
 #include "base/time/time.h"
 #include "base/timer/mock_timer.h"
 #include "net/base/isolation_info.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_policy.h"
 #include "net/reporting/reporting_report.h"
@@ -31,7 +31,7 @@ class ReportingGarbageCollectorTest : public ReportingTestBase {
 
   const absl::optional<base::UnguessableToken> kReportingSource_ =
       base::UnguessableToken::Create();
-  const NetworkIsolationKey kNik_;
+  const NetworkAnonymizationKey kNik_;
   const IsolationInfo kIsolationInfo_;
   const GURL kUrl_ = GURL("https://origin/path");
   const std::string kUserAgent_ = "Mozilla/1.0";
diff --git a/chromium/net/reporting/reporting_header_parser.cc b/chromium/net/reporting/reporting_header_parser.cc
index 1dfd5e6d8a8..9bc7d46e766 100644
--- a/chromium/net/reporting/reporting_header_parser.cc
+++ b/chromium/net/reporting/reporting_header_parser.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@
 #include "base/values.h"
 #include "net/base/features.h"
 #include "net/base/isolation_info.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_context.h"
@@ -118,12 +118,13 @@ bool ProcessEndpoint(ReportingDelegate* delegate,
 // |value| is the parsed JSON value of the endpoint group tuple.
 // Returns true on successfully adding a non-empty group, or false if endpoint
 // group was discarded or processed as a deletion.
-bool ProcessEndpointGroup(ReportingDelegate* delegate,
-                          ReportingCache* cache,
-                          const NetworkIsolationKey& network_isolation_key,
-                          const url::Origin& origin,
-                          const base::Value& value,
-                          ReportingEndpointGroup* parsed_endpoint_group_out) {
+bool ProcessEndpointGroup(
+    ReportingDelegate* delegate,
+    ReportingCache* cache,
+    const NetworkAnonymizationKey& network_anonymization_key,
+    const url::Origin& origin,
+    const base::Value& value,
+    ReportingEndpointGroup* parsed_endpoint_group_out) {
   const base::Value::Dict* dict = value.GetIfDict();
   if (!dict)
     return false;
@@ -134,7 +135,7 @@ bool ProcessEndpointGroup(ReportingDelegate* delegate,
       return false;
     group_name = maybe_group_name->GetString();
   }
-  ReportingEndpointGroupKey group_key(network_isolation_key, origin,
+  ReportingEndpointGroupKey group_key(network_anonymization_key, origin,
                                       group_name);
   parsed_endpoint_group_out->group_key = group_key;
 
@@ -216,14 +217,14 @@ bool ProcessEndpoint(ReportingDelegate* delegate,
 bool ProcessV1Endpoint(ReportingDelegate* delegate,
                        ReportingCache* cache,
                        const base::UnguessableToken& reporting_source,
-                       const NetworkIsolationKey& network_isolation_key,
+                       const NetworkAnonymizationKey& network_anonymization_key,
                        const url::Origin& origin,
                        const std::string& endpoint_name,
                        const std::string& endpoint_url_string,
                        ReportingEndpoint& parsed_endpoint_out) {
   DCHECK(!reporting_source.is_empty());
-  ReportingEndpointGroupKey group_key(network_isolation_key, reporting_source,
-                                      origin, endpoint_name);
+  ReportingEndpointGroupKey group_key(network_anonymization_key,
+                                      reporting_source, origin, endpoint_name);
   parsed_endpoint_out.group_key = group_key;
 
   ReportingEndpoint::EndpointInfo parsed_endpoint;
@@ -276,7 +277,7 @@ void ReportingHeaderParser::RecordReportingHeaderType(
 // static
 void ReportingHeaderParser::ParseReportToHeader(
     ReportingContext* context,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin,
     const base::Value::List& list) {
   DCHECK(GURL::SchemeIsCryptographic(origin.scheme()));
@@ -288,7 +289,7 @@ void ReportingHeaderParser::ParseReportToHeader(
 
   for (const auto& group_value : list) {
     ReportingEndpointGroup parsed_endpoint_group;
-    if (ProcessEndpointGroup(delegate, cache, network_isolation_key, origin,
+    if (ProcessEndpointGroup(delegate, cache, network_anonymization_key, origin,
                              group_value, &parsed_endpoint_group)) {
       parsed_header.push_back(std::move(parsed_endpoint_group));
     }
@@ -300,13 +301,13 @@ void ReportingHeaderParser::ParseReportToHeader(
 
   // Remove the client if it has no valid endpoint groups.
   if (parsed_header.empty()) {
-    cache->RemoveClient(network_isolation_key, origin);
+    cache->RemoveClient(network_anonymization_key, origin);
     return;
   }
 
   RecordReportingHeaderType(ReportingHeaderType::kReportTo);
 
-  cache->OnParsedHeader(network_isolation_key, origin,
+  cache->OnParsedHeader(network_anonymization_key, origin,
                         std::move(parsed_header));
 }
 
@@ -315,14 +316,15 @@ void ReportingHeaderParser::ProcessParsedReportingEndpointsHeader(
     ReportingContext* context,
     const base::UnguessableToken& reporting_source,
     const IsolationInfo& isolation_info,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const url::Origin& origin,
     base::flat_map<std::string, std::string> header) {
   DCHECK(base::FeatureList::IsEnabled(net::features::kDocumentReporting));
   DCHECK(GURL::SchemeIsCryptographic(origin.scheme()));
   DCHECK(!reporting_source.is_empty());
-  DCHECK(network_isolation_key.IsEmpty() ||
-         network_isolation_key == isolation_info.network_isolation_key());
+  DCHECK(network_anonymization_key.IsEmpty() ||
+         network_anonymization_key ==
+             isolation_info.network_anonymization_key());
 
   ReportingDelegate* delegate = context->delegate();
   ReportingCache* cache = context->cache();
@@ -332,7 +334,7 @@ void ReportingHeaderParser::ProcessParsedReportingEndpointsHeader(
   for (const auto& member : header) {
     ReportingEndpoint parsed_endpoint;
     if (ProcessV1Endpoint(delegate, cache, reporting_source,
-                          network_isolation_key, origin, member.first,
+                          network_anonymization_key, origin, member.first,
                           member.second, parsed_endpoint)) {
       parsed_header.push_back(std::move(parsed_endpoint));
     }
diff --git a/chromium/net/reporting/reporting_header_parser.h b/chromium/net/reporting/reporting_header_parser.h
index f2cb81598d7..98b1cc8ab9d 100644
--- a/chromium/net/reporting/reporting_header_parser.h
+++ b/chromium/net/reporting/reporting_header_parser.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@
 namespace net {
 
 class IsolationInfo;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class ReportingContext;
 
 // Tries to parse a Reporting-Endpoints header. Returns base::nullopt if parsing
@@ -48,12 +48,12 @@ class NET_EXPORT ReportingHeaderParser {
 
   static void ParseReportToHeader(
       ReportingContext* context,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       const base::Value::List& list);
 
   // `isolation_info` here will be stored in the cache, associated with the
-  // `reporting_source`. `network_isolation_key` is the NIK which will be
+  // `reporting_source`. `network_anonymization_key` is the NIK which will be
   // passed in with reports to be queued. This must match the NIK from
   // `isolation_source`, unless it is empty (which will be the case if the
   // kPartitionNelAndReportingByNetworkIsolationKey feature is disabled.)
@@ -61,7 +61,7 @@ class NET_EXPORT ReportingHeaderParser {
       ReportingContext* context,
       const base::UnguessableToken& reporting_source,
       const IsolationInfo& isolation_info,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       base::flat_map<std::string, std::string> parsed_header);
 
diff --git a/chromium/net/reporting/reporting_header_parser_fuzzer.cc b/chromium/net/reporting/reporting_header_parser_fuzzer.cc
index 1b7ece7cd1d..b8e728e4517 100644
--- a/chromium/net/reporting/reporting_header_parser_fuzzer.cc
+++ b/chromium/net/reporting/reporting_header_parser_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,7 @@
 #include "base/time/default_tick_clock.h"
 #include "base/time/time.h"
 #include "base/values.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_header_parser.h"
 #include "net/reporting/reporting_policy.pb.h"
@@ -42,7 +42,7 @@ void FuzzReportingHeaderParser(const std::string& data_json,
   // TODO: consider including proto definition for URL after moving that to
   // testing/libfuzzer/proto and creating a separate converter.
   net::ReportingHeaderParser::ParseReportToHeader(
-      &context, net::NetworkIsolationKey(),
+      &context, net::NetworkAnonymizationKey(),
       url::Origin::Create(GURL("https://origin/")), data_value->GetList());
   if (context.cache()->GetEndpointCount() == 0) {
     return;
diff --git a/chromium/net/reporting/reporting_header_parser_unittest.cc b/chromium/net/reporting/reporting_header_parser_unittest.cc
index 80260ea7f6e..3d617e7d3b0 100644
--- a/chromium/net/reporting/reporting_header_parser_unittest.cc
+++ b/chromium/net/reporting/reporting_header_parser_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -72,10 +72,12 @@ class ReportingHeaderParserTestBase
   const url::Origin kOrigin1_ = url::Origin::Create(kUrl1_);
   const GURL kUrl2_ = GURL("https://origin2.test/path");
   const url::Origin kOrigin2_ = url::Origin::Create(kUrl2_);
-  const NetworkIsolationKey kNik_ =
-      NetworkIsolationKey(SchemefulSite(kOrigin1_), SchemefulSite(kOrigin1_));
-  const NetworkIsolationKey kOtherNik_ =
-      NetworkIsolationKey(SchemefulSite(kOrigin2_), SchemefulSite(kOrigin2_));
+  const NetworkAnonymizationKey kNik_ =
+      NetworkAnonymizationKey(SchemefulSite(kOrigin1_),
+                              SchemefulSite(kOrigin1_));
+  const NetworkAnonymizationKey kOtherNik_ =
+      NetworkAnonymizationKey(SchemefulSite(kOrigin2_),
+                              SchemefulSite(kOrigin2_));
   const IsolationInfo kIsolationInfo_ =
       IsolationInfo::Create(IsolationInfo::RequestType::kOther,
                             kOrigin1_,
@@ -184,14 +186,14 @@ class ReportingHeaderParserTest : public ReportingHeaderParserTestBase {
     return s.str();
   }
 
-  void ParseHeader(const NetworkIsolationKey& network_isolation_key,
+  void ParseHeader(const NetworkAnonymizationKey& network_anonymization_key,
                    const url::Origin& origin,
                    const std::string& json) {
     absl::optional<base::Value> value =
         base::JSONReader::Read("[" + json + "]");
     if (value) {
       ReportingHeaderParser::ParseReportToHeader(
-          context(), network_isolation_key, origin, value->GetList());
+          context(), network_anonymization_key, origin, value->GetList());
     }
   }
 };
@@ -785,7 +787,7 @@ TEST_P(ReportingHeaderParserTest, EndpointGroupKey) {
       ReportingEndpointGroupKey(kOtherNik_, kOrigin2_, kGroup2_);
 
   const struct {
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
     GURL url;
     ReportingEndpointGroupKey group1_key;
     ReportingEndpointGroupKey group2_key;
@@ -813,8 +815,8 @@ TEST_P(ReportingHeaderParserTest, EndpointGroupKey) {
     EXPECT_FALSE(EndpointGroupExistsInCache(source.group2_key,
                                             OriginSubdomains::DEFAULT));
 
-    ParseHeader(source.network_isolation_key, url::Origin::Create(source.url),
-                header1);
+    ParseHeader(source.network_anonymization_key,
+                url::Origin::Create(source.url), header1);
     endpoint_group_count += 2u;
     endpoint_count += 4u;
     EXPECT_EQ(endpoint_group_count, cache()->GetEndpointGroupCountForTesting());
@@ -864,7 +866,7 @@ TEST_P(ReportingHeaderParserTest, EndpointGroupKey) {
     EXPECT_TRUE(EndpointGroupExistsInCache(source.group2_key,
                                            OriginSubdomains::DEFAULT));
     EXPECT_TRUE(cache()->ClientExistsForTesting(
-        source.network_isolation_key, url::Origin::Create(source.url)));
+        source.network_anonymization_key, url::Origin::Create(source.url)));
   }
 
   // Test updating existing configurations
@@ -891,8 +893,8 @@ TEST_P(ReportingHeaderParserTest, EndpointGroupKey) {
               endpoint.info.priority);
     EXPECT_FALSE(FindEndpointInCache(source.group2_key, kEndpoint3_));
 
-    ParseHeader(source.network_isolation_key, url::Origin::Create(source.url),
-                header2);
+    ParseHeader(source.network_anonymization_key,
+                url::Origin::Create(source.url), header2);
     endpoint_group_count--;
     endpoint_count -= 2;
     EXPECT_EQ(endpoint_group_count, cache()->GetEndpointGroupCountForTesting());
@@ -948,7 +950,7 @@ TEST_P(ReportingHeaderParserTest, EndpointGroupKey) {
     EXPECT_TRUE(EndpointGroupExistsInCache(source.group2_key,
                                            OriginSubdomains::INCLUDE));
     EXPECT_TRUE(cache()->ClientExistsForTesting(
-        source.network_isolation_key, url::Origin::Create(source.url)));
+        source.network_anonymization_key, url::Origin::Create(source.url)));
   }
 }
 
@@ -1789,7 +1791,7 @@ class ReportingHeaderParserStructuredHeaderTest
     if (header_map) {
       ReportingHeaderParser::ProcessParsedReportingEndpointsHeader(
           context(), reporting_source, isolation_info,
-          isolation_info.network_isolation_key(), origin, *header_map);
+          isolation_info.network_anonymization_key(), origin, *header_map);
     }
   }
   void ProcessParsedHeader(
@@ -1800,7 +1802,7 @@ class ReportingHeaderParserStructuredHeaderTest
           header_map) {
     ReportingHeaderParser::ProcessParsedReportingEndpointsHeader(
         context(), reporting_source, isolation_info,
-        isolation_info.network_isolation_key(), origin, *header_map);
+        isolation_info.network_anonymization_key(), origin, *header_map);
   }
 
   const base::UnguessableToken kReportingSource_ =
@@ -1897,7 +1899,6 @@ TEST_P(ReportingHeaderParserStructuredHeaderTest, Basic) {
 
   IsolationInfo isolation_info = cache()->GetIsolationInfoForEndpoint(endpoint);
   EXPECT_TRUE(isolation_info.IsEqualForTesting(kIsolationInfo_));
-
   EXPECT_EQ(kOrigin1_, endpoint.group_key.origin);
   EXPECT_EQ(kGroup1_, endpoint.group_key.group_name);
   EXPECT_EQ(kEndpoint1_, endpoint.info.url);
diff --git a/chromium/net/reporting/reporting_network_change_observer.cc b/chromium/net/reporting/reporting_network_change_observer.cc
index f77dee50e6f..276bdf4ab86 100644
--- a/chromium/net/reporting/reporting_network_change_observer.cc
+++ b/chromium/net/reporting/reporting_network_change_observer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_network_change_observer.h b/chromium/net/reporting/reporting_network_change_observer.h
index 941133d339e..2bbd2c529a5 100644
--- a/chromium/net/reporting/reporting_network_change_observer.h
+++ b/chromium/net/reporting/reporting_network_change_observer.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_network_change_observer_unittest.cc b/chromium/net/reporting/reporting_network_change_observer_unittest.cc
index d73388989a6..bb5edcee7e9 100644
--- a/chromium/net/reporting/reporting_network_change_observer_unittest.cc
+++ b/chromium/net/reporting/reporting_network_change_observer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -46,7 +46,7 @@ class ReportingNetworkChangeObserverTest : public ReportingTestBase {
 
   const absl::optional<base::UnguessableToken> kReportingSource_ =
       absl::nullopt;
-  const NetworkIsolationKey kNik_;
+  const NetworkAnonymizationKey kNak_;
   const GURL kUrl_ = GURL("https://origin/path");
   const url::Origin kOrigin_ = url::Origin::Create(kUrl_);
   const GURL kEndpoint_ = GURL("https://endpoint/");
@@ -54,7 +54,7 @@ class ReportingNetworkChangeObserverTest : public ReportingTestBase {
   const std::string kGroup_ = "group";
   const std::string kType_ = "default";
   const ReportingEndpointGroupKey kGroupKey_ =
-      ReportingEndpointGroupKey(NetworkIsolationKey(), kOrigin_, kGroup_);
+      ReportingEndpointGroupKey(NetworkAnonymizationKey(), kOrigin_, kGroup_);
 };
 
 TEST_F(ReportingNetworkChangeObserverTest, ClearNothing) {
@@ -63,7 +63,7 @@ TEST_F(ReportingNetworkChangeObserverTest, ClearNothing) {
   new_policy.persist_clients_across_network_changes = true;
   UsePolicy(new_policy);
 
-  cache()->AddReport(kReportingSource_, kNik_, kUrl_, kUserAgent_, kGroup_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl_, kUserAgent_, kGroup_,
                      kType_, base::Value::Dict(), 0, tick_clock()->NowTicks(),
                      0);
   SetEndpoint();
@@ -82,7 +82,7 @@ TEST_F(ReportingNetworkChangeObserverTest, ClearReports) {
   new_policy.persist_clients_across_network_changes = true;
   UsePolicy(new_policy);
 
-  cache()->AddReport(kReportingSource_, kNik_, kUrl_, kUserAgent_, kGroup_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl_, kUserAgent_, kGroup_,
                      kType_, base::Value::Dict(), 0, tick_clock()->NowTicks(),
                      0);
   SetEndpoint();
@@ -101,7 +101,7 @@ TEST_F(ReportingNetworkChangeObserverTest, ClearClients) {
   new_policy.persist_clients_across_network_changes = false;
   UsePolicy(new_policy);
 
-  cache()->AddReport(kReportingSource_, kNik_, kUrl_, kUserAgent_, kGroup_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl_, kUserAgent_, kGroup_,
                      kType_, base::Value::Dict(), 0, tick_clock()->NowTicks(),
                      0);
   SetEndpoint();
@@ -120,7 +120,7 @@ TEST_F(ReportingNetworkChangeObserverTest, ClearReportsAndClients) {
   new_policy.persist_clients_across_network_changes = false;
   UsePolicy(new_policy);
 
-  cache()->AddReport(kReportingSource_, kNik_, kUrl_, kUserAgent_, kGroup_,
+  cache()->AddReport(kReportingSource_, kNak_, kUrl_, kUserAgent_, kGroup_,
                      kType_, base::Value::Dict(), 0, tick_clock()->NowTicks(),
                      0);
   SetEndpoint();
diff --git a/chromium/net/reporting/reporting_policy.cc b/chromium/net/reporting/reporting_policy.cc
index bb895c5122d..e348299f707 100644
--- a/chromium/net/reporting/reporting_policy.cc
+++ b/chromium/net/reporting/reporting_policy.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_policy.h b/chromium/net/reporting/reporting_policy.h
index 4edf578121d..a3e41f224df 100644
--- a/chromium/net/reporting/reporting_policy.h
+++ b/chromium/net/reporting/reporting_policy.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_policy.proto b/chromium/net/reporting/reporting_policy.proto
index 235101833de..6a386835b5d 100644
--- a/chromium/net/reporting/reporting_policy.proto
+++ b/chromium/net/reporting/reporting_policy.proto
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_report.cc b/chromium/net/reporting/reporting_report.cc
index d19a3485dfb..b0da461ae56 100644
--- a/chromium/net/reporting/reporting_report.cc
+++ b/chromium/net/reporting/reporting_report.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -16,17 +16,17 @@ namespace net {
 
 ReportingReport::ReportingReport(
     const absl::optional<base::UnguessableToken>& reporting_source,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const GURL& url,
     const std::string& user_agent,
     const std::string& group,
     const std::string& type,
-    std::unique_ptr<const base::Value> body,
+    base::Value::Dict body,
     int depth,
     base::TimeTicks queued,
     int attempts)
     : reporting_source(reporting_source),
-      network_isolation_key(network_isolation_key),
+      network_anonymization_key(network_anonymization_key),
       id(base::UnguessableToken::Create()),
       url(url),
       user_agent(user_agent),
@@ -46,7 +46,7 @@ ReportingReport& ReportingReport::operator=(ReportingReport&& other) = default;
 ReportingReport::~ReportingReport() = default;
 
 ReportingEndpointGroupKey ReportingReport::GetGroupKey() const {
-  return ReportingEndpointGroupKey(network_isolation_key, reporting_source,
+  return ReportingEndpointGroupKey(network_anonymization_key, reporting_source,
                                    url::Origin::Create(url), group);
 }
 
diff --git a/chromium/net/reporting/reporting_report.h b/chromium/net/reporting/reporting_report.h
index 3ed13a4508e..79a1248f37a 100644
--- a/chromium/net/reporting/reporting_report.h
+++ b/chromium/net/reporting/reporting_report.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,16 +10,13 @@
 
 #include "base/time/time.h"
 #include "base/unguessable_token.h"
+#include "base/values.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/reporting/reporting_endpoint.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/gurl.h"
 
-namespace base {
-class Value;
-}  // namespace base
-
 namespace net {
 
 // An undelivered report.
@@ -45,12 +42,12 @@ struct NET_EXPORT ReportingReport {
   // TODO(chlily): Remove |attempts| argument as it is (almost?) always 0.
   ReportingReport(
       const absl::optional<base::UnguessableToken>& reporting_source,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const GURL& url,
       const std::string& user_agent,
       const std::string& group,
       const std::string& type,
-      std::unique_ptr<const base::Value> body,
+      base::Value::Dict body,
       int depth,
       base::TimeTicks queued,
       int attempts);
@@ -87,9 +84,9 @@ struct NET_EXPORT ReportingReport {
   // (Not included in the delivered report.)
   absl::optional<base::UnguessableToken> reporting_source;
 
-  // The NIK of the request that triggered this report. (Not included in the
+  // The NAK of the request that triggered this report. (Not included in the
   // delivered report.)
-  NetworkIsolationKey network_isolation_key;
+  NetworkAnonymizationKey network_anonymization_key;
 
   // The id of the report, used by DevTools to identify and tell apart
   // individual reports.
@@ -110,7 +107,7 @@ struct NET_EXPORT ReportingReport {
   std::string type;
 
   // The body of the report. (Included in the delivered report.)
-  std::unique_ptr<const base::Value> body;
+  base::Value::Dict body;
 
   // How many uploads deep the related request was: 0 if the related request was
   // not an upload (or there was no related request), or n+1 if it was an upload
diff --git a/chromium/net/reporting/reporting_service.cc b/chromium/net/reporting/reporting_service.cc
index 02ed98a99b4..4c4fa2ccc85 100644
--- a/chromium/net/reporting/reporting_service.cc
+++ b/chromium/net/reporting/reporting_service.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -63,11 +63,12 @@ class ReportingServiceImpl : public ReportingService {
       const IsolationInfo& isolation_info,
       const base::flat_map<std::string, std::string>& endpoints) override {
     DCHECK(!reporting_source.is_empty());
-    DoOrBacklogTask(base::BindOnce(
-        &ReportingServiceImpl::DoSetDocumentReportingEndpoints,
-        base::Unretained(this), reporting_source, isolation_info,
-        FixupNetworkIsolationKey(isolation_info.network_isolation_key()),
-        origin, std::move(endpoints)));
+    DoOrBacklogTask(
+        base::BindOnce(&ReportingServiceImpl::DoSetDocumentReportingEndpoints,
+                       base::Unretained(this), reporting_source, isolation_info,
+                       FixupNetworkAnonymizationKey(
+                           isolation_info.network_anonymization_key()),
+                       origin, std::move(endpoints)));
   }
 
   void SendReportsAndRemoveSource(
@@ -80,7 +81,7 @@ class ReportingServiceImpl : public ReportingService {
   void QueueReport(
       const GURL& url,
       const absl::optional<base::UnguessableToken>& reporting_source,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const std::string& user_agent,
       const std::string& group,
       const std::string& type,
@@ -103,16 +104,18 @@ class ReportingServiceImpl : public ReportingService {
 
     // base::Unretained is safe because the callback is stored in
     // |task_backlog_| which will not outlive |this|.
-    DoOrBacklogTask(base::BindOnce(
-        &ReportingServiceImpl::DoQueueReport, base::Unretained(this),
-        reporting_source, FixupNetworkIsolationKey(network_isolation_key),
-        std::move(sanitized_url), user_agent, group, type, std::move(body),
-        depth, queued_ticks));
+    DoOrBacklogTask(
+        base::BindOnce(&ReportingServiceImpl::DoQueueReport,
+                       base::Unretained(this), reporting_source,
+                       FixupNetworkAnonymizationKey(network_anonymization_key),
+                       std::move(sanitized_url), user_agent, group, type,
+                       std::move(body), depth, queued_ticks));
   }
 
-  void ProcessReportToHeader(const url::Origin& origin,
-                             const NetworkIsolationKey& network_isolation_key,
-                             const std::string& header_string) override {
+  void ProcessReportToHeader(
+      const url::Origin& origin,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const std::string& header_string) override {
     if (header_string.size() > kMaxJsonSize)
       return;
 
@@ -124,7 +127,7 @@ class ReportingServiceImpl : public ReportingService {
     DVLOG(1) << "Received Reporting policy for " << origin;
     DoOrBacklogTask(base::BindOnce(
         &ReportingServiceImpl::DoProcessReportToHeader, base::Unretained(this),
-        FixupNetworkIsolationKey(network_isolation_key), origin,
+        FixupNetworkAnonymizationKey(network_anonymization_key), origin,
         std::move(header_value).value()));
   }
 
@@ -200,7 +203,7 @@ class ReportingServiceImpl : public ReportingService {
 
   void DoQueueReport(
       const absl::optional<base::UnguessableToken>& reporting_source,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       GURL sanitized_url,
       const std::string& user_agent,
       const std::string& group,
@@ -210,29 +213,31 @@ class ReportingServiceImpl : public ReportingService {
       base::TimeTicks queued_ticks) {
     DCHECK(initialized_);
     context_->cache()->AddReport(
-        reporting_source, network_isolation_key, sanitized_url, user_agent,
+        reporting_source, network_anonymization_key, sanitized_url, user_agent,
         group, type, std::move(body), depth, queued_ticks, 0 /* attempts */);
   }
 
-  void DoProcessReportToHeader(const NetworkIsolationKey& network_isolation_key,
-                               const url::Origin& origin,
-                               const base::Value& header_value) {
+  void DoProcessReportToHeader(
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::Origin& origin,
+      const base::Value& header_value) {
     DCHECK(initialized_);
     DCHECK(header_value.is_list());
-    ReportingHeaderParser::ParseReportToHeader(
-        context_.get(), network_isolation_key, origin, header_value.GetList());
+    ReportingHeaderParser::ParseReportToHeader(context_.get(),
+                                               network_anonymization_key,
+                                               origin, header_value.GetList());
   }
 
   void DoSetDocumentReportingEndpoints(
       const base::UnguessableToken& reporting_source,
       const IsolationInfo& isolation_info,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const url::Origin& origin,
       base::flat_map<std::string, std::string> header_value) {
     DCHECK(initialized_);
     ReportingHeaderParser::ProcessParsedReportingEndpointsHeader(
-        context_.get(), reporting_source, isolation_info, network_isolation_key,
-        origin, std::move(header_value));
+        context_.get(), reporting_source, isolation_info,
+        network_anonymization_key, origin, std::move(header_value));
   }
 
   void DoRemoveBrowsingData(
@@ -287,14 +292,15 @@ class ReportingServiceImpl : public ReportingService {
     ExecuteBacklog();
   }
 
-  // Returns either |network_isolation_key| or an empty NetworkIsolationKey,
-  // based on |respect_network_isolation_key_|. Should be used on all
-  // NetworkIsolationKeys passed in through public API calls.
-  const NetworkIsolationKey& FixupNetworkIsolationKey(
-      const NetworkIsolationKey& network_isolation_key) {
-    if (respect_network_isolation_key_)
-      return network_isolation_key;
-    return empty_nik_;
+  // Returns either |network_anonymization_key| or an empty
+  // NetworkAnonymizationKey, based on |respect_network_anonymization_key_|.
+  // Should be used on all NetworkAnonymizationKeys passed in through public API
+  // calls.
+  const NetworkAnonymizationKey& FixupNetworkAnonymizationKey(
+      const NetworkAnonymizationKey& network_anonymization_key) {
+    if (respect_network_anonymization_key_)
+      return network_anonymization_key;
+    return empty_nak_;
   }
 
   std::unique_ptr<ReportingContext> context_;
@@ -303,12 +309,12 @@ class ReportingServiceImpl : public ReportingService {
   bool initialized_ = false;
   std::vector<base::OnceClosure> task_backlog_;
 
-  bool respect_network_isolation_key_ = base::FeatureList::IsEnabled(
+  bool respect_network_anonymization_key_ = base::FeatureList::IsEnabled(
       features::kPartitionNelAndReportingByNetworkIsolationKey);
 
-  // Allows returning a NetworkIsolationKey by reference when
-  // |respect_network_isolation_key_| is false.
-  NetworkIsolationKey empty_nik_;
+  // Allows returning a NetworkAnonymizationKey by reference when
+  // |respect_network_anonymization_key_| is false.
+  NetworkAnonymizationKey empty_nak_;
 
   base::WeakPtrFactory<ReportingServiceImpl> weak_factory_{this};
 };
diff --git a/chromium/net/reporting/reporting_service.h b/chromium/net/reporting/reporting_service.h
index a473073a5bb..7bdae367612 100644
--- a/chromium/net/reporting/reporting_service.h
+++ b/chromium/net/reporting/reporting_service.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -29,7 +29,7 @@ class Origin;
 namespace net {
 
 class IsolationInfo;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class ReportingContext;
 struct ReportingPolicy;
 class URLRequestContext;
@@ -62,7 +62,7 @@ class NET_EXPORT ReportingService {
   // |reporting_source| is the reporting source token for the document or
   // worker which triggered this report, if it can be associated with one, or
   // nullopt otherwise. If present, it may not be empty.
-  // Along with |network_isolation_key|, it is used to restrict what reports
+  // Along with |network_anonymization_key|, it is used to restrict what reports
   // can be merged, and for sending the report.
   // |user_agent| is the User-Agent header that was used for the request.
   // |group| is the endpoint group to which the report should be delivered.
@@ -73,7 +73,7 @@ class NET_EXPORT ReportingService {
   virtual void QueueReport(
       const GURL& url,
       const absl::optional<base::UnguessableToken>& reporting_source,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const std::string& user_agent,
       const std::string& group,
       const std::string& type,
@@ -85,7 +85,7 @@ class NET_EXPORT ReportingService {
   // header.
   virtual void ProcessReportToHeader(
       const url::Origin& origin,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const std::string& header_value) = 0;
 
   // Configures reporting endpoints set by the Reporting-Endpoints header, once
diff --git a/chromium/net/reporting/reporting_service_unittest.cc b/chromium/net/reporting/reporting_service_unittest.cc
index 4307df3fbfa..1901b3897c7 100644
--- a/chromium/net/reporting/reporting_service_unittest.cc
+++ b/chromium/net/reporting/reporting_service_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,7 +15,7 @@
 #include "base/values.h"
 #include "net/base/features.h"
 #include "net/base/isolation_info.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/reporting/mock_persistent_reporting_store.h"
 #include "net/reporting/reporting_browsing_data_remover.h"
@@ -55,10 +55,11 @@ class ReportingServiceTest : public ::testing::TestWithParam<bool>,
   const std::string kType_ = "type";
   const absl::optional<base::UnguessableToken> kReportingSource_ =
       base::UnguessableToken::Create();
-  const NetworkIsolationKey kNik_ =
-      NetworkIsolationKey(SchemefulSite(kOrigin_), SchemefulSite(kOrigin_));
-  const NetworkIsolationKey kNik2_ =
-      NetworkIsolationKey(SchemefulSite(kOrigin2_), SchemefulSite(kOrigin2_));
+  const NetworkAnonymizationKey kNik_ =
+      NetworkAnonymizationKey(SchemefulSite(kOrigin_), SchemefulSite(kOrigin_));
+  const NetworkAnonymizationKey kNik2_ =
+      NetworkAnonymizationKey(SchemefulSite(kOrigin2_),
+                              SchemefulSite(kOrigin2_));
   const ReportingEndpointGroupKey kGroupKey_ =
       ReportingEndpointGroupKey(kNik_, kOrigin_, kGroup_);
   const ReportingEndpointGroupKey kGroupKey2_ =
@@ -120,7 +121,7 @@ TEST_P(ReportingServiceTest, QueueReport) {
   context()->cache()->GetReports(&reports);
   ASSERT_EQ(1u, reports.size());
   EXPECT_EQ(kUrl_, reports[0]->url);
-  EXPECT_EQ(kNik_, reports[0]->network_isolation_key);
+  EXPECT_EQ(kNik_, reports[0]->network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports[0]->user_agent);
   EXPECT_EQ(kGroup_, reports[0]->group);
   EXPECT_EQ(kType_, reports[0]->type);
@@ -137,7 +138,7 @@ TEST_P(ReportingServiceTest, QueueReportSanitizeUrl) {
   context()->cache()->GetReports(&reports);
   ASSERT_EQ(1u, reports.size());
   EXPECT_EQ(kUrl_, reports[0]->url);
-  EXPECT_EQ(kNik_, reports[0]->network_isolation_key);
+  EXPECT_EQ(kNik_, reports[0]->network_anonymization_key);
   EXPECT_EQ(kUserAgent_, reports[0]->user_agent);
   EXPECT_EQ(kGroup_, reports[0]->group);
   EXPECT_EQ(kType_, reports[0]->type);
@@ -171,9 +172,9 @@ TEST_P(ReportingServiceTest, QueueReportNetworkIsolationKeyDisabled) {
   context()->cache()->GetReports(&reports);
   ASSERT_EQ(1u, reports.size());
 
-  // NetworkIsolationKey should be empty, instead of kNik_;
-  EXPECT_EQ(NetworkIsolationKey(), reports[0]->network_isolation_key);
-  EXPECT_NE(kNik_, reports[0]->network_isolation_key);
+  // NetworkAnonymizationKey should be empty, instead of kNik_;
+  EXPECT_EQ(NetworkAnonymizationKey(), reports[0]->network_anonymization_key);
+  EXPECT_NE(kNik_, reports[0]->network_anonymization_key);
 
   EXPECT_EQ(kUrl_, reports[0]->url);
   EXPECT_EQ(kUserAgent_, reports[0]->user_agent);
@@ -215,7 +216,7 @@ TEST_P(ReportingServiceTest, ProcessReportingEndpointsHeader) {
   EXPECT_TRUE(cached_endpoint);
 
   // Ensure that the NIK is stored properly with the endpoint group.
-  EXPECT_FALSE(cached_endpoint.group_key.network_isolation_key.IsEmpty());
+  EXPECT_FALSE(cached_endpoint.group_key.network_anonymization_key.IsEmpty());
 }
 
 TEST_P(ReportingServiceTest,
@@ -243,7 +244,7 @@ TEST_P(ReportingServiceTest,
   EXPECT_TRUE(cached_endpoint);
 
   // When isolation is disabled, cached endpoints should have a null NIK.
-  EXPECT_TRUE(cached_endpoint.group_key.network_isolation_key.IsEmpty());
+  EXPECT_TRUE(cached_endpoint.group_key.network_anonymization_key.IsEmpty());
 }
 
 TEST_P(ReportingServiceTest, SendReportsAndRemoveSource) {
@@ -281,7 +282,16 @@ TEST_P(ReportingServiceTest, SendReportsAndRemoveSource) {
       context()->cache()->GetExpiredSources().contains(*kReportingSource_));
 }
 
-TEST_P(ReportingServiceTest, SendReportsAndRemoveSourceWithPendingReports) {
+// Flaky in ChromeOS: crbug.com/1356127
+#if BUILDFLAG(IS_CHROMEOS)
+#define MAYBE_SendReportsAndRemoveSourceWithPendingReports \
+  DISABLED_SendReportsAndRemoveSourceWithPendingReports
+#else
+#define MAYBE_SendReportsAndRemoveSourceWithPendingReports \
+  SendReportsAndRemoveSourceWithPendingReports
+#endif
+TEST_P(ReportingServiceTest,
+       MAYBE_SendReportsAndRemoveSourceWithPendingReports) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(net::features::kDocumentReporting);
   auto parsed_header =
@@ -416,7 +426,7 @@ TEST_P(ReportingServiceTest, ProcessReportToHeaderNetworkIsolationKeyDisabled) {
   EXPECT_FALSE(context()->cache()->GetEndpointForTesting(
       ReportingEndpointGroupKey(kNik_, kOrigin_, kGroup_), kEndpoint_));
   EXPECT_TRUE(context()->cache()->GetEndpointForTesting(
-      ReportingEndpointGroupKey(NetworkIsolationKey(), kOrigin_, kGroup_),
+      ReportingEndpointGroupKey(NetworkAnonymizationKey(), kOrigin_, kGroup_),
       kEndpoint_));
 }
 
diff --git a/chromium/net/reporting/reporting_test_util.cc b/chromium/net/reporting/reporting_test_util.cc
index f39c2820f46..bfe50890a65 100644
--- a/chromium/net/reporting/reporting_test_util.cc
+++ b/chromium/net/reporting/reporting_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@
 #include "base/test/simple_test_tick_clock.h"
 #include "base/timer/mock_timer.h"
 #include "net/base/isolation_info.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_context.h"
 #include "net/reporting/reporting_delegate.h"
@@ -313,14 +313,14 @@ TestReportingService::Report::Report(Report&& other) = default;
 
 TestReportingService::Report::Report(
     const GURL& url,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const std::string& user_agent,
     const std::string& group,
     const std::string& type,
     std::unique_ptr<const base::Value> body,
     int depth)
     : url(url),
-      network_isolation_key(network_isolation_key),
+      network_anonymization_key(network_anonymization_key),
       user_agent(user_agent),
       group(group),
       type(type),
@@ -336,20 +336,20 @@ TestReportingService::~TestReportingService() = default;
 void TestReportingService::QueueReport(
     const GURL& url,
     const absl::optional<base::UnguessableToken>& reporting_source,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const std::string& user_agent,
     const std::string& group,
     const std::string& type,
     base::Value::Dict body,
     int depth) {
   reports_.emplace_back(
-      Report(url, network_isolation_key, user_agent, group, type,
+      Report(url, network_anonymization_key, user_agent, group, type,
              std::make_unique<base::Value>(std::move(body)), depth));
 }
 
 void TestReportingService::ProcessReportToHeader(
     const url::Origin& origin,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const std::string& header_value) {
   NOTREACHED();
 }
diff --git a/chromium/net/reporting/reporting_test_util.h b/chromium/net/reporting/reporting_test_util.h
index f25577d3cee..61296c3dfcb 100644
--- a/chromium/net/reporting/reporting_test_util.h
+++ b/chromium/net/reporting/reporting_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,7 +14,7 @@
 #include "base/test/simple_test_clock.h"
 #include "base/test/simple_test_tick_clock.h"
 #include "base/unguessable_token.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/rand_callback.h"
 #include "net/reporting/reporting_cache.h"
 #include "net/reporting/reporting_context.h"
@@ -303,7 +303,7 @@ class TestReportingService : public ReportingService {
     Report(Report&& other);
 
     Report(const GURL& url,
-           const NetworkIsolationKey& network_isolation_key,
+           const NetworkAnonymizationKey& network_anonymization_key,
            const std::string& user_agent,
            const std::string& group,
            const std::string& type,
@@ -313,7 +313,7 @@ class TestReportingService : public ReportingService {
     ~Report();
 
     GURL url;
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
     std::string user_agent;
     std::string group;
     std::string type;
@@ -344,16 +344,17 @@ class TestReportingService : public ReportingService {
   void QueueReport(
       const GURL& url,
       const absl::optional<base::UnguessableToken>& reporting_source,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       const std::string& user_agent,
       const std::string& group,
       const std::string& type,
       base::Value::Dict body,
       int depth) override;
 
-  void ProcessReportToHeader(const url::Origin& url,
-                             const NetworkIsolationKey& network_isolation_key,
-                             const std::string& header_value) override;
+  void ProcessReportToHeader(
+      const url::Origin& url,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const std::string& header_value) override;
 
   void RemoveBrowsingData(
       uint64_t data_type_mask,
diff --git a/chromium/net/reporting/reporting_uploader.cc b/chromium/net/reporting/reporting_uploader.cc
index 3aa46ce7a8e..d7df44ded23 100644
--- a/chromium/net/reporting/reporting_uploader.cc
+++ b/chromium/net/reporting/reporting_uploader.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,7 +15,7 @@
 #include "net/base/elements_upload_data_stream.h"
 #include "net/base/isolation_info.h"
 #include "net/base/load_flags.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/upload_bytes_element_reader.h"
 #include "net/http/http_response_headers.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
@@ -200,11 +200,12 @@ class ReportingUploaderImpl : public ReportingUploader, URLRequest::Delegate {
     upload->request->set_site_for_cookies(
         upload->isolation_info.site_for_cookies());
     // Prior to using `isolation_info` directly here we built the
-    // `upload->network_isolation_key` to create the set the `isolation_info`.
-    // As experiments roll out to determine whether network partitions should be
-    // double or triple keyed the isolation_info might have a null value for
-    // `frame_origin`. Thus we should again get it from `network_isolation_key`
-    // until we can trust `isolation_info::frame_origin`.
+    // `upload->network_anonymization_key` to create the set the
+    // `isolation_info`. As experiments roll out to determine whether network
+    // partitions should be double or triple keyed the isolation_info might have
+    // a null value for `frame_origin`. Thus we should again get it from
+    // `network_anonymization_key` until we can trust
+    // `isolation_info::frame_origin`.
     upload->request->set_initiator(upload->report_origin);
     upload->request->set_isolation_info(upload->isolation_info);
 
diff --git a/chromium/net/reporting/reporting_uploader.h b/chromium/net/reporting/reporting_uploader.h
index 7749cd54e69..5466773d9b9 100644
--- a/chromium/net/reporting/reporting_uploader.h
+++ b/chromium/net/reporting/reporting_uploader.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/reporting/reporting_uploader_unittest.cc b/chromium/net/reporting/reporting_uploader_unittest.cc
index c4147003914..b8b4ed4ac6f 100644
--- a/chromium/net/reporting/reporting_uploader_unittest.cc
+++ b/chromium/net/reporting/reporting_uploader_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -13,7 +13,7 @@
 #include "base/run_loop.h"
 #include "base/test/scoped_feature_list.h"
 #include "net/base/features.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/cookies/cookie_access_result.h"
 #include "net/cookies/cookie_store.h"
@@ -621,14 +621,14 @@ TEST_F(ReportingUploaderTest, DontCacheResponse) {
   EXPECT_EQ(2, request_count);
 }
 
-// Create two requests with the same NetworkIsolationKey, and one request with a
-// different one, and make sure only the requests with the same
-// NetworkIsolationKey share a socket.
-TEST_F(ReportingUploaderTest, RespectsNetworkIsolationKey) {
+// Create two requests with the same NetworkAnonymizationKey, and one request
+// with a different one, and make sure only the requests with the same
+// NetworkAnonymizationKey share a socket.
+TEST_F(ReportingUploaderTest, RespectsNetworkAnonymizationKey) {
   // While features::kPartitionConnectionsByNetworkIsolationKey is not needed
-  // for reporting code to respect NetworkIsolationKeys, this test works by
-  // ensuring that Reporting's NetworkIsolationKey makes it to the socket pool
-  // layer and is respected there, so this test needs to enable
+  // for reporting code to respect NetworkAnonymizationKey, this test works by
+  // ensuring that Reporting's NetworkAnonymizationKey makes it to the socket
+  // pool layer and is respected there, so this test needs to enable
   // kPartitionConnectionsByNetworkIsolationKey.
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
@@ -720,8 +720,8 @@ TEST_F(ReportingUploaderTest, RespectsNetworkIsolationKey) {
   EXPECT_EQ(ReportingUploader::Outcome::SUCCESS, callback1.outcome());
 
   // Start two more requests in parallel. The first started uses a different
-  // NetworkIsolationKey, so should create a new socket, while the second one
-  // gets the other socket. Start in parallel to make sure that a new socket
+  // NetworkAnonymizationKey, so should create a new socket, while the second
+  // one gets the other socket. Start in parallel to make sure that a new socket
   // isn't created just because the first is returned to the socket pool
   // asynchronously.
   TestUploadCallback callback2;
diff --git a/chromium/net/server/BUILD.gn b/chromium/net/server/BUILD.gn
index fb3d3ffb55e..5fb821885a5 100644
--- a/chromium/net/server/BUILD.gn
+++ b/chromium/net/server/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2018 The Chromium Authors. All rights reserved.
+# Copyright 2018 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/server/http_connection.cc b/chromium/net/server/http_connection.cc
index b57e1a357fc..0fee0cc7003 100644
--- a/chromium/net/server/http_connection.cc
+++ b/chromium/net/server/http_connection.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_connection.h b/chromium/net/server/http_connection.h
index 9167f82effd..af20e3898d4 100644
--- a/chromium/net/server/http_connection.h
+++ b/chromium/net/server/http_connection.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_connection_unittest.cc b/chromium/net/server/http_connection_unittest.cc
index d1eb56147b1..4077bc45088 100644
--- a/chromium/net/server/http_connection_unittest.cc
+++ b/chromium/net/server/http_connection_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_server.cc b/chromium/net/server/http_server.cc
index b9a556ee1d6..110e8f537c4 100644
--- a/chromium/net/server/http_server.cc
+++ b/chromium/net/server/http_server.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_server.h b/chromium/net/server/http_server.h
index 4aece408326..dc5d323924f 100644
--- a/chromium/net/server/http_server.h
+++ b/chromium/net/server/http_server.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_server_fuzzer.cc b/chromium/net/server/http_server_fuzzer.cc
index b091cc7c193..8495842d8c5 100644
--- a/chromium/net/server/http_server_fuzzer.cc
+++ b/chromium/net/server/http_server_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_server_request_info.cc b/chromium/net/server/http_server_request_info.cc
index 3274b3928b4..3bbdba0e5b6 100644
--- a/chromium/net/server/http_server_request_info.cc
+++ b/chromium/net/server/http_server_request_info.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_server_request_info.h b/chromium/net/server/http_server_request_info.h
index 9eeb10d70ca..1d221de03a8 100644
--- a/chromium/net/server/http_server_request_info.h
+++ b/chromium/net/server/http_server_request_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_server_response_info.cc b/chromium/net/server/http_server_response_info.cc
index 5d8d4512d31..db39bf092d1 100644
--- a/chromium/net/server/http_server_response_info.cc
+++ b/chromium/net/server/http_server_response_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_server_response_info.h b/chromium/net/server/http_server_response_info.h
index c2451e8d91e..d20b7496762 100644
--- a/chromium/net/server/http_server_response_info.h
+++ b/chromium/net/server/http_server_response_info.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_server_response_info_unittest.cc b/chromium/net/server/http_server_response_info_unittest.cc
index f7b8e251d34..de6e783955a 100644
--- a/chromium/net/server/http_server_response_info_unittest.cc
+++ b/chromium/net/server/http_server_response_info_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/http_server_unittest.cc b/chromium/net/server/http_server_unittest.cc
index 3e1fdc6c9e1..8717513aa79 100644
--- a/chromium/net/server/http_server_unittest.cc
+++ b/chromium/net/server/http_server_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/web_socket.cc b/chromium/net/server/web_socket.cc
index c4155cb7c8b..fc3d78d97cf 100644
--- a/chromium/net/server/web_socket.cc
+++ b/chromium/net/server/web_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/web_socket.h b/chromium/net/server/web_socket.h
index ce53804e642..d1a05eb6d0f 100644
--- a/chromium/net/server/web_socket.h
+++ b/chromium/net/server/web_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/web_socket_encoder.cc b/chromium/net/server/web_socket_encoder.cc
index a70e587861a..ed8179d0554 100644
--- a/chromium/net/server/web_socket_encoder.cc
+++ b/chromium/net/server/web_socket_encoder.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/web_socket_encoder.h b/chromium/net/server/web_socket_encoder.h
index 66b3d7a51eb..f385cbd525e 100644
--- a/chromium/net/server/web_socket_encoder.h
+++ b/chromium/net/server/web_socket_encoder.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/server/web_socket_encoder_unittest.cc b/chromium/net/server/web_socket_encoder_unittest.cc
index 0120ea319ac..202564531c2 100644
--- a/chromium/net/server/web_socket_encoder_unittest.cc
+++ b/chromium/net/server/web_socket_encoder_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -403,7 +403,7 @@ TEST_F(WebSocketEncoderCompressionTest, LongFrame) {
   frame.reserve(length);
   for (int i = 0; i < length; ++i) {
     int64_t j = i;
-    frame += temp.data()[(j * j) % length];
+    frame += temp[(j * j) % length];
   }
 
   int mask = 0;
diff --git a/chromium/net/socket/client_socket_factory.cc b/chromium/net/socket/client_socket_factory.cc
index 02d58f67c44..89a154fd682 100644
--- a/chromium/net/socket/client_socket_factory.cc
+++ b/chromium/net/socket/client_socket_factory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/client_socket_factory.h b/chromium/net/socket/client_socket_factory.h
index 1eb8214e89f..bae3308784a 100644
--- a/chromium/net/socket/client_socket_factory.h
+++ b/chromium/net/socket/client_socket_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/client_socket_handle.cc b/chromium/net/socket/client_socket_handle.cc
index 3204f6ea077..e0534344c61 100644
--- a/chromium/net/socket/client_socket_handle.cc
+++ b/chromium/net/socket/client_socket_handle.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/client_socket_handle.h b/chromium/net/socket/client_socket_handle.h
index eeb969249b8..a035cb5039f 100644
--- a/chromium/net/socket/client_socket_handle.h
+++ b/chromium/net/socket/client_socket_handle.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/client_socket_pool.cc b/chromium/net/socket/client_socket_pool.cc
index 2bf7964a8a0..85310958853 100644
--- a/chromium/net/socket/client_socket_pool.cc
+++ b/chromium/net/socket/client_socket_pool.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -46,14 +46,15 @@ OnHostResolutionCallbackResult OnHostResolution(
     const SpdySessionKey& spdy_session_key,
     bool is_for_websockets,
     const HostPortPair& host_port_pair,
-    const AddressList& addresses) {
+    const std::vector<HostResolverEndpointResult>& endpoint_results,
+    const std::set<std::string>& aliases) {
   DCHECK(host_port_pair == spdy_session_key.host_port_pair());
 
   // It is OK to dereference spdy_session_pool, because the
   // ClientSocketPoolManager will be destroyed in the same callback that
   // destroys the SpdySessionPool.
   return spdy_session_pool->OnHostResolutionComplete(
-      spdy_session_key, is_for_websockets, addresses);
+      spdy_session_key, is_for_websockets, endpoint_results, aliases);
 }
 
 }  // namespace
@@ -75,17 +76,18 @@ ClientSocketPool::SocketParams::CreateForHttpForTesting() {
 ClientSocketPool::GroupId::GroupId()
     : privacy_mode_(PrivacyMode::PRIVACY_MODE_DISABLED) {}
 
-ClientSocketPool::GroupId::GroupId(url::SchemeHostPort destination,
-                                   PrivacyMode privacy_mode,
-                                   NetworkIsolationKey network_isolation_key,
-                                   SecureDnsPolicy secure_dns_policy)
+ClientSocketPool::GroupId::GroupId(
+    url::SchemeHostPort destination,
+    PrivacyMode privacy_mode,
+    NetworkAnonymizationKey network_anonymization_key,
+    SecureDnsPolicy secure_dns_policy)
     : destination_(std::move(destination)),
       privacy_mode_(privacy_mode),
-      network_isolation_key_(
+      network_anonymization_key_(
           base::FeatureList::IsEnabled(
               features::kPartitionConnectionsByNetworkIsolationKey)
-              ? std::move(network_isolation_key)
-              : NetworkIsolationKey()),
+              ? std::move(network_anonymization_key)
+              : NetworkAnonymizationKey()),
       secure_dns_policy_(secure_dns_policy) {
   DCHECK(destination_.IsValid());
 
@@ -114,7 +116,7 @@ std::string ClientSocketPool::GroupId::ToString() const {
   if (base::FeatureList::IsEnabled(
           features::kPartitionConnectionsByNetworkIsolationKey)) {
     result += " <";
-    result += network_isolation_key_.ToDebugString();
+    result += network_anonymization_key_.ToDebugString();
     result += ">";
   }
 
@@ -187,7 +189,7 @@ std::unique_ptr<ConnectJob> ClientSocketPool::CreateConnectJob(
         SpdySessionKey(HostPortPair::FromSchemeHostPort(group_id.destination()),
                        proxy_server, group_id.privacy_mode(),
                        SpdySessionKey::IsProxySession::kFalse, socket_tag,
-                       group_id.network_isolation_key(),
+                       group_id.network_anonymization_key(),
                        group_id.secure_dns_policy()),
         is_for_websockets_);
   } else if (proxy_server.is_https()) {
@@ -196,7 +198,7 @@ std::unique_ptr<ConnectJob> ClientSocketPool::CreateConnectJob(
         SpdySessionKey(proxy_server.host_port_pair(), ProxyServer::Direct(),
                        group_id.privacy_mode(),
                        SpdySessionKey::IsProxySession::kTrue, socket_tag,
-                       group_id.network_isolation_key(),
+                       group_id.network_anonymization_key(),
                        group_id.secure_dns_policy()),
         is_for_websockets_);
   }
@@ -206,7 +208,7 @@ std::unique_ptr<ConnectJob> ClientSocketPool::CreateConnectJob(
       socket_params->ssl_config_for_origin(),
       socket_params->ssl_config_for_proxy(), is_for_websockets_,
       group_id.privacy_mode(), resolution_callback, request_priority,
-      socket_tag, group_id.network_isolation_key(),
+      socket_tag, group_id.network_anonymization_key(),
       group_id.secure_dns_policy(), common_connect_job_params_, delegate);
 }
 
diff --git a/chromium/net/socket/client_socket_pool.h b/chromium/net/socket/client_socket_pool.h
index d91478a45d7..4fa42456511 100644
--- a/chromium/net/socket/client_socket_pool.h
+++ b/chromium/net/socket/client_socket_pool.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,7 +15,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/load_states.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/request_priority.h"
 #include "net/dns/host_resolver.h"
@@ -99,7 +99,7 @@ class NET_EXPORT ClientSocketPool : public LowerLayeredPool {
     GroupId();
     GroupId(url::SchemeHostPort destination,
             PrivacyMode privacy_mode,
-            NetworkIsolationKey network_isolation_key,
+            NetworkAnonymizationKey network_anonymization_key,
             SecureDnsPolicy secure_dns_policy);
     GroupId(const GroupId& group_id);
 
@@ -112,8 +112,8 @@ class NET_EXPORT ClientSocketPool : public LowerLayeredPool {
 
     PrivacyMode privacy_mode() const { return privacy_mode_; }
 
-    const NetworkIsolationKey& network_isolation_key() const {
-      return network_isolation_key_;
+    const NetworkAnonymizationKey& network_anonymization_key() const {
+      return network_anonymization_key_;
     }
 
     SecureDnsPolicy secure_dns_policy() const { return secure_dns_policy_; }
@@ -122,17 +122,19 @@ class NET_EXPORT ClientSocketPool : public LowerLayeredPool {
     std::string ToString() const;
 
     bool operator==(const GroupId& other) const {
-      return std::tie(destination_, privacy_mode_, network_isolation_key_,
+      return std::tie(destination_, privacy_mode_, network_anonymization_key_,
                       secure_dns_policy_) ==
              std::tie(other.destination_, other.privacy_mode_,
-                      other.network_isolation_key_, other.secure_dns_policy_);
+                      other.network_anonymization_key_,
+                      other.secure_dns_policy_);
     }
 
     bool operator<(const GroupId& other) const {
-      return std::tie(destination_, privacy_mode_, network_isolation_key_,
+      return std::tie(destination_, privacy_mode_, network_anonymization_key_,
                       secure_dns_policy_) <
              std::tie(other.destination_, other.privacy_mode_,
-                      other.network_isolation_key_, other.secure_dns_policy_);
+                      other.network_anonymization_key_,
+                      other.secure_dns_policy_);
     }
 
    private:
@@ -143,7 +145,7 @@ class NET_EXPORT ClientSocketPool : public LowerLayeredPool {
     PrivacyMode privacy_mode_;
 
     // Used to separate requests made in different contexts.
-    NetworkIsolationKey network_isolation_key_;
+    NetworkAnonymizationKey network_anonymization_key_;
 
     // Controls the Secure DNS behavior to use when creating this socket.
     SecureDnsPolicy secure_dns_policy_;
diff --git a/chromium/net/socket/client_socket_pool_base_unittest.cc b/chromium/net/socket/client_socket_pool_base_unittest.cc
index b41b2daeeb1..1b780a7d5c9 100644
--- a/chromium/net/socket/client_socket_pool_base_unittest.cc
+++ b/chromium/net/socket/client_socket_pool_base_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -30,7 +30,7 @@
 #include "net/base/load_timing_info.h"
 #include "net/base/load_timing_info_test_util.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/proxy_server.h"
 #include "net/base/proxy_string_util.h"
@@ -88,9 +88,10 @@ ClientSocketPool::GroupId TestGroupId(
     int port = 80,
     base::StringPiece scheme = url::kHttpScheme,
     PrivacyMode privacy_mode = PrivacyMode::PRIVACY_MODE_DISABLED,
-    NetworkIsolationKey network_isolation_key = NetworkIsolationKey()) {
+    NetworkAnonymizationKey network_anonymization_key =
+        NetworkAnonymizationKey()) {
   return ClientSocketPool::GroupId(url::SchemeHostPort(scheme, host, port),
-                                   privacy_mode, network_isolation_key,
+                                   privacy_mode, network_anonymization_key,
                                    SecureDnsPolicy::kAllow);
 }
 
@@ -552,7 +553,7 @@ class TestConnectJobFactory : public ConnectJobFactory {
       const OnHostResolutionCallback& resolution_callback,
       RequestPriority request_priority,
       SocketTag socket_tag,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       SecureDnsPolicy secure_dns_policy,
       const CommonConnectJobParams* common_connect_job_params,
       ConnectJob::Delegate* delegate) const override {
@@ -856,9 +857,9 @@ TEST_F(ClientSocketPoolBaseTest, GroupSeparation) {
 
   const SchemefulSite kSiteA(GURL("http://a.test/"));
   const SchemefulSite kSiteB(GURL("http://b.test/"));
-  const NetworkIsolationKey kNetworkIsolationKeys[] = {
-      NetworkIsolationKey(kSiteA, kSiteA),
-      NetworkIsolationKey(kSiteB, kSiteB),
+  const NetworkAnonymizationKey kNetworkAnonymizationKeys[] = {
+      NetworkAnonymizationKey(kSiteA, kSiteA, /*is_cross_site=*/false),
+      NetworkAnonymizationKey(kSiteB, kSiteB, /*is_cross_site=*/false),
   };
 
   const SecureDnsPolicy kSecureDnsPolicys[] = {SecureDnsPolicy::kAllow,
@@ -874,8 +875,9 @@ TEST_F(ClientSocketPoolBaseTest, GroupSeparation) {
       SCOPED_TRACE(scheme);
       for (const auto& privacy_mode : kPrivacyModes) {
         SCOPED_TRACE(privacy_mode);
-        for (const auto& network_isolation_key : kNetworkIsolationKeys) {
-          SCOPED_TRACE(network_isolation_key.ToDebugString());
+        for (const auto& network_anonymization_key :
+             kNetworkAnonymizationKeys) {
+          SCOPED_TRACE(network_anonymization_key.ToDebugString());
           for (const auto& secure_dns_policy : kSecureDnsPolicys) {
             SCOPED_TRACE(static_cast<int>(secure_dns_policy));
 
@@ -884,7 +886,7 @@ TEST_F(ClientSocketPoolBaseTest, GroupSeparation) {
             ClientSocketPool::GroupId group_id(
                 url::SchemeHostPort(scheme, host_port_pair.host(),
                                     host_port_pair.port()),
-                privacy_mode, network_isolation_key, secure_dns_policy);
+                privacy_mode, network_anonymization_key, secure_dns_policy);
 
             EXPECT_FALSE(pool_->HasGroupForTesting(group_id));
 
@@ -5738,12 +5740,13 @@ class ClientSocketPoolBaseRefreshTest
 
   static ClientSocketPool::GroupId GetGroupIdInPartition() {
     // Note this GroupId will match GetGroupId() unless
-    // kPartitionConnectionsByNetworkIsolationKey is enabled.
+    // kPartitionConnectionsByNetworkAnonymizationKey is enabled.
     const SchemefulSite kSite(GURL("https://b/"));
-    const NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
+    const NetworkAnonymizationKey kNetworkAnonymizationKey(
+        kSite, kSite, /*is_cross_site=*/false);
     return TestGroupId("a", 443, url::kHttpsScheme,
                        PrivacyMode::PRIVACY_MODE_DISABLED,
-                       kNetworkIsolationKey);
+                       kNetworkAnonymizationKey);
   }
 
   void OnSSLConfigForServerChanged() {
diff --git a/chromium/net/socket/client_socket_pool_manager.cc b/chromium/net/socket/client_socket_pool_manager.cc
index 3d896b83a56..521ebc8f502 100644
--- a/chromium/net/socket/client_socket_pool_manager.cc
+++ b/chromium/net/socket/client_socket_pool_manager.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -94,7 +94,7 @@ int InitSocketPoolHelper(
     const SSLConfig& ssl_config_for_proxy,
     bool is_for_websockets,
     PrivacyMode privacy_mode,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     SecureDnsPolicy secure_dns_policy,
     const SocketTag& socket_tag,
     const NetLogWithSource& net_log,
@@ -114,9 +114,9 @@ int InitSocketPoolHelper(
                                    session->params().testing_fixed_https_port);
   }
 
-  ClientSocketPool::GroupId connection_group(std::move(endpoint), privacy_mode,
-                                             std::move(network_isolation_key),
-                                             secure_dns_policy);
+  ClientSocketPool::GroupId connection_group(
+      std::move(endpoint), privacy_mode, std::move(network_anonymization_key),
+      secure_dns_policy);
   scoped_refptr<ClientSocketPool::SocketParams> socket_params =
       CreateSocketParams(connection_group, proxy_info.proxy_server(),
                          ssl_config_for_origin, ssl_config_for_proxy);
@@ -228,7 +228,7 @@ int InitSocketHandleForHttpRequest(
     const SSLConfig& ssl_config_for_origin,
     const SSLConfig& ssl_config_for_proxy,
     PrivacyMode privacy_mode,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     SecureDnsPolicy secure_dns_policy,
     const SocketTag& socket_tag,
     const NetLogWithSource& net_log,
@@ -240,8 +240,8 @@ int InitSocketHandleForHttpRequest(
       std::move(endpoint), request_load_flags, request_priority, session,
       proxy_info, ssl_config_for_origin, ssl_config_for_proxy,
       false /* is_for_websockets */, privacy_mode,
-      std::move(network_isolation_key), secure_dns_policy, socket_tag, net_log,
-      0, socket_handle, HttpNetworkSession::NORMAL_SOCKET_POOL,
+      std::move(network_anonymization_key), secure_dns_policy, socket_tag,
+      net_log, 0, socket_handle, HttpNetworkSession::NORMAL_SOCKET_POOL,
       std::move(callback), proxy_auth_callback);
 }
 
@@ -254,7 +254,7 @@ int InitSocketHandleForWebSocketRequest(
     const SSLConfig& ssl_config_for_origin,
     const SSLConfig& ssl_config_for_proxy,
     PrivacyMode privacy_mode,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     const NetLogWithSource& net_log,
     ClientSocketHandle* socket_handle,
     CompletionOnceCallback callback,
@@ -273,24 +273,26 @@ int InitSocketHandleForWebSocketRequest(
       std::move(endpoint), request_load_flags, request_priority, session,
       proxy_info, ssl_config_for_origin, ssl_config_for_proxy,
       true /* is_for_websockets */, privacy_mode,
-      std::move(network_isolation_key), SecureDnsPolicy::kAllow, SocketTag(),
-      net_log, 0, socket_handle, HttpNetworkSession::WEBSOCKET_SOCKET_POOL,
-      std::move(callback), proxy_auth_callback);
+      std::move(network_anonymization_key), SecureDnsPolicy::kAllow,
+      SocketTag(), net_log, 0, socket_handle,
+      HttpNetworkSession::WEBSOCKET_SOCKET_POOL, std::move(callback),
+      proxy_auth_callback);
 }
 
-int PreconnectSocketsForHttpRequest(url::SchemeHostPort endpoint,
-                                    int request_load_flags,
-                                    RequestPriority request_priority,
-                                    HttpNetworkSession* session,
-                                    const ProxyInfo& proxy_info,
-                                    const SSLConfig& ssl_config_for_origin,
-                                    const SSLConfig& ssl_config_for_proxy,
-                                    PrivacyMode privacy_mode,
-                                    NetworkIsolationKey network_isolation_key,
-                                    SecureDnsPolicy secure_dns_policy,
-                                    const NetLogWithSource& net_log,
-                                    int num_preconnect_streams,
-                                    CompletionOnceCallback callback) {
+int PreconnectSocketsForHttpRequest(
+    url::SchemeHostPort endpoint,
+    int request_load_flags,
+    RequestPriority request_priority,
+    HttpNetworkSession* session,
+    const ProxyInfo& proxy_info,
+    const SSLConfig& ssl_config_for_origin,
+    const SSLConfig& ssl_config_for_proxy,
+    PrivacyMode privacy_mode,
+    NetworkAnonymizationKey network_anonymization_key,
+    SecureDnsPolicy secure_dns_policy,
+    const NetLogWithSource& net_log,
+    int num_preconnect_streams,
+    CompletionOnceCallback callback) {
   // QUIC proxies are currently not supported through this method.
   DCHECK(!proxy_info.is_quic());
 
@@ -302,8 +304,9 @@ int PreconnectSocketsForHttpRequest(url::SchemeHostPort endpoint,
   return InitSocketPoolHelper(
       std::move(endpoint), request_load_flags, request_priority, session,
       proxy_info, ssl_config_for_origin, ssl_config_for_proxy,
-      false /* force_tunnel */, privacy_mode, std::move(network_isolation_key),
-      secure_dns_policy, SocketTag(), net_log, num_preconnect_streams, nullptr,
+      false /* force_tunnel */, privacy_mode,
+      std::move(network_anonymization_key), secure_dns_policy, SocketTag(),
+      net_log, num_preconnect_streams, nullptr,
       HttpNetworkSession::NORMAL_SOCKET_POOL, std::move(callback),
       ClientSocketPool::ProxyAuthCallback());
 }
diff --git a/chromium/net/socket/client_socket_pool_manager.h b/chromium/net/socket/client_socket_pool_manager.h
index 8ce5d566466..cb0f0e9eaf2 100644
--- a/chromium/net/socket/client_socket_pool_manager.h
+++ b/chromium/net/socket/client_socket_pool_manager.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
@@ -22,7 +22,7 @@ namespace net {
 
 class ClientSocketHandle;
 class NetLogWithSource;
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class ProxyInfo;
 class ProxyServer;
 
@@ -88,7 +88,7 @@ int InitSocketHandleForHttpRequest(
     const SSLConfig& ssl_config_for_origin,
     const SSLConfig& ssl_config_for_proxy,
     PrivacyMode privacy_mode,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     SecureDnsPolicy secure_dns_policy,
     const SocketTag& socket_tag,
     const NetLogWithSource& net_log,
@@ -114,7 +114,7 @@ int InitSocketHandleForWebSocketRequest(
     const SSLConfig& ssl_config_for_origin,
     const SSLConfig& ssl_config_for_proxy,
     PrivacyMode privacy_mode,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     const NetLogWithSource& net_log,
     ClientSocketHandle* socket_handle,
     CompletionOnceCallback callback,
@@ -122,19 +122,20 @@ int InitSocketHandleForWebSocketRequest(
 
 // Similar to InitSocketHandleForHttpRequest except that it initiates the
 // desired number of preconnect streams from the relevant socket pool.
-int PreconnectSocketsForHttpRequest(url::SchemeHostPort endpoint,
-                                    int request_load_flags,
-                                    RequestPriority request_priority,
-                                    HttpNetworkSession* session,
-                                    const ProxyInfo& proxy_info,
-                                    const SSLConfig& ssl_config_for_origin,
-                                    const SSLConfig& ssl_config_for_proxy,
-                                    PrivacyMode privacy_mode,
-                                    NetworkIsolationKey network_isolation_key,
-                                    SecureDnsPolicy secure_dns_policy,
-                                    const NetLogWithSource& net_log,
-                                    int num_preconnect_streams,
-                                    CompletionOnceCallback callback);
+int PreconnectSocketsForHttpRequest(
+    url::SchemeHostPort endpoint,
+    int request_load_flags,
+    RequestPriority request_priority,
+    HttpNetworkSession* session,
+    const ProxyInfo& proxy_info,
+    const SSLConfig& ssl_config_for_origin,
+    const SSLConfig& ssl_config_for_proxy,
+    PrivacyMode privacy_mode,
+    NetworkAnonymizationKey network_anonymization_key,
+    SecureDnsPolicy secure_dns_policy,
+    const NetLogWithSource& net_log,
+    int num_preconnect_streams,
+    CompletionOnceCallback callback);
 
 }  // namespace net
 
diff --git a/chromium/net/socket/client_socket_pool_manager_impl.cc b/chromium/net/socket/client_socket_pool_manager_impl.cc
index 4ba9a0532cb..530f49cd221 100644
--- a/chromium/net/socket/client_socket_pool_manager_impl.cc
+++ b/chromium/net/socket/client_socket_pool_manager_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/client_socket_pool_manager_impl.h b/chromium/net/socket/client_socket_pool_manager_impl.h
index 925e16c53ce..0ed1c75a8e7 100644
--- a/chromium/net/socket/client_socket_pool_manager_impl.h
+++ b/chromium/net/socket/client_socket_pool_manager_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/client_socket_pool_unittest.cc b/chromium/net/socket/client_socket_pool_unittest.cc
index 462467a8518..421b781aa54 100644
--- a/chromium/net/socket/client_socket_pool_unittest.cc
+++ b/chromium/net/socket/client_socket_pool_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,7 @@
 #include "base/test/scoped_feature_list.h"
 #include "net/base/features.h"
 #include "net/base/host_port_pair.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/schemeful_site.h"
 #include "net/dns/public/secure_dns_policy.h"
@@ -55,9 +55,9 @@ TEST(ClientSocketPool, GroupIdOperators) {
 
   const SchemefulSite kSiteA(GURL("http://a.test/"));
   const SchemefulSite kSiteB(GURL("http://b.test/"));
-  const NetworkIsolationKey kNetworkIsolationKeys[] = {
-      NetworkIsolationKey(kSiteA, kSiteA),
-      NetworkIsolationKey(kSiteB, kSiteB),
+  const NetworkAnonymizationKey kNetworkAnonymizationKeys[] = {
+      NetworkAnonymizationKey(kSiteA, kSiteA, /*is_cross_site=*/false),
+      NetworkAnonymizationKey(kSiteB, kSiteB, /*is_cross_site=*/false),
   };
 
   const SecureDnsPolicy kDisableSecureDnsValues[] = {SecureDnsPolicy::kAllow,
@@ -76,12 +76,13 @@ TEST(ClientSocketPool, GroupIdOperators) {
         SCOPED_TRACE(host);
         for (const auto& privacy_mode : kPrivacyModes) {
           SCOPED_TRACE(privacy_mode);
-          for (const auto& network_isolation_key : kNetworkIsolationKeys) {
-            SCOPED_TRACE(network_isolation_key.ToDebugString());
+          for (const auto& network_anonymization_key :
+               kNetworkAnonymizationKeys) {
+            SCOPED_TRACE(network_anonymization_key.ToDebugString());
             for (const auto& secure_dns_policy : kDisableSecureDnsValues) {
               ClientSocketPool::GroupId group_id(
                   url::SchemeHostPort(scheme, host, port), privacy_mode,
-                  network_isolation_key, secure_dns_policy);
+                  network_anonymization_key, secure_dns_policy);
               for (const auto& lower_group_id : group_ids) {
                 EXPECT_FALSE(lower_group_id == group_id);
                 EXPECT_TRUE(lower_group_id < group_id);
@@ -112,38 +113,38 @@ TEST(ClientSocketPool, GroupIdToString) {
   EXPECT_EQ("http://foo <null null>",
             ClientSocketPool::GroupId(
                 url::SchemeHostPort(url::kHttpScheme, "foo", 80),
-                PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+                PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
                 SecureDnsPolicy::kAllow)
                 .ToString());
   EXPECT_EQ("http://bar:443 <null null>",
             ClientSocketPool::GroupId(
                 url::SchemeHostPort(url::kHttpScheme, "bar", 443),
-                PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+                PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
                 SecureDnsPolicy::kAllow)
                 .ToString());
   EXPECT_EQ("pm/http://bar <null null>",
             ClientSocketPool::GroupId(
                 url::SchemeHostPort(url::kHttpScheme, "bar", 80),
-                PrivacyMode::PRIVACY_MODE_ENABLED, NetworkIsolationKey(),
+                PrivacyMode::PRIVACY_MODE_ENABLED, NetworkAnonymizationKey(),
                 SecureDnsPolicy::kAllow)
                 .ToString());
 
   EXPECT_EQ("https://foo:80 <null null>",
             ClientSocketPool::GroupId(
                 url::SchemeHostPort(url::kHttpsScheme, "foo", 80),
-                PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+                PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
                 SecureDnsPolicy::kAllow)
                 .ToString());
   EXPECT_EQ("https://bar <null null>",
             ClientSocketPool::GroupId(
                 url::SchemeHostPort(url::kHttpsScheme, "bar", 443),
-                PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+                PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
                 SecureDnsPolicy::kAllow)
                 .ToString());
   EXPECT_EQ("pm/https://bar:80 <null null>",
             ClientSocketPool::GroupId(
                 url::SchemeHostPort(url::kHttpsScheme, "bar", 80),
-                PrivacyMode::PRIVACY_MODE_ENABLED, NetworkIsolationKey(),
+                PrivacyMode::PRIVACY_MODE_ENABLED, NetworkAnonymizationKey(),
                 SecureDnsPolicy::kAllow)
                 .ToString());
 
@@ -151,15 +152,16 @@ TEST(ClientSocketPool, GroupIdToString) {
             ClientSocketPool::GroupId(
                 url::SchemeHostPort(url::kHttpsScheme, "foo", 443),
                 PrivacyMode::PRIVACY_MODE_DISABLED,
-                NetworkIsolationKey(SchemefulSite(GURL("https://foo.test")),
-                                    SchemefulSite(GURL("https://bar.test"))),
+                NetworkAnonymizationKey(SchemefulSite(GURL("https://foo.test")),
+                                        SchemefulSite(GURL("https://bar.test")),
+                                        /*is_cross_site=*/true),
                 SecureDnsPolicy::kAllow)
                 .ToString());
 
   EXPECT_EQ("dsd/pm/https://bar:80 <null null>",
             ClientSocketPool::GroupId(
                 url::SchemeHostPort(url::kHttpsScheme, "bar", 80),
-                PrivacyMode::PRIVACY_MODE_ENABLED, NetworkIsolationKey(),
+                PrivacyMode::PRIVACY_MODE_ENABLED, NetworkAnonymizationKey(),
                 SecureDnsPolicy::kDisable)
                 .ToString());
 }
@@ -174,17 +176,19 @@ TEST(ClientSocketPool, PartitionConnectionsByNetworkIsolationKeyDisabled) {
   ClientSocketPool::GroupId group_id1(
       url::SchemeHostPort(url::kHttpsScheme, "foo", 443),
       PrivacyMode::PRIVACY_MODE_DISABLED,
-      NetworkIsolationKey(kSiteFoo, kSiteFoo), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(kSiteFoo, kSiteFoo, /*is_cross_site=*/false),
+      SecureDnsPolicy::kAllow);
 
   ClientSocketPool::GroupId group_id2(
       url::SchemeHostPort(url::kHttpsScheme, "foo", 443),
       PrivacyMode::PRIVACY_MODE_DISABLED,
-      NetworkIsolationKey(kSiteBar, kSiteBar), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(kSiteBar, kSiteBar, /*is_cross_site=*/false),
+      SecureDnsPolicy::kAllow);
 
-  EXPECT_FALSE(group_id1.network_isolation_key().IsFullyPopulated());
-  EXPECT_FALSE(group_id2.network_isolation_key().IsFullyPopulated());
-  EXPECT_EQ(group_id1.network_isolation_key(),
-            group_id2.network_isolation_key());
+  EXPECT_FALSE(group_id1.network_anonymization_key().IsFullyPopulated());
+  EXPECT_FALSE(group_id2.network_anonymization_key().IsFullyPopulated());
+  EXPECT_EQ(group_id1.network_anonymization_key(),
+            group_id2.network_anonymization_key());
   EXPECT_EQ(group_id1, group_id2);
 
   EXPECT_EQ("https://foo", group_id1.ToString());
diff --git a/chromium/net/socket/connect_job.cc b/chromium/net/socket/connect_job.cc
index 44cb6546825..20bdfb1158e 100644
--- a/chromium/net/socket/connect_job.cc
+++ b/chromium/net/socket/connect_job.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "net/base/connection_endpoint_metadata.h"
 #include "net/base/net_errors.h"
 #include "net/base/trace_constants.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/http/http_auth_controller.h"
 #include "net/http/http_proxy_connect_job.h"
@@ -148,7 +148,8 @@ ConnectJob::GetHostResolverEndpointResult() const {
 void ConnectJob::SetSocket(std::unique_ptr<StreamSocket> socket,
                            absl::optional<std::set<std::string>> dns_aliases) {
   if (socket) {
-    net_log().AddEvent(NetLogEventType::CONNECT_JOB_SET_SOCKET);
+    net_log().AddEventReferencingSource(NetLogEventType::CONNECT_JOB_SET_SOCKET,
+                                        socket->NetLog().source());
     if (dns_aliases)
       socket->SetDnsAliases(std::move(dns_aliases.value()));
   }
diff --git a/chromium/net/socket/connect_job.h b/chromium/net/socket/connect_job.h
index 3a4657cb32a..a728d18ac04 100644
--- a/chromium/net/socket/connect_job.h
+++ b/chromium/net/socket/connect_job.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -15,11 +15,11 @@
 #include "base/memory/ref_counted.h"
 #include "base/time/time.h"
 #include "base/timer/timer.h"
-#include "net/base/address_list.h"
 #include "net/base/load_states.h"
 #include "net/base/load_timing_info.h"
 #include "net/base/net_export.h"
 #include "net/base/request_priority.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/resolve_error_info.h"
 #include "net/log/net_log_with_source.h"
 #include "net/socket/connection_attempts.h"
@@ -115,7 +115,8 @@ enum class OnHostResolutionCallbackResult {
 using OnHostResolutionCallback =
     base::RepeatingCallback<OnHostResolutionCallbackResult(
         const HostPortPair& host_port_pair,
-        const AddressList& address_list)>;
+        const std::vector<HostResolverEndpointResult>& endpoint_results,
+        const std::set<std::string>& aliases)>;
 
 // ConnectJob provides an abstract interface for "connecting" a socket.
 // The connection may involve host resolution, tcp connection, ssl connection,
diff --git a/chromium/net/socket/connect_job_factory.cc b/chromium/net/socket/connect_job_factory.cc
index 2288f51f340..778faf5c004 100644
--- a/chromium/net/socket/connect_job_factory.cc
+++ b/chromium/net/socket/connect_job_factory.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,7 +11,7 @@
 #include "base/containers/flat_set.h"
 #include "base/memory/scoped_refptr.h"
 #include "net/base/host_port_pair.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/proxy_server.h"
 #include "net/base/request_priority.h"
@@ -114,15 +114,16 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
     const OnHostResolutionCallback& resolution_callback,
     RequestPriority request_priority,
     SocketTag socket_tag,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     SecureDnsPolicy secure_dns_policy,
     const CommonConnectJobParams* common_connect_job_params,
     ConnectJob::Delegate* delegate) const {
-  return CreateConnectJob(
-      Endpoint(std::move(endpoint)), proxy_server, proxy_annotation_tag,
-      ssl_config_for_origin, ssl_config_for_proxy, force_tunnel, privacy_mode,
-      resolution_callback, request_priority, socket_tag, network_isolation_key,
-      secure_dns_policy, common_connect_job_params, delegate);
+  return CreateConnectJob(Endpoint(std::move(endpoint)), proxy_server,
+                          proxy_annotation_tag, ssl_config_for_origin,
+                          ssl_config_for_proxy, force_tunnel, privacy_mode,
+                          resolution_callback, request_priority, socket_tag,
+                          network_anonymization_key, secure_dns_policy,
+                          common_connect_job_params, delegate);
 }
 
 std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
@@ -137,16 +138,17 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
     const OnHostResolutionCallback& resolution_callback,
     RequestPriority request_priority,
     SocketTag socket_tag,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     SecureDnsPolicy secure_dns_policy,
     const CommonConnectJobParams* common_connect_job_params,
     ConnectJob::Delegate* delegate) const {
   SchemelessEndpoint schemeless_endpoint{using_ssl, std::move(endpoint)};
-  return CreateConnectJob(
-      std::move(schemeless_endpoint), proxy_server, proxy_annotation_tag,
-      ssl_config_for_origin, ssl_config_for_proxy, force_tunnel, privacy_mode,
-      resolution_callback, request_priority, socket_tag, network_isolation_key,
-      secure_dns_policy, common_connect_job_params, delegate);
+  return CreateConnectJob(std::move(schemeless_endpoint), proxy_server,
+                          proxy_annotation_tag, ssl_config_for_origin,
+                          ssl_config_for_proxy, force_tunnel, privacy_mode,
+                          resolution_callback, request_priority, socket_tag,
+                          network_anonymization_key, secure_dns_policy,
+                          common_connect_job_params, delegate);
 }
 
 std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
@@ -160,7 +162,7 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
     const OnHostResolutionCallback& resolution_callback,
     RequestPriority request_priority,
     SocketTag socket_tag,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     SecureDnsPolicy secure_dns_policy,
     const CommonConnectJobParams* common_connect_job_params,
     ConnectJob::Delegate* delegate) const {
@@ -173,7 +175,7 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
     // `SchemeHostPort`, so proxies can participate in ECH? Note doing so with
     // `SCHEME_HTTP` requires handling the HTTPS record upgrade.
     auto proxy_tcp_params = base::MakeRefCounted<TransportSocketParams>(
-        proxy_server.host_port_pair(), proxy_dns_network_isolation_key_,
+        proxy_server.host_port_pair(), proxy_dns_network_anonymization_key_,
         secure_dns_policy, resolution_callback,
         proxy_server.is_secure_http_like()
             ? SupportedProtocolsFromSSLConfig(*ssl_config_for_proxy)
@@ -187,7 +189,7 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
         ssl_params = base::MakeRefCounted<SSLSocketParams>(
             std::move(proxy_tcp_params), nullptr, nullptr,
             proxy_server.host_port_pair(), *ssl_config_for_proxy,
-            PRIVACY_MODE_DISABLED, network_isolation_key);
+            PRIVACY_MODE_DISABLED, network_anonymization_key);
         proxy_tcp_params = nullptr;
       }
 
@@ -197,7 +199,7 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
           std::move(proxy_tcp_params), std::move(ssl_params),
           proxy_server.is_quic(), ToHostPortPair(endpoint),
           force_tunnel || UsingSsl(endpoint), *proxy_annotation_tag,
-          network_isolation_key);
+          network_anonymization_key);
     } else {
       DCHECK(proxy_server.is_socks());
       // TODO(crbug.com/1206799): Pass `endpoint` directly (preserving scheme
@@ -205,7 +207,7 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
       socks_params = base::MakeRefCounted<SOCKSSocketParams>(
           std::move(proxy_tcp_params),
           proxy_server.scheme() == ProxyServer::SCHEME_SOCKS5,
-          ToHostPortPair(endpoint), network_isolation_key,
+          ToHostPortPair(endpoint), network_anonymization_key,
           *proxy_annotation_tag);
     }
   }
@@ -216,7 +218,7 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
     scoped_refptr<TransportSocketParams> ssl_tcp_params;
     if (proxy_server.is_direct()) {
       ssl_tcp_params = base::MakeRefCounted<TransportSocketParams>(
-          ToTransportEndpoint(endpoint), network_isolation_key,
+          ToTransportEndpoint(endpoint), network_anonymization_key,
           secure_dns_policy, resolution_callback,
           SupportedProtocolsFromSSLConfig(*ssl_config_for_origin));
     }
@@ -225,7 +227,7 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
     auto ssl_params = base::MakeRefCounted<SSLSocketParams>(
         std::move(ssl_tcp_params), std::move(socks_params),
         std::move(http_proxy_params), ToHostPortPair(endpoint),
-        *ssl_config_for_origin, privacy_mode, network_isolation_key);
+        *ssl_config_for_origin, privacy_mode, network_anonymization_key);
     return ssl_connect_job_factory_->Create(
         request_priority, socket_tag, common_connect_job_params,
         std::move(ssl_params), delegate, /*net_log=*/nullptr);
@@ -246,8 +248,8 @@ std::unique_ptr<ConnectJob> ConnectJobFactory::CreateConnectJob(
   // Only SSL/TLS-based endpoints have ALPN protocols.
   DCHECK(proxy_server.is_direct());
   auto tcp_params = base::MakeRefCounted<TransportSocketParams>(
-      ToTransportEndpoint(endpoint), network_isolation_key, secure_dns_policy,
-      resolution_callback, no_alpn_protocols);
+      ToTransportEndpoint(endpoint), network_anonymization_key,
+      secure_dns_policy, resolution_callback, no_alpn_protocols);
   return transport_connect_job_factory_->Create(
       request_priority, socket_tag, common_connect_job_params, tcp_params,
       delegate, /*net_log=*/nullptr);
diff --git a/chromium/net/socket/connect_job_factory.h b/chromium/net/socket/connect_job_factory.h
index 3c8b1a0b872..6ea30912cd3 100644
--- a/chromium/net/socket/connect_job_factory.h
+++ b/chromium/net/socket/connect_job_factory.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,7 +8,7 @@
 #include <memory>
 
 #include "net/base/host_port_pair.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/request_priority.h"
 #include "net/dns/public/secure_dns_policy.h"
@@ -24,7 +24,7 @@
 
 namespace net {
 
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 struct NetworkTrafficAnnotationTag;
 class ProxyServer;
 struct SSLConfig;
@@ -73,7 +73,7 @@ class NET_EXPORT_PRIVATE ConnectJobFactory {
       const OnHostResolutionCallback& resolution_callback,
       RequestPriority request_priority,
       SocketTag socket_tag,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       SecureDnsPolicy secure_dns_policy,
       const CommonConnectJobParams* common_connect_job_params,
       ConnectJob::Delegate* delegate) const;
@@ -92,7 +92,7 @@ class NET_EXPORT_PRIVATE ConnectJobFactory {
       const OnHostResolutionCallback& resolution_callback,
       RequestPriority request_priority,
       SocketTag socket_tag,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       SecureDnsPolicy secure_dns_policy,
       const CommonConnectJobParams* common_connect_job_params,
       ConnectJob::Delegate* delegate) const;
@@ -109,7 +109,7 @@ class NET_EXPORT_PRIVATE ConnectJobFactory {
       const OnHostResolutionCallback& resolution_callback,
       RequestPriority request_priority,
       SocketTag socket_tag,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       SecureDnsPolicy secure_dns_policy,
       const CommonConnectJobParams* common_connect_job_params,
       ConnectJob::Delegate* delegate) const;
@@ -119,12 +119,12 @@ class NET_EXPORT_PRIVATE ConnectJobFactory {
   std::unique_ptr<SSLConnectJob::Factory> ssl_connect_job_factory_;
   std::unique_ptr<TransportConnectJob::Factory> transport_connect_job_factory_;
 
-  // Use a single NetworkIsolationKey for looking up proxy hostnames. Proxies
-  // are typically used across sites, but cached proxy IP addresses don't
-  // really expose useful information to destination sites, and not caching
-  // them has a performance cost.
-  net::NetworkIsolationKey proxy_dns_network_isolation_key_ =
-      net::NetworkIsolationKey::CreateTransient();
+  // Use a single NetworkAnonymizationKey for looking up proxy hostnames.
+  // Proxies are typically used across sites, but cached proxy IP addresses
+  // don't really expose useful information to destination sites, and not
+  // caching them has a performance cost.
+  net::NetworkAnonymizationKey proxy_dns_network_anonymization_key_ =
+      net::NetworkAnonymizationKey::CreateTransient();
 };
 
 }  // namespace net
diff --git a/chromium/net/socket/connect_job_factory_unittest.cc b/chromium/net/socket/connect_job_factory_unittest.cc
index 60bc865e830..45d599223e7 100644
--- a/chromium/net/socket/connect_job_factory_unittest.cc
+++ b/chromium/net/socket/connect_job_factory_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -203,7 +203,7 @@ TEST_F(ConnectJobFactoryTest, CreateConnectJob) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -224,7 +224,7 @@ TEST_F(ConnectJobFactoryTest, CreateConnectJobWithoutScheme) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -247,7 +247,7 @@ TEST_F(ConnectJobFactoryTest, CreateHttpsConnectJob) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -276,7 +276,7 @@ TEST_F(ConnectJobFactoryTest, CreateHttpsConnectJobWithoutScheme) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -302,7 +302,7 @@ TEST_F(ConnectJobFactoryTest, CreateHttpProxyConnectJob) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -329,7 +329,7 @@ TEST_F(ConnectJobFactoryTest, CreateHttpProxyConnectJobWithoutScheme) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -357,7 +357,7 @@ TEST_F(ConnectJobFactoryTest, CreateHttpProxyConnectJobForHttps) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -392,7 +392,7 @@ TEST_F(ConnectJobFactoryTest, CreateHttpProxyConnectJobForHttpsWithoutScheme) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -425,7 +425,7 @@ TEST_F(ConnectJobFactoryTest, CreateHttpsProxyConnectJob) {
       /*ssl_config_for_proxy=*/&ssl_config,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -458,7 +458,7 @@ TEST_F(ConnectJobFactoryTest, CreateHttpsProxyConnectJobWithoutScheme) {
       /*ssl_config_for_proxy=*/&ssl_config,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -490,7 +490,7 @@ TEST_F(ConnectJobFactoryTest, CreateSocksProxyConnectJob) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -515,7 +515,7 @@ TEST_F(ConnectJobFactoryTest, CreateSocksProxyConnectJobWithoutScheme) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params_, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -544,7 +544,7 @@ TEST_F(ConnectJobFactoryTest, CreateWebsocketConnectJob) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
@@ -570,7 +570,7 @@ TEST_F(ConnectJobFactoryTest, CreateWebsocketConnectJobWithoutScheme) {
       /*ssl_config_for_proxy=*/nullptr,
       /*force_tunnel=*/false, PrivacyMode::PRIVACY_MODE_DISABLED,
       OnHostResolutionCallback(), DEFAULT_PRIORITY, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       &common_connect_job_params, &delegate_);
   EXPECT_EQ(GetCreationCount(), 1u);
 
diff --git a/chromium/net/socket/connect_job_test_util.cc b/chromium/net/socket/connect_job_test_util.cc
index 12f3ae24313..48e5cb914e3 100644
--- a/chromium/net/socket/connect_job_test_util.cc
+++ b/chromium/net/socket/connect_job_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/connect_job_test_util.h b/chromium/net/socket/connect_job_test_util.h
index 25d915664c9..a792a22540e 100644
--- a/chromium/net/socket/connect_job_test_util.h
+++ b/chromium/net/socket/connect_job_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/connect_job_unittest.cc b/chromium/net/socket/connect_job_unittest.cc
index a413457f391..54cbb9bbbaa 100644
--- a/chromium/net/socket/connect_job_unittest.cc
+++ b/chromium/net/socket/connect_job_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/connection_attempts.h b/chromium/net/socket/connection_attempts.h
index 6be283083a6..63579bbf423 100644
--- a/chromium/net/socket/connection_attempts.h
+++ b/chromium/net/socket/connection_attempts.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/datagram_client_socket.h b/chromium/net/socket/datagram_client_socket.h
index 3342e1effd5..ee21b719887 100644
--- a/chromium/net/socket/datagram_client_socket.h
+++ b/chromium/net/socket/datagram_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -23,6 +23,7 @@ class NET_EXPORT_PRIVATE DatagramClientSocket : public DatagramSocket,
 
   // Initialize this socket as a client socket to server at |address|.
   // Returns a network error code.
+  // TODO(liza): Remove this method once consumers have been updated.
   virtual int Connect(const IPEndPoint& address) = 0;
 
   // Binds this socket to |network| and initializes socket as a client socket
@@ -30,13 +31,37 @@ class NET_EXPORT_PRIVATE DatagramClientSocket : public DatagramSocket,
   // received via |network|. This call will fail if |network| has disconnected.
   // Communication using this socket will fail if |network| disconnects.
   // Returns a net error code.
+  // TODO(liza): Remove this method once consumers have been updated.
   virtual int ConnectUsingNetwork(handles::NetworkHandle network,
                                   const IPEndPoint& address) = 0;
 
   // Same as ConnectUsingNetwork, except that the current default network is
   // used. Returns a net error code.
+  // TODO(liza): Remove this method once consumers have been updated.
   virtual int ConnectUsingDefaultNetwork(const IPEndPoint& address) = 0;
 
+  // Same as Connect, but it can run asynchronously or synchronously. Returns a
+  // network error code.
+  // TODO(liza): Rename this to Connect once consumers have been updated.
+  virtual int ConnectAsync(const IPEndPoint& address,
+                           CompletionOnceCallback callback) = 0;
+
+  // Same as ConnectUsingNetwork, but it can run asynchronously or
+  // synchronously. Returns a network error code.
+  // TODO(liza): Rename this to ConnectUsingNetwork once consumers have been
+  // updated.
+  virtual int ConnectUsingNetworkAsync(handles::NetworkHandle network,
+                                       const IPEndPoint& address,
+                                       CompletionOnceCallback callback) = 0;
+
+  // Same as ConnectUsConnectUsingDefaultNetworkingNetwork, but it can run
+  // asynchronously or synchronously. Returns a network error code.
+  // TODO(liza): Rename this to ConnectUsingDefaultNetwork once consumers have
+  // been updated.
+  virtual int ConnectUsingDefaultNetworkAsync(
+      const IPEndPoint& address,
+      CompletionOnceCallback callback) = 0;
+
   // Returns the network that either ConnectUsingNetwork() or
   // ConnectUsingDefaultNetwork() bound this socket to. Returns
   // handles::kInvalidNetworkHandle if not explicitly bound via
diff --git a/chromium/net/socket/datagram_server_socket.h b/chromium/net/socket/datagram_server_socket.h
index bd5f2330140..32f71942ae3 100644
--- a/chromium/net/socket/datagram_server_socket.h
+++ b/chromium/net/socket/datagram_server_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/datagram_socket.h b/chromium/net/socket/datagram_socket.h
index e6758a75aca..acb991217aa 100644
--- a/chromium/net/socket/datagram_socket.h
+++ b/chromium/net/socket/datagram_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/diff_serv_code_point.h b/chromium/net/socket/diff_serv_code_point.h
index 5fcd9122946..cf52ee182dd 100644
--- a/chromium/net/socket/diff_serv_code_point.h
+++ b/chromium/net/socket/diff_serv_code_point.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/fuzzed_datagram_client_socket.cc b/chromium/net/socket/fuzzed_datagram_client_socket.cc
index a4c71aba822..3cd45f4431f 100644
--- a/chromium/net/socket/fuzzed_datagram_client_socket.cc
+++ b/chromium/net/socket/fuzzed_datagram_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -62,6 +62,34 @@ int FuzzedDatagramClientSocket::FuzzedDatagramClientSocket::
   return ERR_NOT_IMPLEMENTED;
 }
 
+int FuzzedDatagramClientSocket::ConnectAsync(const IPEndPoint& address,
+                                             CompletionOnceCallback callback) {
+  CHECK(!connected_);
+  int rv = Connect(address);
+  DCHECK_NE(rv, ERR_IO_PENDING);
+  if (data_provider_->ConsumeBool()) {
+    base::ThreadTaskRunnerHandle::Get()->PostTask(
+        FROM_HERE, base::BindOnce(std::move(callback), rv));
+    return ERR_IO_PENDING;
+  }
+  return rv;
+}
+
+int FuzzedDatagramClientSocket::ConnectUsingNetworkAsync(
+    handles::NetworkHandle network,
+    const IPEndPoint& address,
+    CompletionOnceCallback callback) {
+  CHECK(!connected_);
+  return ERR_NOT_IMPLEMENTED;
+}
+
+int FuzzedDatagramClientSocket::ConnectUsingDefaultNetworkAsync(
+    const IPEndPoint& address,
+    CompletionOnceCallback callback) {
+  CHECK(!connected_);
+  return ERR_NOT_IMPLEMENTED;
+}
+
 handles::NetworkHandle FuzzedDatagramClientSocket::GetBoundNetwork() const {
   return handles::kInvalidNetworkHandle;
 }
diff --git a/chromium/net/socket/fuzzed_datagram_client_socket.h b/chromium/net/socket/fuzzed_datagram_client_socket.h
index 3bf0e4b6056..0daf24ddcff 100644
--- a/chromium/net/socket/fuzzed_datagram_client_socket.h
+++ b/chromium/net/socket/fuzzed_datagram_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -41,6 +41,13 @@ class FuzzedDatagramClientSocket : public DatagramClientSocket {
   int ConnectUsingNetwork(handles::NetworkHandle network,
                           const IPEndPoint& address) override;
   int ConnectUsingDefaultNetwork(const IPEndPoint& address) override;
+  int ConnectAsync(const IPEndPoint& address,
+                   CompletionOnceCallback callback) override;
+  int ConnectUsingNetworkAsync(handles::NetworkHandle network,
+                               const IPEndPoint& address,
+                               CompletionOnceCallback callback) override;
+  int ConnectUsingDefaultNetworkAsync(const IPEndPoint& address,
+                                      CompletionOnceCallback callback) override;
   handles::NetworkHandle GetBoundNetwork() const override;
   void ApplySocketTag(const SocketTag& tag) override;
 
diff --git a/chromium/net/socket/fuzzed_server_socket.cc b/chromium/net/socket/fuzzed_server_socket.cc
index 82f41470331..8a7f2a28c00 100644
--- a/chromium/net/socket/fuzzed_server_socket.cc
+++ b/chromium/net/socket/fuzzed_server_socket.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/fuzzed_server_socket.h b/chromium/net/socket/fuzzed_server_socket.h
index e4ef32140c4..5d5a0484d57 100644
--- a/chromium/net/socket/fuzzed_server_socket.h
+++ b/chromium/net/socket/fuzzed_server_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/fuzzed_socket.cc b/chromium/net/socket/fuzzed_socket.cc
index 58133abe950..a7bca7f9de5 100644
--- a/chromium/net/socket/fuzzed_socket.cc
+++ b/chromium/net/socket/fuzzed_socket.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/fuzzed_socket.h b/chromium/net/socket/fuzzed_socket.h
index 10875fe476c..6287a74c5a4 100644
--- a/chromium/net/socket/fuzzed_socket.h
+++ b/chromium/net/socket/fuzzed_socket.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/fuzzed_socket_factory.cc b/chromium/net/socket/fuzzed_socket_factory.cc
index e13059813b6..914d48b0cff 100644
--- a/chromium/net/socket/fuzzed_socket_factory.cc
+++ b/chromium/net/socket/fuzzed_socket_factory.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/fuzzed_socket_factory.h b/chromium/net/socket/fuzzed_socket_factory.h
index 25526d67fe8..1124eec4370 100644
--- a/chromium/net/socket/fuzzed_socket_factory.h
+++ b/chromium/net/socket/fuzzed_socket_factory.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/mock_client_socket_pool_manager.cc b/chromium/net/socket/mock_client_socket_pool_manager.cc
index 23ae107b7bd..05ee416533e 100644
--- a/chromium/net/socket/mock_client_socket_pool_manager.cc
+++ b/chromium/net/socket/mock_client_socket_pool_manager.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/mock_client_socket_pool_manager.h b/chromium/net/socket/mock_client_socket_pool_manager.h
index 967ae19f8fd..def60f5c7f4 100644
--- a/chromium/net/socket/mock_client_socket_pool_manager.h
+++ b/chromium/net/socket/mock_client_socket_pool_manager.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/network_binding_client_socket_factory.cc b/chromium/net/socket/network_binding_client_socket_factory.cc
index af2e0cd9d01..ba24d158bdb 100644
--- a/chromium/net/socket/network_binding_client_socket_factory.cc
+++ b/chromium/net/socket/network_binding_client_socket_factory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/network_binding_client_socket_factory.h b/chromium/net/socket/network_binding_client_socket_factory.h
index 8a49e2c5298..2fca57e9aa5 100644
--- a/chromium/net/socket/network_binding_client_socket_factory.h
+++ b/chromium/net/socket/network_binding_client_socket_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/next_proto.cc b/chromium/net/socket/next_proto.cc
index 96ce80e09f3..0581b661424 100644
--- a/chromium/net/socket/next_proto.cc
+++ b/chromium/net/socket/next_proto.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/next_proto.h b/chromium/net/socket/next_proto.h
index b340dab38fc..abc21ca079b 100644
--- a/chromium/net/socket/next_proto.h
+++ b/chromium/net/socket/next_proto.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/read_buffering_stream_socket.cc b/chromium/net/socket/read_buffering_stream_socket.cc
index b56d55430ac..d16dbb018d3 100644
--- a/chromium/net/socket/read_buffering_stream_socket.cc
+++ b/chromium/net/socket/read_buffering_stream_socket.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/read_buffering_stream_socket.h b/chromium/net/socket/read_buffering_stream_socket.h
index bd71169d254..e42ded7b3d5 100644
--- a/chromium/net/socket/read_buffering_stream_socket.h
+++ b/chromium/net/socket/read_buffering_stream_socket.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/sequenced_socket_data_unittest.cc b/chromium/net/socket/sequenced_socket_data_unittest.cc
index 41843e86536..caea8e05247 100644
--- a/chromium/net/socket/sequenced_socket_data_unittest.cc
+++ b/chromium/net/socket/sequenced_socket_data_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/server_socket.cc b/chromium/net/socket/server_socket.cc
index 1c470905f2c..1cbfdfd28e1 100644
--- a/chromium/net/socket/server_socket.cc
+++ b/chromium/net/socket/server_socket.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/server_socket.h b/chromium/net/socket/server_socket.h
index cc200e2f9b3..937aa780599 100644
--- a/chromium/net/socket/server_socket.h
+++ b/chromium/net/socket/server_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket.cc b/chromium/net/socket/socket.cc
index 70b12ce1cde..143516c572e 100644
--- a/chromium/net/socket/socket.cc
+++ b/chromium/net/socket/socket.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket.h b/chromium/net/socket/socket.h
index bb451516d67..64e08182d66 100644
--- a/chromium/net/socket/socket.h
+++ b/chromium/net/socket/socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_bio_adapter.cc b/chromium/net/socket/socket_bio_adapter.cc
index 3842354503e..014be2d2de0 100644
--- a/chromium/net/socket/socket_bio_adapter.cc
+++ b/chromium/net/socket/socket_bio_adapter.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_bio_adapter.h b/chromium/net/socket/socket_bio_adapter.h
index 4aee476796e..0b5601a034d 100644
--- a/chromium/net/socket/socket_bio_adapter.h
+++ b/chromium/net/socket/socket_bio_adapter.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_bio_adapter_unittest.cc b/chromium/net/socket/socket_bio_adapter_unittest.cc
index bf99850f138..bc2169b2d3d 100644
--- a/chromium/net/socket/socket_bio_adapter_unittest.cc
+++ b/chromium/net/socket/socket_bio_adapter_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_descriptor.cc b/chromium/net/socket/socket_descriptor.cc
index 465fa3f9530..f6db3d82e8c 100644
--- a/chromium/net/socket/socket_descriptor.cc
+++ b/chromium/net/socket/socket_descriptor.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_descriptor.h b/chromium/net/socket/socket_descriptor.h
index 0516dcecab3..9188b8e9eb0 100644
--- a/chromium/net/socket/socket_descriptor.h
+++ b/chromium/net/socket/socket_descriptor.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_net_log_params.cc b/chromium/net/socket/socket_net_log_params.cc
index f2360b17392..fccaa4e6c21 100644
--- a/chromium/net/socket/socket_net_log_params.cc
+++ b/chromium/net/socket/socket_net_log_params.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_net_log_params.h b/chromium/net/socket/socket_net_log_params.h
index 0497ec6f758..ced0d4114ac 100644
--- a/chromium/net/socket/socket_net_log_params.h
+++ b/chromium/net/socket/socket_net_log_params.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_options.cc b/chromium/net/socket/socket_options.cc
index 83f0511397c..4b880c5a660 100644
--- a/chromium/net/socket/socket_options.cc
+++ b/chromium/net/socket/socket_options.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_options.h b/chromium/net/socket/socket_options.h
index 2a8ac6c7afb..7ace024d548 100644
--- a/chromium/net/socket/socket_options.h
+++ b/chromium/net/socket/socket_options.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_performance_watcher.h b/chromium/net/socket/socket_performance_watcher.h
index 38b5b9db691..084b44fbf22 100644
--- a/chromium/net/socket/socket_performance_watcher.h
+++ b/chromium/net/socket/socket_performance_watcher.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_performance_watcher_factory.h b/chromium/net/socket/socket_performance_watcher_factory.h
index 992aab8d68e..eb6537f6f12 100644
--- a/chromium/net/socket/socket_performance_watcher_factory.h
+++ b/chromium/net/socket/socket_performance_watcher_factory.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_posix.cc b/chromium/net/socket/socket_posix.cc
index 92ffb1ec5a5..3f458f78a2a 100644
--- a/chromium/net/socket/socket_posix.cc
+++ b/chromium/net/socket/socket_posix.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_posix.h b/chromium/net/socket/socket_posix.h
index 02d1600b263..da26d1dee99 100644
--- a/chromium/net/socket/socket_posix.h
+++ b/chromium/net/socket/socket_posix.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_tag.cc b/chromium/net/socket/socket_tag.cc
index 14c50022ae9..e95c464e7d8 100644
--- a/chromium/net/socket/socket_tag.cc
+++ b/chromium/net/socket/socket_tag.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_tag.h b/chromium/net/socket/socket_tag.h
index 47bc9d7cffc..af7650d4f30 100644
--- a/chromium/net/socket/socket_tag.h
+++ b/chromium/net/socket/socket_tag.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_tag_unittest.cc b/chromium/net/socket/socket_tag_unittest.cc
index 164d09993d0..91e129acd77 100644
--- a/chromium/net/socket/socket_tag_unittest.cc
+++ b/chromium/net/socket/socket_tag_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socket_test_util.cc b/chromium/net/socket/socket_test_util.cc
index f1c52adaf44..1e3053462d4 100644
--- a/chromium/net/socket/socket_test_util.cc
+++ b/chromium/net/socket/socket_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -834,9 +834,9 @@ std::unique_ptr<SSLClientSocket> MockClientSocketFactory::CreateSSLClientSocket(
   if (next_ssl_data->expected_host_and_port) {
     EXPECT_EQ(*next_ssl_data->expected_host_and_port, host_and_port);
   }
-  if (next_ssl_data->expected_network_isolation_key) {
-    EXPECT_EQ(*next_ssl_data->expected_network_isolation_key,
-              ssl_config.network_isolation_key);
+  if (next_ssl_data->expected_network_anonymization_key) {
+    EXPECT_EQ(*next_ssl_data->expected_network_anonymization_key,
+              ssl_config.network_anonymization_key);
   }
   if (next_ssl_data->expected_disable_legacy_crypto) {
     EXPECT_EQ(*next_ssl_data->expected_disable_legacy_crypto,
@@ -1613,6 +1613,7 @@ const NetLogWithSource& MockUDPClientSocket::NetLog() const {
 int MockUDPClientSocket::Connect(const IPEndPoint& address) {
   if (!data_)
     return ERR_UNEXPECTED;
+  DCHECK_NE(data_->connect_data().result, ERR_IO_PENDING);
   connected_ = true;
   peer_addr_ = address;
   return data_->connect_data().result;
@@ -1623,6 +1624,7 @@ int MockUDPClientSocket::ConnectUsingNetwork(handles::NetworkHandle network,
   DCHECK(!connected_);
   if (!data_)
     return ERR_UNEXPECTED;
+  DCHECK_NE(data_->connect_data().result, ERR_IO_PENDING);
   network_ = network;
   connected_ = true;
   peer_addr_ = address;
@@ -1633,12 +1635,68 @@ int MockUDPClientSocket::ConnectUsingDefaultNetwork(const IPEndPoint& address) {
   DCHECK(!connected_);
   if (!data_)
     return ERR_UNEXPECTED;
+  DCHECK_NE(data_->connect_data().result, ERR_IO_PENDING);
   network_ = kDefaultNetworkForTests;
   connected_ = true;
   peer_addr_ = address;
   return data_->connect_data().result;
 }
 
+int MockUDPClientSocket::ConnectAsync(const IPEndPoint& address,
+                                      CompletionOnceCallback callback) {
+  DCHECK(callback);
+  if (!data_) {
+    return ERR_UNEXPECTED;
+  }
+  connected_ = true;
+  peer_addr_ = address;
+  int result = data_->connect_data().result;
+  IoMode mode = data_->connect_data().mode;
+  if (mode == SYNCHRONOUS) {
+    return result;
+  }
+  RunCallbackAsync(std::move(callback), result);
+  return ERR_IO_PENDING;
+}
+
+int MockUDPClientSocket::ConnectUsingNetworkAsync(
+    handles::NetworkHandle network,
+    const IPEndPoint& address,
+    CompletionOnceCallback callback) {
+  DCHECK(callback);
+  DCHECK(!connected_);
+  if (!data_)
+    return ERR_UNEXPECTED;
+  network_ = network;
+  connected_ = true;
+  peer_addr_ = address;
+  int result = data_->connect_data().result;
+  IoMode mode = data_->connect_data().mode;
+  if (mode == SYNCHRONOUS) {
+    return result;
+  }
+  RunCallbackAsync(std::move(callback), result);
+  return ERR_IO_PENDING;
+}
+
+int MockUDPClientSocket::ConnectUsingDefaultNetworkAsync(
+    const IPEndPoint& address,
+    CompletionOnceCallback callback) {
+  DCHECK(!connected_);
+  if (!data_)
+    return ERR_UNEXPECTED;
+  network_ = kDefaultNetworkForTests;
+  connected_ = true;
+  peer_addr_ = address;
+  int result = data_->connect_data().result;
+  IoMode mode = data_->connect_data().mode;
+  if (mode == SYNCHRONOUS) {
+    return result;
+  }
+  RunCallbackAsync(std::move(callback), result);
+  return ERR_IO_PENDING;
+}
+
 handles::NetworkHandle MockUDPClientSocket::GetBoundNetwork() const {
   return network_;
 }
@@ -1840,8 +1898,8 @@ void MockTransportClientSocketPool::MockConnectJob::OnConnect(int rv) {
     // sockets.
     LoadTimingInfo::ConnectTiming connect_timing;
     base::TimeTicks now = base::TimeTicks::Now();
-    connect_timing.dns_start = now;
-    connect_timing.dns_end = now;
+    connect_timing.domain_lookup_start = now;
+    connect_timing.domain_lookup_end = now;
     connect_timing.connect_start = now;
     connect_timing.connect_end = now;
     handle_->set_connect_timing(connect_timing);
diff --git a/chromium/net/socket/socket_test_util.h b/chromium/net/socket/socket_test_util.h
index 1db07eefef6..227e6d4bfa2 100644
--- a/chromium/net/socket/socket_test_util.h
+++ b/chromium/net/socket/socket_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -504,7 +504,7 @@ struct SSLSocketDataProvider {
   absl::optional<bool> expected_send_client_cert;
   scoped_refptr<X509Certificate> expected_client_cert;
   absl::optional<HostPortPair> expected_host_and_port;
-  absl::optional<NetworkIsolationKey> expected_network_isolation_key;
+  absl::optional<NetworkAnonymizationKey> expected_network_anonymization_key;
   absl::optional<bool> expected_disable_legacy_crypto;
   absl::optional<std::vector<uint8_t>> expected_ech_config_list;
 
@@ -987,6 +987,13 @@ class MockUDPClientSocket : public DatagramClientSocket, public AsyncSocket {
   int ConnectUsingNetwork(handles::NetworkHandle network,
                           const IPEndPoint& address) override;
   int ConnectUsingDefaultNetwork(const IPEndPoint& address) override;
+  int ConnectAsync(const IPEndPoint& address,
+                   CompletionOnceCallback callback) override;
+  int ConnectUsingNetworkAsync(handles::NetworkHandle network,
+                               const IPEndPoint& address,
+                               CompletionOnceCallback callback) override;
+  int ConnectUsingDefaultNetworkAsync(const IPEndPoint& address,
+                                      CompletionOnceCallback callback) override;
   handles::NetworkHandle GetBoundNetwork() const override;
   void ApplySocketTag(const SocketTag& tag) override;
   void SetMsgConfirm(bool confirm) override {}
@@ -1389,7 +1396,7 @@ int64_t CountWriteBytes(base::span<const MockWrite> writes);
 bool CanGetTaggedBytes();
 
 // Query the system to find out how many bytes were received with tag
-// |expected_tag| for our UID.  Return the count of recieved bytes.
+// |expected_tag| for our UID.  Return the count of received bytes.
 uint64_t GetTaggedBytes(int32_t expected_tag);
 #endif
 
diff --git a/chromium/net/socket/socks5_client_socket.cc b/chromium/net/socket/socks5_client_socket.cc
index cc8dd8a0cf4..a3f842e6cdc 100644
--- a/chromium/net/socket/socks5_client_socket.cc
+++ b/chromium/net/socket/socks5_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socks5_client_socket.h b/chromium/net/socket/socks5_client_socket.h
index 5612be06774..f6cfbe45c36 100644
--- a/chromium/net/socket/socks5_client_socket.h
+++ b/chromium/net/socket/socks5_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socks5_client_socket_fuzzer.cc b/chromium/net/socket/socks5_client_socket_fuzzer.cc
index ed3ae4ed98f..112a4063d79 100644
--- a/chromium/net/socket/socks5_client_socket_fuzzer.cc
+++ b/chromium/net/socket/socks5_client_socket_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socks5_client_socket_unittest.cc b/chromium/net/socket/socks5_client_socket_unittest.cc
index e0db5b90cc0..768a50f8c7f 100644
--- a/chromium/net/socket/socks5_client_socket_unittest.cc
+++ b/chromium/net/socket/socks5_client_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/socks_client_socket.cc b/chromium/net/socket/socks_client_socket.cc
index 1355a5d0b9c..5c1db1ea032 100644
--- a/chromium/net/socket/socks_client_socket.cc
+++ b/chromium/net/socket/socks_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -63,7 +63,7 @@ static_assert(sizeof(SOCKS4ServerResponse) == kReadHeaderSize,
 SOCKSClientSocket::SOCKSClientSocket(
     std::unique_ptr<StreamSocket> transport_socket,
     const HostPortPair& destination,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     RequestPriority priority,
     HostResolver* host_resolver,
     SecureDnsPolicy secure_dns_policy,
@@ -72,7 +72,7 @@ SOCKSClientSocket::SOCKSClientSocket(
       host_resolver_(host_resolver),
       secure_dns_policy_(secure_dns_policy),
       destination_(destination),
-      network_isolation_key_(network_isolation_key),
+      network_anonymization_key_(network_anonymization_key),
       priority_(priority),
       net_log_(transport_socket_->NetLog()),
       traffic_annotation_(traffic_annotation) {}
@@ -303,7 +303,7 @@ int SOCKSClientSocket::DoResolveHost() {
   parameters.initial_priority = priority_;
   parameters.secure_dns_policy = secure_dns_policy_;
   resolve_host_request_ = host_resolver_->CreateRequest(
-      destination_, network_isolation_key_, net_log_, parameters);
+      destination_, network_anonymization_key_, net_log_, parameters);
 
   return resolve_host_request_->Start(
       base::BindOnce(&SOCKSClientSocket::OnIOComplete, base::Unretained(this)));
diff --git a/chromium/net/socket/socks_client_socket.h b/chromium/net/socket/socks_client_socket.h
index 1f30a219693..a2dd0fa5094 100644
--- a/chromium/net/socket/socks_client_socket.h
+++ b/chromium/net/socket/socks_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -33,10 +33,10 @@ class NET_EXPORT_PRIVATE SOCKSClientSocket : public StreamSocket {
  public:
   // |destination| contains the hostname and port to which the socket above will
   // communicate to via the socks layer. For testing the referrer is optional.
-  // |network_isolation_key| is used for host resolution.
+  // |network_anonymization_key| is used for host resolution.
   SOCKSClientSocket(std::unique_ptr<StreamSocket> transport_socket,
                     const HostPortPair& destination,
-                    const NetworkIsolationKey& network_isolation_key,
+                    const NetworkAnonymizationKey& network_anonymization_key,
                     RequestPriority priority,
                     HostResolver* host_resolver,
                     SecureDnsPolicy secure_dns_policy,
@@ -147,7 +147,7 @@ class NET_EXPORT_PRIVATE SOCKSClientSocket : public StreamSocket {
   SecureDnsPolicy secure_dns_policy_;
   std::unique_ptr<HostResolver::ResolveHostRequest> resolve_host_request_;
   const HostPortPair destination_;
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
   RequestPriority priority_;
   ResolveErrorInfo resolve_error_info_;
 
diff --git a/chromium/net/socket/socks_client_socket_fuzzer.cc b/chromium/net/socket/socks_client_socket_fuzzer.cc
index 76650a40daf..5147d0caa34 100644
--- a/chromium/net/socket/socks_client_socket_fuzzer.cc
+++ b/chromium/net/socket/socks_client_socket_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -12,7 +12,7 @@
 #include "base/check_op.h"
 #include "net/base/address_list.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/mock_host_resolver.h"
@@ -52,8 +52,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   net::SOCKSClientSocket socket(
       std::move(fuzzed_socket), net::HostPortPair("foo", 80),
-      net::NetworkIsolationKey(), net::DEFAULT_PRIORITY, &mock_host_resolver,
-      net::SecureDnsPolicy::kAllow, TRAFFIC_ANNOTATION_FOR_TESTS);
+      net::NetworkAnonymizationKey(), net::DEFAULT_PRIORITY,
+      &mock_host_resolver, net::SecureDnsPolicy::kAllow,
+      TRAFFIC_ANNOTATION_FOR_TESTS);
   int result = socket.Connect(callback.callback());
   callback.GetResult(result);
   return 0;
diff --git a/chromium/net/socket/socks_client_socket_unittest.cc b/chromium/net/socket/socks_client_socket_unittest.cc
index 4ecade09887..5dca0040c8d 100644
--- a/chromium/net/socket/socks_client_socket_unittest.cc
+++ b/chromium/net/socket/socks_client_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -93,9 +93,9 @@ std::unique_ptr<SOCKSClientSocket> SOCKSClientSocketTest::BuildMockSocket(
   // non-owning pointer to it.
   tcp_sock_ = socket.get();
   return std::make_unique<SOCKSClientSocket>(
-      std::move(socket), HostPortPair(hostname, port), NetworkIsolationKey(),
-      DEFAULT_PRIORITY, host_resolver, SecureDnsPolicy::kAllow,
-      TRAFFIC_ANNOTATION_FOR_TESTS);
+      std::move(socket), HostPortPair(hostname, port),
+      NetworkAnonymizationKey(), DEFAULT_PRIORITY, host_resolver,
+      SecureDnsPolicy::kAllow, TRAFFIC_ANNOTATION_FOR_TESTS);
 }
 
 // Tests a complete handshake and the disconnection.
@@ -437,7 +437,7 @@ TEST_F(SOCKSClientSocketTest, Tag) {
   MockHostResolver host_resolver;
   SOCKSClientSocket socket(
       std::move(tagging_sock), HostPortPair("localhost", 80),
-      NetworkIsolationKey(), DEFAULT_PRIORITY, &host_resolver,
+      NetworkAnonymizationKey(), DEFAULT_PRIORITY, &host_resolver,
       SecureDnsPolicy::kAllow, TRAFFIC_ANNOTATION_FOR_TESTS);
 
   EXPECT_EQ(tagging_sock_ptr->tag(), SocketTag());
@@ -454,11 +454,12 @@ TEST_F(SOCKSClientSocketTest, SetSecureDnsPolicy) {
     StaticSocketDataProvider data;
     MockHostResolver host_resolver;
     host_resolver.rules()->AddRule("doh.test", "127.0.0.1");
-    SOCKSClientSocket socket(
-        std::make_unique<MockTCPClientSocket>(address_list_, NetLog::Get(),
-                                              &data),
-        HostPortPair("doh.test", 80), NetworkIsolationKey(), DEFAULT_PRIORITY,
-        &host_resolver, secure_dns_policy, TRAFFIC_ANNOTATION_FOR_TESTS);
+    SOCKSClientSocket socket(std::make_unique<MockTCPClientSocket>(
+                                 address_list_, NetLog::Get(), &data),
+                             HostPortPair("doh.test", 80),
+                             NetworkAnonymizationKey(), DEFAULT_PRIORITY,
+                             &host_resolver, secure_dns_policy,
+                             TRAFFIC_ANNOTATION_FOR_TESTS);
 
     EXPECT_EQ(ERR_IO_PENDING, socket.Connect(callback_.callback()));
     EXPECT_EQ(secure_dns_policy, host_resolver.last_secure_dns_policy());
diff --git a/chromium/net/socket/socks_connect_job.cc b/chromium/net/socket/socks_connect_job.cc
index 5bcecc50dce..faca28c1df5 100644
--- a/chromium/net/socket/socks_connect_job.cc
+++ b/chromium/net/socket/socks_connect_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -26,12 +26,12 @@ SOCKSSocketParams::SOCKSSocketParams(
     scoped_refptr<TransportSocketParams> proxy_server_params,
     bool socks_v5,
     const HostPortPair& host_port_pair,
-    const NetworkIsolationKey& network_isolation_key,
+    const NetworkAnonymizationKey& network_anonymization_key,
     const NetworkTrafficAnnotationTag& traffic_annotation)
     : transport_params_(std::move(proxy_server_params)),
       destination_(host_port_pair),
       socks_v5_(socks_v5),
-      network_isolation_key_(network_isolation_key),
+      network_anonymization_key_(network_anonymization_key),
       traffic_annotation_(traffic_annotation) {}
 
 SOCKSSocketParams::~SOCKSSocketParams() = default;
diff --git a/chromium/net/socket/socks_connect_job.h b/chromium/net/socket/socks_connect_job.h
index 1d6e7db4c42..142284a6893 100644
--- a/chromium/net/socket/socks_connect_job.h
+++ b/chromium/net/socket/socks_connect_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -32,7 +32,7 @@ class NET_EXPORT_PRIVATE SOCKSSocketParams
   SOCKSSocketParams(scoped_refptr<TransportSocketParams> proxy_server_params,
                     bool socks_v5,
                     const HostPortPair& host_port_pair,
-                    const NetworkIsolationKey& network_isolation_key,
+                    const NetworkAnonymizationKey& network_anonymization_key,
                     const NetworkTrafficAnnotationTag& traffic_annotation);
 
   SOCKSSocketParams(const SOCKSSocketParams&) = delete;
@@ -43,8 +43,8 @@ class NET_EXPORT_PRIVATE SOCKSSocketParams
   }
   const HostPortPair& destination() const { return destination_; }
   bool is_socks_v5() const { return socks_v5_; }
-  const NetworkIsolationKey& network_isolation_key() {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_isolation_key() {
+    return network_anonymization_key_;
   }
 
   const NetworkTrafficAnnotationTag traffic_annotation() {
@@ -60,7 +60,7 @@ class NET_EXPORT_PRIVATE SOCKSSocketParams
   // This is the HTTP destination.
   const HostPortPair destination_;
   const bool socks_v5_;
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
 
   NetworkTrafficAnnotationTag traffic_annotation_;
 };
diff --git a/chromium/net/socket/socks_connect_job_unittest.cc b/chromium/net/socket/socks_connect_job_unittest.cc
index deafcc0398a..e38b66bddbd 100644
--- a/chromium/net/socket/socks_connect_job_unittest.cc
+++ b/chromium/net/socket/socks_connect_job_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -73,14 +73,14 @@ class SOCKSConnectJobTest : public testing::Test, public WithTaskEnvironment {
       SecureDnsPolicy secure_dns_policy = SecureDnsPolicy::kAllow) {
     return base::MakeRefCounted<SOCKSSocketParams>(
         base::MakeRefCounted<TransportSocketParams>(
-            HostPortPair(kProxyHostName, kProxyPort), NetworkIsolationKey(),
+            HostPortPair(kProxyHostName, kProxyPort), NetworkAnonymizationKey(),
             secure_dns_policy, OnHostResolutionCallback(),
             /*supported_alpns=*/base::flat_set<std::string>()),
         socks_version == SOCKSVersion::V5,
         socks_version == SOCKSVersion::V4
             ? HostPortPair(kSOCKS4TestHost, kSOCKS4TestPort)
             : HostPortPair(kSOCKS5TestHost, kSOCKS5TestPort),
-        NetworkIsolationKey(), TRAFFIC_ANNOTATION_FOR_TESTS);
+        NetworkAnonymizationKey(), TRAFFIC_ANNOTATION_FOR_TESTS);
   }
 
  protected:
@@ -122,11 +122,12 @@ TEST_F(SOCKSConnectJobTest, HostResolutionFailureSOCKS4Endpoint) {
     scoped_refptr<SOCKSSocketParams> socket_params =
         base::MakeRefCounted<SOCKSSocketParams>(
             base::MakeRefCounted<TransportSocketParams>(
-                HostPortPair(kProxyHostName, kProxyPort), NetworkIsolationKey(),
-                SecureDnsPolicy::kAllow, OnHostResolutionCallback(),
+                HostPortPair(kProxyHostName, kProxyPort),
+                NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
+                OnHostResolutionCallback(),
                 /*supported_alpns=*/base::flat_set<std::string>()),
             false /* socks_v5 */, HostPortPair(hostname, kSOCKS4TestPort),
-            NetworkIsolationKey(), TRAFFIC_ANNOTATION_FOR_TESTS);
+            NetworkAnonymizationKey(), TRAFFIC_ANNOTATION_FOR_TESTS);
 
     TestConnectJobDelegate test_delegate;
     SOCKSConnectJob socks_connect_job(
@@ -450,8 +451,10 @@ TEST_F(SOCKSConnectJobTest, ConnectTiming) {
   // Proxy name resolution is not considered resolving the host name for
   // ConnectionInfo. For SOCKS4, where the host name is also looked up via DNS,
   // the resolution time is not currently reported.
-  EXPECT_EQ(base::TimeTicks(), socks_connect_job.connect_timing().dns_start);
-  EXPECT_EQ(base::TimeTicks(), socks_connect_job.connect_timing().dns_end);
+  EXPECT_EQ(base::TimeTicks(),
+            socks_connect_job.connect_timing().domain_lookup_start);
+  EXPECT_EQ(base::TimeTicks(),
+            socks_connect_job.connect_timing().domain_lookup_end);
 
   // The "connect" time for socks proxies includes DNS resolution time.
   EXPECT_EQ(start, socks_connect_job.connect_timing().connect_start);
diff --git a/chromium/net/socket/ssl_client_socket.cc b/chromium/net/socket/ssl_client_socket.cc
index 1df26854ca8..057e8294390 100644
--- a/chromium/net/socket/ssl_client_socket.cc
+++ b/chromium/net/socket/ssl_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/ssl_client_socket.h b/chromium/net/socket/ssl_client_socket.h
index d9da9917f3f..8aade61aee8 100644
--- a/chromium/net/socket/ssl_client_socket.h
+++ b/chromium/net/socket/ssl_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/ssl_client_socket_impl.cc b/chromium/net/socket/ssl_client_socket_impl.cc
index e140cb7ad51..a8e0aebcb18 100644
--- a/chromium/net/socket/ssl_client_socket_impl.cc
+++ b/chromium/net/socket/ssl_client_socket_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -602,9 +602,8 @@ bool SSLClientSocketImpl::GetSSLInfo(SSLInfo* ssl_info) {
   ssl_info->peer_signature_algorithm =
       SSL_get_peer_signature_algorithm(ssl_.get());
 
-  SSLConnectionStatusSetCipherSuite(
-      static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)),
-      &ssl_info->connection_status);
+  SSLConnectionStatusSetCipherSuite(SSL_CIPHER_get_protocol_id(cipher),
+                                    &ssl_info->connection_status);
   SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_.get()),
                                 &ssl_info->connection_status);
 
@@ -1254,9 +1253,8 @@ ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() {
   // Enforce keyUsage extension for RSA leaf certificates chaining up to known
   // roots.
   // TODO(crbug.com/795089): Enforce this unconditionally.
-  if (server_cert_verify_result_.is_issued_by_known_root) {
-    SSL_set_enforce_rsa_key_usage(ssl_.get(), 1);
-  }
+  SSL_set_enforce_rsa_key_usage(
+      ssl_.get(), server_cert_verify_result_.is_issued_by_known_root);
 
   // If the connection was good, check HPKP and CT status simultaneously,
   // but prefer to treat the HPKP error as more serious, if there was one.
@@ -1268,7 +1266,7 @@ ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() {
             server_cert_verify_result_.public_key_hashes, server_cert_.get(),
             server_cert_verify_result_.verified_cert.get(),
             TransportSecurityState::ENABLE_PIN_REPORTS,
-            ssl_config_.network_isolation_key, &pinning_failure_log_);
+             ssl_config_.network_anonymization_key, &pinning_failure_log_);
     switch (pin_validity) {
       case TransportSecurityState::PKPStatus::VIOLATED:
         server_cert_verify_result_.cert_status |=
@@ -1341,7 +1339,7 @@ int SSLClientSocketImpl::CheckCTCompliance() {
           server_cert_verify_result_.scts,
           TransportSecurityState::ENABLE_EXPECT_CT_REPORTS,
           server_cert_verify_result_.policy_compliance,
-          ssl_config_.network_isolation_key);
+          ssl_config_.network_anonymization_key);
 
   if (context_->sct_auditing_delegate()) {
     context_->sct_auditing_delegate()->MaybeEnqueueReport(
@@ -1729,7 +1727,7 @@ SSLClientSessionCache::Key SSLClientSocketImpl::GetSessionCacheKey(
   key.dest_ip_addr = dest_ip_addr;
   if (base::FeatureList::IsEnabled(
           features::kPartitionSSLSessionsByNetworkIsolationKey)) {
-    key.network_isolation_key = ssl_config_.network_isolation_key;
+    key.network_anonymization_key = ssl_config_.network_anonymization_key;
   }
   key.privacy_mode = ssl_config_.privacy_mode;
   key.disable_legacy_crypto = ssl_config_.disable_legacy_crypto;
diff --git a/chromium/net/socket/ssl_client_socket_impl.h b/chromium/net/socket/ssl_client_socket_impl.h
index e8c93487881..9f38ffa7a8a 100644
--- a/chromium/net/socket/ssl_client_socket_impl.h
+++ b/chromium/net/socket/ssl_client_socket_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/ssl_client_socket_unittest.cc b/chromium/net/socket/ssl_client_socket_unittest.cc
index 3b022704ed4..926804d8a1c 100644
--- a/chromium/net/socket/ssl_client_socket_unittest.cc
+++ b/chromium/net/socket/ssl_client_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -39,7 +39,7 @@
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "net/base/test_completion_callback.h"
 #include "net/cert/asn1_util.h"
@@ -602,14 +602,14 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
       const X509Certificate* served_certificate_chain,
       const SignedCertificateTimestampAndStatusList&
           signed_certificate_timestamps,
-      const NetworkIsolationKey& network_isolation_key) override {
+      const NetworkAnonymizationKey& network_anonymization_key) override {
     num_failures_++;
     host_port_pair_ = host_port_pair;
     report_uri_ = report_uri;
     served_certificate_chain_ = served_certificate_chain;
     validated_certificate_chain_ = validated_certificate_chain;
     signed_certificate_timestamps_ = signed_certificate_timestamps;
-    network_isolation_key_ = network_isolation_key;
+    network_anonymization_key_ = network_anonymization_key;
   }
 
   const HostPortPair& host_port_pair() const { return host_port_pair_; }
@@ -625,8 +625,8 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
       const {
     return signed_certificate_timestamps_;
   }
-  const NetworkIsolationKey network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key() const {
+    return network_anonymization_key_;
   }
 
  private:
@@ -636,7 +636,7 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
   raw_ptr<const X509Certificate> served_certificate_chain_;
   raw_ptr<const X509Certificate> validated_certificate_chain_;
   SignedCertificateTimestampAndStatusList signed_certificate_timestamps_;
-  NetworkIsolationKey network_isolation_key_;
+  NetworkAnonymizationKey network_anonymization_key_;
 };
 
 // A mock CTVerifier that records every call to Verify but doesn't verify
@@ -3152,7 +3152,7 @@ TEST_F(SSLClientSocketTest, SessionResumptionAlpn) {
   EXPECT_EQ(kProtoHTTP11, sock_->GetNegotiatedProtocol());
 }
 
-// Tests that the session cache is not sharded by NetworkIsolationKey if the
+// Tests that the session cache is not sharded by NetworkAnonymizationKey if the
 // feature is disabled.
 TEST_P(SSLClientSocketVersionTest,
        SessionResumptionNetworkIsolationKeyDisabled) {
@@ -3185,10 +3185,11 @@ TEST_P(SSLClientSocketVersionTest,
   EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 
-  // Using a different NetworkIsolationKey shares session cache key because
+  // Using a different NetworkAnonymizationKey shares session cache key because
   // sharding is disabled.
   const SchemefulSite kSiteA(GURL("https://a.test"));
-  ssl_config.network_isolation_key = NetworkIsolationKey(kSiteA, kSiteA);
+  ssl_config.network_anonymization_key =
+      NetworkAnonymizationKey(kSiteA, kSiteA, /*is_cross_site=*/false);
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
@@ -3197,7 +3198,8 @@ TEST_P(SSLClientSocketVersionTest,
   sock_.reset();
 
   const SchemefulSite kSiteB(GURL("https://a.test"));
-  ssl_config.network_isolation_key = NetworkIsolationKey(kSiteB, kSiteB);
+  ssl_config.network_anonymization_key =
+      NetworkAnonymizationKey(kSiteB, kSiteB, /*is_cross_site=*/false);
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
@@ -3206,7 +3208,7 @@ TEST_P(SSLClientSocketVersionTest,
   sock_.reset();
 }
 
-// Tests that the session cache is sharded by NetworkIsolationKey if the
+// Tests that the session cache is sharded by NetworkAnonymizationKey if the
 // feature is enabled.
 TEST_P(SSLClientSocketVersionTest,
        SessionResumptionNetworkIsolationKeyEnabled) {
@@ -3216,8 +3218,10 @@ TEST_P(SSLClientSocketVersionTest,
 
   const SchemefulSite kSiteA(GURL("https://a.test"));
   const SchemefulSite kSiteB(GURL("https://b.test"));
-  const NetworkIsolationKey kNetworkIsolationKeyA(kSiteA, kSiteA);
-  const NetworkIsolationKey kNetworkIsolationKeyB(kSiteB, kSiteB);
+  const NetworkAnonymizationKey kNetworkAnonymizationKeyA(
+      kSiteA, kSiteA, /*is_cross_site=*/false);
+  const NetworkAnonymizationKey kNetworkAnonymizationKeyB(
+      kSiteB, kSiteB, /*is_cross_site=*/false);
 
   ASSERT_TRUE(
       StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
@@ -3244,8 +3248,9 @@ TEST_P(SSLClientSocketVersionTest,
   EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 
-  // Using a different NetworkIsolationKey uses a different session cache key.
-  ssl_config.network_isolation_key = kNetworkIsolationKeyA;
+  // Using a different NetworkAnonymizationKey uses a different session cache
+  // key.
+  ssl_config.network_anonymization_key = kNetworkAnonymizationKeyA;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
@@ -3262,7 +3267,7 @@ TEST_P(SSLClientSocketVersionTest,
   sock_.reset();
 
   // Repeat with another non-null key.
-  ssl_config.network_isolation_key = kNetworkIsolationKeyB;
+  ssl_config.network_anonymization_key = kNetworkAnonymizationKeyB;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
@@ -3278,7 +3283,7 @@ TEST_P(SSLClientSocketVersionTest,
   sock_.reset();
 
   // b.test does not evict a.test's session.
-  ssl_config.network_isolation_key = kNetworkIsolationKeyA;
+  ssl_config.network_anonymization_key = kNetworkAnonymizationKeyA;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
@@ -4015,8 +4020,7 @@ TEST_P(SSLClientSocketVersionTest, IgnoreCertificateErrorsBypassesRequiredCT) {
 // absence of CT information is a socket error.
 TEST_P(SSLClientSocketVersionTest, CTIsRequiredByExpectCT) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   ASSERT_TRUE(
       StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
@@ -4032,13 +4036,13 @@ TEST_P(SSLClientSocketVersionTest, CTIsRequiredByExpectCT) {
   cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
 
   // Set up the Expect-CT opt-in.
-  NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::Seconds(1000);
   transport_security_state_->AddExpectCT(
       host_port_pair().host(), expiry, true /* enforce */,
-      GURL("https://example-report.test"), network_isolation_key);
+      GURL("https://example-report.test"), network_anonymization_key);
   MockExpectCTReporter reporter;
   transport_security_state_->SetExpectCTReporter(&reporter);
 
@@ -4047,7 +4051,7 @@ TEST_P(SSLClientSocketVersionTest, CTIsRequiredByExpectCT) {
           Return(ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS));
 
   SSLConfig ssl_config;
-  ssl_config.network_isolation_key = network_isolation_key;
+  ssl_config.network_anonymization_key = network_anonymization_key;
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   SSLInfo ssl_info;
@@ -4064,7 +4068,7 @@ TEST_P(SSLClientSocketVersionTest, CTIsRequiredByExpectCT) {
             reporter.served_certificate_chain());
   EXPECT_EQ(ssl_info.cert.get(), reporter.validated_certificate_chain());
   EXPECT_EQ(0u, reporter.signed_certificate_timestamps().size());
-  EXPECT_EQ(network_isolation_key, reporter.network_isolation_key());
+  EXPECT_EQ(network_anonymization_key, reporter.network_anonymization_key());
 
   transport_security_state_->ClearReportCachesForTesting();
   EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
@@ -4084,7 +4088,7 @@ TEST_P(SSLClientSocketVersionTest, CTIsRequiredByExpectCT) {
             reporter.served_certificate_chain());
   EXPECT_EQ(ssl_info.cert.get(), reporter.validated_certificate_chain());
   EXPECT_EQ(0u, reporter.signed_certificate_timestamps().size());
-  EXPECT_EQ(network_isolation_key, reporter.network_isolation_key());
+  EXPECT_EQ(network_anonymization_key, reporter.network_anonymization_key());
 
   // If the connection is CT compliant, then there should be no socket error nor
   // a report.
diff --git a/chromium/net/socket/ssl_connect_job.cc b/chromium/net/socket/ssl_connect_job.cc
index 7c26c38069c..027f21c297d 100644
--- a/chromium/net/socket/ssl_connect_job.cc
+++ b/chromium/net/socket/ssl_connect_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -53,14 +53,14 @@ SSLSocketParams::SSLSocketParams(
     const HostPortPair& host_and_port,
     const SSLConfig& ssl_config,
     PrivacyMode privacy_mode,
-    NetworkIsolationKey network_isolation_key)
+    NetworkAnonymizationKey network_anonymization_key)
     : direct_params_(std::move(direct_params)),
       socks_proxy_params_(std::move(socks_proxy_params)),
       http_proxy_params_(std::move(http_proxy_params)),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       privacy_mode_(privacy_mode),
-      network_isolation_key_(network_isolation_key) {
+      network_anonymization_key_(network_anonymization_key) {
   // Only one set of lower level ConnectJob params should be non-NULL.
   DCHECK((direct_params_ && !socks_proxy_params_ && !http_proxy_params_) ||
          (!direct_params_ && socks_proxy_params_ && !http_proxy_params_) ||
@@ -376,8 +376,9 @@ int SSLConnectJob::DoSSLConnect() {
   // |connect_start| doesn't include dns times, and it adjusts the time so
   // as not to include time spent waiting for an idle socket.
   connect_timing_.connect_start = socket_connect_timing.connect_start;
-  connect_timing_.dns_start = socket_connect_timing.dns_start;
-  connect_timing_.dns_end = socket_connect_timing.dns_end;
+  connect_timing_.domain_lookup_start =
+      socket_connect_timing.domain_lookup_start;
+  connect_timing_.domain_lookup_end = socket_connect_timing.domain_lookup_end;
 
   ssl_negotiation_started_ = true;
   connect_timing_.ssl_start = base::TimeTicks::Now();
@@ -387,7 +388,7 @@ int SSLConnectJob::DoSSLConnect() {
   endpoint_result_ = nested_connect_job_->GetHostResolverEndpointResult();
 
   SSLConfig ssl_config = params_->ssl_config();
-  ssl_config.network_isolation_key = params_->network_isolation_key();
+  ssl_config.network_anonymization_key = params_->network_anonymization_key();
   ssl_config.privacy_mode = params_->privacy_mode();
   ssl_config.disable_legacy_crypto = disable_legacy_crypto_with_fallback_;
 
diff --git a/chromium/net/socket/ssl_connect_job.h b/chromium/net/socket/ssl_connect_job.h
index 7d4c3c21cc2..fd799b40c68 100644
--- a/chromium/net/socket/ssl_connect_job.h
+++ b/chromium/net/socket/ssl_connect_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,9 +17,9 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/completion_repeating_callback.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/resolve_error_info.h"
 #include "net/socket/connect_job.h"
 #include "net/socket/connection_attempts.h"
@@ -49,7 +49,7 @@ class NET_EXPORT_PRIVATE SSLSocketParams
                   const HostPortPair& host_and_port,
                   const SSLConfig& ssl_config,
                   PrivacyMode privacy_mode,
-                  NetworkIsolationKey network_isolation_key);
+                  NetworkAnonymizationKey network_anonymization_key);
 
   SSLSocketParams(const SSLSocketParams&) = delete;
   SSLSocketParams& operator=(const SSLSocketParams&) = delete;
@@ -70,8 +70,8 @@ class NET_EXPORT_PRIVATE SSLSocketParams
   const HostPortPair& host_and_port() const { return host_and_port_; }
   const SSLConfig& ssl_config() const { return ssl_config_; }
   PrivacyMode privacy_mode() const { return privacy_mode_; }
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
 
  private:
@@ -84,7 +84,7 @@ class NET_EXPORT_PRIVATE SSLSocketParams
   const HostPortPair host_and_port_;
   const SSLConfig ssl_config_;
   const PrivacyMode privacy_mode_;
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
 };
 
 // SSLConnectJob establishes a connection, through a proxy if needed, and then
diff --git a/chromium/net/socket/ssl_connect_job_unittest.cc b/chromium/net/socket/ssl_connect_job_unittest.cc
index cb327a5139d..a0ad43fdac9 100644
--- a/chromium/net/socket/ssl_connect_job_unittest.cc
+++ b/chromium/net/socket/ssl_connect_job_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -70,8 +70,8 @@ IPAddress ParseIP(const std::string& ip) {
 // Just check that all connect times are set to base::TimeTicks::Now(), for
 // tests that don't update the mocked out time.
 void CheckConnectTimesSet(const LoadTimingInfo::ConnectTiming& connect_timing) {
-  EXPECT_EQ(base::TimeTicks::Now(), connect_timing.dns_start);
-  EXPECT_EQ(base::TimeTicks::Now(), connect_timing.dns_end);
+  EXPECT_EQ(base::TimeTicks::Now(), connect_timing.domain_lookup_start);
+  EXPECT_EQ(base::TimeTicks::Now(), connect_timing.domain_lookup_end);
   EXPECT_EQ(base::TimeTicks::Now(), connect_timing.connect_start);
   EXPECT_EQ(base::TimeTicks::Now(), connect_timing.ssl_start);
   EXPECT_EQ(base::TimeTicks::Now(), connect_timing.ssl_end);
@@ -83,8 +83,8 @@ void CheckConnectTimesSet(const LoadTimingInfo::ConnectTiming& connect_timing) {
 // proxy.
 void CheckConnectTimesExceptDnsSet(
     const LoadTimingInfo::ConnectTiming& connect_timing) {
-  EXPECT_TRUE(connect_timing.dns_start.is_null());
-  EXPECT_TRUE(connect_timing.dns_end.is_null());
+  EXPECT_TRUE(connect_timing.domain_lookup_start.is_null());
+  EXPECT_TRUE(connect_timing.domain_lookup_end.is_null());
   EXPECT_EQ(base::TimeTicks::Now(), connect_timing.connect_start);
   EXPECT_EQ(base::TimeTicks::Now(), connect_timing.ssl_start);
   EXPECT_EQ(base::TimeTicks::Now(), connect_timing.ssl_end);
@@ -103,7 +103,7 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
         direct_transport_socket_params_(
             base::MakeRefCounted<TransportSocketParams>(
                 url::SchemeHostPort(url::kHttpsScheme, "host", 443),
-                NetworkIsolationKey(),
+                NetworkAnonymizationKey(),
                 SecureDnsPolicy::kAllow,
                 OnHostResolutionCallback(),
                 /*supported_alpns=*/
@@ -111,7 +111,7 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
         proxy_transport_socket_params_(
             base::MakeRefCounted<TransportSocketParams>(
                 HostPortPair("proxy", 443),
-                NetworkIsolationKey(),
+                NetworkAnonymizationKey(),
                 SecureDnsPolicy::kAllow,
                 OnHostResolutionCallback(),
                 /*supported_alpns=*/base::flat_set<std::string>({}))),
@@ -119,7 +119,7 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
             proxy_transport_socket_params_,
             true,
             HostPortPair("sockshost", 443),
-            NetworkIsolationKey(),
+            NetworkAnonymizationKey(),
             TRAFFIC_ANNOTATION_FOR_TESTS)),
         http_proxy_socket_params_(base::MakeRefCounted<HttpProxySocketParams>(
             proxy_transport_socket_params_,
@@ -128,7 +128,7 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
             HostPortPair("host", 80),
             /*tunnel=*/true,
             TRAFFIC_ANNOTATION_FOR_TESTS,
-            NetworkIsolationKey())),
+            NetworkAnonymizationKey())),
         common_connect_job_params_(session_->CreateCommonConnectJobParams()) {}
 
   ~SSLConnectJobTest() override = default;
@@ -149,7 +149,7 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
         proxy == ProxyServer::SCHEME_SOCKS5 ? socks_socket_params_ : nullptr,
         proxy == ProxyServer::SCHEME_HTTP ? http_proxy_socket_params_ : nullptr,
         HostPortPair("host", 443), SSLConfig(), PRIVACY_MODE_DISABLED,
-        NetworkIsolationKey());
+        NetworkAnonymizationKey());
   }
 
   void AddAuthToCache() {
@@ -157,7 +157,7 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
     const std::u16string kBar(u"bar");
     session_->http_auth_cache()->Add(
         url::SchemeHostPort(GURL("http://proxy:443/")), HttpAuth::AUTH_PROXY,
-        "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+        "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
         "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar), "/");
   }
 
@@ -365,8 +365,9 @@ TEST_F(SSLConnectJobTest, BasicDirectAsync) {
   // |dns_start|, which is the only one recorded before the FastForwardBy()
   // call. The test classes don't allow any other phases to be triggered on
   // demand, or delayed by a set interval.
-  EXPECT_EQ(start_time, ssl_connect_job->connect_timing().dns_start);
-  EXPECT_EQ(resolve_complete_time, ssl_connect_job->connect_timing().dns_end);
+  EXPECT_EQ(start_time, ssl_connect_job->connect_timing().domain_lookup_start);
+  EXPECT_EQ(resolve_complete_time,
+            ssl_connect_job->connect_timing().domain_lookup_end);
   EXPECT_EQ(resolve_complete_time,
             ssl_connect_job->connect_timing().connect_start);
   EXPECT_EQ(resolve_complete_time, ssl_connect_job->connect_timing().ssl_start);
@@ -446,7 +447,7 @@ TEST_F(SSLConnectJobTest, SecureDnsPolicy) {
     direct_transport_socket_params_ =
         base::MakeRefCounted<TransportSocketParams>(
             url::SchemeHostPort(url::kHttpsScheme, "host", 443),
-            NetworkIsolationKey(), secure_dns_policy,
+            NetworkAnonymizationKey(), secure_dns_policy,
             OnHostResolutionCallback(),
             /*supported_alpns=*/base::flat_set<std::string>{"h2", "http/1.1"});
     auto common_connect_job_params = session_->CreateCommonConnectJobParams();
diff --git a/chromium/net/socket/ssl_server_socket.h b/chromium/net/socket/ssl_server_socket.h
index 4b1dcc97d07..74fe0f1e956 100644
--- a/chromium/net/socket/ssl_server_socket.h
+++ b/chromium/net/socket/ssl_server_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/socket/ssl_server_socket_impl.cc b/chromium/net/socket/ssl_server_socket_impl.cc
index 5b6598c79cd..5ead995848c 100644
--- a/chromium/net/socket/ssl_server_socket_impl.cc
+++ b/chromium/net/socket/ssl_server_socket_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -571,9 +571,8 @@ bool SSLServerContextImpl::SocketImpl::GetSSLInfo(SSLInfo* ssl_info) {
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl_.get());
   CHECK(cipher);
 
-  SSLConnectionStatusSetCipherSuite(
-      static_cast<uint16_t>(SSL_CIPHER_get_id(cipher)),
-      &ssl_info->connection_status);
+  SSLConnectionStatusSetCipherSuite(SSL_CIPHER_get_protocol_id(cipher),
+                                    &ssl_info->connection_status);
   SSLConnectionStatusSetVersion(GetNetSSLVersion(ssl_.get()),
                                 &ssl_info->connection_status);
 
diff --git a/chromium/net/socket/ssl_server_socket_impl.h b/chromium/net/socket/ssl_server_socket_impl.h
index 5db94303d9f..41a7cd42f25 100644
--- a/chromium/net/socket/ssl_server_socket_impl.h
+++ b/chromium/net/socket/ssl_server_socket_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/ssl_server_socket_unittest.cc b/chromium/net/socket/ssl_server_socket_unittest.cc
index 71b37bfa882..a74735f7ae3 100644
--- a/chromium/net/socket/ssl_server_socket_unittest.cc
+++ b/chromium/net/socket/ssl_server_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -37,9 +37,7 @@
 #include "base/test/task_environment.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "build/build_config.h"
-#include "crypto/nss_util.h"
 #include "crypto/rsa_private_key.h"
-#include "crypto/signature_creator.h"
 #include "net/base/address_list.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/host_port_pair.h"
diff --git a/chromium/net/socket/ssl_socket.h b/chromium/net/socket/ssl_socket.h
index 301807e523d..38f429ba05a 100644
--- a/chromium/net/socket/ssl_socket.h
+++ b/chromium/net/socket/ssl_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/stream_socket.cc b/chromium/net/socket/stream_socket.cc
index 611369d50d2..a8cf99a1206 100644
--- a/chromium/net/socket/stream_socket.cc
+++ b/chromium/net/socket/stream_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/stream_socket.h b/chromium/net/socket/stream_socket.h
index f3eb4fc254e..d097325ec2f 100644
--- a/chromium/net/socket/stream_socket.h
+++ b/chromium/net/socket/stream_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_client_socket.cc b/chromium/net/socket/tcp_client_socket.cc
index 3f921f41b9c..b411312d9a3 100644
--- a/chromium/net/socket/tcp_client_socket.cc
+++ b/chromium/net/socket/tcp_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -28,6 +28,14 @@
 
 namespace net {
 
+namespace {
+
+void LogReadSize(int read_size) {
+  UMA_HISTOGRAM_COUNTS_10M("Net.TCPClientSocketReadSize", read_size);
+}
+
+}  // namespace
+
 class NetLogWithSource;
 
 TCPClientSocket::TCPClientSocket(
@@ -200,6 +208,7 @@ int TCPClientSocket::ReadCommon(IOBuffer* buf,
   } else if (result > 0) {
     was_ever_used_ = true;
     total_received_bytes_ += result;
+    LogReadSize(result);
   }
 
   return result;
@@ -433,6 +442,8 @@ int TCPClientSocket::Write(
   if (was_disconnected_on_suspend_)
     return ERR_NETWORK_IO_SUSPENDED;
 
+  UMA_HISTOGRAM_COUNTS_10M("Net.TCPClientSocketWriteSize", buf_len);
+
   // |socket_| is owned by this class and the callback won't be run once
   // |socket_| is gone. Therefore, it is safe to use base::Unretained() here.
   CompletionOnceCallback complete_write_callback = base::BindOnce(
@@ -525,8 +536,10 @@ void TCPClientSocket::DidCompleteConnect(int result) {
 void TCPClientSocket::DidCompleteRead(int result) {
   DCHECK(!read_callback_.is_null());
 
-  if (result > 0)
+  if (result > 0) {
     total_received_bytes_ += result;
+    LogReadSize(result);
+  }
   DidCompleteReadWrite(std::move(read_callback_), result);
 }
 
diff --git a/chromium/net/socket/tcp_client_socket.h b/chromium/net/socket/tcp_client_socket.h
index b8508252db4..b761849ae08 100644
--- a/chromium/net/socket/tcp_client_socket.h
+++ b/chromium/net/socket/tcp_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_client_socket_unittest.cc b/chromium/net/socket/tcp_client_socket_unittest.cc
index 0dd88c4b995..57051affaf3 100644
--- a/chromium/net/socket/tcp_client_socket_unittest.cc
+++ b/chromium/net/socket/tcp_client_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_server_socket.cc b/chromium/net/socket/tcp_server_socket.cc
index ea14a44e8b8..31461540319 100644
--- a/chromium/net/socket/tcp_server_socket.cc
+++ b/chromium/net/socket/tcp_server_socket.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_server_socket.h b/chromium/net/socket/tcp_server_socket.h
index ae883b35c3c..d556541fe09 100644
--- a/chromium/net/socket/tcp_server_socket.h
+++ b/chromium/net/socket/tcp_server_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_server_socket_unittest.cc b/chromium/net/socket/tcp_server_socket_unittest.cc
index 05b25282afb..da275064acb 100644
--- a/chromium/net/socket/tcp_server_socket_unittest.cc
+++ b/chromium/net/socket/tcp_server_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_socket.h b/chromium/net/socket/tcp_socket.h
index f2c6c6441c3..cef60f9237d 100644
--- a/chromium/net/socket/tcp_socket.h
+++ b/chromium/net/socket/tcp_socket.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_socket_posix.cc b/chromium/net/socket/tcp_socket_posix.cc
index ac53c0f3705..4e7a6edd9c0 100644
--- a/chromium/net/socket/tcp_socket_posix.cc
+++ b/chromium/net/socket/tcp_socket_posix.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_socket_posix.h b/chromium/net/socket/tcp_socket_posix.h
index 6cad47a82e7..5cd967010cb 100644
--- a/chromium/net/socket/tcp_socket_posix.h
+++ b/chromium/net/socket/tcp_socket_posix.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_socket_unittest.cc b/chromium/net/socket/tcp_socket_unittest.cc
index be9ab1b5982..1cb50d2ecfd 100644
--- a/chromium/net/socket/tcp_socket_unittest.cc
+++ b/chromium/net/socket/tcp_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -1024,12 +1024,11 @@ TEST_F(TCPSocketTest, BindToNetwork) {
   // Try binding to this IP to trigger the underlying BindToNetwork call.
   const IPEndPoint ip(IPAddress::IPv4Localhost(), 0);
   // TestCompletionCallback connect_callback;
-  TCPClientSocket connecting_socket(local_address_list(), nullptr, nullptr,
-                                    nullptr, NetLogSource(),
-                                    wrong_network_handle);
+  TCPClientSocket wrong_socket(local_address_list(), nullptr, nullptr, nullptr,
+                               NetLogSource(), wrong_network_handle);
   // Different Android versions might report different errors. Hence, just check
   // what shouldn't happen.
-  int rv = connecting_socket.Bind(ip);
+  int rv = wrong_socket.Bind(ip);
   EXPECT_NE(OK, rv);
   EXPECT_NE(ERR_NOT_IMPLEMENTED, rv);
 
@@ -1037,10 +1036,9 @@ TEST_F(TCPSocketTest, BindToNetwork) {
   const handles::NetworkHandle network_handle =
       NetworkChangeNotifier::GetDefaultNetwork();
   if (network_handle != handles::kInvalidNetworkHandle) {
-    TCPClientSocket connecting_socket(local_address_list(), nullptr, nullptr,
-                                      nullptr, NetLogSource(),
-                                      wrong_network_handle);
-    EXPECT_EQ(OK, connecting_socket.Bind(ip));
+    TCPClientSocket correct_socket(local_address_list(), nullptr, nullptr,
+                                   nullptr, NetLogSource(), network_handle);
+    EXPECT_EQ(OK, correct_socket.Bind(ip));
   }
 }
 
diff --git a/chromium/net/socket/tcp_socket_win.cc b/chromium/net/socket/tcp_socket_win.cc
index f8ddee0f0a0..72933683aa9 100644
--- a/chromium/net/socket/tcp_socket_win.cc
+++ b/chromium/net/socket/tcp_socket_win.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/tcp_socket_win.h b/chromium/net/socket/tcp_socket_win.h
index 36fcb08f330..a5fa3c3c7df 100644
--- a/chromium/net/socket/tcp_socket_win.h
+++ b/chromium/net/socket/tcp_socket_win.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/transport_client_socket.cc b/chromium/net/socket/transport_client_socket.cc
index 76e4514725a..cc701b07c03 100644
--- a/chromium/net/socket/transport_client_socket.cc
+++ b/chromium/net/socket/transport_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/transport_client_socket.h b/chromium/net/socket/transport_client_socket.h
index 4bb5ec1c8f5..7cf44a499dd 100644
--- a/chromium/net/socket/transport_client_socket.h
+++ b/chromium/net/socket/transport_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/transport_client_socket_pool.cc b/chromium/net/socket/transport_client_socket_pool.cc
index 39e6f11064f..26312c6885a 100644
--- a/chromium/net/socket/transport_client_socket_pool.cc
+++ b/chromium/net/socket/transport_client_socket_pool.cc
@@ -1,10 +1,9 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/transport_client_socket_pool.h"
 
-#include <algorithm>
 #include <utility>
 
 #include "base/auto_reset.h"
@@ -19,6 +18,7 @@
 #include "base/memory/ptr_util.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/notreached.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/task/single_thread_task_runner.h"
@@ -1391,7 +1391,8 @@ void TransportClientSocketPool::InvokeUserCallbackLater(
   }
   base::ThreadTaskRunnerHandle::Get()->PostTask(
       FROM_HERE, base::BindOnce(&TransportClientSocketPool::InvokeUserCallback,
-                                weak_factory_.GetWeakPtr(), handle));
+                                weak_factory_.GetWeakPtr(),
+                                base::UnsafeDanglingUntriaged(handle)));
 }
 
 void TransportClientSocketPool::InvokeUserCallback(ClientSocketHandle* handle) {
@@ -1510,14 +1511,11 @@ std::unique_ptr<ConnectJob> TransportClientSocketPool::Group::RemoveUnboundJob(
   SanityCheck();
 
   // Check that |job| is in the list.
-  auto it = std::find_if(jobs_.begin(), jobs_.end(),
-                         [job](const std::unique_ptr<ConnectJob>& ptr) {
-                           return ptr.get() == job;
-                         });
+  auto it = base::ranges::find(jobs_, job, &std::unique_ptr<ConnectJob>::get);
   DCHECK(it != jobs_.end());
 
   // Check if |job| is in the unassigned jobs list. If so, remove it.
-  auto it2 = std::find(unassigned_jobs_.begin(), unassigned_jobs_.end(), job);
+  auto it2 = base::ranges::find(unassigned_jobs_, job);
   if (it2 != unassigned_jobs_.end()) {
     unassigned_jobs_.erase(it2);
   } else {
@@ -1625,13 +1623,9 @@ void TransportClientSocketPool::Group::SanityCheck() const {
       ConnectJob* job = pointer.value()->job();
       DCHECK(job);
       // The request's job is not in |unassigned_jobs_|
-      DCHECK(std::find(unassigned_jobs_.begin(), unassigned_jobs_.end(), job) ==
-             unassigned_jobs_.end());
+      DCHECK(!base::Contains(unassigned_jobs_, job));
       // The request's job is in |jobs_|
-      DCHECK(std::find_if(jobs_.begin(), jobs_.end(),
-                          [job](const std::unique_ptr<ConnectJob>& ptr) {
-                            return ptr.get() == job;
-                          }) != jobs_.end());
+      DCHECK(base::Contains(jobs_, job, &std::unique_ptr<ConnectJob>::get));
       // The same job is not assigned to any other request with a job.
       RequestQueue::Pointer pointer2 =
           unbound_requests_.GetNextTowardsLastMin(pointer);
@@ -1652,20 +1646,17 @@ void TransportClientSocketPool::Group::SanityCheck() const {
   for (auto it = unassigned_jobs_.begin(); it != unassigned_jobs_.end(); ++it) {
     // Check that all unassigned jobs are in |jobs_|
     ConnectJob* job = *it;
-    DCHECK(std::find_if(jobs_.begin(), jobs_.end(),
-                        [job](const std::unique_ptr<ConnectJob>& ptr) {
-                          return ptr.get() == job;
-                        }) != jobs_.end());
+    DCHECK(base::Contains(jobs_, job, &std::unique_ptr<ConnectJob>::get));
     // Check that there are no duplicated entries in |unassigned_jobs_|
     for (auto it2 = std::next(it); it2 != unassigned_jobs_.end(); ++it2) {
       DCHECK_NE(job, *it2);
     }
 
     // Check that no |unassigned_jobs_| are in |bound_requests_|.
-    DCHECK(std::find_if(bound_requests_.begin(), bound_requests_.end(),
-                        [job](const BoundRequest& bound_request) {
-                          return bound_request.connect_job.get() == job;
-                        }) == bound_requests_.end());
+    DCHECK(!base::Contains(bound_requests_, job,
+                           [](const BoundRequest& bound_request) {
+                             return bound_request.connect_job.get();
+                           }));
   }
 #endif
 }
@@ -1935,8 +1926,7 @@ TransportClientSocketPool::Group::FindUnboundRequestWithJob(
       return pointer;
   }
   // If a request with the job was not found, it must be in |unassigned_jobs_|.
-  DCHECK(std::find(unassigned_jobs_.begin(), unassigned_jobs_.end(), job) !=
-         unassigned_jobs_.end());
+  DCHECK(base::Contains(unassigned_jobs_, job));
   return RequestQueue::Pointer();
 }
 
diff --git a/chromium/net/socket/transport_client_socket_pool.h b/chromium/net/socket/transport_client_socket_pool.h
index 724c8c0fd30..2118991c2c5 100644
--- a/chromium/net/socket/transport_client_socket_pool.h
+++ b/chromium/net/socket/transport_client_socket_pool.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/transport_client_socket_pool_test_util.cc b/chromium/net/socket/transport_client_socket_pool_test_util.cc
index 184f21ab1dc..8cc40b654da 100644
--- a/chromium/net/socket/transport_client_socket_pool_test_util.cc
+++ b/chromium/net/socket/transport_client_socket_pool_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/transport_client_socket_pool_test_util.h b/chromium/net/socket/transport_client_socket_pool_test_util.h
index 01b73b7bb32..d208d757d9e 100644
--- a/chromium/net/socket/transport_client_socket_pool_test_util.h
+++ b/chromium/net/socket/transport_client_socket_pool_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/transport_client_socket_pool_unittest.cc b/chromium/net/socket/transport_client_socket_pool_unittest.cc
index ab55ba4de07..1ef2149f652 100644
--- a/chromium/net/socket/transport_client_socket_pool_unittest.cc
+++ b/chromium/net/socket/transport_client_socket_pool_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -115,7 +115,7 @@ class TransportClientSocketPoolTest : public ::testing::Test,
             TransportClientSocketPool::set_connect_backup_jobs_enabled(true)),
         group_id_(url::SchemeHostPort(url::kHttpScheme, "www.google.com", 80),
                   PrivacyMode::PRIVACY_MODE_DISABLED,
-                  NetworkIsolationKey(),
+                  NetworkAnonymizationKey(),
                   SecureDnsPolicy::kAllow),
         params_(ClientSocketPool::SocketParams::CreateForHttpForTesting()),
         client_socket_factory_(NetLog::Get()) {
@@ -164,7 +164,7 @@ class TransportClientSocketPoolTest : public ::testing::Test,
   int StartRequest(const std::string& host_name, RequestPriority priority) {
     ClientSocketPool::GroupId group_id(
         url::SchemeHostPort(url::kHttpScheme, host_name, 80),
-        PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+        PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
         SecureDnsPolicy::kAllow);
     return test_base_.StartRequestUsingPool(
         pool_.get(), group_id, priority,
@@ -267,7 +267,7 @@ TEST_F(TransportClientSocketPoolTest, SetSecureDnsPolicy) {
     ClientSocketHandle handle;
     ClientSocketPool::GroupId group_id(
         url::SchemeHostPort(url::kHttpScheme, "www.google.com", 80),
-        PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+        PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
         secure_dns_policy);
     EXPECT_EQ(
         ERR_IO_PENDING,
@@ -1060,7 +1060,7 @@ TEST(TransportClientSocketPoolStandaloneTest, DontCleanupOnIPAddressChange) {
       false /* cleanup_on_ip_address_change */);
   const ClientSocketPool::GroupId group_id(
       url::SchemeHostPort(url::kHttpScheme, "www.google.com", 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
   TestCompletionCallback callback;
   ClientSocketHandle handle;
@@ -1108,13 +1108,14 @@ TEST_F(TransportClientSocketPoolTest, SSLCertError) {
 
   ClientSocketHandle handle;
   TestCompletionCallback callback;
-  int rv = handle.Init(
-      ClientSocketPool::GroupId(kEndpoint, PrivacyMode::PRIVACY_MODE_DISABLED,
-                                NetworkIsolationKey(), SecureDnsPolicy::kAllow),
-      socket_params, absl::nullopt /* proxy_annotation_tag */, MEDIUM,
-      SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
-      callback.callback(), ClientSocketPool::ProxyAuthCallback(),
-      tagging_pool_.get(), NetLogWithSource());
+  int rv =
+      handle.Init(ClientSocketPool::GroupId(
+                      kEndpoint, PrivacyMode::PRIVACY_MODE_DISABLED,
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
+                  socket_params, absl::nullopt /* proxy_annotation_tag */,
+                  MEDIUM, SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
+                  callback.callback(), ClientSocketPool::ProxyAuthCallback(),
+                  tagging_pool_.get(), NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   EXPECT_FALSE(handle.is_initialized());
   EXPECT_FALSE(handle.socket());
@@ -1393,7 +1394,7 @@ TEST_F(TransportClientSocketPoolTest, SOCKS) {
     int rv = handle.Init(
         ClientSocketPool::GroupId(
             kDestination, PrivacyMode::PRIVACY_MODE_DISABLED,
-            NetworkIsolationKey(), SecureDnsPolicy::kAllow),
+            NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
         socket_params, TRAFFIC_ANNOTATION_FOR_TESTS, LOW, SocketTag(),
         ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
         ClientSocketPool::ProxyAuthCallback(), &proxy_pool, NetLogWithSource());
@@ -1460,7 +1461,7 @@ TEST_F(TransportClientSocketPoolTest, SpdyOneConnectJobTwoRequestsError) {
           std::make_unique<SSLConfig>() /* ssl_config_for_proxy */);
 
   ClientSocketPool::GroupId group_id(
-      kEndpoint, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      kEndpoint, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
 
   // Start the first connection attempt.
@@ -1565,7 +1566,7 @@ TEST_F(TransportClientSocketPoolTest, SpdyAuthOneConnectJobTwoRequests) {
           std::make_unique<SSLConfig>() /* ssl_config_for_proxy */);
 
   ClientSocketPool::GroupId group_id(
-      kEndpoint, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      kEndpoint, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
 
   // Start the first connection attempt.
@@ -1663,7 +1664,7 @@ TEST_F(TransportClientSocketPoolTest, HttpTunnelSetupRedirect) {
       int rv = handle.Init(
           ClientSocketPool::GroupId(
               kEndpoint, PrivacyMode::PRIVACY_MODE_DISABLED,
-              NetworkIsolationKey(), SecureDnsPolicy::kAllow),
+              NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
           socket_params, TRAFFIC_ANNOTATION_FOR_TESTS, LOW, SocketTag(),
           ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
           ClientSocketPool::ProxyAuthCallback(), &proxy_pool,
@@ -1677,9 +1678,10 @@ TEST_F(TransportClientSocketPoolTest, HttpTunnelSetupRedirect) {
   }
 }
 
-TEST_F(TransportClientSocketPoolTest, NetworkIsolationKey) {
+TEST_F(TransportClientSocketPoolTest, NetworkAnonymizationKey) {
   const SchemefulSite kSite(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey(
+      kSite, kSite, /*is_cross_site=*/false);
   const char kHost[] = "bar.test";
 
   base::test::ScopedFeatureList scoped_feature_list;
@@ -1694,7 +1696,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKey) {
 
   TransportClientSocketPool::GroupId group_id(
       url::SchemeHostPort(url::kHttpScheme, kHost, 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey,
       SecureDnsPolicy::kAllow);
   ClientSocketHandle handle;
   TestCompletionCallback callback;
@@ -1711,13 +1713,14 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKey) {
 
   ASSERT_EQ(1u, session_deps_.host_resolver->last_id());
   EXPECT_EQ(kHost, session_deps_.host_resolver->request_host(1));
-  EXPECT_EQ(kNetworkIsolationKey,
-            session_deps_.host_resolver->request_network_isolation_key(1));
+  EXPECT_EQ(kNetworkAnonymizationKey,
+            session_deps_.host_resolver->request_network_anonymization_key(1));
 }
 
 TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySsl) {
   const SchemefulSite kSite(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey(
+      kSite, kSite, /*is_cross_site=*/false);
   const char kHost[] = "bar.test";
 
   base::test::ScopedFeatureList scoped_feature_list;
@@ -1732,7 +1735,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySsl) {
 
   TransportClientSocketPool::GroupId group_id(
       url::SchemeHostPort(url::kHttpsScheme, kHost, 443),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey,
       SecureDnsPolicy::kAllow);
   auto ssl_config_for_origin = std::make_unique<SSLConfig>();
   ssl_config_for_origin->alpn_protos = {kProtoHTTP2, kProtoHTTP11};
@@ -1751,18 +1754,20 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySsl) {
 
   ASSERT_EQ(1u, session_deps_.host_resolver->last_id());
   EXPECT_EQ(kHost, session_deps_.host_resolver->request_host(1));
-  EXPECT_EQ(kNetworkIsolationKey,
-            session_deps_.host_resolver->request_network_isolation_key(1));
+  EXPECT_EQ(kNetworkAnonymizationKey,
+            session_deps_.host_resolver->request_network_anonymization_key(1));
 }
 
 // Test that, in the case of an HTTP proxy, the same transient
-// NetworkIsolationKey is reused for resolving the proxy's host, regardless of
-// input NIK.
+// NetworkAnonymizationKey is reused for resolving the proxy's host, regardless
+// of input NIK.
 TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpProxy) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(
+      kSite1, kSite1, /*is_cross_site=*/false);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(
+      kSite2, kSite2, /*is_cross_site=*/false);
   const char kHost[] = "bar.test";
   const ProxyServer kProxyServer = ProxyUriToProxyServer(
       "http://proxy.test", ProxyServer::SCHEME_HTTP /* default_scheme */);
@@ -1783,7 +1788,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpProxy) {
 
   TransportClientSocketPool::GroupId group_id1(
       url::SchemeHostPort(url::kHttpScheme, kHost, 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey1,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey1,
       SecureDnsPolicy::kAllow);
   ClientSocketHandle handle1;
   TestCompletionCallback callback1;
@@ -1800,7 +1805,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpProxy) {
 
   TransportClientSocketPool::GroupId group_id2(
       url::SchemeHostPort(url::kHttpScheme, kHost, 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey2,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey2,
       SecureDnsPolicy::kAllow);
   ClientSocketHandle handle2;
   TestCompletionCallback callback2;
@@ -1820,20 +1825,22 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpProxy) {
             session_deps_.host_resolver->request_host(1));
   EXPECT_EQ(kProxyServer.host_port_pair().host(),
             session_deps_.host_resolver->request_host(2));
-  EXPECT_TRUE(session_deps_.host_resolver->request_network_isolation_key(1)
+  EXPECT_TRUE(session_deps_.host_resolver->request_network_anonymization_key(1)
                   .IsTransient());
-  EXPECT_EQ(session_deps_.host_resolver->request_network_isolation_key(1),
-            session_deps_.host_resolver->request_network_isolation_key(2));
+  EXPECT_EQ(session_deps_.host_resolver->request_network_anonymization_key(1),
+            session_deps_.host_resolver->request_network_anonymization_key(2));
 }
 
 // Test that, in the case of an HTTPS proxy, the same transient
-// NetworkIsolationKey is reused for resolving the proxy's host, regardless of
-// input NIK.
+// NetworkAnonymizationKey is reused for resolving the proxy's host, regardless
+// of input NIK.
 TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpsProxy) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(
+      kSite1, kSite1, /*is_cross_site=*/false);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(
+      kSite2, kSite2, /*is_cross_site=*/false);
   const char kHost[] = "bar.test";
   const ProxyServer kProxyServer = ProxyUriToProxyServer(
       "https://proxy.test", ProxyServer::SCHEME_HTTP /* default_scheme */);
@@ -1854,7 +1861,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpsProxy) {
 
   TransportClientSocketPool::GroupId group_id1(
       url::SchemeHostPort(url::kHttpScheme, kHost, 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey1,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey1,
       SecureDnsPolicy::kAllow);
   ClientSocketHandle handle1;
   TestCompletionCallback callback1;
@@ -1871,7 +1878,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpsProxy) {
 
   TransportClientSocketPool::GroupId group_id2(
       url::SchemeHostPort(url::kHttpScheme, kHost, 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey2,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey2,
       SecureDnsPolicy::kAllow);
   ClientSocketHandle handle2;
   TestCompletionCallback callback2;
@@ -1891,21 +1898,23 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpsProxy) {
             session_deps_.host_resolver->request_host(1));
   EXPECT_EQ(kProxyServer.host_port_pair().host(),
             session_deps_.host_resolver->request_host(2));
-  EXPECT_TRUE(session_deps_.host_resolver->request_network_isolation_key(1)
+  EXPECT_TRUE(session_deps_.host_resolver->request_network_anonymization_key(1)
                   .IsTransient());
-  EXPECT_EQ(session_deps_.host_resolver->request_network_isolation_key(1),
-            session_deps_.host_resolver->request_network_isolation_key(2));
+  EXPECT_EQ(session_deps_.host_resolver->request_network_anonymization_key(1),
+            session_deps_.host_resolver->request_network_anonymization_key(2));
 }
 
-// Test that, in the case of a SOCKS5 proxy, the passed in NetworkIsolationKey
-// is used for the destination DNS lookup, and the same transient
-// NetworkIsolationKey is reused for resolving the proxy's host, regardless of
-// input NIK.
+// Test that, in the case of a SOCKS5 proxy, the passed in
+// NetworkAnonymizationKey is used for the destination DNS lookup, and the same
+// transient NetworkAnonymizationKey is reused for resolving the proxy's host,
+// regardless of input NIK.
 TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks4Proxy) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(
+      kSite1, kSite1, /*is_cross_site=*/false);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(
+      kSite2, kSite2, /*is_cross_site=*/false);
   const char kHost[] = "bar.test";
   const ProxyServer kProxyServer = ProxyUriToProxyServer(
       "socks4://proxy.test", ProxyServer::SCHEME_HTTP /* default_scheme */);
@@ -1935,7 +1944,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks4Proxy) {
 
   TransportClientSocketPool::GroupId group_id1(
       url::SchemeHostPort(url::kHttpScheme, kHost, 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey1,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey1,
       SecureDnsPolicy::kAllow);
   ClientSocketHandle handle1;
   TestCompletionCallback callback1;
@@ -1952,7 +1961,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks4Proxy) {
 
   TransportClientSocketPool::GroupId group_id2(
       url::SchemeHostPort(url::kHttpScheme, kHost, 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey2,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey2,
       SecureDnsPolicy::kAllow);
   ClientSocketHandle handle2;
   TestCompletionCallback callback2;
@@ -1974,10 +1983,10 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks4Proxy) {
             session_deps_.host_resolver->request_host(1));
   EXPECT_EQ(kProxyServer.host_port_pair().host(),
             session_deps_.host_resolver->request_host(2));
-  EXPECT_TRUE(session_deps_.host_resolver->request_network_isolation_key(1)
+  EXPECT_TRUE(session_deps_.host_resolver->request_network_anonymization_key(1)
                   .IsTransient());
-  EXPECT_EQ(session_deps_.host_resolver->request_network_isolation_key(1),
-            session_deps_.host_resolver->request_network_isolation_key(2));
+  EXPECT_EQ(session_deps_.host_resolver->request_network_anonymization_key(1),
+            session_deps_.host_resolver->request_network_anonymization_key(2));
 
   // First two lookups completes, starting the next two, which should be for the
   // destination's hostname, and should use the passed in NIKs.
@@ -1985,21 +1994,23 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks4Proxy) {
   session_deps_.host_resolver->ResolveNow(2);
   ASSERT_EQ(4u, session_deps_.host_resolver->last_id());
   EXPECT_EQ(kHost, session_deps_.host_resolver->request_host(3));
-  EXPECT_EQ(kNetworkIsolationKey1,
-            session_deps_.host_resolver->request_network_isolation_key(3));
+  EXPECT_EQ(kNetworkAnonymizationKey1,
+            session_deps_.host_resolver->request_network_anonymization_key(3));
   EXPECT_EQ(kHost, session_deps_.host_resolver->request_host(4));
-  EXPECT_EQ(kNetworkIsolationKey2,
-            session_deps_.host_resolver->request_network_isolation_key(4));
+  EXPECT_EQ(kNetworkAnonymizationKey2,
+            session_deps_.host_resolver->request_network_anonymization_key(4));
 }
 
 // Test that, in the case of a SOCKS5 proxy, the same transient
-// NetworkIsolationKey is reused for resolving the proxy's host, regardless of
-// input NIK.
+// NetworkAnonymizationKey is reused for resolving the proxy's host, regardless
+// of input NIK.
 TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks5Proxy) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(
+      kSite1, kSite1, /*is_cross_site=*/false);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(
+      kSite2, kSite2, /*is_cross_site=*/false);
   const char kHost[] = "bar.test";
   const ProxyServer kProxyServer = ProxyUriToProxyServer(
       "socks5://proxy.test", ProxyServer::SCHEME_HTTP /* default_scheme */);
@@ -2020,7 +2031,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks5Proxy) {
 
   TransportClientSocketPool::GroupId group_id1(
       url::SchemeHostPort(url::kHttpScheme, kHost, 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey1,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey1,
       SecureDnsPolicy::kAllow);
   ClientSocketHandle handle1;
   TestCompletionCallback callback1;
@@ -2037,7 +2048,7 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks5Proxy) {
 
   TransportClientSocketPool::GroupId group_id2(
       url::SchemeHostPort(url::kHttpScheme, kHost, 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey2,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey2,
       SecureDnsPolicy::kAllow);
   ClientSocketHandle handle2;
   TestCompletionCallback callback2;
@@ -2057,10 +2068,10 @@ TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks5Proxy) {
             session_deps_.host_resolver->request_host(1));
   EXPECT_EQ(kProxyServer.host_port_pair().host(),
             session_deps_.host_resolver->request_host(2));
-  EXPECT_TRUE(session_deps_.host_resolver->request_network_isolation_key(1)
+  EXPECT_TRUE(session_deps_.host_resolver->request_network_anonymization_key(1)
                   .IsTransient());
-  EXPECT_EQ(session_deps_.host_resolver->request_network_isolation_key(1),
-            session_deps_.host_resolver->request_network_isolation_key(2));
+  EXPECT_EQ(session_deps_.host_resolver->request_network_anonymization_key(1),
+            session_deps_.host_resolver->request_network_anonymization_key(2));
 }
 
 TEST_F(TransportClientSocketPoolTest, HasActiveSocket) {
@@ -2069,10 +2080,10 @@ TEST_F(TransportClientSocketPoolTest, HasActiveSocket) {
 
   ClientSocketHandle handle;
   ClientSocketPool::GroupId group_id1(
-      kEndpoint1, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      kEndpoint1, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
   ClientSocketPool::GroupId group_id2(
-      kEndpoint2, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      kEndpoint2, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
 
   // HasActiveSocket() must return false before creating a socket.
@@ -2154,7 +2165,7 @@ TEST_F(TransportClientSocketPoolTest, Tag) {
   uint64_t old_traffic = GetTaggedBytes(tag_val1);
   const ClientSocketPool::GroupId kGroupId(
       url::SchemeHostPort(test_server.base_url()),
-      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
   scoped_refptr<ClientSocketPool::SocketParams> params =
       ClientSocketPool::SocketParams::CreateForHttpForTesting();
@@ -2280,8 +2291,8 @@ TEST_F(TransportClientSocketPoolTest, TagSOCKSProxy) {
   SocketTag tag2(getuid(), 0x87654321);
   const url::SchemeHostPort kDestination(url::kHttpScheme, "host", 80);
   const ClientSocketPool::GroupId kGroupId(
-      kDestination, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
-      SecureDnsPolicy::kAllow);
+      kDestination, PrivacyMode::PRIVACY_MODE_DISABLED,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   scoped_refptr<ClientSocketPool::SocketParams> socks_params =
       base::MakeRefCounted<ClientSocketPool::SocketParams>(
           nullptr /* ssl_config_for_origin */,
@@ -2374,7 +2385,7 @@ TEST_F(TransportClientSocketPoolTest, TagSSLDirect) {
   SocketTag tag2(getuid(), tag_val2);
   const ClientSocketPool::GroupId kGroupId(
       url::SchemeHostPort(test_server.base_url()),
-      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
 
   auto ssl_config_for_origin = std::make_unique<SSLConfig>();
@@ -2447,7 +2458,7 @@ TEST_F(TransportClientSocketPoolTest, TagSSLDirectTwoSockets) {
   SocketTag tag2(getuid(), tag_val2);
   const ClientSocketPool::GroupId kGroupId(
       url::SchemeHostPort(test_server.base_url()),
-      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
   auto ssl_config_for_origin = std::make_unique<SSLConfig>();
   ssl_config_for_origin->alpn_protos = {kProtoHTTP2, kProtoHTTP11};
@@ -2513,7 +2524,7 @@ TEST_F(TransportClientSocketPoolTest, TagSSLDirectTwoSocketsFullPool) {
   SocketTag tag2(getuid(), tag_val2);
   const ClientSocketPool::GroupId kGroupId(
       url::SchemeHostPort(test_server.base_url()),
-      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+      PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow);
   auto ssl_config_for_origin = std::make_unique<SSLConfig>();
   ssl_config_for_origin->alpn_protos = {kProtoHTTP2, kProtoHTTP11};
@@ -2595,8 +2606,8 @@ TEST_F(TransportClientSocketPoolTest, TagHttpProxyNoTunnel) {
   const url::SchemeHostPort kDestination(url::kHttpScheme, "www.google.com",
                                          80);
   const ClientSocketPool::GroupId kGroupId(
-      kDestination, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
-      SecureDnsPolicy::kAllow);
+      kDestination, PrivacyMode::PRIVACY_MODE_DISABLED,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   scoped_refptr<ClientSocketPool::SocketParams> socket_params =
       base::MakeRefCounted<ClientSocketPool::SocketParams>(
           nullptr /* ssl_config_for_origin */,
@@ -2668,8 +2679,8 @@ TEST_F(TransportClientSocketPoolTest, TagHttpProxyTunnel) {
   const url::SchemeHostPort kDestination(url::kHttpsScheme, "www.google.com",
                                          443);
   const ClientSocketPool::GroupId kGroupId(
-      kDestination, PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
-      SecureDnsPolicy::kAllow);
+      kDestination, PrivacyMode::PRIVACY_MODE_DISABLED,
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   auto ssl_config_for_origin = std::make_unique<SSLConfig>();
   ssl_config_for_origin->alpn_protos = {kProtoHTTP2, kProtoHTTP11};
@@ -2795,7 +2806,7 @@ TEST_F(TransportClientSocketPoolMockNowSourceTest, IdleUnusedSocketTimeout) {
       int rv = connection.Init(
           ClientSocketPool::GroupId(
               kSchemeHostPort1, PrivacyMode::PRIVACY_MODE_DISABLED,
-              NetworkIsolationKey(), SecureDnsPolicy::kAllow),
+              NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
           ClientSocketPool::SocketParams::CreateForHttpForTesting(),
           absl::nullopt /* proxy_annotation_tag */, MEDIUM, SocketTag(),
           ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
@@ -2843,7 +2854,7 @@ TEST_F(TransportClientSocketPoolMockNowSourceTest, IdleUnusedSocketTimeout) {
       int rv = connection.Init(
           ClientSocketPool::GroupId(
               kSchemeHostPort2, PrivacyMode::PRIVACY_MODE_DISABLED,
-              NetworkIsolationKey(), SecureDnsPolicy::kAllow),
+              NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
           socket_params, absl::nullopt /* proxy_annotation_tag */, MEDIUM,
           SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
           callback.callback(), ClientSocketPool::ProxyAuthCallback(),
diff --git a/chromium/net/socket/transport_client_socket_test_util.cc b/chromium/net/socket/transport_client_socket_test_util.cc
index 9904c1871b8..a93b97ac834 100644
--- a/chromium/net/socket/transport_client_socket_test_util.cc
+++ b/chromium/net/socket/transport_client_socket_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/transport_client_socket_test_util.h b/chromium/net/socket/transport_client_socket_test_util.h
index 5f1ac677c96..97f1a393d25 100644
--- a/chromium/net/socket/transport_client_socket_test_util.h
+++ b/chromium/net/socket/transport_client_socket_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/transport_client_socket_unittest.cc b/chromium/net/socket/transport_client_socket_unittest.cc
index 10ee954f0bf..1a192e2c85d 100644
--- a/chromium/net/socket/transport_client_socket_unittest.cc
+++ b/chromium/net/socket/transport_client_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/transport_connect_job.cc b/chromium/net/socket/transport_connect_job.cc
index 8361b39a1a3..75397d9b868 100644
--- a/chromium/net/socket/transport_connect_job.cc
+++ b/chromium/net/socket/transport_connect_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,26 +9,22 @@
 
 #include "base/bind.h"
 #include "base/check_op.h"
-#include "base/containers/contains.h"
 #include "base/feature_list.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/notreached.h"
-#include "base/stl_util.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/time.h"
 #include "base/trace_event/trace_event.h"
-#include "base/values.h"
 #include "net/base/features.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
 #include "net/base/trace_constants.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/log/net_log_event_type.h"
-#include "net/log/net_log_source.h"
 #include "net/socket/socket_tag.h"
 #include "net/socket/transport_connect_sub_job.h"
 #include "third_party/abseil-cpp/absl/types/variant.h"
@@ -56,12 +52,12 @@ HostPortPair ToLegacyDestinationEndpoint(
 
 TransportSocketParams::TransportSocketParams(
     Endpoint destination,
-    NetworkIsolationKey network_isolation_key,
+    NetworkAnonymizationKey network_anonymization_key,
     SecureDnsPolicy secure_dns_policy,
     OnHostResolutionCallback host_resolution_callback,
     base::flat_set<std::string> supported_alpns)
     : destination_(std::move(destination)),
-      network_isolation_key_(std::move(network_isolation_key)),
+      network_anonymization_key_(std::move(network_anonymization_key)),
       secure_dns_policy_(secure_dns_policy),
       host_resolution_callback_(std::move(host_resolution_callback)),
       supported_alpns_(std::move(supported_alpns)) {
@@ -246,11 +242,11 @@ int TransportConnectJob::DoLoop(int result) {
 }
 
 int TransportConnectJob::DoResolveHost() {
-  connect_timing_.dns_start = base::TimeTicks::Now();
+  connect_timing_.domain_lookup_start = base::TimeTicks::Now();
 
   if (has_dns_override_) {
     DCHECK_EQ(1u, endpoint_results_.size());
-    connect_timing_.dns_end = connect_timing_.dns_start;
+    connect_timing_.domain_lookup_end = connect_timing_.domain_lookup_start;
     next_state_ = STATE_TRANSPORT_CONNECT;
     return OK;
   }
@@ -263,11 +259,11 @@ int TransportConnectJob::DoResolveHost() {
   if (absl::holds_alternative<url::SchemeHostPort>(params_->destination())) {
     request_ = host_resolver()->CreateRequest(
         absl::get<url::SchemeHostPort>(params_->destination()),
-        params_->network_isolation_key(), net_log(), parameters);
+        params_->network_anonymization_key(), net_log(), parameters);
   } else {
     request_ = host_resolver()->CreateRequest(
         absl::get<HostPortPair>(params_->destination()),
-        params_->network_isolation_key(), net_log(), parameters);
+        params_->network_anonymization_key(), net_log(), parameters);
   }
 
   return request_->Start(base::BindOnce(&TransportConnectJob::OnIOComplete,
@@ -277,10 +273,10 @@ int TransportConnectJob::DoResolveHost() {
 int TransportConnectJob::DoResolveHostComplete(int result) {
   TRACE_EVENT0(NetTracingCategory(),
                "TransportConnectJob::DoResolveHostComplete");
-  connect_timing_.dns_end = base::TimeTicks::Now();
+  connect_timing_.domain_lookup_end = base::TimeTicks::Now();
   // Overwrite connection start time, since for connections that do not go
   // through proxies, |connect_start| should not include dns lookup time.
-  connect_timing_.connect_start = connect_timing_.dns_end;
+  connect_timing_.connect_start = connect_timing_.domain_lookup_end;
   resolve_error_info_ = request_->GetResolveErrorInfo();
 
   if (result != OK) {
@@ -297,12 +293,10 @@ int TransportConnectJob::DoResolveHostComplete(int result) {
   // only continue after a PostTask.
   next_state_ = STATE_RESOLVE_HOST_CALLBACK_COMPLETE;
   if (!params_->host_resolution_callback().is_null()) {
-    // TODO(https://crbug.com/1287240): Switch `OnHostResolutionCallbackResult`
-    // to `request_->GetEndpointResults()` and `request_->GetDnsAliasResults()`.
     OnHostResolutionCallbackResult callback_result =
         params_->host_resolution_callback().Run(
             ToLegacyDestinationEndpoint(params_->destination()),
-            *request_->GetAddressResults());
+            *request_->GetEndpointResults(), *request_->GetDnsAliasResults());
     if (callback_result == OnHostResolutionCallbackResult::kMayBeDeletedAsync) {
       base::ThreadTaskRunnerHandle::Get()->PostTask(
           FROM_HERE, base::BindOnce(&TransportConnectJob::OnIOComplete,
@@ -417,11 +411,11 @@ int TransportConnectJob::DoTransportConnectComplete(int result) {
 
   if (result == OK) {
     DCHECK(!connect_timing_.connect_start.is_null());
-    DCHECK(!connect_timing_.dns_start.is_null());
+    DCHECK(!connect_timing_.domain_lookup_start.is_null());
     // `HandleSubJobComplete` should have called `SetSocket`.
     DCHECK(socket());
     base::TimeTicks now = base::TimeTicks::Now();
-    base::TimeDelta total_duration = now - connect_timing_.dns_start;
+    base::TimeDelta total_duration = now - connect_timing_.domain_lookup_start;
     UMA_HISTOGRAM_CUSTOM_TIMES("Net.DNS_Resolution_And_TCP_Connection_Latency2",
                                total_duration, base::Milliseconds(1),
                                base::Minutes(10), 100);
@@ -493,6 +487,7 @@ void TransportConnectJob::OnSubJobComplete(int result,
 
 void TransportConnectJob::StartIPv4JobAsync() {
   DCHECK(ipv4_job_);
+  net_log().AddEvent(NetLogEventType::TRANSPORT_CONNECT_JOB_IPV6_FALLBACK);
   int result = ipv4_job_->Start();
   if (result != ERR_IO_PENDING)
     OnSubJobComplete(result, ipv4_job_.get());
diff --git a/chromium/net/socket/transport_connect_job.h b/chromium/net/socket/transport_connect_job.h
index 029320656a9..46268377af0 100644
--- a/chromium/net/socket/transport_connect_job.h
+++ b/chromium/net/socket/transport_connect_job.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,9 +18,9 @@
 #include "base/timer/timer.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/dns/host_resolver.h"
-#include "net/dns/host_resolver_results.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/resolve_error_info.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/socket/connect_job.h"
@@ -45,13 +45,14 @@ class NET_EXPORT_PRIVATE TransportSocketParams
   using Endpoint = absl::variant<url::SchemeHostPort, HostPortPair>;
 
   // |host_resolution_callback| will be invoked after the the hostname is
-  // resolved. |network_isolation_key| is passed to the HostResolver to prevent
-  // cross-NIK leaks. If |host_resolution_callback| does not return OK, then the
-  // connection will be aborted with that value. |supported_alpns| specifies
-  // ALPN protocols for selecting HTTPS/SVCB records. If empty, addresses from
-  // HTTPS/SVCB records will be ignored and only A/AAAA will be used.
+  // resolved. |network_anonymization_key| is passed to the HostResolver to
+  // prevent cross-NIK leaks. If |host_resolution_callback| does not return OK,
+  // then the connection will be aborted with that value. |supported_alpns|
+  // specifies ALPN protocols for selecting HTTPS/SVCB records. If empty,
+  // addresses from HTTPS/SVCB records will be ignored and only A/AAAA will be
+  // used.
   TransportSocketParams(Endpoint destination,
-                        NetworkIsolationKey network_isolation_key,
+                        NetworkAnonymizationKey network_anonymization_key,
                         SecureDnsPolicy secure_dns_policy,
                         OnHostResolutionCallback host_resolution_callback,
                         base::flat_set<std::string> supported_alpns);
@@ -60,8 +61,8 @@ class NET_EXPORT_PRIVATE TransportSocketParams
   TransportSocketParams& operator=(const TransportSocketParams&) = delete;
 
   const Endpoint& destination() const { return destination_; }
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
   SecureDnsPolicy secure_dns_policy() const { return secure_dns_policy_; }
   const OnHostResolutionCallback& host_resolution_callback() const {
@@ -76,7 +77,7 @@ class NET_EXPORT_PRIVATE TransportSocketParams
   ~TransportSocketParams();
 
   const Endpoint destination_;
-  const NetworkIsolationKey network_isolation_key_;
+  const NetworkAnonymizationKey network_anonymization_key_;
   const SecureDnsPolicy secure_dns_policy_;
   const OnHostResolutionCallback host_resolution_callback_;
   const base::flat_set<std::string> supported_alpns_;
diff --git a/chromium/net/socket/transport_connect_job_unittest.cc b/chromium/net/socket/transport_connect_job_unittest.cc
index 449e3f0aafd..0bdb54f5be7 100644
--- a/chromium/net/socket/transport_connect_job_unittest.cc
+++ b/chromium/net/socket/transport_connect_job_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -70,7 +70,7 @@ class TransportConnectJobTest : public WithTaskEnvironment,
   static scoped_refptr<TransportSocketParams> DefaultParams() {
     return base::MakeRefCounted<TransportSocketParams>(
         url::SchemeHostPort(url::kHttpScheme, kHostName, 80),
-        NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+        NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
         OnHostResolutionCallback(),
         /*supported_alpns=*/base::flat_set<std::string>());
   }
@@ -78,7 +78,7 @@ class TransportConnectJobTest : public WithTaskEnvironment,
   static scoped_refptr<TransportSocketParams> DefaultHttpsParams() {
     return base::MakeRefCounted<TransportSocketParams>(
         url::SchemeHostPort(url::kHttpsScheme, kHostName, 443),
-        NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+        NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
         OnHostResolutionCallback(),
         /*supported_alpns=*/base::flat_set<std::string>{"h2", "http/1.1"});
   }
@@ -248,7 +248,7 @@ TEST_F(TransportConnectJobTest, HandlesHttpsEndpoint) {
       DEFAULT_PRIORITY, SocketTag(), &common_connect_job_params_,
       base::MakeRefCounted<TransportSocketParams>(
           url::SchemeHostPort(url::kHttpsScheme, kHostName, 80),
-          NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+          NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
           OnHostResolutionCallback(),
           /*supported_alpns=*/base::flat_set<std::string>{"h2", "http/1.1"}),
       &test_delegate, nullptr /* net_log */);
@@ -263,7 +263,7 @@ TEST_F(TransportConnectJobTest, HandlesNonStandardEndpoint) {
   TransportConnectJob transport_connect_job(
       DEFAULT_PRIORITY, SocketTag(), &common_connect_job_params_,
       base::MakeRefCounted<TransportSocketParams>(
-          HostPortPair(kHostName, 80), NetworkIsolationKey(),
+          HostPortPair(kHostName, 80), NetworkAnonymizationKey(),
           SecureDnsPolicy::kAllow, OnHostResolutionCallback(),
           /*supported_alpns=*/base::flat_set<std::string>()),
       &test_delegate, nullptr /* net_log */);
@@ -279,7 +279,7 @@ TEST_F(TransportConnectJobTest, SecureDnsPolicy) {
         DEFAULT_PRIORITY, SocketTag(), &common_connect_job_params_,
         base::MakeRefCounted<TransportSocketParams>(
             url::SchemeHostPort(url::kHttpScheme, kHostName, 80),
-            NetworkIsolationKey(), secure_dns_policy,
+            NetworkAnonymizationKey(), secure_dns_policy,
             OnHostResolutionCallback(),
             /*supported_alpns=*/base::flat_set<std::string>{}),
         &test_delegate, nullptr /* net_log */);
diff --git a/chromium/net/socket/transport_connect_sub_job.cc b/chromium/net/socket/transport_connect_sub_job.cc
index 0de0bbae6b6..674a2e691ca 100644
--- a/chromium/net/socket/transport_connect_sub_job.cc
+++ b/chromium/net/socket/transport_connect_sub_job.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -222,6 +222,13 @@ int TransportConnectSubJob::DoEndpointLockComplete() {
           parent_job_->network_quality_estimator(), net_log.net_log(),
           net_log.source());
 
+  net_log.AddEvent(NetLogEventType::TRANSPORT_CONNECT_JOB_CONNECT_ATTEMPT, [&] {
+    base::Value::Dict dict;
+    dict.Set("address", CurrentAddress().ToString());
+    transport_socket_->NetLog().source().AddToEventParameters(dict);
+    return base::Value(std::move(dict));
+  });
+
   // If `websocket_endpoint_lock_manager_` is non-null, this class now owns an
   // endpoint lock. Wrap `socket` in a `WebSocketStreamSocket` to take ownership
   // of the lock and release it when the socket goes out of scope. This must
diff --git a/chromium/net/socket/transport_connect_sub_job.h b/chromium/net/socket/transport_connect_sub_job.h
index 807635a9654..ffe16be470b 100644
--- a/chromium/net/socket/transport_connect_sub_job.h
+++ b/chromium/net/socket/transport_connect_sub_job.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_client_socket.cc b/chromium/net/socket/udp_client_socket.cc
index 9bb4f198bb8..8bb3c315fdb 100644
--- a/chromium/net/socket/udp_client_socket.cc
+++ b/chromium/net/socket/udp_client_socket.cc
@@ -1,9 +1,12 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/socket/udp_client_socket.h"
 
+#include "base/metrics/histogram_macros.h"
+#include "base/task/single_thread_task_runner.h"
+#include "base/threading/thread_task_runner_handle.h"
 #include "build/build_config.h"
 #include "net/base/net_errors.h"
 #include "net/base/network_change_notifier.h"
@@ -11,6 +14,17 @@
 
 namespace net {
 
+namespace {
+
+int LogReadSize(int result) {
+  if (result > 0) {
+    UMA_HISTOGRAM_COUNTS_10M("Net.UDPClientSocketReadSize", result);
+  }
+  return result;
+}
+
+}  // namespace
+
 UDPClientSocket::UDPClientSocket(DatagramSocket::BindType bind_type,
                                  net::NetLog* net_log,
                                  const net::NetLogSource& source,
@@ -75,6 +89,26 @@ int UDPClientSocket::ConnectUsingDefaultNetwork(const IPEndPoint& address) {
   return socket_.Connect(address);
 }
 
+int UDPClientSocket::ConnectAsync(const IPEndPoint& address,
+                                  CompletionOnceCallback callback) {
+  DCHECK(callback);
+  return Connect(address);
+}
+
+int UDPClientSocket::ConnectUsingNetworkAsync(handles::NetworkHandle network,
+                                              const IPEndPoint& address,
+                                              CompletionOnceCallback callback) {
+  DCHECK(callback);
+  return ConnectUsingNetwork(network, address);
+}
+
+int UDPClientSocket::ConnectUsingDefaultNetworkAsync(
+    const IPEndPoint& address,
+    CompletionOnceCallback callback) {
+  DCHECK(callback);
+  return ConnectUsingDefaultNetwork(address);
+}
+
 handles::NetworkHandle UDPClientSocket::GetBoundNetwork() const {
   return network_;
 }
@@ -86,7 +120,8 @@ void UDPClientSocket::ApplySocketTag(const SocketTag& tag) {
 int UDPClientSocket::Read(IOBuffer* buf,
                           int buf_len,
                           CompletionOnceCallback callback) {
-  return socket_.Read(buf, buf_len, std::move(callback));
+  return socket_.Read(buf, buf_len,
+                      base::BindOnce(&LogReadSize).Then(std::move(callback)));
 }
 
 int UDPClientSocket::Write(
@@ -94,6 +129,7 @@ int UDPClientSocket::Write(
     int buf_len,
     CompletionOnceCallback callback,
     const NetworkTrafficAnnotationTag& traffic_annotation) {
+  UMA_HISTOGRAM_COUNTS_10M("Net.UDPClientSocketWriteSize", buf_len);
   return socket_.Write(buf, buf_len, std::move(callback), traffic_annotation);
 }
 
diff --git a/chromium/net/socket/udp_client_socket.h b/chromium/net/socket/udp_client_socket.h
index c55150dc2a2..8b1e6ea3e88 100644
--- a/chromium/net/socket/udp_client_socket.h
+++ b/chromium/net/socket/udp_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -39,6 +39,14 @@ class NET_EXPORT_PRIVATE UDPClientSocket : public DatagramClientSocket {
   int ConnectUsingNetwork(handles::NetworkHandle network,
                           const IPEndPoint& address) override;
   int ConnectUsingDefaultNetwork(const IPEndPoint& address) override;
+  int ConnectAsync(const IPEndPoint& address,
+                   CompletionOnceCallback callback) override;
+  int ConnectUsingNetworkAsync(handles::NetworkHandle network,
+                               const IPEndPoint& address,
+                               CompletionOnceCallback callback) override;
+  int ConnectUsingDefaultNetworkAsync(const IPEndPoint& address,
+                                      CompletionOnceCallback callback) override;
+
   handles::NetworkHandle GetBoundNetwork() const override;
   void ApplySocketTag(const SocketTag& tag) override;
   int Read(IOBuffer* buf,
diff --git a/chromium/net/socket/udp_net_log_parameters.cc b/chromium/net/socket/udp_net_log_parameters.cc
index b58ab71b2ed..7c432ab0811 100644
--- a/chromium/net/socket/udp_net_log_parameters.cc
+++ b/chromium/net/socket/udp_net_log_parameters.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_net_log_parameters.h b/chromium/net/socket/udp_net_log_parameters.h
index 310361e90f3..155986bcbb2 100644
--- a/chromium/net/socket/udp_net_log_parameters.h
+++ b/chromium/net/socket/udp_net_log_parameters.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_server_socket.cc b/chromium/net/socket/udp_server_socket.cc
index e16084b62cc..0e8715d5342 100644
--- a/chromium/net/socket/udp_server_socket.cc
+++ b/chromium/net/socket/udp_server_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_server_socket.h b/chromium/net/socket/udp_server_socket.h
index 1e51ccddd0a..fb7ca9ca5f5 100644
--- a/chromium/net/socket/udp_server_socket.h
+++ b/chromium/net/socket/udp_server_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_socket.h b/chromium/net/socket/udp_socket.h
index 8a308bd6933..add26fa4f7f 100644
--- a/chromium/net/socket/udp_socket.h
+++ b/chromium/net/socket/udp_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_socket_global_limits.cc b/chromium/net/socket/udp_socket_global_limits.cc
index 419d6a07a5c..4039c8d4520 100644
--- a/chromium/net/socket/udp_socket_global_limits.cc
+++ b/chromium/net/socket/udp_socket_global_limits.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_socket_global_limits.h b/chromium/net/socket/udp_socket_global_limits.h
index 2102ad34c62..d28bf565a88 100644
--- a/chromium/net/socket/udp_socket_global_limits.h
+++ b/chromium/net/socket/udp_socket_global_limits.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_socket_perftest.cc b/chromium/net/socket/udp_socket_perftest.cc
index 2a878e3025f..2e3a147adbc 100644
--- a/chromium/net/socket/udp_socket_perftest.cc
+++ b/chromium/net/socket/udp_socket_perftest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_socket_posix.cc b/chromium/net/socket/udp_socket_posix.cc
index 65356fcf974..d924fe6433f 100644
--- a/chromium/net/socket/udp_socket_posix.cc
+++ b/chromium/net/socket/udp_socket_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -33,7 +33,6 @@
 #include "base/posix/eintr_wrapper.h"
 #include "base/rand_util.h"
 #include "base/task/current_thread.h"
-#include "base/task/task_runner_util.h"
 #include "base/task/thread_pool.h"
 #include "base/trace_event/typed_macros.h"
 #include "build/chromeos_buildflags.h"
diff --git a/chromium/net/socket/udp_socket_posix.h b/chromium/net/socket/udp_socket_posix.h
index 770acb3e0e4..8ae4710368c 100644
--- a/chromium/net/socket/udp_socket_posix.h
+++ b/chromium/net/socket/udp_socket_posix.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_socket_unittest.cc b/chromium/net/socket/udp_socket_unittest.cc
index 854b4763d22..a88f25f3ae0 100644
--- a/chromium/net/socket/udp_socket_unittest.cc
+++ b/chromium/net/socket/udp_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -155,7 +155,7 @@ class UDPSocketTest : public PlatformTest, public WithTaskEnvironment {
   // Run unit test for a connection test.
   // |use_nonblocking_io| is used to switch between overlapped and non-blocking
   // IO on Windows. It has no effect in other ports.
-  void ConnectTest(bool use_nonblocking_io);
+  void ConnectTest(bool use_nonblocking_io, bool use_async);
 
  protected:
   static const int kMaxRead = 1024;
@@ -172,7 +172,7 @@ void ReadCompleteCallback(int* result_out,
   std::move(callback).Run();
 }
 
-void UDPSocketTest::ConnectTest(bool use_nonblocking_io) {
+void UDPSocketTest::ConnectTest(bool use_nonblocking_io, bool use_async) {
   std::string simple_message("hello world!");
   RecordingNetLogObserver net_log_observer;
   // Setup the server to listen.
@@ -192,8 +192,19 @@ void UDPSocketTest::ConnectTest(bool use_nonblocking_io) {
   if (use_nonblocking_io)
     client->UseNonBlockingIO();
 
-  EXPECT_THAT(client->Connect(server_address), IsOk());
-
+  if (!use_async) {
+    EXPECT_THAT(client->Connect(server_address), IsOk());
+  } else {
+    TestCompletionCallback callback;
+    int rv = client->ConnectAsync(server_address, callback.callback());
+    if (rv != OK) {
+      ASSERT_EQ(rv, ERR_IO_PENDING);
+      rv = callback.WaitForResult();
+      EXPECT_EQ(rv, OK);
+    } else {
+      EXPECT_EQ(rv, OK);
+    }
+  }
   // Client sends to the server.
   EXPECT_EQ(simple_message.length(),
             static_cast<size_t>(WriteSocket(client.get(), simple_message)));
@@ -280,12 +291,15 @@ void UDPSocketTest::ConnectTest(bool use_nonblocking_io) {
 
 TEST_F(UDPSocketTest, Connect) {
   // The variable |use_nonblocking_io| has no effect in non-Windows ports.
-  ConnectTest(false);
+  // Run ConnectTest once with sync connect and once with async connect
+  ConnectTest(false, false);
+  ConnectTest(false, true);
 }
 
 #if BUILDFLAG(IS_WIN)
 TEST_F(UDPSocketTest, ConnectNonBlocking) {
-  ConnectTest(true);
+  ConnectTest(true, false);
+  ConnectTest(true, true);
 }
 #endif
 
@@ -846,6 +860,64 @@ TEST_F(UDPSocketTest, ConnectUsingNetwork) {
 #endif  // BUILDFLAG(IS_ANDROID)
 }
 
+TEST_F(UDPSocketTest, ConnectUsingNetworkAsync) {
+  // The specific value of this address doesn't really matter, and no
+  // server needs to be running here. The test only needs to call
+  // ConnectUsingNetwork() and won't send any datagrams.
+  const IPEndPoint fake_server_address(IPAddress::IPv4Localhost(), 8080);
+  const handles::NetworkHandle wrong_network_handle = 65536;
+#if BUILDFLAG(IS_ANDROID)
+  NetworkChangeNotifierFactoryAndroid ncn_factory;
+  NetworkChangeNotifier::DisableForTest ncn_disable_for_test;
+  std::unique_ptr<NetworkChangeNotifier> ncn(ncn_factory.CreateInstance());
+  if (!NetworkChangeNotifier::AreNetworkHandlesSupported())
+    GTEST_SKIP() << "Network handles are required to test BindToNetwork.";
+
+  {
+    // Connecting using a not existing network should fail but not report
+    // ERR_NOT_IMPLEMENTED when network handles are supported.
+    UDPClientSocket socket(DatagramSocket::RANDOM_BIND, nullptr,
+                           NetLogSource());
+    TestCompletionCallback callback;
+    int rv = socket.ConnectUsingNetworkAsync(
+        wrong_network_handle, fake_server_address, callback.callback());
+
+    if (rv == ERR_IO_PENDING) {
+      rv = callback.WaitForResult();
+    }
+    EXPECT_NE(ERR_NOT_IMPLEMENTED, rv);
+    EXPECT_NE(OK, rv);
+    EXPECT_NE(NetworkChangeNotifier::GetDefaultNetwork(),
+              socket.GetBoundNetwork());
+  }
+
+  {
+    // Connecting using an existing network should succeed when
+    // NetworkChangeNotifier returns a valid default network.
+    UDPClientSocket socket(DatagramSocket::RANDOM_BIND, nullptr,
+                           NetLogSource());
+    TestCompletionCallback callback;
+    const handles::NetworkHandle network_handle =
+        NetworkChangeNotifier::GetDefaultNetwork();
+    if (network_handle != handles::kInvalidNetworkHandle) {
+      int rv = socket.ConnectUsingNetworkAsync(
+          network_handle, fake_server_address, callback.callback());
+      if (rv == ERR_IO_PENDING) {
+        rv = callback.WaitForResult();
+      }
+      EXPECT_EQ(OK, rv);
+      EXPECT_EQ(network_handle, socket.GetBoundNetwork());
+    }
+  }
+#else
+  UDPClientSocket socket(DatagramSocket::RANDOM_BIND, nullptr, NetLogSource());
+  TestCompletionCallback callback;
+  EXPECT_EQ(ERR_NOT_IMPLEMENTED, socket.ConnectUsingNetworkAsync(
+                                     wrong_network_handle, fake_server_address,
+                                     callback.callback()));
+#endif  // BUILDFLAG(IS_ANDROID)
+}
+
 }  // namespace
 
 #if BUILDFLAG(IS_WIN)
@@ -1418,7 +1490,7 @@ TEST_F(UDPSocketTest, RecordRadioWakeUpTrigger) {
   android::RadioActivityTracker::GetInstance().OverrideRadioTypeForTesting(
       base::android::RadioConnectionType::kCell);
 
-  ConnectTest(/*use_nonblocking_io=*/false);
+  ConnectTest(/*use_nonblocking_io=*/false, false);
 
   // Check the write is recorded as a possible radio wake-up trigger.
   histograms.ExpectTotalCount(
@@ -1438,23 +1510,23 @@ TEST_F(UDPSocketTest, BindToNetwork) {
 
   // Binding the socket to a not existing network should fail at connect time.
   const handles::NetworkHandle wrong_network_handle = 65536;
-  UDPClientSocket socket(DatagramSocket::RANDOM_BIND, nullptr, NetLogSource(),
-                         wrong_network_handle);
+  UDPClientSocket wrong_socket(DatagramSocket::RANDOM_BIND, nullptr,
+                               NetLogSource(), wrong_network_handle);
   // Different Android versions might report different errors. Hence, just check
   // what shouldn't happen.
-  int rv = socket.Connect(fake_server_address);
+  int rv = wrong_socket.Connect(fake_server_address);
   EXPECT_NE(OK, rv);
   EXPECT_NE(ERR_NOT_IMPLEMENTED, rv);
-  EXPECT_NE(wrong_network_handle, socket.GetBoundNetwork());
+  EXPECT_NE(wrong_network_handle, wrong_socket.GetBoundNetwork());
 
   // Binding the socket to an existing network should succeed.
   const handles::NetworkHandle network_handle =
       NetworkChangeNotifier::GetDefaultNetwork();
   if (network_handle != handles::kInvalidNetworkHandle) {
-    UDPClientSocket socket(DatagramSocket::RANDOM_BIND, nullptr, NetLogSource(),
-                           network_handle);
-    EXPECT_EQ(OK, socket.Connect(fake_server_address));
-    EXPECT_EQ(network_handle, socket.GetBoundNetwork());
+    UDPClientSocket correct_socket(DatagramSocket::RANDOM_BIND, nullptr,
+                                   NetLogSource(), network_handle);
+    EXPECT_EQ(OK, correct_socket.Connect(fake_server_address));
+    EXPECT_EQ(network_handle, correct_socket.GetBoundNetwork());
   }
 }
 
diff --git a/chromium/net/socket/udp_socket_win.cc b/chromium/net/socket/udp_socket_win.cc
index df4cf61eda4..f22c1e123d4 100644
--- a/chromium/net/socket/udp_socket_win.cc
+++ b/chromium/net/socket/udp_socket_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/udp_socket_win.h b/chromium/net/socket/udp_socket_win.h
index 99d2982c1d6..b4a897c767e 100644
--- a/chromium/net/socket/udp_socket_win.h
+++ b/chromium/net/socket/udp_socket_win.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/unix_domain_client_socket_posix.cc b/chromium/net/socket/unix_domain_client_socket_posix.cc
index d7ddb53e613..94294567ad7 100644
--- a/chromium/net/socket/unix_domain_client_socket_posix.cc
+++ b/chromium/net/socket/unix_domain_client_socket_posix.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/unix_domain_client_socket_posix.h b/chromium/net/socket/unix_domain_client_socket_posix.h
index 96ff3f8dd30..5f4f63f8842 100644
--- a/chromium/net/socket/unix_domain_client_socket_posix.h
+++ b/chromium/net/socket/unix_domain_client_socket_posix.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/unix_domain_client_socket_posix_unittest.cc b/chromium/net/socket/unix_domain_client_socket_posix_unittest.cc
index 756fa048ed6..61041a30564 100644
--- a/chromium/net/socket/unix_domain_client_socket_posix_unittest.cc
+++ b/chromium/net/socket/unix_domain_client_socket_posix_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/unix_domain_server_socket_posix.cc b/chromium/net/socket/unix_domain_server_socket_posix.cc
index 9e69fa922a8..60f58942f2e 100644
--- a/chromium/net/socket/unix_domain_server_socket_posix.cc
+++ b/chromium/net/socket/unix_domain_server_socket_posix.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/unix_domain_server_socket_posix.h b/chromium/net/socket/unix_domain_server_socket_posix.h
index 6b8cf779aca..e03f4479c46 100644
--- a/chromium/net/socket/unix_domain_server_socket_posix.h
+++ b/chromium/net/socket/unix_domain_server_socket_posix.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/unix_domain_server_socket_posix_unittest.cc b/chromium/net/socket/unix_domain_server_socket_posix_unittest.cc
index 94a35056321..104a1f9570f 100644
--- a/chromium/net/socket/unix_domain_server_socket_posix_unittest.cc
+++ b/chromium/net/socket/unix_domain_server_socket_posix_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/websocket_endpoint_lock_manager.cc b/chromium/net/socket/websocket_endpoint_lock_manager.cc
index 172bf9e96c7..909aa956b0f 100644
--- a/chromium/net/socket/websocket_endpoint_lock_manager.cc
+++ b/chromium/net/socket/websocket_endpoint_lock_manager.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/websocket_endpoint_lock_manager.h b/chromium/net/socket/websocket_endpoint_lock_manager.h
index 1d9719bad0e..9f856e195eb 100644
--- a/chromium/net/socket/websocket_endpoint_lock_manager.h
+++ b/chromium/net/socket/websocket_endpoint_lock_manager.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/websocket_endpoint_lock_manager_unittest.cc b/chromium/net/socket/websocket_endpoint_lock_manager_unittest.cc
index ccfe1a09bd1..42b897fca5d 100644
--- a/chromium/net/socket/websocket_endpoint_lock_manager_unittest.cc
+++ b/chromium/net/socket/websocket_endpoint_lock_manager_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/websocket_transport_client_socket_pool.cc b/chromium/net/socket/websocket_transport_client_socket_pool.cc
index 78ee11d3293..b96221e8f71 100644
--- a/chromium/net/socket/websocket_transport_client_socket_pool.cc
+++ b/chromium/net/socket/websocket_transport_client_socket_pool.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/websocket_transport_client_socket_pool.h b/chromium/net/socket/websocket_transport_client_socket_pool.h
index 64d2cc5c3d5..805ef717692 100644
--- a/chromium/net/socket/websocket_transport_client_socket_pool.h
+++ b/chromium/net/socket/websocket_transport_client_socket_pool.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc b/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc
index 2ec79710e30..355b4b5c162 100644
--- a/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc
+++ b/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -81,7 +81,7 @@ class WebSocketTransportClientSocketPoolTest : public TestWithTaskEnvironment {
   WebSocketTransportClientSocketPoolTest()
       : group_id_(url::SchemeHostPort(url::kHttpScheme, "www.google.com", 80),
                   PrivacyMode::PRIVACY_MODE_DISABLED,
-                  NetworkIsolationKey(),
+                  NetworkAnonymizationKey(),
                   SecureDnsPolicy::kAllow),
         params_(ClientSocketPool::SocketParams::CreateForHttpForTesting()),
         host_resolver_(std::make_unique<
@@ -208,7 +208,7 @@ TEST_F(WebSocketTransportClientSocketPoolTest, InitHostResolutionFailure) {
       ERR_IO_PENDING,
       handle.Init(ClientSocketPool::GroupId(
                       std::move(endpoint), PRIVACY_MODE_DISABLED,
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow),
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
                   ClientSocketPool::SocketParams::CreateForHttpForTesting(),
                   absl::nullopt /* proxy_annotation_tag */, kDefaultPriority,
                   SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
@@ -1240,10 +1240,11 @@ TEST_F(WebSocketTransportClientSocketPoolTest, EndpointLockIsOnlyReleasedOnce) {
             request(2)->handle()->GetLoadState());
 }
 
-// Make sure that WebSocket requests use the correct NetworkIsolationKey.
-TEST_F(WebSocketTransportClientSocketPoolTest, NetworkIsolationKey) {
+// Make sure that WebSocket requests use the correct NetworkAnonymizationKey.
+TEST_F(WebSocketTransportClientSocketPoolTest, NetworkAnonymizationKey) {
   const SchemefulSite kSite(GURL("https://foo.test/"));
-  const NetworkIsolationKey kNetworkIsolationKey(kSite, kSite);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey(
+      kSite, kSite, /*is_cross_site=*/false);
 
   base::test::ScopedFeatureList scoped_feature_list;
   scoped_feature_list.InitWithFeatures(
@@ -1259,7 +1260,7 @@ TEST_F(WebSocketTransportClientSocketPoolTest, NetworkIsolationKey) {
   ClientSocketHandle handle;
   ClientSocketPool::GroupId group_id(
       url::SchemeHostPort(url::kHttpScheme, "www.google.com", 80),
-      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkAnonymizationKey,
       SecureDnsPolicy::kAllow);
   EXPECT_THAT(
       handle.Init(group_id, params_, absl::nullopt /* proxy_annotation_tag */,
@@ -1270,8 +1271,8 @@ TEST_F(WebSocketTransportClientSocketPoolTest, NetworkIsolationKey) {
       IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, host_resolver_->last_id());
-  EXPECT_EQ(kNetworkIsolationKey,
-            host_resolver_->request_network_isolation_key(1));
+  EXPECT_EQ(kNetworkAnonymizationKey,
+            host_resolver_->request_network_anonymization_key(1));
 }
 
 TEST_F(WebSocketTransportClientSocketPoolTest,
@@ -1289,7 +1290,7 @@ TEST_F(WebSocketTransportClientSocketPoolTest,
   TestConnectJobDelegate test_delegate;
   scoped_refptr<TransportSocketParams> params =
       base::MakeRefCounted<TransportSocketParams>(
-          HostPortPair(kHostName, 80), NetworkIsolationKey(),
+          HostPortPair(kHostName, 80), NetworkAnonymizationKey(),
           SecureDnsPolicy::kAllow, OnHostResolutionCallback(),
           /*supported_alpns=*/base::flat_set<std::string>());
 
@@ -1322,7 +1323,7 @@ TEST_F(WebSocketTransportClientSocketPoolTest,
   TestConnectJobDelegate test_delegate;
   scoped_refptr<TransportSocketParams> params =
       base::MakeRefCounted<TransportSocketParams>(
-          HostPortPair(kHostName, 80), NetworkIsolationKey(),
+          HostPortPair(kHostName, 80), NetworkAnonymizationKey(),
           SecureDnsPolicy::kAllow, OnHostResolutionCallback(),
           /*supported_alpns=*/base::flat_set<std::string>());
 
@@ -1347,11 +1348,11 @@ TEST_F(WebSocketTransportClientSocketPoolTest, LoadState) {
       MockTransportClientSocketFactory::Type::kDelayedFailing);
 
   auto params_v6_only = base::MakeRefCounted<TransportSocketParams>(
-      HostPortPair("v6-only.test", 80), NetworkIsolationKey(),
+      HostPortPair("v6-only.test", 80), NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow, OnHostResolutionCallback(),
       /*supported_alpns=*/base::flat_set<std::string>());
   auto params_v6_and_v4 = base::MakeRefCounted<TransportSocketParams>(
-      HostPortPair("v6-and-v4.test", 80), NetworkIsolationKey(),
+      HostPortPair("v6-and-v4.test", 80), NetworkAnonymizationKey(),
       SecureDnsPolicy::kAllow, OnHostResolutionCallback(),
       /*supported_alpns=*/base::flat_set<std::string>());
 
diff --git a/chromium/net/spdy/OWNERS b/chromium/net/spdy/OWNERS
index 3499310aff1..6afd7be6085 100644
--- a/chromium/net/spdy/OWNERS
+++ b/chromium/net/spdy/OWNERS
@@ -1,4 +1,2 @@
-birenroy@chromium.org
 bnc@chromium.org
-diannahu@chromium.org
 rch@chromium.org
diff --git a/chromium/net/spdy/alps_decoder.cc b/chromium/net/spdy/alps_decoder.cc
index 69c8b710387..908d42fc535 100644
--- a/chromium/net/spdy/alps_decoder.cc
+++ b/chromium/net/spdy/alps_decoder.cc
@@ -1,9 +1,13 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/spdy/alps_decoder.h"
 
+#include "base/feature_list.h"
+#include "base/metrics/histogram_functions.h"
+#include "net/base/features.h"
+
 namespace net {
 namespace {
 
@@ -101,23 +105,34 @@ bool AlpsDecoder::AcceptChParser::OnFrameHeader(spdy::SpdyStreamId stream_id,
                                                 size_t length,
                                                 uint8_t type,
                                                 uint8_t flags) {
-  if (type != static_cast<uint8_t>(spdy::SpdyFrameType::ACCEPT_CH) ||
-      error_ != Error::kNoError) {
-    // Ignore every frame except for ACCEPT_CH.
-    // Ignore data after an error has occurred.
-    // Returning false causes Http2DecoderAdapter not to call OnFramePayload().
-    return false;
-  }
-  if (stream_id != 0) {
-    error_ = Error::kAcceptChInvalidStream;
+  // Ignore data after an error has occurred.
+  if (error_ != Error::kNoError)
     return false;
-  }
-  if (flags != 0) {
-    error_ = Error::kAcceptChWithFlags;
+  // Stop all alps parsing if it's disabled.
+  if (!base::FeatureList::IsEnabled(features::kAlpsParsing))
     return false;
+  // Handle per-type parsing.
+  switch (type) {
+    case static_cast<uint8_t>(spdy::SpdyFrameType::ACCEPT_CH): {
+      // Stop alps client hint parsing if it's disabled.
+      if (!base::FeatureList::IsEnabled(features::kAlpsClientHintParsing))
+        return false;
+      // Check for issues with the frame.
+      if (stream_id != 0) {
+        error_ = Error::kAcceptChInvalidStream;
+        return false;
+      }
+      if (flags != 0) {
+        error_ = Error::kAcceptChWithFlags;
+        return false;
+      }
+      // This frame can be parsed in OnFramePayload.
+      return true;
+    }
+    default:
+      // Ignore all other types.
+      return false;
   }
-
-  return true;
 }
 
 void AlpsDecoder::AcceptChParser::OnFramePayload(const char* data, size_t len) {
@@ -130,8 +145,18 @@ void AlpsDecoder::AcceptChParser::OnFramePayload(const char* data, size_t len) {
     base::StringPiece value;
     if (!ReadUint16PrefixedStringPiece(&payload, &origin) ||
         !ReadUint16PrefixedStringPiece(&payload, &value)) {
-      error_ = Error::kAcceptChMalformed;
-      return;
+      if (base::FeatureList::IsEnabled(
+              features::kShouldKillSessionOnAcceptChMalformed)) {
+        // This causes a session termination.
+        error_ = Error::kAcceptChMalformed;
+        return;
+      } else {
+        // This logs that a session termination was bypassed.
+        base::UmaHistogramEnumeration(
+            "Net.SpdySession.AlpsDecoderStatus.Bypassed",
+            Error::kAcceptChMalformed);
+        return;
+      }
     }
     accept_ch_.push_back(
         spdy::AcceptChOriginValuePair{std::string(origin), std::string(value)});
diff --git a/chromium/net/spdy/alps_decoder.h b/chromium/net/spdy/alps_decoder.h
index cced44695bf..67bb7d84fd9 100644
--- a/chromium/net/spdy/alps_decoder.h
+++ b/chromium/net/spdy/alps_decoder.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/alps_decoder_test.cc b/chromium/net/spdy/alps_decoder_test.cc
index 80c98c3a424..5b9edce7098 100644
--- a/chromium/net/spdy/alps_decoder_test.cc
+++ b/chromium/net/spdy/alps_decoder_test.cc
@@ -1,9 +1,12 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/spdy/alps_decoder.h"
 
+#include "base/test/metrics/histogram_tester.h"
+#include "base/test/scoped_feature_list.h"
+#include "net/base/features.h"
 #include "net/base/hex_utils.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -123,6 +126,58 @@ TEST(AlpsDecoderTest, ParseLargeAcceptChFrame) {
                                                   accept_ch_tokens}));
 }
 
+TEST(AlpsDecoderTest, DisableAlpsParsing) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(features::kAlpsParsing);
+  AlpsDecoder decoder;
+  AlpsDecoder::Error error = decoder.Decode(HexDecode(
+      // ACCEPT_CH frame
+      "00003d"                    // length
+      "89"                        // type ACCEPT_CH
+      "00"                        // flags
+      "00000000"                  // stream ID
+      "0017"                      // origin length
+      "68747470733a2f2f7777772e"  //
+      "6578616d706c652e636f6d"    // origin "https://www.example.com"
+      "0003"                      // value length
+      "666f6f"                    // value "foo"
+      "0018"                      // origin length
+      "68747470733a2f2f6d61696c"  //
+      "2e6578616d706c652e636f6d"  // origin "https://mail.example.com"
+      "0003"                      // value length
+      "626172"                    // value "bar"
+      ));
+
+  EXPECT_EQ(AlpsDecoder::Error::kNoError, error);
+  EXPECT_THAT(decoder.GetAcceptCh(), IsEmpty());
+}
+
+TEST(AlpsDecoderTest, DisableAlpsClientHintParsing) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(features::kAlpsClientHintParsing);
+  AlpsDecoder decoder;
+  AlpsDecoder::Error error = decoder.Decode(HexDecode(
+      // ACCEPT_CH frame
+      "00003d"                    // length
+      "89"                        // type ACCEPT_CH
+      "00"                        // flags
+      "00000000"                  // stream ID
+      "0017"                      // origin length
+      "68747470733a2f2f7777772e"  //
+      "6578616d706c652e636f6d"    // origin "https://www.example.com"
+      "0003"                      // value length
+      "666f6f"                    // value "foo"
+      "0018"                      // origin length
+      "68747470733a2f2f6d61696c"  //
+      "2e6578616d706c652e636f6d"  // origin "https://mail.example.com"
+      "0003"                      // value length
+      "626172"                    // value "bar"
+      ));
+
+  EXPECT_EQ(AlpsDecoder::Error::kNoError, error);
+  EXPECT_THAT(decoder.GetAcceptCh(), IsEmpty());
+}
+
 TEST(AlpsDecoderTest, IncompleteFrame) {
   AlpsDecoder decoder;
   AlpsDecoder::Error error =
@@ -262,7 +317,23 @@ TEST(AlpsDecoderTest, UnknownFrame) {
   EXPECT_EQ(0, decoder.settings_frame_count());
 }
 
-TEST(AlpsDecoderTest, MalformedAcceptChFrame) {
+class AlpsDecoderTestWithFeature : public ::testing::TestWithParam<bool> {
+ public:
+  bool ShouldKillSessionOnAcceptChMalformed() { return GetParam(); }
+
+ private:
+  void SetUp() override {
+    feature_list_.InitWithFeatureState(
+        features::kShouldKillSessionOnAcceptChMalformed,
+        ShouldKillSessionOnAcceptChMalformed());
+  }
+
+  base::test::ScopedFeatureList feature_list_;
+};
+
+INSTANTIATE_TEST_SUITE_P(All, AlpsDecoderTestWithFeature, testing::Bool());
+
+TEST_P(AlpsDecoderTestWithFeature, MalformedAcceptChFrame) {
   // Correct, complete payload.
   std::string payload = HexDecode(
       "0017"  // origin length
@@ -273,6 +344,7 @@ TEST(AlpsDecoderTest, MalformedAcceptChFrame) {
 
   for (uint8_t payload_length = 1; payload_length < payload.length();
        payload_length++) {
+    base::HistogramTester histogram_tester;
     // First two bytes of length.
     std::string frame = HexDecode("0000");
     // Last byte of length.
@@ -287,8 +359,16 @@ TEST(AlpsDecoderTest, MalformedAcceptChFrame) {
 
     AlpsDecoder decoder;
     AlpsDecoder::Error error = decoder.Decode(frame);
-
-    EXPECT_EQ(AlpsDecoder::Error::kAcceptChMalformed, error);
+    if (ShouldKillSessionOnAcceptChMalformed()) {
+      EXPECT_EQ(AlpsDecoder::Error::kAcceptChMalformed, error);
+      histogram_tester.ExpectTotalCount(
+          "Net.SpdySession.AlpsDecoderStatus.Bypassed", 0);
+    } else {
+      EXPECT_EQ(AlpsDecoder::Error::kNoError, error);
+      histogram_tester.ExpectUniqueSample(
+          "Net.SpdySession.AlpsDecoderStatus.Bypassed",
+          static_cast<int>(AlpsDecoder::Error::kAcceptChMalformed), 1);
+    }
   }
 }
 
diff --git a/chromium/net/spdy/bidirectional_stream_spdy_impl.cc b/chromium/net/spdy/bidirectional_stream_spdy_impl.cc
index c95eede92cc..f4d163e5fb4 100644
--- a/chromium/net/spdy/bidirectional_stream_spdy_impl.cc
+++ b/chromium/net/spdy/bidirectional_stream_spdy_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/bidirectional_stream_spdy_impl.h b/chromium/net/spdy/bidirectional_stream_spdy_impl.h
index f99fb1842ac..d01be08c601 100644
--- a/chromium/net/spdy/bidirectional_stream_spdy_impl.h
+++ b/chromium/net/spdy/bidirectional_stream_spdy_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc b/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc
index eb6c34001ab..ca6eb43db9e 100644
--- a/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc
+++ b/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -242,7 +242,7 @@ class BidirectionalStreamSpdyImplTest : public testing::TestWithParam<bool>,
              PRIVACY_MODE_DISABLED,
              SpdySessionKey::IsProxySession::kFalse,
              SocketTag(),
-             NetworkIsolationKey(),
+             NetworkAnonymizationKey(),
              SecureDnsPolicy::kAllow),
         ssl_data_(SSLSocketDataProvider(ASYNC, OK)) {
     ssl_data_.next_proto = kProtoHTTP2;
diff --git a/chromium/net/spdy/buffered_spdy_framer.cc b/chromium/net/spdy/buffered_spdy_framer.cc
index 27b94efd0e9..be021a4ba7c 100644
--- a/chromium/net/spdy/buffered_spdy_framer.cc
+++ b/chromium/net/spdy/buffered_spdy_framer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/buffered_spdy_framer.h b/chromium/net/spdy/buffered_spdy_framer.h
index 52469fac537..ecb5bd1fdc0 100644
--- a/chromium/net/spdy/buffered_spdy_framer.h
+++ b/chromium/net/spdy/buffered_spdy_framer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/buffered_spdy_framer_unittest.cc b/chromium/net/spdy/buffered_spdy_framer_unittest.cc
index 55615f4aa06..c4aaca7f4c6 100644
--- a/chromium/net/spdy/buffered_spdy_framer_unittest.cc
+++ b/chromium/net/spdy/buffered_spdy_framer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/header_coalescer.cc b/chromium/net/spdy/header_coalescer.cc
index e76c3e4b2aa..0244993e70d 100644
--- a/chromium/net/spdy/header_coalescer.cc
+++ b/chromium/net/spdy/header_coalescer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,6 +8,7 @@
 #include <string>
 #include <utility>
 
+#include "base/ranges/algorithm.h"
 #include "base/strings/abseil_string_conversions.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
@@ -39,7 +40,7 @@ void NetLogInvalidHeader(const NetLogWithSource& net_log,
 }
 
 bool ContainsUppercaseAscii(base::StringPiece str) {
-  return std::any_of(str.begin(), str.end(), base::IsAsciiUpper<char>);
+  return base::ranges::any_of(str, base::IsAsciiUpper<char>);
 }
 
 }  // namespace
diff --git a/chromium/net/spdy/header_coalescer.h b/chromium/net/spdy/header_coalescer.h
index a6334e45c6d..7965906a3bf 100644
--- a/chromium/net/spdy/header_coalescer.h
+++ b/chromium/net/spdy/header_coalescer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/header_coalescer_test.cc b/chromium/net/spdy/header_coalescer_test.cc
index 129e98b44af..94ca09d4022 100644
--- a/chromium/net/spdy/header_coalescer_test.cc
+++ b/chromium/net/spdy/header_coalescer_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/http2_priority_dependencies.cc b/chromium/net/spdy/http2_priority_dependencies.cc
index 40d3da04a22..60a919f30a2 100644
--- a/chromium/net/spdy/http2_priority_dependencies.cc
+++ b/chromium/net/spdy/http2_priority_dependencies.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/http2_priority_dependencies.h b/chromium/net/spdy/http2_priority_dependencies.h
index a6d7cb7c63c..a7322531d37 100644
--- a/chromium/net/spdy/http2_priority_dependencies.h
+++ b/chromium/net/spdy/http2_priority_dependencies.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/http2_priority_dependencies_unittest.cc b/chromium/net/spdy/http2_priority_dependencies_unittest.cc
index 5f511a7f6af..a1fa4f705da 100644
--- a/chromium/net/spdy/http2_priority_dependencies_unittest.cc
+++ b/chromium/net/spdy/http2_priority_dependencies_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/http2_push_promise_index.cc b/chromium/net/spdy/http2_push_promise_index.cc
index af6dac3938c..e3e2e92c512 100644
--- a/chromium/net/spdy/http2_push_promise_index.cc
+++ b/chromium/net/spdy/http2_push_promise_index.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/http2_push_promise_index.h b/chromium/net/spdy/http2_push_promise_index.h
index 1b92274622f..70b3fee2ed5 100644
--- a/chromium/net/spdy/http2_push_promise_index.h
+++ b/chromium/net/spdy/http2_push_promise_index.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/http2_push_promise_index_test.cc b/chromium/net/spdy/http2_push_promise_index_test.cc
index 7525584b20a..2e4291159ac 100644
--- a/chromium/net/spdy/http2_push_promise_index_test.cc
+++ b/chromium/net/spdy/http2_push_promise_index_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -62,14 +62,14 @@ class Http2PushPromiseIndexTest : public testing::Test {
               PRIVACY_MODE_ENABLED,
               SpdySessionKey::IsProxySession::kFalse,
               SocketTag(),
-              NetworkIsolationKey(),
+              NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow),
         key2_(HostPortPair::FromURL(url2_),
               ProxyServer::Direct(),
               PRIVACY_MODE_ENABLED,
               SpdySessionKey::IsProxySession::kFalse,
               SocketTag(),
-              NetworkIsolationKey(),
+              NetworkAnonymizationKey(),
               SecureDnsPolicy::kAllow) {}
 
   const GURL url1_;
diff --git a/chromium/net/spdy/multiplexed_http_stream.cc b/chromium/net/spdy/multiplexed_http_stream.cc
index 9a48e45bc81..34a5bd1aaae 100644
--- a/chromium/net/spdy/multiplexed_http_stream.cc
+++ b/chromium/net/spdy/multiplexed_http_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/multiplexed_http_stream.h b/chromium/net/spdy/multiplexed_http_stream.h
index 5e0700501a0..e2a99f70ca8 100644
--- a/chromium/net/spdy/multiplexed_http_stream.h
+++ b/chromium/net/spdy/multiplexed_http_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/multiplexed_session.cc b/chromium/net/spdy/multiplexed_session.cc
index f51ccde2952..45919978ffc 100644
--- a/chromium/net/spdy/multiplexed_session.cc
+++ b/chromium/net/spdy/multiplexed_session.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/multiplexed_session.h b/chromium/net/spdy/multiplexed_session.h
index 86de0ced627..4993ee51ea8 100644
--- a/chromium/net/spdy/multiplexed_session.h
+++ b/chromium/net/spdy/multiplexed_session.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/server_push_delegate.h b/chromium/net/spdy/server_push_delegate.h
index 16341091374..4631fddb39f 100644
--- a/chromium/net/spdy/server_push_delegate.h
+++ b/chromium/net/spdy/server_push_delegate.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -28,8 +28,8 @@ class NET_EXPORT_PRIVATE ServerPushDelegate {
     // Gets the URL of the pushed request.
     virtual const GURL& GetURL() const = 0;
 
-    // Gets the network isolation key for the pushed request.
-    virtual NetworkIsolationKey GetNetworkIsolationKey() const = 0;
+    // Gets the network anonymization key for the pushed request.
+    virtual NetworkAnonymizationKey GetNetworkAnonymizationKey() const = 0;
   };
 
   virtual ~ServerPushDelegate() = default;
diff --git a/chromium/net/spdy/spdy_buffer.cc b/chromium/net/spdy/spdy_buffer.cc
index 319a8bca260..110c95a3ca3 100644
--- a/chromium/net/spdy/spdy_buffer.cc
+++ b/chromium/net/spdy/spdy_buffer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_buffer.h b/chromium/net/spdy/spdy_buffer.h
index 4b8337c41f5..85d77be4502 100644
--- a/chromium/net/spdy/spdy_buffer.h
+++ b/chromium/net/spdy/spdy_buffer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_buffer_producer.cc b/chromium/net/spdy/spdy_buffer_producer.cc
index 87cabc9ba0a..4b31f9aeab2 100644
--- a/chromium/net/spdy/spdy_buffer_producer.cc
+++ b/chromium/net/spdy/spdy_buffer_producer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_buffer_producer.h b/chromium/net/spdy/spdy_buffer_producer.h
index 9710081b84f..77f0a849a3f 100644
--- a/chromium/net/spdy/spdy_buffer_producer.h
+++ b/chromium/net/spdy/spdy_buffer_producer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_buffer_unittest.cc b/chromium/net/spdy/spdy_buffer_unittest.cc
index 5605d8e7acd..7f0e00c5b2f 100644
--- a/chromium/net/spdy/spdy_buffer_unittest.cc
+++ b/chromium/net/spdy/spdy_buffer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_http_stream.cc b/chromium/net/spdy/spdy_http_stream.cc
index a58e9666035..96adc6f2174 100644
--- a/chromium/net/spdy/spdy_http_stream.cc
+++ b/chromium/net/spdy/spdy_http_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_http_stream.h b/chromium/net/spdy/spdy_http_stream.h
index 761271b1186..9c3ef165e56 100644
--- a/chromium/net/spdy/spdy_http_stream.h
+++ b/chromium/net/spdy/spdy_http_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_http_stream_unittest.cc b/chromium/net/spdy/spdy_http_stream_unittest.cc
index 46f61ac2820..1fc54895129 100644
--- a/chromium/net/spdy/spdy_http_stream_unittest.cc
+++ b/chromium/net/spdy/spdy_http_stream_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -134,7 +134,7 @@ class SpdyHttpStreamTest : public TestWithTaskEnvironment {
              PRIVACY_MODE_DISABLED,
              SpdySessionKey::IsProxySession::kFalse,
              SocketTag(),
-             NetworkIsolationKey(),
+             NetworkAnonymizationKey(),
              SecureDnsPolicy::kAllow),
         ssl_(SYNCHRONOUS, OK) {
     session_deps_.net_log = NetLog::Get();
diff --git a/chromium/net/spdy/spdy_http_utils.cc b/chromium/net/spdy/spdy_http_utils.cc
index 147d9fc85c4..59f05037861 100644
--- a/chromium/net/spdy/spdy_http_utils.cc
+++ b/chromium/net/spdy/spdy_http_utils.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_http_utils.h b/chromium/net/spdy/spdy_http_utils.h
index 2a3a4b66994..41de046b350 100644
--- a/chromium/net/spdy/spdy_http_utils.h
+++ b/chromium/net/spdy/spdy_http_utils.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_http_utils_unittest.cc b/chromium/net/spdy/spdy_http_utils_unittest.cc
index 53558b8b6d1..0a1b875e4f6 100644
--- a/chromium/net/spdy/spdy_http_utils_unittest.cc
+++ b/chromium/net/spdy/spdy_http_utils_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_log_util.cc b/chromium/net/spdy/spdy_log_util.cc
index 2ca19f30d2e..313aac6e6b6 100644
--- a/chromium/net/spdy/spdy_log_util.cc
+++ b/chromium/net/spdy/spdy_log_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_log_util.h b/chromium/net/spdy/spdy_log_util.h
index 2fd7d480d44..d9c650b793c 100644
--- a/chromium/net/spdy/spdy_log_util.h
+++ b/chromium/net/spdy/spdy_log_util.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_log_util_unittest.cc b/chromium/net/spdy/spdy_log_util_unittest.cc
index 4186734bcd3..9db4636e2d9 100644
--- a/chromium/net/spdy/spdy_log_util_unittest.cc
+++ b/chromium/net/spdy/spdy_log_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_network_transaction_unittest.cc b/chromium/net/spdy/spdy_network_transaction_unittest.cc
index 78deefbad8c..6eedb15f4b7 100644
--- a/chromium/net/spdy/spdy_network_transaction_unittest.cc
+++ b/chromium/net/spdy/spdy_network_transaction_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -25,7 +25,7 @@
 #include "net/base/elements_upload_data_stream.h"
 #include "net/base/features.h"
 #include "net/base/ip_endpoint.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/proxy_delegate.h"
 #include "net/base/proxy_server.h"
 #include "net/base/proxy_string_util.h"
@@ -427,7 +427,8 @@ class SpdyNetworkTransactionTest : public TestWithTaskEnvironment {
     SpdySessionKey key(HostPortPair::FromURL(request_.url),
                        ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                        SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                       request_.network_isolation_key, SecureDnsPolicy::kAllow);
+                       request_.network_anonymization_key,
+                       SecureDnsPolicy::kAllow);
     HttpNetworkSession* session = helper.session();
     base::WeakPtr<SpdySession> spdy_session =
         session->spdy_session_pool()->FindAvailableSession(
@@ -781,7 +782,7 @@ TEST_F(SpdyNetworkTransactionTest, RequestsOrderedByPriority) {
   SpdySessionKey key(HostPortPair("www.example.org", 443),
                      ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   auto spdy_session = CreateSpdySession(helper.session(), key, log_);
   EXPECT_TRUE(spdy_session);
 
@@ -3655,7 +3656,7 @@ TEST_F(SpdyNetworkTransactionTest, ServerCancelsPush) {
   SpdySessionKey key(host_port_pair_, ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session =
       spdy_session_pool->FindAvailableSession(
           key, /* enable_ip_based_pooling = */ true,
@@ -3773,7 +3774,7 @@ TEST_F(SpdyNetworkTransactionTest, ServerCancelsCrossOriginPush) {
   SpdySessionKey key1(HostPortPair::FromURL(GURL(kUrl1)), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session1 =
       spdy_session_pool->FindAvailableSession(
           key1, /* enable_ip_based_pooling = */ true,
@@ -3786,7 +3787,7 @@ TEST_F(SpdyNetworkTransactionTest, ServerCancelsCrossOriginPush) {
   SpdySessionKey key2(HostPortPair::FromURL(GURL(kUrl2)), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_FALSE(spdy_session_pool->FindAvailableSession(
       key2, /* enable_ip_based_pooling = */ true,
       /* is_websocket = */ false, log_));
@@ -3873,7 +3874,7 @@ TEST_F(SpdyNetworkTransactionTest, NoConnectionPoolingOverTunnel) {
                       PacResultElementToProxyServer(kPacString),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session1 =
       helper.session()->spdy_session_pool()->FindAvailableSession(
           key1, true /* enable_ip_based_pooling */, false /* is_websocket */,
@@ -3935,7 +3936,7 @@ TEST_F(SpdyNetworkTransactionTest, NoConnectionPoolingOverTunnel) {
                       PacResultElementToProxyServer(kPacString),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session2 =
       helper.session()->spdy_session_pool()->FindAvailableSession(
           key2, true /* enable_ip_based_pooling */, false /* is_websocket */,
@@ -3978,7 +3979,7 @@ TEST_F(SpdyNetworkTransactionTest, ConnectionPoolingSessionClosedBeforeUse) {
   SpdySessionKey key1(HostPortPair("www.example.org", 443),
                       ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_TRUE(helper.session()->spdy_session_pool()->FindAvailableSession(
       key1, true /* enable_ip_based_pooling */, false /* is_websocket */,
       NetLogWithSource()));
@@ -4025,7 +4026,7 @@ TEST_F(SpdyNetworkTransactionTest, ConnectionPoolingSessionClosedBeforeUse) {
   SpdySessionKey key2(HostPortPair("example.test", 443), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session1 =
       helper.session()->spdy_session_pool()->FindAvailableSession(
           key2, true /* enable_ip_based_pooling */, false /* is_websocket */,
@@ -4134,7 +4135,7 @@ TEST_F(SpdyNetworkTransactionTest, ConnectionPoolingMultipleSocketTags) {
   SpdySessionKey key1(HostPortPair("www.example.org", 443),
                       ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_TRUE(helper.session()->spdy_session_pool()->FindAvailableSession(
       key1, true /* enable_ip_based_pooling */, false /* is_websocket */,
       NetLogWithSource()));
@@ -4181,7 +4182,7 @@ TEST_F(SpdyNetworkTransactionTest, ConnectionPoolingMultipleSocketTags) {
   SpdySessionKey key2(HostPortPair("example.test", 443), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, kSocketTag2,
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   // Complete the third requests's DNS lookup now, which should hijack the
   // SpdySession from the second request.
@@ -4189,7 +4190,7 @@ TEST_F(SpdyNetworkTransactionTest, ConnectionPoolingMultipleSocketTags) {
   SpdySessionKey key3(HostPortPair("example.test", 443), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, kSocketTag3,
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   // Wait for the second request to get headers.  It should create a new H2
   // session to do so.
@@ -4278,7 +4279,7 @@ TEST_F(SpdyNetworkTransactionTest, SocketTagChangeSessionTagWithDnsAliases) {
   SpdySessionKey key1(HostPortPair(url.host(), 443), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, socket_tag_1,
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_TRUE(helper.session()->spdy_session_pool()->FindAvailableSession(
       key1, true /* enable_ip_based_pooling */, false /* is_websocket */,
       NetLogWithSource()));
@@ -4300,7 +4301,7 @@ TEST_F(SpdyNetworkTransactionTest, SocketTagChangeSessionTagWithDnsAliases) {
   SpdySessionKey key2(HostPortPair(url.host(), 443), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, socket_tag_2,
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   auto trans2 = std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY,
                                                          helper.session());
   TestCompletionCallback callback2;
@@ -4421,7 +4422,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key1(HostPortPair(url1.host(), 443), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, socket_tag_1,
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_TRUE(helper.session()->spdy_session_pool()->FindAvailableSession(
       key1, true /* enable_ip_based_pooling */, false /* is_websocket */,
       NetLogWithSource()));
@@ -4439,7 +4440,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key2(HostPortPair(url2.host(), 443), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, socket_tag_1,
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   auto trans2 = std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY,
                                                          helper.session());
   TestCompletionCallback callback2;
@@ -4484,7 +4485,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key3(HostPortPair(url2.host(), 443), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, socket_tag_2,
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   auto trans3 = std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY,
                                                          helper.session());
   TestCompletionCallback callback3;
@@ -4532,7 +4533,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key4(HostPortPair(url1.host(), 443), ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, socket_tag_2,
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   auto trans4 = std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY,
                                                          helper.session());
   TestCompletionCallback callback4;
@@ -5457,7 +5458,7 @@ TEST_F(SpdyNetworkTransactionTest, GracefulGoaway) {
   SpdySessionKey key(host_port_pair_, ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_TRUE(
       spdy_session_pool->HasAvailableSession(key, /* is_websocket = */ false));
   base::WeakPtr<SpdySession> spdy_session =
@@ -5606,14 +5607,14 @@ TEST_F(SpdyNetworkTransactionTest, HTTP11RequiredRetry) {
   HttpServerProperties* http_server_properties =
       helper.session()->spdy_session_pool()->http_server_properties();
   EXPECT_FALSE(http_server_properties->RequiresHTTP11(
-      url::SchemeHostPort(request_.url), NetworkIsolationKey()));
+      url::SchemeHostPort(request_.url), NetworkAnonymizationKey()));
 
   helper.RunPreTestSetup();
   helper.StartDefaultTest();
   helper.FinishDefaultTestWithoutVerification();
   helper.VerifyDataConsumed();
   EXPECT_TRUE(http_server_properties->RequiresHTTP11(
-      url::SchemeHostPort(request_.url), NetworkIsolationKey()));
+      url::SchemeHostPort(request_.url), NetworkAnonymizationKey()));
 
   const HttpResponseInfo* response = helper.trans()->GetResponseInfo();
   ASSERT_TRUE(response);
@@ -5631,8 +5632,9 @@ TEST_F(SpdyNetworkTransactionTest, HTTP11RequiredRetry) {
   EXPECT_EQ("hello", response_data);
 }
 
-// Same as above test, but checks that NetworkIsolationKeys are respected.
-TEST_F(SpdyNetworkTransactionTest, HTTP11RequiredRetryWithNetworkIsolationKey) {
+// Same as above test, but checks that NetworkAnonymizationKeys are respected.
+TEST_F(SpdyNetworkTransactionTest,
+       HTTP11RequiredRetryWithNetworkAnonymizationKey) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const SchemefulSite kSite2(GURL("https://bar.test/"));
   const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
@@ -5645,8 +5647,8 @@ TEST_F(SpdyNetworkTransactionTest, HTTP11RequiredRetryWithNetworkIsolationKey) {
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // SpdySessionKeys to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // SpdySessionKeys to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -5656,12 +5658,15 @@ TEST_F(SpdyNetworkTransactionTest, HTTP11RequiredRetryWithNetworkIsolationKey) {
 
   // For each server, set up and tear down a QUIC session cleanly, and check
   // that stats have been added to HttpServerProperties using the correct
-  // NetworkIsolationKey.
+  // NetworkAnonymizationKey.
   for (size_t i = 0; i < std::size(kNetworkIsolationKeys); ++i) {
     SCOPED_TRACE(i);
 
     request_.method = "GET";
     request_.network_isolation_key = kNetworkIsolationKeys[i];
+    request_.network_anonymization_key =
+        net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+            kNetworkIsolationKeys[i]);
 
     // First socket: HTTP/2 request rejected with HTTP_1_1_REQUIRED.
     SpdyTestUtil spdy_util;
@@ -5705,7 +5710,9 @@ TEST_F(SpdyNetworkTransactionTest, HTTP11RequiredRetryWithNetworkIsolationKey) {
     HttpServerProperties* http_server_properties =
         helper.session()->spdy_session_pool()->http_server_properties();
     EXPECT_FALSE(http_server_properties->RequiresHTTP11(
-        url::SchemeHostPort(request_.url), kNetworkIsolationKeys[i]));
+        url::SchemeHostPort(request_.url),
+        net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+            kNetworkIsolationKeys[i])));
 
     HttpNetworkTransaction trans(DEFAULT_PRIORITY, helper.session());
 
@@ -5729,14 +5736,18 @@ TEST_F(SpdyNetworkTransactionTest, HTTP11RequiredRetryWithNetworkIsolationKey) {
     EXPECT_EQ("hello", response_data);
 
     for (size_t j = 0; j < std::size(kNetworkIsolationKeys); ++j) {
-      // NetworkIsolationKeys up to kNetworkIsolationKeys[j] are known to
-      // require HTTP/1.1, others are not.
+      // NetworkAnonymizationKeys up to kNetworkIsolationKeys[j] are known
+      // to require HTTP/1.1, others are not.
       if (j <= i) {
         EXPECT_TRUE(http_server_properties->RequiresHTTP11(
-            url::SchemeHostPort(request_.url), kNetworkIsolationKeys[j]));
+            url::SchemeHostPort(request_.url),
+            net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+                kNetworkIsolationKeys[j])));
       } else {
         EXPECT_FALSE(http_server_properties->RequiresHTTP11(
-            url::SchemeHostPort(request_.url), kNetworkIsolationKeys[j]));
+            url::SchemeHostPort(request_.url),
+            net::NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+                kNetworkIsolationKeys[j])));
       }
     }
   }
@@ -5809,15 +5820,15 @@ TEST_F(SpdyNetworkTransactionTest, HTTP11RequiredProxyRetry) {
   HttpServerProperties* http_server_properties =
       helper.session()->spdy_session_pool()->http_server_properties();
   url::SchemeHostPort proxy_scheme_host_port(url::kHttpsScheme, "myproxy", 70);
-  EXPECT_FALSE(http_server_properties->RequiresHTTP11(proxy_scheme_host_port,
-                                                      NetworkIsolationKey()));
+  EXPECT_FALSE(http_server_properties->RequiresHTTP11(
+      proxy_scheme_host_port, NetworkAnonymizationKey()));
 
   helper.RunPreTestSetup();
   helper.StartDefaultTest();
   helper.FinishDefaultTestWithoutVerification();
   helper.VerifyDataConsumed();
-  EXPECT_TRUE(http_server_properties->RequiresHTTP11(proxy_scheme_host_port,
-                                                     NetworkIsolationKey()));
+  EXPECT_TRUE(http_server_properties->RequiresHTTP11(
+      proxy_scheme_host_port, NetworkAnonymizationKey()));
 
   const HttpResponseInfo* response = helper.trans()->GetResponseInfo();
   ASSERT_TRUE(response);
@@ -5835,14 +5846,19 @@ TEST_F(SpdyNetworkTransactionTest, HTTP11RequiredProxyRetry) {
   EXPECT_EQ("hello", response_data);
 }
 
-// Same as above, but also test that NetworkIsolationKeys are respected.
+// Same as above, but also test that NetworkAnonymizationKeys are respected.
 TEST_F(SpdyNetworkTransactionTest,
-       HTTP11RequiredProxyRetryWithNetworkIsolationKey) {
+       HTTP11RequiredProxyRetryWithNetworkAnonymizationKey) {
   const SchemefulSite kSite1(GURL("https://foo.test/"));
   const SchemefulSite kSite2(GURL("https://bar.test/"));
+  const NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
+  const NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
   const NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
   const NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
 
+  const NetworkAnonymizationKey kNetworkAnonymizationKeys[] = {
+      kNetworkAnonymizationKey1, kNetworkAnonymizationKey2,
+      NetworkAnonymizationKey()};
   const NetworkIsolationKey kNetworkIsolationKeys[] = {
       kNetworkIsolationKey1, kNetworkIsolationKey2, NetworkIsolationKey()};
 
@@ -5850,8 +5866,8 @@ TEST_F(SpdyNetworkTransactionTest,
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // SpdySessionKeys to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // SpdySessionKeys to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -5865,7 +5881,7 @@ TEST_F(SpdyNetworkTransactionTest,
                                      std::move(session_deps));
   helper.RunPreTestSetup();
 
-  for (size_t i = 0; i < std::size(kNetworkIsolationKeys); ++i) {
+  for (size_t i = 0; i < std::size(kNetworkAnonymizationKeys); ++i) {
     // First socket: HTTP/2 CONNECT rejected with HTTP_1_1_REQUIRED.
 
     SpdyTestUtil spdy_util;
@@ -5925,9 +5941,10 @@ TEST_F(SpdyNetworkTransactionTest,
     url::SchemeHostPort proxy_scheme_host_port(url::kHttpsScheme, "myproxy",
                                                70);
     EXPECT_FALSE(http_server_properties->RequiresHTTP11(
-        proxy_scheme_host_port, kNetworkIsolationKeys[i]));
+        proxy_scheme_host_port, kNetworkAnonymizationKeys[i]));
 
     request_.network_isolation_key = kNetworkIsolationKeys[i];
+    request_.network_anonymization_key = kNetworkAnonymizationKeys[i];
     HttpNetworkTransaction trans(DEFAULT_PRIORITY, helper.session());
     TestCompletionCallback callback;
     int rv = trans.Start(&request_, callback.callback(), log_);
@@ -5949,23 +5966,23 @@ TEST_F(SpdyNetworkTransactionTest,
     ASSERT_THAT(ReadTransaction(&trans, &response_data), IsOk());
     EXPECT_EQ("hello", response_data);
 
-    for (size_t j = 0; j < std::size(kNetworkIsolationKeys); ++j) {
+    for (size_t j = 0; j < std::size(kNetworkAnonymizationKeys); ++j) {
       // The proxy SchemeHostPort URL should not be marked as requiring HTTP/1.1
-      // using the current NetworkIsolationKey, and the state of others should
-      // be unchanged since the last loop iteration..
+      // using the current NetworkAnonymizationKey, and the state of others
+      // should be unchanged since the last loop iteration..
       if (j <= i) {
         EXPECT_TRUE(http_server_properties->RequiresHTTP11(
-            proxy_scheme_host_port, kNetworkIsolationKeys[j]));
+            proxy_scheme_host_port, kNetworkAnonymizationKeys[j]));
       } else {
         EXPECT_FALSE(http_server_properties->RequiresHTTP11(
-            proxy_scheme_host_port, kNetworkIsolationKeys[j]));
+            proxy_scheme_host_port, kNetworkAnonymizationKeys[j]));
       }
     }
 
     // The destination SchemeHostPort should not be marked as requiring
     // HTTP/1.1.
     EXPECT_FALSE(http_server_properties->RequiresHTTP11(
-        url::SchemeHostPort(request_.url), kNetworkIsolationKeys[i]));
+        url::SchemeHostPort(request_.url), kNetworkAnonymizationKeys[i]));
   }
 }
 
@@ -6080,13 +6097,13 @@ TEST_F(SpdyNetworkTransactionTest, DirectConnectProxyReconnect) {
   SpdySessionKey session_pool_key_direct(
       host_port_pair_, ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_TRUE(HasSpdySession(spdy_session_pool, session_pool_key_direct));
   SpdySessionKey session_pool_key_proxy(
       host_port_pair_,
       ProxyUriToProxyServer("www.foo.com", ProxyServer::SCHEME_HTTP),
       PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-      SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_FALSE(HasSpdySession(spdy_session_pool, session_pool_key_proxy));
 
   // New SpdyTestUtil instance for the session that will be used for the
@@ -6653,13 +6670,13 @@ class SpdyNetworkTransactionPushUrlTest
  public:
   SpdyNetworkTransactionPushUrlTest() {
     // Set features needed for the |expect_ct_error| case, where it's important
-    // to check that NetworkIsolationKeys are respected.
+    // to check that NetworkAnonymizationKeys are respected.
     feature_list_.InitWithFeatures(
         /* enabled_features */
-        {TransportSecurityState::kDynamicExpectCTFeature,
+        {kDynamicExpectCTFeature,
          features::kPartitionExpectCTStateByNetworkIsolationKey,
          features::kPartitionConnectionsByNetworkIsolationKey,
-         features::kPartitionSSLSessionsByNetworkIsolationKey},
+         features::kPartitionHttpServerPropertiesByNetworkIsolationKey},
         /* disabled_features */
         {});
   }
@@ -6706,9 +6723,12 @@ class SpdyNetworkTransactionPushUrlTest
     SequencedSocketData data(reads, writes);
 
     request_.url = GURL(GetParam().url_to_fetch);
-    // Set a NetworkIsolationKey for the |expect_ct_error| case, to make sure
-    // NetworkIsolationKeys are respected.
+    // Set a NetworkAnonymizationKey for the |expect_ct_error| case, to make
+    // sure NetworkAnonymizationKeys are respected.
     request_.network_isolation_key = NetworkIsolationKey::CreateTransient();
+    request_.network_anonymization_key =
+        NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+            request_.network_isolation_key);
 
     auto ssl_provider = std::make_unique<SSLSocketDataProvider>(ASYNC, OK);
     ssl_provider->ssl_info.client_cert_sent = GetParam().client_cert_sent;
@@ -6722,7 +6742,7 @@ class SpdyNetworkTransactionPushUrlTest
 
       session_deps->transport_security_state->AddExpectCT(
           "mail.example.org", base::Time::Now() + base::Days(1) /* expiry */,
-          true, GURL(), request_.network_isolation_key);
+          true, GURL(), request_.network_anonymization_key);
     }
     session_deps->http2_settings[spdy::SETTINGS_ENABLE_PUSH] = 1;
     NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_,
@@ -6837,7 +6857,7 @@ TEST_F(SpdyNetworkTransactionTest, ServerPushValidCrossOrigin) {
   SpdySessionKey key(host_port_pair_, ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session =
       spdy_session_pool->FindAvailableSession(
           key, /* enable_ip_based_pooling = */ true,
@@ -6881,16 +6901,16 @@ TEST_F(SpdyNetworkTransactionTest, ServerPushValidCrossOrigin) {
   VerifyStreamsClosed(helper);
 }
 
-// Verify that push does not work cross origin when NetworkIsolationKeys don't
-// match.
+// Verify that push does not work cross origin when NetworkAnonymizationKeys
+// don't match.
 TEST_F(SpdyNetworkTransactionTest,
-       ServerPushCrossOriginNetworkIsolationKeyMistmatch) {
+       ServerPushCrossOriginNetworkAnonymizationKeyMistmatch) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // SpdySessionKeys to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // SpdySessionKeys to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -6949,7 +6969,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key(host_port_pair_, ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session =
       spdy_session_pool->FindAvailableSession(
           key, /* enable_ip_based_pooling = */ true,
@@ -6961,9 +6981,12 @@ TEST_F(SpdyNetworkTransactionTest,
 
   HttpNetworkTransaction trans1(DEFAULT_PRIORITY, helper.session());
   HttpRequestInfo push_request;
-  // Use a different NetworkIsolationKey than |spdy_session| (which uses an
+  // Use a different NetworkAnonymizationKey than |spdy_session| (which uses an
   // empty one).
   push_request.network_isolation_key = NetworkIsolationKey::CreateTransient();
+  push_request.network_anonymization_key =
+      NetworkAnonymizationKey::CreateFromNetworkIsolationKey(
+          push_request.network_isolation_key);
   push_request.method = "GET";
   push_request.url = GURL(url_to_push);
   push_request.traffic_annotation =
@@ -6976,10 +6999,11 @@ TEST_F(SpdyNetworkTransactionTest,
   // The pushed stream should still be pending.
   EXPECT_EQ(1u, num_unclaimed_pushed_streams(spdy_session));
 
-  // Try again, this time with an empty NetworkIsolationKey, matching the
+  // Try again, this time with an empty NetworkAnonymizationKey, matching the
   // SpdySession's. This request should successfully get the pushed stream.
   HttpNetworkTransaction trans2(DEFAULT_PRIORITY, helper.session());
   push_request.network_isolation_key = NetworkIsolationKey();
+  push_request.network_anonymization_key = NetworkAnonymizationKey();
   TestCompletionCallback callback2;
   rv = trans1.Start(&push_request, callback2.callback(), log_);
   EXPECT_THAT(callback2.GetResult(rv), IsOk());
@@ -7171,7 +7195,7 @@ TEST_F(SpdyNetworkTransactionTest, ServerPushValidCrossOriginWithOpenSession) {
   SpdySessionKey key0(host_port_pair0, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session0 =
       spdy_session_pool->FindAvailableSession(
           key0, /* enable_ip_based_pooling = */ true,
@@ -7183,7 +7207,7 @@ TEST_F(SpdyNetworkTransactionTest, ServerPushValidCrossOriginWithOpenSession) {
   SpdySessionKey key1(host_port_pair1, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session1 =
       spdy_session_pool->FindAvailableSession(
           key1, /* enable_ip_based_pooling = */ true,
@@ -8745,7 +8769,7 @@ TEST_F(SpdyNetworkTransactionTest, PushCanceledByServerAfterClaimed) {
   SpdySessionKey key(HostPortPair::FromURL(request_.url), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   HttpNetworkSession* session = helper.session();
   base::WeakPtr<SpdySession> spdy_session =
       session->spdy_session_pool()->FindAvailableSession(
@@ -8865,7 +8889,7 @@ TEST_F(SpdyNetworkTransactionTest, WebSocketOpensNewConnection) {
   SpdySessionKey key(HostPortPair::FromURL(request_.url), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session =
       helper.session()->spdy_session_pool()->FindAvailableSession(
           key, /* enable_ip_based_pooling = */ true,
@@ -9012,7 +9036,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key(HostPortPair::FromURL(request_.url), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   base::WeakPtr<SpdySession> spdy_session =
       helper.session()->spdy_session_pool()->FindAvailableSession(
@@ -9092,7 +9116,7 @@ TEST_F(SpdyNetworkTransactionTest, WebSocketOverHTTP2) {
   SpdySessionKey key(HostPortPair::FromURL(request_.url), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session =
       helper.session()->spdy_session_pool()->FindAvailableSession(
           key, /* enable_ip_based_pooling = */ true,
@@ -9282,7 +9306,7 @@ TEST_F(SpdyNetworkTransactionTest,
       HostPortPair::FromURL(request_.url),
       ProxyUriToProxyServer("https://proxy:70", ProxyServer::SCHEME_HTTPS),
       PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-      SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   base::WeakPtr<SpdySession> spdy_session =
       helper.session()->spdy_session_pool()->FindAvailableSession(
@@ -9394,7 +9418,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key1(HostPortPair::FromURL(request_.url),
                       ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_TRUE(helper.session()->spdy_session_pool()->HasAvailableSession(
       key1, /* is_websocket = */ false));
   base::WeakPtr<SpdySession> spdy_session1 =
@@ -9411,7 +9435,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key2(HostPortPair::FromURL(request2.url),
                       ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_TRUE(helper.session()->spdy_session_pool()->HasAvailableSession(
       key2, /* is_websocket = */ true));
   base::WeakPtr<SpdySession> spdy_session2 =
@@ -9551,7 +9575,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key1(HostPortPair::FromURL(request_.url),
                       ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session1 =
       helper.session()->spdy_session_pool()->FindAvailableSession(
           key1, /* enable_ip_based_pooling = */ true,
@@ -9567,7 +9591,7 @@ TEST_F(SpdyNetworkTransactionTest,
   SpdySessionKey key2(HostPortPair::FromURL(request2.url),
                       ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session2 =
       helper.session()->spdy_session_pool()->FindAvailableSession(
           key1, /* enable_ip_based_pooling = */ true,
@@ -9714,7 +9738,7 @@ TEST_F(SpdyNetworkTransactionTest, WebSocketHttp11Required) {
   SpdySessionKey key(HostPortPair::FromURL(request_.url), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> spdy_session =
       helper.session()->spdy_session_pool()->FindAvailableSession(
           key, /* enable_ip_based_pooling = */ true,
diff --git a/chromium/net/spdy/spdy_proxy_client_socket.cc b/chromium/net/spdy/spdy_proxy_client_socket.cc
index a915d31a00f..5984ecedb3a 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket.cc
+++ b/chromium/net/spdy/spdy_proxy_client_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -285,7 +285,7 @@ void SpdyProxyClientSocket::RunWriteCallback(CompletionOnceCallback callback,
   if (end_stream_state_ == EndStreamState::kEndStreamReceived) {
     base::ThreadTaskRunnerHandle::Get()->PostTask(
         FROM_HERE, base::BindOnce(&SpdyProxyClientSocket::MaybeSendEndStream,
-                                  weak_factory_.GetWeakPtr()));
+                                  weak_factory_.GetMutableWeakPtr()));
   }
 }
 
diff --git a/chromium/net/spdy/spdy_proxy_client_socket.h b/chromium/net/spdy/spdy_proxy_client_socket.h
index 5b5852511ef..cbb961a68c9 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket.h
+++ b/chromium/net/spdy/spdy_proxy_client_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc b/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc
index 001b79c2312..335d427f16e 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc
+++ b/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -99,7 +99,7 @@ base::WeakPtr<SpdySession> CreateSpdyProxySession(
       NetLogWithSource()));
 
   auto transport_params = base::MakeRefCounted<TransportSocketParams>(
-      destination, NetworkIsolationKey(), SecureDnsPolicy::kAllow,
+      destination, NetworkAnonymizationKey(), SecureDnsPolicy::kAllow,
       OnHostResolutionCallback(),
       /*supported_alpns=*/base::flat_set<std::string>{"h2", "http/1.1"});
 
@@ -107,7 +107,7 @@ base::WeakPtr<SpdySession> CreateSpdyProxySession(
   auto ssl_params = base::MakeRefCounted<SSLSocketParams>(
       transport_params, nullptr, nullptr,
       HostPortPair::FromSchemeHostPort(destination), ssl_config,
-      key.privacy_mode(), key.network_isolation_key());
+      key.privacy_mode(), key.network_anonymization_key());
   TestConnectJobDelegate connect_job_delegate;
   SSLConnectJob connect_job(MEDIUM, SocketTag(), common_connect_job_params,
                             ssl_params, &connect_job_delegate,
@@ -175,7 +175,7 @@ class SpdyProxyClientSocketTest : public PlatformTest,
     const std::u16string kBar(u"bar");
     session_->http_auth_cache()->Add(
         url::SchemeHostPort{GURL(kProxyUrl)}, HttpAuth::AUTH_PROXY, "MyRealm1",
-        HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+        HttpAuth::AUTH_SCHEME_BASIC, NetworkAnonymizationKey(),
         "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar), "/");
   }
 
@@ -230,7 +230,7 @@ SpdyProxyClientSocketTest::SpdyProxyClientSocketTest()
                                  PRIVACY_MODE_DISABLED,
                                  SpdySessionKey::IsProxySession::kFalse,
                                  SocketTag(),
-                                 NetworkIsolationKey(),
+                                 NetworkAnonymizationKey(),
                                  SecureDnsPolicy::kAllow),
       ssl_(SYNCHRONOUS, OK) {
   session_deps_.net_log = NetLog::Get();
@@ -284,7 +284,7 @@ void SpdyProxyClientSocketTest::Initialize(base::span<const MockRead> reads,
       user_agent_, endpoint_host_port_pair_, net_log_with_source_,
       base::MakeRefCounted<HttpAuthController>(
           HttpAuth::AUTH_PROXY, GURL("https://" + proxy_host_port_.ToString()),
-          NetworkIsolationKey(), session_->http_auth_cache(),
+          NetworkAnonymizationKey(), session_->http_auth_cache(),
           session_->http_auth_handler_factory(), session_->host_resolver()),
       // Testing with the proxy delegate is in HttpProxyConnectJobTest.
       nullptr);
diff --git a/chromium/net/spdy/spdy_read_queue.cc b/chromium/net/spdy/spdy_read_queue.cc
index 81d93baef26..5cdbaf35287 100644
--- a/chromium/net/spdy/spdy_read_queue.cc
+++ b/chromium/net/spdy/spdy_read_queue.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_read_queue.h b/chromium/net/spdy/spdy_read_queue.h
index 41d73fcfc5c..ef2c3d7f13c 100644
--- a/chromium/net/spdy/spdy_read_queue.h
+++ b/chromium/net/spdy/spdy_read_queue.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_read_queue_unittest.cc b/chromium/net/spdy/spdy_read_queue_unittest.cc
index aac9c792a2f..e97fbe99823 100644
--- a/chromium/net/spdy/spdy_read_queue_unittest.cc
+++ b/chromium/net/spdy/spdy_read_queue_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_session.cc b/chromium/net/spdy/spdy_session.cc
index 1466f53afdd..5d6354ac2a4 100644
--- a/chromium/net/spdy/spdy_session.cc
+++ b/chromium/net/spdy/spdy_session.cc
@@ -1,10 +1,9 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/spdy/spdy_session.h"
 
-#include <algorithm>
 #include <limits>
 #include <map>
 #include <string>
@@ -19,6 +18,7 @@
 #include "base/metrics/histogram_functions.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/rand_util.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/abseil_string_conversions.h"
 #include "base/strings/strcat.h"
 #include "base/strings/string_number_conversions.h"
@@ -474,21 +474,6 @@ size_t GetTotalSize(const T (&arr)[N]) {
   return total_size;
 }
 
-// Helper class for std:find_if on STL container containing
-// SpdyStreamRequest weak pointers.
-class RequestEquals {
- public:
-  explicit RequestEquals(const base::WeakPtr<SpdyStreamRequest>& request)
-      : request_(request) {}
-
-  bool operator()(const base::WeakPtr<SpdyStreamRequest>& request) const {
-    return request_.get() == request.get();
-  }
-
- private:
-  const base::WeakPtr<SpdyStreamRequest> request_;
-};
-
 // The maximum number of concurrent streams we will ever create.  Even if
 // the server permits more, we will never exceed this limit.
 const size_t kMaxConcurrentStreamLimit = 256;
@@ -506,11 +491,11 @@ class SpdyServerPushHelper : public ServerPushDelegate::ServerPushHelper {
 
   const GURL& GetURL() const override { return request_url_; }
 
-  NetworkIsolationKey GetNetworkIsolationKey() const override {
+  NetworkAnonymizationKey GetNetworkAnonymizationKey() const override {
     if (session_) {
-      return session_->spdy_session_key().network_isolation_key();
+      return session_->spdy_session_key().network_anonymization_key();
     }
-    return NetworkIsolationKey();
+    return NetworkAnonymizationKey();
   }
 
  private:
@@ -865,7 +850,7 @@ bool SpdySession::CanPool(
     const SSLConfigService& ssl_config_service,
     const std::string& old_hostname,
     const std::string& new_hostname,
-    const net::NetworkIsolationKey& network_isolation_key) {
+    const net::NetworkAnonymizationKey& network_anonymization_key) {
   // Pooling is prohibited if the server cert is not valid for the new domain,
   // and for connections on which client certs were sent. It is also prohibited
   // when channel ID was sent if the hosts are from different eTLDs+1.
@@ -889,7 +874,7 @@ bool SpdySession::CanPool(
           HostPortPair(new_hostname, 0), ssl_info.is_issued_by_known_root,
           ssl_info.public_key_hashes, ssl_info.unverified_cert.get(),
           ssl_info.cert.get(), TransportSecurityState::DISABLE_PIN_REPORTS,
-          network_isolation_key, &pinning_failure_log) ==
+          network_anonymization_key, &pinning_failure_log) ==
       TransportSecurityState::PKPStatus::VIOLATED) {
     return false;
   }
@@ -900,7 +885,7 @@ bool SpdySession::CanPool(
       ssl_info.public_key_hashes, ssl_info.cert.get(),
       ssl_info.unverified_cert.get(), ssl_info.signed_certificate_timestamps,
       TransportSecurityState::DISABLE_EXPECT_CT_REPORTS,
-      ssl_info.ct_policy_compliance, network_isolation_key)) {
+      ssl_info.ct_policy_compliance, network_anonymization_key)) {
     case TransportSecurityState::CT_REQUIREMENTS_NOT_MET:
       return false;
     case TransportSecurityState::CT_REQUIREMENTS_MET:
@@ -1171,7 +1156,7 @@ bool SpdySession::VerifyDomainAuthentication(const std::string& domain) const {
 
   return CanPool(transport_security_state_, ssl_info, *ssl_config_service_,
                  host_port_pair().host(), domain,
-                 spdy_session_key_.network_isolation_key());
+                 spdy_session_key_.network_anonymization_key());
 }
 
 void SpdySession::EnqueueStreamWrite(
@@ -1589,8 +1574,8 @@ base::Value SpdySession::GetInfoAsValue() const {
     dict.Set("aliases", std::move(alias_list));
   }
   dict.Set("proxy", ProxyServerToProxyUri(host_port_proxy_pair().second));
-  dict.Set("network_isolation_key",
-           spdy_session_key_.network_isolation_key().ToDebugString());
+  dict.Set("network_anonymization_key",
+           spdy_session_key_.network_anonymization_key().ToDebugString());
 
   dict.Set("active_streams", static_cast<int>(active_streams_.size()));
 
@@ -1767,7 +1752,7 @@ bool SpdySession::ChangeSocketTag(const SocketTag& new_tag) {
   SpdySessionKey new_key(
       spdy_session_key_.host_port_pair(), spdy_session_key_.proxy_server(),
       spdy_session_key_.privacy_mode(), spdy_session_key_.is_proxy_session(),
-      new_tag, spdy_session_key_.network_isolation_key(),
+      new_tag, spdy_session_key_.network_anonymization_key(),
       spdy_session_key_.secure_dns_policy());
   spdy_session_key_ = new_key;
 
@@ -1913,24 +1898,24 @@ bool SpdySession::CancelStreamRequest(
   for (int i = MINIMUM_PRIORITY; i <= MAXIMUM_PRIORITY; ++i) {
     if (priority == i)
       continue;
-    PendingStreamRequestQueue* queue = &pending_create_stream_queues_[i];
-    DCHECK(std::find_if(queue->begin(), queue->end(), RequestEquals(request)) ==
-           queue->end());
+    DCHECK(!base::Contains(pending_create_stream_queues_[i], request.get(),
+                           &base::WeakPtr<SpdyStreamRequest>::get));
   }
 #endif
 
   PendingStreamRequestQueue* queue = &pending_create_stream_queues_[priority];
   // Remove |request| from |queue| while preserving the order of the
   // other elements.
-  PendingStreamRequestQueue::iterator it =
-      std::find_if(queue->begin(), queue->end(), RequestEquals(request));
+  PendingStreamRequestQueue::iterator it = base::ranges::find(
+      *queue, request.get(), &base::WeakPtr<SpdyStreamRequest>::get);
   // The request may already be removed if there's a
   // CompleteStreamRequest() in flight.
   if (it != queue->end()) {
     it = queue->erase(it);
     // |request| should be in the queue at most once, and if it is
     // present, should not be pending completion.
-    DCHECK(std::find_if(it, queue->end(), RequestEquals(request)) ==
+    DCHECK(base::ranges::find(it, queue->end(), request.get(),
+                              &base::WeakPtr<SpdyStreamRequest>::get) ==
            queue->end());
     return true;
   }
@@ -2102,7 +2087,7 @@ void SpdySession::TryCreatePushStream(spdy::SpdyStreamId stream_id,
     CHECK(GetSSLInfo(&ssl_info));
     if (!CanPool(transport_security_state_, ssl_info, *ssl_config_service_,
                  associated_url.host(), gurl.host(),
-                 spdy_session_key_.network_isolation_key())) {
+                 spdy_session_key_.network_anonymization_key())) {
       RecordSpdyPushedStreamFateHistogram(
           SpdyPushedStreamFate::kCertificateMismatch);
       EnqueueResetStreamFrame(stream_id, request_priority,
@@ -3065,7 +3050,7 @@ void SpdySession::DoDrainSession(Error err, const std::string& description) {
     http_server_properties_->SetHTTP11Required(
         url::SchemeHostPort(url::kHttpsScheme, host_port_pair().host(),
                             host_port_pair().port()),
-        spdy_session_key_.network_isolation_key());
+        spdy_session_key_.network_anonymization_key());
   }
 
   // If |err| indicates an error occurred, inform the peer that we're closing
@@ -3550,7 +3535,7 @@ void SpdySession::OnAltSvc(
       return;
     if (!CanPool(transport_security_state_, ssl_info, *ssl_config_service_,
                  host_port_pair().host(), gurl.host(),
-                 spdy_session_key_.network_isolation_key())) {
+                 spdy_session_key_.network_anonymization_key())) {
       return;
     }
     scheme_host_port = url::SchemeHostPort(gurl);
@@ -3567,7 +3552,7 @@ void SpdySession::OnAltSvc(
   }
 
   http_server_properties_->SetAlternativeServices(
-      scheme_host_port, spdy_session_key_.network_isolation_key(),
+      scheme_host_port, spdy_session_key_.network_anonymization_key(),
       ProcessAlternativeServices(altsvc_vector, is_http2_enabled_,
                                  is_quic_enabled_, quic_supported_versions_));
 }
diff --git a/chromium/net/spdy/spdy_session.h b/chromium/net/spdy/spdy_session.h
index e52a7b918c7..a26496561d8 100644
--- a/chromium/net/spdy/spdy_session.h
+++ b/chromium/net/spdy/spdy_session.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -339,12 +339,13 @@ class NET_EXPORT SpdySession
 
   // Returns true if |new_hostname| can be pooled into an existing connection to
   // |old_hostname| associated with |ssl_info|.
-  static bool CanPool(TransportSecurityState* transport_security_state,
-                      const SSLInfo& ssl_info,
-                      const SSLConfigService& ssl_config_service,
-                      const std::string& old_hostname,
-                      const std::string& new_hostname,
-                      const net::NetworkIsolationKey& network_isolation_key);
+  static bool CanPool(
+      TransportSecurityState* transport_security_state,
+      const SSLInfo& ssl_info,
+      const SSLConfigService& ssl_config_service,
+      const std::string& old_hostname,
+      const std::string& new_hostname,
+      const net::NetworkAnonymizationKey& network_anonymization_key);
 
   // Create a new SpdySession.
   // |spdy_session_key| is the host/port that this session connects to, privacy
diff --git a/chromium/net/spdy/spdy_session_fuzzer.cc b/chromium/net/spdy/spdy_session_fuzzer.cc
index 9599a27a45a..52efd090a6a 100644
--- a/chromium/net/spdy/spdy_session_fuzzer.cc
+++ b/chromium/net/spdy/spdy_session_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -127,11 +127,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
           &deps, &socket_factory));
 
   net::ProxyServer direct_connect(net::ProxyServer::Direct());
-  net::SpdySessionKey session_key(net::HostPortPair("127.0.0.1", 80),
-                                  direct_connect, net::PRIVACY_MODE_DISABLED,
-                                  net::SpdySessionKey::IsProxySession::kFalse,
-                                  net::SocketTag(), net::NetworkIsolationKey(),
-                                  net::SecureDnsPolicy::kAllow);
+  net::SpdySessionKey session_key(
+      net::HostPortPair("127.0.0.1", 80), direct_connect,
+      net::PRIVACY_MODE_DISABLED, net::SpdySessionKey::IsProxySession::kFalse,
+      net::SocketTag(), net::NetworkAnonymizationKey(),
+      net::SecureDnsPolicy::kAllow);
   base::WeakPtr<net::SpdySession> spdy_session(net::CreateSpdySession(
       http_session.get(), session_key, net_log_with_source));
 
diff --git a/chromium/net/spdy/spdy_session_key.cc b/chromium/net/spdy/spdy_session_key.cc
index 9a3c337bd50..19e80aca159 100644
--- a/chromium/net/spdy/spdy_session_key.cc
+++ b/chromium/net/spdy/spdy_session_key.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -14,27 +14,30 @@
 #include "net/base/proxy_server.h"
 #include "net/base/proxy_string_util.h"
 #include "net/dns/public/secure_dns_policy.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace net {
 
 SpdySessionKey::SpdySessionKey() = default;
 
-SpdySessionKey::SpdySessionKey(const HostPortPair& host_port_pair,
-                               const ProxyServer& proxy_server,
-                               PrivacyMode privacy_mode,
-                               IsProxySession is_proxy_session,
-                               const SocketTag& socket_tag,
-                               const NetworkIsolationKey& network_isolation_key,
-                               SecureDnsPolicy secure_dns_policy)
+SpdySessionKey::SpdySessionKey(
+    const HostPortPair& host_port_pair,
+    const ProxyServer& proxy_server,
+    PrivacyMode privacy_mode,
+    IsProxySession is_proxy_session,
+    const SocketTag& socket_tag,
+    const NetworkAnonymizationKey& network_anonymization_key,
+    SecureDnsPolicy secure_dns_policy)
     : host_port_proxy_pair_(host_port_pair, proxy_server),
       privacy_mode_(privacy_mode),
       is_proxy_session_(is_proxy_session),
       socket_tag_(socket_tag),
-      network_isolation_key_(
-          base::FeatureList::IsEnabled(
+      network_anonymization_key_(
+          !base::FeatureList::IsEnabled(
               features::kPartitionConnectionsByNetworkIsolationKey)
-              ? network_isolation_key
-              : NetworkIsolationKey()),
+              ? NetworkAnonymizationKey()
+              : network_anonymization_key),
+
       secure_dns_policy_(secure_dns_policy) {
   // IsProxySession::kTrue should only be used with direct connections, since
   // using multiple layers of proxies on top of each other isn't supported.
@@ -51,10 +54,10 @@ SpdySessionKey::~SpdySessionKey() = default;
 bool SpdySessionKey::operator<(const SpdySessionKey& other) const {
   return std::tie(privacy_mode_, host_port_proxy_pair_.first,
                   host_port_proxy_pair_.second, is_proxy_session_,
-                  network_isolation_key_, secure_dns_policy_, socket_tag_) <
+                  network_anonymization_key_, secure_dns_policy_, socket_tag_) <
          std::tie(other.privacy_mode_, other.host_port_proxy_pair_.first,
                   other.host_port_proxy_pair_.second, other.is_proxy_session_,
-                  other.network_isolation_key_, other.secure_dns_policy_,
+                  other.network_anonymization_key_, other.secure_dns_policy_,
                   other.socket_tag_);
 }
 
@@ -64,7 +67,7 @@ bool SpdySessionKey::operator==(const SpdySessionKey& other) const {
              other.host_port_proxy_pair_.first) &&
          host_port_proxy_pair_.second == other.host_port_proxy_pair_.second &&
          is_proxy_session_ == other.is_proxy_session_ &&
-         network_isolation_key_ == other.network_isolation_key_ &&
+         network_anonymization_key_ == other.network_anonymization_key_ &&
          secure_dns_policy_ == other.secure_dns_policy_ &&
          socket_tag_ == other.socket_tag_;
 }
@@ -80,7 +83,7 @@ SpdySessionKey::CompareForAliasingResult SpdySessionKey::CompareForAliasing(
       (privacy_mode_ == other.privacy_mode_ &&
        host_port_proxy_pair_.second == other.host_port_proxy_pair_.second &&
        is_proxy_session_ == other.is_proxy_session_ &&
-       network_isolation_key_ == other.network_isolation_key_ &&
+       network_anonymization_key_ == other.network_anonymization_key_ &&
        secure_dns_policy_ == other.secure_dns_policy_);
   result.is_socket_tag_match = (socket_tag_ == other.socket_tag_);
   return result;
diff --git a/chromium/net/spdy/spdy_session_key.h b/chromium/net/spdy/spdy_session_key.h
index f47736a8b77..2f29a71bde1 100644
--- a/chromium/net/spdy/spdy_session_key.h
+++ b/chromium/net/spdy/spdy_session_key.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,12 +6,13 @@
 #define NET_SPDY_SPDY_SESSION_KEY_H_
 
 #include "net/base/net_export.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_isolation_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/proxy_server.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/socket/socket_tag.h"
-
+#include "third_party/abseil-cpp/absl/types/optional.h"
 namespace net {
 
 // SpdySessionKey is used as unique index for SpdySessionPool.
@@ -35,7 +36,7 @@ class NET_EXPORT_PRIVATE SpdySessionKey {
                  PrivacyMode privacy_mode,
                  IsProxySession is_proxy_session,
                  const SocketTag& socket_tag,
-                 const NetworkIsolationKey& network_isolation_key,
+                 const NetworkAnonymizationKey& network_anonymization_key,
                  SecureDnsPolicy secure_dns_policy);
 
   SpdySessionKey(const SpdySessionKey& other);
@@ -89,8 +90,8 @@ class NET_EXPORT_PRIVATE SpdySessionKey {
 
   const SocketTag& socket_tag() const { return socket_tag_; }
 
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
 
   SecureDnsPolicy secure_dns_policy() const { return secure_dns_policy_; }
@@ -101,8 +102,10 @@ class NET_EXPORT_PRIVATE SpdySessionKey {
   PrivacyMode privacy_mode_ = PRIVACY_MODE_DISABLED;
   IsProxySession is_proxy_session_;
   SocketTag socket_tag_;
-  // Used to separate requests made in different contexts.
-  NetworkIsolationKey network_isolation_key_;
+  // Used to separate requests made in different contexts. If
+  // `kPartitionConnectionsByNetworkIsolationKey` is disabled this will be set
+  // to an empty key.
+  NetworkAnonymizationKey network_anonymization_key_;
   SecureDnsPolicy secure_dns_policy_;
 };
 
diff --git a/chromium/net/spdy/spdy_session_pool.cc b/chromium/net/spdy/spdy_session_pool.cc
index 57be3158529..f44346a0cb9 100644
--- a/chromium/net/spdy/spdy_session_pool.cc
+++ b/chromium/net/spdy/spdy_session_pool.cc
@@ -1,10 +1,9 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/spdy/spdy_session_pool.h"
 
-#include <algorithm>
 #include <set>
 #include <utility>
 
@@ -12,14 +11,14 @@
 #include "base/check_op.h"
 #include "base/containers/contains.h"
 #include "base/metrics/histogram_macros.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/stringprintf.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/trace_event/trace_event.h"
 #include "base/values.h"
 #include "build/build_config.h"
-#include "net/base/address_list.h"
+#include "net/base/ip_endpoint.h"
 #include "net/base/trace_constants.h"
-#include "net/dns/dns_alias_utility.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/public/host_resolver_source.h"
 #include "net/http/http_network_session.h"
@@ -278,7 +277,8 @@ base::WeakPtr<SpdySession> SpdySessionPool::RequestSession(
 OnHostResolutionCallbackResult SpdySessionPool::OnHostResolutionComplete(
     const SpdySessionKey& key,
     bool is_websocket,
-    const AddressList& addresses) {
+    const std::vector<HostResolverEndpointResult>& endpoint_results,
+    const std::set<std::string>& aliases) {
   // If there are no pending requests for that alias, nothing to do.
   if (spdy_session_request_map_.find(key) == spdy_session_request_map_.end())
     return OnHostResolutionCallbackResult::kContinue;
@@ -296,7 +296,12 @@ OnHostResolutionCallbackResult SpdySessionPool::OnHostResolutionComplete(
 
     return OnHostResolutionCallbackResult::kMayBeDeletedAsync;
   }
-  for (const auto& address : addresses) {
+
+  // TODO(crbug.com/1264933): Consider dealing with the other endpoints
+  // with protocol metadata.
+  const auto ip_endpoints =
+      HostResolver::GetNonProtocolEndpoints(endpoint_results);
+  for (const auto& address : ip_endpoints) {
     auto range = aliases_.equal_range(address);
     for (auto alias_it = range.first; alias_it != range.second; ++alias_it) {
       // We found a potential alias.
@@ -337,7 +342,7 @@ OnHostResolutionCallbackResult SpdySessionPool::OnHostResolutionComplete(
         SpdySessionKey new_key(old_key.host_port_pair(), old_key.proxy_server(),
                                old_key.privacy_mode(),
                                old_key.is_proxy_session(), key.socket_tag(),
-                               old_key.network_isolation_key(),
+                               old_key.network_anonymization_key(),
                                old_key.secure_dns_policy());
 
         // If there is already a session with |new_key|, skip this one.
@@ -368,8 +373,8 @@ OnHostResolutionCallbackResult SpdySessionPool::OnHostResolutionComplete(
         aliases_.erase(alias_it);
 
         // Remap pooled session keys.
-        const auto& aliases = available_session->pooled_aliases();
-        for (auto it = aliases.begin(); it != aliases.end();) {
+        const auto& pooled_aliases = available_session->pooled_aliases();
+        for (auto it = pooled_aliases.begin(); it != pooled_aliases.end();) {
           // Ignore aliases this loop is inserting.
           if (it->socket_tag() == key.socket_tag()) {
             ++it;
@@ -382,7 +387,7 @@ OnHostResolutionCallbackResult SpdySessionPool::OnHostResolutionComplete(
           SpdySessionKey new_pool_alias_key = SpdySessionKey(
               it->host_port_pair(), it->proxy_server(), it->privacy_mode(),
               it->is_proxy_session(), key.socket_tag(),
-              it->network_isolation_key(), it->secure_dns_policy());
+              it->network_anonymization_key(), it->secure_dns_policy());
           MapKeyToAvailableSession(new_pool_alias_key, available_session,
                                    std::move(pooled_alias_old_dns_aliases));
           auto old_it = it;
@@ -398,15 +403,8 @@ OnHostResolutionCallbackResult SpdySessionPool::OnHostResolutionComplete(
       }
 
       if (adding_pooled_alias) {
-        // Sanitize DNS aliases so that they can be added to the DNS alias map.
-        std::set<std::string> fixed_dns_aliases =
-            dns_alias_utility::FixUpDnsAliases(
-                std::set<std::string>(addresses.dns_aliases().begin(),
-                                      addresses.dns_aliases().end()));
-
         // Add this session to the map so that we can find it next time.
-        MapKeyToAvailableSession(key, available_session,
-                                 std::move(fixed_dns_aliases));
+        MapKeyToAvailableSession(key, available_session, aliases);
         available_session->AddPooledAlias(key);
       }
 
@@ -469,7 +467,7 @@ void SpdySessionPool::CloseCurrentIdleSessions(const std::string& description) {
 void SpdySessionPool::CloseAllSessions() {
   auto is_draining = [](const SpdySession* s) { return s->IsDraining(); };
   // Repeat until every SpdySession owned by |this| is draining.
-  while (!std::all_of(sessions_.begin(), sessions_.end(), is_draining)) {
+  while (!base::ranges::all_of(sessions_, is_draining)) {
     CloseCurrentSessionsHelper(ERR_ABORTED, "Closing all sessions.",
                                false /* idle_only */);
   }
diff --git a/chromium/net/spdy/spdy_session_pool.h b/chromium/net/spdy/spdy_session_pool.h
index dd45acded8b..520583f323f 100644
--- a/chromium/net/spdy/spdy_session_pool.h
+++ b/chromium/net/spdy/spdy_session_pool.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -24,6 +24,7 @@
 #include "net/base/net_export.h"
 #include "net/base/network_change_notifier.h"
 #include "net/base/proxy_server.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/log/net_log_source.h"
 #include "net/proxy_resolution/proxy_config.h"
 #include "net/socket/connect_job.h"
@@ -248,7 +249,8 @@ class NET_EXPORT SpdySessionPool
   OnHostResolutionCallbackResult OnHostResolutionComplete(
       const SpdySessionKey& key,
       bool is_websocket,
-      const AddressList& addresses);
+      const std::vector<HostResolverEndpointResult>& endpoint_results,
+      const std::set<std::string>& aliases);
 
   // Remove all mappings and aliases for the given session, which must
   // still be available. Except for in tests, this must be called by
diff --git a/chromium/net/spdy/spdy_session_pool_unittest.cc b/chromium/net/spdy/spdy_session_pool_unittest.cc
index 0716a16c397..bda4d307db7 100644
--- a/chromium/net/spdy/spdy_session_pool_unittest.cc
+++ b/chromium/net/spdy/spdy_session_pool_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -22,6 +22,7 @@
 #include "net/base/proxy_string_util.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/host_cache.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/http/http_network_session.h"
 #include "net/log/net_log_with_source.h"
@@ -147,14 +148,16 @@ bool TryCreateAliasedSpdySession(SpdySessionPool* pool,
   EXPECT_TRUE(request);
   EXPECT_TRUE(is_blocking_request_for_session);
 
-  AddressList address_list;
-  EXPECT_THAT(ParseAddressList(ip_address_list, &address_list.endpoints()),
-              IsOk());
-  address_list = AddressList::CopyWithPort(address_list, 443);
+  std::vector<IPEndPoint> ip_endpoints;
+  EXPECT_THAT(ParseAddressList(ip_address_list, &ip_endpoints), IsOk());
+  HostResolverEndpointResult endpoint;
+  for (auto& ip_endpoint : ip_endpoints) {
+    endpoint.ip_endpoints.emplace_back(ip_endpoint.address(), 443);
+  }
 
   // Simulate a host resolution completing.
-  OnHostResolutionCallbackResult result =
-      pool->OnHostResolutionComplete(key, is_websocket, address_list);
+  OnHostResolutionCallbackResult result = pool->OnHostResolutionComplete(
+      key, is_websocket, {endpoint}, /*aliases=*/{});
 
   // Spin the message loop and see if it creates an H2 session.
   base::RunLoop().RunUntilIdle();
@@ -225,7 +228,7 @@ TEST_F(SpdySessionPoolTest, CloseCurrentSessions) {
   SpdySessionKey test_key = SpdySessionKey(
       test_host_port_pair, ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   MockConnect connect_data(SYNCHRONOUS, OK);
   MockRead reads[] = {
@@ -287,7 +290,7 @@ TEST_F(SpdySessionPoolTest, CloseCurrentIdleSessions) {
   SpdySessionKey key1(test_host_port_pair1, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session1 =
       CreateSpdySession(http_session_.get(), key1, NetLogWithSource());
   base::WeakPtr<SpdyStream> spdy_stream1 = CreateStreamSynchronously(
@@ -302,7 +305,7 @@ TEST_F(SpdySessionPoolTest, CloseCurrentIdleSessions) {
   SpdySessionKey key2(test_host_port_pair2, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session2 =
       CreateSpdySession(http_session_.get(), key2, NetLogWithSource());
   base::WeakPtr<SpdyStream> spdy_stream2 = CreateStreamSynchronously(
@@ -318,7 +321,7 @@ TEST_F(SpdySessionPoolTest, CloseCurrentIdleSessions) {
   SpdySessionKey key3(test_host_port_pair3, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session3 =
       CreateSpdySession(http_session_.get(), key3, NetLogWithSource());
   base::WeakPtr<SpdyStream> spdy_stream3 = CreateStreamSynchronously(
@@ -396,7 +399,7 @@ TEST_F(SpdySessionPoolTest, CloseAllSessions) {
   SpdySessionKey test_key = SpdySessionKey(
       test_host_port_pair, ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   MockConnect connect_data(SYNCHRONOUS, OK);
   MockRead reads[] = {
@@ -451,7 +454,7 @@ class SpdySessionPoolOnIPAddressChangeTest : public SpdySessionPoolTest {
                                  PRIVACY_MODE_DISABLED,
                                  SpdySessionKey::IsProxySession::kFalse,
                                  SocketTag(),
-                                 NetworkIsolationKey(),
+                                 NetworkAnonymizationKey(),
                                  SecureDnsPolicy::kAllow)),
         connect_data_(SYNCHRONOUS, OK),
         data_(reads_, base::span<MockWrite>()),
@@ -542,7 +545,7 @@ void SpdySessionPoolTest::RunIPPoolingTest(
     test_host.key = SpdySessionKey(
         HostPortPair(test_host.name, kTestPort), ProxyServer::Direct(),
         PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-        SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+        SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   }
 
   MockConnect connect_data(SYNCHRONOUS, OK);
@@ -587,7 +590,7 @@ void SpdySessionPoolTest::RunIPPoolingTest(
       test_hosts[1].key.host_port_pair(),
       PacResultElementToProxyServer("HTTP http://proxy.foo.com/"),
       PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-      SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_FALSE(TryCreateAliasedSpdySession(spdy_session_pool_, proxy_key,
                                            test_hosts[1].iplist));
 
@@ -596,7 +599,7 @@ void SpdySessionPoolTest::RunIPPoolingTest(
   SpdySessionKey disable_secure_dns_key(
       test_hosts[1].key.host_port_pair(), ProxyServer::Direct(),
       PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-      SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kDisable);
+      SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kDisable);
   EXPECT_FALSE(TryCreateAliasedSpdySession(
       spdy_session_pool_, disable_secure_dns_key, test_hosts[1].iplist));
 
@@ -726,7 +729,7 @@ void SpdySessionPoolTest::RunIPPoolingDisabledTest(SSLSocketDataProvider* ssl) {
     test_host.key = SpdySessionKey(
         HostPortPair(test_host.name, kTestPort), ProxyServer::Direct(),
         PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-        SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+        SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   }
 
   MockRead reads[] = {
@@ -782,7 +785,7 @@ TEST_F(SpdySessionPoolTest, IPPoolingNetLog) {
     test_host.key = SpdySessionKey(
         HostPortPair(test_host.name, kTestPort), ProxyServer::Direct(),
         PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-        SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+        SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   }
 
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING)};
@@ -849,7 +852,7 @@ TEST_F(SpdySessionPoolTest, IPPoolingDisabled) {
     test_host.key = SpdySessionKey(
         HostPortPair(test_host.name, kTestPort), ProxyServer::Direct(),
         PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-        SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+        SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   }
 
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING)};
@@ -943,7 +946,7 @@ TEST_F(SpdySessionPoolTest, GoAwayOnIPAddressChanged) {
   SpdySessionKey keyA(test_host_port_pairA, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> sessionA =
       CreateSpdySession(http_session_.get(), keyA, NetLogWithSource());
 
@@ -976,7 +979,7 @@ TEST_F(SpdySessionPoolTest, GoAwayOnIPAddressChanged) {
   SpdySessionKey keyB(test_host_port_pairB, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> sessionB =
       CreateSpdySession(http_session_.get(), keyB, NetLogWithSource());
   EXPECT_TRUE(sessionB->IsAvailable());
@@ -999,7 +1002,7 @@ TEST_F(SpdySessionPoolTest, GoAwayOnIPAddressChanged) {
   SpdySessionKey keyC(test_host_port_pairC, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> sessionC =
       CreateSpdySession(http_session_.get(), keyC, NetLogWithSource());
 
@@ -1061,7 +1064,7 @@ TEST_F(SpdySessionPoolTest, CloseOnIPAddressChanged) {
   SpdySessionKey keyA(test_host_port_pairA, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> sessionA =
       CreateSpdySession(http_session_.get(), keyA, NetLogWithSource());
 
@@ -1094,7 +1097,7 @@ TEST_F(SpdySessionPoolTest, CloseOnIPAddressChanged) {
   SpdySessionKey keyB(test_host_port_pairB, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> sessionB =
       CreateSpdySession(http_session_.get(), keyB, NetLogWithSource());
   EXPECT_TRUE(sessionB->IsAvailable());
@@ -1117,7 +1120,7 @@ TEST_F(SpdySessionPoolTest, CloseOnIPAddressChanged) {
   SpdySessionKey keyC(test_host_port_pairC, ProxyServer::Direct(),
                       PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> sessionC =
       CreateSpdySession(http_session_.get(), keyC, NetLogWithSource());
 
@@ -1158,7 +1161,7 @@ TEST_F(SpdySessionPoolTest, HandleIPAddressChangeThenShutdown) {
   SpdySessionKey key(HostPortPair::FromURL(url), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session =
       CreateSpdySession(http_session_.get(), key, NetLogWithSource());
 
@@ -1216,7 +1219,7 @@ TEST_F(SpdySessionPoolTest, HandleGracefulGoawayThenShutdown) {
   SpdySessionKey key(HostPortPair::FromURL(url), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session =
       CreateSpdySession(http_session_.get(), key, NetLogWithSource());
 
@@ -1270,7 +1273,7 @@ TEST_F(SpdySessionPoolTest, IPConnectionPoolingWithWebSockets) {
     test_host.key = SpdySessionKey(
         HostPortPair(test_host.name, kTestPort), ProxyServer::Direct(),
         PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-        SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+        SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   }
 
   SpdyTestUtil spdy_util;
@@ -1432,7 +1435,7 @@ TEST_F(SpdySessionPoolTest, RequestSessionWithNoSessions) {
   const SpdySessionKey kSessionKey(
       HostPortPair("foo.test", 443), ProxyServer::Direct(),
       PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-      SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   CreateNetworkSession();
 
@@ -1494,7 +1497,7 @@ TEST_F(SpdySessionPoolTest, RequestSessionDuringNotification) {
   const SpdySessionKey kSessionKey(
       HostPortPair("foo.test", 443), ProxyServer::Direct(),
       PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-      SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   CreateNetworkSession();
 
@@ -1623,7 +1626,7 @@ TEST_F(SpdySessionPoolTest, SSLConfigForServerChanged) {
         HostPortPair::FromURL(GURL(kSSLServerTests[i].url)),
         PacResultElementToProxyServer(kSSLServerTests[i].proxy_pac_string),
         PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-        SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+        SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
     sessions.push_back(
         CreateSpdySession(http_session_.get(), key, NetLogWithSource()));
   }
@@ -1683,7 +1686,7 @@ TEST_F(SpdySessionPoolTest, SSLConfigForServerChangedWithStreams) {
   SpdySessionKey key(HostPortPair::FromURL(url), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session =
       CreateSpdySession(http_session_.get(), key, NetLogWithSource());
 
@@ -1777,7 +1780,7 @@ TEST_F(SpdySessionPoolTest, SSLConfigForServerChangedWithOnlyPendingStreams) {
   SpdySessionKey key(HostPortPair::FromURL(url), ProxyServer::Direct(),
                      PRIVACY_MODE_DISABLED,
                      SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                     NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                     NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session =
       CreateSpdySession(http_session_.get(), key, NetLogWithSource());
 
diff --git a/chromium/net/spdy/spdy_session_test_util.cc b/chromium/net/spdy/spdy_session_test_util.cc
index 7bd58130676..00d067dd490 100644
--- a/chromium/net/spdy/spdy_session_test_util.cc
+++ b/chromium/net/spdy/spdy_session_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_session_test_util.h b/chromium/net/spdy/spdy_session_test_util.h
index fe80eddcdba..c80ab928cb3 100644
--- a/chromium/net/spdy/spdy_session_test_util.h
+++ b/chromium/net/spdy/spdy_session_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_session_unittest.cc b/chromium/net/spdy/spdy_session_unittest.cc
index 33654439dfd..7ccc3c069cb 100644
--- a/chromium/net/spdy/spdy_session_unittest.cc
+++ b/chromium/net/spdy/spdy_session_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -26,7 +26,7 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_endpoint.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/proxy_delegate.h"
 #include "net/base/proxy_server.h"
@@ -35,6 +35,7 @@
 #include "net/base/test_completion_callback.h"
 #include "net/base/test_data_stream.h"
 #include "net/cert/ct_policy_status.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/http/http_request_info.h"
 #include "net/http/transport_security_state_test_util.h"
@@ -183,7 +184,7 @@ class SpdySessionTest : public PlatformTest, public WithTaskEnvironment {
              PRIVACY_MODE_DISABLED,
              SpdySessionKey::IsProxySession::kFalse,
              SocketTag(),
-             NetworkIsolationKey(),
+             NetworkAnonymizationKey(),
              SecureDnsPolicy::kAllow),
         ssl_(SYNCHRONOUS, OK) {}
 
@@ -2936,12 +2937,12 @@ TEST_F(SpdySessionTest, VerifyDomainAuthentication) {
 }
 
 // Check that VerifyDomainAuthentication respects Expect-CT failures, and uses
-// the correct NetworkIsolationKey.
+// the correct NetworkAnonymizationKey.
 TEST_F(SpdySessionTest, VerifyDomainAuthenticationExpectCT) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       /* enabled_features */
-      {TransportSecurityState::kDynamicExpectCTFeature,
+      {kDynamicExpectCTFeature,
        features::kPartitionExpectCTStateByNetworkIsolationKey,
        features::kPartitionConnectionsByNetworkIsolationKey,
        features::kPartitionSSLSessionsByNetworkIsolationKey},
@@ -2951,7 +2952,7 @@ TEST_F(SpdySessionTest, VerifyDomainAuthenticationExpectCT) {
   key_ = SpdySessionKey(HostPortPair::FromURL(test_url_), ProxyServer::Direct(),
                         PRIVACY_MODE_DISABLED,
                         SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                        NetworkIsolationKey::CreateTransient(),
+                        NetworkAnonymizationKey::CreateTransient(),
                         SecureDnsPolicy::kAllow);
   ssl_.ssl_info.ct_policy_compliance =
       ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
@@ -2975,15 +2976,16 @@ TEST_F(SpdySessionTest, VerifyDomainAuthenticationExpectCT) {
   EXPECT_FALSE(session_->VerifyDomainAuthentication("mail.google.com"));
 
   // Add Expect-CT data for all three hosts that passed the above checks, using
-  // different NetworkIsolationKeys.
+  // different NetworkAnonymizationKeys.
   const base::Time expiry = base::Time::Now() + base::Days(1);
   session_deps_.transport_security_state->AddExpectCT(
-      "www.example.org", expiry, true, GURL(), NetworkIsolationKey());
+      "www.example.org", expiry, true, GURL(), NetworkAnonymizationKey());
   session_deps_.transport_security_state->AddExpectCT(
-      "mail.example.org", expiry, true, GURL(), key_.network_isolation_key());
+      "mail.example.org", expiry, true, GURL(),
+      key_.network_anonymization_key());
   session_deps_.transport_security_state->AddExpectCT(
       "mail.example.com", expiry, true, GURL(),
-      NetworkIsolationKey::CreateTransient());
+      NetworkAnonymizationKey::CreateTransient());
 
   // The host with the Expect-CT data that matches the SpdySession's should fail
   // the check now.
@@ -3746,8 +3748,8 @@ TEST_F(SpdySessionTest, CloseOneIdleConnection) {
             connection2->Init(
                 ClientSocketPool::GroupId(
                     url::SchemeHostPort(url::kHttpScheme, "2.com", 80),
-                    PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
-                    SecureDnsPolicy::kAllow),
+                    PrivacyMode::PRIVACY_MODE_DISABLED,
+                    NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
                 ClientSocketPool::SocketParams::CreateForHttpForTesting(),
                 absl::nullopt /* proxy_annotation_tag */, DEFAULT_PRIORITY,
                 SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
@@ -3792,7 +3794,7 @@ TEST_F(SpdySessionTest, CloseOneIdleConnectionWithAlias) {
   SpdySessionKey key1(HostPortPair("www.example.org", 80),
                       ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   base::WeakPtr<SpdySession> session1 =
       ::net::CreateSpdySession(http_session_.get(), key1, NetLogWithSource());
   EXPECT_FALSE(pool->IsStalled());
@@ -3801,7 +3803,7 @@ TEST_F(SpdySessionTest, CloseOneIdleConnectionWithAlias) {
   SpdySessionKey key2(HostPortPair("mail.example.org", 80),
                       ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
                       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   std::unique_ptr<SpdySessionPool::SpdySessionRequest> request;
   bool is_blocking_request_for_session = false;
   SpdySessionRequestDelegate request_delegate;
@@ -3812,11 +3814,13 @@ TEST_F(SpdySessionTest, CloseOneIdleConnectionWithAlias) {
       &request_delegate, &request, &is_blocking_request_for_session));
   EXPECT_TRUE(request);
 
+  HostResolverEndpointResult endpoint;
+  endpoint.ip_endpoints = {IPEndPoint(IPAddress(192, 168, 0, 2), 80)};
   // Simulate DNS resolution completing, which should set up an alias.
   EXPECT_EQ(OnHostResolutionCallbackResult::kMayBeDeletedAsync,
             spdy_session_pool_->OnHostResolutionComplete(
-                key2, /* is_websocket = */ false,
-                AddressList(IPEndPoint(IPAddress(192, 168, 0, 2), 80))));
+                key2, /* is_websocket = */ false, {endpoint},
+                /*aliases=*/{}));
 
   // Get a session for |key2|, which should return the session created earlier.
   base::WeakPtr<SpdySession> session2 =
@@ -3835,8 +3839,8 @@ TEST_F(SpdySessionTest, CloseOneIdleConnectionWithAlias) {
             connection3->Init(
                 ClientSocketPool::GroupId(
                     url::SchemeHostPort(url::kHttpScheme, "3.com", 80),
-                    PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
-                    SecureDnsPolicy::kAllow),
+                    PrivacyMode::PRIVACY_MODE_DISABLED,
+                    NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
                 ClientSocketPool::SocketParams::CreateForHttpForTesting(),
                 absl::nullopt /* proxy_annotation_tag */, DEFAULT_PRIORITY,
                 SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
@@ -3915,8 +3919,8 @@ TEST_F(SpdySessionTest, CloseSessionOnIdleWhenPoolStalled) {
             connection2->Init(
                 ClientSocketPool::GroupId(
                     url::SchemeHostPort(url::kHttpScheme, "2.com", 80),
-                    PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
-                    SecureDnsPolicy::kAllow),
+                    PrivacyMode::PRIVACY_MODE_DISABLED,
+                    NetworkAnonymizationKey(), SecureDnsPolicy::kAllow),
                 ClientSocketPool::SocketParams::CreateForHttpForTesting(),
                 absl::nullopt /* proxy_annotation_tag */, DEFAULT_PRIORITY,
                 SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
@@ -3949,11 +3953,11 @@ TEST_F(SpdySessionTest, SpdySessionKeyPrivacyMode) {
   SpdySessionKey key_privacy_enabled(
       host_port_pair, ProxyServer::Direct(), PRIVACY_MODE_ENABLED,
       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   SpdySessionKey key_privacy_disabled(
       host_port_pair, ProxyServer::Direct(), PRIVACY_MODE_DISABLED,
       SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
 
   EXPECT_FALSE(HasSpdySession(spdy_session_pool_, key_privacy_enabled));
   EXPECT_FALSE(HasSpdySession(spdy_session_pool_, key_privacy_disabled));
@@ -6676,12 +6680,12 @@ TEST_F(AltSvcFrameTest, ProcessAltSvcFrame) {
                                            test_url_.EffectiveIntPort());
   AlternativeServiceInfoVector altsvc_info_vector =
       spdy_session_pool_->http_server_properties()->GetAlternativeServiceInfos(
-          session_origin, NetworkIsolationKey());
+          session_origin, NetworkAnonymizationKey());
   ASSERT_TRUE(altsvc_info_vector.empty());
 
   altsvc_info_vector =
       spdy_session_pool_->http_server_properties()->GetAlternativeServiceInfos(
-          url::SchemeHostPort(GURL(origin)), NetworkIsolationKey());
+          url::SchemeHostPort(GURL(origin)), NetworkAnonymizationKey());
   ASSERT_EQ(1u, altsvc_info_vector.size());
   AlternativeService alternative_service(kProtoQUIC, "alternative.example.org",
                                          443u);
@@ -6713,12 +6717,12 @@ TEST_F(AltSvcFrameTest, IgnoreQuicAltSvcWithUnsupportedVersion) {
                                            test_url_.EffectiveIntPort());
   AlternativeServiceInfoVector altsvc_info_vector =
       spdy_session_pool_->http_server_properties()->GetAlternativeServiceInfos(
-          session_origin, NetworkIsolationKey());
+          session_origin, NetworkAnonymizationKey());
   ASSERT_TRUE(altsvc_info_vector.empty());
 
   altsvc_info_vector =
       spdy_session_pool_->http_server_properties()->GetAlternativeServiceInfos(
-          url::SchemeHostPort(GURL(origin)), NetworkIsolationKey());
+          url::SchemeHostPort(GURL(origin)), NetworkAnonymizationKey());
   ASSERT_EQ(0u, altsvc_info_vector.size());
 }
 
@@ -6728,7 +6732,7 @@ TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameWithExpectCTError) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       /* enabled_features */
-      {TransportSecurityState::kDynamicExpectCTFeature,
+      {kDynamicExpectCTFeature,
        features::kPartitionExpectCTStateByNetworkIsolationKey,
        features::kPartitionConnectionsByNetworkIsolationKey,
        features::kPartitionSSLSessionsByNetworkIsolationKey},
@@ -6738,7 +6742,7 @@ TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameWithExpectCTError) {
   key_ = SpdySessionKey(HostPortPair::FromURL(test_url_), ProxyServer::Direct(),
                         PRIVACY_MODE_DISABLED,
                         SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                        NetworkIsolationKey::CreateTransient(),
+                        NetworkAnonymizationKey::CreateTransient(),
                         SecureDnsPolicy::kAllow);
   ssl_.ssl_info.ct_policy_compliance =
       ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
@@ -6749,7 +6753,7 @@ TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameWithExpectCTError) {
       std::make_unique<TransportSecurityState>();
   session_deps_.transport_security_state->AddExpectCT(
       GURL(origin).host(), base::Time::Now() + base::Days(1) /* expiry */, true,
-      GURL(), key_.network_isolation_key());
+      GURL(), key_.network_anonymization_key());
 
   spdy::SpdyAltSvcIR altsvc_ir(/* stream_id = */ 0);
   altsvc_ir.add_altsvc(alternative_service_);
@@ -6766,13 +6770,13 @@ TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameWithExpectCTError) {
                                            test_url_.EffectiveIntPort());
   ASSERT_TRUE(spdy_session_pool_->http_server_properties()
                   ->GetAlternativeServiceInfos(session_origin,
-                                               key_.network_isolation_key())
+                                               key_.network_anonymization_key())
                   .empty());
 
   ASSERT_TRUE(
       spdy_session_pool_->http_server_properties()
           ->GetAlternativeServiceInfos(url::SchemeHostPort(GURL(origin)),
-                                       key_.network_isolation_key())
+                                       key_.network_anonymization_key())
           .empty());
 }
 
@@ -6793,15 +6797,16 @@ TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameForOriginNotCoveredByCert) {
 
   const url::SchemeHostPort session_origin("https", test_url_.host(),
                                            test_url_.EffectiveIntPort());
+  ASSERT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(session_origin,
+                                               NetworkAnonymizationKey())
+                  .empty());
+
   ASSERT_TRUE(
       spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(session_origin, NetworkIsolationKey())
+          ->GetAlternativeServiceInfos(url::SchemeHostPort(GURL(origin)),
+                                       NetworkAnonymizationKey())
           .empty());
-
-  ASSERT_TRUE(spdy_session_pool_->http_server_properties()
-                  ->GetAlternativeServiceInfos(
-                      url::SchemeHostPort(GURL(origin)), NetworkIsolationKey())
-                  .empty());
 }
 
 // An ALTSVC frame on stream 0 with empty origin MUST be ignored.
@@ -6819,10 +6824,10 @@ TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameWithEmptyOriginOnStreamZero) {
 
   const url::SchemeHostPort session_origin("https", test_url_.host(),
                                            test_url_.EffectiveIntPort());
-  ASSERT_TRUE(
-      spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(session_origin, NetworkIsolationKey())
-          .empty());
+  ASSERT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(session_origin,
+                                               NetworkAnonymizationKey())
+                  .empty());
 }
 
 // An ALTSVC frame on a stream other than stream 0 with non-empty origin MUST be
@@ -6842,10 +6847,10 @@ TEST_F(AltSvcFrameTest,
 
   const url::SchemeHostPort session_origin("https", test_url_.host(),
                                            test_url_.EffectiveIntPort());
-  ASSERT_TRUE(
-      spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(session_origin, NetworkIsolationKey())
-          .empty());
+  ASSERT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(session_origin,
+                                               NetworkAnonymizationKey())
+                  .empty());
 }
 
 TEST_F(AltSvcFrameTest, ProcessAltSvcFrameOnActiveStream) {
@@ -6889,14 +6894,14 @@ TEST_F(AltSvcFrameTest, ProcessAltSvcFrameOnActiveStream) {
 
   const url::SchemeHostPort session_origin("https", test_url_.host(),
                                            test_url_.EffectiveIntPort());
-  ASSERT_TRUE(
-      spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(session_origin, NetworkIsolationKey())
-          .empty());
+  ASSERT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(session_origin,
+                                               NetworkAnonymizationKey())
+                  .empty());
 
   AlternativeServiceInfoVector altsvc_info_vector =
       spdy_session_pool_->http_server_properties()->GetAlternativeServiceInfos(
-          url::SchemeHostPort(GURL(request_origin)), NetworkIsolationKey());
+          url::SchemeHostPort(GURL(request_origin)), NetworkAnonymizationKey());
   ASSERT_EQ(1u, altsvc_info_vector.size());
   EXPECT_EQ(kProtoQUIC, altsvc_info_vector[0].alternative_service().protocol);
   EXPECT_EQ("alternative.example.org",
@@ -6905,13 +6910,13 @@ TEST_F(AltSvcFrameTest, ProcessAltSvcFrameOnActiveStream) {
 }
 
 TEST_F(AltSvcFrameTest,
-       ProcessAltSvcFrameOnActiveStreamWithNetworkIsolationKey) {
+       ProcessAltSvcFrameOnActiveStreamWithNetworkAnonymizationKey) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
       {features::kPartitionHttpServerPropertiesByNetworkIsolationKey,
-       // Need to partition connections by NetworkIsolationKey for
-       // SpdySessionKeys to include NetworkIsolationKeys.
+       // Need to partition connections by NetworkAnonymizationKey for
+       // SpdySessionKeys to include NetworkAnonymizationKeys.
        features::kPartitionConnectionsByNetworkIsolationKey},
       // disabled_features
       {});
@@ -6921,13 +6926,13 @@ TEST_F(AltSvcFrameTest,
       std::make_unique<HttpServerProperties>();
 
   const SchemefulSite kSite1(GURL("https://foo.test/"));
-  const net::NetworkIsolationKey kNetworkIsolationKey1(kSite1, kSite1);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey1(kSite1, kSite1);
   const SchemefulSite kSite2(GURL("https://bar.test/"));
-  const net::NetworkIsolationKey kNetworkIsolationKey2(kSite2, kSite2);
+  const net::NetworkAnonymizationKey kNetworkAnonymizationKey2(kSite2, kSite2);
   key_ = SpdySessionKey(HostPortPair::FromURL(test_url_), ProxyServer::Direct(),
                         PRIVACY_MODE_DISABLED,
                         SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                        kNetworkIsolationKey1, SecureDnsPolicy::kAllow);
+                        kNetworkAnonymizationKey1, SecureDnsPolicy::kAllow);
 
   spdy::SpdyAltSvcIR altsvc_ir(/* stream_id = */ 1);
   altsvc_ir.add_altsvc(alternative_service_);
@@ -6969,14 +6974,14 @@ TEST_F(AltSvcFrameTest,
 
   const url::SchemeHostPort session_origin("https", test_url_.host(),
                                            test_url_.EffectiveIntPort());
-  ASSERT_TRUE(
-      spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(session_origin, NetworkIsolationKey())
-          .empty());
+  ASSERT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(session_origin,
+                                               NetworkAnonymizationKey())
+                  .empty());
 
   AlternativeServiceInfoVector altsvc_info_vector =
       spdy_session_pool_->http_server_properties()->GetAlternativeServiceInfos(
-          url::SchemeHostPort(GURL(request_origin)), kNetworkIsolationKey1);
+          url::SchemeHostPort(GURL(request_origin)), kNetworkAnonymizationKey1);
   ASSERT_EQ(1u, altsvc_info_vector.size());
   EXPECT_EQ(kProtoQUIC, altsvc_info_vector[0].alternative_service().protocol);
   EXPECT_EQ("alternative.example.org",
@@ -6984,17 +6989,17 @@ TEST_F(AltSvcFrameTest,
   EXPECT_EQ(443u, altsvc_info_vector[0].alternative_service().port);
 
   // Make sure the alternative service information is only associated with
-  // kNetworkIsolationKey1.
-  EXPECT_TRUE(
-      spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(
-              url::SchemeHostPort(GURL(request_origin)), kNetworkIsolationKey2)
-          .empty());
-  EXPECT_TRUE(
-      spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(
-              url::SchemeHostPort(GURL(request_origin)), NetworkIsolationKey())
-          .empty());
+  // kNetworkAnonymizationKey1.
+  EXPECT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(
+                      url::SchemeHostPort(GURL(request_origin)),
+                      kNetworkAnonymizationKey2)
+                  .empty());
+  EXPECT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(
+                      url::SchemeHostPort(GURL(request_origin)),
+                      NetworkAnonymizationKey())
+                  .empty());
 }
 
 TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameOnStreamWithInsecureOrigin) {
@@ -7038,16 +7043,16 @@ TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameOnStreamWithInsecureOrigin) {
 
   const url::SchemeHostPort session_origin("https", test_url_.host(),
                                            test_url_.EffectiveIntPort());
-  ASSERT_TRUE(
-      spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(session_origin, NetworkIsolationKey())
-          .empty());
+  ASSERT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(session_origin,
+                                               NetworkAnonymizationKey())
+                  .empty());
 
-  ASSERT_TRUE(
-      spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(
-              url::SchemeHostPort(GURL(request_origin)), NetworkIsolationKey())
-          .empty());
+  ASSERT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(
+                      url::SchemeHostPort(GURL(request_origin)),
+                      NetworkAnonymizationKey())
+                  .empty());
 }
 
 TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameOnNonExistentStream) {
@@ -7063,10 +7068,10 @@ TEST_F(AltSvcFrameTest, DoNotProcessAltSvcFrameOnNonExistentStream) {
 
   const url::SchemeHostPort session_origin("https", test_url_.host(),
                                            test_url_.EffectiveIntPort());
-  ASSERT_TRUE(
-      spdy_session_pool_->http_server_properties()
-          ->GetAlternativeServiceInfos(session_origin, NetworkIsolationKey())
-          .empty());
+  ASSERT_TRUE(spdy_session_pool_->http_server_properties()
+                  ->GetAlternativeServiceInfos(session_origin,
+                                               NetworkAnonymizationKey())
+                  .empty());
 }
 
 // Regression test for https://crbug.com/810404.
@@ -7093,7 +7098,7 @@ TEST_F(AltSvcFrameTest, InvalidOrigin) {
                                            test_url_.EffectiveIntPort());
   AlternativeServiceInfoVector altsvc_info_vector =
       spdy_session_pool_->http_server_properties()->GetAlternativeServiceInfos(
-          session_origin, NetworkIsolationKey());
+          session_origin, NetworkAnonymizationKey());
   EXPECT_TRUE(altsvc_info_vector.empty());
 }
 
@@ -7205,23 +7210,23 @@ TEST(CanPoolTest, CanPool) {
 
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "www.example.org",
-                                   NetworkIsolationKey()));
+                                   NetworkAnonymizationKey()));
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "mail.example.org",
-                                   NetworkIsolationKey()));
+                                   NetworkAnonymizationKey()));
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "mail.example.com",
-                                   NetworkIsolationKey()));
+                                   NetworkAnonymizationKey()));
   EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                     "www.example.org", "mail.google.com",
-                                    NetworkIsolationKey()));
+                                    NetworkAnonymizationKey()));
 }
 
 TEST(CanPoolTest, CanPoolExpectCT) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       /* enabled_features */
-      {TransportSecurityState::kDynamicExpectCTFeature,
+      {kDynamicExpectCTFeature,
        features::kPartitionExpectCTStateByNetworkIsolationKey},
       /* disabled_features */
       {});
@@ -7240,11 +7245,11 @@ TEST(CanPoolTest, CanPoolExpectCT) {
       ct::CTPolicyCompliance::CT_POLICY_NOT_ENOUGH_SCTS;
   ssl_info.is_issued_by_known_root = true;
 
-  net::NetworkIsolationKey network_isolation_key =
-      NetworkIsolationKey::CreateTransient();
+  net::NetworkAnonymizationKey network_anonymization_key =
+      NetworkAnonymizationKey::CreateTransient();
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "www.example.org",
-                                   network_isolation_key));
+                                   network_anonymization_key));
 
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::Seconds(1000);
@@ -7253,30 +7258,30 @@ TEST(CanPoolTest, CanPoolExpectCT) {
 
   // A different Expect-CT enabled host should not be allowed to pool.
   tss.AddExpectCT("mail.example.org", expiry, true, GURL(),
-                  network_isolation_key);
+                  network_anonymization_key);
   EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                     "www.example.org", "mail.example.org",
-                                    network_isolation_key));
+                                    network_anonymization_key));
   // A report-only Expect-CT configuration should not prevent pooling.
   tss.AddExpectCT("mail.example.org", expiry, false,
-                  GURL("https://report.test"), network_isolation_key);
+                  GURL("https://report.test"), network_anonymization_key);
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "mail.example.org",
-                                   network_isolation_key));
+                                   network_anonymization_key));
   // If Expect-CT becomes enabled for the same host for which the connection was
   // already made, subsequent connections to that host should not be allowed to
   // pool.
   tss.AddExpectCT("www.example.org", expiry, true, GURL(),
-                  network_isolation_key);
+                  network_anonymization_key);
   EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                     "www.example.org", "www.example.org",
-                                    network_isolation_key));
+                                    network_anonymization_key));
 
-  // With a different NetworkIsolationKey, CanPool() should still return true,
-  // as CT information is scoped to a single NetworkIsolationKey.
+  // With a different NetworkAnonymizationKey, CanPool() should still return
+  // true, as CT information is scoped to a single NetworkAnonymizationKey.
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "www.example.org",
-                                   NetworkIsolationKey::CreateTransient()));
+                                   NetworkAnonymizationKey::CreateTransient()));
 }
 
 TEST(CanPoolTest, CanNotPoolWithCertErrors) {
@@ -7294,7 +7299,7 @@ TEST(CanPoolTest, CanNotPoolWithCertErrors) {
 
   EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                     "www.example.org", "mail.example.org",
-                                    NetworkIsolationKey()));
+                                    NetworkAnonymizationKey()));
 }
 
 TEST(CanPoolTest, CanNotPoolWithClientCerts) {
@@ -7312,7 +7317,7 @@ TEST(CanPoolTest, CanNotPoolWithClientCerts) {
 
   EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                     "www.example.org", "mail.example.org",
-                                    NetworkIsolationKey()));
+                                    NetworkAnonymizationKey()));
 }
 
 TEST(CanPoolTest, CanNotPoolWithBadPins) {
@@ -7334,7 +7339,7 @@ TEST(CanPoolTest, CanNotPoolWithBadPins) {
 
   EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                     "www.example.org", "example.test",
-                                    NetworkIsolationKey()));
+                                    NetworkAnonymizationKey()));
 }
 
 TEST(CanPoolTest, CanNotPoolWithBadCTWhenCTRequired) {
@@ -7363,7 +7368,7 @@ TEST(CanPoolTest, CanNotPoolWithBadCTWhenCTRequired) {
 
   EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                     "www.example.org", "mail.example.org",
-                                    NetworkIsolationKey()));
+                                    NetworkAnonymizationKey()));
 }
 
 TEST(CanPoolTest, CanPoolWithBadCTWhenCTNotRequired) {
@@ -7392,7 +7397,7 @@ TEST(CanPoolTest, CanPoolWithBadCTWhenCTNotRequired) {
 
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "mail.example.org",
-                                   NetworkIsolationKey()));
+                                   NetworkAnonymizationKey()));
 }
 
 TEST(CanPoolTest, CanPoolWithGoodCTWhenCTRequired) {
@@ -7421,7 +7426,7 @@ TEST(CanPoolTest, CanPoolWithGoodCTWhenCTRequired) {
 
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "mail.example.org",
-                                   NetworkIsolationKey()));
+                                   NetworkAnonymizationKey()));
 }
 
 TEST(CanPoolTest, CanPoolWithAcceptablePins) {
@@ -7443,7 +7448,7 @@ TEST(CanPoolTest, CanPoolWithAcceptablePins) {
 
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "mail.example.org",
-                                   NetworkIsolationKey()));
+                                   NetworkAnonymizationKey()));
 }
 
 TEST(CanPoolTest, CanPoolWithClientCertsAndPolicy) {
@@ -7464,13 +7469,13 @@ TEST(CanPoolTest, CanPoolWithClientCertsAndPolicy) {
   // just one hostname.
   EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                    "www.example.org", "mail.example.org",
-                                   NetworkIsolationKey()));
+                                   NetworkAnonymizationKey()));
   EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                     "www.example.org", "mail.example.com",
-                                    NetworkIsolationKey()));
+                                    NetworkAnonymizationKey()));
   EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, ssl_config_service,
                                     "mail.example.com", "www.example.org",
-                                    NetworkIsolationKey()));
+                                    NetworkAnonymizationKey()));
 }
 
 TEST(RecordPushedStreamHistogramTest, VaryResponseHeader) {
diff --git a/chromium/net/spdy/spdy_stream.cc b/chromium/net/spdy/spdy_stream.cc
index c437d83d3e3..59c5ce35413 100644
--- a/chromium/net/spdy/spdy_stream.cc
+++ b/chromium/net/spdy/spdy_stream.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_stream.h b/chromium/net/spdy/spdy_stream.h
index 7b453723e23..d34a7608f55 100644
--- a/chromium/net/spdy/spdy_stream.h
+++ b/chromium/net/spdy/spdy_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_stream_test_util.cc b/chromium/net/spdy/spdy_stream_test_util.cc
index 2f63970fbb2..4ca98a68694 100644
--- a/chromium/net/spdy/spdy_stream_test_util.cc
+++ b/chromium/net/spdy/spdy_stream_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_stream_test_util.h b/chromium/net/spdy/spdy_stream_test_util.h
index 70b2c5c9f58..fb9cda8380b 100644
--- a/chromium/net/spdy/spdy_stream_test_util.h
+++ b/chromium/net/spdy/spdy_stream_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_stream_unittest.cc b/chromium/net/spdy/spdy_stream_unittest.cc
index ebbeae913ff..33c773cfb1a 100644
--- a/chromium/net/spdy/spdy_stream_unittest.cc
+++ b/chromium/net/spdy/spdy_stream_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -93,7 +93,7 @@ class SpdyStreamTest : public ::testing::Test, public WithTaskEnvironment {
     SpdySessionKey key(HostPortPair::FromURL(url_), ProxyServer::Direct(),
                        PRIVACY_MODE_DISABLED,
                        SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                       NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                       NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
     return CreateSpdySession(session_.get(), key, NetLogWithSource());
   }
 
@@ -431,7 +431,7 @@ TEST_F(SpdyStreamPushTest, PushedStream) {
   const SpdySessionKey key(HostPortPair::FromURL(url_), ProxyServer::Direct(),
                            PRIVACY_MODE_DISABLED,
                            SpdySessionKey::IsProxySession::kFalse, SocketTag(),
-                           NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+                           NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   const GURL pushed_url(kPushUrl);
   HttpRequestInfo push_request;
   push_request.url = pushed_url;
diff --git a/chromium/net/spdy/spdy_test_util_common.cc b/chromium/net/spdy/spdy_test_util_common.cc
index 365ae00e4ef..c0b359a0aa0 100644
--- a/chromium/net/spdy/spdy_test_util_common.cc
+++ b/chromium/net/spdy/spdy_test_util_common.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -370,8 +370,8 @@ HttpNetworkSessionParams SpdySessionDependencies::CreateSessionParams(
   params.disable_idle_sockets_close_on_memory_pressure =
       session_deps->disable_idle_sockets_close_on_memory_pressure;
   params.enable_early_data = session_deps->enable_early_data;
-  params.key_auth_cache_server_entries_by_network_isolation_key =
-      session_deps->key_auth_cache_server_entries_by_network_isolation_key;
+  params.key_auth_cache_server_entries_by_network_anonymization_key =
+      session_deps->key_auth_cache_server_entries_by_network_anonymization_key;
   params.enable_priority_update = session_deps->enable_priority_update;
   params.spdy_go_away_on_ip_change = session_deps->go_away_on_ip_change;
   params.ignore_ip_address_changes = session_deps->ignore_ip_address_changes;
@@ -454,7 +454,8 @@ base::WeakPtr<SpdySession> CreateSpdySessionHelper(
           url::SchemeHostPort(url::kHttpsScheme,
                               key.host_port_pair().HostForURL(),
                               key.host_port_pair().port()),
-          key.privacy_mode(), NetworkIsolationKey(), SecureDnsPolicy::kAllow),
+          key.privacy_mode(), NetworkAnonymizationKey(),
+          SecureDnsPolicy::kAllow),
       socket_params, /*proxy_annotation_tag=*/absl::nullopt, MEDIUM,
       key.socket_tag(), ClientSocketPool::RespectLimits::ENABLED,
       callback.callback(), ClientSocketPool::ProxyAuthCallback(),
diff --git a/chromium/net/spdy/spdy_test_util_common.h b/chromium/net/spdy/spdy_test_util_common.h
index 8b3af77357d..fe64b693344 100644
--- a/chromium/net/spdy/spdy_test_util_common.h
+++ b/chromium/net/spdy/spdy_test_util_common.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -211,7 +211,7 @@ struct SpdySessionDependencies {
   raw_ptr<NetLog> net_log = nullptr;
   bool disable_idle_sockets_close_on_memory_pressure = false;
   bool enable_early_data = false;
-  bool key_auth_cache_server_entries_by_network_isolation_key = false;
+  bool key_auth_cache_server_entries_by_network_anonymization_key = false;
   bool enable_priority_update = false;
 #if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_WIN) || BUILDFLAG(IS_IOS)
   bool go_away_on_ip_change = true;
diff --git a/chromium/net/spdy/spdy_write_queue.cc b/chromium/net/spdy/spdy_write_queue.cc
index 30ec66aefac..b8e54f464f5 100644
--- a/chromium/net/spdy/spdy_write_queue.cc
+++ b/chromium/net/spdy/spdy_write_queue.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_write_queue.h b/chromium/net/spdy/spdy_write_queue.h
index b353f175ef7..28e5411f872 100644
--- a/chromium/net/spdy/spdy_write_queue.h
+++ b/chromium/net/spdy/spdy_write_queue.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/spdy/spdy_write_queue_unittest.cc b/chromium/net/spdy/spdy_write_queue_unittest.cc
index 4bbd5a3fef1..a2626c10218 100644
--- a/chromium/net/spdy/spdy_write_queue_unittest.cc
+++ b/chromium/net/spdy/spdy_write_queue_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/cert_compression.cc b/chromium/net/ssl/cert_compression.cc
index 8d38d77e0dd..2016c88da68 100644
--- a/chromium/net/ssl/cert_compression.cc
+++ b/chromium/net/ssl/cert_compression.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/cert_compression.h b/chromium/net/ssl/cert_compression.h
index 32d1a1a3071..c1e95895bea 100644
--- a/chromium/net/ssl/cert_compression.h
+++ b/chromium/net/ssl/cert_compression.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_identity.cc b/chromium/net/ssl/client_cert_identity.cc
index fcb9f13afdb..e431f847cde 100644
--- a/chromium/net/ssl/client_cert_identity.cc
+++ b/chromium/net/ssl/client_cert_identity.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_identity.h b/chromium/net/ssl/client_cert_identity.h
index e400b2c5e02..b584809018c 100644
--- a/chromium/net/ssl/client_cert_identity.h
+++ b/chromium/net/ssl/client_cert_identity.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_identity_mac.cc b/chromium/net/ssl/client_cert_identity_mac.cc
index 143297ca4de..6cdbec17781 100644
--- a/chromium/net/ssl/client_cert_identity_mac.cc
+++ b/chromium/net/ssl/client_cert_identity_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_identity_mac.h b/chromium/net/ssl/client_cert_identity_mac.h
index 8d4cdf48882..ccc9c933e30 100644
--- a/chromium/net/ssl/client_cert_identity_mac.h
+++ b/chromium/net/ssl/client_cert_identity_mac.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_identity_test_util.cc b/chromium/net/ssl/client_cert_identity_test_util.cc
index 43491222db3..3edb8878ae4 100644
--- a/chromium/net/ssl/client_cert_identity_test_util.cc
+++ b/chromium/net/ssl/client_cert_identity_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_identity_test_util.h b/chromium/net/ssl/client_cert_identity_test_util.h
index 2f402a410b0..7ea198eb65e 100644
--- a/chromium/net/ssl/client_cert_identity_test_util.h
+++ b/chromium/net/ssl/client_cert_identity_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_identity_unittest.cc b/chromium/net/ssl/client_cert_identity_unittest.cc
index 8c2fe0d23f1..fa836b56c24 100644
--- a/chromium/net/ssl/client_cert_identity_unittest.cc
+++ b/chromium/net/ssl/client_cert_identity_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store.h b/chromium/net/ssl/client_cert_store.h
index 1e49f2ff708..3c9d10f61c3 100644
--- a/chromium/net/ssl/client_cert_store.h
+++ b/chromium/net/ssl/client_cert_store.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store_mac.cc b/chromium/net/ssl/client_cert_store_mac.cc
index ec6134c55f1..9fd0aa76768 100644
--- a/chromium/net/ssl/client_cert_store_mac.cc
+++ b/chromium/net/ssl/client_cert_store_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,6 @@
 #include <Security/SecBase.h>
 #include <Security/Security.h>
 
-#include <algorithm>
 #include <functional>
 #include <memory>
 #include <string>
@@ -23,6 +22,7 @@
 #include "base/logging.h"
 #include "base/mac/mac_logging.h"
 #include "base/mac/scoped_cftyperef.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/synchronization/lock.h"
 #include "base/task/task_runner_util.h"
@@ -228,16 +228,16 @@ void GetClientCertsImpl(
     }
 
     // Skip duplicates (a cert may be in multiple keychains).
-    auto cert_iter = std::find_if(
-        selected_identities->begin(), selected_identities->end(),
-        [&cert](
-            const std::unique_ptr<ClientCertIdentity>& other_cert_identity) {
-          return x509_util::CryptoBufferEqual(
-              cert->certificate()->cert_buffer(),
-              other_cert_identity->certificate()->cert_buffer());
-        });
-    if (cert_iter != selected_identities->end())
+    if (base::ranges::any_of(
+            *selected_identities,
+            [&cert](const std::unique_ptr<ClientCertIdentity>&
+                        other_cert_identity) {
+              return x509_util::CryptoBufferEqual(
+                  cert->certificate()->cert_buffer(),
+                  other_cert_identity->certificate()->cert_buffer());
+            })) {
       continue;
+    }
 
     // Check if the certificate issuer is allowed by the server.
     if (request.cert_authorities.empty() ||
diff --git a/chromium/net/ssl/client_cert_store_mac.h b/chromium/net/ssl/client_cert_store_mac.h
index 2bacae1af2e..073b685653d 100644
--- a/chromium/net/ssl/client_cert_store_mac.h
+++ b/chromium/net/ssl/client_cert_store_mac.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store_mac_unittest.cc b/chromium/net/ssl/client_cert_store_mac_unittest.cc
index bd3d860e12c..8cf3e31a299 100644
--- a/chromium/net/ssl/client_cert_store_mac_unittest.cc
+++ b/chromium/net/ssl/client_cert_store_mac_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store_nss.cc b/chromium/net/ssl/client_cert_store_nss.cc
index 40d86c5afcb..314c74001e2 100644
--- a/chromium/net/ssl/client_cert_store_nss.cc
+++ b/chromium/net/ssl/client_cert_store_nss.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store_nss.h b/chromium/net/ssl/client_cert_store_nss.h
index edafebfae5c..5ab6e12bad0 100644
--- a/chromium/net/ssl/client_cert_store_nss.h
+++ b/chromium/net/ssl/client_cert_store_nss.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store_nss_unittest.cc b/chromium/net/ssl/client_cert_store_nss_unittest.cc
index 54d13f0684f..b70b4d1097c 100644
--- a/chromium/net/ssl/client_cert_store_nss_unittest.cc
+++ b/chromium/net/ssl/client_cert_store_nss_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store_unittest-inl.h b/chromium/net/ssl/client_cert_store_unittest-inl.h
index 83ce480c790..b9e6f5cc187 100644
--- a/chromium/net/ssl/client_cert_store_unittest-inl.h
+++ b/chromium/net/ssl/client_cert_store_unittest-inl.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store_win.cc b/chromium/net/ssl/client_cert_store_win.cc
index 11d3cfb5297..a3e6a2963e3 100644
--- a/chromium/net/ssl/client_cert_store_win.cc
+++ b/chromium/net/ssl/client_cert_store_win.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store_win.h b/chromium/net/ssl/client_cert_store_win.h
index 2cf6e2d3ae7..a31b1aef20d 100644
--- a/chromium/net/ssl/client_cert_store_win.h
+++ b/chromium/net/ssl/client_cert_store_win.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/client_cert_store_win_unittest.cc b/chromium/net/ssl/client_cert_store_win_unittest.cc
index aa3618f5725..92bce267ca3 100644
--- a/chromium/net/ssl/client_cert_store_win_unittest.cc
+++ b/chromium/net/ssl/client_cert_store_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/openssl_ssl_util.cc b/chromium/net/ssl/openssl_ssl_util.cc
index 2e8e2cdb962..ab2316dab84 100644
--- a/chromium/net/ssl/openssl_ssl_util.cc
+++ b/chromium/net/ssl/openssl_ssl_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/openssl_ssl_util.h b/chromium/net/ssl/openssl_ssl_util.h
index 5cce27468ca..8c038043902 100644
--- a/chromium/net/ssl/openssl_ssl_util.h
+++ b/chromium/net/ssl/openssl_ssl_util.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_cert_request_info.cc b/chromium/net/ssl/ssl_cert_request_info.cc
index 39f6d8f97aa..c2fb10ce38a 100644
--- a/chromium/net/ssl/ssl_cert_request_info.cc
+++ b/chromium/net/ssl/ssl_cert_request_info.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_cert_request_info.h b/chromium/net/ssl/ssl_cert_request_info.h
index 9eaffe6dd02..b2f277fe5e9 100644
--- a/chromium/net/ssl/ssl_cert_request_info.h
+++ b/chromium/net/ssl/ssl_cert_request_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_cipher_suite_names.cc b/chromium/net/ssl/ssl_cipher_suite_names.cc
index 8a539db77d6..fb50193ea51 100644
--- a/chromium/net/ssl/ssl_cipher_suite_names.cc
+++ b/chromium/net/ssl/ssl_cipher_suite_names.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_cipher_suite_names.h b/chromium/net/ssl/ssl_cipher_suite_names.h
index 222974b87c5..a8d6f4d2d2c 100644
--- a/chromium/net/ssl/ssl_cipher_suite_names.h
+++ b/chromium/net/ssl/ssl_cipher_suite_names.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_cipher_suite_names_unittest.cc b/chromium/net/ssl/ssl_cipher_suite_names_unittest.cc
index 5e190846f6c..236ba48b7f5 100644
--- a/chromium/net/ssl/ssl_cipher_suite_names_unittest.cc
+++ b/chromium/net/ssl/ssl_cipher_suite_names_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_client_auth_cache.cc b/chromium/net/ssl/ssl_client_auth_cache.cc
index 60ade55d9a0..2a6377c0cc6 100644
--- a/chromium/net/ssl/ssl_client_auth_cache.cc
+++ b/chromium/net/ssl/ssl_client_auth_cache.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_client_auth_cache.h b/chromium/net/ssl/ssl_client_auth_cache.h
index facbc5f997f..03c2dcbecfd 100644
--- a/chromium/net/ssl/ssl_client_auth_cache.h
+++ b/chromium/net/ssl/ssl_client_auth_cache.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_client_auth_cache_unittest.cc b/chromium/net/ssl/ssl_client_auth_cache_unittest.cc
index d8ede3b58fd..bbdc9ae7f65 100644
--- a/chromium/net/ssl/ssl_client_auth_cache_unittest.cc
+++ b/chromium/net/ssl/ssl_client_auth_cache_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright 2009 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_client_cert_type.h b/chromium/net/ssl/ssl_client_cert_type.h
index d15d06d5c28..540c6d75e00 100644
--- a/chromium/net/ssl/ssl_client_cert_type.h
+++ b/chromium/net/ssl/ssl_client_cert_type.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_client_session_cache.cc b/chromium/net/ssl/ssl_client_session_cache.cc
index dab00af27e3..9ece418443a 100644
--- a/chromium/net/ssl/ssl_client_session_cache.cc
+++ b/chromium/net/ssl/ssl_client_session_cache.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@ namespace {
 
 // Returns a tuple of references to fields of |key|, for comparison purposes.
 auto TieKeyFields(const SSLClientSessionCache::Key& key) {
-  return std::tie(key.server, key.dest_ip_addr, key.network_isolation_key,
+  return std::tie(key.server, key.dest_ip_addr, key.network_anonymization_key,
                   key.privacy_mode, key.disable_legacy_crypto);
 }
 
diff --git a/chromium/net/ssl/ssl_client_session_cache.h b/chromium/net/ssl/ssl_client_session_cache.h
index 271427e67b3..ed3fe22b6bb 100644
--- a/chromium/net/ssl/ssl_client_session_cache.h
+++ b/chromium/net/ssl/ssl_client_session_cache.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,7 +18,7 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/ip_address.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 #include "third_party/boringssl/src/include/openssl/base.h"
@@ -51,7 +51,7 @@ class NET_EXPORT SSLClientSessionCache {
 
     HostPortPair server;
     absl::optional<IPAddress> dest_ip_addr;
-    NetworkIsolationKey network_isolation_key;
+    NetworkAnonymizationKey network_anonymization_key;
     PrivacyMode privacy_mode = PRIVACY_MODE_DISABLED;
     bool disable_legacy_crypto = false;
   };
diff --git a/chromium/net/ssl/ssl_client_session_cache_unittest.cc b/chromium/net/ssl/ssl_client_session_cache_unittest.cc
index af745c6b1df..963f7fa368c 100644
--- a/chromium/net/ssl/ssl_client_session_cache_unittest.cc
+++ b/chromium/net/ssl/ssl_client_session_cache_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -12,7 +12,7 @@
 #include "base/trace_event/memory_allocator_dump.h"
 #include "base/trace_event/process_memory_dump.h"
 #include "base/trace_event/traced_value.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/schemeful_site.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -428,7 +428,8 @@ TEST_F(SSLClientSessionCacheTest, FlushForServer) {
   SSLClientSessionCache::Key key2;
   key2.server = HostPortPair("a.test", 443);
   key2.dest_ip_addr = IPAddress::IPv4Localhost();
-  key2.network_isolation_key = NetworkIsolationKey(kSiteB, kSiteB);
+  key2.network_anonymization_key =
+      NetworkAnonymizationKey(kSiteB, kSiteB, /*is_cross_site=*/false);
   key2.privacy_mode = PRIVACY_MODE_ENABLED;
   auto session2 = NewSSLSession();
   cache.Insert(key2, bssl::UpRef(session2));
@@ -445,7 +446,8 @@ TEST_F(SSLClientSessionCacheTest, FlushForServer) {
 
   SSLClientSessionCache::Key key5;
   key5.server = HostPortPair("b.test", 443);
-  key5.network_isolation_key = NetworkIsolationKey(kSiteA, kSiteA);
+  key5.network_anonymization_key =
+      NetworkAnonymizationKey(kSiteA, kSiteA, /*is_cross_site=*/false);
   auto session5 = NewSSLSession();
   cache.Insert(key5, bssl::UpRef(session5));
 
diff --git a/chromium/net/ssl/ssl_config.cc b/chromium/net/ssl/ssl_config.cc
index 603de2c26d4..5c8a3ef6660 100644
--- a/chromium/net/ssl/ssl_config.cc
+++ b/chromium/net/ssl/ssl_config.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_config.h b/chromium/net/ssl/ssl_config.h
index bf04cd75902..111614cd53f 100644
--- a/chromium/net/ssl/ssl_config.h
+++ b/chromium/net/ssl/ssl_config.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -10,7 +10,7 @@
 #include "base/containers/flat_map.h"
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/privacy_mode.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/x509_certificate.h"
@@ -133,7 +133,7 @@ struct NET_EXPORT SSLConfig {
 
   // If the PartitionSSLSessionsByNetworkIsolationKey feature is enabled, the
   // session cache is partitioned by this value.
-  NetworkIsolationKey network_isolation_key;
+  NetworkAnonymizationKey network_anonymization_key;
 
   // If non-empty, a serialized ECHConfigList to use to encrypt the ClientHello.
   // If this field is non-empty, callers should handle |ERR_ECH_NOT_NEGOTIATED|
diff --git a/chromium/net/ssl/ssl_config_service.cc b/chromium/net/ssl/ssl_config_service.cc
index 7fbe9d64746..c9ea7122f28 100644
--- a/chromium/net/ssl/ssl_config_service.cc
+++ b/chromium/net/ssl/ssl_config_service.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_config_service.h b/chromium/net/ssl/ssl_config_service.h
index 723d8ec50c7..0ffa9522782 100644
--- a/chromium/net/ssl/ssl_config_service.h
+++ b/chromium/net/ssl/ssl_config_service.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_config_service_defaults.cc b/chromium/net/ssl/ssl_config_service_defaults.cc
index 9348bb16489..c48064549ce 100644
--- a/chromium/net/ssl/ssl_config_service_defaults.cc
+++ b/chromium/net/ssl/ssl_config_service_defaults.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_config_service_defaults.h b/chromium/net/ssl/ssl_config_service_defaults.h
index c77a29140df..4bf47d05b52 100644
--- a/chromium/net/ssl/ssl_config_service_defaults.h
+++ b/chromium/net/ssl/ssl_config_service_defaults.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_config_service_unittest.cc b/chromium/net/ssl/ssl_config_service_unittest.cc
index 15d06cc5678..7eab75384f1 100644
--- a/chromium/net/ssl/ssl_config_service_unittest.cc
+++ b/chromium/net/ssl/ssl_config_service_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_config_unittest.cc b/chromium/net/ssl/ssl_config_unittest.cc
index 9dde2242898..f60be7c03d9 100644
--- a/chromium/net/ssl/ssl_config_unittest.cc
+++ b/chromium/net/ssl/ssl_config_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_connection_status_flags.h b/chromium/net/ssl/ssl_connection_status_flags.h
index b4dd8299dae..d3c43e646dc 100644
--- a/chromium/net/ssl/ssl_connection_status_flags.h
+++ b/chromium/net/ssl/ssl_connection_status_flags.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_connection_status_flags_unittest.cc b/chromium/net/ssl/ssl_connection_status_flags_unittest.cc
index 9827605557e..a9e3808abc0 100644
--- a/chromium/net/ssl/ssl_connection_status_flags_unittest.cc
+++ b/chromium/net/ssl/ssl_connection_status_flags_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_handshake_details.h b/chromium/net/ssl/ssl_handshake_details.h
index f34f429f71e..d0b73984051 100644
--- a/chromium/net/ssl/ssl_handshake_details.h
+++ b/chromium/net/ssl/ssl_handshake_details.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_info.cc b/chromium/net/ssl/ssl_info.cc
index 744b285f934..3b885a94ab7 100644
--- a/chromium/net/ssl/ssl_info.cc
+++ b/chromium/net/ssl/ssl_info.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_info.h b/chromium/net/ssl/ssl_info.h
index a5d8540a6b4..78c94559224 100644
--- a/chromium/net/ssl/ssl_info.h
+++ b/chromium/net/ssl/ssl_info.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_key_logger.cc b/chromium/net/ssl/ssl_key_logger.cc
index 2173a8223dd..5d37601b9f6 100644
--- a/chromium/net/ssl/ssl_key_logger.cc
+++ b/chromium/net/ssl/ssl_key_logger.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_key_logger.h b/chromium/net/ssl/ssl_key_logger.h
index a1c808b8e0e..a7534ed6c26 100644
--- a/chromium/net/ssl/ssl_key_logger.h
+++ b/chromium/net/ssl/ssl_key_logger.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_key_logger_impl.cc b/chromium/net/ssl/ssl_key_logger_impl.cc
index 9d6dfaef625..9f0f1a3fb2f 100644
--- a/chromium/net/ssl/ssl_key_logger_impl.cc
+++ b/chromium/net/ssl/ssl_key_logger_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_key_logger_impl.h b/chromium/net/ssl/ssl_key_logger_impl.h
index bf5bd8f9e7c..fb1821ba8b8 100644
--- a/chromium/net/ssl/ssl_key_logger_impl.h
+++ b/chromium/net/ssl/ssl_key_logger_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_legacy_crypto_fallback.h b/chromium/net/ssl/ssl_legacy_crypto_fallback.h
index 485238b90ae..61e54183d17 100644
--- a/chromium/net/ssl/ssl_legacy_crypto_fallback.h
+++ b/chromium/net/ssl/ssl_legacy_crypto_fallback.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_android.cc b/chromium/net/ssl/ssl_platform_key_android.cc
index aaa9c95e3f9..dcd846807c0 100644
--- a/chromium/net/ssl/ssl_platform_key_android.cc
+++ b/chromium/net/ssl/ssl_platform_key_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_android.h b/chromium/net/ssl/ssl_platform_key_android.h
index c025955a95e..0fe56fd2af3 100644
--- a/chromium/net/ssl/ssl_platform_key_android.h
+++ b/chromium/net/ssl/ssl_platform_key_android.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_android_unittest.cc b/chromium/net/ssl/ssl_platform_key_android_unittest.cc
index 745a63c69a3..9a1292f4645 100644
--- a/chromium/net/ssl/ssl_platform_key_android_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_android_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_mac.cc b/chromium/net/ssl/ssl_platform_key_mac.cc
index baf30bdf0d1..ca6a6c5bd07 100644
--- a/chromium/net/ssl/ssl_platform_key_mac.cc
+++ b/chromium/net/ssl/ssl_platform_key_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_mac.h b/chromium/net/ssl/ssl_platform_key_mac.h
index 4967a808851..33ebcd0d53a 100644
--- a/chromium/net/ssl/ssl_platform_key_mac.h
+++ b/chromium/net/ssl/ssl_platform_key_mac.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_mac_unittest.cc b/chromium/net/ssl/ssl_platform_key_mac_unittest.cc
index a479e269235..cf1a21b6c5f 100644
--- a/chromium/net/ssl/ssl_platform_key_mac_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_mac_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_nss.cc b/chromium/net/ssl/ssl_platform_key_nss.cc
index 622515a4311..266c3d09f51 100644
--- a/chromium/net/ssl/ssl_platform_key_nss.cc
+++ b/chromium/net/ssl/ssl_platform_key_nss.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_nss.h b/chromium/net/ssl/ssl_platform_key_nss.h
index 726b7d1e0bf..30ddd9fc0e4 100644
--- a/chromium/net/ssl/ssl_platform_key_nss.h
+++ b/chromium/net/ssl/ssl_platform_key_nss.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_nss_unittest.cc b/chromium/net/ssl/ssl_platform_key_nss_unittest.cc
index d0fc8aec640..94a2ba562b8 100644
--- a/chromium/net/ssl/ssl_platform_key_nss_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_nss_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_util.cc b/chromium/net/ssl/ssl_platform_key_util.cc
index 38a8741a589..59611c9e4bf 100644
--- a/chromium/net/ssl/ssl_platform_key_util.cc
+++ b/chromium/net/ssl/ssl_platform_key_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_util.h b/chromium/net/ssl/ssl_platform_key_util.h
index fcefd7f0178..3ca7d1d0f1b 100644
--- a/chromium/net/ssl/ssl_platform_key_util.h
+++ b/chromium/net/ssl/ssl_platform_key_util.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_util_unittest.cc b/chromium/net/ssl/ssl_platform_key_util_unittest.cc
index e8c2a02aa56..b31e70802e1 100644
--- a/chromium/net/ssl/ssl_platform_key_util_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_win.cc b/chromium/net/ssl/ssl_platform_key_win.cc
index 42e23853ba4..c6fb00d0fea 100644
--- a/chromium/net/ssl/ssl_platform_key_win.cc
+++ b/chromium/net/ssl/ssl_platform_key_win.cc
@@ -1,16 +1,16 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/ssl/ssl_platform_key_win.h"
 
-#include <algorithm>
 #include <memory>
 #include <string>
 #include <utility>
 #include <vector>
 
 #include "base/logging.h"
+#include "base/ranges/algorithm.h"
 #include "base/strings/utf_string_conversions.h"
 #include "crypto/openssl_util.h"
 #include "crypto/scoped_capi_types.h"
@@ -39,7 +39,7 @@ std::string GetCAPIProviderName(HCRYPTPROV provider) {
   }
   // Per Microsoft's documentation, PP_NAME is NUL-terminated. However,
   // smartcard drivers are notoriously buggy, so check this.
-  auto nul = std::find(name.begin(), name.end(), 0);
+  auto nul = base::ranges::find(name, 0);
   if (nul != name.end()) {
     name_len = nul - name.begin();
   }
@@ -204,7 +204,7 @@ std::wstring GetCNGProviderName(NCRYPT_KEY_HANDLE key) {
 
   // Per Microsoft's documentation, the name is NUL-terminated. However,
   // smartcard drivers are notoriously buggy, so check this.
-  auto nul = std::find(name.begin(), name.end(), 0);
+  auto nul = base::ranges::find(name, 0);
   if (nul != name.end()) {
     name.erase(nul, name.end());
   }
diff --git a/chromium/net/ssl/ssl_platform_key_win.h b/chromium/net/ssl/ssl_platform_key_win.h
index 299ac853535..b47d542828e 100644
--- a/chromium/net/ssl/ssl_platform_key_win.h
+++ b/chromium/net/ssl/ssl_platform_key_win.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_platform_key_win_unittest.cc b/chromium/net/ssl/ssl_platform_key_win_unittest.cc
index 2a92a090c86..be753584ad7 100644
--- a/chromium/net/ssl/ssl_platform_key_win_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_win_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_private_key.cc b/chromium/net/ssl/ssl_private_key.cc
index fe71104c2f8..7ca82e52f36 100644
--- a/chromium/net/ssl/ssl_private_key.cc
+++ b/chromium/net/ssl/ssl_private_key.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_private_key.h b/chromium/net/ssl/ssl_private_key.h
index 7a34b46e964..97ed9ebaed9 100644
--- a/chromium/net/ssl/ssl_private_key.h
+++ b/chromium/net/ssl/ssl_private_key.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_private_key_test_util.cc b/chromium/net/ssl/ssl_private_key_test_util.cc
index f62a2e5abe8..23fd22d6a49 100644
--- a/chromium/net/ssl/ssl_private_key_test_util.cc
+++ b/chromium/net/ssl/ssl_private_key_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_private_key_test_util.h b/chromium/net/ssl/ssl_private_key_test_util.h
index 454bbd9c65c..6fb35fece28 100644
--- a/chromium/net/ssl/ssl_private_key_test_util.h
+++ b/chromium/net/ssl/ssl_private_key_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_server_config.cc b/chromium/net/ssl/ssl_server_config.cc
index b712c0fdb0e..ee7465cfaaf 100644
--- a/chromium/net/ssl/ssl_server_config.cc
+++ b/chromium/net/ssl/ssl_server_config.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/ssl_server_config.h b/chromium/net/ssl/ssl_server_config.h
index f47269176d9..8dcabab2ac1 100644
--- a/chromium/net/ssl/ssl_server_config.h
+++ b/chromium/net/ssl/ssl_server_config.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/test_ssl_config_service.cc b/chromium/net/ssl/test_ssl_config_service.cc
index 1d11fe7c9ec..dec8f97864b 100644
--- a/chromium/net/ssl/test_ssl_config_service.cc
+++ b/chromium/net/ssl/test_ssl_config_service.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/test_ssl_config_service.h b/chromium/net/ssl/test_ssl_config_service.h
index cd7b04e5d32..822895a9729 100644
--- a/chromium/net/ssl/test_ssl_config_service.h
+++ b/chromium/net/ssl/test_ssl_config_service.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/test_ssl_private_key.cc b/chromium/net/ssl/test_ssl_private_key.cc
index 293b8f47aa0..53cb8190add 100644
--- a/chromium/net/ssl/test_ssl_private_key.cc
+++ b/chromium/net/ssl/test_ssl_private_key.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/test_ssl_private_key.h b/chromium/net/ssl/test_ssl_private_key.h
index 2201594885c..fd2c6ec4301 100644
--- a/chromium/net/ssl/test_ssl_private_key.h
+++ b/chromium/net/ssl/test_ssl_private_key.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/threaded_ssl_private_key.cc b/chromium/net/ssl/threaded_ssl_private_key.cc
index 55c82c4231a..0fe7c8aa2c2 100644
--- a/chromium/net/ssl/threaded_ssl_private_key.cc
+++ b/chromium/net/ssl/threaded_ssl_private_key.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/ssl/threaded_ssl_private_key.h b/chromium/net/ssl/threaded_ssl_private_key.h
index 8306b833b5b..ca655787c2a 100644
--- a/chromium/net/ssl/threaded_ssl_private_key.h
+++ b/chromium/net/ssl/threaded_ssl_private_key.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/AndroidManifest.xml b/chromium/net/test/android/javatests/AndroidManifest.xml
index 4ecac838435..830392b2c7b 100644
--- a/chromium/net/test/android/javatests/AndroidManifest.xml
+++ b/chromium/net/test/android/javatests/AndroidManifest.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright 2015 The Chromium Authors. All rights reserved.
+<!-- Copyright 2015 The Chromium Authors
      Use of this source code is governed by a BSD-style license that can be
      found in the LICENSE file. -->
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/AndroidNetworkLibraryTestUtil.java b/chromium/net/test/android/javatests/src/org/chromium/net/AndroidNetworkLibraryTestUtil.java
index 77f5b4ac647..fbcc2f8cc59 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/AndroidNetworkLibraryTestUtil.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/AndroidNetworkLibraryTestUtil.java
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticator.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticator.java
index 48ac6c004d8..52c48223e58 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticator.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticator.java
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticatorService.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticatorService.java
index 42e4ab39d29..deb85ea5efa 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticatorService.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/DummySpnegoAuthenticatorService.java
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServer.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServer.java
index 639c35187c4..1b560e5f727 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServer.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServer.java
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerImpl.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerImpl.java
index efa73217fe6..af78d7895e5 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerImpl.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerImpl.java
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerRule.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerRule.java
index a6e84ccd334..9845f2c3d23 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerRule.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerRule.java
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerService.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerService.java
index 1390b8c0cf7..476f6ca104f 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerService.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerService.java
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/IConnectionListener.aidl b/chromium/net/test/android/javatests/src/org/chromium/net/test/IConnectionListener.aidl
index 7725d71c902..8d3b04b3e61 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/IConnectionListener.aidl
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/IConnectionListener.aidl
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/IEmbeddedTestServerImpl.aidl b/chromium/net/test/android/javatests/src/org/chromium/net/test/IEmbeddedTestServerImpl.aidl
index 6112b99eb32..81c40535a02 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/IEmbeddedTestServerImpl.aidl
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/IEmbeddedTestServerImpl.aidl
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/IEmbeddedTestServerInterface.aidl b/chromium/net/test/android/javatests/src/org/chromium/net/test/IEmbeddedTestServerInterface.aidl
index f50efde192a..fa1c420302e 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/IEmbeddedTestServerInterface.aidl
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/IEmbeddedTestServerInterface.aidl
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/CertTestUtil.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/CertTestUtil.java
index 9994da921ff..eb65a7be505 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/CertTestUtil.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/CertTestUtil.java
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/NetworkChangeNotifierTestUtil.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/NetworkChangeNotifierTestUtil.java
index 3a03f1a0782..c0236203cac 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/NetworkChangeNotifierTestUtil.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/NetworkChangeNotifierTestUtil.java
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/TestWebServer.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/TestWebServer.java
index 79595faa9e5..a80ffe0e3e0 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/TestWebServer.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/TestWebServer.java
@@ -1,4 +1,4 @@
-// Copyright 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/WebServer.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/WebServer.java
index 7e318d7690a..5b86fb17821 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/WebServer.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/WebServer.java
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/net_test_entry_point.cc b/chromium/net/test/android/net_test_entry_point.cc
index 1c030af4500..3f2759e678e 100644
--- a/chromium/net/test/android/net_test_entry_point.cc
+++ b/chromium/net/test/android/net_test_entry_point.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/net_test_jni_onload.cc b/chromium/net/test/android/net_test_jni_onload.cc
index c9b45485ccf..d3291194f66 100644
--- a/chromium/net/test/android/net_test_jni_onload.cc
+++ b/chromium/net/test/android/net_test_jni_onload.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/android/net_test_jni_onload.h b/chromium/net/test/android/net_test_jni_onload.h
index e16d2f924ab..ad878a6733b 100644
--- a/chromium/net/test/android/net_test_jni_onload.h
+++ b/chromium/net/test/android/net_test_jni_onload.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/cert_builder.cc b/chromium/net/test/cert_builder.cc
index c1ec29e1d5b..c133d0c669c 100644
--- a/chromium/net/test/cert_builder.cc
+++ b/chromium/net/test/cert_builder.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -7,10 +7,13 @@
 #include "base/files/file_path.h"
 #include "base/memory/ptr_util.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
+#include "base/time/time.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/openssl_util.h"
 #include "crypto/rsa_private_key.h"
 #include "net/cert/asn1_util.h"
+#include "net/cert/pki/parse_certificate.h"
 #include "net/cert/pki/verify_signed_data.h"
 #include "net/cert/x509_util.h"
 #include "net/der/encode_values.h"
@@ -29,14 +32,6 @@ namespace net {
 
 namespace {
 
-std::string MakeRandomHexString(size_t num_bytes) {
-  std::vector<char> rand_bytes;
-  rand_bytes.resize(num_bytes);
-
-  base::RandBytes(rand_bytes.data(), rand_bytes.size());
-  return base::HexEncode(rand_bytes.data(), rand_bytes.size());
-}
-
 std::string Sha256WithRSAEncryption() {
   const uint8_t kSha256WithRSAEncryption[] = {0x30, 0x0D, 0x06, 0x09, 0x2a,
                                               0x86, 0x48, 0x86, 0xf7, 0x0d,
@@ -53,14 +48,6 @@ std::string Sha1WithRSAEncryption() {
                      std::end(kSha1WithRSAEncryption));
 }
 
-std::string Md5WithRSAEncryption() {
-  const uint8_t kMd5WithRSAEncryption[] = {0x30, 0x0d, 0x06, 0x09, 0x2a,
-                                           0x86, 0x48, 0x86, 0xf7, 0x0d,
-                                           0x01, 0x01, 0x04, 0x05, 0x00};
-  return std::string(std::begin(kMd5WithRSAEncryption),
-                     std::end(kMd5WithRSAEncryption));
-}
-
 std::string EcdsaWithSha256() {
   const uint8_t kDer[] = {0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86,
                           0x48, 0xce, 0x3d, 0x04, 0x03, 0x02};
@@ -101,6 +88,20 @@ std::string FinishCBB(CBB* cbb) {
   return std::string(reinterpret_cast<char*>(cbb_bytes), cbb_len);
 }
 
+// Finalizes the CBB to a std::vector.
+std::vector<uint8_t> FinishCBBToVector(CBB* cbb) {
+  size_t cbb_len;
+  uint8_t* cbb_bytes;
+
+  if (!CBB_finish(cbb, &cbb_bytes, &cbb_len)) {
+    ADD_FAILURE() << "CBB_finish() failed";
+    return {};
+  }
+
+  bssl::UniquePtr<uint8_t> delete_bytes(cbb_bytes);
+  return std::vector<uint8_t>(cbb_bytes, cbb_bytes + cbb_len);
+}
+
 }  // namespace
 
 CertBuilder::CertBuilder(CRYPTO_BUFFER* orig_cert, CertBuilder* issuer)
@@ -190,14 +191,20 @@ void CertBuilder::CreateSimpleChain(
       certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(3U, orig_certs.size());
 
+  // Set a default validity.
+  base::Time not_before = base::Time::Now() - base::Days(7);
+  base::Time not_after = base::Time::Now() + base::Days(7);
+
   // Build slightly modified variants of |orig_certs|.
   *out_root =
       std::make_unique<CertBuilder>(orig_certs[2]->cert_buffer(), nullptr);
+  (*out_root)->SetValidity(not_before, not_after);
   (*out_root)->SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
   (*out_root)->GenerateECKey();
 
   *out_intermediate = std::make_unique<CertBuilder>(
       orig_certs[1]->cert_buffer(), out_root->get());
+  (*out_intermediate)->SetValidity(not_before, not_after);
   (*out_intermediate)->EraseExtension(der::Input(kCrlDistributionPointsOid));
   (*out_intermediate)->EraseExtension(der::Input(kAuthorityInfoAccessOid));
   (*out_intermediate)->SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
@@ -205,6 +212,7 @@ void CertBuilder::CreateSimpleChain(
 
   *out_leaf = std::make_unique<CertBuilder>(orig_certs[0]->cert_buffer(),
                                             out_intermediate->get());
+  (*out_leaf)->SetValidity(not_before, not_after);
   (*out_leaf)->SetSubjectAltName(kHostname);
   (*out_leaf)->EraseExtension(der::Input(kCrlDistributionPointsOid));
   (*out_leaf)->EraseExtension(der::Input(kAuthorityInfoAccessOid));
@@ -223,13 +231,19 @@ void CertBuilder::CreateSimpleChain(std::unique_ptr<CertBuilder>* out_leaf,
   auto orig_leaf = ImportCertFromFile(certs_dir, "ok_cert.pem");
   ASSERT_TRUE(orig_leaf);
 
+  // Set a default validity.
+  base::Time not_before = base::Time::Now() - base::Days(7);
+  base::Time not_after = base::Time::Now() + base::Days(7);
+
   // Build slightly modified variants of |orig_certs|.
   *out_root = std::make_unique<CertBuilder>(orig_root->cert_buffer(), nullptr);
+  (*out_root)->SetValidity(not_before, not_after);
   (*out_root)->SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
   (*out_root)->GenerateECKey();
 
   *out_leaf =
       std::make_unique<CertBuilder>(orig_leaf->cert_buffer(), out_root->get());
+  (*out_leaf)->SetValidity(not_before, not_after);
   (*out_leaf)->SetSubjectAltName(kHostname);
   (*out_leaf)->SetSignatureAlgorithm(SignatureAlgorithm::kEcdsaSha256);
   (*out_leaf)->GenerateECKey();
@@ -255,12 +269,7 @@ bool CertBuilder::SignData(SignatureAlgorithm signature_algorithm,
 
   int expected_pkey_id = 1;
   const EVP_MD* digest;
-
   switch (signature_algorithm) {
-    case SignatureAlgorithm::kRsaPkcs1Md5:
-      expected_pkey_id = EVP_PKEY_RSA;
-      digest = EVP_md5();
-      break;
     case SignatureAlgorithm::kRsaPkcs1Sha1:
       expected_pkey_id = EVP_PKEY_RSA;
       digest = EVP_sha1();
@@ -298,21 +307,25 @@ bool CertBuilder::SignData(SignatureAlgorithm signature_algorithm,
     case SignatureAlgorithm::kRsaPssSha256:
     case SignatureAlgorithm::kRsaPssSha384:
     case SignatureAlgorithm::kRsaPssSha512:
-    case SignatureAlgorithm::kRsaPkcs1Md2:
-    case SignatureAlgorithm::kRsaPkcs1Md4:
-    case SignatureAlgorithm::kDsaSha1:
-    case SignatureAlgorithm::kDsaSha256:
       // Unsupported algorithms.
       return false;
   }
 
+  return expected_pkey_id == EVP_PKEY_id(key) &&
+         SignDataWithDigest(digest, tbs_data, key, out_signature);
+}
+
+// static
+bool CertBuilder::SignDataWithDigest(const EVP_MD* digest,
+                                     base::StringPiece tbs_data,
+                                     EVP_PKEY* key,
+                                     CBB* out_signature) {
   const uint8_t* tbs_bytes = reinterpret_cast<const uint8_t*>(tbs_data.data());
   bssl::ScopedEVP_MD_CTX ctx;
   uint8_t* sig_out;
   size_t sig_len;
 
-  return expected_pkey_id == EVP_PKEY_id(key) &&
-         EVP_DigestSignInit(ctx.get(), nullptr, digest, nullptr, key) &&
+  return EVP_DigestSignInit(ctx.get(), nullptr, digest, nullptr, key) &&
          EVP_DigestSign(ctx.get(), nullptr, &sig_len, tbs_bytes,
                         tbs_data.size()) &&
          CBB_reserve(out_signature, &sig_out, sig_len) &&
@@ -325,8 +338,6 @@ bool CertBuilder::SignData(SignatureAlgorithm signature_algorithm,
 std::string CertBuilder::SignatureAlgorithmToDer(
     SignatureAlgorithm signature_algorithm) {
   switch (signature_algorithm) {
-    case SignatureAlgorithm::kRsaPkcs1Md5:
-      return Md5WithRSAEncryption();
     case SignatureAlgorithm::kRsaPkcs1Sha1:
       return Sha1WithRSAEncryption();
     case SignatureAlgorithm::kRsaPkcs1Sha256:
@@ -341,6 +352,40 @@ std::string CertBuilder::SignatureAlgorithmToDer(
   }
 }
 
+// static
+std::string CertBuilder::MakeRandomHexString(size_t num_bytes) {
+  std::vector<char> rand_bytes;
+  rand_bytes.resize(num_bytes);
+
+  base::RandBytes(rand_bytes.data(), rand_bytes.size());
+  return base::HexEncode(rand_bytes.data(), rand_bytes.size());
+}
+
+// static
+std::vector<uint8_t> CertBuilder::BuildNameWithCommonNameOfType(
+    base::StringPiece common_name,
+    unsigned common_name_tag) {
+  // See RFC 4519.
+  static const uint8_t kCommonName[] = {0x55, 0x04, 0x03};
+
+  // See RFC 5280, section 4.1.2.4.
+  bssl::ScopedCBB cbb;
+  CBB rdns, rdn, attr, type, value;
+  if (!CBB_init(cbb.get(), 64) ||
+      !CBB_add_asn1(cbb.get(), &rdns, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1(&rdns, &rdn, CBS_ASN1_SET) ||
+      !CBB_add_asn1(&rdn, &attr, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1(&attr, &type, CBS_ASN1_OBJECT) ||
+      !CBBAddBytes(&type, kCommonName) ||
+      !CBB_add_asn1(&attr, &value, common_name_tag) ||
+      !CBBAddBytes(&value, common_name)) {
+    ADD_FAILURE();
+    return {};
+  }
+
+  return FinishCBBToVector(cbb.get());
+}
+
 void CertBuilder::SetExtension(const der::Input& oid,
                                std::string value,
                                bool critical) {
@@ -388,7 +433,11 @@ void CertBuilder::SetCaIssuersAndOCSPUrls(
     entries.emplace_back(der::Input(kAdCaIssuersOid), url);
   for (const auto& url : ocsp_urls)
     entries.emplace_back(der::Input(kAdOcspOid), url);
-  ASSERT_GT(entries.size(), 0U);
+
+  if (entries.empty()) {
+    EraseExtension(der::Input(kAuthorityInfoAccessOid));
+    return;
+  }
 
   // From RFC 5280:
   //
@@ -459,33 +508,27 @@ void CertBuilder::SetCrlDistributionPointUrls(const std::vector<GURL>& urls) {
   SetExtension(der::Input(kCrlDistributionPointsOid), FinishCBB(cbb.get()));
 }
 
-void CertBuilder::SetSubjectCommonName(base::StringPiece common_name) {
-  // See RFC 4519.
-  static const uint8_t kCommonName[] = {0x55, 0x04, 0x03};
+void CertBuilder::SetIssuerTLV(base::span<const uint8_t> issuer_tlv) {
+  if (issuer_tlv.empty())
+    issuer_tlv_ = absl::nullopt;
+  else
+    issuer_tlv_ = std::string(issuer_tlv.begin(), issuer_tlv.end());
+  Invalidate();
+}
 
-  // See RFC 5280, section 4.1.2.4.
-  bssl::ScopedCBB cbb;
-  CBB rdns, rdn, attr, type, value;
-  ASSERT_TRUE(CBB_init(cbb.get(), 64));
-  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &rdns, CBS_ASN1_SEQUENCE));
-  ASSERT_TRUE(CBB_add_asn1(&rdns, &rdn, CBS_ASN1_SET));
-  ASSERT_TRUE(CBB_add_asn1(&rdn, &attr, CBS_ASN1_SEQUENCE));
-  ASSERT_TRUE(CBB_add_asn1(&attr, &type, CBS_ASN1_OBJECT));
-  ASSERT_TRUE(CBBAddBytes(&type, kCommonName));
-  ASSERT_TRUE(CBB_add_asn1(&attr, &value, CBS_ASN1_UTF8STRING));
-  ASSERT_TRUE(CBBAddBytes(&value, common_name));
-
-  subject_tlv_ = FinishCBB(cbb.get());
+void CertBuilder::SetSubjectCommonName(base::StringPiece common_name) {
+  SetSubjectTLV(
+      BuildNameWithCommonNameOfType(common_name, CBS_ASN1_UTF8STRING));
   Invalidate();
 }
 
-void CertBuilder::SetSubject(base::span<const uint8_t> subject_tlv) {
+void CertBuilder::SetSubjectTLV(base::span<const uint8_t> subject_tlv) {
   subject_tlv_.assign(subject_tlv.begin(), subject_tlv.end());
   Invalidate();
 }
 
-void CertBuilder::SetSubjectAltName(const std::string& dns_name) {
-  SetSubjectAltNames({dns_name}, {});
+void CertBuilder::SetSubjectAltName(base::StringPiece dns_name) {
+  SetSubjectAltNames({std::string(dns_name)}, {});
 }
 
 void CertBuilder::SetSubjectAltNames(
@@ -619,6 +662,39 @@ void CertBuilder::SetCertificatePolicies(
   SetExtension(der::Input(kCertificatePoliciesOid), FinishCBB(cbb.get()));
 }
 
+void CertBuilder::SetPolicyConstraints(
+    absl::optional<uint64_t> require_explicit_policy,
+    absl::optional<uint64_t> inhibit_policy_mapping) {
+  if (!require_explicit_policy.has_value() &&
+      !inhibit_policy_mapping.has_value()) {
+    EraseExtension(der::Input(kPolicyConstraintsOid));
+    return;
+  }
+
+  // From RFC 5280:
+  //   PolicyConstraints ::= SEQUENCE {
+  //        requireExplicitPolicy           [0] SkipCerts OPTIONAL,
+  //        inhibitPolicyMapping            [1] SkipCerts OPTIONAL }
+  //
+  //   SkipCerts ::= INTEGER (0..MAX)
+  bssl::ScopedCBB cbb;
+  CBB policy_constraints;
+  ASSERT_TRUE(CBB_init(cbb.get(), 64));
+  ASSERT_TRUE(CBB_add_asn1(cbb.get(), &policy_constraints, CBS_ASN1_SEQUENCE));
+  if (require_explicit_policy.has_value()) {
+    ASSERT_TRUE(CBB_add_asn1_uint64_with_tag(&policy_constraints,
+                                             *require_explicit_policy,
+                                             der::ContextSpecificPrimitive(0)));
+  }
+  if (inhibit_policy_mapping.has_value()) {
+    ASSERT_TRUE(CBB_add_asn1_uint64_with_tag(&policy_constraints,
+                                             *inhibit_policy_mapping,
+                                             der::ContextSpecificPrimitive(1)));
+  }
+
+  SetExtension(der::Input(kPolicyConstraintsOid), FinishCBB(cbb.get()));
+}
+
 void CertBuilder::SetValidity(base::Time not_before, base::Time not_after) {
   // From RFC 5280:
   //   Validity ::= SEQUENCE {
@@ -796,10 +872,40 @@ scoped_refptr<X509Certificate> CertBuilder::GetX509CertificateChain() {
                                            std::move(intermediates));
 }
 
+scoped_refptr<X509Certificate> CertBuilder::GetX509CertificateFullChain() {
+  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
+  // Add intermediates and the self-signed root.
+  for (CertBuilder* cert = issuer_; cert; cert = cert->issuer_) {
+    intermediates.push_back(cert->DupCertBuffer());
+    if (cert == cert->issuer_)
+      break;
+  }
+  return X509Certificate::CreateFromBuffer(DupCertBuffer(),
+                                           std::move(intermediates));
+}
+
 std::string CertBuilder::GetDER() {
   return std::string(x509_util::CryptoBufferAsStringPiece(GetCertBuffer()));
 }
 
+std::string CertBuilder::GetPEM() {
+  std::string pem_encoded;
+  EXPECT_TRUE(X509Certificate::GetPEMEncoded(GetCertBuffer(), &pem_encoded));
+  return pem_encoded;
+}
+
+std::string CertBuilder::GetPEMFullChain() {
+  std::vector<std::string> pems;
+  CertBuilder* cert = this;
+  while (cert) {
+    pems.push_back(cert->GetPEM());
+    if (cert == cert->issuer_)
+      break;
+    cert = cert->issuer_;
+  }
+  return base::JoinString(pems, "\n");
+}
+
 CertBuilder::CertBuilder(CRYPTO_BUFFER* orig_cert,
                          CertBuilder* issuer,
                          bool unique_subject_key_identifier)
@@ -833,6 +939,15 @@ void CertBuilder::GenerateRSAKey() {
   Invalidate();
 }
 
+bool CertBuilder::UseKeyFromFile(const base::FilePath& key_file) {
+  bssl::UniquePtr<EVP_PKEY> private_key(LoadPrivateKeyFromFile(key_file));
+  if (!private_key)
+    return false;
+  key_ = std::move(private_key);
+  Invalidate();
+  return true;
+}
+
 void CertBuilder::GenerateSubjectKeyIdentifier() {
   // 20 bytes are chosen here for no other reason than it's compatible with
   // systems that assume the SKI is SHA-1(SPKI), which RFC 5280 notes as one
@@ -952,7 +1067,9 @@ void CertBuilder::BuildTBSCertificate(base::StringPiece signature_algorithm_tlv,
   ASSERT_TRUE(CBB_add_asn1_uint64(&version, 2));
   ASSERT_TRUE(CBB_add_asn1_uint64(&tbs_cert, GetSerialNumber()));
   ASSERT_TRUE(CBBAddBytes(&tbs_cert, signature_algorithm_tlv));
-  ASSERT_TRUE(CBBAddBytes(&tbs_cert, issuer_->GetSubject()));
+  ASSERT_TRUE(CBBAddBytes(&tbs_cert, issuer_tlv_.has_value()
+                                         ? *issuer_tlv_
+                                         : issuer_->GetSubject()));
   ASSERT_TRUE(CBBAddBytes(&tbs_cert, validity_tlv_));
   ASSERT_TRUE(CBBAddBytes(&tbs_cert, GetSubject()));
   ASSERT_TRUE(GetKey());
diff --git a/chromium/net/test/cert_builder.h b/chromium/net/test/cert_builder.h
index abd94577f46..670aa9feb6f 100644
--- a/chromium/net/test/cert_builder.h
+++ b/chromium/net/test/cert_builder.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -99,11 +99,26 @@ class CertBuilder {
                        EVP_PKEY* key,
                        CBB* out_signature);
 
+  static bool SignDataWithDigest(const EVP_MD* digest,
+                                 base::StringPiece tbs_data,
+                                 EVP_PKEY* key,
+                                 CBB* out_signature);
+
   // Returns a DER encoded AlgorithmIdentifier TLV for |signature_algorithm|
   // empty string on error.
   static std::string SignatureAlgorithmToDer(
       SignatureAlgorithm signature_algorithm);
 
+  // Generates |num_bytes| random bytes, and then returns the hex encoding of
+  // those bytes.
+  static std::string MakeRandomHexString(size_t num_bytes);
+
+  // Builds a DER encoded X.501 Name TLV containing a commonName of
+  // |common_name| with type |common_name_tag|.
+  static std::vector<uint8_t> BuildNameWithCommonNameOfType(
+      base::StringPiece common_name,
+      unsigned common_name_tag);
+
   // Sets a value for the indicated X.509 (v3) extension.
   void SetExtension(const der::Input& oid,
                     std::string value,
@@ -120,8 +135,8 @@ class CertBuilder {
   void SetCaIssuersUrl(const GURL& url);
 
   // Sets an AIA extension with the specified caIssuers and OCSP urls. Either
-  // list can have 0 or more URLs, but it is an error for both lists to be
-  // empty.
+  // list can have 0 or more URLs. If both are empty, the AIA extension is
+  // removed.
   void SetCaIssuersAndOCSPUrls(const std::vector<GURL>& ca_issuers_urls,
                                const std::vector<GURL>& ocsp_urls);
 
@@ -133,15 +148,20 @@ class CertBuilder {
   // with |urls| in distributionPoints.fullName.
   void SetCrlDistributionPointUrls(const std::vector<GURL>& urls);
 
+  // Sets the issuer bytes that will be encoded into the generated certificate.
+  // If this is not called, or |issuer_tlv| is empty, the subject field from
+  // the issuer CertBuilder will be used.
+  void SetIssuerTLV(base::span<const uint8_t> issuer_tlv);
+
   // Sets the subject to a Name with a single commonName attribute with
   // the value |common_name| tagged as a UTF8String.
   void SetSubjectCommonName(base::StringPiece common_name);
 
   // Sets the subject to |subject_tlv|.
-  void SetSubject(base::span<const uint8_t> subject_tlv);
+  void SetSubjectTLV(base::span<const uint8_t> subject_tlv);
 
   // Sets the SAN for the certificate to a single dNSName.
-  void SetSubjectAltName(const std::string& dns_name);
+  void SetSubjectAltName(base::StringPiece dns_name);
 
   // Sets the SAN for the certificate to the given dns names and ip addresses.
   void SetSubjectAltNames(const std::vector<std::string>& dns_names,
@@ -159,6 +179,12 @@ class CertBuilder {
   // OIDs, which must be specified in dotted string notation (e.g. "1.2.3.4").
   void SetCertificatePolicies(const std::vector<std::string>& policy_oids);
 
+  // Sets the PolicyConstraints extension. If both |require_explicit_policy|
+  // and |inhibit_policy_mapping| are nullopt, the PolicyConstraints extension
+  // will removed.
+  void SetPolicyConstraints(absl::optional<uint64_t> require_explicit_policy,
+                            absl::optional<uint64_t> inhibit_policy_mapping);
+
   void SetValidity(base::Time not_before, base::Time not_after);
 
   // Sets the Subject Key Identifier (SKI) extension to the specified string.
@@ -217,6 +243,9 @@ class CertBuilder {
   // key is specifically needed. If a key was already set, it will be replaced.
   void GenerateRSAKey();
 
+  // Loads the private key for the generated certificate from |key_file|.
+  bool UseKeyFromFile(const base::FilePath& key_file);
+
   // Returns the CertBuilder that issues this certificate. (Will be |this| if
   // certificate is self-signed.)
   CertBuilder* issuer() { return issuer_; }
@@ -250,12 +279,26 @@ class CertBuilder {
   scoped_refptr<X509Certificate> GetX509Certificate();
 
   // Returns an X509Certificate for the generated certificate, including
-  // intermediate certificates.
+  // intermediate certificates (not including the self-signed root).
   scoped_refptr<X509Certificate> GetX509CertificateChain();
 
+  // Returns an X509Certificate for the generated certificate, including
+  // intermediate certificates and the self-signed root.
+  scoped_refptr<X509Certificate> GetX509CertificateFullChain();
+
   // Returns a copy of the certificate's DER.
   std::string GetDER();
 
+  // Returns a copy of the certificate as PEM encoded DER.
+  // Convenience method for debugging, to more easily log what cert is being
+  // created.
+  std::string GetPEM();
+
+  // Returns the full chain (including root) as PEM.
+  // Convenience method for debugging, to more easily log what certs are being
+  // created.
+  std::string GetPEMFullChain();
+
  private:
   // Initializes the CertBuilder, if |orig_cert| is non-null it will be used as
   // a template. If |issuer| is null then the generated certificate will be
@@ -306,6 +349,7 @@ class CertBuilder {
   };
 
   std::string validity_tlv_;
+  absl::optional<std::string> issuer_tlv_;
   std::string subject_tlv_;
   absl::optional<SignatureAlgorithm> signature_algorithm_;
   std::string outer_signature_algorithm_tlv_;
diff --git a/chromium/net/test/cert_test_util.cc b/chromium/net/test/cert_test_util.cc
index da16d54edc5..2fc758fb628 100644
--- a/chromium/net/test/cert_test_util.cc
+++ b/chromium/net/test/cert_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/cert_test_util.h b/chromium/net/test/cert_test_util.h
index a9e45b1b70b..2c90166791b 100644
--- a/chromium/net/test/cert_test_util.h
+++ b/chromium/net/test/cert_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/cert_test_util_nss.cc b/chromium/net/test/cert_test_util_nss.cc
index 466363ab8b0..477efc1ce52 100644
--- a/chromium/net/test/cert_test_util_nss.cc
+++ b/chromium/net/test/cert_test_util_nss.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/ct_test_util.cc b/chromium/net/test/ct_test_util.cc
index ea6da8a1147..1b3809542fd 100644
--- a/chromium/net/test/ct_test_util.cc
+++ b/chromium/net/test/ct_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/ct_test_util.h b/chromium/net/test/ct_test_util.h
index cad3fee90fb..48982974701 100644
--- a/chromium/net/test/ct_test_util.h
+++ b/chromium/net/test/ct_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/DEPS b/chromium/net/test/embedded_test_server/DEPS
deleted file mode 100644
index f2b76e93385..00000000000
--- a/chromium/net/test/embedded_test_server/DEPS
+++ /dev/null
@@ -1,3 +0,0 @@
-include_rules = [
-  "+third_party/abseil-cpp/absl/strings/escaping.h"
-]
diff --git a/chromium/net/test/embedded_test_server/android/embedded_test_server_android.cc b/chromium/net/test/embedded_test_server/android/embedded_test_server_android.cc
index 97085e3c4e6..08a9c45384f 100644
--- a/chromium/net/test/embedded_test_server/android/embedded_test_server_android.cc
+++ b/chromium/net/test/embedded_test_server/android/embedded_test_server_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/android/embedded_test_server_android.h b/chromium/net/test/embedded_test_server/android/embedded_test_server_android.h
index edb819f16da..58a91ac7cbd 100644
--- a/chromium/net/test/embedded_test_server/android/embedded_test_server_android.h
+++ b/chromium/net/test/embedded_test_server/android/embedded_test_server_android.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/connection_tracker.cc b/chromium/net/test/embedded_test_server/connection_tracker.cc
index 09f1a059baa..b92b721e75e 100644
--- a/chromium/net/test/embedded_test_server/connection_tracker.cc
+++ b/chromium/net/test/embedded_test_server/connection_tracker.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/connection_tracker.h b/chromium/net/test/embedded_test_server/connection_tracker.h
index 7131d21cc7b..c31a1320519 100644
--- a/chromium/net/test/embedded_test_server/connection_tracker.h
+++ b/chromium/net/test/embedded_test_server/connection_tracker.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/controllable_http_response.cc b/chromium/net/test/embedded_test_server/controllable_http_response.cc
index 06eec7020c0..04980e10f6a 100644
--- a/chromium/net/test/embedded_test_server/controllable_http_response.cc
+++ b/chromium/net/test/embedded_test_server/controllable_http_response.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/controllable_http_response.h b/chromium/net/test/embedded_test_server/controllable_http_response.h
index f9db7c89847..001db883c6b 100644
--- a/chromium/net/test/embedded_test_server/controllable_http_response.h
+++ b/chromium/net/test/embedded_test_server/controllable_http_response.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/default_handlers.cc b/chromium/net/test/embedded_test_server/default_handlers.cc
index 76150efe828..17c4f59157a 100644
--- a/chromium/net/test/embedded_test_server/default_handlers.cc
+++ b/chromium/net/test/embedded_test_server/default_handlers.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/default_handlers.h b/chromium/net/test/embedded_test_server/default_handlers.h
index 76b7d3e82b3..bdc50a25c91 100644
--- a/chromium/net/test/embedded_test_server/default_handlers.h
+++ b/chromium/net/test/embedded_test_server/default_handlers.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server.cc b/chromium/net/test/embedded_test_server/embedded_test_server.cc
index ed5b06c6f56..cbb2e334028 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server.cc
+++ b/chromium/net/test/embedded_test_server/embedded_test_server.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server.h b/chromium/net/test/embedded_test_server/embedded_test_server.h
index 218eb6859f1..3a8f538aed8 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server.h
+++ b/chromium/net/test/embedded_test_server/embedded_test_server.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server_connection_listener.cc b/chromium/net/test/embedded_test_server/embedded_test_server_connection_listener.cc
index d6d13e25478..1d7af2a93e2 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server_connection_listener.cc
+++ b/chromium/net/test/embedded_test_server/embedded_test_server_connection_listener.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server_connection_listener.h b/chromium/net/test/embedded_test_server/embedded_test_server_connection_listener.h
index 541ae50882f..e1f624394a9 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server_connection_listener.h
+++ b/chromium/net/test/embedded_test_server/embedded_test_server_connection_listener.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc b/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc
index ea10a5df987..7a7a1e7f822 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc
+++ b/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http1_connection.cc b/chromium/net/test/embedded_test_server/http1_connection.cc
index a75d8764664..ace1573cdb5 100644
--- a/chromium/net/test/embedded_test_server/http1_connection.cc
+++ b/chromium/net/test/embedded_test_server/http1_connection.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http1_connection.h b/chromium/net/test/embedded_test_server/http1_connection.h
index 25aca7e2b54..d3a65e705a1 100644
--- a/chromium/net/test/embedded_test_server/http1_connection.h
+++ b/chromium/net/test/embedded_test_server/http1_connection.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http2_connection.cc b/chromium/net/test/embedded_test_server/http2_connection.cc
index 6c26af3271e..e0345af1e13 100644
--- a/chromium/net/test/embedded_test_server/http2_connection.cc
+++ b/chromium/net/test/embedded_test_server/http2_connection.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -11,6 +11,9 @@
 #include "base/debug/stack_trace.h"
 #include "base/format_macros.h"
 #include "base/memory/raw_ptr.h"
+#include "base/strings/abseil_string_conversions.h"
+#include "base/strings/strcat.h"
+#include "base/strings/string_piece.h"
 #include "base/strings/stringprintf.h"
 #include "base/threading/sequenced_task_runner_handle.h"
 #include "net/http/http_response_headers.h"
@@ -19,7 +22,6 @@
 #include "net/ssl/ssl_info.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
-#include "third_party/abseil-cpp/absl/strings/escaping.h"
 
 namespace net {
 
@@ -70,7 +72,8 @@ class Http2Connection::DataFrameSource
 
   bool Send(absl::string_view frame_header, size_t payload_length) override {
     std::string concatenated =
-        absl::StrCat(frame_header, chunks_.front().substr(0, payload_length));
+        base::StrCat({base::StringViewToStringPiece(frame_header),
+                      chunks_.front().substr(0, payload_length)});
     const int64_t result = connection_->OnReadyToSend(concatenated);
     // Write encountered error.
     if (result < 0) {
diff --git a/chromium/net/test/embedded_test_server/http2_connection.h b/chromium/net/test/embedded_test_server/http2_connection.h
index a24ead03d31..b7bf585713c 100644
--- a/chromium/net/test/embedded_test_server/http2_connection.h
+++ b/chromium/net/test/embedded_test_server/http2_connection.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http_connection.cc b/chromium/net/test/embedded_test_server/http_connection.cc
index 851f5cf8fe8..07c31cd5d4a 100644
--- a/chromium/net/test/embedded_test_server/http_connection.cc
+++ b/chromium/net/test/embedded_test_server/http_connection.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http_connection.h b/chromium/net/test/embedded_test_server/http_connection.h
index 2fa9ea10d09..a92e03ffb7d 100644
--- a/chromium/net/test/embedded_test_server/http_connection.h
+++ b/chromium/net/test/embedded_test_server/http_connection.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http_request.cc b/chromium/net/test/embedded_test_server/http_request.cc
index 1d51e873999..b627b2dea5d 100644
--- a/chromium/net/test/embedded_test_server/http_request.cc
+++ b/chromium/net/test/embedded_test_server/http_request.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http_request.h b/chromium/net/test/embedded_test_server/http_request.h
index 91cdaedc075..4dcab267e8a 100644
--- a/chromium/net/test/embedded_test_server/http_request.h
+++ b/chromium/net/test/embedded_test_server/http_request.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http_request_unittest.cc b/chromium/net/test/embedded_test_server/http_request_unittest.cc
index 73ba6d0c845..d0d2b57ffa0 100644
--- a/chromium/net/test/embedded_test_server/http_request_unittest.cc
+++ b/chromium/net/test/embedded_test_server/http_request_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http_response.cc b/chromium/net/test/embedded_test_server/http_response.cc
index d88555d562b..8ca234cd612 100644
--- a/chromium/net/test/embedded_test_server/http_response.cc
+++ b/chromium/net/test/embedded_test_server/http_response.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http_response.h b/chromium/net/test/embedded_test_server/http_response.h
index 1d3f762198a..f9b8112d649 100644
--- a/chromium/net/test/embedded_test_server/http_response.h
+++ b/chromium/net/test/embedded_test_server/http_response.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/http_response_unittest.cc b/chromium/net/test/embedded_test_server/http_response_unittest.cc
index e79a7494d03..d531fb0cb3f 100644
--- a/chromium/net/test/embedded_test_server/http_response_unittest.cc
+++ b/chromium/net/test/embedded_test_server/http_response_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/request_handler_util.cc b/chromium/net/test/embedded_test_server/request_handler_util.cc
index f5a8e2e799d..570dae40eda 100644
--- a/chromium/net/test/embedded_test_server/request_handler_util.cc
+++ b/chromium/net/test/embedded_test_server/request_handler_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/request_handler_util.h b/chromium/net/test/embedded_test_server/request_handler_util.h
index 7ce988059c1..2128e2e1895 100644
--- a/chromium/net/test/embedded_test_server/request_handler_util.h
+++ b/chromium/net/test/embedded_test_server/request_handler_util.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/simple_connection_listener.cc b/chromium/net/test/embedded_test_server/simple_connection_listener.cc
index 8191439e1db..835b843d4bb 100644
--- a/chromium/net/test/embedded_test_server/simple_connection_listener.cc
+++ b/chromium/net/test/embedded_test_server/simple_connection_listener.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/embedded_test_server/simple_connection_listener.h b/chromium/net/test/embedded_test_server/simple_connection_listener.h
index 37693b9acc0..177df1c4334 100644
--- a/chromium/net/test/embedded_test_server/simple_connection_listener.h
+++ b/chromium/net/test/embedded_test_server/simple_connection_listener.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/event_waiter.h b/chromium/net/test/event_waiter.h
index 7d150e222f6..6ac1d33e925 100644
--- a/chromium/net/test/event_waiter.h
+++ b/chromium/net/test/event_waiter.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/gtest_util.h b/chromium/net/test/gtest_util.h
index 7f474bfa48b..98cb374ec8d 100644
--- a/chromium/net/test/gtest_util.h
+++ b/chromium/net/test/gtest_util.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/test/key_util.cc b/chromium/net/test/key_util.cc
index 49dbc696e80..b3a50e355fa 100644
--- a/chromium/net/test/key_util.cc
+++ b/chromium/net/test/key_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/key_util.h b/chromium/net/test/key_util.h
index edef8be86d8..fdad8160744 100644
--- a/chromium/net/test/key_util.h
+++ b/chromium/net/test/key_util.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/keychain_test_util_mac.cc b/chromium/net/test/keychain_test_util_mac.cc
index c43d6461b37..48b50db14cb 100644
--- a/chromium/net/test/keychain_test_util_mac.cc
+++ b/chromium/net/test/keychain_test_util_mac.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/keychain_test_util_mac.h b/chromium/net/test/keychain_test_util_mac.h
index c2a2dd671bf..6e4994753dc 100644
--- a/chromium/net/test/keychain_test_util_mac.h
+++ b/chromium/net/test/keychain_test_util_mac.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/net_test_suite.cc b/chromium/net/test/net_test_suite.cc
index b27889acb84..e2860b72ea3 100644
--- a/chromium/net/test/net_test_suite.cc
+++ b/chromium/net/test/net_test_suite.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/net_test_suite.h b/chromium/net/test/net_test_suite.h
index 006b921d5c1..d4526513808 100644
--- a/chromium/net/test/net_test_suite.h
+++ b/chromium/net/test/net_test_suite.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/python_utils.cc b/chromium/net/test/python_utils.cc
index 73e4fd4804e..2cdc07dad99 100644
--- a/chromium/net/test/python_utils.cc
+++ b/chromium/net/test/python_utils.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,14 +6,9 @@
 
 #include <memory>
 
-#include "base/base_paths.h"
 #include "base/command_line.h"
 #include "base/environment.h"
 #include "base/files/file_path.h"
-#include "base/files/file_util.h"
-#include "base/logging.h"
-#include "base/path_service.h"
-#include "base/process/launch.h"
 #include "build/build_config.h"
 
 namespace {
@@ -45,23 +40,6 @@ void SetPythonPathInEnvironment(const std::vector<base::FilePath>& python_path,
   (*map)[kVPythonClearPathEnv] = base::NativeEnvironmentString();
 }
 
-bool GetPythonCommand(base::CommandLine* python_cmd) {
-  DCHECK(python_cmd);
-
-// Use vpython to pick up src.git's vpython VirtualEnv spec.
-#if BUILDFLAG(IS_WIN)
-  python_cmd->SetProgram(base::FilePath(FILE_PATH_LITERAL("vpython.bat")));
-#else
-  python_cmd->SetProgram(base::FilePath(FILE_PATH_LITERAL("vpython")));
-#endif
-
-  // Launch python in unbuffered mode, so that python output doesn't mix with
-  // gtest output in buildbot log files. See http://crbug.com/147368.
-  python_cmd->AppendArg("-u");
-
-  return true;
-}
-
 bool GetPython3Command(base::CommandLine* python_cmd) {
   DCHECK(python_cmd);
 
diff --git a/chromium/net/test/python_utils.h b/chromium/net/test/python_utils.h
index ea27aa5618d..fab8e4120b3 100644
--- a/chromium/net/test/python_utils.h
+++ b/chromium/net/test/python_utils.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright 2010 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,12 +18,6 @@ class FilePath;
 void SetPythonPathInEnvironment(const std::vector<base::FilePath>& python_path,
                                 base::EnvironmentMap* map);
 
-// Returns if a virtualenv is currently active.
-bool IsInPythonVirtualEnv();
-
-// Returns the command that should be used to launch Python.
-[[nodiscard]] bool GetPythonCommand(base::CommandLine* python_cmd);
-
 // Returns the command that should be used to launch Python 3.
 [[nodiscard]] bool GetPython3Command(base::CommandLine* python_cmd);
 
diff --git a/chromium/net/test/python_utils_unittest.cc b/chromium/net/test/python_utils_unittest.cc
index 6dabf61f5f8..6edabe8d032 100644
--- a/chromium/net/test/python_utils_unittest.cc
+++ b/chromium/net/test/python_utils_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -32,22 +32,6 @@ TEST(PythonUtils, SetPythonPathInEnvironment) {
             env[FILE_PATH_LITERAL("VPYTHON_CLEAR_PYTHONPATH")]);
 }
 
-TEST(PythonUtils, PythonRunTime) {
-  base::CommandLine cmd_line(base::CommandLine::NO_PROGRAM);
-  EXPECT_TRUE(GetPythonCommand(&cmd_line));
-
-  // Run a python command to print a string and make sure the output is what
-  // we want.
-  cmd_line.AppendArg("-c");
-  std::string input("PythonUtilsTest");
-  std::string python_cmd = base::StringPrintf("print('%s');", input.c_str());
-  cmd_line.AppendArg(python_cmd);
-  std::string output;
-  EXPECT_TRUE(base::GetAppOutput(cmd_line, &output));
-  base::TrimWhitespaceASCII(output, base::TRIM_TRAILING, &output);
-  EXPECT_EQ(input, output);
-}
-
 TEST(PythonUtils, Python3RunTime) {
   base::CommandLine cmd_line(base::CommandLine::NO_PROGRAM);
   EXPECT_TRUE(GetPython3Command(&cmd_line));
diff --git a/chromium/net/test/quic_simple_test_server.cc b/chromium/net/test/quic_simple_test_server.cc
index e18c59e22f8..25c79b174e6 100644
--- a/chromium/net/test/quic_simple_test_server.cc
+++ b/chromium/net/test/quic_simple_test_server.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/quic_simple_test_server.h b/chromium/net/test/quic_simple_test_server.h
index 5e78d8b2f27..eea1db0103e 100644
--- a/chromium/net/test/quic_simple_test_server.h
+++ b/chromium/net/test/quic_simple_test_server.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/revocation_builder.cc b/chromium/net/test/revocation_builder.cc
index 01f9d3adeba..20aa7be63b5 100644
--- a/chromium/net/test/revocation_builder.cc
+++ b/chromium/net/test/revocation_builder.cc
@@ -1,12 +1,14 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/test/revocation_builder.h"
 
+#include "base/functional/callback.h"
 #include "base/hash/sha1.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
+#include "base/test/bind.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/x509_util.h"
 #include "net/der/encode_values.h"
@@ -378,27 +380,16 @@ std::string BuildOCSPResponseWithResponseData(
                             FinishCBB(basic_ocsp_response_cbb.get()));
 }
 
-std::string BuildCrl(const std::string& crl_issuer_subject,
-                     EVP_PKEY* crl_issuer_key,
-                     const std::vector<uint64_t>& revoked_serials,
-                     absl::optional<SignatureAlgorithm> signature_algorithm) {
+std::string BuildCrlWithSigner(
+    const std::string& crl_issuer_subject,
+    EVP_PKEY* crl_issuer_key,
+    const std::vector<uint64_t>& revoked_serials,
+    const std::string& signature_algorithm_tlv,
+    base::OnceCallback<bool(std::string, CBB*)> signer) {
   if (!crl_issuer_key) {
     ADD_FAILURE();
     return std::string();
   }
-  if (!signature_algorithm)
-    signature_algorithm =
-        CertBuilder::DefaultSignatureAlgorithmForKey(crl_issuer_key);
-  if (!signature_algorithm) {
-    ADD_FAILURE();
-    return std::string();
-  }
-  std::string signature_algorithm_tlv =
-      CertBuilder::SignatureAlgorithmToDer(*signature_algorithm);
-  if (signature_algorithm_tlv.empty()) {
-    ADD_FAILURE();
-    return std::string();
-  }
   //    TBSCertList  ::=  SEQUENCE  {
   //         version                 Version OPTIONAL,
   //                                      -- if present, MUST be v2
@@ -463,11 +454,54 @@ std::string BuildCrl(const std::string& crl_issuer_subject,
       !CBBAddBytes(&cert_list, signature_algorithm_tlv) ||
       !CBB_add_asn1(&cert_list, &signature, CBS_ASN1_BITSTRING) ||
       !CBB_add_u8(&signature, 0 /* no unused bits */) ||
-      !CertBuilder::SignData(*signature_algorithm, tbs_tlv, crl_issuer_key,
-                             &signature)) {
+      !std::move(signer).Run(tbs_tlv, &signature)) {
     ADD_FAILURE();
     return std::string();
   }
   return FinishCBB(crl_cbb.get());
 }
+
+std::string BuildCrl(const std::string& crl_issuer_subject,
+                     EVP_PKEY* crl_issuer_key,
+                     const std::vector<uint64_t>& revoked_serials,
+                     absl::optional<SignatureAlgorithm> signature_algorithm) {
+  if (!signature_algorithm) {
+    signature_algorithm =
+        CertBuilder::DefaultSignatureAlgorithmForKey(crl_issuer_key);
+  }
+  if (!signature_algorithm) {
+    ADD_FAILURE();
+    return std::string();
+  }
+  std::string signature_algorithm_tlv =
+      CertBuilder::SignatureAlgorithmToDer(*signature_algorithm);
+  if (signature_algorithm_tlv.empty()) {
+    ADD_FAILURE();
+    return std::string();
+  }
+
+  auto signer =
+      base::BindLambdaForTesting([&](std::string tbs_tlv, CBB* signature) {
+        return CertBuilder::SignData(*signature_algorithm, tbs_tlv,
+                                     crl_issuer_key, signature);
+      });
+  return BuildCrlWithSigner(crl_issuer_subject, crl_issuer_key, revoked_serials,
+                            signature_algorithm_tlv, signer);
+}
+
+std::string BuildCrlWithAlgorithmTlvAndDigest(
+    const std::string& crl_issuer_subject,
+    EVP_PKEY* crl_issuer_key,
+    const std::vector<uint64_t>& revoked_serials,
+    const std::string& signature_algorithm_tlv,
+    const EVP_MD* digest) {
+  auto signer =
+      base::BindLambdaForTesting([&](std::string tbs_tlv, CBB* signature) {
+        return CertBuilder::SignDataWithDigest(digest, tbs_tlv, crl_issuer_key,
+                                               signature);
+      });
+  return BuildCrlWithSigner(crl_issuer_subject, crl_issuer_key, revoked_serials,
+                            signature_algorithm_tlv, signer);
+}
+
 }  // namespace net
diff --git a/chromium/net/test/revocation_builder.h b/chromium/net/test/revocation_builder.h
index e98d47572b7..c4443be133c 100644
--- a/chromium/net/test/revocation_builder.h
+++ b/chromium/net/test/revocation_builder.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -65,6 +65,13 @@ std::string BuildCrl(
     const std::vector<uint64_t>& revoked_serials,
     absl::optional<SignatureAlgorithm> signature_algorithm = absl::nullopt);
 
+std::string BuildCrlWithAlgorithmTlvAndDigest(
+    const std::string& crl_issuer_subject,
+    EVP_PKEY* crl_issuer_key,
+    const std::vector<uint64_t>& revoked_serials,
+    const std::string& signature_algorithm_tlv,
+    const EVP_MD* digest);
+
 }  // namespace net
 
 #endif  // NET_TEST_REVOCATION_BUILDER_H_
diff --git a/chromium/net/test/run_all_unittests.cc b/chromium/net/test/run_all_unittests.cc
index 53f833838bf..d1c2c98e229 100644
--- a/chromium/net/test/run_all_unittests.cc
+++ b/chromium/net/test/run_all_unittests.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,7 +8,6 @@
 #include "base/build_time.h"
 #include "base/test/launcher/unit_test_launcher.h"
 #include "build/build_config.h"
-#include "crypto/nss_util.h"
 #include "net/socket/transport_client_socket_pool.h"
 #include "net/test/net_test_suite.h"
 #include "url/buildflags.h"
diff --git a/chromium/net/test/scoped_disable_exit_on_dfatal.cc b/chromium/net/test/scoped_disable_exit_on_dfatal.cc
index 6e81cab2187..b78464705a4 100644
--- a/chromium/net/test/scoped_disable_exit_on_dfatal.cc
+++ b/chromium/net/test/scoped_disable_exit_on_dfatal.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/scoped_disable_exit_on_dfatal.h b/chromium/net/test/scoped_disable_exit_on_dfatal.h
index 5e8712b3a7d..8e90bb0ec66 100644
--- a/chromium/net/test/scoped_disable_exit_on_dfatal.h
+++ b/chromium/net/test/scoped_disable_exit_on_dfatal.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/spawned_test_server/base_test_server.cc b/chromium/net/test/spawned_test_server/base_test_server.cc
index 83a35eda450..a2ebd3edf46 100644
--- a/chromium/net/test/spawned_test_server/base_test_server.cc
+++ b/chromium/net/test/spawned_test_server/base_test_server.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -225,12 +225,10 @@ bool BaseTestServer::GetFilePathWithReplacements(
 }
 
 ScopedTestRoot BaseTestServer::RegisterTestCerts() {
-  auto root1 =
-      ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem");
-  auto root2 = ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
-  if (!root1 || !root2)
+  auto root = ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
+  if (!root)
     return ScopedTestRoot();
-  return ScopedTestRoot(CertificateList{root1, root2});
+  return ScopedTestRoot(CertificateList{root});
 }
 
 bool BaseTestServer::LoadTestRootCert() {
diff --git a/chromium/net/test/spawned_test_server/base_test_server.h b/chromium/net/test/spawned_test_server/base_test_server.h
index 3475e324c7c..6f3fc6b4b69 100644
--- a/chromium/net/test/spawned_test_server/base_test_server.h
+++ b/chromium/net/test/spawned_test_server/base_test_server.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/spawned_test_server/local_test_server.cc b/chromium/net/test/spawned_test_server/local_test_server.cc
index 657b260f14d..908afff9b1a 100644
--- a/chromium/net/test/spawned_test_server/local_test_server.cc
+++ b/chromium/net/test/spawned_test_server/local_test_server.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -194,9 +194,9 @@ bool LocalTestServer::AddCommandLineArguments(
 
     // Add arguments from a list.
     if (value.is_list()) {
-      if (value.GetListDeprecated().empty())
+      if (value.GetList().empty())
         return false;
-      for (const auto& entry : value.GetListDeprecated()) {
+      for (const auto& entry : value.GetList()) {
         if (!AppendArgumentFromJSONValue(key, entry, command_line))
           return false;
       }
diff --git a/chromium/net/test/spawned_test_server/local_test_server.h b/chromium/net/test/spawned_test_server/local_test_server.h
index 97834df6582..0ca80b0a114 100644
--- a/chromium/net/test/spawned_test_server/local_test_server.h
+++ b/chromium/net/test/spawned_test_server/local_test_server.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/spawned_test_server/local_test_server_posix.cc b/chromium/net/test/spawned_test_server/local_test_server_posix.cc
index 3b1d1dccccd..bfc13b6a6cb 100644
--- a/chromium/net/test/spawned_test_server/local_test_server_posix.cc
+++ b/chromium/net/test/spawned_test_server/local_test_server_posix.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/spawned_test_server/local_test_server_win.cc b/chromium/net/test/spawned_test_server/local_test_server_win.cc
index 529a0f2cd48..e18e0a202f2 100644
--- a/chromium/net/test/spawned_test_server/local_test_server_win.cc
+++ b/chromium/net/test/spawned_test_server/local_test_server_win.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/spawned_test_server/remote_test_server.cc b/chromium/net/test/spawned_test_server/remote_test_server.cc
index cdb39de7a74..ad78e293312 100644
--- a/chromium/net/test/spawned_test_server/remote_test_server.cc
+++ b/chromium/net/test/spawned_test_server/remote_test_server.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/spawned_test_server/remote_test_server.h b/chromium/net/test/spawned_test_server/remote_test_server.h
index e1a70f3cfa6..08fdec3c56e 100644
--- a/chromium/net/test/spawned_test_server/remote_test_server.h
+++ b/chromium/net/test/spawned_test_server/remote_test_server.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc b/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc
index f56dd4c4b12..e3f192430ff 100644
--- a/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc
+++ b/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.h b/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.h
index c1d3bc7fcd2..b5a30d1032a 100644
--- a/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.h
+++ b/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/spawned_test_server/spawned_test_server.h b/chromium/net/test/spawned_test_server/spawned_test_server.h
index 662a9467df3..0213b023b00 100644
--- a/chromium/net/test/spawned_test_server/spawned_test_server.h
+++ b/chromium/net/test/spawned_test_server/spawned_test_server.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/ssl_test_util.cc b/chromium/net/test/ssl_test_util.cc
index a02cdc94f1d..5268ad9d4f5 100644
--- a/chromium/net/test/ssl_test_util.cc
+++ b/chromium/net/test/ssl_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/ssl_test_util.h b/chromium/net/test/ssl_test_util.h
index e983ad3c25b..c78bef954c5 100644
--- a/chromium/net/test/ssl_test_util.h
+++ b/chromium/net/test/ssl_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/test_certificate_data.h b/chromium/net/test/test_certificate_data.h
index 625102d947f..7e35b37a59b 100644
--- a/chromium/net/test/test_certificate_data.h
+++ b/chromium/net/test/test_certificate_data.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/test_connection_cost_observer.cc b/chromium/net/test/test_connection_cost_observer.cc
new file mode 100644
index 00000000000..7967e63e6cf
--- /dev/null
+++ b/chromium/net/test/test_connection_cost_observer.cc
@@ -0,0 +1,51 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/test/test_connection_cost_observer.h"
+
+namespace net {
+
+TestConnectionCostObserver::TestConnectionCostObserver() = default;
+
+TestConnectionCostObserver::~TestConnectionCostObserver() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+}
+
+void TestConnectionCostObserver::OnConnectionCostChanged(
+    NetworkChangeNotifier::ConnectionCost cost) {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  cost_changed_inputs_.push_back(cost);
+
+  if (run_loop_) {
+    run_loop_->Quit();
+  }
+}
+
+void TestConnectionCostObserver::WaitForConnectionCostChanged() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  run_loop_ = std::make_unique<base::RunLoop>();
+  run_loop_->Run();
+  run_loop_.reset();
+}
+
+size_t TestConnectionCostObserver::cost_changed_calls() const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  return cost_changed_inputs_.size();
+}
+
+std::vector<NetworkChangeNotifier::ConnectionCost>
+TestConnectionCostObserver::cost_changed_inputs() const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  return cost_changed_inputs_;
+}
+
+NetworkChangeNotifier::ConnectionCost
+TestConnectionCostObserver::last_cost_changed_input() const {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  CHECK_GT(cost_changed_inputs_.size(), 0u);
+  return cost_changed_inputs_.back();
+}
+
+}  // namespace net
diff --git a/chromium/net/test/test_connection_cost_observer.h b/chromium/net/test/test_connection_cost_observer.h
new file mode 100644
index 00000000000..913368a28af
--- /dev/null
+++ b/chromium/net/test/test_connection_cost_observer.h
@@ -0,0 +1,47 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_TEST_TEST_CONNECTION_COST_OBSERVER_H_
+#define NET_TEST_TEST_CONNECTION_COST_OBSERVER_H_
+
+#include "base/run_loop.h"
+#include "base/sequence_checker.h"
+#include "net/base/network_change_notifier.h"
+
+namespace net {
+
+class TestConnectionCostObserver final
+    : public NetworkChangeNotifier::ConnectionCostObserver {
+ public:
+  TestConnectionCostObserver();
+  ~TestConnectionCostObserver() final;
+
+  void OnConnectionCostChanged(
+      NetworkChangeNotifier::ConnectionCost cost) final;
+
+  void WaitForConnectionCostChanged();
+
+  size_t cost_changed_calls() const;
+  std::vector<NetworkChangeNotifier::ConnectionCost> cost_changed_inputs()
+      const;
+  NetworkChangeNotifier::ConnectionCost last_cost_changed_input() const;
+
+  TestConnectionCostObserver(const TestConnectionCostObserver&) = delete;
+  TestConnectionCostObserver& operator=(const TestConnectionCostObserver&) =
+      delete;
+
+ private:
+  SEQUENCE_CHECKER(sequence_checker_);
+
+  // Set and used to block in `WaitForConnectionCostChanged()` until the next
+  // cost changed event occurs.
+  std::unique_ptr<base::RunLoop> run_loop_;
+
+  // Record each `OnConnectionCostChanged()` call.
+  std::vector<NetworkChangeNotifier::ConnectionCost> cost_changed_inputs_;
+};
+
+}  // namespace net
+
+#endif  // NET_TEST_TEST_CONNECTION_COST_OBSERVER_H_
diff --git a/chromium/net/test/test_data_directory.cc b/chromium/net/test/test_data_directory.cc
index 80540f3c1ae..efde4ca3fed 100644
--- a/chromium/net/test/test_data_directory.cc
+++ b/chromium/net/test/test_data_directory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/test_data_directory.h b/chromium/net/test/test_data_directory.h
index 7d5711cbf15..b5b59415fa3 100644
--- a/chromium/net/test/test_data_directory.h
+++ b/chromium/net/test/test_data_directory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/test_doh_server.cc b/chromium/net/test/test_doh_server.cc
index cb3a1dc22f3..d00fa029be4 100644
--- a/chromium/net/test/test_doh_server.cc
+++ b/chromium/net/test/test_doh_server.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/test_doh_server.h b/chromium/net/test/test_doh_server.h
index 64d2554bdf9..0b00dea9d6a 100644
--- a/chromium/net/test/test_doh_server.h
+++ b/chromium/net/test/test_doh_server.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/test_with_task_environment.h b/chromium/net/test/test_with_task_environment.h
index 3e038e35559..6ab45fa7542 100644
--- a/chromium/net/test/test_with_task_environment.h
+++ b/chromium/net/test/test_with_task_environment.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/ssl_certificate_error_job.cc b/chromium/net/test/url_request/ssl_certificate_error_job.cc
index 216eb9089ef..e6b53200e9b 100644
--- a/chromium/net/test/url_request/ssl_certificate_error_job.cc
+++ b/chromium/net/test/url_request/ssl_certificate_error_job.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/ssl_certificate_error_job.h b/chromium/net/test/url_request/ssl_certificate_error_job.h
index d61140c44f7..23eadd4e461 100644
--- a/chromium/net/test/url_request/ssl_certificate_error_job.h
+++ b/chromium/net/test/url_request/ssl_certificate_error_job.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_failed_job.cc b/chromium/net/test/url_request/url_request_failed_job.cc
index 4bc5769bb6f..10a283e040b 100644
--- a/chromium/net/test/url_request/url_request_failed_job.cc
+++ b/chromium/net/test/url_request/url_request_failed_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_failed_job.h b/chromium/net/test/url_request/url_request_failed_job.h
index 82f91ba05f1..1fa71f635e8 100644
--- a/chromium/net/test/url_request/url_request_failed_job.h
+++ b/chromium/net/test/url_request/url_request_failed_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_hanging_read_job.cc b/chromium/net/test/url_request/url_request_hanging_read_job.cc
index b03430abf16..03459e05658 100644
--- a/chromium/net/test/url_request/url_request_hanging_read_job.cc
+++ b/chromium/net/test/url_request/url_request_hanging_read_job.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_hanging_read_job.h b/chromium/net/test/url_request/url_request_hanging_read_job.h
index 3350e5596f5..e6e838c30ef 100644
--- a/chromium/net/test/url_request/url_request_hanging_read_job.h
+++ b/chromium/net/test/url_request/url_request_hanging_read_job.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_mock_data_job.cc b/chromium/net/test/url_request/url_request_mock_data_job.cc
index 72cbaeb8d92..72678b43dcf 100644
--- a/chromium/net/test/url_request/url_request_mock_data_job.cc
+++ b/chromium/net/test/url_request/url_request_mock_data_job.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_mock_data_job.h b/chromium/net/test/url_request/url_request_mock_data_job.h
index 1d207bc3449..d0d1620a4aa 100644
--- a/chromium/net/test/url_request/url_request_mock_data_job.h
+++ b/chromium/net/test/url_request/url_request_mock_data_job.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_mock_http_job.cc b/chromium/net/test/url_request/url_request_mock_http_job.cc
index dd726cef871..449afaa181f 100644
--- a/chromium/net/test/url_request/url_request_mock_http_job.cc
+++ b/chromium/net/test/url_request/url_request_mock_http_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_mock_http_job.h b/chromium/net/test/url_request/url_request_mock_http_job.h
index 254f6bf5106..4433f5b5867 100644
--- a/chromium/net/test/url_request/url_request_mock_http_job.h
+++ b/chromium/net/test/url_request/url_request_mock_http_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/test/url_request/url_request_test_job_backed_by_file.cc b/chromium/net/test/url_request/url_request_test_job_backed_by_file.cc
index fb8aef4faf2..182eb77af81 100644
--- a/chromium/net/test/url_request/url_request_test_job_backed_by_file.cc
+++ b/chromium/net/test/url_request/url_request_test_job_backed_by_file.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_test_job_backed_by_file.h b/chromium/net/test/url_request/url_request_test_job_backed_by_file.h
index e0b01b72733..15eec93882f 100644
--- a/chromium/net/test/url_request/url_request_test_job_backed_by_file.h
+++ b/chromium/net/test/url_request/url_request_test_job_backed_by_file.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/url_request/url_request_test_job_backed_by_file_unittest.cc b/chromium/net/test/url_request/url_request_test_job_backed_by_file_unittest.cc
index 74613d2b37b..5f811f93e13 100644
--- a/chromium/net/test/url_request/url_request_test_job_backed_by_file_unittest.cc
+++ b/chromium/net/test/url_request/url_request_test_job_backed_by_file_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/test/win/fake_network_cost_manager.cc b/chromium/net/test/win/fake_network_cost_manager.cc
new file mode 100644
index 00000000000..7c053ff561b
--- /dev/null
+++ b/chromium/net/test/win/fake_network_cost_manager.cc
@@ -0,0 +1,309 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/test/win/fake_network_cost_manager.h"
+
+#include <netlistmgr.h>
+#include <wrl/implements.h>
+
+#include <map>
+
+#include "net/base/network_cost_change_notifier_win.h"
+
+using Microsoft::WRL::ClassicCom;
+using Microsoft::WRL::ComPtr;
+using Microsoft::WRL::RuntimeClass;
+using Microsoft::WRL::RuntimeClassFlags;
+
+namespace net {
+
+namespace {
+
+DWORD NlmConnectionCostFlagsFromConnectionCost(
+    NetworkChangeNotifier::ConnectionCost source_cost) {
+  switch (source_cost) {
+    case NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNMETERED:
+      return (NLM_CONNECTION_COST_UNRESTRICTED | NLM_CONNECTION_COST_CONGESTED);
+    case NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_METERED:
+      return (NLM_CONNECTION_COST_VARIABLE | NLM_CONNECTION_COST_ROAMING |
+              NLM_CONNECTION_COST_APPROACHINGDATALIMIT);
+    case NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN:
+    default:
+      return NLM_CONNECTION_COST_UNKNOWN;
+  }
+}
+
+void DispatchCostChangedEvent(ComPtr<INetworkCostManagerEvents> event_target,
+                              DWORD cost) {
+  std::ignore =
+      event_target->CostChanged(cost, /*destination_address=*/nullptr);
+}
+
+}  // namespace
+
+// A fake implementation of INetworkCostManager that can simulate costs, changed
+// costs and errors.
+class FakeNetworkCostManager final
+    : public RuntimeClass<RuntimeClassFlags<ClassicCom>,
+                          INetworkCostManager,
+                          IConnectionPointContainer,
+                          IConnectionPoint> {
+ public:
+  FakeNetworkCostManager(NetworkChangeNotifier::ConnectionCost connection_cost,
+                         NetworkCostManagerStatus error_status)
+      : error_status_(error_status), connection_cost_(connection_cost) {}
+
+  // For each event sink in `event_sinks_`, call
+  // `INetworkCostManagerEvents::CostChanged` with `changed_cost` on the event
+  // sink's task runner.
+  void PostCostChangedEvents(
+      NetworkChangeNotifier::ConnectionCost changed_cost) {
+    DWORD cost_for_changed_event;
+    std::map</*event_sink_cookie=*/DWORD, EventSinkRegistration>
+        event_sinks_for_changed_event;
+    {
+      base::AutoLock auto_lock(member_lock_);
+      connection_cost_ = changed_cost;
+      cost_for_changed_event =
+          NlmConnectionCostFlagsFromConnectionCost(changed_cost);
+
+      // Get the snapshot of event sinks to notify.  The snapshot collection
+      // creates a new ComPtr for each event sink, which increments each the
+      // event sink's reference count, ensuring that each event sink
+      // remains alive to receive the cost changed event notification.
+      event_sinks_for_changed_event = event_sinks_;
+    }
+
+    for (const auto& pair : event_sinks_for_changed_event) {
+      const auto& registration = pair.second;
+      registration.event_sink_task_runner_->PostTask(
+          FROM_HERE,
+          base::BindOnce(&DispatchCostChangedEvent, registration.event_sink_,
+                         cost_for_changed_event));
+    }
+  }
+
+  // Implement the INetworkCostManager interface.
+  HRESULT
+  __stdcall GetCost(DWORD* cost,
+                    NLM_SOCKADDR* destination_ip_address) override {
+    if (error_status_ == NetworkCostManagerStatus::kErrorGetCostFailed) {
+      return E_FAIL;
+    }
+
+    if (destination_ip_address != nullptr) {
+      NOTIMPLEMENTED();
+      return E_NOTIMPL;
+    }
+
+    {
+      base::AutoLock auto_lock(member_lock_);
+      *cost = NlmConnectionCostFlagsFromConnectionCost(connection_cost_);
+    }
+    return S_OK;
+  }
+
+  HRESULT __stdcall GetDataPlanStatus(
+      NLM_DATAPLAN_STATUS* data_plan_status,
+      NLM_SOCKADDR* destination_ip_address) override {
+    NOTIMPLEMENTED();
+    return E_NOTIMPL;
+  }
+
+  HRESULT __stdcall SetDestinationAddresses(
+      UINT32 length,
+      NLM_SOCKADDR* destination_ip_address_list,
+      VARIANT_BOOL append) override {
+    NOTIMPLEMENTED();
+    return E_NOTIMPL;
+  }
+
+  // Implement the IConnectionPointContainer interface.
+  HRESULT __stdcall FindConnectionPoint(REFIID connection_point_id,
+                                        IConnectionPoint** result) override {
+    if (error_status_ ==
+        NetworkCostManagerStatus::kErrorFindConnectionPointFailed) {
+      return E_ABORT;
+    }
+
+    if (connection_point_id != IID_INetworkCostManagerEvents) {
+      return E_NOINTERFACE;
+    }
+
+    *result = static_cast<IConnectionPoint*>(this);
+    AddRef();
+    return S_OK;
+  }
+
+  HRESULT __stdcall EnumConnectionPoints(
+      IEnumConnectionPoints** results) override {
+    NOTIMPLEMENTED();
+    return E_NOTIMPL;
+  }
+
+  // Implement the IConnectionPoint interface.
+  HRESULT __stdcall Advise(IUnknown* event_sink,
+                           DWORD* event_sink_cookie) override {
+    if (error_status_ == NetworkCostManagerStatus::kErrorAdviseFailed) {
+      return E_NOT_VALID_STATE;
+    }
+
+    ComPtr<INetworkCostManagerEvents> cost_manager_event_sink;
+    HRESULT hr =
+        event_sink->QueryInterface(IID_PPV_ARGS(&cost_manager_event_sink));
+    if (hr != S_OK) {
+      return hr;
+    }
+
+    base::AutoLock auto_lock(member_lock_);
+
+    event_sinks_[next_event_sink_cookie_] = {
+        cost_manager_event_sink, base::SequencedTaskRunnerHandle::Get()};
+
+    *event_sink_cookie = next_event_sink_cookie_;
+    ++next_event_sink_cookie_;
+
+    return S_OK;
+  }
+
+  HRESULT __stdcall Unadvise(DWORD event_sink_cookie) override {
+    base::AutoLock auto_lock(member_lock_);
+
+    auto it = event_sinks_.find(event_sink_cookie);
+    if (it == event_sinks_.end()) {
+      return ERROR_NOT_FOUND;
+    }
+
+    event_sinks_.erase(it);
+    return S_OK;
+  }
+
+  HRESULT __stdcall GetConnectionInterface(IID* result) override {
+    NOTIMPLEMENTED();
+    return E_NOTIMPL;
+  }
+
+  HRESULT __stdcall GetConnectionPointContainer(
+      IConnectionPointContainer** result) override {
+    NOTIMPLEMENTED();
+    return E_NOTIMPL;
+  }
+
+  HRESULT __stdcall EnumConnections(IEnumConnections** result) override {
+    NOTIMPLEMENTED();
+    return E_NOTIMPL;
+  }
+
+  // Implement the IUnknown interface.
+  HRESULT __stdcall QueryInterface(REFIID interface_id,
+                                   void** result) override {
+    if (error_status_ == NetworkCostManagerStatus::kErrorQueryInterfaceFailed) {
+      return E_NOINTERFACE;
+    }
+    return RuntimeClass<RuntimeClassFlags<ClassicCom>, INetworkCostManager,
+                        IConnectionPointContainer,
+                        IConnectionPoint>::QueryInterface(interface_id, result);
+  }
+
+  FakeNetworkCostManager(const FakeNetworkCostManager&) = delete;
+  FakeNetworkCostManager& operator=(const FakeNetworkCostManager&) = delete;
+
+ private:
+  // The error state for this FakeNetworkCostManager to simulate.  Cannot be
+  // changed.
+  const NetworkCostManagerStatus error_status_;
+
+  // Synchronizes access to all members below.
+  base::Lock member_lock_;
+
+  NetworkChangeNotifier::ConnectionCost connection_cost_
+      GUARDED_BY(member_lock_);
+
+  DWORD next_event_sink_cookie_ GUARDED_BY(member_lock_) = 0;
+
+  struct EventSinkRegistration {
+    ComPtr<INetworkCostManagerEvents> event_sink_;
+    scoped_refptr<base::SequencedTaskRunner> event_sink_task_runner_;
+  };
+  std::map</*event_sink_cookie=*/DWORD, EventSinkRegistration> event_sinks_
+      GUARDED_BY(member_lock_);
+};
+
+FakeNetworkCostManagerEnvironment::FakeNetworkCostManagerEnvironment() {
+  // Set up NetworkCostChangeNotifierWin to use the fake OS APIs.
+  NetworkCostChangeNotifierWin::OverrideCoCreateInstanceForTesting(
+      base::BindRepeating(
+          &FakeNetworkCostManagerEnvironment::FakeCoCreateInstance,
+          base::Unretained(this)));
+}
+
+FakeNetworkCostManagerEnvironment::~FakeNetworkCostManagerEnvironment() {
+  // Restore NetworkCostChangeNotifierWin to use the real OS APIs.
+  NetworkCostChangeNotifierWin::OverrideCoCreateInstanceForTesting(
+      NetworkCostChangeNotifierWin::CoCreateInstanceCallback());
+}
+
+HRESULT FakeNetworkCostManagerEnvironment::FakeCoCreateInstance(
+    REFCLSID class_id,
+    LPUNKNOWN outer_aggregate,
+    DWORD context_flags,
+    REFIID interface_id,
+    LPVOID* result) {
+  NetworkChangeNotifier::ConnectionCost connection_cost_for_new_instance;
+  NetworkCostManagerStatus error_status_for_new_instance;
+  {
+    base::AutoLock auto_lock(member_lock_);
+    connection_cost_for_new_instance = connection_cost_;
+    error_status_for_new_instance = error_status_;
+  }
+
+  if (error_status_for_new_instance ==
+      NetworkCostManagerStatus::kErrorCoCreateInstanceFailed) {
+    return E_ACCESSDENIED;
+  }
+
+  if (class_id != CLSID_NetworkListManager) {
+    return E_NOINTERFACE;
+  }
+
+  if (interface_id != IID_INetworkCostManager) {
+    return E_NOINTERFACE;
+  }
+
+  ComPtr<FakeNetworkCostManager> instance =
+      Microsoft::WRL::Make<FakeNetworkCostManager>(
+          connection_cost_for_new_instance, error_status_for_new_instance);
+  {
+    base::AutoLock auto_lock(member_lock_);
+    fake_network_cost_managers_.push_back(instance);
+  }
+  *result = instance.Detach();
+  return S_OK;
+}
+
+void FakeNetworkCostManagerEnvironment::SetCost(
+    NetworkChangeNotifier::ConnectionCost value) {
+  // Update the cost for each `INetworkCostManager` instance in
+  // `fake_network_cost_managers_`.
+  std::vector<Microsoft::WRL::ComPtr<FakeNetworkCostManager>>
+      fake_network_cost_managers_for_change_event;
+  {
+    base::AutoLock auto_lock(member_lock_);
+    connection_cost_ = value;
+    fake_network_cost_managers_for_change_event = fake_network_cost_managers_;
+  }
+
+  for (const auto& network_cost_manager :
+       fake_network_cost_managers_for_change_event) {
+    network_cost_manager->PostCostChangedEvents(/*connection_cost=*/value);
+  }
+}
+
+void FakeNetworkCostManagerEnvironment::SimulateError(
+    NetworkCostManagerStatus error_status) {
+  base::AutoLock auto_lock(member_lock_);
+  error_status_ = error_status;
+}
+
+}  // namespace net
diff --git a/chromium/net/test/win/fake_network_cost_manager.h b/chromium/net/test/win/fake_network_cost_manager.h
new file mode 100644
index 00000000000..fd6348e6bc3
--- /dev/null
+++ b/chromium/net/test/win/fake_network_cost_manager.h
@@ -0,0 +1,84 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_TEST_WIN_FAKE_NETWORK_COST_MANAGER_H_
+#define NET_TEST_WIN_FAKE_NETWORK_COST_MANAGER_H_
+
+#include <windows.h>
+#include <wrl/client.h>
+
+#include <vector>
+
+#include "base/synchronization/lock.h"
+#include "base/thread_annotations.h"
+#include "net/base/network_change_notifier.h"
+
+namespace net {
+class FakeNetworkCostManager;
+
+// Each value represents a different Windows OS API that can fail when
+// monitoring the cost of network connections.  Use with
+// `FakeNetworkCostManagerEnvironment::SimulateError` to simulate Windows OS API
+// failures that return error HRESULTS.
+enum class NetworkCostManagerStatus {
+  kOk,
+  kErrorCoCreateInstanceFailed,
+  kErrorQueryInterfaceFailed,
+  kErrorFindConnectionPointFailed,
+  kErrorAdviseFailed,
+  kErrorGetCostFailed,
+};
+
+// Provides a fake implementation of the INetworkCostManager Windows OS API for
+// NetworkCostChangeNotifierWin.  Must be constructed before any
+// NetworkCostChangeNotifierWin instances exist.  Sets up the fake OS API in the
+// constructor and restores the real OS API in the destructor.  Tests should use
+// this class to simulate different network costs, cost changed events and
+// errors without depending on the actual OS APIs or current network
+// environment.
+class FakeNetworkCostManagerEnvironment {
+ public:
+  FakeNetworkCostManagerEnvironment();
+  ~FakeNetworkCostManagerEnvironment();
+
+  void SetCost(NetworkChangeNotifier::ConnectionCost value);
+  void SimulateError(NetworkCostManagerStatus error_status);
+
+  FakeNetworkCostManagerEnvironment(const FakeNetworkCostManagerEnvironment&) =
+      delete;
+  FakeNetworkCostManagerEnvironment& operator=(
+      const FakeNetworkCostManagerEnvironment&) = delete;
+
+ private:
+  // Creates a fake implementation of INetworkCostManager.
+  HRESULT FakeCoCreateInstance(REFCLSID class_id,
+                               LPUNKNOWN outer_aggregate,
+                               DWORD context_flags,
+                               REFIID interface_id,
+                               LPVOID* result);
+
+  // Members must be accessed while holding this lock to support the creation
+  // and use of `FakeNetworkCostManager` instances on any thread.
+  base::Lock member_lock_;
+
+  // The connection cost to simulate.
+  NetworkChangeNotifier::ConnectionCost connection_cost_
+      GUARDED_BY(member_lock_) =
+          NetworkChangeNotifier::ConnectionCost::CONNECTION_COST_UNKNOWN;
+
+  // When FakeNetworkCostManagerEnvironment creates a new
+  // FakeNetworkCostManager, the new FakeNetworkCostManager will simulate this
+  // error.
+  NetworkCostManagerStatus error_status_ GUARDED_BY(member_lock_) =
+      NetworkCostManagerStatus::kOk;
+
+  // Holds the fake implementations of INetworkCostManager constructed through
+  // FakeCoCreateInstance.
+  std::vector<Microsoft::WRL::ComPtr<FakeNetworkCostManager>>
+      fake_network_cost_managers_ GUARDED_BY(member_lock_);
+};
+
+}  // namespace net
+
+#endif  // NET_TEST_WIN_FAKE_NETWORK_COST_MANAGER_H_
diff --git a/chromium/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp b/chromium/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
index 39e9a6267d3..c2801c6c53a 100644
--- a/chromium/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
+++ b/chromium/net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp
@@ -64,12 +64,17 @@ bool ImportCACerts(PK11SlotInfo* slot,
   // Mozilla had some code here to check if a perm version of the cert exists
   // already and use that, but CERT_NewTempCertificate actually does that
   // itself, so we skip it here.
+  PRBool root_is_perm;
+  if (net::x509_util::GetCertIsPerm(root, &root_is_perm) != SECSuccess) {
+    LOG(ERROR) << "CERT_GetCertIsPerm failed with error " << PORT_GetError();
+    return false;
+  }
 
   if (!CERT_IsCACert(root, NULL)) {
     not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
         net::x509_util::DupCERTCertificate(root),
         net::ERR_IMPORT_CA_CERT_NOT_CA));
-  } else if (root->isperm) {
+  } else if (root_is_perm) {
     // Mozilla just returns here, but we continue in case there are other certs
     // in the list which aren't already imported.
     // TODO(mattm): should we set/add trust if it differs from the present
@@ -118,7 +123,12 @@ bool ImportCACerts(PK11SlotInfo* slot,
       continue;
     }
 
-    if (cert->isperm) {
+    PRBool cert_is_perm;
+    if (net::x509_util::GetCertIsPerm(cert, &cert_is_perm) != SECSuccess) {
+      LOG(ERROR) << "CERT_GetCertIsPerm failed with error " << PORT_GetError();
+      return false;
+    }
+    if (cert_is_perm) {
       not_imported->push_back(net::NSSCertDatabase::ImportCertFailure(
           net::x509_util::DupCERTCertificate(cert),
           net::ERR_IMPORT_CERT_ALREADY_EXISTS));
diff --git a/chromium/net/third_party/nist-pkits/BUILD.gn b/chromium/net/third_party/nist-pkits/BUILD.gn
index a1d8b3f6c95..95678407a14 100644
--- a/chromium/net/third_party/nist-pkits/BUILD.gn
+++ b/chromium/net/third_party/nist-pkits/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/third_party/nist-pkits/generate_tests.py b/chromium/net/third_party/nist-pkits/generate_tests.py
index 2da0c120d7f..2711d233d1b 100644
--- a/chromium/net/third_party/nist-pkits/generate_tests.py
+++ b/chromium/net/third_party/nist-pkits/generate_tests.py
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -22,7 +22,7 @@ import tempfile
 
 
 def sanitize_name(s):
-  return s.translate(None, ' -')
+  return s.translate(str.maketrans('', '', ' -'))
 
 
 def finalize_test_case(test_case_name, sanitized_test_names, output):
@@ -107,9 +107,9 @@ WRAPPED_TYPED_TEST_P(%(test_case_name)s, %(sanitized_test_name)s) {
 
 
 # Matches a section header, ex: "4.1 Signature Verification"
-SECTION_MATCHER = re.compile('^\s*(\d+\.\d+)\s+(.+)\s*$')
+SECTION_MATCHER = re.compile('^\s*(\d+\.\d+)\s+(.+?)\s*\ufffd?$')
 # Matches a test header, ex: "4.1.1 Valid Signatures Test1"
-TEST_MATCHER = re.compile('^\s*(\d+\.\d+.\d+)\s+(.+)\s*$')
+TEST_MATCHER = re.compile('^\s*(\d+\.\d+.\d+)\s+(.+?)\s*\ufffd?$')
 
 # Matches the various headers in a test specification.
 EXPECTED_HEADER_MATCHER = re.compile('^\s*Expected Result:')
@@ -131,7 +131,7 @@ TEST_RESULT_MATCHER = re.compile(
 
 # Matches a line in the certification path, ex:
 #    "\u2022 Good CA Cert, Good CA CRL"
-PATH_MATCHER = re.compile('^\s*\xe2\x80\xa2\s*(.+)\s*$')
+PATH_MATCHER = re.compile('^\s*\u2022\s*(.+)\s*$')
 # Matches a page number. These may appear in the middle of multi-line fields and
 # thus need to be ignored.
 PAGE_NUMBER_MATCHER = re.compile('^\s*\d+\s*$')
@@ -1174,7 +1174,7 @@ def main():
   subprocess.check_call(['pdftotext', '-layout', '-nopgbrk', '-eol', 'unix',
                          pkits_pdf_path, pkits_txt_file.name])
 
-  test_descriptions = pkits_txt_file.read()
+  test_descriptions = pkits_txt_file.read().decode('utf-8')
 
   # Extract section 4 of the text, which is the part that contains the tests.
   test_descriptions = test_descriptions.split(
diff --git a/chromium/net/third_party/quiche/BUILD.gn b/chromium/net/third_party/quiche/BUILD.gn
index d88fb52de74..e8afd81e9e8 100644
--- a/chromium/net/third_party/quiche/BUILD.gn
+++ b/chromium/net/third_party/quiche/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright (c) 2020 The Chromium Authors. All rights reserved.
+# Copyright 2020 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -35,6 +35,7 @@ config("quiche_internal_config") {
   if (is_clang) {
     cflags += [
       "-Wno-unused-private-field",
+      "-Wno-shadow",
       "-Wno-sign-compare",
     ]
   }
@@ -48,8 +49,6 @@ config("quiche_config") {
     "src/quiche/common/platform/default",
     "src",
   ]
-
-  cflags = [ "-Wno-shadow" ]
 }
 
 component("quiche") {
@@ -101,14 +100,22 @@ component("quiche") {
     "src/quiche/common/quiche_buffer_allocator.cc",
     "src/quiche/common/quiche_buffer_allocator.h",
     "src/quiche/common/quiche_circular_deque.h",
+    "src/quiche/common/quiche_crypto_logging.cc",
+    "src/quiche/common/quiche_crypto_logging.h",
     "src/quiche/common/quiche_data_reader.cc",
     "src/quiche/common/quiche_data_reader.h",
     "src/quiche/common/quiche_data_writer.cc",
     "src/quiche/common/quiche_data_writer.h",
     "src/quiche/common/quiche_endian.h",
+    "src/quiche/common/quiche_ip_address.cc",
+    "src/quiche/common/quiche_ip_address.h",
+    "src/quiche/common/quiche_ip_address_family.cc",
+    "src/quiche/common/quiche_ip_address_family.h",
     "src/quiche/common/quiche_linked_hash_map.h",
     "src/quiche/common/quiche_mem_slice_storage.cc",
     "src/quiche/common/quiche_mem_slice_storage.h",
+    "src/quiche/common/quiche_random.cc",
+    "src/quiche/common/quiche_random.h",
     "src/quiche/common/quiche_text_utils.cc",
     "src/quiche/common/quiche_text_utils.h",
     "src/quiche/common/simple_buffer_allocator.cc",
@@ -262,6 +269,7 @@ component("quiche") {
     "src/quiche/quic/core/congestion_control/uber_loss_algorithm.cc",
     "src/quiche/quic/core/congestion_control/uber_loss_algorithm.h",
     "src/quiche/quic/core/congestion_control/windowed_filter.h",
+    "src/quiche/quic/core/connection_id_generator.h",
     "src/quiche/quic/core/crypto/aead_base_decrypter.cc",
     "src/quiche/quic/core/crypto/aead_base_decrypter.h",
     "src/quiche/quic/core/crypto/aead_base_encrypter.cc",
@@ -350,8 +358,6 @@ component("quiche") {
     "src/quiche/quic/core/crypto/quic_encrypter.h",
     "src/quiche/quic/core/crypto/quic_hkdf.cc",
     "src/quiche/quic/core/crypto/quic_hkdf.h",
-    "src/quiche/quic/core/crypto/quic_random.cc",
-    "src/quiche/quic/core/crypto/quic_random.h",
     "src/quiche/quic/core/crypto/tls_client_connection.cc",
     "src/quiche/quic/core/crypto/tls_client_connection.h",
     "src/quiche/quic/core/crypto/tls_connection.cc",
@@ -362,6 +368,8 @@ component("quiche") {
     "src/quiche/quic/core/crypto/transport_parameters.h",
     "src/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.cc",
     "src/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier.h",
+    "src/quiche/quic/core/deterministic_connection_id_generator.cc",
+    "src/quiche/quic/core/deterministic_connection_id_generator.h",
     "src/quiche/quic/core/frames/quic_ack_frame.cc",
     "src/quiche/quic/core/frames/quic_ack_frame.h",
     "src/quiche/quic/core/frames/quic_ack_frequency_frame.cc",
@@ -645,10 +653,6 @@ component("quiche") {
     "src/quiche/quic/platform/api/quic_flag_utils.h",
     "src/quiche/quic/platform/api/quic_flags.h",
     "src/quiche/quic/platform/api/quic_hostname_utils.h",
-    "src/quiche/quic/platform/api/quic_ip_address.cc",
-    "src/quiche/quic/platform/api/quic_ip_address.h",
-    "src/quiche/quic/platform/api/quic_ip_address_family.cc",
-    "src/quiche/quic/platform/api/quic_ip_address_family.h",
     "src/quiche/quic/platform/api/quic_logging.h",
     "src/quiche/quic/platform/api/quic_mutex.h",
     "src/quiche/quic/platform/api/quic_server_stats.h",
@@ -767,19 +771,14 @@ if (build_epoll_based_tools) {
       "overrides/quiche_platform_impl/epoll_logging_impl.h",
       "overrides/quiche_platform_impl/epoll_thread_impl.h",
       "overrides/quiche_platform_impl/quiche_udp_socket_platform_impl.h",
-      "src/quiche/common/platform/api/quiche_epoll.h",
-      "src/quiche/common/platform/api/quiche_stream_buffer_allocator.h",
       "src/quiche/common/platform/api/quiche_udp_socket_platform_api.h",
       "src/quiche/common/platform/default/quiche_platform_impl/quiche_stream_buffer_allocator_impl.h",
-      "src/quiche/epoll_server/platform/api/epoll_bug.h",
-      "src/quiche/epoll_server/platform/api/epoll_logging.h",
-      "src/quiche/epoll_server/platform/api/epoll_thread.h",
-      "src/quiche/epoll_server/simple_epoll_server.cc",
-      "src/quiche/epoll_server/simple_epoll_server.h",
+      "src/quiche/common/quiche_ip_address_family.cc",
+      "src/quiche/common/quiche_ip_address_family.h",
+      "src/quiche/quic/core/io/event_loop_connecting_client_socket.cc",
+      "src/quiche/quic/core/io/event_loop_connecting_client_socket.h",
       "src/quiche/quic/core/io/event_loop_socket_factory.cc",
       "src/quiche/quic/core/io/event_loop_socket_factory.h",
-      "src/quiche/quic/core/io/event_loop_tcp_client_socket.cc",
-      "src/quiche/quic/core/io/event_loop_tcp_client_socket.h",
       "src/quiche/quic/core/io/quic_default_event_loop.cc",
       "src/quiche/quic/core/io/quic_default_event_loop.h",
       "src/quiche/quic/core/io/quic_poll_event_loop.cc",
@@ -790,50 +789,39 @@ if (build_epoll_based_tools) {
       "src/quiche/quic/core/quic_default_clock.h",
       "src/quiche/quic/core/quic_default_packet_writer.cc",
       "src/quiche/quic/core/quic_default_packet_writer.h",
-      "src/quiche/quic/core/quic_epoll_alarm_factory.cc",
-      "src/quiche/quic/core/quic_epoll_alarm_factory.h",
-      "src/quiche/quic/core/quic_epoll_clock.cc",
-      "src/quiche/quic/core/quic_epoll_clock.h",
-      "src/quiche/quic/core/quic_epoll_connection_helper.cc",
-      "src/quiche/quic/core/quic_epoll_connection_helper.h",
       "src/quiche/quic/core/quic_packet_reader.cc",
       "src/quiche/quic/core/quic_packet_reader.h",
       "src/quiche/quic/core/quic_udp_socket.h",
       "src/quiche/quic/core/quic_udp_socket_posix.cc",
+      "src/quiche/quic/masque/masque_client.cc",
+      "src/quiche/quic/masque/masque_client.h",
       "src/quiche/quic/masque/masque_client_session.cc",
       "src/quiche/quic/masque/masque_client_session.h",
       "src/quiche/quic/masque/masque_client_tools.cc",
       "src/quiche/quic/masque/masque_client_tools.h",
       "src/quiche/quic/masque/masque_dispatcher.cc",
       "src/quiche/quic/masque/masque_dispatcher.h",
+      "src/quiche/quic/masque/masque_encapsulated_client.cc",
+      "src/quiche/quic/masque/masque_encapsulated_client.h",
       "src/quiche/quic/masque/masque_encapsulated_client_session.cc",
       "src/quiche/quic/masque/masque_encapsulated_client_session.h",
-      "src/quiche/quic/masque/masque_encapsulated_epoll_client.cc",
-      "src/quiche/quic/masque/masque_encapsulated_epoll_client.h",
-      "src/quiche/quic/masque/masque_epoll_client.cc",
-      "src/quiche/quic/masque/masque_epoll_client.h",
-      "src/quiche/quic/masque/masque_epoll_server.cc",
-      "src/quiche/quic/masque/masque_epoll_server.h",
+      "src/quiche/quic/masque/masque_server.cc",
+      "src/quiche/quic/masque/masque_server.h",
       "src/quiche/quic/masque/masque_server_backend.cc",
       "src/quiche/quic/masque/masque_server_backend.h",
       "src/quiche/quic/masque/masque_server_session.cc",
       "src/quiche/quic/masque/masque_server_session.h",
       "src/quiche/quic/masque/masque_utils.cc",
       "src/quiche/quic/masque/masque_utils.h",
-      "src/quiche/quic/platform/api/quic_epoll.h",
-      "src/quiche/quic/platform/api/quic_ip_address_family.cc",
-      "src/quiche/quic/platform/api/quic_ip_address_family.h",
       "src/quiche/quic/platform/api/quic_udp_socket_platform_api.h",
       "src/quiche/quic/tools/connect_tunnel.cc",
       "src/quiche/quic/tools/connect_tunnel.h",
-      "src/quiche/quic/tools/quic_client.cc",
-      "src/quiche/quic/tools/quic_client.h",
       "src/quiche/quic/tools/quic_client_default_network_helper.cc",
       "src/quiche/quic/tools/quic_client_default_network_helper.h",
-      "src/quiche/quic/tools/quic_client_epoll_network_helper.cc",
-      "src/quiche/quic/tools/quic_client_epoll_network_helper.h",
       "src/quiche/quic/tools/quic_default_client.cc",
       "src/quiche/quic/tools/quic_default_client.h",
+      "src/quiche/quic/tools/quic_name_lookup.cc",
+      "src/quiche/quic/tools/quic_name_lookup.h",
       "src/quiche/quic/tools/quic_server.cc",
       "src/quiche/quic/tools/quic_server.h",
     ]
@@ -945,14 +933,6 @@ if (build_epoll_based_tools) {
       "overrides/quiche_platform_impl/epoll_expect_bug_impl.h",
       "overrides/quiche_platform_impl/epoll_test_impl.h",
       "overrides/quiche_platform_impl/quiche_epoll_test_tools_impl.h",
-      "src/quiche/common/platform/api/quiche_epoll_test_tools.h",
-      "src/quiche/epoll_server/fake_simple_epoll_server.cc",
-      "src/quiche/epoll_server/fake_simple_epoll_server.h",
-      "src/quiche/epoll_server/platform/api/epoll_address_test_utils.h",
-      "src/quiche/epoll_server/platform/api/epoll_expect_bug.h",
-      "src/quiche/epoll_server/platform/api/epoll_test.h",
-      "src/quiche/quic/test_tools/quic_client_peer.cc",
-      "src/quiche/quic/test_tools/quic_client_peer.h",
       "src/quiche/quic/test_tools/quic_server_peer.cc",
       "src/quiche/quic/test_tools/quic_server_peer.h",
       "src/quiche/quic/test_tools/quic_test_client.cc",
@@ -1407,8 +1387,10 @@ source_set("quiche_tests") {
     "src/quiche/common/quiche_data_reader_test.cc",
     "src/quiche/common/quiche_data_writer_test.cc",
     "src/quiche/common/quiche_endian_test.cc",
+    "src/quiche/common/quiche_ip_address_test.cc",
     "src/quiche/common/quiche_linked_hash_map_test.cc",
     "src/quiche/common/quiche_mem_slice_storage_test.cc",
+    "src/quiche/common/quiche_random_test.cc",
     "src/quiche/common/quiche_text_utils_test.cc",
     "src/quiche/common/simple_buffer_allocator_test.cc",
     "src/quiche/common/structured_headers_generated_test.cc",
@@ -1502,7 +1484,6 @@ source_set("quiche_tests") {
     "src/quiche/quic/core/crypto/quic_crypto_client_config_test.cc",
     "src/quiche/quic/core/crypto/quic_crypto_server_config_test.cc",
     "src/quiche/quic/core/crypto/quic_hkdf_test.cc",
-    "src/quiche/quic/core/crypto/quic_random_test.cc",
     "src/quiche/quic/core/crypto/transport_parameters_test.cc",
     "src/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier_test.cc",
     "src/quiche/quic/core/frames/quic_frames_test.cc",
@@ -1602,7 +1583,6 @@ source_set("quiche_tests") {
     "src/quiche/quic/core/tls_client_handshaker_test.cc",
     "src/quiche/quic/core/uber_quic_stream_id_manager_test.cc",
     "src/quiche/quic/core/uber_received_packet_manager_test.cc",
-    "src/quiche/quic/platform/api/quic_ip_address_test.cc",
     "src/quiche/quic/platform/api/quic_socket_address_test.cc",
     "src/quiche/quic/test_tools/crypto_test_utils_test.cc",
     "src/quiche/quic/test_tools/quic_test_utils_test.cc",
@@ -1653,16 +1633,11 @@ source_set("quiche_tests") {
   if (build_epoll_based_tools) {
     sources += [
       "overrides/quiche_platform_impl/quiche_command_line_flags_test.cc",
-      "src/quiche/epoll_server/simple_epoll_server_test.cc",
       "src/quiche/quic/core/chlo_extractor_test.cc",
       "src/quiche/quic/core/http/end_to_end_test.cc",
       "src/quiche/quic/core/http/quic_spdy_client_session_test.cc",
       "src/quiche/quic/core/http/quic_spdy_client_stream_test.cc",
       "src/quiche/quic/core/http/quic_spdy_server_stream_base_test.cc",
-      "src/quiche/quic/core/quic_epoll_alarm_factory_test.cc",
-      "src/quiche/quic/core/quic_epoll_clock_test.cc",
-      "src/quiche/quic/core/quic_epoll_connection_helper_test.cc",
-      "src/quiche/quic/tools/quic_client_test.cc",
       "src/quiche/quic/tools/quic_default_client_test.cc",
       "src/quiche/quic/tools/quic_server_test.cc",
       "src/quiche/quic/tools/quic_simple_server_session_test.cc",
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_address_test_utils_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_address_test_utils_impl.h
index fe5a323d289..50229416b6b 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_address_test_utils_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_address_test_utils_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_bug_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_bug_impl.h
index b9ce5cf8709..e39e92e93e1 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_bug_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_bug_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_expect_bug_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_expect_bug_impl.h
index 1662b3c001f..32938d68076 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_expect_bug_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_expect_bug_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_logging_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_logging_impl.h
index 53bd7d662c8..55b3f014ea9 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_logging_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_logging_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_test_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_test_impl.h
index 7823d970fb1..20915212d84 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_test_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_test_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_thread_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_thread_impl.h
index 8d4efc02966..1741297dc73 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_thread_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/epoll_thread_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_bug_tracker_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_bug_tracker_impl.h
index 9212fda68e1..06751e4781b 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_bug_tracker_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_bug_tracker_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #ifndef NET_THIRD_PARTY_QUICHE_OVERRIDES_QUICHE_PLATFORM_IMPL_QUICHE_BUG_TRACKER_IMPL_H_
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_client_stats_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_client_stats_impl.h
index 52abf9ff2a3..ed28da18f69 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_client_stats_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_client_stats_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_impl.cc b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_impl.cc
index 4459227ecca..9a4c55fc4d4 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_impl.cc
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_impl.h
index 4e7425c5e6b..809c9d63b1e 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_test.cc b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_test.cc
index 81f8d04431f..caccad35cf7 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_test.cc
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_command_line_flags_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -56,9 +56,9 @@ class QuicheCommandLineFlagTest : public QuicheTest {
 };
 
 TEST_F(QuicheCommandLineFlagTest, DefaultValues) {
-  EXPECT_EQ(false, GetQuicheFlag(FLAGS_foo));
-  EXPECT_EQ(123, GetQuicheFlag(FLAGS_bar));
-  EXPECT_EQ("splash!", GetQuicheFlag(FLAGS_baz));
+  EXPECT_EQ(false, GetQuicheFlag(foo));
+  EXPECT_EQ(123, GetQuicheFlag(bar));
+  EXPECT_EQ("splash!", GetQuicheFlag(baz));
 }
 
 TEST_F(QuicheCommandLineFlagTest, NotSpecified) {
@@ -69,36 +69,36 @@ TEST_F(QuicheCommandLineFlagTest, NotSpecified) {
   std::vector<std::string> expected_args{"two", "three"};
   EXPECT_EQ(expected_args, parse_result.non_flag_args);
 
-  EXPECT_EQ(false, GetQuicheFlag(FLAGS_foo));
-  EXPECT_EQ(123, GetQuicheFlag(FLAGS_bar));
-  EXPECT_EQ("splash!", GetQuicheFlag(FLAGS_baz));
+  EXPECT_EQ(false, GetQuicheFlag(foo));
+  EXPECT_EQ(123, GetQuicheFlag(bar));
+  EXPECT_EQ("splash!", GetQuicheFlag(baz));
 }
 
 TEST_F(QuicheCommandLineFlagTest, BoolFlag) {
   for (const char* s :
        {"--foo", "--foo=1", "--foo=t", "--foo=True", "--foo=Y", "--foo=yes"}) {
-    SetQuicheFlag(FLAGS_foo, false);
+    SetQuicheFlag(foo, false);
     const char* argv[]{"argv0", s};
     auto parse_result = QuicheParseCommandLineFlagsForTest(
         "usage message", std::size(argv), argv);
     EXPECT_FALSE(parse_result.exit_status.has_value());
     EXPECT_TRUE(parse_result.non_flag_args.empty());
-    EXPECT_TRUE(GetQuicheFlag(FLAGS_foo));
+    EXPECT_TRUE(GetQuicheFlag(foo));
   }
 
   for (const char* s :
        {"--foo=0", "--foo=f", "--foo=False", "--foo=N", "--foo=no"}) {
-    SetQuicheFlag(FLAGS_foo, true);
+    SetQuicheFlag(foo, true);
     const char* argv[]{"argv0", s};
     auto parse_result = QuicheParseCommandLineFlagsForTest(
         "usage message", std::size(argv), argv);
     EXPECT_FALSE(parse_result.exit_status.has_value());
     EXPECT_TRUE(parse_result.non_flag_args.empty());
-    EXPECT_FALSE(GetQuicheFlag(FLAGS_foo));
+    EXPECT_FALSE(GetQuicheFlag(foo));
   }
 
   for (const char* s : {"--foo=7", "--foo=abc", "--foo=trueish"}) {
-    SetQuicheFlag(FLAGS_foo, false);
+    SetQuicheFlag(foo, false);
     const char* argv[]{"argv0", s};
 
     testing::internal::CaptureStderr();
@@ -111,24 +111,24 @@ TEST_F(QuicheCommandLineFlagTest, BoolFlag) {
     EXPECT_THAT(captured_stderr,
                 testing::ContainsRegex("Invalid value.*for flag --foo"));
     EXPECT_TRUE(parse_result.non_flag_args.empty());
-    EXPECT_FALSE(GetQuicheFlag(FLAGS_foo));
+    EXPECT_FALSE(GetQuicheFlag(foo));
   }
 }
 
 TEST_F(QuicheCommandLineFlagTest, Int32Flag) {
   for (const int i : {-1, 0, 100, 38239832}) {
-    SetQuicheFlag(FLAGS_bar, 0);
+    SetQuicheFlag(bar, 0);
     std::string flag_str = base::StringPrintf("--bar=%d", i);
     const char* argv[]{"argv0", flag_str.c_str()};
     auto parse_result = QuicheParseCommandLineFlagsForTest(
         "usage message", std::size(argv), argv);
     EXPECT_FALSE(parse_result.exit_status.has_value());
     EXPECT_TRUE(parse_result.non_flag_args.empty());
-    EXPECT_EQ(i, GetQuicheFlag(FLAGS_bar));
+    EXPECT_EQ(i, GetQuicheFlag(bar));
   }
 
   for (const char* s : {"--bar", "--bar=a", "--bar=9999999999999"}) {
-    SetQuicheFlag(FLAGS_bar, 0);
+    SetQuicheFlag(bar, 0);
     const char* argv[]{"argv0", s};
 
     testing::internal::CaptureStderr();
@@ -141,30 +141,30 @@ TEST_F(QuicheCommandLineFlagTest, Int32Flag) {
     EXPECT_THAT(captured_stderr,
                 testing::ContainsRegex("Invalid value.*for flag --bar"));
     EXPECT_TRUE(parse_result.non_flag_args.empty());
-    EXPECT_EQ(0, GetQuicheFlag(FLAGS_bar));
+    EXPECT_EQ(0, GetQuicheFlag(bar));
   }
 }
 
 TEST_F(QuicheCommandLineFlagTest, StringFlag) {
   {
-    SetQuicheFlag(FLAGS_baz, "whee");
+    SetQuicheFlag(baz, "whee");
     const char* argv[]{"argv0", "--baz"};
     auto parse_result = QuicheParseCommandLineFlagsForTest(
         "usage message", std::size(argv), argv);
     EXPECT_FALSE(parse_result.exit_status.has_value());
     EXPECT_TRUE(parse_result.non_flag_args.empty());
-    EXPECT_EQ("", GetQuicheFlag(FLAGS_baz));
+    EXPECT_EQ("", GetQuicheFlag(baz));
   }
 
   for (const char* s : {"", "12345", "abcdefg"}) {
-    SetQuicheFlag(FLAGS_baz, "qux");
+    SetQuicheFlag(baz, "qux");
     std::string flag_str = base::StrCat({"--baz=", s});
     const char* argv[]{"argv0", flag_str.c_str()};
     auto parse_result = QuicheParseCommandLineFlagsForTest(
         "usage message", std::size(argv), argv);
     EXPECT_FALSE(parse_result.exit_status.has_value());
     EXPECT_TRUE(parse_result.non_flag_args.empty());
-    EXPECT_EQ(s, GetQuicheFlag(FLAGS_baz));
+    EXPECT_EQ(s, GetQuicheFlag(baz));
   }
 }
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_containers_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_containers_impl.h
index 47a1c16ea67..62e60ad9743 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_containers_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_containers_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.cc b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.cc
index ada6baa8f5f..9de5c4d53bf 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.cc
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -45,7 +45,7 @@ namespace quiche {
 namespace {
 
 std::set<std::string> UnknownRootAllowlistForHost(std::string host) {
-  if (!GetQuicFlag(FLAGS_allow_unknown_root_cert)) {
+  if (!GetQuicFlag(allow_unknown_root_cert)) {
     return std::set<std::string>();
   }
   return {host};
@@ -58,14 +58,15 @@ class ProofVerifierChromiumWithOwnership : public net::ProofVerifierChromium {
   ProofVerifierChromiumWithOwnership(
       std::unique_ptr<net::CertVerifier> cert_verifier,
       std::string host)
-      : net::ProofVerifierChromium(cert_verifier.get(),
-                                   &ct_policy_enforcer_,
-                                   &transport_security_state_,
-                                   /*sct_auditing_delegate=*/nullptr,
-                                   UnknownRootAllowlistForHost(host),
-                                   // Fine to use an empty NetworkIsolationKey
-                                   // here, since this isn't used in Chromium.
-                                   net::NetworkIsolationKey()),
+      : net::ProofVerifierChromium(
+            cert_verifier.get(),
+            &ct_policy_enforcer_,
+            &transport_security_state_,
+            /*sct_auditing_delegate=*/nullptr,
+            UnknownRootAllowlistForHost(host),
+            // Fine to use an empty NetworkAnonymizationKey
+            // here, since this isn't used in Chromium.
+            net::NetworkAnonymizationKey()),
         cert_verifier_(std::move(cert_verifier)) {}
 
  private:
@@ -88,12 +89,12 @@ std::unique_ptr<quic::ProofSource> CreateDefaultProofSourceImpl() {
       quic::QuicChromiumClock::GetInstance()));
   CHECK(proof_source->Initialize(
 #if BUILDFLAG(IS_WIN)
-      base::FilePath(base::UTF8ToWide(GetQuicFlag(FLAGS_certificate_file))),
-      base::FilePath(base::UTF8ToWide(GetQuicFlag(FLAGS_key_file))),
+      base::FilePath(base::UTF8ToWide(GetQuicFlag(certificate_file))),
+      base::FilePath(base::UTF8ToWide(GetQuicFlag(key_file))),
       base::FilePath()));
 #else
-      base::FilePath(GetQuicFlag(FLAGS_certificate_file)),
-      base::FilePath(GetQuicFlag(FLAGS_key_file)), base::FilePath()));
+      base::FilePath(GetQuicFlag(certificate_file)),
+      base::FilePath(GetQuicFlag(key_file)), base::FilePath()));
 #endif
   return std::move(proof_source);
 }
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.h
index ea57d1e5ed6..9a32c1bbdb5 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_default_proof_providers_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_epoll_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_epoll_impl.h
index 23fc2357bb0..a604c60d9ed 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_epoll_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_epoll_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_epoll_test_tools_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_epoll_test_tools_impl.h
index b0e7d99c079..a27c1d2db83 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_epoll_test_tools_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_epoll_test_tools_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_expect_bug_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_expect_bug_impl.h
index 74c8222cffc..bc263339221 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_expect_bug_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_expect_bug_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_export_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_export_impl.h
index 164aa996541..5e9d34728eb 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_export_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_export_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_iovec_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_iovec_impl.h
index 2eaa90bfc0d..8765b142c5f 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_iovec_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_iovec_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_logging_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_logging_impl.h
index a1e15c63088..bc36ffcce32 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_logging_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_logging_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mock_log_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mock_log_impl.h
index fe5071afb94..af109e529d5 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mock_log_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mock_log_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mutex_impl.cc b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mutex_impl.cc
index 1c569606728..62b1cdccc03 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mutex_impl.cc
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mutex_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mutex_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mutex_impl.h
index 371d863f06b..537c2210a0c 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mutex_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_mutex_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_reference_counted_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_reference_counted_impl.h
index 54acdff1b0f..35d90a365b4 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_reference_counted_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_reference_counted_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_server_stats_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_server_stats_impl.h
index e56d15cd9c5..aa771f58c28 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_server_stats_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_server_stats_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_stack_trace_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_stack_trace_impl.h
index 0d4c9ae5a22..b9150a9d0d1 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_stack_trace_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_stack_trace_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_system_event_loop_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_system_event_loop_impl.h
index 9f487555676..7639cee241a 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_system_event_loop_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_system_event_loop_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_helpers_impl.cc b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_helpers_impl.cc
index a4909c1185c..32da1e2151b 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_helpers_impl.cc
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_helpers_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
+// Copyright 2022 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_helpers_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_helpers_impl.h
index 0433ee6547c..e7a57cd67ee 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_helpers_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_helpers_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_impl.cc b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_impl.cc
index 45f46c9d9ba..c3d28626bf6 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_impl.cc
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_impl.h
index 983109e2937..17a6efbdb1b 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_output_impl.cc b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_output_impl.cc
index e0dfeda3cbe..a99584ce0e6 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_output_impl.cc
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_output_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_output_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_output_impl.h
index abdc496afe2..952278b487f 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_output_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_test_output_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_thread_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_thread_impl.h
index 70238c90081..de8b1a5e3e9 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_thread_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_thread_impl.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_thread_local_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_thread_local_impl.h
index 8be2972e5b6..a5e052ca9af 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_thread_local_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_thread_local_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_time_utils_impl.cc b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_time_utils_impl.cc
index c28a3d1746d..2840a84bd63 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_time_utils_impl.cc
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_time_utils_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_time_utils_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_time_utils_impl.h
index 52f3f2bad1f..133a4a9812c 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_time_utils_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_time_utils_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_udp_socket_platform_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_udp_socket_platform_impl.h
index f71d982906b..f3edd7c9ee5 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_udp_socket_platform_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_udp_socket_platform_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_url_utils_impl.cc b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_url_utils_impl.cc
index e41c9efed3d..c43785c7ddf 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_url_utils_impl.cc
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_url_utils_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_url_utils_impl.h b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_url_utils_impl.h
index 47cea0007ec..4157e65748a 100644
--- a/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_url_utils_impl.h
+++ b/chromium/net/third_party/quiche/overrides/quiche_platform_impl/quiche_url_utils_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/third_party/quiche/src/build/source_list.bzl b/chromium/net/third_party/quiche/src/build/source_list.bzl
index 90dd052da5e..9ab0ba3432f 100644
--- a/chromium/net/third_party/quiche/src/build/source_list.bzl
+++ b/chromium/net/third_party/quiche/src/build/source_list.bzl
@@ -20,6 +20,7 @@ quiche_core_hdrs = [
     "balsa/noop_balsa_visitor.h",
     "balsa/simple_buffer.h",
     "balsa/standard_header_map.h",
+    "common/masque/connect_udp_datagram_payload.h",
     "common/platform/api/quiche_bug_tracker.h",
     "common/platform/api/quiche_client_stats.h",
     "common/platform/api/quiche_containers.h",
@@ -45,12 +46,16 @@ quiche_core_hdrs = [
     "common/print_elements.h",
     "common/quiche_buffer_allocator.h",
     "common/quiche_circular_deque.h",
+    "common/quiche_crypto_logging.h",
     "common/quiche_data_reader.h",
     "common/quiche_data_writer.h",
     "common/quiche_endian.h",
+    "common/quiche_ip_address.h",
+    "common/quiche_ip_address_family.h",
     "common/quiche_linked_hash_map.h",
     "common/quiche_mem_slice_storage.h",
     "common/quiche_protocol_flags_list.h",
+    "common/quiche_random.h",
     "common/quiche_text_utils.h",
     "common/simple_buffer_allocator.h",
     "common/structured_headers.h",
@@ -133,6 +138,7 @@ quiche_core_hdrs = [
     "quic/core/congestion_control/tcp_cubic_sender_bytes.h",
     "quic/core/congestion_control/uber_loss_algorithm.h",
     "quic/core/congestion_control/windowed_filter.h",
+    "quic/core/connecting_client_socket.h",
     "quic/core/connection_id_generator.h",
     "quic/core/crypto/aead_base_decrypter.h",
     "quic/core/crypto/aead_base_encrypter.h",
@@ -340,6 +346,7 @@ quiche_core_hdrs = [
     "quic/core/quic_versions.h",
     "quic/core/quic_write_blocked_list.h",
     "quic/core/session_notifier_interface.h",
+    "quic/core/socket_factory.h",
     "quic/core/stream_delegate_interface.h",
     "quic/core/tls_chlo_extractor.h",
     "quic/core/tls_client_handshaker.h",
@@ -401,12 +408,17 @@ quiche_core_srcs = [
     "balsa/http_validation_policy.cc",
     "balsa/simple_buffer.cc",
     "balsa/standard_header_map.cc",
+    "common/masque/connect_udp_datagram_payload.cc",
     "common/platform/api/quiche_hostname_utils.cc",
     "common/platform/api/quiche_mutex.cc",
     "common/quiche_buffer_allocator.cc",
+    "common/quiche_crypto_logging.cc",
     "common/quiche_data_reader.cc",
     "common/quiche_data_writer.cc",
+    "common/quiche_ip_address.cc",
+    "common/quiche_ip_address_family.cc",
     "common/quiche_mem_slice_storage.cc",
+    "common/quiche_random.cc",
     "common/quiche_text_utils.cc",
     "common/simple_buffer_allocator.cc",
     "common/structured_headers.cc",
@@ -522,7 +534,6 @@ quiche_core_srcs = [
     "quic/core/crypto/quic_decrypter.cc",
     "quic/core/crypto/quic_encrypter.cc",
     "quic/core/crypto/quic_hkdf.cc",
-    "quic/core/crypto/quic_random.cc",
     "quic/core/crypto/tls_client_connection.cc",
     "quic/core/crypto/tls_connection.cc",
     "quic/core/crypto/tls_server_connection.cc",
@@ -662,8 +673,6 @@ quiche_core_srcs = [
     "quic/core/tls_server_handshaker.cc",
     "quic/core/uber_quic_stream_id_manager.cc",
     "quic/core/uber_received_packet_manager.cc",
-    "quic/platform/api/quic_ip_address.cc",
-    "quic/platform/api/quic_ip_address_family.cc",
     "quic/platform/api/quic_socket_address.cc",
     "spdy/core/array_output_buffer.cc",
     "spdy/core/hpack/hpack_constants.cc",
@@ -695,13 +704,12 @@ quiche_tool_support_hdrs = [
     "quic/platform/api/quic_default_proof_providers.h",
     "quic/tools/connect_server_backend.h",
     "quic/tools/connect_tunnel.h",
+    "quic/tools/connect_udp_tunnel.h",
     "quic/tools/fake_proof_verifier.h",
     "quic/tools/quic_backend_response.h",
     "quic/tools/quic_client_base.h",
-    "quic/tools/quic_client_default_network_helper.h",
-    "quic/tools/quic_default_client.h",
     "quic/tools/quic_memory_cache_backend.h",
-    "quic/tools/quic_server_factory.h",
+    "quic/tools/quic_name_lookup.h",
     "quic/tools/quic_simple_client_session.h",
     "quic/tools/quic_simple_client_stream.h",
     "quic/tools/quic_simple_crypto_server_stream_helper.h",
@@ -720,12 +728,11 @@ quiche_tool_support_srcs = [
     "common/platform/api/quiche_file_utils.cc",
     "quic/tools/connect_server_backend.cc",
     "quic/tools/connect_tunnel.cc",
+    "quic/tools/connect_udp_tunnel.cc",
     "quic/tools/quic_backend_response.cc",
     "quic/tools/quic_client_base.cc",
-    "quic/tools/quic_client_default_network_helper.cc",
-    "quic/tools/quic_default_client.cc",
     "quic/tools/quic_memory_cache_backend.cc",
-    "quic/tools/quic_server_factory.cc",
+    "quic/tools/quic_name_lookup.cc",
     "quic/tools/quic_simple_client_session.cc",
     "quic/tools/quic_simple_client_stream.cc",
     "quic/tools/quic_simple_crypto_server_stream_helper.cc",
@@ -778,6 +785,7 @@ quiche_test_support_hdrs = [
     "quic/test_tools/first_flight.h",
     "quic/test_tools/limited_mtu_test_writer.h",
     "quic/test_tools/mock_clock.h",
+    "quic/test_tools/mock_connection_id_generator.h",
     "quic/test_tools/mock_quic_client_promised_info.h",
     "quic/test_tools/mock_quic_dispatcher.h",
     "quic/test_tools/mock_quic_session_visitor.h",
@@ -937,103 +945,66 @@ quiche_test_support_srcs = [
     "spdy/test_tools/mock_spdy_framer_visitor.cc",
     "spdy/test_tools/spdy_test_utils.cc",
 ]
-epoll_tool_support_hdrs = [
-    "common/platform/api/quiche_epoll.h",
+io_tool_support_hdrs = [
     "common/platform/api/quiche_event_loop.h",
-    "common/platform/api/quiche_stream_buffer_allocator.h",
     "common/platform/api/quiche_udp_socket_platform_api.h",
-    "epoll_server/platform/api/epoll_bug.h",
-    "epoll_server/platform/api/epoll_logging.h",
-    "epoll_server/platform/api/epoll_thread.h",
-    "epoll_server/simple_epoll_server.h",
-    "quic/core/batch_writer/quic_batch_writer_base.h",
-    "quic/core/batch_writer/quic_batch_writer_buffer.h",
-    "quic/core/batch_writer/quic_batch_writer_test.h",
-    "quic/core/batch_writer/quic_gso_batch_writer.h",
-    "quic/core/batch_writer/quic_sendmmsg_batch_writer.h",
+    "quic/core/io/event_loop_connecting_client_socket.h",
     "quic/core/io/event_loop_socket_factory.h",
-    "quic/core/io/event_loop_tcp_client_socket.h",
     "quic/core/io/quic_default_event_loop.h",
     "quic/core/io/quic_event_loop.h",
     "quic/core/io/quic_poll_event_loop.h",
     "quic/core/io/socket.h",
-    "quic/core/io/socket_factory.h",
-    "quic/core/io/stream_client_socket.h",
     "quic/core/quic_default_packet_writer.h",
-    "quic/core/quic_epoll_alarm_factory.h",
-    "quic/core/quic_epoll_clock.h",
-    "quic/core/quic_epoll_connection_helper.h",
-    "quic/core/quic_linux_socket_utils.h",
     "quic/core/quic_packet_reader.h",
     "quic/core/quic_syscall_wrapper.h",
     "quic/core/quic_udp_socket.h",
+    "quic/masque/masque_client.h",
     "quic/masque/masque_client_session.h",
     "quic/masque/masque_client_tools.h",
     "quic/masque/masque_dispatcher.h",
+    "quic/masque/masque_encapsulated_client.h",
     "quic/masque/masque_encapsulated_client_session.h",
-    "quic/masque/masque_encapsulated_epoll_client.h",
-    "quic/masque/masque_epoll_client.h",
-    "quic/masque/masque_epoll_server.h",
+    "quic/masque/masque_server.h",
     "quic/masque/masque_server_backend.h",
     "quic/masque/masque_server_session.h",
     "quic/masque/masque_utils.h",
-    "quic/platform/api/quic_epoll.h",
     "quic/platform/api/quic_udp_socket_platform_api.h",
-    "quic/tools/quic_client.h",
-    "quic/tools/quic_client_epoll_network_helper.h",
+    "quic/tools/quic_client_default_network_helper.h",
+    "quic/tools/quic_default_client.h",
     "quic/tools/quic_server.h",
 ]
-epoll_tool_support_srcs = [
-    "epoll_server/simple_epoll_server.cc",
-    "quic/core/batch_writer/quic_batch_writer_base.cc",
-    "quic/core/batch_writer/quic_batch_writer_buffer.cc",
-    "quic/core/batch_writer/quic_gso_batch_writer.cc",
-    "quic/core/batch_writer/quic_sendmmsg_batch_writer.cc",
+io_tool_support_srcs = [
+    "quic/core/io/event_loop_connecting_client_socket.cc",
     "quic/core/io/event_loop_socket_factory.cc",
-    "quic/core/io/event_loop_tcp_client_socket.cc",
     "quic/core/io/quic_default_event_loop.cc",
     "quic/core/io/quic_poll_event_loop.cc",
     "quic/core/io/socket_posix.cc",
     "quic/core/quic_default_packet_writer.cc",
-    "quic/core/quic_epoll_alarm_factory.cc",
-    "quic/core/quic_epoll_clock.cc",
-    "quic/core/quic_epoll_connection_helper.cc",
-    "quic/core/quic_linux_socket_utils.cc",
     "quic/core/quic_packet_reader.cc",
     "quic/core/quic_syscall_wrapper.cc",
     "quic/core/quic_udp_socket_posix.cc",
+    "quic/masque/masque_client.cc",
     "quic/masque/masque_client_session.cc",
     "quic/masque/masque_client_tools.cc",
     "quic/masque/masque_dispatcher.cc",
+    "quic/masque/masque_encapsulated_client.cc",
     "quic/masque/masque_encapsulated_client_session.cc",
-    "quic/masque/masque_encapsulated_epoll_client.cc",
-    "quic/masque/masque_epoll_client.cc",
-    "quic/masque/masque_epoll_server.cc",
+    "quic/masque/masque_server.cc",
     "quic/masque/masque_server_backend.cc",
     "quic/masque/masque_server_session.cc",
     "quic/masque/masque_utils.cc",
-    "quic/tools/quic_client.cc",
-    "quic/tools/quic_client_epoll_network_helper.cc",
+    "quic/tools/quic_client_default_network_helper.cc",
+    "quic/tools/quic_default_client.cc",
     "quic/tools/quic_server.cc",
 ]
-epoll_test_support_hdrs = [
-    "common/platform/api/quiche_epoll_test_tools.h",
-    "epoll_server/fake_simple_epoll_server.h",
-    "epoll_server/platform/api/epoll_address_test_utils.h",
-    "epoll_server/platform/api/epoll_expect_bug.h",
-    "epoll_server/platform/api/epoll_test.h",
-    "quic/bindings/quic_libevent.h",
-    "quic/test_tools/quic_client_peer.h",
+io_test_support_hdrs = [
     "quic/test_tools/quic_mock_syscall_wrapper.h",
     "quic/test_tools/quic_server_peer.h",
     "quic/test_tools/quic_test_client.h",
     "quic/test_tools/quic_test_server.h",
     "quic/test_tools/server_thread.h",
 ]
-epoll_test_support_srcs = [
-    "epoll_server/fake_simple_epoll_server.cc",
-    "quic/bindings/quic_libevent.cc",
-    "quic/test_tools/quic_client_peer.cc",
+io_test_support_srcs = [
     "quic/test_tools/quic_mock_syscall_wrapper.cc",
     "quic/test_tools/quic_server_peer.cc",
     "quic/test_tools/quic_test_client.cc",
@@ -1048,6 +1019,8 @@ quiche_tests_srcs = [
     "balsa/balsa_headers_test.cc",
     "balsa/header_properties_test.cc",
     "balsa/simple_buffer_test.cc",
+    "binary_http/binary_http_message_test.cc",
+    "common/masque/connect_udp_datagram_payload_test.cc",
     "common/platform/api/quiche_file_utils_test.cc",
     "common/platform/api/quiche_hostname_utils_test.cc",
     "common/platform/api/quiche_lower_case_string_test.cc",
@@ -1062,8 +1035,10 @@ quiche_tests_srcs = [
     "common/quiche_data_reader_test.cc",
     "common/quiche_data_writer_test.cc",
     "common/quiche_endian_test.cc",
+    "common/quiche_ip_address_test.cc",
     "common/quiche_linked_hash_map_test.cc",
     "common/quiche_mem_slice_storage_test.cc",
+    "common/quiche_random_test.cc",
     "common/quiche_text_utils_test.cc",
     "common/simple_buffer_allocator_test.cc",
     "common/structured_headers_generated_test.cc",
@@ -1120,7 +1095,6 @@ quiche_tests_srcs = [
     "http2/test_tools/http2_frame_builder_test.cc",
     "http2/test_tools/http2_random_test.cc",
     "http2/test_tools/random_decoder_test_base_test.cc",
-    "quic/bindings/quic_libevent_test.cc",
     "quic/core/congestion_control/bandwidth_sampler_test.cc",
     "quic/core/congestion_control/bbr2_simulator_test.cc",
     "quic/core/congestion_control/bbr_sender_test.cc",
@@ -1164,7 +1138,6 @@ quiche_tests_srcs = [
     "quic/core/crypto/quic_crypto_client_config_test.cc",
     "quic/core/crypto/quic_crypto_server_config_test.cc",
     "quic/core/crypto/quic_hkdf_test.cc",
-    "quic/core/crypto/quic_random_test.cc",
     "quic/core/crypto/transport_parameters_test.cc",
     "quic/core/crypto/web_transport_fingerprint_proof_verifier_test.cc",
     "quic/core/deterministic_connection_id_generator_test.cc",
@@ -1267,7 +1240,6 @@ quiche_tests_srcs = [
     "quic/core/tls_server_handshaker_test.cc",
     "quic/core/uber_quic_stream_id_manager_test.cc",
     "quic/core/uber_received_packet_manager_test.cc",
-    "quic/platform/api/quic_ip_address_test.cc",
     "quic/platform/api/quic_socket_address_test.cc",
     "quic/test_tools/crypto_test_utils_test.cc",
     "quic/test_tools/quic_test_utils_test.cc",
@@ -1275,7 +1247,7 @@ quiche_tests_srcs = [
     "quic/test_tools/simulator/quic_endpoint_test.cc",
     "quic/test_tools/simulator/simulator_test.cc",
     "quic/tools/connect_tunnel_test.cc",
-    "quic/tools/quic_default_client_test.cc",
+    "quic/tools/connect_udp_tunnel_test.cc",
     "quic/tools/quic_memory_cache_backend_test.cc",
     "quic/tools/quic_tcp_like_trace_converter_test.cc",
     "quic/tools/simple_ticket_crypter_test.cc",
@@ -1299,29 +1271,20 @@ quiche_tests_srcs = [
     "spdy/core/spdy_protocol_test.cc",
     "spdy/core/spdy_simple_arena_test.cc",
 ]
-epoll_tests_hdrs = [
+io_tests_hdrs = [
 
 ]
-epoll_tests_srcs = [
-    "epoll_server/simple_epoll_server_test.cc",
-    "quic/core/batch_writer/quic_batch_writer_buffer_test.cc",
-    "quic/core/batch_writer/quic_batch_writer_test.cc",
-    "quic/core/batch_writer/quic_gso_batch_writer_test.cc",
-    "quic/core/batch_writer/quic_sendmmsg_batch_writer_test.cc",
+io_tests_srcs = [
     "quic/core/chlo_extractor_test.cc",
     "quic/core/http/end_to_end_test.cc",
     "quic/core/http/quic_spdy_client_session_test.cc",
     "quic/core/http/quic_spdy_client_stream_test.cc",
     "quic/core/http/quic_spdy_server_stream_base_test.cc",
-    "quic/core/io/event_loop_tcp_client_socket_test.cc",
+    "quic/core/io/event_loop_connecting_client_socket_test.cc",
     "quic/core/io/quic_all_event_loops_test.cc",
     "quic/core/io/quic_poll_event_loop_test.cc",
     "quic/core/io/socket_test.cc",
-    "quic/core/quic_epoll_alarm_factory_test.cc",
-    "quic/core/quic_epoll_clock_test.cc",
-    "quic/core/quic_epoll_connection_helper_test.cc",
-    "quic/core/quic_linux_socket_utils_test.cc",
-    "quic/tools/quic_client_test.cc",
+    "quic/tools/quic_default_client_test.cc",
     "quic/tools/quic_server_test.cc",
     "quic/tools/quic_simple_server_session_test.cc",
     "quic/tools/quic_simple_server_stream_test.cc",
@@ -1345,6 +1308,7 @@ fuzzers_srcs = [
 ]
 cli_tools_hdrs = [
     "quic/tools/quic_epoll_client_factory.h",
+    "quic/tools/quic_server_factory.h",
     "quic/tools/quic_toy_client.h",
     "quic/tools/quic_toy_server.h",
 ]
@@ -1359,6 +1323,7 @@ cli_tools_srcs = [
     "quic/tools/quic_packet_printer_bin.cc",
     "quic/tools/quic_reject_reason_decoder_bin.cc",
     "quic/tools/quic_server_bin.cc",
+    "quic/tools/quic_server_factory.cc",
     "quic/tools/quic_toy_client.cc",
     "quic/tools/quic_toy_server.cc",
 ]
@@ -1403,6 +1368,8 @@ default_platform_impl_hdrs = [
     "common/platform/default/quiche_platform_impl/quiche_bug_tracker_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_client_stats_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_containers_impl.h",
+    "common/platform/default/quiche_platform_impl/quiche_default_proof_providers_impl.h",
+    "common/platform/default/quiche_platform_impl/quiche_event_loop_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_export_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_flag_utils_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_flags_impl.h",
@@ -1419,6 +1386,7 @@ default_platform_impl_hdrs = [
     "common/platform/default/quiche_platform_impl/quiche_testvalue_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_thread_local_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_time_utils_impl.h",
+    "common/platform/default/quiche_platform_impl/quiche_udp_socket_platform_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_url_utils_impl.h",
 ]
 default_platform_impl_srcs = [
@@ -1430,7 +1398,6 @@ default_platform_impl_srcs = [
 ]
 default_platform_impl_tool_support_hdrs = [
     "common/platform/default/quiche_platform_impl/quiche_command_line_flags_impl.h",
-    "common/platform/default/quiche_platform_impl/quiche_event_loop_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_file_utils_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_stream_buffer_allocator_impl.h",
     "common/platform/default/quiche_platform_impl/quiche_system_event_loop_impl.h",
@@ -1468,6 +1435,12 @@ load_balancer_srcs = [
     "quic/load_balancer/load_balancer_server_id_map_test.cc",
     "quic/load_balancer/load_balancer_server_id_test.cc",
 ]
+binary_http_hdrs = [
+    "binary_http/binary_http_message.h",
+]
+binary_http_srcs = [
+    "binary_http/binary_http_message.cc",
+]
 qbone_hdrs = [
     "quic/qbone/bonnet/icmp_reachable.h",
     "quic/qbone/bonnet/icmp_reachable_interface.h",
@@ -1548,3 +1521,35 @@ qbone_srcs = [
     "quic/qbone/qbone_stream.cc",
     "quic/qbone/qbone_stream_test.cc",
 ]
+libevent_hdrs = [
+    "quic/bindings/quic_libevent.h",
+]
+libevent_srcs = [
+    "quic/bindings/quic_libevent.cc",
+    "quic/bindings/quic_libevent_test.cc",
+]
+linux_only_hdrs = [
+    "quic/core/batch_writer/quic_batch_writer_base.h",
+    "quic/core/batch_writer/quic_batch_writer_buffer.h",
+    "quic/core/batch_writer/quic_batch_writer_test.h",
+    "quic/core/batch_writer/quic_gso_batch_writer.h",
+    "quic/core/batch_writer/quic_sendmmsg_batch_writer.h",
+    "quic/core/quic_linux_socket_utils.h",
+]
+linux_only_srcs = [
+    "quic/core/batch_writer/quic_batch_writer_base.cc",
+    "quic/core/batch_writer/quic_batch_writer_buffer.cc",
+    "quic/core/batch_writer/quic_gso_batch_writer.cc",
+    "quic/core/batch_writer/quic_sendmmsg_batch_writer.cc",
+    "quic/core/quic_linux_socket_utils.cc",
+]
+linux_only_tests_hdrs = [
+
+]
+linux_only_tests_srcs = [
+    "quic/core/batch_writer/quic_batch_writer_buffer_test.cc",
+    "quic/core/batch_writer/quic_batch_writer_test.cc",
+    "quic/core/batch_writer/quic_gso_batch_writer_test.cc",
+    "quic/core/batch_writer/quic_sendmmsg_batch_writer_test.cc",
+    "quic/core/quic_linux_socket_utils_test.cc",
+]
diff --git a/chromium/net/third_party/quiche/src/build/source_list.gni b/chromium/net/third_party/quiche/src/build/source_list.gni
index 842512d49e6..35107f05dc5 100644
--- a/chromium/net/third_party/quiche/src/build/source_list.gni
+++ b/chromium/net/third_party/quiche/src/build/source_list.gni
@@ -20,6 +20,7 @@ quiche_core_hdrs = [
     "src/quiche/balsa/noop_balsa_visitor.h",
     "src/quiche/balsa/simple_buffer.h",
     "src/quiche/balsa/standard_header_map.h",
+    "src/quiche/common/masque/connect_udp_datagram_payload.h",
     "src/quiche/common/platform/api/quiche_bug_tracker.h",
     "src/quiche/common/platform/api/quiche_client_stats.h",
     "src/quiche/common/platform/api/quiche_containers.h",
@@ -45,12 +46,16 @@ quiche_core_hdrs = [
     "src/quiche/common/print_elements.h",
     "src/quiche/common/quiche_buffer_allocator.h",
     "src/quiche/common/quiche_circular_deque.h",
+    "src/quiche/common/quiche_crypto_logging.h",
     "src/quiche/common/quiche_data_reader.h",
     "src/quiche/common/quiche_data_writer.h",
     "src/quiche/common/quiche_endian.h",
+    "src/quiche/common/quiche_ip_address.h",
+    "src/quiche/common/quiche_ip_address_family.h",
     "src/quiche/common/quiche_linked_hash_map.h",
     "src/quiche/common/quiche_mem_slice_storage.h",
     "src/quiche/common/quiche_protocol_flags_list.h",
+    "src/quiche/common/quiche_random.h",
     "src/quiche/common/quiche_text_utils.h",
     "src/quiche/common/simple_buffer_allocator.h",
     "src/quiche/common/structured_headers.h",
@@ -133,6 +138,7 @@ quiche_core_hdrs = [
     "src/quiche/quic/core/congestion_control/tcp_cubic_sender_bytes.h",
     "src/quiche/quic/core/congestion_control/uber_loss_algorithm.h",
     "src/quiche/quic/core/congestion_control/windowed_filter.h",
+    "src/quiche/quic/core/connecting_client_socket.h",
     "src/quiche/quic/core/connection_id_generator.h",
     "src/quiche/quic/core/crypto/aead_base_decrypter.h",
     "src/quiche/quic/core/crypto/aead_base_encrypter.h",
@@ -340,6 +346,7 @@ quiche_core_hdrs = [
     "src/quiche/quic/core/quic_versions.h",
     "src/quiche/quic/core/quic_write_blocked_list.h",
     "src/quiche/quic/core/session_notifier_interface.h",
+    "src/quiche/quic/core/socket_factory.h",
     "src/quiche/quic/core/stream_delegate_interface.h",
     "src/quiche/quic/core/tls_chlo_extractor.h",
     "src/quiche/quic/core/tls_client_handshaker.h",
@@ -401,12 +408,17 @@ quiche_core_srcs = [
     "src/quiche/balsa/http_validation_policy.cc",
     "src/quiche/balsa/simple_buffer.cc",
     "src/quiche/balsa/standard_header_map.cc",
+    "src/quiche/common/masque/connect_udp_datagram_payload.cc",
     "src/quiche/common/platform/api/quiche_hostname_utils.cc",
     "src/quiche/common/platform/api/quiche_mutex.cc",
     "src/quiche/common/quiche_buffer_allocator.cc",
+    "src/quiche/common/quiche_crypto_logging.cc",
     "src/quiche/common/quiche_data_reader.cc",
     "src/quiche/common/quiche_data_writer.cc",
+    "src/quiche/common/quiche_ip_address.cc",
+    "src/quiche/common/quiche_ip_address_family.cc",
     "src/quiche/common/quiche_mem_slice_storage.cc",
+    "src/quiche/common/quiche_random.cc",
     "src/quiche/common/quiche_text_utils.cc",
     "src/quiche/common/simple_buffer_allocator.cc",
     "src/quiche/common/structured_headers.cc",
@@ -522,7 +534,6 @@ quiche_core_srcs = [
     "src/quiche/quic/core/crypto/quic_decrypter.cc",
     "src/quiche/quic/core/crypto/quic_encrypter.cc",
     "src/quiche/quic/core/crypto/quic_hkdf.cc",
-    "src/quiche/quic/core/crypto/quic_random.cc",
     "src/quiche/quic/core/crypto/tls_client_connection.cc",
     "src/quiche/quic/core/crypto/tls_connection.cc",
     "src/quiche/quic/core/crypto/tls_server_connection.cc",
@@ -662,8 +673,6 @@ quiche_core_srcs = [
     "src/quiche/quic/core/tls_server_handshaker.cc",
     "src/quiche/quic/core/uber_quic_stream_id_manager.cc",
     "src/quiche/quic/core/uber_received_packet_manager.cc",
-    "src/quiche/quic/platform/api/quic_ip_address.cc",
-    "src/quiche/quic/platform/api/quic_ip_address_family.cc",
     "src/quiche/quic/platform/api/quic_socket_address.cc",
     "src/quiche/spdy/core/array_output_buffer.cc",
     "src/quiche/spdy/core/hpack/hpack_constants.cc",
@@ -695,13 +704,12 @@ quiche_tool_support_hdrs = [
     "src/quiche/quic/platform/api/quic_default_proof_providers.h",
     "src/quiche/quic/tools/connect_server_backend.h",
     "src/quiche/quic/tools/connect_tunnel.h",
+    "src/quiche/quic/tools/connect_udp_tunnel.h",
     "src/quiche/quic/tools/fake_proof_verifier.h",
     "src/quiche/quic/tools/quic_backend_response.h",
     "src/quiche/quic/tools/quic_client_base.h",
-    "src/quiche/quic/tools/quic_client_default_network_helper.h",
-    "src/quiche/quic/tools/quic_default_client.h",
     "src/quiche/quic/tools/quic_memory_cache_backend.h",
-    "src/quiche/quic/tools/quic_server_factory.h",
+    "src/quiche/quic/tools/quic_name_lookup.h",
     "src/quiche/quic/tools/quic_simple_client_session.h",
     "src/quiche/quic/tools/quic_simple_client_stream.h",
     "src/quiche/quic/tools/quic_simple_crypto_server_stream_helper.h",
@@ -720,12 +728,11 @@ quiche_tool_support_srcs = [
     "src/quiche/common/platform/api/quiche_file_utils.cc",
     "src/quiche/quic/tools/connect_server_backend.cc",
     "src/quiche/quic/tools/connect_tunnel.cc",
+    "src/quiche/quic/tools/connect_udp_tunnel.cc",
     "src/quiche/quic/tools/quic_backend_response.cc",
     "src/quiche/quic/tools/quic_client_base.cc",
-    "src/quiche/quic/tools/quic_client_default_network_helper.cc",
-    "src/quiche/quic/tools/quic_default_client.cc",
     "src/quiche/quic/tools/quic_memory_cache_backend.cc",
-    "src/quiche/quic/tools/quic_server_factory.cc",
+    "src/quiche/quic/tools/quic_name_lookup.cc",
     "src/quiche/quic/tools/quic_simple_client_session.cc",
     "src/quiche/quic/tools/quic_simple_client_stream.cc",
     "src/quiche/quic/tools/quic_simple_crypto_server_stream_helper.cc",
@@ -778,6 +785,7 @@ quiche_test_support_hdrs = [
     "src/quiche/quic/test_tools/first_flight.h",
     "src/quiche/quic/test_tools/limited_mtu_test_writer.h",
     "src/quiche/quic/test_tools/mock_clock.h",
+    "src/quiche/quic/test_tools/mock_connection_id_generator.h",
     "src/quiche/quic/test_tools/mock_quic_client_promised_info.h",
     "src/quiche/quic/test_tools/mock_quic_dispatcher.h",
     "src/quiche/quic/test_tools/mock_quic_session_visitor.h",
@@ -937,103 +945,66 @@ quiche_test_support_srcs = [
     "src/quiche/spdy/test_tools/mock_spdy_framer_visitor.cc",
     "src/quiche/spdy/test_tools/spdy_test_utils.cc",
 ]
-epoll_tool_support_hdrs = [
-    "src/quiche/common/platform/api/quiche_epoll.h",
+io_tool_support_hdrs = [
     "src/quiche/common/platform/api/quiche_event_loop.h",
-    "src/quiche/common/platform/api/quiche_stream_buffer_allocator.h",
     "src/quiche/common/platform/api/quiche_udp_socket_platform_api.h",
-    "src/quiche/epoll_server/platform/api/epoll_bug.h",
-    "src/quiche/epoll_server/platform/api/epoll_logging.h",
-    "src/quiche/epoll_server/platform/api/epoll_thread.h",
-    "src/quiche/epoll_server/simple_epoll_server.h",
-    "src/quiche/quic/core/batch_writer/quic_batch_writer_base.h",
-    "src/quiche/quic/core/batch_writer/quic_batch_writer_buffer.h",
-    "src/quiche/quic/core/batch_writer/quic_batch_writer_test.h",
-    "src/quiche/quic/core/batch_writer/quic_gso_batch_writer.h",
-    "src/quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer.h",
+    "src/quiche/quic/core/io/event_loop_connecting_client_socket.h",
     "src/quiche/quic/core/io/event_loop_socket_factory.h",
-    "src/quiche/quic/core/io/event_loop_tcp_client_socket.h",
     "src/quiche/quic/core/io/quic_default_event_loop.h",
     "src/quiche/quic/core/io/quic_event_loop.h",
     "src/quiche/quic/core/io/quic_poll_event_loop.h",
     "src/quiche/quic/core/io/socket.h",
-    "src/quiche/quic/core/io/socket_factory.h",
-    "src/quiche/quic/core/io/stream_client_socket.h",
     "src/quiche/quic/core/quic_default_packet_writer.h",
-    "src/quiche/quic/core/quic_epoll_alarm_factory.h",
-    "src/quiche/quic/core/quic_epoll_clock.h",
-    "src/quiche/quic/core/quic_epoll_connection_helper.h",
-    "src/quiche/quic/core/quic_linux_socket_utils.h",
     "src/quiche/quic/core/quic_packet_reader.h",
     "src/quiche/quic/core/quic_syscall_wrapper.h",
     "src/quiche/quic/core/quic_udp_socket.h",
+    "src/quiche/quic/masque/masque_client.h",
     "src/quiche/quic/masque/masque_client_session.h",
     "src/quiche/quic/masque/masque_client_tools.h",
     "src/quiche/quic/masque/masque_dispatcher.h",
+    "src/quiche/quic/masque/masque_encapsulated_client.h",
     "src/quiche/quic/masque/masque_encapsulated_client_session.h",
-    "src/quiche/quic/masque/masque_encapsulated_epoll_client.h",
-    "src/quiche/quic/masque/masque_epoll_client.h",
-    "src/quiche/quic/masque/masque_epoll_server.h",
+    "src/quiche/quic/masque/masque_server.h",
     "src/quiche/quic/masque/masque_server_backend.h",
     "src/quiche/quic/masque/masque_server_session.h",
     "src/quiche/quic/masque/masque_utils.h",
-    "src/quiche/quic/platform/api/quic_epoll.h",
     "src/quiche/quic/platform/api/quic_udp_socket_platform_api.h",
-    "src/quiche/quic/tools/quic_client.h",
-    "src/quiche/quic/tools/quic_client_epoll_network_helper.h",
+    "src/quiche/quic/tools/quic_client_default_network_helper.h",
+    "src/quiche/quic/tools/quic_default_client.h",
     "src/quiche/quic/tools/quic_server.h",
 ]
-epoll_tool_support_srcs = [
-    "src/quiche/epoll_server/simple_epoll_server.cc",
-    "src/quiche/quic/core/batch_writer/quic_batch_writer_base.cc",
-    "src/quiche/quic/core/batch_writer/quic_batch_writer_buffer.cc",
-    "src/quiche/quic/core/batch_writer/quic_gso_batch_writer.cc",
-    "src/quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer.cc",
+io_tool_support_srcs = [
+    "src/quiche/quic/core/io/event_loop_connecting_client_socket.cc",
     "src/quiche/quic/core/io/event_loop_socket_factory.cc",
-    "src/quiche/quic/core/io/event_loop_tcp_client_socket.cc",
     "src/quiche/quic/core/io/quic_default_event_loop.cc",
     "src/quiche/quic/core/io/quic_poll_event_loop.cc",
     "src/quiche/quic/core/io/socket_posix.cc",
     "src/quiche/quic/core/quic_default_packet_writer.cc",
-    "src/quiche/quic/core/quic_epoll_alarm_factory.cc",
-    "src/quiche/quic/core/quic_epoll_clock.cc",
-    "src/quiche/quic/core/quic_epoll_connection_helper.cc",
-    "src/quiche/quic/core/quic_linux_socket_utils.cc",
     "src/quiche/quic/core/quic_packet_reader.cc",
     "src/quiche/quic/core/quic_syscall_wrapper.cc",
     "src/quiche/quic/core/quic_udp_socket_posix.cc",
+    "src/quiche/quic/masque/masque_client.cc",
     "src/quiche/quic/masque/masque_client_session.cc",
     "src/quiche/quic/masque/masque_client_tools.cc",
     "src/quiche/quic/masque/masque_dispatcher.cc",
+    "src/quiche/quic/masque/masque_encapsulated_client.cc",
     "src/quiche/quic/masque/masque_encapsulated_client_session.cc",
-    "src/quiche/quic/masque/masque_encapsulated_epoll_client.cc",
-    "src/quiche/quic/masque/masque_epoll_client.cc",
-    "src/quiche/quic/masque/masque_epoll_server.cc",
+    "src/quiche/quic/masque/masque_server.cc",
     "src/quiche/quic/masque/masque_server_backend.cc",
     "src/quiche/quic/masque/masque_server_session.cc",
     "src/quiche/quic/masque/masque_utils.cc",
-    "src/quiche/quic/tools/quic_client.cc",
-    "src/quiche/quic/tools/quic_client_epoll_network_helper.cc",
+    "src/quiche/quic/tools/quic_client_default_network_helper.cc",
+    "src/quiche/quic/tools/quic_default_client.cc",
     "src/quiche/quic/tools/quic_server.cc",
 ]
-epoll_test_support_hdrs = [
-    "src/quiche/common/platform/api/quiche_epoll_test_tools.h",
-    "src/quiche/epoll_server/fake_simple_epoll_server.h",
-    "src/quiche/epoll_server/platform/api/epoll_address_test_utils.h",
-    "src/quiche/epoll_server/platform/api/epoll_expect_bug.h",
-    "src/quiche/epoll_server/platform/api/epoll_test.h",
-    "src/quiche/quic/bindings/quic_libevent.h",
-    "src/quiche/quic/test_tools/quic_client_peer.h",
+io_test_support_hdrs = [
     "src/quiche/quic/test_tools/quic_mock_syscall_wrapper.h",
     "src/quiche/quic/test_tools/quic_server_peer.h",
     "src/quiche/quic/test_tools/quic_test_client.h",
     "src/quiche/quic/test_tools/quic_test_server.h",
     "src/quiche/quic/test_tools/server_thread.h",
 ]
-epoll_test_support_srcs = [
-    "src/quiche/epoll_server/fake_simple_epoll_server.cc",
-    "src/quiche/quic/bindings/quic_libevent.cc",
-    "src/quiche/quic/test_tools/quic_client_peer.cc",
+io_test_support_srcs = [
     "src/quiche/quic/test_tools/quic_mock_syscall_wrapper.cc",
     "src/quiche/quic/test_tools/quic_server_peer.cc",
     "src/quiche/quic/test_tools/quic_test_client.cc",
@@ -1048,6 +1019,8 @@ quiche_tests_srcs = [
     "src/quiche/balsa/balsa_headers_test.cc",
     "src/quiche/balsa/header_properties_test.cc",
     "src/quiche/balsa/simple_buffer_test.cc",
+    "src/quiche/binary_http/binary_http_message_test.cc",
+    "src/quiche/common/masque/connect_udp_datagram_payload_test.cc",
     "src/quiche/common/platform/api/quiche_file_utils_test.cc",
     "src/quiche/common/platform/api/quiche_hostname_utils_test.cc",
     "src/quiche/common/platform/api/quiche_lower_case_string_test.cc",
@@ -1062,8 +1035,10 @@ quiche_tests_srcs = [
     "src/quiche/common/quiche_data_reader_test.cc",
     "src/quiche/common/quiche_data_writer_test.cc",
     "src/quiche/common/quiche_endian_test.cc",
+    "src/quiche/common/quiche_ip_address_test.cc",
     "src/quiche/common/quiche_linked_hash_map_test.cc",
     "src/quiche/common/quiche_mem_slice_storage_test.cc",
+    "src/quiche/common/quiche_random_test.cc",
     "src/quiche/common/quiche_text_utils_test.cc",
     "src/quiche/common/simple_buffer_allocator_test.cc",
     "src/quiche/common/structured_headers_generated_test.cc",
@@ -1120,7 +1095,6 @@ quiche_tests_srcs = [
     "src/quiche/http2/test_tools/http2_frame_builder_test.cc",
     "src/quiche/http2/test_tools/http2_random_test.cc",
     "src/quiche/http2/test_tools/random_decoder_test_base_test.cc",
-    "src/quiche/quic/bindings/quic_libevent_test.cc",
     "src/quiche/quic/core/congestion_control/bandwidth_sampler_test.cc",
     "src/quiche/quic/core/congestion_control/bbr2_simulator_test.cc",
     "src/quiche/quic/core/congestion_control/bbr_sender_test.cc",
@@ -1164,7 +1138,6 @@ quiche_tests_srcs = [
     "src/quiche/quic/core/crypto/quic_crypto_client_config_test.cc",
     "src/quiche/quic/core/crypto/quic_crypto_server_config_test.cc",
     "src/quiche/quic/core/crypto/quic_hkdf_test.cc",
-    "src/quiche/quic/core/crypto/quic_random_test.cc",
     "src/quiche/quic/core/crypto/transport_parameters_test.cc",
     "src/quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier_test.cc",
     "src/quiche/quic/core/deterministic_connection_id_generator_test.cc",
@@ -1267,7 +1240,6 @@ quiche_tests_srcs = [
     "src/quiche/quic/core/tls_server_handshaker_test.cc",
     "src/quiche/quic/core/uber_quic_stream_id_manager_test.cc",
     "src/quiche/quic/core/uber_received_packet_manager_test.cc",
-    "src/quiche/quic/platform/api/quic_ip_address_test.cc",
     "src/quiche/quic/platform/api/quic_socket_address_test.cc",
     "src/quiche/quic/test_tools/crypto_test_utils_test.cc",
     "src/quiche/quic/test_tools/quic_test_utils_test.cc",
@@ -1275,7 +1247,7 @@ quiche_tests_srcs = [
     "src/quiche/quic/test_tools/simulator/quic_endpoint_test.cc",
     "src/quiche/quic/test_tools/simulator/simulator_test.cc",
     "src/quiche/quic/tools/connect_tunnel_test.cc",
-    "src/quiche/quic/tools/quic_default_client_test.cc",
+    "src/quiche/quic/tools/connect_udp_tunnel_test.cc",
     "src/quiche/quic/tools/quic_memory_cache_backend_test.cc",
     "src/quiche/quic/tools/quic_tcp_like_trace_converter_test.cc",
     "src/quiche/quic/tools/simple_ticket_crypter_test.cc",
@@ -1299,29 +1271,20 @@ quiche_tests_srcs = [
     "src/quiche/spdy/core/spdy_protocol_test.cc",
     "src/quiche/spdy/core/spdy_simple_arena_test.cc",
 ]
-epoll_tests_hdrs = [
+io_tests_hdrs = [
 
 ]
-epoll_tests_srcs = [
-    "src/quiche/epoll_server/simple_epoll_server_test.cc",
-    "src/quiche/quic/core/batch_writer/quic_batch_writer_buffer_test.cc",
-    "src/quiche/quic/core/batch_writer/quic_batch_writer_test.cc",
-    "src/quiche/quic/core/batch_writer/quic_gso_batch_writer_test.cc",
-    "src/quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer_test.cc",
+io_tests_srcs = [
     "src/quiche/quic/core/chlo_extractor_test.cc",
     "src/quiche/quic/core/http/end_to_end_test.cc",
     "src/quiche/quic/core/http/quic_spdy_client_session_test.cc",
     "src/quiche/quic/core/http/quic_spdy_client_stream_test.cc",
     "src/quiche/quic/core/http/quic_spdy_server_stream_base_test.cc",
-    "src/quiche/quic/core/io/event_loop_tcp_client_socket_test.cc",
+    "src/quiche/quic/core/io/event_loop_connecting_client_socket_test.cc",
     "src/quiche/quic/core/io/quic_all_event_loops_test.cc",
     "src/quiche/quic/core/io/quic_poll_event_loop_test.cc",
     "src/quiche/quic/core/io/socket_test.cc",
-    "src/quiche/quic/core/quic_epoll_alarm_factory_test.cc",
-    "src/quiche/quic/core/quic_epoll_clock_test.cc",
-    "src/quiche/quic/core/quic_epoll_connection_helper_test.cc",
-    "src/quiche/quic/core/quic_linux_socket_utils_test.cc",
-    "src/quiche/quic/tools/quic_client_test.cc",
+    "src/quiche/quic/tools/quic_default_client_test.cc",
     "src/quiche/quic/tools/quic_server_test.cc",
     "src/quiche/quic/tools/quic_simple_server_session_test.cc",
     "src/quiche/quic/tools/quic_simple_server_stream_test.cc",
@@ -1345,6 +1308,7 @@ fuzzers_srcs = [
 ]
 cli_tools_hdrs = [
     "src/quiche/quic/tools/quic_epoll_client_factory.h",
+    "src/quiche/quic/tools/quic_server_factory.h",
     "src/quiche/quic/tools/quic_toy_client.h",
     "src/quiche/quic/tools/quic_toy_server.h",
 ]
@@ -1359,6 +1323,7 @@ cli_tools_srcs = [
     "src/quiche/quic/tools/quic_packet_printer_bin.cc",
     "src/quiche/quic/tools/quic_reject_reason_decoder_bin.cc",
     "src/quiche/quic/tools/quic_server_bin.cc",
+    "src/quiche/quic/tools/quic_server_factory.cc",
     "src/quiche/quic/tools/quic_toy_client.cc",
     "src/quiche/quic/tools/quic_toy_server.cc",
 ]
@@ -1403,6 +1368,8 @@ default_platform_impl_hdrs = [
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_bug_tracker_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_client_stats_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_containers_impl.h",
+    "src/quiche/common/platform/default/quiche_platform_impl/quiche_default_proof_providers_impl.h",
+    "src/quiche/common/platform/default/quiche_platform_impl/quiche_event_loop_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_export_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_flag_utils_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_flags_impl.h",
@@ -1419,6 +1386,7 @@ default_platform_impl_hdrs = [
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_testvalue_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_thread_local_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_time_utils_impl.h",
+    "src/quiche/common/platform/default/quiche_platform_impl/quiche_udp_socket_platform_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_url_utils_impl.h",
 ]
 default_platform_impl_srcs = [
@@ -1430,7 +1398,6 @@ default_platform_impl_srcs = [
 ]
 default_platform_impl_tool_support_hdrs = [
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_command_line_flags_impl.h",
-    "src/quiche/common/platform/default/quiche_platform_impl/quiche_event_loop_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_file_utils_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_stream_buffer_allocator_impl.h",
     "src/quiche/common/platform/default/quiche_platform_impl/quiche_system_event_loop_impl.h",
@@ -1468,6 +1435,12 @@ load_balancer_srcs = [
     "src/quiche/quic/load_balancer/load_balancer_server_id_map_test.cc",
     "src/quiche/quic/load_balancer/load_balancer_server_id_test.cc",
 ]
+binary_http_hdrs = [
+    "src/quiche/binary_http/binary_http_message.h",
+]
+binary_http_srcs = [
+    "src/quiche/binary_http/binary_http_message.cc",
+]
 qbone_hdrs = [
     "src/quiche/quic/qbone/bonnet/icmp_reachable.h",
     "src/quiche/quic/qbone/bonnet/icmp_reachable_interface.h",
@@ -1548,3 +1521,35 @@ qbone_srcs = [
     "src/quiche/quic/qbone/qbone_stream.cc",
     "src/quiche/quic/qbone/qbone_stream_test.cc",
 ]
+libevent_hdrs = [
+    "src/quiche/quic/bindings/quic_libevent.h",
+]
+libevent_srcs = [
+    "src/quiche/quic/bindings/quic_libevent.cc",
+    "src/quiche/quic/bindings/quic_libevent_test.cc",
+]
+linux_only_hdrs = [
+    "src/quiche/quic/core/batch_writer/quic_batch_writer_base.h",
+    "src/quiche/quic/core/batch_writer/quic_batch_writer_buffer.h",
+    "src/quiche/quic/core/batch_writer/quic_batch_writer_test.h",
+    "src/quiche/quic/core/batch_writer/quic_gso_batch_writer.h",
+    "src/quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer.h",
+    "src/quiche/quic/core/quic_linux_socket_utils.h",
+]
+linux_only_srcs = [
+    "src/quiche/quic/core/batch_writer/quic_batch_writer_base.cc",
+    "src/quiche/quic/core/batch_writer/quic_batch_writer_buffer.cc",
+    "src/quiche/quic/core/batch_writer/quic_gso_batch_writer.cc",
+    "src/quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer.cc",
+    "src/quiche/quic/core/quic_linux_socket_utils.cc",
+]
+linux_only_tests_hdrs = [
+
+]
+linux_only_tests_srcs = [
+    "src/quiche/quic/core/batch_writer/quic_batch_writer_buffer_test.cc",
+    "src/quiche/quic/core/batch_writer/quic_batch_writer_test.cc",
+    "src/quiche/quic/core/batch_writer/quic_gso_batch_writer_test.cc",
+    "src/quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer_test.cc",
+    "src/quiche/quic/core/quic_linux_socket_utils_test.cc",
+]
diff --git a/chromium/net/third_party/quiche/src/build/source_list.json b/chromium/net/third_party/quiche/src/build/source_list.json
index 6d14856e77a..a4394c8d005 100644
--- a/chromium/net/third_party/quiche/src/build/source_list.json
+++ b/chromium/net/third_party/quiche/src/build/source_list.json
@@ -19,6 +19,7 @@
     "quiche/balsa/noop_balsa_visitor.h",
     "quiche/balsa/simple_buffer.h",
     "quiche/balsa/standard_header_map.h",
+    "quiche/common/masque/connect_udp_datagram_payload.h",
     "quiche/common/platform/api/quiche_bug_tracker.h",
     "quiche/common/platform/api/quiche_client_stats.h",
     "quiche/common/platform/api/quiche_containers.h",
@@ -44,12 +45,16 @@
     "quiche/common/print_elements.h",
     "quiche/common/quiche_buffer_allocator.h",
     "quiche/common/quiche_circular_deque.h",
+    "quiche/common/quiche_crypto_logging.h",
     "quiche/common/quiche_data_reader.h",
     "quiche/common/quiche_data_writer.h",
     "quiche/common/quiche_endian.h",
+    "quiche/common/quiche_ip_address.h",
+    "quiche/common/quiche_ip_address_family.h",
     "quiche/common/quiche_linked_hash_map.h",
     "quiche/common/quiche_mem_slice_storage.h",
     "quiche/common/quiche_protocol_flags_list.h",
+    "quiche/common/quiche_random.h",
     "quiche/common/quiche_text_utils.h",
     "quiche/common/simple_buffer_allocator.h",
     "quiche/common/structured_headers.h",
@@ -132,6 +137,7 @@
     "quiche/quic/core/congestion_control/tcp_cubic_sender_bytes.h",
     "quiche/quic/core/congestion_control/uber_loss_algorithm.h",
     "quiche/quic/core/congestion_control/windowed_filter.h",
+    "quiche/quic/core/connecting_client_socket.h",
     "quiche/quic/core/connection_id_generator.h",
     "quiche/quic/core/crypto/aead_base_decrypter.h",
     "quiche/quic/core/crypto/aead_base_encrypter.h",
@@ -339,6 +345,7 @@
     "quiche/quic/core/quic_versions.h",
     "quiche/quic/core/quic_write_blocked_list.h",
     "quiche/quic/core/session_notifier_interface.h",
+    "quiche/quic/core/socket_factory.h",
     "quiche/quic/core/stream_delegate_interface.h",
     "quiche/quic/core/tls_chlo_extractor.h",
     "quiche/quic/core/tls_client_handshaker.h",
@@ -400,12 +407,17 @@
     "quiche/balsa/http_validation_policy.cc",
     "quiche/balsa/simple_buffer.cc",
     "quiche/balsa/standard_header_map.cc",
+    "quiche/common/masque/connect_udp_datagram_payload.cc",
     "quiche/common/platform/api/quiche_hostname_utils.cc",
     "quiche/common/platform/api/quiche_mutex.cc",
     "quiche/common/quiche_buffer_allocator.cc",
+    "quiche/common/quiche_crypto_logging.cc",
     "quiche/common/quiche_data_reader.cc",
     "quiche/common/quiche_data_writer.cc",
+    "quiche/common/quiche_ip_address.cc",
+    "quiche/common/quiche_ip_address_family.cc",
     "quiche/common/quiche_mem_slice_storage.cc",
+    "quiche/common/quiche_random.cc",
     "quiche/common/quiche_text_utils.cc",
     "quiche/common/simple_buffer_allocator.cc",
     "quiche/common/structured_headers.cc",
@@ -521,7 +533,6 @@
     "quiche/quic/core/crypto/quic_decrypter.cc",
     "quiche/quic/core/crypto/quic_encrypter.cc",
     "quiche/quic/core/crypto/quic_hkdf.cc",
-    "quiche/quic/core/crypto/quic_random.cc",
     "quiche/quic/core/crypto/tls_client_connection.cc",
     "quiche/quic/core/crypto/tls_connection.cc",
     "quiche/quic/core/crypto/tls_server_connection.cc",
@@ -661,8 +672,6 @@
     "quiche/quic/core/tls_server_handshaker.cc",
     "quiche/quic/core/uber_quic_stream_id_manager.cc",
     "quiche/quic/core/uber_received_packet_manager.cc",
-    "quiche/quic/platform/api/quic_ip_address.cc",
-    "quiche/quic/platform/api/quic_ip_address_family.cc",
     "quiche/quic/platform/api/quic_socket_address.cc",
     "quiche/spdy/core/array_output_buffer.cc",
     "quiche/spdy/core/hpack/hpack_constants.cc",
@@ -694,13 +703,12 @@
     "quiche/quic/platform/api/quic_default_proof_providers.h",
     "quiche/quic/tools/connect_server_backend.h",
     "quiche/quic/tools/connect_tunnel.h",
+    "quiche/quic/tools/connect_udp_tunnel.h",
     "quiche/quic/tools/fake_proof_verifier.h",
     "quiche/quic/tools/quic_backend_response.h",
     "quiche/quic/tools/quic_client_base.h",
-    "quiche/quic/tools/quic_client_default_network_helper.h",
-    "quiche/quic/tools/quic_default_client.h",
     "quiche/quic/tools/quic_memory_cache_backend.h",
-    "quiche/quic/tools/quic_server_factory.h",
+    "quiche/quic/tools/quic_name_lookup.h",
     "quiche/quic/tools/quic_simple_client_session.h",
     "quiche/quic/tools/quic_simple_client_stream.h",
     "quiche/quic/tools/quic_simple_crypto_server_stream_helper.h",
@@ -719,12 +727,11 @@
     "quiche/common/platform/api/quiche_file_utils.cc",
     "quiche/quic/tools/connect_server_backend.cc",
     "quiche/quic/tools/connect_tunnel.cc",
+    "quiche/quic/tools/connect_udp_tunnel.cc",
     "quiche/quic/tools/quic_backend_response.cc",
     "quiche/quic/tools/quic_client_base.cc",
-    "quiche/quic/tools/quic_client_default_network_helper.cc",
-    "quiche/quic/tools/quic_default_client.cc",
     "quiche/quic/tools/quic_memory_cache_backend.cc",
-    "quiche/quic/tools/quic_server_factory.cc",
+    "quiche/quic/tools/quic_name_lookup.cc",
     "quiche/quic/tools/quic_simple_client_session.cc",
     "quiche/quic/tools/quic_simple_client_stream.cc",
     "quiche/quic/tools/quic_simple_crypto_server_stream_helper.cc",
@@ -777,6 +784,7 @@
     "quiche/quic/test_tools/first_flight.h",
     "quiche/quic/test_tools/limited_mtu_test_writer.h",
     "quiche/quic/test_tools/mock_clock.h",
+    "quiche/quic/test_tools/mock_connection_id_generator.h",
     "quiche/quic/test_tools/mock_quic_client_promised_info.h",
     "quiche/quic/test_tools/mock_quic_dispatcher.h",
     "quiche/quic/test_tools/mock_quic_session_visitor.h",
@@ -936,103 +944,66 @@
     "quiche/spdy/test_tools/mock_spdy_framer_visitor.cc",
     "quiche/spdy/test_tools/spdy_test_utils.cc"
   ],
-  "epoll_tool_support_hdrs": [
-    "quiche/common/platform/api/quiche_epoll.h",
+  "io_tool_support_hdrs": [
     "quiche/common/platform/api/quiche_event_loop.h",
-    "quiche/common/platform/api/quiche_stream_buffer_allocator.h",
     "quiche/common/platform/api/quiche_udp_socket_platform_api.h",
-    "quiche/epoll_server/platform/api/epoll_bug.h",
-    "quiche/epoll_server/platform/api/epoll_logging.h",
-    "quiche/epoll_server/platform/api/epoll_thread.h",
-    "quiche/epoll_server/simple_epoll_server.h",
-    "quiche/quic/core/batch_writer/quic_batch_writer_base.h",
-    "quiche/quic/core/batch_writer/quic_batch_writer_buffer.h",
-    "quiche/quic/core/batch_writer/quic_batch_writer_test.h",
-    "quiche/quic/core/batch_writer/quic_gso_batch_writer.h",
-    "quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer.h",
+    "quiche/quic/core/io/event_loop_connecting_client_socket.h",
     "quiche/quic/core/io/event_loop_socket_factory.h",
-    "quiche/quic/core/io/event_loop_tcp_client_socket.h",
     "quiche/quic/core/io/quic_default_event_loop.h",
     "quiche/quic/core/io/quic_event_loop.h",
     "quiche/quic/core/io/quic_poll_event_loop.h",
     "quiche/quic/core/io/socket.h",
-    "quiche/quic/core/io/socket_factory.h",
-    "quiche/quic/core/io/stream_client_socket.h",
     "quiche/quic/core/quic_default_packet_writer.h",
-    "quiche/quic/core/quic_epoll_alarm_factory.h",
-    "quiche/quic/core/quic_epoll_clock.h",
-    "quiche/quic/core/quic_epoll_connection_helper.h",
-    "quiche/quic/core/quic_linux_socket_utils.h",
     "quiche/quic/core/quic_packet_reader.h",
     "quiche/quic/core/quic_syscall_wrapper.h",
     "quiche/quic/core/quic_udp_socket.h",
+    "quiche/quic/masque/masque_client.h",
     "quiche/quic/masque/masque_client_session.h",
     "quiche/quic/masque/masque_client_tools.h",
     "quiche/quic/masque/masque_dispatcher.h",
+    "quiche/quic/masque/masque_encapsulated_client.h",
     "quiche/quic/masque/masque_encapsulated_client_session.h",
-    "quiche/quic/masque/masque_encapsulated_epoll_client.h",
-    "quiche/quic/masque/masque_epoll_client.h",
-    "quiche/quic/masque/masque_epoll_server.h",
+    "quiche/quic/masque/masque_server.h",
     "quiche/quic/masque/masque_server_backend.h",
     "quiche/quic/masque/masque_server_session.h",
     "quiche/quic/masque/masque_utils.h",
-    "quiche/quic/platform/api/quic_epoll.h",
     "quiche/quic/platform/api/quic_udp_socket_platform_api.h",
-    "quiche/quic/tools/quic_client.h",
-    "quiche/quic/tools/quic_client_epoll_network_helper.h",
+    "quiche/quic/tools/quic_client_default_network_helper.h",
+    "quiche/quic/tools/quic_default_client.h",
     "quiche/quic/tools/quic_server.h"
   ],
-  "epoll_tool_support_srcs": [
-    "quiche/epoll_server/simple_epoll_server.cc",
-    "quiche/quic/core/batch_writer/quic_batch_writer_base.cc",
-    "quiche/quic/core/batch_writer/quic_batch_writer_buffer.cc",
-    "quiche/quic/core/batch_writer/quic_gso_batch_writer.cc",
-    "quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer.cc",
+  "io_tool_support_srcs": [
+    "quiche/quic/core/io/event_loop_connecting_client_socket.cc",
     "quiche/quic/core/io/event_loop_socket_factory.cc",
-    "quiche/quic/core/io/event_loop_tcp_client_socket.cc",
     "quiche/quic/core/io/quic_default_event_loop.cc",
     "quiche/quic/core/io/quic_poll_event_loop.cc",
     "quiche/quic/core/io/socket_posix.cc",
     "quiche/quic/core/quic_default_packet_writer.cc",
-    "quiche/quic/core/quic_epoll_alarm_factory.cc",
-    "quiche/quic/core/quic_epoll_clock.cc",
-    "quiche/quic/core/quic_epoll_connection_helper.cc",
-    "quiche/quic/core/quic_linux_socket_utils.cc",
     "quiche/quic/core/quic_packet_reader.cc",
     "quiche/quic/core/quic_syscall_wrapper.cc",
     "quiche/quic/core/quic_udp_socket_posix.cc",
+    "quiche/quic/masque/masque_client.cc",
     "quiche/quic/masque/masque_client_session.cc",
     "quiche/quic/masque/masque_client_tools.cc",
     "quiche/quic/masque/masque_dispatcher.cc",
+    "quiche/quic/masque/masque_encapsulated_client.cc",
     "quiche/quic/masque/masque_encapsulated_client_session.cc",
-    "quiche/quic/masque/masque_encapsulated_epoll_client.cc",
-    "quiche/quic/masque/masque_epoll_client.cc",
-    "quiche/quic/masque/masque_epoll_server.cc",
+    "quiche/quic/masque/masque_server.cc",
     "quiche/quic/masque/masque_server_backend.cc",
     "quiche/quic/masque/masque_server_session.cc",
     "quiche/quic/masque/masque_utils.cc",
-    "quiche/quic/tools/quic_client.cc",
-    "quiche/quic/tools/quic_client_epoll_network_helper.cc",
+    "quiche/quic/tools/quic_client_default_network_helper.cc",
+    "quiche/quic/tools/quic_default_client.cc",
     "quiche/quic/tools/quic_server.cc"
   ],
-  "epoll_test_support_hdrs": [
-    "quiche/common/platform/api/quiche_epoll_test_tools.h",
-    "quiche/epoll_server/fake_simple_epoll_server.h",
-    "quiche/epoll_server/platform/api/epoll_address_test_utils.h",
-    "quiche/epoll_server/platform/api/epoll_expect_bug.h",
-    "quiche/epoll_server/platform/api/epoll_test.h",
-    "quiche/quic/bindings/quic_libevent.h",
-    "quiche/quic/test_tools/quic_client_peer.h",
+  "io_test_support_hdrs": [
     "quiche/quic/test_tools/quic_mock_syscall_wrapper.h",
     "quiche/quic/test_tools/quic_server_peer.h",
     "quiche/quic/test_tools/quic_test_client.h",
     "quiche/quic/test_tools/quic_test_server.h",
     "quiche/quic/test_tools/server_thread.h"
   ],
-  "epoll_test_support_srcs": [
-    "quiche/epoll_server/fake_simple_epoll_server.cc",
-    "quiche/quic/bindings/quic_libevent.cc",
-    "quiche/quic/test_tools/quic_client_peer.cc",
+  "io_test_support_srcs": [
     "quiche/quic/test_tools/quic_mock_syscall_wrapper.cc",
     "quiche/quic/test_tools/quic_server_peer.cc",
     "quiche/quic/test_tools/quic_test_client.cc",
@@ -1047,6 +1018,8 @@
     "quiche/balsa/balsa_headers_test.cc",
     "quiche/balsa/header_properties_test.cc",
     "quiche/balsa/simple_buffer_test.cc",
+    "quiche/binary_http/binary_http_message_test.cc",
+    "quiche/common/masque/connect_udp_datagram_payload_test.cc",
     "quiche/common/platform/api/quiche_file_utils_test.cc",
     "quiche/common/platform/api/quiche_hostname_utils_test.cc",
     "quiche/common/platform/api/quiche_lower_case_string_test.cc",
@@ -1061,8 +1034,10 @@
     "quiche/common/quiche_data_reader_test.cc",
     "quiche/common/quiche_data_writer_test.cc",
     "quiche/common/quiche_endian_test.cc",
+    "quiche/common/quiche_ip_address_test.cc",
     "quiche/common/quiche_linked_hash_map_test.cc",
     "quiche/common/quiche_mem_slice_storage_test.cc",
+    "quiche/common/quiche_random_test.cc",
     "quiche/common/quiche_text_utils_test.cc",
     "quiche/common/simple_buffer_allocator_test.cc",
     "quiche/common/structured_headers_generated_test.cc",
@@ -1119,7 +1094,6 @@
     "quiche/http2/test_tools/http2_frame_builder_test.cc",
     "quiche/http2/test_tools/http2_random_test.cc",
     "quiche/http2/test_tools/random_decoder_test_base_test.cc",
-    "quiche/quic/bindings/quic_libevent_test.cc",
     "quiche/quic/core/congestion_control/bandwidth_sampler_test.cc",
     "quiche/quic/core/congestion_control/bbr2_simulator_test.cc",
     "quiche/quic/core/congestion_control/bbr_sender_test.cc",
@@ -1163,7 +1137,6 @@
     "quiche/quic/core/crypto/quic_crypto_client_config_test.cc",
     "quiche/quic/core/crypto/quic_crypto_server_config_test.cc",
     "quiche/quic/core/crypto/quic_hkdf_test.cc",
-    "quiche/quic/core/crypto/quic_random_test.cc",
     "quiche/quic/core/crypto/transport_parameters_test.cc",
     "quiche/quic/core/crypto/web_transport_fingerprint_proof_verifier_test.cc",
     "quiche/quic/core/deterministic_connection_id_generator_test.cc",
@@ -1266,7 +1239,6 @@
     "quiche/quic/core/tls_server_handshaker_test.cc",
     "quiche/quic/core/uber_quic_stream_id_manager_test.cc",
     "quiche/quic/core/uber_received_packet_manager_test.cc",
-    "quiche/quic/platform/api/quic_ip_address_test.cc",
     "quiche/quic/platform/api/quic_socket_address_test.cc",
     "quiche/quic/test_tools/crypto_test_utils_test.cc",
     "quiche/quic/test_tools/quic_test_utils_test.cc",
@@ -1274,7 +1246,7 @@
     "quiche/quic/test_tools/simulator/quic_endpoint_test.cc",
     "quiche/quic/test_tools/simulator/simulator_test.cc",
     "quiche/quic/tools/connect_tunnel_test.cc",
-    "quiche/quic/tools/quic_default_client_test.cc",
+    "quiche/quic/tools/connect_udp_tunnel_test.cc",
     "quiche/quic/tools/quic_memory_cache_backend_test.cc",
     "quiche/quic/tools/quic_tcp_like_trace_converter_test.cc",
     "quiche/quic/tools/simple_ticket_crypter_test.cc",
@@ -1298,29 +1270,20 @@
     "quiche/spdy/core/spdy_protocol_test.cc",
     "quiche/spdy/core/spdy_simple_arena_test.cc"
   ],
-  "epoll_tests_hdrs": [
+  "io_tests_hdrs": [
 
   ],
-  "epoll_tests_srcs": [
-    "quiche/epoll_server/simple_epoll_server_test.cc",
-    "quiche/quic/core/batch_writer/quic_batch_writer_buffer_test.cc",
-    "quiche/quic/core/batch_writer/quic_batch_writer_test.cc",
-    "quiche/quic/core/batch_writer/quic_gso_batch_writer_test.cc",
-    "quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer_test.cc",
+  "io_tests_srcs": [
     "quiche/quic/core/chlo_extractor_test.cc",
     "quiche/quic/core/http/end_to_end_test.cc",
     "quiche/quic/core/http/quic_spdy_client_session_test.cc",
     "quiche/quic/core/http/quic_spdy_client_stream_test.cc",
     "quiche/quic/core/http/quic_spdy_server_stream_base_test.cc",
-    "quiche/quic/core/io/event_loop_tcp_client_socket_test.cc",
+    "quiche/quic/core/io/event_loop_connecting_client_socket_test.cc",
     "quiche/quic/core/io/quic_all_event_loops_test.cc",
     "quiche/quic/core/io/quic_poll_event_loop_test.cc",
     "quiche/quic/core/io/socket_test.cc",
-    "quiche/quic/core/quic_epoll_alarm_factory_test.cc",
-    "quiche/quic/core/quic_epoll_clock_test.cc",
-    "quiche/quic/core/quic_epoll_connection_helper_test.cc",
-    "quiche/quic/core/quic_linux_socket_utils_test.cc",
-    "quiche/quic/tools/quic_client_test.cc",
+    "quiche/quic/tools/quic_default_client_test.cc",
     "quiche/quic/tools/quic_server_test.cc",
     "quiche/quic/tools/quic_simple_server_session_test.cc",
     "quiche/quic/tools/quic_simple_server_stream_test.cc",
@@ -1344,6 +1307,7 @@
   ],
   "cli_tools_hdrs": [
     "quiche/quic/tools/quic_epoll_client_factory.h",
+    "quiche/quic/tools/quic_server_factory.h",
     "quiche/quic/tools/quic_toy_client.h",
     "quiche/quic/tools/quic_toy_server.h"
   ],
@@ -1358,6 +1322,7 @@
     "quiche/quic/tools/quic_packet_printer_bin.cc",
     "quiche/quic/tools/quic_reject_reason_decoder_bin.cc",
     "quiche/quic/tools/quic_server_bin.cc",
+    "quiche/quic/tools/quic_server_factory.cc",
     "quiche/quic/tools/quic_toy_client.cc",
     "quiche/quic/tools/quic_toy_server.cc"
   ],
@@ -1402,6 +1367,8 @@
     "quiche/common/platform/default/quiche_platform_impl/quiche_bug_tracker_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_client_stats_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_containers_impl.h",
+    "quiche/common/platform/default/quiche_platform_impl/quiche_default_proof_providers_impl.h",
+    "quiche/common/platform/default/quiche_platform_impl/quiche_event_loop_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_export_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_flag_utils_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_flags_impl.h",
@@ -1418,6 +1385,7 @@
     "quiche/common/platform/default/quiche_platform_impl/quiche_testvalue_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_thread_local_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_time_utils_impl.h",
+    "quiche/common/platform/default/quiche_platform_impl/quiche_udp_socket_platform_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_url_utils_impl.h"
   ],
   "default_platform_impl_srcs": [
@@ -1429,7 +1397,6 @@
   ],
   "default_platform_impl_tool_support_hdrs": [
     "quiche/common/platform/default/quiche_platform_impl/quiche_command_line_flags_impl.h",
-    "quiche/common/platform/default/quiche_platform_impl/quiche_event_loop_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_file_utils_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_stream_buffer_allocator_impl.h",
     "quiche/common/platform/default/quiche_platform_impl/quiche_system_event_loop_impl.h"
@@ -1467,6 +1434,12 @@
     "quiche/quic/load_balancer/load_balancer_server_id_map_test.cc",
     "quiche/quic/load_balancer/load_balancer_server_id_test.cc"
   ],
+  "binary_http_hdrs": [
+    "quiche/binary_http/binary_http_message.h"
+  ],
+  "binary_http_srcs": [
+    "quiche/binary_http/binary_http_message.cc"
+  ],
   "qbone_hdrs": [
     "quiche/quic/qbone/bonnet/icmp_reachable.h",
     "quiche/quic/qbone/bonnet/icmp_reachable_interface.h",
@@ -1546,5 +1519,37 @@
     "quiche/quic/qbone/qbone_session_test.cc",
     "quiche/quic/qbone/qbone_stream.cc",
     "quiche/quic/qbone/qbone_stream_test.cc"
+  ],
+  "libevent_hdrs": [
+    "quiche/quic/bindings/quic_libevent.h"
+  ],
+  "libevent_srcs": [
+    "quiche/quic/bindings/quic_libevent.cc",
+    "quiche/quic/bindings/quic_libevent_test.cc"
+  ],
+  "linux_only_hdrs": [
+    "quiche/quic/core/batch_writer/quic_batch_writer_base.h",
+    "quiche/quic/core/batch_writer/quic_batch_writer_buffer.h",
+    "quiche/quic/core/batch_writer/quic_batch_writer_test.h",
+    "quiche/quic/core/batch_writer/quic_gso_batch_writer.h",
+    "quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer.h",
+    "quiche/quic/core/quic_linux_socket_utils.h"
+  ],
+  "linux_only_srcs": [
+    "quiche/quic/core/batch_writer/quic_batch_writer_base.cc",
+    "quiche/quic/core/batch_writer/quic_batch_writer_buffer.cc",
+    "quiche/quic/core/batch_writer/quic_gso_batch_writer.cc",
+    "quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer.cc",
+    "quiche/quic/core/quic_linux_socket_utils.cc"
+  ],
+  "linux_only_tests_hdrs": [
+
+  ],
+  "linux_only_tests_srcs": [
+    "quiche/quic/core/batch_writer/quic_batch_writer_buffer_test.cc",
+    "quiche/quic/core/batch_writer/quic_batch_writer_test.cc",
+    "quiche/quic/core/batch_writer/quic_gso_batch_writer_test.cc",
+    "quiche/quic/core/batch_writer/quic_sendmmsg_batch_writer_test.cc",
+    "quiche/quic/core/quic_linux_socket_utils_test.cc"
   ]
 }
\ No newline at end of file
diff --git a/chromium/net/third_party/quiche/src/build/test.bzl b/chromium/net/third_party/quiche/src/build/test.bzl
index 9beb0ca3bf1..33bef08aa24 100644
--- a/chromium/net/third_party/quiche/src/build/test.bzl
+++ b/chromium/net/third_party/quiche/src/build/test.bzl
@@ -1,5 +1,6 @@
 """Tools for building QUICHE tests."""
 
+load("@bazel_skylib//lib:dicts.bzl", "dicts")
 load("@bazel_skylib//lib:paths.bzl", "paths")
 
 def test_suite_from_source_list(name, srcs, **kwargs):
@@ -17,10 +18,13 @@ def test_suite_from_source_list(name, srcs, **kwargs):
         if not sourcefile.endswith("_test.cc"):
             fail("All source files passed to test_suite_from_source_list() must end with _test.cc")
         test_name, _ = paths.split_extension(paths.basename(sourcefile))
+        extra_kwargs = {}
+        if test_name == "end_to_end_test":
+            extra_kwargs["shard_count"] = 16
         native.cc_test(
             name = test_name,
             srcs = [sourcefile],
-            **kwargs
+            **dicts.add(kwargs, extra_kwargs)
         )
         tests.append(test_name)
     native.test_suite(name = name, tests = tests)
diff --git a/chromium/net/third_party/quiche/src/quiche/BUILD.bazel b/chromium/net/third_party/quiche/src/quiche/BUILD.bazel
index f372de77d57..bcc50f67ac8 100644
--- a/chromium/net/third_party/quiche/src/quiche/BUILD.bazel
+++ b/chromium/net/third_party/quiche/src/quiche/BUILD.bazel
@@ -4,12 +4,19 @@
 
 load(
     "//build:source_list.bzl",
+    "binary_http_hdrs",
+    "binary_http_srcs",
     "default_platform_impl_hdrs",
     "default_platform_impl_srcs",
     "default_platform_impl_test_support_hdrs",
     "default_platform_impl_test_support_srcs",
     "default_platform_impl_tool_support_hdrs",
     "default_platform_impl_tool_support_srcs",
+    "io_test_support_hdrs",
+    "io_test_support_srcs",
+    "io_tests_srcs",
+    "io_tool_support_hdrs",
+    "io_tool_support_srcs",
     "quiche_core_hdrs",
     "quiche_core_srcs",
     "quiche_test_support_hdrs",
@@ -31,6 +38,13 @@ package(
 )
 
 cc_library(
+    name = "quiche_flags_list",
+    textual_hdrs = [
+        "common/quiche_protocol_flags_list.h",
+    ],
+)
+
+cc_library(
     name = "quic_flags_list",
     textual_hdrs = [
         "quic/core/quic_flags_list.h",
@@ -38,6 +52,20 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "binary_http",
+    srcs = binary_http_srcs,
+    hdrs = binary_http_hdrs,
+    deps = [
+        ":quiche_core",
+        "@com_google_absl//absl/base:core_headers",
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/status:statusor",
+        "@com_google_absl//absl/strings",
+    ],
+)
+
 # QUICHE_EXPORT is used by all platform definitions, and thus needs to be handled separately.
 cc_library(
     name = "quiche_platform_default_quiche_export",
@@ -62,6 +90,7 @@ cc_library(
     strip_include_prefix = "common/platform/default",
     deps = [
         ":quic_flags_list",
+        ":quiche_flags_list",
         ":quiche_platform_quiche_export",
         "@com_google_absl//absl/base:core_headers",
         "@com_google_absl//absl/container:flat_hash_map",
@@ -146,6 +175,7 @@ cc_library(
         "@boringssl//:ssl",
         "@com_google_absl//absl/algorithm:container",
         "@com_google_absl//absl/base:core_headers",
+        "@com_google_absl//absl/cleanup",
         "@com_google_absl//absl/container:btree",
         "@com_google_absl//absl/container:flat_hash_map",
         "@com_google_absl//absl/container:flat_hash_set",
@@ -154,6 +184,8 @@ cc_library(
         "@com_google_absl//absl/hash",
         "@com_google_absl//absl/memory",
         "@com_google_absl//absl/numeric:int128",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/status:statusor",
         "@com_google_absl//absl/strings",
         "@com_google_absl//absl/strings:str_format",
         "@com_google_absl//absl/time",
@@ -177,9 +209,12 @@ cc_library(
         "@com_google_absl//absl/container:flat_hash_map",
         "@com_google_absl//absl/container:flat_hash_set",
         "@com_google_absl//absl/memory",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/status:statusor",
         "@com_google_absl//absl/strings",
         "@com_google_absl//absl/strings:str_format",
         "@com_google_absl//absl/types:optional",
+        "@com_google_absl//absl/types:span",
         "@com_google_googletest//:gtest",
         "@com_google_googleurl//url",
     ],
@@ -191,6 +226,7 @@ cc_library(
     srcs = quiche_test_support_srcs,
     hdrs = quiche_test_support_hdrs,
     deps = [
+        ":binary_http",
         ":quiche_core",
         ":quiche_platform_default_testonly",
         ":quiche_protobufs_testonly_cc_proto",
@@ -216,6 +252,100 @@ test_suite_from_source_list(
         "quic/test_tools/quic_http_response_cache_data/**",
     ]),
     deps = [
+        ":binary_http",
+        ":quiche_core",
+        ":quiche_platform_default_testonly",
+        ":quiche_protobufs_testonly_cc_proto",
+        ":quiche_test_support",
+        ":quiche_tool_support",
+        "@boringssl//:crypto",
+        "@boringssl//:ssl",
+        "@com_google_absl//absl/algorithm:container",
+        "@com_google_absl//absl/base:core_headers",
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/container:flat_hash_set",
+        "@com_google_absl//absl/container:node_hash_map",
+        "@com_google_absl//absl/functional:bind_front",
+        "@com_google_absl//absl/hash",
+        "@com_google_absl//absl/memory",
+        "@com_google_absl//absl/numeric:int128",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/status:statusor",
+        "@com_google_absl//absl/strings",
+        "@com_google_absl//absl/strings:str_format",
+        "@com_google_absl//absl/types:optional",
+        "@com_google_googletest//:gtest_main",
+        "@com_google_googleurl//url",
+    ],
+)
+
+cc_library(
+    name = "io_tool_support",
+    srcs = io_tool_support_srcs,
+    hdrs = io_tool_support_hdrs,
+    deps = [
+        ":quiche_core",
+        ":quiche_platform_default_tools",
+        ":quiche_tool_support",
+        "@boringssl//:crypto",
+        "@com_google_absl//absl/algorithm:container",
+        "@com_google_absl//absl/base:core_headers",
+        "@com_google_absl//absl/cleanup",
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/container:flat_hash_set",
+        "@com_google_absl//absl/memory",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/status:statusor",
+        "@com_google_absl//absl/strings",
+        "@com_google_absl//absl/strings:str_format",
+        "@com_google_absl//absl/types:optional",
+        "@com_google_absl//absl/types:span",
+        "@com_google_absl//absl/types:variant",
+        "@com_google_googleurl//url",
+    ],
+)
+
+cc_library(
+    name = "io_test_support",
+    testonly = 1,
+    srcs = io_test_support_srcs,
+    hdrs = io_test_support_hdrs,
+    deps = [
+        ":io_tool_support",
+        ":quiche_core",
+        ":quiche_platform_default_tools",
+        ":quiche_test_support",
+        ":quiche_tool_support",
+        "@boringssl//:crypto",
+        "@com_google_absl//absl/algorithm:container",
+        "@com_google_absl//absl/base:core_headers",
+        "@com_google_absl//absl/cleanup",
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/container:flat_hash_set",
+        "@com_google_absl//absl/memory",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/status:statusor",
+        "@com_google_absl//absl/strings",
+        "@com_google_absl//absl/strings:str_format",
+        "@com_google_absl//absl/types:optional",
+        "@com_google_absl//absl/types:span",
+        "@com_google_absl//absl/types:variant",
+        "@com_google_googletest//:gtest",
+        "@com_google_googleurl//url",
+    ],
+)
+
+test_suite_from_source_list(
+    name = "io_tests",
+    srcs = io_tests_srcs,
+    data = glob([
+        "common/platform/api/testdir/**",
+        "quic/test_tools/quic_http_response_cache_data/**",
+    ]),
+    deps = [
+        ":binary_http",
+        ":io_test_support",
+        ":io_tool_support",
         ":quiche_core",
         ":quiche_platform_default_testonly",
         ":quiche_protobufs_testonly_cc_proto",
@@ -225,6 +355,7 @@ test_suite_from_source_list(
         "@boringssl//:ssl",
         "@com_google_absl//absl/algorithm:container",
         "@com_google_absl//absl/base:core_headers",
+        "@com_google_absl//absl/cleanup",
         "@com_google_absl//absl/container:flat_hash_map",
         "@com_google_absl//absl/container:flat_hash_set",
         "@com_google_absl//absl/container:node_hash_map",
@@ -232,10 +363,17 @@ test_suite_from_source_list(
         "@com_google_absl//absl/hash",
         "@com_google_absl//absl/memory",
         "@com_google_absl//absl/numeric:int128",
+        "@com_google_absl//absl/status",
+        "@com_google_absl//absl/status:statusor",
         "@com_google_absl//absl/strings",
         "@com_google_absl//absl/strings:str_format",
+        "@com_google_absl//absl/time",
         "@com_google_absl//absl/types:optional",
+        "@com_google_absl//absl/types:span",
+        "@com_google_absl//absl/types:variant",
+        "@com_google_googletest//:gtest",
         "@com_google_googletest//:gtest_main",
+        "@com_google_googleurl//url",
     ],
 )
 
@@ -259,6 +397,12 @@ alias(
 )
 
 alias(
+    name = "binary_http_unstable_api",
+    actual = ":binary_http",
+    visibility = ["//visibility:public"],
+)
+
+alias(
     name = "quiche_unstable_api_tool_support",
     actual = ":quiche_tool_support",
     visibility = ["//visibility:public"],
diff --git a/chromium/net/third_party/quiche/src/quiche/binary_http/binary_http_message.cc b/chromium/net/third_party/quiche/src/quiche/binary_http/binary_http_message.cc
new file mode 100644
index 00000000000..93d25bf48d3
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/binary_http/binary_http_message.cc
@@ -0,0 +1,436 @@
+#include "quiche/binary_http/binary_http_message.h"
+
+#include <cstdint>
+#include <functional>
+#include <iterator>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "absl/container/flat_hash_map.h"
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/ascii.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/str_join.h"
+#include "absl/strings/string_view.h"
+#include "quiche/common/quiche_data_reader.h"
+#include "quiche/common/quiche_data_writer.h"
+
+namespace quiche {
+namespace {
+
+constexpr uint8_t kKnownLengthRequestFraming = 0;
+constexpr uint8_t kKnownLengthResponseFraming = 1;
+
+bool ReadStringValue(quiche::QuicheDataReader& reader, std::string& data) {
+  absl::string_view data_view;
+  if (!reader.ReadStringPieceVarInt62(&data_view)) {
+    return false;
+  }
+  data = std::string(data_view);
+  return true;
+}
+
+absl::StatusOr<BinaryHttpRequest::ControlData> DecodeControlData(
+    quiche::QuicheDataReader& reader) {
+  BinaryHttpRequest::ControlData control_data;
+  if (!ReadStringValue(reader, control_data.method)) {
+    return absl::InvalidArgumentError("Failed to read method.");
+  }
+  if (!ReadStringValue(reader, control_data.scheme)) {
+    return absl::InvalidArgumentError("Failed to read scheme.");
+  }
+  if (!ReadStringValue(reader, control_data.authority)) {
+    return absl::InvalidArgumentError("Failed to read authority.");
+  }
+  if (!ReadStringValue(reader, control_data.path)) {
+    return absl::InvalidArgumentError("Failed to read path.");
+  }
+  return control_data;
+}
+
+absl::Status DecodeFields(
+    quiche::QuicheDataReader& reader,
+    const std::function<void(absl::string_view name, absl::string_view value)>&
+        callback) {
+  absl::string_view fields;
+  if (!reader.ReadStringPieceVarInt62(&fields)) {
+    return absl::InvalidArgumentError("Failed to read fields.");
+  }
+  quiche::QuicheDataReader fields_reader(fields);
+  while (!fields_reader.IsDoneReading()) {
+    absl::string_view name;
+    if (!fields_reader.ReadStringPieceVarInt62(&name)) {
+      return absl::InvalidArgumentError("Failed to read field name.");
+    }
+    absl::string_view value;
+    if (!fields_reader.ReadStringPieceVarInt62(&value)) {
+      return absl::InvalidArgumentError("Failed to read field value.");
+    }
+    callback(name, value);
+  }
+  return absl::OkStatus();
+}
+
+absl::Status DecodeFieldsAndBody(quiche::QuicheDataReader& reader,
+                                 BinaryHttpMessage& message) {
+  if (const absl::Status status = DecodeFields(
+          reader,
+          [&message](absl::string_view name, absl::string_view value) {
+            message.AddHeaderField({std::string(name), std::string(value)});
+          });
+      !status.ok()) {
+    return status;
+  }
+  // TODO(bschneider): Handle case where remaining message is truncated.
+  // Skip it on encode as well.
+  // https://www.ietf.org/archive/id/draft-ietf-httpbis-binary-message-06.html#name-padding-and-truncation
+  absl::string_view body;
+  if (!reader.ReadStringPieceVarInt62(&body)) {
+    return absl::InvalidArgumentError("Failed to read body.");
+  }
+  message.set_body(std::string(body));
+  // TODO(bschneider): Check for / read-in any trailer-fields
+  return absl::OkStatus();
+}
+
+absl::StatusOr<BinaryHttpRequest> DecodeKnownLengthRequest(
+    quiche::QuicheDataReader& reader) {
+  const auto control_data = DecodeControlData(reader);
+  if (!control_data.ok()) {
+    return control_data.status();
+  }
+  BinaryHttpRequest request(std::move(*control_data));
+  if (const absl::Status status = DecodeFieldsAndBody(reader, request);
+      !status.ok()) {
+    return status;
+  }
+  return request;
+}
+
+absl::StatusOr<BinaryHttpResponse> DecodeKnownLengthResponse(
+    quiche::QuicheDataReader& reader) {
+  std::vector<std::pair<uint16_t, std::vector<BinaryHttpMessage::Field>>>
+      informational_responses;
+  uint64_t status_code;
+  bool reading_response_control_data = true;
+  while (reading_response_control_data) {
+    if (!reader.ReadVarInt62(&status_code)) {
+      return absl::InvalidArgumentError("Failed to read status code.");
+    }
+    if (status_code >= 100 && status_code <= 199) {
+      std::vector<BinaryHttpMessage::Field> fields;
+      if (const absl::Status status = DecodeFields(
+              reader,
+              [&fields](absl::string_view name, absl::string_view value) {
+                fields.push_back({std::string(name), std::string(value)});
+              });
+          !status.ok()) {
+        return status;
+      }
+      informational_responses.emplace_back(status_code, std::move(fields));
+    } else {
+      reading_response_control_data = false;
+    }
+  }
+  BinaryHttpResponse response(status_code);
+  for (const auto& informational_response : informational_responses) {
+    if (const absl::Status status = response.AddInformationalResponse(
+            informational_response.first,
+            std::move(informational_response.second));
+        !status.ok()) {
+      return status;
+    }
+  }
+  if (const absl::Status status = DecodeFieldsAndBody(reader, response);
+      !status.ok()) {
+    return status;
+  }
+  return response;
+}
+
+uint64_t StringPieceVarInt62Len(absl::string_view s) {
+  return quiche::QuicheDataWriter::GetVarInt62Len(s.length()) + s.length();
+}
+
+}  // namespace
+
+void BinaryHttpMessage::Fields::AddField(BinaryHttpMessage::Field field) {
+  fields_.push_back(std::move(field));
+}
+
+// Encode fields in the order they were initially inserted.
+// Updates do not change order.
+absl::Status BinaryHttpMessage::Fields::Encode(
+    quiche::QuicheDataWriter& writer) const {
+  if (!writer.WriteVarInt62(EncodedFieldsSize())) {
+    return absl::InvalidArgumentError("Failed to write encoded field size.");
+  }
+  for (const BinaryHttpMessage::Field& field : fields_) {
+    if (!writer.WriteStringPieceVarInt62(field.name)) {
+      return absl::InvalidArgumentError("Failed to write field name.");
+    }
+    if (!writer.WriteStringPieceVarInt62(field.value)) {
+      return absl::InvalidArgumentError("Failed to write field value.");
+    }
+  }
+  return absl::OkStatus();
+}
+
+uint64_t BinaryHttpMessage::Fields::EncodedSize() const {
+  uint64_t size = EncodedFieldsSize();
+  return size + quiche::QuicheDataWriter::GetVarInt62Len(size);
+}
+
+uint64_t BinaryHttpMessage::Fields::EncodedFieldsSize() const {
+  uint64_t size = 0;
+  for (const BinaryHttpMessage::Field& field : fields_) {
+    size += StringPieceVarInt62Len(field.name) +
+            StringPieceVarInt62Len(field.value);
+  }
+  return size;
+}
+
+BinaryHttpMessage* BinaryHttpMessage::AddHeaderField(
+    BinaryHttpMessage::Field field) {
+  const std::string lower_name = absl::AsciiStrToLower(field.name);
+  if (lower_name == "host") {
+    has_host_ = true;
+  }
+  header_fields_.AddField({std::move(lower_name), std::move(field.value)});
+  return this;
+}
+
+// Appends the encoded fields and body to data.
+absl::Status BinaryHttpMessage::EncodeKnownLengthFieldsAndBody(
+    quiche::QuicheDataWriter& writer) const {
+  if (const absl::Status status = header_fields_.Encode(writer); !status.ok()) {
+    return status;
+  }
+  if (!writer.WriteStringPieceVarInt62(body_)) {
+    return absl::InvalidArgumentError("Failed to encode body.");
+  }
+  // TODO(bschneider): Consider support for trailer fields on known-length
+  // requests. Trailers are atypical for a known-length request.
+  return absl::OkStatus();
+}
+
+uint64_t BinaryHttpMessage::EncodedKnownLengthFieldsAndBodySize() const {
+  return header_fields_.EncodedSize() + StringPieceVarInt62Len(body_);
+}
+
+absl::Status BinaryHttpResponse::AddInformationalResponse(
+    uint16_t status_code, std::vector<Field> header_fields) {
+  if (status_code < 100) {
+    return absl::InvalidArgumentError("status code < 100");
+  }
+  if (status_code > 199) {
+    return absl::InvalidArgumentError("status code > 199");
+  }
+  InformationalResponse data(status_code);
+  for (Field& header : header_fields) {
+    data.AddField(header.name, std::move(header.value));
+  }
+  informational_response_control_data_.push_back(std::move(data));
+  return absl::OkStatus();
+}
+
+absl::StatusOr<std::string> BinaryHttpResponse::Serialize() const {
+  // Only supporting known length requests so far.
+  return EncodeAsKnownLength();
+}
+
+absl::StatusOr<std::string> BinaryHttpResponse::EncodeAsKnownLength() const {
+  std::string data;
+  data.resize(EncodedSize());
+  quiche::QuicheDataWriter writer(data.size(), data.data());
+  if (!writer.WriteUInt8(kKnownLengthResponseFraming)) {
+    return absl::InvalidArgumentError("Failed to write framing indicator");
+  }
+  // Informational response
+  for (const auto& informational : informational_response_control_data_) {
+    if (const absl::Status status = informational.Encode(writer);
+        !status.ok()) {
+      return status;
+    }
+  }
+  if (!writer.WriteVarInt62(status_code_)) {
+    return absl::InvalidArgumentError("Failed to write status code");
+  }
+  if (const absl::Status status = EncodeKnownLengthFieldsAndBody(writer);
+      !status.ok()) {
+    return status;
+  }
+  QUICHE_DCHECK_EQ(writer.remaining(), 0u);
+  return data;
+}
+
+uint64_t BinaryHttpResponse::EncodedSize() const {
+  uint64_t size = sizeof(kKnownLengthResponseFraming);
+  for (const auto& informational : informational_response_control_data_) {
+    size += informational.EncodedSize();
+  }
+  return size + quiche::QuicheDataWriter::GetVarInt62Len(status_code_) +
+         EncodedKnownLengthFieldsAndBodySize();
+}
+
+void BinaryHttpResponse::InformationalResponse::AddField(absl::string_view name,
+                                                         std::string value) {
+  fields_.AddField({absl::AsciiStrToLower(name), std::move(value)});
+}
+
+// Appends the encoded fields and body to data.
+absl::Status BinaryHttpResponse::InformationalResponse::Encode(
+    quiche::QuicheDataWriter& writer) const {
+  writer.WriteVarInt62(status_code_);
+  return fields_.Encode(writer);
+}
+
+uint64_t BinaryHttpResponse::InformationalResponse::EncodedSize() const {
+  return quiche::QuicheDataWriter::GetVarInt62Len(status_code_) +
+         fields_.EncodedSize();
+}
+
+absl::StatusOr<std::string> BinaryHttpRequest::Serialize() const {
+  // Only supporting known length requests so far.
+  return EncodeAsKnownLength();
+}
+
+// https://www.ietf.org/archive/id/draft-ietf-httpbis-binary-message-06.html#name-request-control-data
+absl::Status BinaryHttpRequest::EncodeControlData(
+    quiche::QuicheDataWriter& writer) const {
+  if (!writer.WriteStringPieceVarInt62(control_data_.method)) {
+    return absl::InvalidArgumentError("Failed to encode method.");
+  }
+  if (!writer.WriteStringPieceVarInt62(control_data_.scheme)) {
+    return absl::InvalidArgumentError("Failed to encode scheme.");
+  }
+  // the Host header field is not replicated in the :authority field, as is
+  // required for ensuring that the request is reproduced accurately; see
+  // Section 8.1.2.3 of [H2].
+  if (!has_host()) {
+    if (!writer.WriteStringPieceVarInt62(control_data_.authority)) {
+      return absl::InvalidArgumentError("Failed to encode authority.");
+    }
+  } else {
+    if (!writer.WriteStringPieceVarInt62("")) {
+      return absl::InvalidArgumentError("Failed to encode authority.");
+    }
+  }
+  if (!writer.WriteStringPieceVarInt62(control_data_.path)) {
+    return absl::InvalidArgumentError("Failed to encode path.");
+  }
+  return absl::OkStatus();
+}
+
+uint64_t BinaryHttpRequest::EncodedControlDataSize() const {
+  uint64_t size = StringPieceVarInt62Len(control_data_.method) +
+                  StringPieceVarInt62Len(control_data_.scheme) +
+                  StringPieceVarInt62Len(control_data_.path);
+  if (!has_host()) {
+    size += StringPieceVarInt62Len(control_data_.authority);
+  } else {
+    size += StringPieceVarInt62Len("");
+  }
+  return size;
+}
+
+uint64_t BinaryHttpRequest::EncodedSize() const {
+  return sizeof(kKnownLengthRequestFraming) + EncodedControlDataSize() +
+         EncodedKnownLengthFieldsAndBodySize();
+}
+
+// https://www.ietf.org/archive/id/draft-ietf-httpbis-binary-message-06.html#name-known-length-messages
+absl::StatusOr<std::string> BinaryHttpRequest::EncodeAsKnownLength() const {
+  std::string data;
+  data.resize(EncodedSize());
+  quiche::QuicheDataWriter writer(data.size(), data.data());
+  if (!writer.WriteUInt8(kKnownLengthRequestFraming)) {
+    return absl::InvalidArgumentError("Failed to encode framing indicator.");
+  }
+  if (const absl::Status status = EncodeControlData(writer); !status.ok()) {
+    return status;
+  }
+  if (const absl::Status status = EncodeKnownLengthFieldsAndBody(writer);
+      !status.ok()) {
+    return status;
+  }
+  QUICHE_DCHECK_EQ(writer.remaining(), 0u);
+  return data;
+}
+
+absl::StatusOr<BinaryHttpRequest> BinaryHttpRequest::Create(
+    absl::string_view data) {
+  quiche::QuicheDataReader reader(data);
+  uint8_t framing;
+  if (!reader.ReadUInt8(&framing)) {
+    return absl::InvalidArgumentError("Missing framing indicator.");
+  }
+  if (framing == kKnownLengthRequestFraming) {
+    return DecodeKnownLengthRequest(reader);
+  }
+  return absl::UnimplementedError(
+      absl::StrCat("Unsupported framing type ", framing));
+}
+
+absl::StatusOr<BinaryHttpResponse> BinaryHttpResponse::Create(
+    absl::string_view data) {
+  quiche::QuicheDataReader reader(data);
+  uint8_t framing;
+  if (!reader.ReadUInt8(&framing)) {
+    return absl::InvalidArgumentError("Missing framing indicator.");
+  }
+  if (framing == kKnownLengthResponseFraming) {
+    return DecodeKnownLengthResponse(reader);
+  }
+  return absl::UnimplementedError(
+      absl::StrCat("Unsupported framing type ", framing));
+}
+
+std::string BinaryHttpMessage::DebugString() const {
+  std::vector<std::string> headers;
+  for (const auto& field : GetHeaderFields()) {
+    headers.emplace_back(field.DebugString());
+  }
+  return absl::StrCat("BinaryHttpMessage{Headers{",
+                      absl::StrJoin(headers, ";;"), "}Body{", body(), "}}");
+}
+
+std::string BinaryHttpMessage::Field::DebugString() const {
+  return absl::StrCat(name, "=", value);
+}
+
+std::string BinaryHttpResponse::InformationalResponse::DebugString() const {
+  std::vector<std::string> fs;
+  for (const auto& field : fields()) {
+    fs.emplace_back(field.DebugString());
+  }
+  return absl::StrCat("InformationalResponse{", absl::StrJoin(fs, ";;"), "}");
+}
+
+std::string BinaryHttpResponse::DebugString() const {
+  std::vector<std::string> irs;
+  for (const auto& ir : informational_responses()) {
+    irs.emplace_back(ir.DebugString());
+  }
+  return absl::StrCat("BinaryHttpResponse(", status_code_, "){",
+                      BinaryHttpMessage::DebugString(),
+                      absl::StrJoin(irs, ";;"), "}");
+}
+
+std::string BinaryHttpRequest::DebugString() const {
+  return absl::StrCat("BinaryHttpRequest{", BinaryHttpMessage::DebugString(),
+                      "}");
+}
+
+void PrintTo(const BinaryHttpRequest& msg, std::ostream* os) {
+  *os << msg.DebugString();
+}
+
+void PrintTo(const BinaryHttpResponse& msg, std::ostream* os) {
+  *os << msg.DebugString();
+}
+
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/quiche/binary_http/binary_http_message.h b/chromium/net/third_party/quiche/src/quiche/binary_http/binary_http_message.h
new file mode 100644
index 00000000000..852df937c36
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/binary_http/binary_http_message.h
@@ -0,0 +1,264 @@
+#ifndef QUICHE_BINARY_HTTP_BINARY_HTTP_MESSAGE_H_
+#define QUICHE_BINARY_HTTP_BINARY_HTTP_MESSAGE_H_
+
+#include <cstdint>
+#include <functional>
+#include <memory>
+#include <ostream>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "absl/container/flat_hash_map.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "quiche/common/platform/api/quiche_export.h"
+#include "quiche/common/quiche_data_writer.h"
+
+namespace quiche {
+
+// Supports encoding and decoding Binary Http messages.
+// Currently limited to known-length messages.
+// https://www.ietf.org/archive/id/draft-ietf-httpbis-binary-message-06.html
+class QUICHE_EXPORT_PRIVATE BinaryHttpMessage {
+ public:
+  // Name value pair of either a header or trailer field.
+  struct Field {
+    std::string name;
+    std::string value;
+    bool operator==(const BinaryHttpMessage::Field& rhs) const {
+      return name == rhs.name && value == rhs.value;
+    }
+
+    bool operator!=(const BinaryHttpMessage::Field& rhs) const {
+      return !(*this == rhs);
+    }
+
+    std::string DebugString() const;
+  };
+  virtual ~BinaryHttpMessage() = default;
+
+  // TODO(bschneider): Switch to use existing Http2HeaderBlock
+  BinaryHttpMessage* AddHeaderField(Field header_field);
+
+  const std::vector<Field>& GetHeaderFields() const {
+    return header_fields_.fields();
+  }
+
+  BinaryHttpMessage* set_body(std::string body) {
+    body_ = std::move(body);
+    return this;
+  }
+
+  void swap_body(std::string& body) { body_.swap(body); }
+
+  absl::string_view body() const { return body_; }
+
+  // Returns the Binary Http formatted message.
+  virtual absl::StatusOr<std::string> Serialize() const = 0;
+  // TODO(bschneider): Add AddTrailerField for chunked messages
+  // TODO(bschneider): Add SetBodyCallback() for chunked messages
+
+  virtual std::string DebugString() const;
+
+ protected:
+  class Fields {
+   public:
+    // Appends `field` to list of fields.  Can contain duplicates.
+    void AddField(BinaryHttpMessage::Field field);
+
+    const std::vector<BinaryHttpMessage::Field>& fields() const {
+      return fields_;
+    }
+
+    bool operator==(const BinaryHttpMessage::Fields& rhs) const {
+      return fields_ == rhs.fields_;
+    }
+
+    // Encode fields in insertion order.
+    // https://www.ietf.org/archive/id/draft-ietf-httpbis-binary-message-06.html#name-header-and-trailer-field-li
+    absl::Status Encode(quiche::QuicheDataWriter& writer) const;
+
+    // The number of returned by EncodedFieldsSize
+    // plus the number of bytes used in the varint holding that value.
+    uint64_t EncodedSize() const;
+
+   private:
+    // Number of bytes of just the set of fields.
+    uint64_t EncodedFieldsSize() const;
+
+    // Fields in insertion order.
+    std::vector<BinaryHttpMessage::Field> fields_;
+  };
+
+  bool operator==(const BinaryHttpMessage& rhs) const {
+    // `has_host_` is derived from `header_fields_` so it doesn't need to be
+    // tested directly.
+    return body_ == rhs.body_ && header_fields_ == rhs.header_fields_;
+  }
+
+  absl::Status EncodeKnownLengthFieldsAndBody(
+      quiche::QuicheDataWriter& writer) const;
+  uint64_t EncodedKnownLengthFieldsAndBodySize() const;
+  bool has_host() const { return has_host_; }
+
+ private:
+  std::string body_;
+  Fields header_fields_;
+  bool has_host_ = false;
+};
+
+class QUICHE_EXPORT_PRIVATE BinaryHttpRequest : public BinaryHttpMessage {
+ public:
+  // HTTP request must have all of the following fields.
+  // Some examples are:
+  //   scheme: HTTP
+  //   authority: www.example.com
+  //   path: /index.html
+  struct ControlData {
+    std::string method;
+    std::string scheme;
+    std::string authority;
+    std::string path;
+    bool operator==(const BinaryHttpRequest::ControlData& rhs) const {
+      return method == rhs.method && scheme == rhs.scheme &&
+             authority == rhs.authority && path == rhs.path;
+    }
+    bool operator!=(const BinaryHttpRequest::ControlData& rhs) const {
+      return !(*this == rhs);
+    }
+  };
+  explicit BinaryHttpRequest(ControlData control_data)
+      : control_data_(std::move(control_data)) {}
+
+  // Deserialize
+  static absl::StatusOr<BinaryHttpRequest> Create(absl::string_view data);
+
+  absl::StatusOr<std::string> Serialize() const override;
+  const ControlData& control_data() const { return control_data_; }
+
+  virtual std::string DebugString() const override;
+
+  bool operator==(const BinaryHttpRequest& rhs) const {
+    return control_data_ == rhs.control_data_ &&
+           BinaryHttpMessage::operator==(rhs);
+  }
+
+  bool operator!=(const BinaryHttpRequest& rhs) const {
+    return !(*this == rhs);
+  }
+
+ private:
+  absl::Status EncodeControlData(quiche::QuicheDataWriter& writer) const;
+
+  uint64_t EncodedControlDataSize() const;
+
+  uint64_t EncodedSize() const;
+
+  // Returns Binary Http known length request formatted request.
+  absl::StatusOr<std::string> EncodeAsKnownLength() const;
+
+  const ControlData control_data_;
+};
+
+void PrintTo(const BinaryHttpRequest& msg, std::ostream* os);
+
+class QUICHE_EXPORT_PRIVATE BinaryHttpResponse : public BinaryHttpMessage {
+ public:
+  // https://www.ietf.org/archive/id/draft-ietf-httpbis-binary-message-06.html#name-response-control-data
+  // A response can contain 0 to N informational responses.  Each informational
+  // response contains a status code followed by a header field. Valid status
+  // codes are [100,199].
+  class InformationalResponse {
+   public:
+    explicit InformationalResponse(uint16_t status_code)
+        : status_code_(status_code) {}
+    InformationalResponse(uint16_t status_code,
+                          const std::vector<BinaryHttpMessage::Field>& fields)
+        : status_code_(status_code) {
+      for (const BinaryHttpMessage::Field& field : fields) {
+        AddField(field.name, field.value);
+      }
+    }
+
+    bool operator==(
+        const BinaryHttpResponse::InformationalResponse& rhs) const {
+      return status_code_ == rhs.status_code_ && fields_ == rhs.fields_;
+    }
+
+    bool operator!=(
+        const BinaryHttpResponse::InformationalResponse& rhs) const {
+      return !(*this == rhs);
+    }
+
+    // Adds a field with the provided name, converted to lower case.
+    // Fields are in the order they are added.
+    void AddField(absl::string_view name, std::string value);
+
+    const std::vector<BinaryHttpMessage::Field>& fields() const {
+      return fields_.fields();
+    }
+
+    uint16_t status_code() const { return status_code_; }
+
+    std::string DebugString() const;
+
+   private:
+    // Give BinaryHttpResponse access to Encoding functionality.
+    friend class BinaryHttpResponse;
+
+    uint64_t EncodedSize() const;
+
+    // Appends the encoded fields and body to `writer`.
+    absl::Status Encode(quiche::QuicheDataWriter& writer) const;
+
+    const uint16_t status_code_;
+    BinaryHttpMessage::Fields fields_;
+  };
+
+  explicit BinaryHttpResponse(uint16_t status_code)
+      : status_code_(status_code) {}
+
+  // Deserialize
+  static absl::StatusOr<BinaryHttpResponse> Create(absl::string_view data);
+
+  absl::StatusOr<std::string> Serialize() const override;
+
+  // Informational status codes must be between 100 and 199 inclusive.
+  absl::Status AddInformationalResponse(uint16_t status_code,
+                                        std::vector<Field> header_fields);
+
+  uint16_t status_code() const { return status_code_; }
+
+  // References in the returned `ResponseControlData` are invalidated on
+  // `BinaryHttpResponse` object mutations.
+  const std::vector<InformationalResponse>& informational_responses() const {
+    return informational_response_control_data_;
+  }
+
+  virtual std::string DebugString() const override;
+
+  bool operator==(const BinaryHttpResponse& rhs) const {
+    return informational_response_control_data_ ==
+               rhs.informational_response_control_data_ &&
+           status_code_ == rhs.status_code_ &&
+           BinaryHttpMessage::operator==(rhs);
+  }
+  bool operator!=(const BinaryHttpResponse& rhs) const {
+    return !(*this == rhs);
+  }
+
+ private:
+  // Returns Binary Http known length request formatted response.
+  absl::StatusOr<std::string> EncodeAsKnownLength() const;
+
+  uint64_t EncodedSize() const;
+
+  std::vector<InformationalResponse> informational_response_control_data_;
+  const uint16_t status_code_;
+};
+
+void PrintTo(const BinaryHttpResponse& msg, std::ostream* os);
+}  // namespace quiche
+
+#endif  // QUICHE_BINARY_HTTP_BINARY_HTTP_MESSAGE_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/binary_http/binary_http_message_test.cc b/chromium/net/third_party/quiche/src/quiche/binary_http/binary_http_message_test.cc
new file mode 100644
index 00000000000..dc6b279386d
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/binary_http/binary_http_message_test.cc
@@ -0,0 +1,692 @@
+#include "quiche/binary_http/binary_http_message.h"
+
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "absl/container/flat_hash_map.h"
+#include "quiche/common/platform/api/quiche_test.h"
+
+using ::testing::ContainerEq;
+using ::testing::FieldsAre;
+using ::testing::StrEq;
+
+namespace quiche {
+namespace {
+
+std::string WordToBytes(uint32_t word) {
+  return std::string({static_cast<char>(word >> 24),
+                      static_cast<char>(word >> 16),
+                      static_cast<char>(word >> 8), static_cast<char>(word)});
+}
+
+template <class T>
+void TestPrintTo(const T& resp) {
+  std::ostringstream os;
+  PrintTo(resp, &os);
+  EXPECT_EQ(os.str(), resp.DebugString());
+}
+}  // namespace
+// Test examples from
+// https://www.ietf.org/archive/id/draft-ietf-httpbis-binary-message-06.html
+
+TEST(BinaryHttpRequest, EncodeGetNoBody) {
+  /*
+    GET /hello.txt HTTP/1.1
+    User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
+    Host: www.example.com
+    Accept-Language: en, mi
+  */
+  BinaryHttpRequest request({"GET", "https", "www.example.com", "/hello.txt"});
+  request
+      .AddHeaderField({"User-Agent",
+                       "curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3"})
+      ->AddHeaderField({"Host", "www.example.com"})
+      ->AddHeaderField({"Accept-Language", "en, mi"});
+  /*
+      00000000: 00034745 54056874 74707300 0a2f6865  ..GET.https../he
+      00000010: 6c6c6f2e 74787440 6c0a7573 65722d61  llo.txt@l.user-a
+      00000020: 67656e74 34637572 6c2f372e 31362e33  gent4curl/7.16.3
+      00000030: 206c6962 6375726c 2f372e31 362e3320   libcurl/7.16.3
+      00000040: 4f70656e 53534c2f 302e392e 376c207a  OpenSSL/0.9.7l z
+      00000050: 6c69622f 312e322e 3304686f 73740f77  lib/1.2.3.host.w
+      00000060: 77772e65 78616d70 6c652e63 6f6d0f61  ww.example.com.a
+      00000070: 63636570 742d6c61 6e677561 67650665  ccept-language.e
+      00000080: 6e2c206d 6900                        n, mi..
+  */
+  const uint32_t expected_words[] = {
+      0x00034745, 0x54056874, 0x74707300, 0x0a2f6865, 0x6c6c6f2e, 0x74787440,
+      0x6c0a7573, 0x65722d61, 0x67656e74, 0x34637572, 0x6c2f372e, 0x31362e33,
+      0x206c6962, 0x6375726c, 0x2f372e31, 0x362e3320, 0x4f70656e, 0x53534c2f,
+      0x302e392e, 0x376c207a, 0x6c69622f, 0x312e322e, 0x3304686f, 0x73740f77,
+      0x77772e65, 0x78616d70, 0x6c652e63, 0x6f6d0f61, 0x63636570, 0x742d6c61,
+      0x6e677561, 0x67650665, 0x6e2c206d, 0x69000000};
+  std::string expected;
+  for (const auto& word : expected_words) {
+    expected += WordToBytes(word);
+  }
+  // Remove padding.
+  expected.resize(expected.size() - 2);
+
+  const auto result = request.Serialize();
+  ASSERT_TRUE(result.ok());
+  ASSERT_EQ(*result, expected);
+  EXPECT_THAT(
+      request.DebugString(),
+      StrEq(
+          "BinaryHttpRequest{BinaryHttpMessage{Headers{user-agent=curl/7.16.3 "
+          "libcurl/7.16.3 OpenSSL/0.9.7l "
+          "zlib/1.2.3;;host=www.example.com;;accept-language=en, mi}Body{}}}"));
+  TestPrintTo(request);
+}
+
+TEST(BinaryHttpRequest, DecodeGetNoBody) {
+  const uint32_t words[] = {
+      0x00034745, 0x54056874, 0x74707300, 0x0a2f6865, 0x6c6c6f2e, 0x74787440,
+      0x6c0a7573, 0x65722d61, 0x67656e74, 0x34637572, 0x6c2f372e, 0x31362e33,
+      0x206c6962, 0x6375726c, 0x2f372e31, 0x362e3320, 0x4f70656e, 0x53534c2f,
+      0x302e392e, 0x376c207a, 0x6c69622f, 0x312e322e, 0x3304686f, 0x73740f77,
+      0x77772e65, 0x78616d70, 0x6c652e63, 0x6f6d0f61, 0x63636570, 0x742d6c61,
+      0x6e677561, 0x67650665, 0x6e2c206d, 0x69000000};
+  std::string data;
+  for (const auto& word : words) {
+    data += WordToBytes(word);
+  }
+  const auto request_so = BinaryHttpRequest::Create(data);
+  ASSERT_TRUE(request_so.ok());
+  const BinaryHttpRequest request = *request_so;
+  ASSERT_THAT(request.control_data(),
+              FieldsAre("GET", "https", "", "/hello.txt"));
+  std::vector<BinaryHttpMessage::Field> expected_fields = {
+      {"user-agent", "curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3"},
+      {"host", "www.example.com"},
+      {"accept-language", "en, mi"}};
+  ASSERT_THAT(request.GetHeaderFields(), ContainerEq(expected_fields));
+  ASSERT_EQ(request.body(), "");
+  EXPECT_THAT(
+      request.DebugString(),
+      StrEq(
+          "BinaryHttpRequest{BinaryHttpMessage{Headers{user-agent=curl/7.16.3 "
+          "libcurl/7.16.3 OpenSSL/0.9.7l "
+          "zlib/1.2.3;;host=www.example.com;;accept-language=en, mi}Body{}}}"));
+  TestPrintTo(request);
+}
+
+TEST(BinaryHttpRequest, EncodeGetWithAuthority) {
+  /*
+    GET https://www.example.com/hello.txt HTTP/1.1
+    User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
+    Accept-Language: en, mi
+  */
+  BinaryHttpRequest request({"GET", "https", "www.example.com", "/hello.txt"});
+  request
+      .AddHeaderField({"User-Agent",
+                       "curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3"})
+      ->AddHeaderField({"Accept-Language", "en, mi"});
+  /*
+    00000000: 00034745 54056874 7470730f 7777772e  ..GET.https.www.
+    00000010: 6578616d 706c652e 636f6d0a 2f68656c  example.com./hel
+    00000020: 6c6f2e74 78744057 0a757365 722d6167  lo.txt@W.user-ag
+    00000030: 656e7434 6375726c 2f372e31 362e3320  ent4curl/7.16.3
+    00000040: 6c696263 75726c2f 372e3136 2e33204f  libcurl/7.16.3 O
+    00000050: 70656e53 534c2f30 2e392e37 6c207a6c  penSSL/0.9.7l zl
+    00000060: 69622f31 2e322e33 0f616363 6570742d  ib/1.2.3.accept-
+    00000070: 6c616e67 75616765 06656e2c 206d6900  language.en, mi.
+  */
+
+  const uint32_t expected_words[] = {
+      0x00034745, 0x54056874, 0x7470730f, 0x7777772e, 0x6578616d, 0x706c652e,
+      0x636f6d0a, 0x2f68656c, 0x6c6f2e74, 0x78744057, 0x0a757365, 0x722d6167,
+      0x656e7434, 0x6375726c, 0x2f372e31, 0x362e3320, 0x6c696263, 0x75726c2f,
+      0x372e3136, 0x2e33204f, 0x70656e53, 0x534c2f30, 0x2e392e37, 0x6c207a6c,
+      0x69622f31, 0x2e322e33, 0x0f616363, 0x6570742d, 0x6c616e67, 0x75616765,
+      0x06656e2c, 0x206d6900};
+  std::string expected;
+  for (const auto& word : expected_words) {
+    expected += WordToBytes(word);
+  }
+  const auto result = request.Serialize();
+  ASSERT_TRUE(result.ok());
+  ASSERT_EQ(*result, expected);
+  EXPECT_THAT(
+      request.DebugString(),
+      StrEq("BinaryHttpRequest{BinaryHttpMessage{Headers{user-agent=curl/"
+            "7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l "
+            "zlib/1.2.3;;accept-language=en, mi}Body{}}}"));
+}
+
+TEST(BinaryHttpRequest, DecodeGetWithAuthority) {
+  const uint32_t words[] = {
+      0x00034745, 0x54056874, 0x7470730f, 0x7777772e, 0x6578616d, 0x706c652e,
+      0x636f6d0a, 0x2f68656c, 0x6c6f2e74, 0x78744057, 0x0a757365, 0x722d6167,
+      0x656e7434, 0x6375726c, 0x2f372e31, 0x362e3320, 0x6c696263, 0x75726c2f,
+      0x372e3136, 0x2e33204f, 0x70656e53, 0x534c2f30, 0x2e392e37, 0x6c207a6c,
+      0x69622f31, 0x2e322e33, 0x0f616363, 0x6570742d, 0x6c616e67, 0x75616765,
+      0x06656e2c, 0x206d6900, 0x00};
+  std::string data;
+  for (const auto& word : words) {
+    data += WordToBytes(word);
+  }
+  const auto request_so = BinaryHttpRequest::Create(data);
+  ASSERT_TRUE(request_so.ok());
+  const BinaryHttpRequest request = *request_so;
+  ASSERT_THAT(request.control_data(),
+              FieldsAre("GET", "https", "www.example.com", "/hello.txt"));
+  std::vector<BinaryHttpMessage::Field> expected_fields = {
+      {"user-agent", "curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3"},
+      {"accept-language", "en, mi"}};
+  ASSERT_THAT(request.GetHeaderFields(), ContainerEq(expected_fields));
+  ASSERT_EQ(request.body(), "");
+  EXPECT_THAT(
+      request.DebugString(),
+      StrEq("BinaryHttpRequest{BinaryHttpMessage{Headers{user-agent=curl/"
+            "7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l "
+            "zlib/1.2.3;;accept-language=en, mi}Body{}}}"));
+}
+
+TEST(BinaryHttpRequest, EncodePostBody) {
+  /*
+  POST /hello.txt HTTP/1.1
+  User-Agent: not/telling
+  Host: www.example.com
+  Accept-Language: en
+
+  Some body that I used to post.
+  */
+  BinaryHttpRequest request({"POST", "https", "www.example.com", "/hello.txt"});
+  request.AddHeaderField({"User-Agent", "not/telling"})
+      ->AddHeaderField({"Host", "www.example.com"})
+      ->AddHeaderField({"Accept-Language", "en"})
+      ->set_body({"Some body that I used to post.\r\n"});
+  /*
+    00000000: 0004504f 53540568 74747073 000a2f68  ..POST.https../h
+    00000010: 656c6c6f 2e747874 3f0a7573 65722d61  ello.txt?.user-a
+    00000020: 67656e74 0b6e6f74 2f74656c 6c696e67  gent.not/telling
+    00000030: 04686f73 740f7777 772e6578 616d706c  .host.www.exampl
+    00000040: 652e636f 6d0f6163 63657074 2d6c616e  e.com.accept-lan
+    00000050: 67756167 6502656e 20536f6d 6520626f  guage.en Some bo
+    00000060: 64792074 68617420 49207573 65642074  dy that I used t
+    00000070: 6f20706f 73742e0d 0a                 o post....
+  */
+  const uint32_t expected_words[] = {
+      0x0004504f, 0x53540568, 0x74747073, 0x000a2f68, 0x656c6c6f, 0x2e747874,
+      0x3f0a7573, 0x65722d61, 0x67656e74, 0x0b6e6f74, 0x2f74656c, 0x6c696e67,
+      0x04686f73, 0x740f7777, 0x772e6578, 0x616d706c, 0x652e636f, 0x6d0f6163,
+      0x63657074, 0x2d6c616e, 0x67756167, 0x6502656e, 0x20536f6d, 0x6520626f,
+      0x64792074, 0x68617420, 0x49207573, 0x65642074, 0x6f20706f, 0x73742e0d,
+      0x0a000000};
+  std::string expected;
+  for (const auto& word : expected_words) {
+    expected += WordToBytes(word);
+  }
+  // Remove padding.
+  expected.resize(expected.size() - 3);
+  const auto result = request.Serialize();
+  ASSERT_TRUE(result.ok());
+  ASSERT_EQ(*result, expected);
+  EXPECT_THAT(
+      request.DebugString(),
+      StrEq("BinaryHttpRequest{BinaryHttpMessage{Headers{user-agent=not/"
+            "telling;;host=www.example.com;;accept-language=en}Body{Some "
+            "body that I used to post.\r\n}}}"));
+}
+
+TEST(BinaryHttpRequest, DecodePostBody) {
+  const uint32_t words[] = {
+      0x0004504f, 0x53540568, 0x74747073, 0x000a2f68, 0x656c6c6f, 0x2e747874,
+      0x3f0a7573, 0x65722d61, 0x67656e74, 0x0b6e6f74, 0x2f74656c, 0x6c696e67,
+      0x04686f73, 0x740f7777, 0x772e6578, 0x616d706c, 0x652e636f, 0x6d0f6163,
+      0x63657074, 0x2d6c616e, 0x67756167, 0x6502656e, 0x20536f6d, 0x6520626f,
+      0x64792074, 0x68617420, 0x49207573, 0x65642074, 0x6f20706f, 0x73742e0d,
+      0x0a000000};
+  std::string data;
+  for (const auto& word : words) {
+    data += WordToBytes(word);
+  }
+  const auto request_so = BinaryHttpRequest::Create(data);
+  ASSERT_TRUE(request_so.ok());
+  BinaryHttpRequest request = *request_so;
+  ASSERT_THAT(request.control_data(),
+              FieldsAre("POST", "https", "", "/hello.txt"));
+  std::vector<BinaryHttpMessage::Field> expected_fields = {
+      {"user-agent", "not/telling"},
+      {"host", "www.example.com"},
+      {"accept-language", "en"}};
+  ASSERT_THAT(request.GetHeaderFields(), ContainerEq(expected_fields));
+  ASSERT_EQ(request.body(), "Some body that I used to post.\r\n");
+  EXPECT_THAT(
+      request.DebugString(),
+      StrEq("BinaryHttpRequest{BinaryHttpMessage{Headers{user-agent=not/"
+            "telling;;host=www.example.com;;accept-language=en}Body{Some "
+            "body that I used to post.\r\n}}}"));
+}
+
+TEST(BinaryHttpRequest, Equality) {
+  BinaryHttpRequest request({"POST", "https", "www.example.com", "/hello.txt"});
+  request.AddHeaderField({"User-Agent", "not/telling"})
+      ->set_body({"hello, world!\r\n"});
+
+  BinaryHttpRequest same({"POST", "https", "www.example.com", "/hello.txt"});
+  same.AddHeaderField({"User-Agent", "not/telling"})
+      ->set_body({"hello, world!\r\n"});
+  EXPECT_EQ(request, same);
+}
+
+TEST(BinaryHttpRequest, Inequality) {
+  BinaryHttpRequest request({"POST", "https", "www.example.com", "/hello.txt"});
+  request.AddHeaderField({"User-Agent", "not/telling"})
+      ->set_body({"hello, world!\r\n"});
+
+  BinaryHttpRequest different_control(
+      {"PUT", "https", "www.example.com", "/hello.txt"});
+  different_control.AddHeaderField({"User-Agent", "not/telling"})
+      ->set_body({"hello, world!\r\n"});
+  EXPECT_NE(request, different_control);
+
+  BinaryHttpRequest different_header(
+      {"PUT", "https", "www.example.com", "/hello.txt"});
+  different_header.AddHeaderField({"User-Agent", "told/you"})
+      ->set_body({"hello, world!\r\n"});
+  EXPECT_NE(request, different_header);
+
+  BinaryHttpRequest no_header(
+      {"PUT", "https", "www.example.com", "/hello.txt"});
+  no_header.set_body({"hello, world!\r\n"});
+  EXPECT_NE(request, no_header);
+
+  BinaryHttpRequest different_body(
+      {"POST", "https", "www.example.com", "/hello.txt"});
+  different_body.AddHeaderField({"User-Agent", "not/telling"})
+      ->set_body({"goodbye, world!\r\n"});
+  EXPECT_NE(request, different_body);
+
+  BinaryHttpRequest no_body({"POST", "https", "www.example.com", "/hello.txt"});
+  no_body.AddHeaderField({"User-Agent", "not/telling"});
+  EXPECT_NE(request, no_body);
+}
+
+TEST(BinaryHttpResponse, EncodeNoBody) {
+  /*
+    HTTP/1.1 404 Not Found
+    Server: Apache
+  */
+  BinaryHttpResponse response(404);
+  response.AddHeaderField({"Server", "Apache"});
+  /*
+    0141940e 06736572 76657206 41706163  .A...server.Apac
+    686500                               he..
+  */
+  const uint32_t expected_words[] = {0x0141940e, 0x06736572, 0x76657206,
+                                     0x41706163, 0x68650000};
+  std::string expected;
+  for (const auto& word : expected_words) {
+    expected += WordToBytes(word);
+  }
+  // Remove padding.
+  expected.resize(expected.size() - 1);
+  const auto result = response.Serialize();
+  ASSERT_TRUE(result.ok());
+  ASSERT_EQ(*result, expected);
+  EXPECT_THAT(response.DebugString(),
+              StrEq("BinaryHttpResponse(404){BinaryHttpMessage{Headers{server="
+                    "Apache}Body{}}}"));
+}
+
+TEST(BinaryHttpResponse, DecodeNoBody) {
+  /*
+    HTTP/1.1 404 Not Found
+    Server: Apache
+  */
+  const uint32_t words[] = {0x0141940e, 0x06736572, 0x76657206, 0x41706163,
+                            0x68650000};
+  std::string data;
+  for (const auto& word : words) {
+    data += WordToBytes(word);
+  }
+  const auto response_so = BinaryHttpResponse::Create(data);
+  ASSERT_TRUE(response_so.ok());
+  const BinaryHttpResponse response = *response_so;
+  ASSERT_EQ(response.status_code(), 404);
+  std::vector<BinaryHttpMessage::Field> expected_fields = {
+      {"server", "Apache"}};
+  ASSERT_THAT(response.GetHeaderFields(), ContainerEq(expected_fields));
+  ASSERT_EQ(response.body(), "");
+  ASSERT_TRUE(response.informational_responses().empty());
+  EXPECT_THAT(response.DebugString(),
+              StrEq("BinaryHttpResponse(404){BinaryHttpMessage{Headers{server="
+                    "Apache}Body{}}}"));
+}
+
+TEST(BinaryHttpResponse, EncodeBody) {
+  /*
+    HTTP/1.1 200 OK
+    Server: Apache
+
+    Hello, world!
+  */
+  BinaryHttpResponse response(200);
+  response.AddHeaderField({"Server", "Apache"});
+  response.set_body("Hello, world!\r\n");
+  /*
+    0140c80e 06736572 76657206 41706163  .@...server.Apac
+    68650f48 656c6c6f 2c20776f 726c6421  he.Hello, world!
+    0d0a                                 ....
+  */
+  const uint32_t expected_words[] = {0x0140c80e, 0x06736572, 0x76657206,
+                                     0x41706163, 0x68650f48, 0x656c6c6f,
+                                     0x2c20776f, 0x726c6421, 0x0d0a0000};
+  std::string expected;
+  for (const auto& word : expected_words) {
+    expected += WordToBytes(word);
+  }
+  // Remove padding.
+  expected.resize(expected.size() - 2);
+
+  const auto result = response.Serialize();
+  ASSERT_TRUE(result.ok());
+  ASSERT_EQ(*result, expected);
+  EXPECT_THAT(response.DebugString(),
+              StrEq("BinaryHttpResponse(200){BinaryHttpMessage{Headers{server="
+                    "Apache}Body{Hello, world!\r\n}}}"));
+}
+
+TEST(BinaryHttpResponse, DecodeBody) {
+  /*
+    HTTP/1.1 200 OK
+
+    Hello, world!
+  */
+  const uint32_t words[] = {0x0140c80e, 0x06736572, 0x76657206,
+                            0x41706163, 0x68650f48, 0x656c6c6f,
+                            0x2c20776f, 0x726c6421, 0x0d0a0000};
+  std::string data;
+  for (const auto& word : words) {
+    data += WordToBytes(word);
+  }
+  const auto response_so = BinaryHttpResponse::Create(data);
+  ASSERT_TRUE(response_so.ok());
+  const BinaryHttpResponse response = *response_so;
+  ASSERT_EQ(response.status_code(), 200);
+  std::vector<BinaryHttpMessage::Field> expected_fields = {
+      {"server", "Apache"}};
+  ASSERT_THAT(response.GetHeaderFields(), ContainerEq(expected_fields));
+  ASSERT_EQ(response.body(), "Hello, world!\r\n");
+  ASSERT_TRUE(response.informational_responses().empty());
+  EXPECT_THAT(response.DebugString(),
+              StrEq("BinaryHttpResponse(200){BinaryHttpMessage{Headers{server="
+                    "Apache}Body{Hello, world!\r\n}}}"));
+}
+
+TEST(BHttpResponse, AddBadInformationalResponseCode) {
+  BinaryHttpResponse response(200);
+  ASSERT_FALSE(response.AddInformationalResponse(50, {}).ok());
+  ASSERT_FALSE(response.AddInformationalResponse(300, {}).ok());
+}
+
+TEST(BinaryHttpResponse, EncodeMultiInformationalWithBody) {
+  /*
+    HTTP/1.1 102 Processing
+    Running: "sleep 15"
+
+    HTTP/1.1 103 Early Hints
+    Link: </style.css>; rel=preload; as=style
+    Link: </script.js>; rel=preload; as=script
+
+    HTTP/1.1 200 OK
+    Date: Mon, 27 Jul 2009 12:28:53 GMT
+    Server: Apache
+    Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
+    ETag: "34aa387-d-1568eb00"
+    Accept-Ranges: bytes
+    Content-Length: 51
+    Vary: Accept-Encoding
+    Content-Type: text/plain
+
+    Hello World! My content includes a trailing CRLF.
+  */
+  BinaryHttpResponse response(200);
+  response.AddHeaderField({"Date", "Mon, 27 Jul 2009 12:28:53 GMT"})
+      ->AddHeaderField({"Server", "Apache"})
+      ->AddHeaderField({"Last-Modified", "Wed, 22 Jul 2009 19:15:56 GMT"})
+      ->AddHeaderField({"ETag", "\"34aa387-d-1568eb00\""})
+      ->AddHeaderField({"Accept-Ranges", "bytes"})
+      ->AddHeaderField({"Content-Length", "51"})
+      ->AddHeaderField({"Vary", "Accept-Encoding"})
+      ->AddHeaderField({"Content-Type", "text/plain"});
+  response.set_body("Hello World! My content includes a trailing CRLF.\r\n");
+  ASSERT_TRUE(
+      response.AddInformationalResponse(102, {{"Running", "\"sleep 15\""}})
+          .ok());
+  ASSERT_TRUE(response
+                  .AddInformationalResponse(
+                      103, {{"Link", "</style.css>; rel=preload; as=style"},
+                            {"Link", "</script.js>; rel=preload; as=script"}})
+                  .ok());
+
+  /*
+      01406613 0772756e 6e696e67 0a22736c  .@f..running."sl
+      65657020 31352240 67405304 6c696e6b  eep 15"@g@S.link
+      233c2f73 74796c65 2e637373 3e3b2072  #</style.css>; r
+      656c3d70 72656c6f 61643b20 61733d73  el=preload; as=s
+      74796c65 046c696e 6b243c2f 73637269  tyle.link$</scri
+      70742e6a 733e3b20 72656c3d 7072656c  pt.js>; rel=prel
+      6f61643b 2061733d 73637269 707440c8  oad; as=script@.
+      40ca0464 6174651d 4d6f6e2c 20323720  @..date.Mon, 27
+      4a756c20 32303039 2031323a 32383a35  Jul 2009 12:28:5
+      3320474d 54067365 72766572 06417061  3 GMT.server.Apa
+      6368650d 6c617374 2d6d6f64 69666965  che.last-modifie
+      641d5765 642c2032 32204a75 6c203230  d.Wed, 22 Jul 20
+      30392031 393a3135 3a353620 474d5404  09 19:15:56 GMT.
+      65746167 14223334 61613338 372d642d  etag."34aa387-d-
+      31353638 65623030 220d6163 63657074  1568eb00".accept
+      2d72616e 67657305 62797465 730e636f  -ranges.bytes.co
+      6e74656e 742d6c65 6e677468 02353104  ntent-length.51.
+      76617279 0f416363 6570742d 456e636f  vary.Accept-Enco
+      64696e67 0c636f6e 74656e74 2d747970  ding.content-typ
+      650a7465 78742f70 6c61696e 3348656c  e.text/plain3Hel
+      6c6f2057 6f726c64 21204d79 20636f6e  lo World! My con
+      74656e74 20696e63 6c756465 73206120  tent includes a
+      74726169 6c696e67 2043524c 462e0d0a  trailing CRLF...
+  */
+  const uint32_t expected_words[] = {
+      0x01406613, 0x0772756e, 0x6e696e67, 0x0a22736c, 0x65657020, 0x31352240,
+      0x67405304, 0x6c696e6b, 0x233c2f73, 0x74796c65, 0x2e637373, 0x3e3b2072,
+      0x656c3d70, 0x72656c6f, 0x61643b20, 0x61733d73, 0x74796c65, 0x046c696e,
+      0x6b243c2f, 0x73637269, 0x70742e6a, 0x733e3b20, 0x72656c3d, 0x7072656c,
+      0x6f61643b, 0x2061733d, 0x73637269, 0x707440c8, 0x40ca0464, 0x6174651d,
+      0x4d6f6e2c, 0x20323720, 0x4a756c20, 0x32303039, 0x2031323a, 0x32383a35,
+      0x3320474d, 0x54067365, 0x72766572, 0x06417061, 0x6368650d, 0x6c617374,
+      0x2d6d6f64, 0x69666965, 0x641d5765, 0x642c2032, 0x32204a75, 0x6c203230,
+      0x30392031, 0x393a3135, 0x3a353620, 0x474d5404, 0x65746167, 0x14223334,
+      0x61613338, 0x372d642d, 0x31353638, 0x65623030, 0x220d6163, 0x63657074,
+      0x2d72616e, 0x67657305, 0x62797465, 0x730e636f, 0x6e74656e, 0x742d6c65,
+      0x6e677468, 0x02353104, 0x76617279, 0x0f416363, 0x6570742d, 0x456e636f,
+      0x64696e67, 0x0c636f6e, 0x74656e74, 0x2d747970, 0x650a7465, 0x78742f70,
+      0x6c61696e, 0x3348656c, 0x6c6f2057, 0x6f726c64, 0x21204d79, 0x20636f6e,
+      0x74656e74, 0x20696e63, 0x6c756465, 0x73206120, 0x74726169, 0x6c696e67,
+      0x2043524c, 0x462e0d0a};
+  std::string expected;
+  for (const auto& word : expected_words) {
+    expected += WordToBytes(word);
+  }
+  const auto result = response.Serialize();
+  ASSERT_TRUE(result.ok());
+  ASSERT_EQ(*result, expected);
+  EXPECT_THAT(
+      response.DebugString(),
+      StrEq("BinaryHttpResponse(200){BinaryHttpMessage{Headers{date=Mon, "
+            "27 Jul 2009 12:28:53 GMT;;server=Apache;;last-modified=Wed, "
+            "22 Jul 2009 19:15:56 "
+            "GMT;;etag=\"34aa387-d-1568eb00\";;accept-ranges=bytes;;"
+            "content-length=51;;vary=Accept-Encoding;;content-type=text/"
+            "plain}Body{Hello World! My content includes a trailing "
+            "CRLF.\r\n}}InformationalResponse{running=\"sleep "
+            "15\"};;InformationalResponse{link=</style.css>; rel=preload; "
+            "as=style;;link=</script.js>; rel=preload; as=script}}"));
+  TestPrintTo(response);
+}
+
+TEST(BinaryHttpResponse, DecodeMultiInformationalWithBody) {
+  /*
+    HTTP/1.1 102 Processing
+    Running: "sleep 15"
+
+    HTTP/1.1 103 Early Hints
+    Link: </style.css>; rel=preload; as=style
+    Link: </script.js>; rel=preload; as=script
+
+    HTTP/1.1 200 OK
+    Date: Mon, 27 Jul 2009 12:28:53 GMT
+    Server: Apache
+    Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
+    ETag: "34aa387-d-1568eb00"
+    Accept-Ranges: bytes
+    Content-Length: 51
+    Vary: Accept-Encoding
+    Content-Type: text/plain
+
+    Hello World! My content includes a trailing CRLF.
+  */
+  const uint32_t words[] = {
+      0x01406613, 0x0772756e, 0x6e696e67, 0x0a22736c, 0x65657020, 0x31352240,
+      0x67405304, 0x6c696e6b, 0x233c2f73, 0x74796c65, 0x2e637373, 0x3e3b2072,
+      0x656c3d70, 0x72656c6f, 0x61643b20, 0x61733d73, 0x74796c65, 0x046c696e,
+      0x6b243c2f, 0x73637269, 0x70742e6a, 0x733e3b20, 0x72656c3d, 0x7072656c,
+      0x6f61643b, 0x2061733d, 0x73637269, 0x707440c8, 0x40ca0464, 0x6174651d,
+      0x4d6f6e2c, 0x20323720, 0x4a756c20, 0x32303039, 0x2031323a, 0x32383a35,
+      0x3320474d, 0x54067365, 0x72766572, 0x06417061, 0x6368650d, 0x6c617374,
+      0x2d6d6f64, 0x69666965, 0x641d5765, 0x642c2032, 0x32204a75, 0x6c203230,
+      0x30392031, 0x393a3135, 0x3a353620, 0x474d5404, 0x65746167, 0x14223334,
+      0x61613338, 0x372d642d, 0x31353638, 0x65623030, 0x220d6163, 0x63657074,
+      0x2d72616e, 0x67657305, 0x62797465, 0x730e636f, 0x6e74656e, 0x742d6c65,
+      0x6e677468, 0x02353104, 0x76617279, 0x0f416363, 0x6570742d, 0x456e636f,
+      0x64696e67, 0x0c636f6e, 0x74656e74, 0x2d747970, 0x650a7465, 0x78742f70,
+      0x6c61696e, 0x3348656c, 0x6c6f2057, 0x6f726c64, 0x21204d79, 0x20636f6e,
+      0x74656e74, 0x20696e63, 0x6c756465, 0x73206120, 0x74726169, 0x6c696e67,
+      0x2043524c, 0x462e0d0a, 0x00000000};
+  std::string data;
+  for (const auto& word : words) {
+    data += WordToBytes(word);
+  }
+  const auto response_so = BinaryHttpResponse::Create(data);
+  ASSERT_TRUE(response_so.ok());
+  const BinaryHttpResponse response = *response_so;
+  std::vector<BinaryHttpMessage::Field> expected_fields = {
+      {"date", "Mon, 27 Jul 2009 12:28:53 GMT"},
+      {"server", "Apache"},
+      {"last-modified", "Wed, 22 Jul 2009 19:15:56 GMT"},
+      {"etag", "\"34aa387-d-1568eb00\""},
+      {"accept-ranges", "bytes"},
+      {"content-length", "51"},
+      {"vary", "Accept-Encoding"},
+      {"content-type", "text/plain"}};
+  ASSERT_THAT(response.GetHeaderFields(), ContainerEq(expected_fields));
+  ASSERT_EQ(response.body(),
+            "Hello World! My content includes a trailing CRLF.\r\n");
+  std::vector<BinaryHttpMessage::Field> header102 = {
+      {"running", "\"sleep 15\""}};
+  std::vector<BinaryHttpMessage::Field> header103 = {
+      {"link", "</style.css>; rel=preload; as=style"},
+      {"link", "</script.js>; rel=preload; as=script"}};
+  std::vector<BinaryHttpResponse::InformationalResponse> expected_control = {
+      {102, header102}, {103, header103}};
+  ASSERT_THAT(response.informational_responses(),
+              ContainerEq(expected_control));
+  EXPECT_THAT(
+      response.DebugString(),
+      StrEq("BinaryHttpResponse(200){BinaryHttpMessage{Headers{date=Mon, "
+            "27 Jul 2009 12:28:53 GMT;;server=Apache;;last-modified=Wed, "
+            "22 Jul 2009 19:15:56 "
+            "GMT;;etag=\"34aa387-d-1568eb00\";;accept-ranges=bytes;;"
+            "content-length=51;;vary=Accept-Encoding;;content-type=text/"
+            "plain}Body{Hello World! My content includes a trailing "
+            "CRLF.\r\n}}InformationalResponse{running=\"sleep "
+            "15\"};;InformationalResponse{link=</style.css>; rel=preload; "
+            "as=style;;link=</script.js>; rel=preload; as=script}}"));
+  TestPrintTo(response);
+}
+
+TEST(BinaryHttpMessage, SwapBody) {
+  BinaryHttpRequest request({});
+  request.set_body("hello, world!");
+  std::string other = "goodbye, world!";
+  request.swap_body(other);
+  EXPECT_EQ(request.body(), "goodbye, world!");
+  EXPECT_EQ(other, "hello, world!");
+}
+
+TEST(BinaryHttpResponse, Equality) {
+  BinaryHttpResponse response(200);
+  response.AddHeaderField({"Server", "Apache"})->set_body("Hello, world!\r\n");
+  ASSERT_TRUE(
+      response.AddInformationalResponse(102, {{"Running", "\"sleep 15\""}})
+          .ok());
+
+  BinaryHttpResponse same(200);
+  same.AddHeaderField({"Server", "Apache"})->set_body("Hello, world!\r\n");
+  ASSERT_TRUE(
+      same.AddInformationalResponse(102, {{"Running", "\"sleep 15\""}}).ok());
+  ASSERT_EQ(response, same);
+}
+
+TEST(BinaryHttpResponse, Inequality) {
+  BinaryHttpResponse response(200);
+  response.AddHeaderField({"Server", "Apache"})->set_body("Hello, world!\r\n");
+  ASSERT_TRUE(
+      response.AddInformationalResponse(102, {{"Running", "\"sleep 15\""}})
+          .ok());
+
+  BinaryHttpResponse different_status(201);
+  different_status.AddHeaderField({"Server", "Apache"})
+      ->set_body("Hello, world!\r\n");
+  EXPECT_TRUE(different_status
+                  .AddInformationalResponse(102, {{"Running", "\"sleep 15\""}})
+                  .ok());
+  EXPECT_NE(response, different_status);
+
+  BinaryHttpResponse different_header(200);
+  different_header.AddHeaderField({"Server", "python3"})
+      ->set_body("Hello, world!\r\n");
+  EXPECT_TRUE(different_header
+                  .AddInformationalResponse(102, {{"Running", "\"sleep 15\""}})
+                  .ok());
+  EXPECT_NE(response, different_header);
+
+  BinaryHttpResponse no_header(200);
+  no_header.set_body("Hello, world!\r\n");
+  EXPECT_TRUE(
+      no_header.AddInformationalResponse(102, {{"Running", "\"sleep 15\""}})
+          .ok());
+  EXPECT_NE(response, no_header);
+
+  BinaryHttpResponse different_body(200);
+  different_body.AddHeaderField({"Server", "Apache"})
+      ->set_body("Goodbye, world!\r\n");
+  EXPECT_TRUE(different_body
+                  .AddInformationalResponse(102, {{"Running", "\"sleep 15\""}})
+                  .ok());
+  EXPECT_NE(response, different_body);
+
+  BinaryHttpResponse no_body(200);
+  no_body.AddHeaderField({"Server", "Apache"});
+  EXPECT_TRUE(
+      no_body.AddInformationalResponse(102, {{"Running", "\"sleep 15\""}})
+          .ok());
+  EXPECT_NE(response, no_body);
+
+  BinaryHttpResponse different_informational(200);
+  different_informational.AddHeaderField({"Server", "Apache"})
+      ->set_body("Hello, world!\r\n");
+  EXPECT_TRUE(different_informational
+                  .AddInformationalResponse(198, {{"Running", "\"sleep 15\""}})
+                  .ok());
+  EXPECT_NE(response, different_informational);
+
+  BinaryHttpResponse no_informational(200);
+  no_informational.AddHeaderField({"Server", "Apache"})
+      ->set_body("Hello, world!\r\n");
+  EXPECT_NE(response, no_informational);
+}
+
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/quiche/common/masque/connect_udp_datagram_payload.cc b/chromium/net/third_party/quiche/src/quiche/common/masque/connect_udp_datagram_payload.cc
new file mode 100644
index 00000000000..ae01817eeaf
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/masque/connect_udp_datagram_payload.cc
@@ -0,0 +1,130 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "quiche/common/masque/connect_udp_datagram_payload.h"
+
+#include <cstdint>
+#include <memory>
+#include <utility>
+
+#include "absl/strings/string_view.h"
+#include "quiche/common/platform/api/quiche_bug_tracker.h"
+#include "quiche/common/platform/api/quiche_logging.h"
+#include "quiche/common/quiche_data_reader.h"
+#include "quiche/common/quiche_data_writer.h"
+
+namespace quiche {
+
+// static
+std::unique_ptr<ConnectUdpDatagramPayload> ConnectUdpDatagramPayload::Parse(
+    absl::string_view datagram_payload) {
+  QuicheDataReader data_reader(datagram_payload);
+
+  uint64_t context_id;
+  if (!data_reader.ReadVarInt62(&context_id)) {
+    QUICHE_DVLOG(1) << "Could not parse malformed UDP proxy payload";
+    return nullptr;
+  }
+
+  if (ContextId{context_id} == ConnectUdpDatagramUdpPacketPayload::kContextId) {
+    return std::make_unique<ConnectUdpDatagramUdpPacketPayload>(
+        data_reader.ReadRemainingPayload());
+  } else {
+    return std::make_unique<ConnectUdpDatagramUnknownPayload>(
+        ContextId{context_id}, data_reader.ReadRemainingPayload());
+  }
+}
+
+std::string ConnectUdpDatagramPayload::Serialize() const {
+  std::string buffer(SerializedLength(), '\0');
+  QuicheDataWriter writer(buffer.size(), buffer.data());
+
+  bool result = SerializeTo(writer);
+  QUICHE_DCHECK(result);
+  QUICHE_DCHECK_EQ(writer.remaining(), 0u);
+
+  return buffer;
+}
+
+ConnectUdpDatagramUdpPacketPayload::ConnectUdpDatagramUdpPacketPayload(
+    absl::string_view udp_packet)
+    : udp_packet_(udp_packet) {}
+
+ConnectUdpDatagramPayload::ContextId
+ConnectUdpDatagramUdpPacketPayload::GetContextId() const {
+  return kContextId;
+}
+
+ConnectUdpDatagramPayload::Type ConnectUdpDatagramUdpPacketPayload::GetType()
+    const {
+  return Type::kUdpPacket;
+}
+
+absl::string_view ConnectUdpDatagramUdpPacketPayload::GetUdpProxyingPayload()
+    const {
+  return udp_packet_;
+}
+
+size_t ConnectUdpDatagramUdpPacketPayload::SerializedLength() const {
+  return udp_packet_.size() +
+         QuicheDataWriter::GetVarInt62Len(uint64_t{kContextId});
+}
+
+bool ConnectUdpDatagramUdpPacketPayload::SerializeTo(
+    QuicheDataWriter& writer) const {
+  if (!writer.WriteVarInt62(uint64_t{kContextId})) {
+    return false;
+  }
+
+  if (!writer.WriteStringPiece(udp_packet_)) {
+    return false;
+  }
+
+  return true;
+}
+
+ConnectUdpDatagramUnknownPayload::ConnectUdpDatagramUnknownPayload(
+    ContextId context_id, absl::string_view udp_proxying_payload)
+    : context_id_(context_id), udp_proxying_payload_(udp_proxying_payload) {
+  if (context_id == ConnectUdpDatagramUdpPacketPayload::kContextId) {
+    QUICHE_BUG(udp_proxy_unknown_payload_udp_context)
+        << "ConnectUdpDatagramUnknownPayload created with UDP packet context "
+           "type (0). Should instead create a "
+           "ConnectUdpDatagramUdpPacketPayload.";
+  }
+}
+
+ConnectUdpDatagramPayload::ContextId
+ConnectUdpDatagramUnknownPayload::GetContextId() const {
+  return context_id_;
+}
+
+ConnectUdpDatagramPayload::Type ConnectUdpDatagramUnknownPayload::GetType()
+    const {
+  return Type::kUnknown;
+}
+absl::string_view ConnectUdpDatagramUnknownPayload::GetUdpProxyingPayload()
+    const {
+  return udp_proxying_payload_;
+}
+
+size_t ConnectUdpDatagramUnknownPayload::SerializedLength() const {
+  return udp_proxying_payload_.size() +
+         QuicheDataWriter::GetVarInt62Len(uint64_t{context_id_});
+}
+
+bool ConnectUdpDatagramUnknownPayload::SerializeTo(
+    QuicheDataWriter& writer) const {
+  if (!writer.WriteVarInt62(uint64_t{context_id_})) {
+    return false;
+  }
+
+  if (!writer.WriteStringPiece(udp_proxying_payload_)) {
+    return false;
+  }
+
+  return true;
+}
+
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/quiche/common/masque/connect_udp_datagram_payload.h b/chromium/net/third_party/quiche/src/quiche/common/masque/connect_udp_datagram_payload.h
new file mode 100644
index 00000000000..809167017a9
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/masque/connect_udp_datagram_payload.h
@@ -0,0 +1,100 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_COMMON_MASQUE_CONNECT_UDP_DATAGRAM_PAYLOAD_H_
+#define QUICHE_COMMON_MASQUE_CONNECT_UDP_DATAGRAM_PAYLOAD_H_
+
+#include <cstdint>
+#include <memory>
+#include <string>
+
+#include "absl/strings/string_view.h"
+#include "quiche/common/platform/api/quiche_export.h"
+#include "quiche/common/quiche_data_writer.h"
+
+namespace quiche {
+
+// UDP-proxying HTTP Datagram payload for use with CONNECT-UDP. See RFC 9298,
+// Section 5.
+class QUICHE_EXPORT_PRIVATE ConnectUdpDatagramPayload {
+ public:
+  using ContextId = uint64_t;
+  enum class Type { kUdpPacket, kUnknown };
+
+  // Parse from `datagram_payload` (a wire-format UDP-proxying HTTP datagram
+  // payload). Returns nullptr on error. The created ConnectUdpDatagramPayload
+  // object may use absl::string_views pointing into `datagram_payload`, so the
+  // data pointed to by `datagram_payload` must outlive the created
+  // ConnectUdpDatagramPayload object.
+  static std::unique_ptr<ConnectUdpDatagramPayload> Parse(
+      absl::string_view datagram_payload);
+
+  ConnectUdpDatagramPayload() = default;
+
+  ConnectUdpDatagramPayload(const ConnectUdpDatagramPayload&) = delete;
+  ConnectUdpDatagramPayload& operator=(const ConnectUdpDatagramPayload&) =
+      delete;
+
+  virtual ~ConnectUdpDatagramPayload() = default;
+
+  virtual ContextId GetContextId() const = 0;
+  virtual Type GetType() const = 0;
+  // Get the inner payload (the UDP Proxying Payload).
+  virtual absl::string_view GetUdpProxyingPayload() const = 0;
+
+  // Length of this UDP-proxying HTTP datagram payload in wire format.
+  virtual size_t SerializedLength() const = 0;
+  // Write a wire-format buffer for the payload. Returns false on write failure
+  // (typically due to `writer` buffer being full).
+  virtual bool SerializeTo(QuicheDataWriter& writer) const = 0;
+
+  // Write a wire-format buffer.
+  std::string Serialize() const;
+};
+
+// UDP-proxying HTTP Datagram payload that encodes a UDP packet.
+class QUICHE_EXPORT_PRIVATE ConnectUdpDatagramUdpPacketPayload final
+    : public ConnectUdpDatagramPayload {
+ public:
+  static constexpr ContextId kContextId = 0;
+
+  // The string pointed to by `udp_packet` must outlive the created
+  // ConnectUdpDatagramUdpPacketPayload.
+  explicit ConnectUdpDatagramUdpPacketPayload(absl::string_view udp_packet);
+
+  ContextId GetContextId() const override;
+  Type GetType() const override;
+  absl::string_view GetUdpProxyingPayload() const override;
+  size_t SerializedLength() const override;
+  bool SerializeTo(QuicheDataWriter& writer) const override;
+
+  absl::string_view udp_packet() const { return udp_packet_; }
+
+ private:
+  absl::string_view udp_packet_;
+};
+
+class QUICHE_EXPORT_PRIVATE ConnectUdpDatagramUnknownPayload final
+    : public ConnectUdpDatagramPayload {
+ public:
+  // `udp_proxying_payload` represents the inner payload contained by the UDP-
+  // proxying HTTP datagram payload. The string pointed to by `inner_payload`
+  // must outlive the created ConnectUdpDatagramUnknownPayload.
+  ConnectUdpDatagramUnknownPayload(ContextId context_id,
+                                   absl::string_view udp_proxying_payload);
+
+  ContextId GetContextId() const override;
+  Type GetType() const override;
+  absl::string_view GetUdpProxyingPayload() const override;
+  size_t SerializedLength() const override;
+  bool SerializeTo(QuicheDataWriter& writer) const override;
+
+ private:
+  ContextId context_id_;
+  absl::string_view udp_proxying_payload_;  // The inner payload.
+};
+
+}  // namespace quiche
+
+#endif  // QUICHE_COMMON_MASQUE_CONNECT_UDP_DATAGRAM_PAYLOAD_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/common/masque/connect_udp_datagram_payload_test.cc b/chromium/net/third_party/quiche/src/quiche/common/masque/connect_udp_datagram_payload_test.cc
new file mode 100644
index 00000000000..52503e3739e
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/masque/connect_udp_datagram_payload_test.cc
@@ -0,0 +1,61 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "quiche/common/masque/connect_udp_datagram_payload.h"
+
+#include <memory>
+
+#include "absl/strings/string_view.h"
+#include "quiche/common/platform/api/quiche_test.h"
+
+namespace quiche::test {
+namespace {
+
+TEST(ConnectUdpDatagramPayloadTest, ParseUdpPacket) {
+  static constexpr char kDatagramPayload[] = "\x00packet";
+
+  std::unique_ptr<ConnectUdpDatagramPayload> parsed =
+      ConnectUdpDatagramPayload::Parse(
+          absl::string_view(kDatagramPayload, sizeof(kDatagramPayload) - 1));
+  ASSERT_TRUE(parsed);
+
+  EXPECT_EQ(parsed->GetContextId(),
+            ConnectUdpDatagramUdpPacketPayload::kContextId);
+  EXPECT_EQ(parsed->GetType(), ConnectUdpDatagramPayload::Type::kUdpPacket);
+  EXPECT_EQ(parsed->GetUdpProxyingPayload(), "packet");
+}
+
+TEST(ConnectUdpDatagramPayloadTest, SerializeUdpPacket) {
+  static constexpr absl::string_view kUdpPacket = "packet";
+
+  ConnectUdpDatagramUdpPacketPayload payload(kUdpPacket);
+  EXPECT_EQ(payload.GetUdpProxyingPayload(), kUdpPacket);
+
+  EXPECT_EQ(payload.Serialize(), std::string("\x00packet", 7));
+}
+
+TEST(ConnectUdpDatagramPayloadTest, ParseUnknownPacket) {
+  static constexpr char kDatagramPayload[] = "\x05packet";
+
+  std::unique_ptr<ConnectUdpDatagramPayload> parsed =
+      ConnectUdpDatagramPayload::Parse(
+          absl::string_view(kDatagramPayload, sizeof(kDatagramPayload) - 1));
+  ASSERT_TRUE(parsed);
+
+  EXPECT_EQ(parsed->GetContextId(), 5);
+  EXPECT_EQ(parsed->GetType(), ConnectUdpDatagramPayload::Type::kUnknown);
+  EXPECT_EQ(parsed->GetUdpProxyingPayload(), "packet");
+}
+
+TEST(ConnectUdpDatagramPayloadTest, SerializeUnknownPacket) {
+  static constexpr absl::string_view kInnerUdpProxyingPayload = "packet";
+
+  ConnectUdpDatagramUnknownPayload payload(4u, kInnerUdpProxyingPayload);
+  EXPECT_EQ(payload.GetUdpProxyingPayload(), kInnerUdpProxyingPayload);
+
+  EXPECT_EQ(payload.Serialize(), std::string("\x04packet", 7));
+}
+
+}  // namespace
+}  // namespace quiche::test
diff --git a/chromium/net/third_party/quiche/src/quiche/common/platform/api/quiche_epoll.h b/chromium/net/third_party/quiche/src/quiche/common/platform/api/quiche_epoll.h
deleted file mode 100644
index 5fd470c8100..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/common/platform/api/quiche_epoll.h
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_COMMON_PLATFORM_API_QUICHE_EPOLL_H_
-#define QUICHE_COMMON_PLATFORM_API_QUICHE_EPOLL_H_
-
-#include "quiche_platform_impl/quiche_epoll_impl.h"
-
-namespace quiche {
-
-using QuicheEpollServer = QuicheEpollServerImpl;
-using QuicheEpollEvent = QuicheEpollEventImpl;
-using QuicheEpollAlarmBase = QuicheEpollAlarmBaseImpl;
-using QuicheEpollCallbackInterface = QuicheEpollCallbackInterfaceImpl;
-
-}  // namespace quiche
-
-#endif  // QUICHE_COMMON_PLATFORM_API_QUICHE_EPOLL_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/common/platform/api/quiche_epoll_test_tools.h b/chromium/net/third_party/quiche/src/quiche/common/platform/api/quiche_epoll_test_tools.h
deleted file mode 100644
index 998ed83321f..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/common/platform/api/quiche_epoll_test_tools.h
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_COMMON_PLATFORM_API_QUICHE_EPOLL_TEST_TOOLS_H_
-#define QUICHE_COMMON_PLATFORM_API_QUICHE_EPOLL_TEST_TOOLS_H_
-
-#include "quiche_platform_impl/quiche_epoll_test_tools_impl.h"
-
-namespace quiche {
-
-using QuicheFakeEpollServer = QuicheFakeEpollServerImpl;
-
-}  // namespace quiche
-
-#endif  // QUICHE_COMMON_PLATFORM_API_QUICHE_EPOLL_TEST_TOOLS_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/common/platform/api/quiche_stream_buffer_allocator.h b/chromium/net/third_party/quiche/src/quiche/common/platform/api/quiche_stream_buffer_allocator.h
deleted file mode 100644
index 16e5e7c7f55..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/common/platform/api/quiche_stream_buffer_allocator.h
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_COMMON_PLATFORM_API_QUICHE_STREAM_BUFFER_ALLOCATOR_H_
-#define QUICHE_COMMON_PLATFORM_API_QUICHE_STREAM_BUFFER_ALLOCATOR_H_
-
-#include "quiche_platform_impl/quiche_stream_buffer_allocator_impl.h"
-
-namespace quiche {
-
-using QuicheStreamBufferAllocator = QuicheStreamBufferAllocatorImpl;
-
-}
-
-#endif  // QUICHE_COMMON_PLATFORM_API_QUICHE_STREAM_BUFFER_ALLOCATOR_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_command_line_flags_impl.h b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_command_line_flags_impl.h
index d9f7bac4315..79d91d2aa2f 100644
--- a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_command_line_flags_impl.h
+++ b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_command_line_flags_impl.h
@@ -26,7 +26,7 @@ void QuichePrintCommandLineFlagHelpImpl(const char* usage);
 }  // namespace quiche
 
 template <typename T>
-T GetQuicheFlagImpl(const absl::Flag<T>& flag) {
+T GetQuicheFlagImplImpl(const absl::Flag<T>& flag) {
   return absl::GetFlag(flag);
 }
 
diff --git a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_default_proof_providers_impl.h b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_default_proof_providers_impl.h
new file mode 100644
index 00000000000..6727f652e94
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_default_proof_providers_impl.h
@@ -0,0 +1,26 @@
+// Copyright 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_COMMON_PLATFORM_DEFAULT_QUICHE_PLATFORM_IMPL_QUICHE_DEFAULT_PROOF_PROVIDERS_IMPL_H_
+#define QUICHE_COMMON_PLATFORM_DEFAULT_QUICHE_PLATFORM_IMPL_QUICHE_DEFAULT_PROOF_PROVIDERS_IMPL_H_
+
+#include <memory>
+
+#include "quiche/quic/core/crypto/proof_source.h"
+#include "quiche/quic/core/crypto/proof_verifier.h"
+
+namespace quiche {
+
+// TODO(vasilvv): implement those in order for the CLI tools to work.
+inline std::unique_ptr<quic::ProofVerifier> CreateDefaultProofVerifierImpl(
+    const std::string& /*host*/) {
+  return nullptr;
+}
+inline std::unique_ptr<quic::ProofSource> CreateDefaultProofSourceImpl() {
+  return nullptr;
+}
+
+}  // namespace quiche
+
+#endif  // QUICHE_COMMON_PLATFORM_DEFAULT_QUICHE_PLATFORM_IMPL_QUICHE_DEFAULT_PROOF_PROVIDERS_IMPL_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_flags_impl.h b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_flags_impl.h
index df14e0f2cd5..9e97b263bbb 100644
--- a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_flags_impl.h
+++ b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_flags_impl.h
@@ -29,19 +29,22 @@
 #include "quiche/common/quiche_protocol_flags_list.h"
 #undef QUICHE_PROTOCOL_FLAG
 
-inline bool GetQuicheFlagImpl(bool flag) { return flag; }
-inline int32_t GetQuicheFlagImpl(int32_t flag) { return flag; }
-inline int64_t GetQuicheFlagImpl(int64_t flag) { return flag; }
-inline uint64_t GetQuicheFlagImpl(uint64_t flag) { return flag; }
-inline double GetQuicheFlagImpl(double flag) { return flag; }
-inline std::string GetQuicheFlagImpl(const std::string& flag) { return flag; }
-#define SetQuicheFlagImpl(flag, value) ((flag) = (value))
+#define GetQuicheFlagImpl(flag) GetQuicheFlagImplImpl(FLAGS_##flag)
+inline bool GetQuicheFlagImplImpl(bool flag) { return flag; }
+inline int32_t GetQuicheFlagImplImpl(int32_t flag) { return flag; }
+inline int64_t GetQuicheFlagImplImpl(int64_t flag) { return flag; }
+inline uint64_t GetQuicheFlagImplImpl(uint64_t flag) { return flag; }
+inline double GetQuicheFlagImplImpl(double flag) { return flag; }
+inline std::string GetQuicheFlagImplImpl(const std::string& flag) {
+  return flag;
+}
+#define SetQuicheFlagImpl(flag, value) ((FLAGS_##flag) = (value))
 
 // ------------------------------------------------------------------------
 // QUICHE feature flags implementation.
 // ------------------------------------------------------------------------
-#define QUICHE_RELOADABLE_FLAG(flag) FLAGS_quic_reloadable_flag_##flag
-#define QUICHE_RESTART_FLAG(flag) FLAGS_quic_restart_flag_##flag
+#define QUICHE_RELOADABLE_FLAG(flag) quic_reloadable_flag_##flag
+#define QUICHE_RESTART_FLAG(flag) quic_restart_flag_##flag
 #define GetQuicheReloadableFlagImpl(module, flag) \
   GetQuicheFlag(QUICHE_RELOADABLE_FLAG(flag))
 #define SetQuicheReloadableFlagImpl(module, flag, value) \
diff --git a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_logging_impl.h b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_logging_impl.h
index 4ad42b19c79..c2372cab45b 100644
--- a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_logging_impl.h
+++ b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_logging_impl.h
@@ -137,6 +137,8 @@ class QUICHE_EXPORT_PRIVATE CheckLogSink : public NoopLogSink {
   ::quiche::CheckLogSink((val1) >= (val2)).stream()
 #define QUICHE_CHECK_GT_IMPL(val1, val2) \
   ::quiche::CheckLogSink((val1) > (val2)).stream()
+#define QUICHE_CHECK_OK_IMPL(status) \
+  QUICHE_CHECK_EQ_IMPL(absl::OkStatus(), (status))
 
 #ifdef NDEBUG
 #define QUICHE_DCHECK_IMPL(condition) \
diff --git a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_test_loopback_impl.h b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_test_loopback_impl.h
index 228bbb85b4e..6c377c86683 100644
--- a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_test_loopback_impl.h
+++ b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_test_loopback_impl.h
@@ -6,6 +6,7 @@
 #define QUICHE_COMMON_PLATFORM_DEFAULT_QUICHE_PLATFORM_IMPL_QUICHE_TEST_LOOPBACK_IMPL_H_
 
 #include "quiche/quic/platform/api/quic_ip_address.h"
+#include "quiche/quic/platform/api/quic_ip_address_family.h"
 
 namespace quiche {
 
diff --git a/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_udp_socket_platform_impl.h b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_udp_socket_platform_impl.h
new file mode 100644
index 00000000000..b42cfcc7308
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/platform/default/quiche_platform_impl/quiche_udp_socket_platform_impl.h
@@ -0,0 +1,28 @@
+// Copyright 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_COMMON_PLATFORM_DEFAULT_QUICHE_PLATFORM_IMPL_QUICHE_UDP_SOCKET_PLATFORM_IMPL_H_
+#define QUICHE_COMMON_PLATFORM_DEFAULT_QUICHE_PLATFORM_IMPL_QUICHE_UDP_SOCKET_PLATFORM_IMPL_H_
+
+#include <sys/socket.h>
+#include <unistd.h>
+
+#include <cstddef>
+#include <cstdint>
+
+namespace quiche {
+
+constexpr size_t kCmsgSpaceForGooglePacketHeaderImpl = 0;
+
+inline bool GetGooglePacketHeadersFromControlMessageImpl(
+    struct ::cmsghdr* /*cmsg*/, char** /*packet_headers*/,
+    size_t* /*packet_headers_len*/) {
+  return false;
+}
+
+inline void SetGoogleSocketOptionsImpl(int /*fd*/) {}
+
+}  // namespace quiche
+
+#endif  // QUICHE_COMMON_PLATFORM_DEFAULT_QUICHE_PLATFORM_IMPL_QUICHE_UDP_SOCKET_PLATFORM_IMPL_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/common/quiche_crypto_logging.cc b/chromium/net/third_party/quiche/src/quiche/common/quiche_crypto_logging.cc
new file mode 100644
index 00000000000..7f3eb2a5070
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_crypto_logging.cc
@@ -0,0 +1,42 @@
+// Copyright 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "quiche/common/quiche_crypto_logging.h"
+
+#include "absl/status/status.h"
+#include "absl/strings/string_view.h"
+#include "openssl/err.h"
+#include "quiche/common/platform/api/quiche_logging.h"
+
+namespace quiche {
+void DLogOpenSslErrors() {
+#ifdef NDEBUG
+  // Clear OpenSSL error stack.
+  ClearOpenSslErrors();
+#else
+  while (uint32_t error = ERR_get_error()) {
+    char buf[120];
+    ERR_error_string_n(error, buf, ABSL_ARRAYSIZE(buf));
+    QUICHE_DLOG(ERROR) << "OpenSSL error: " << buf;
+  }
+#endif
+}
+
+void ClearOpenSslErrors() {
+  while (ERR_get_error()) {
+  }
+}
+
+absl::Status SslErrorAsStatus(absl::string_view msg) {
+  std::string message;
+  absl::StrAppend(&message, msg, "OpenSSL error: ");
+  while (uint32_t error = ERR_get_error()) {
+    char buf[120];
+    ERR_error_string_n(error, buf, ABSL_ARRAYSIZE(buf));
+    absl::StrAppend(&message, buf);
+  }
+  return absl::InternalError(message);
+}
+
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/quiche/common/quiche_crypto_logging.h b/chromium/net/third_party/quiche/src/quiche/common/quiche_crypto_logging.h
new file mode 100644
index 00000000000..709694da8a2
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_crypto_logging.h
@@ -0,0 +1,25 @@
+// Copyright 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_COMMON_QUICHE_CRYPTO_LOGGING_H_
+#define QUICHE_COMMON_QUICHE_CRYPTO_LOGGING_H_
+
+#include "absl/status/status.h"
+
+namespace quiche {
+
+// In debug builds only, log OpenSSL error stack. Then clear OpenSSL error
+// stack.
+void DLogOpenSslErrors();
+
+// Clears OpenSSL error stack.
+void ClearOpenSslErrors();
+
+// Include OpenSSL error stack in Status msg so that callers could choose to
+// only log it in debug builds if required.
+absl::Status SslErrorAsStatus(absl::string_view msg);
+
+}  // namespace quiche
+
+#endif  // QUICHE_COMMON_QUICHE_CRYPTO_LOGGING_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/common/quiche_data_reader.cc b/chromium/net/third_party/quiche/src/quiche/common/quiche_data_reader.cc
index 080431c0b6b..84eca4d2dcc 100644
--- a/chromium/net/third_party/quiche/src/quiche/common/quiche_data_reader.cc
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_data_reader.cc
@@ -276,7 +276,14 @@ bool QuicheDataReader::Seek(size_t size) {
 
 bool QuicheDataReader::IsDoneReading() const { return len_ == pos_; }
 
-size_t QuicheDataReader::BytesRemaining() const { return len_ - pos_; }
+size_t QuicheDataReader::BytesRemaining() const {
+  if (pos_ > len_) {
+    QUICHE_BUG(quiche_reader_pos_out_of_bound)
+        << "QUIC reader pos out of bound: " << pos_ << ", len: " << len_;
+    return 0;
+  }
+  return len_ - pos_;
+}
 
 bool QuicheDataReader::TruncateRemaining(size_t truncation_length) {
   if (truncation_length > BytesRemaining()) {
diff --git a/chromium/net/third_party/quiche/src/quiche/common/quiche_endian.h b/chromium/net/third_party/quiche/src/quiche/common/quiche_endian.h
index 834f7433c47..5af28af05fa 100644
--- a/chromium/net/third_party/quiche/src/quiche/common/quiche_endian.h
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_endian.h
@@ -49,7 +49,7 @@ class QUICHE_EXPORT_PRIVATE QuicheEndian {
       char bytes[sizeof(T)];
     } value;
     value.number = input;
-    std::reverse(std::begin(value.bytes), std::end(value.bytes));
+    std::reverse(&value.bytes[0], &value.bytes[sizeof(T)]);
     return value.number;
   }
 };
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address.cc b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address.cc
index ba7f6af6b56..342597bfab3 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address.cc
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address.cc
@@ -2,21 +2,22 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "quiche/quic/platform/api/quic_ip_address.h"
+#include "quiche/common/quiche_ip_address.h"
 
 #include <algorithm>
 #include <cstdint>
 #include <cstring>
 #include <string>
 
-#include "quiche/quic/platform/api/quic_bug_tracker.h"
-#include "quiche/quic/platform/api/quic_ip_address_family.h"
-#include "quiche/quic/platform/api/quic_logging.h"
+#include "absl/strings/str_cat.h"
+#include "quiche/common/platform/api/quiche_bug_tracker.h"
+#include "quiche/common/platform/api/quiche_logging.h"
+#include "quiche/common/quiche_ip_address_family.h"
 
-namespace quic {
+namespace quiche {
 
-QuicIpAddress QuicIpAddress::Loopback4() {
-  QuicIpAddress result;
+QuicheIpAddress QuicheIpAddress::Loopback4() {
+  QuicheIpAddress result;
   result.family_ = IpAddressFamily::IP_V4;
   result.address_.bytes[0] = 127;
   result.address_.bytes[1] = 0;
@@ -25,8 +26,8 @@ QuicIpAddress QuicIpAddress::Loopback4() {
   return result;
 }
 
-QuicIpAddress QuicIpAddress::Loopback6() {
-  QuicIpAddress result;
+QuicheIpAddress QuicheIpAddress::Loopback6() {
+  QuicheIpAddress result;
   result.family_ = IpAddressFamily::IP_V6;
   uint8_t* bytes = result.address_.bytes;
   memset(bytes, 0, 15);
@@ -34,63 +35,65 @@ QuicIpAddress QuicIpAddress::Loopback6() {
   return result;
 }
 
-QuicIpAddress QuicIpAddress::Any4() {
+QuicheIpAddress QuicheIpAddress::Any4() {
   in_addr address;
   memset(&address, 0, sizeof(address));
-  return QuicIpAddress(address);
+  return QuicheIpAddress(address);
 }
 
-QuicIpAddress QuicIpAddress::Any6() {
+QuicheIpAddress QuicheIpAddress::Any6() {
   in6_addr address;
   memset(&address, 0, sizeof(address));
-  return QuicIpAddress(address);
+  return QuicheIpAddress(address);
 }
 
-QuicIpAddress::QuicIpAddress() : family_(IpAddressFamily::IP_UNSPEC) {}
+QuicheIpAddress::QuicheIpAddress() : family_(IpAddressFamily::IP_UNSPEC) {}
 
-QuicIpAddress::QuicIpAddress(const in_addr& ipv4_address)
+QuicheIpAddress::QuicheIpAddress(const in_addr& ipv4_address)
     : family_(IpAddressFamily::IP_V4) {
   address_.v4 = ipv4_address;
 }
-QuicIpAddress::QuicIpAddress(const in6_addr& ipv6_address)
+QuicheIpAddress::QuicheIpAddress(const in6_addr& ipv6_address)
     : family_(IpAddressFamily::IP_V6) {
   address_.v6 = ipv6_address;
 }
 
-bool operator==(QuicIpAddress lhs, QuicIpAddress rhs) {
+bool operator==(QuicheIpAddress lhs, QuicheIpAddress rhs) {
   if (lhs.family_ != rhs.family_) {
     return false;
   }
   switch (lhs.family_) {
     case IpAddressFamily::IP_V4:
       return std::equal(lhs.address_.bytes,
-                        lhs.address_.bytes + QuicIpAddress::kIPv4AddressSize,
+                        lhs.address_.bytes + QuicheIpAddress::kIPv4AddressSize,
                         rhs.address_.bytes);
     case IpAddressFamily::IP_V6:
       return std::equal(lhs.address_.bytes,
-                        lhs.address_.bytes + QuicIpAddress::kIPv6AddressSize,
+                        lhs.address_.bytes + QuicheIpAddress::kIPv6AddressSize,
                         rhs.address_.bytes);
     case IpAddressFamily::IP_UNSPEC:
       return true;
   }
-  QUIC_BUG(quic_bug_10126_2)
+  QUICHE_BUG(quiche_bug_10126_2)
       << "Invalid IpAddressFamily " << static_cast<int32_t>(lhs.family_);
   return false;
 }
 
-bool operator!=(QuicIpAddress lhs, QuicIpAddress rhs) { return !(lhs == rhs); }
+bool operator!=(QuicheIpAddress lhs, QuicheIpAddress rhs) {
+  return !(lhs == rhs);
+}
 
-bool QuicIpAddress::IsInitialized() const {
+bool QuicheIpAddress::IsInitialized() const {
   return family_ != IpAddressFamily::IP_UNSPEC;
 }
 
-IpAddressFamily QuicIpAddress::address_family() const { return family_; }
+IpAddressFamily QuicheIpAddress::address_family() const { return family_; }
 
-int QuicIpAddress::AddressFamilyToInt() const {
+int QuicheIpAddress::AddressFamilyToInt() const {
   return ToPlatformAddressFamily(family_);
 }
 
-std::string QuicIpAddress::ToPackedString() const {
+std::string QuicheIpAddress::ToPackedString() const {
   switch (family_) {
     case IpAddressFamily::IP_V4:
       return std::string(address_.chars, sizeof(address_.v4));
@@ -99,12 +102,12 @@ std::string QuicIpAddress::ToPackedString() const {
     case IpAddressFamily::IP_UNSPEC:
       return "";
   }
-  QUIC_BUG(quic_bug_10126_3)
+  QUICHE_BUG(quiche_bug_10126_3)
       << "Invalid IpAddressFamily " << static_cast<int32_t>(family_);
   return "";
 }
 
-std::string QuicIpAddress::ToString() const {
+std::string QuicheIpAddress::ToString() const {
   if (!IsInitialized()) {
     return "";
   }
@@ -112,7 +115,7 @@ std::string QuicIpAddress::ToString() const {
   char buffer[INET6_ADDRSTRLEN] = {0};
   const char* result =
       inet_ntop(AddressFamilyToInt(), address_.bytes, buffer, sizeof(buffer));
-  QUIC_BUG_IF(quic_bug_10126_4, result == nullptr)
+  QUICHE_BUG_IF(quiche_bug_10126_4, result == nullptr)
       << "Failed to convert an IP address to string";
   return buffer;
 }
@@ -121,7 +124,7 @@ static const uint8_t kMappedAddressPrefix[] = {
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
 };
 
-QuicIpAddress QuicIpAddress::Normalized() const {
+QuicheIpAddress QuicheIpAddress::Normalized() const {
   if (!IsIPv6()) {
     return *this;
   }
@@ -132,15 +135,15 @@ QuicIpAddress QuicIpAddress::Normalized() const {
 
   in_addr result;
   memcpy(&result, &address_.bytes[12], sizeof(result));
-  return QuicIpAddress(result);
+  return QuicheIpAddress(result);
 }
 
-QuicIpAddress QuicIpAddress::DualStacked() const {
+QuicheIpAddress QuicheIpAddress::DualStacked() const {
   if (!IsIPv4()) {
     return *this;
   }
 
-  QuicIpAddress result;
+  QuicheIpAddress result;
   result.family_ = IpAddressFamily::IP_V6;
   memcpy(result.address_.bytes, kMappedAddressPrefix,
          sizeof(kMappedAddressPrefix));
@@ -148,7 +151,7 @@ QuicIpAddress QuicIpAddress::DualStacked() const {
   return result;
 }
 
-bool QuicIpAddress::FromPackedString(const char* data, size_t length) {
+bool QuicheIpAddress::FromPackedString(const char* data, size_t length) {
   switch (length) {
     case kIPv4AddressSize:
       family_ = IpAddressFamily::IP_V4;
@@ -163,7 +166,7 @@ bool QuicIpAddress::FromPackedString(const char* data, size_t length) {
   return true;
 }
 
-bool QuicIpAddress::FromString(std::string str) {
+bool QuicheIpAddress::FromString(std::string str) {
   for (IpAddressFamily family :
        {IpAddressFamily::IP_V6, IpAddressFamily::IP_V4}) {
     int result =
@@ -176,19 +179,23 @@ bool QuicIpAddress::FromString(std::string str) {
   return false;
 }
 
-bool QuicIpAddress::IsIPv4() const { return family_ == IpAddressFamily::IP_V4; }
+bool QuicheIpAddress::IsIPv4() const {
+  return family_ == IpAddressFamily::IP_V4;
+}
 
-bool QuicIpAddress::IsIPv6() const { return family_ == IpAddressFamily::IP_V6; }
+bool QuicheIpAddress::IsIPv6() const {
+  return family_ == IpAddressFamily::IP_V6;
+}
 
-bool QuicIpAddress::InSameSubnet(const QuicIpAddress& other,
-                                 int subnet_length) {
+bool QuicheIpAddress::InSameSubnet(const QuicheIpAddress& other,
+                                   int subnet_length) {
   if (!IsInitialized()) {
-    QUIC_BUG(quic_bug_10126_5)
+    QUICHE_BUG(quiche_bug_10126_5)
         << "Attempting to do subnet matching on undefined address";
     return false;
   }
   if ((IsIPv4() && subnet_length > 32) || (IsIPv6() && subnet_length > 128)) {
-    QUIC_BUG(quic_bug_10126_6) << "Subnet mask is out of bounds";
+    QUICHE_BUG(quiche_bug_10126_6) << "Subnet mask is out of bounds";
     return false;
   }
 
@@ -207,14 +214,45 @@ bool QuicIpAddress::InSameSubnet(const QuicIpAddress& other,
   return (lhs[bytes_to_check] & mask) == (rhs[bytes_to_check] & mask);
 }
 
-in_addr QuicIpAddress::GetIPv4() const {
+in_addr QuicheIpAddress::GetIPv4() const {
   QUICHE_DCHECK(IsIPv4());
   return address_.v4;
 }
 
-in6_addr QuicIpAddress::GetIPv6() const {
+in6_addr QuicheIpAddress::GetIPv6() const {
   QUICHE_DCHECK(IsIPv6());
   return address_.v6;
 }
 
-}  // namespace quic
+QuicheIpPrefix::QuicheIpPrefix() : prefix_length_(0) {}
+QuicheIpPrefix::QuicheIpPrefix(const QuicheIpAddress& address)
+    : address_(address) {
+  if (address_.IsIPv6()) {
+    prefix_length_ = QuicheIpAddress::kIPv6AddressSize * 8;
+  } else if (address_.IsIPv4()) {
+    prefix_length_ = QuicheIpAddress::kIPv4AddressSize * 8;
+  } else {
+    prefix_length_ = 0;
+  }
+}
+QuicheIpPrefix::QuicheIpPrefix(const QuicheIpAddress& address,
+                               uint8_t prefix_length)
+    : address_(address), prefix_length_(prefix_length) {
+  QUICHE_DCHECK(prefix_length <= QuicheIpPrefix(address).prefix_length())
+      << "prefix_length cannot be longer than the size of the IP address";
+}
+
+std::string QuicheIpPrefix::ToString() const {
+  return absl::StrCat(address_.ToString(), "/", prefix_length_);
+}
+
+bool operator==(const QuicheIpPrefix& lhs, const QuicheIpPrefix& rhs) {
+  return lhs.address_ == rhs.address_ &&
+         lhs.prefix_length_ == rhs.prefix_length_;
+}
+
+bool operator!=(const QuicheIpPrefix& lhs, const QuicheIpPrefix& rhs) {
+  return !(lhs == rhs);
+}
+
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address.h b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address.h
new file mode 100644
index 00000000000..9267922e924
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address.h
@@ -0,0 +1,130 @@
+// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_COMMON_QUICHE_IP_ADDRESS_H_
+#define QUICHE_COMMON_QUICHE_IP_ADDRESS_H_
+
+#include <cstdint>
+#if defined(_WIN32)
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#else
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#endif
+
+#include <ostream>
+#include <string>
+
+#include "quiche/common/platform/api/quiche_export.h"
+#include "quiche/common/quiche_ip_address_family.h"
+
+namespace quiche {
+
+// Represents an IP address.
+class QUICHE_EXPORT_PRIVATE QuicheIpAddress {
+ public:
+  // Sizes of IP addresses of different types, in bytes.
+  enum : size_t {
+    kIPv4AddressSize = 32 / 8,
+    kIPv6AddressSize = 128 / 8,
+    kMaxAddressSize = kIPv6AddressSize,
+  };
+
+  // TODO(fayang): Remove Loopback*() and use TestLoopback*() in tests.
+  static QuicheIpAddress Loopback4();
+  static QuicheIpAddress Loopback6();
+  static QuicheIpAddress Any4();
+  static QuicheIpAddress Any6();
+
+  QuicheIpAddress();
+  QuicheIpAddress(const QuicheIpAddress& other) = default;
+  explicit QuicheIpAddress(const in_addr& ipv4_address);
+  explicit QuicheIpAddress(const in6_addr& ipv6_address);
+  QuicheIpAddress& operator=(const QuicheIpAddress& other) = default;
+  QuicheIpAddress& operator=(QuicheIpAddress&& other) = default;
+  QUICHE_EXPORT_PRIVATE friend bool operator==(QuicheIpAddress lhs,
+                                               QuicheIpAddress rhs);
+  QUICHE_EXPORT_PRIVATE friend bool operator!=(QuicheIpAddress lhs,
+                                               QuicheIpAddress rhs);
+
+  bool IsInitialized() const;
+  IpAddressFamily address_family() const;
+  int AddressFamilyToInt() const;
+  // Returns the address as a sequence of bytes in network-byte-order. IPv4 will
+  // be 4 bytes. IPv6 will be 16 bytes.
+  std::string ToPackedString() const;
+  // Returns string representation of the address.
+  std::string ToString() const;
+  // Normalizes the address representation with respect to IPv4 addresses, i.e,
+  // mapped IPv4 addresses ("::ffff:X.Y.Z.Q") are converted to pure IPv4
+  // addresses.  All other IPv4, IPv6, and empty values are left unchanged.
+  QuicheIpAddress Normalized() const;
+  // Returns an address suitable for use in IPv6-aware contexts.  This is the
+  // opposite of NormalizeIPAddress() above.  IPv4 addresses are converted into
+  // their IPv4-mapped address equivalents (e.g. 192.0.2.1 becomes
+  // ::ffff:192.0.2.1).  IPv6 addresses are a noop (they are returned
+  // unchanged).
+  QuicheIpAddress DualStacked() const;
+  bool FromPackedString(const char* data, size_t length);
+  bool FromString(std::string str);
+  bool IsIPv4() const;
+  bool IsIPv6() const;
+  bool InSameSubnet(const QuicheIpAddress& other, int subnet_length);
+
+  in_addr GetIPv4() const;
+  in6_addr GetIPv6() const;
+
+ private:
+  union {
+    in_addr v4;
+    in6_addr v6;
+    uint8_t bytes[kMaxAddressSize];
+    char chars[kMaxAddressSize];
+  } address_;
+  IpAddressFamily family_;
+};
+
+inline std::ostream& operator<<(std::ostream& os,
+                                const QuicheIpAddress address) {
+  os << address.ToString();
+  return os;
+}
+
+// Represents an IP prefix, which is an IP address and a prefix length in bits.
+class QUICHE_EXPORT_PRIVATE QuicheIpPrefix {
+ public:
+  QuicheIpPrefix();
+  explicit QuicheIpPrefix(const QuicheIpAddress& address);
+  explicit QuicheIpPrefix(const QuicheIpAddress& address,
+                          uint8_t prefix_length);
+
+  QuicheIpAddress address() const { return address_; }
+  uint8_t prefix_length() const { return prefix_length_; }
+  // Human-readable string representation of the prefix suitable for logging.
+  std::string ToString() const;
+
+  QuicheIpPrefix(const QuicheIpPrefix& other) = default;
+  QuicheIpPrefix& operator=(const QuicheIpPrefix& other) = default;
+  QuicheIpPrefix& operator=(QuicheIpPrefix&& other) = default;
+  QUICHE_EXPORT_PRIVATE friend bool operator==(const QuicheIpPrefix& lhs,
+                                               const QuicheIpPrefix& rhs);
+  QUICHE_EXPORT_PRIVATE friend bool operator!=(const QuicheIpPrefix& lhs,
+                                               const QuicheIpPrefix& rhs);
+
+ private:
+  QuicheIpAddress address_;
+  uint8_t prefix_length_;
+};
+
+inline std::ostream& operator<<(std::ostream& os, const QuicheIpPrefix prefix) {
+  os << prefix.ToString();
+  return os;
+}
+
+}  // namespace quiche
+
+#endif  // QUICHE_COMMON_QUICHE_IP_ADDRESS_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address_family.cc b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address_family.cc
index c78abf2adac..885ddb6393a 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address_family.cc
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address_family.cc
@@ -2,9 +2,9 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "quiche/quic/platform/api/quic_ip_address_family.h"
+#include "quiche/common/quiche_ip_address_family.h"
 
-#include "quiche/quic/platform/api/quic_bug_tracker.h"
+#include "quiche/common/platform/api/quiche_bug_tracker.h"
 
 #if defined(_WIN32)
 #include <winsock2.h>
@@ -12,7 +12,7 @@
 #include <sys/socket.h>
 #endif  // defined(_WIN32)
 
-namespace quic {
+namespace quiche {
 
 int ToPlatformAddressFamily(IpAddressFamily family) {
   switch (family) {
@@ -23,7 +23,7 @@ int ToPlatformAddressFamily(IpAddressFamily family) {
     case IpAddressFamily::IP_UNSPEC:
       return AF_UNSPEC;
     default:
-      QUIC_BUG(quic_bug_10126_1)
+      QUICHE_BUG(quic_bug_10126_1)
           << "Invalid IpAddressFamily " << static_cast<int32_t>(family);
       return AF_UNSPEC;
   }
@@ -38,10 +38,10 @@ IpAddressFamily FromPlatformAddressFamily(int family) {
     case AF_UNSPEC:
       return IpAddressFamily::IP_UNSPEC;
     default:
-      QUIC_BUG(quic_FromPlatformAddressFamily_unrecognized_family)
+      QUICHE_BUG(quic_FromPlatformAddressFamily_unrecognized_family)
           << "Invalid platform address family int " << family;
       return IpAddressFamily::IP_UNSPEC;
   }
 }
 
-}  // namespace quic
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address_family.h b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address_family.h
new file mode 100644
index 00000000000..1fbec53b8ac
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address_family.h
@@ -0,0 +1,23 @@
+// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_COMMON_QUICHE_IP_ADDRESS_FAMILY_H_
+#define QUICHE_COMMON_QUICHE_IP_ADDRESS_FAMILY_H_
+
+namespace quiche {
+
+// IP address family type used in QUIC. This hides platform dependant IP address
+// family types.
+enum class IpAddressFamily {
+  IP_V4,
+  IP_V6,
+  IP_UNSPEC,
+};
+
+int ToPlatformAddressFamily(IpAddressFamily family);
+IpAddressFamily FromPlatformAddressFamily(int family);
+
+}  // namespace quiche
+
+#endif  // QUICHE_COMMON_QUICHE_IP_ADDRESS_FAMILY_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address_test.cc b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address_test.cc
index cc06917ccce..609b6b250fd 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_ip_address_test.cc
@@ -2,19 +2,19 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "quiche/quic/platform/api/quic_ip_address.h"
+#include "quiche/common/quiche_ip_address.h"
 
 #include <cstdint>
 
-#include "quiche/quic/platform/api/quic_ip_address_family.h"
-#include "quiche/quic/platform/api/quic_test.h"
+#include "quiche/common/platform/api/quiche_test.h"
+#include "quiche/common/quiche_ip_address_family.h"
 
-namespace quic {
+namespace quiche {
 namespace test {
 namespace {
 
-TEST(QuicIpAddressTest, IPv4) {
-  QuicIpAddress ip_address;
+TEST(QuicheIpAddressTest, IPv4) {
+  QuicheIpAddress ip_address;
   EXPECT_FALSE(ip_address.IsInitialized());
 
   EXPECT_TRUE(ip_address.FromString("127.0.52.223"));
@@ -34,8 +34,8 @@ TEST(QuicIpAddressTest, IPv4) {
   EXPECT_EQ(223u, *(v4_address_ptr + 3));
 }
 
-TEST(QuicIpAddressTest, IPv6) {
-  QuicIpAddress ip_address;
+TEST(QuicheIpAddressTest, IPv6) {
+  QuicheIpAddress ip_address;
   EXPECT_FALSE(ip_address.IsInitialized());
 
   EXPECT_TRUE(ip_address.FromString("fe80::1ff:fe23:4567"));
@@ -62,19 +62,19 @@ TEST(QuicIpAddressTest, IPv6) {
   EXPECT_EQ(ip_address, ip_address.DualStacked());
 }
 
-TEST(QuicIpAddressTest, FromPackedString) {
-  QuicIpAddress loopback4, loopback6;
+TEST(QuicheIpAddressTest, FromPackedString) {
+  QuicheIpAddress loopback4, loopback6;
   const char loopback4_packed[] = "\x7f\0\0\x01";
   const char loopback6_packed[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01";
   EXPECT_TRUE(loopback4.FromPackedString(loopback4_packed, 4));
   EXPECT_TRUE(loopback6.FromPackedString(loopback6_packed, 16));
-  EXPECT_EQ(loopback4, QuicIpAddress::Loopback4());
-  EXPECT_EQ(loopback6, QuicIpAddress::Loopback6());
+  EXPECT_EQ(loopback4, QuicheIpAddress::Loopback4());
+  EXPECT_EQ(loopback6, QuicheIpAddress::Loopback6());
 }
 
-TEST(QuicIpAddressTest, MappedAddress) {
-  QuicIpAddress ipv4_address;
-  QuicIpAddress mapped_address;
+TEST(QuicheIpAddressTest, MappedAddress) {
+  QuicheIpAddress ipv4_address;
+  QuicheIpAddress mapped_address;
 
   EXPECT_TRUE(ipv4_address.FromString("127.0.0.1"));
   EXPECT_TRUE(mapped_address.FromString("::ffff:7f00:1"));
@@ -83,7 +83,7 @@ TEST(QuicIpAddressTest, MappedAddress) {
   EXPECT_EQ(ipv4_address, mapped_address.Normalized());
 }
 
-TEST(QuicIpAddressTest, Subnets) {
+TEST(QuicheIpAddressTest, Subnets) {
   struct {
     const char* address1;
     const char* address2;
@@ -118,7 +118,7 @@ TEST(QuicIpAddressTest, Subnets) {
   };
 
   for (const auto& test_case : test_cases) {
-    QuicIpAddress address1, address2;
+    QuicheIpAddress address1, address2;
     ASSERT_TRUE(address1.FromString(test_case.address1));
     ASSERT_TRUE(address2.FromString(test_case.address2));
     EXPECT_EQ(test_case.same_subnet,
@@ -128,15 +128,15 @@ TEST(QuicIpAddressTest, Subnets) {
   }
 }
 
-TEST(QuicIpAddress, LoopbackAddresses) {
-  QuicIpAddress loopback4;
-  QuicIpAddress loopback6;
+TEST(QuicheIpAddress, LoopbackAddresses) {
+  QuicheIpAddress loopback4;
+  QuicheIpAddress loopback6;
   ASSERT_TRUE(loopback4.FromString("127.0.0.1"));
   ASSERT_TRUE(loopback6.FromString("::1"));
-  EXPECT_EQ(loopback4, QuicIpAddress::Loopback4());
-  EXPECT_EQ(loopback6, QuicIpAddress::Loopback6());
+  EXPECT_EQ(loopback4, QuicheIpAddress::Loopback4());
+  EXPECT_EQ(loopback6, QuicheIpAddress::Loopback6());
 }
 
 }  // namespace
 }  // namespace test
-}  // namespace quic
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_random.cc b/chromium/net/third_party/quiche/src/quiche/common/quiche_random.cc
index bd0dc5b534e..12eeac20378 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_random.cc
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_random.cc
@@ -1,18 +1,11 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/core/crypto/quic_random.h"
+#include "quiche/common/quiche_random.h"
 
 #include <cstdint>
 #include <cstring>
 
 #include "openssl/rand.h"
-#include "quiche/quic/platform/api/quic_bug_tracker.h"
-#include "quiche/quic/platform/api/quic_logging.h"
 #include "quiche/common/platform/api/quiche_logging.h"
-
-namespace quic {
+namespace quiche {
 
 namespace {
 
@@ -48,12 +41,12 @@ uint64_t Xoshiro256PlusPlus() {
   return result;
 }
 
-class DefaultRandom : public QuicRandom {
+class DefaultQuicheRandom : public QuicheRandom {
  public:
-  DefaultRandom() {}
-  DefaultRandom(const DefaultRandom&) = delete;
-  DefaultRandom& operator=(const DefaultRandom&) = delete;
-  ~DefaultRandom() override {}
+  DefaultQuicheRandom() {}
+  DefaultQuicheRandom(const DefaultQuicheRandom&) = delete;
+  DefaultQuicheRandom& operator=(const DefaultQuicheRandom&) = delete;
+  ~DefaultQuicheRandom() override {}
 
   // QuicRandom implementation
   void RandBytes(void* data, size_t len) override;
@@ -62,17 +55,17 @@ class DefaultRandom : public QuicRandom {
   uint64_t InsecureRandUint64() override;
 };
 
-void DefaultRandom::RandBytes(void* data, size_t len) {
+void DefaultQuicheRandom::RandBytes(void* data, size_t len) {
   RAND_bytes(reinterpret_cast<uint8_t*>(data), len);
 }
 
-uint64_t DefaultRandom::RandUint64() {
+uint64_t DefaultQuicheRandom::RandUint64() {
   uint64_t value;
   RandBytes(&value, sizeof(value));
   return value;
 }
 
-void DefaultRandom::InsecureRandBytes(void* data, size_t len) {
+void DefaultQuicheRandom::InsecureRandBytes(void* data, size_t len) {
   while (len >= sizeof(uint64_t)) {
     uint64_t random_bytes64 = Xoshiro256PlusPlus();
     memcpy(data, &random_bytes64, sizeof(uint64_t));
@@ -86,14 +79,15 @@ void DefaultRandom::InsecureRandBytes(void* data, size_t len) {
   }
 }
 
-uint64_t DefaultRandom::InsecureRandUint64() { return Xoshiro256PlusPlus(); }
+uint64_t DefaultQuicheRandom::InsecureRandUint64() {
+  return Xoshiro256PlusPlus();
+}
 
 }  // namespace
 
 // static
-QuicRandom* QuicRandom::GetInstance() {
-  static DefaultRandom* random = new DefaultRandom();
+QuicheRandom* QuicheRandom::GetInstance() {
+  static DefaultQuicheRandom* random = new DefaultQuicheRandom();
   return random;
 }
-
-}  // namespace quic
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/quiche/common/quiche_random.h b/chromium/net/third_party/quiche/src/quiche/common/quiche_random.h
new file mode 100644
index 00000000000..7ee29957c12
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_random.h
@@ -0,0 +1,37 @@
+#ifndef QUICHE_COMMON_QUICHE_RANDOM_H_
+#define QUICHE_COMMON_QUICHE_RANDOM_H_
+
+#include <cstddef>
+#include <cstdint>
+
+#include "quiche/common/platform/api/quiche_export.h"
+
+namespace quiche {
+
+// The interface for a random number generator.
+class QUICHE_EXPORT_PRIVATE QuicheRandom {
+ public:
+  virtual ~QuicheRandom() {}
+
+  // Returns the default random number generator, which is cryptographically
+  // secure and thread-safe.
+  static QuicheRandom* GetInstance();
+
+  // Generates |len| random bytes in the |data| buffer.
+  virtual void RandBytes(void* data, size_t len) = 0;
+
+  // Returns a random number in the range [0, kuint64max].
+  virtual uint64_t RandUint64() = 0;
+
+  // Generates |len| random bytes in the |data| buffer. This MUST NOT be used
+  // for any application that requires cryptographically-secure randomness.
+  virtual void InsecureRandBytes(void* data, size_t len) = 0;
+
+  // Returns a random number in the range [0, kuint64max]. This MUST NOT be used
+  // for any application that requires cryptographically-secure randomness.
+  virtual uint64_t InsecureRandUint64() = 0;
+};
+
+}  // namespace quiche
+
+#endif  // QUICHE_COMMON_QUICHE_RANDOM_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_random_test.cc b/chromium/net/third_party/quiche/src/quiche/common/quiche_random_test.cc
index 2a43c291dd6..2f1aacc4f4d 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_random_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/common/quiche_random_test.cc
@@ -1,53 +1,47 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
+#include "quiche/common/quiche_random.h"
 
-#include "quiche/quic/core/crypto/quic_random.h"
+#include "quiche/common/platform/api/quiche_test.h"
 
-#include "quiche/quic/platform/api/quic_test.h"
+namespace quiche {
+namespace {
 
-namespace quic {
-namespace test {
-
-class QuicRandomTest : public QuicTest {};
-
-TEST_F(QuicRandomTest, RandBytes) {
+TEST(QuicheRandom, RandBytes) {
   unsigned char buf1[16];
   unsigned char buf2[16];
   memset(buf1, 0xaf, sizeof(buf1));
   memset(buf2, 0xaf, sizeof(buf2));
   ASSERT_EQ(0, memcmp(buf1, buf2, sizeof(buf1)));
 
-  QuicRandom* rng = QuicRandom::GetInstance();
+  auto rng = QuicheRandom::GetInstance();
   rng->RandBytes(buf1, sizeof(buf1));
   EXPECT_NE(0, memcmp(buf1, buf2, sizeof(buf1)));
 }
 
-TEST_F(QuicRandomTest, RandUint64) {
-  QuicRandom* rng = QuicRandom::GetInstance();
+TEST(QuicheRandom, RandUint64) {
+  auto rng = QuicheRandom::GetInstance();
   uint64_t value1 = rng->RandUint64();
   uint64_t value2 = rng->RandUint64();
   EXPECT_NE(value1, value2);
 }
 
-TEST_F(QuicRandomTest, InsecureRandBytes) {
+TEST(QuicheRandom, InsecureRandBytes) {
   unsigned char buf1[16];
   unsigned char buf2[16];
   memset(buf1, 0xaf, sizeof(buf1));
   memset(buf2, 0xaf, sizeof(buf2));
   ASSERT_EQ(0, memcmp(buf1, buf2, sizeof(buf1)));
 
-  QuicRandom* rng = QuicRandom::GetInstance();
+  auto rng = QuicheRandom::GetInstance();
   rng->InsecureRandBytes(buf1, sizeof(buf1));
   EXPECT_NE(0, memcmp(buf1, buf2, sizeof(buf1)));
 }
 
-TEST_F(QuicRandomTest, InsecureRandUint64) {
-  QuicRandom* rng = QuicRandom::GetInstance();
+TEST(QuicheRandom, InsecureRandUint64) {
+  auto rng = QuicheRandom::GetInstance();
   uint64_t value1 = rng->InsecureRandUint64();
   uint64_t value2 = rng->InsecureRandUint64();
   EXPECT_NE(value1, value2);
 }
 
-}  // namespace test
-}  // namespace quic
+}  // namespace
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/quiche/common/structured_headers.cc b/chromium/net/third_party/quiche/src/quiche/common/structured_headers.cc
index b348c2232e9..3ab005898d6 100644
--- a/chromium/net/third_party/quiche/src/quiche/common/structured_headers.cc
+++ b/chromium/net/third_party/quiche/src/quiche/common/structured_headers.cc
@@ -720,37 +720,30 @@ class StructuredHeaderSerializer {
 }  // namespace
 
 Item::Item() {}
-Item::Item(const std::string& value, Item::ItemType type)
-    : type_(type), string_value_(value) {}
-Item::Item(std::string&& value, Item::ItemType type)
-    : type_(type), string_value_(std::move(value)) {
-  QUICHE_CHECK(type_ == kStringType || type_ == kTokenType ||
-               type_ == kByteSequenceType);
+Item::Item(std::string value, Item::ItemType type) {
+  switch (type) {
+    case kStringType:
+      value_.emplace<kStringType>(std::move(value));
+      break;
+    case kTokenType:
+      value_.emplace<kTokenType>(std::move(value));
+      break;
+    case kByteSequenceType:
+      value_.emplace<kByteSequenceType>(std::move(value));
+      break;
+    default:
+      QUICHE_CHECK(false);
+      break;
+  }
 }
 Item::Item(const char* value, Item::ItemType type)
     : Item(std::string(value), type) {}
-Item::Item(int64_t value) : type_(kIntegerType), integer_value_(value) {}
-Item::Item(double value) : type_(kDecimalType), decimal_value_(value) {}
-Item::Item(bool value) : type_(kBooleanType), boolean_value_(value) {}
+Item::Item(int64_t value) : value_(value) {}
+Item::Item(double value) : value_(value) {}
+Item::Item(bool value) : value_(value) {}
 
 bool operator==(const Item& lhs, const Item& rhs) {
-  if (lhs.type_ != rhs.type_) return false;
-  switch (lhs.type_) {
-    case Item::kNullType:
-      return true;
-    case Item::kStringType:
-    case Item::kTokenType:
-    case Item::kByteSequenceType:
-      return lhs.string_value_ == rhs.string_value_;
-    case Item::kIntegerType:
-      return lhs.integer_value_ == rhs.integer_value_;
-    case Item::kDecimalType:
-      return lhs.decimal_value_ == rhs.decimal_value_;
-    case Item::kBooleanType:
-      return lhs.boolean_value_ == rhs.boolean_value_;
-  }
-  QUICHE_NOTREACHED();
-  return false;
+  return lhs.value_ == rhs.value_;
 }
 
 ParameterizedItem::ParameterizedItem(const ParameterizedItem&) = default;
diff --git a/chromium/net/third_party/quiche/src/quiche/common/structured_headers.h b/chromium/net/third_party/quiche/src/quiche/common/structured_headers.h
index f0eda840695..844f6730d27 100644
--- a/chromium/net/third_party/quiche/src/quiche/common/structured_headers.h
+++ b/chromium/net/third_party/quiche/src/quiche/common/structured_headers.h
@@ -13,6 +13,7 @@
 
 #include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
+#include "absl/types/variant.h"
 #include "quiche/common/platform/api/quiche_export.h"
 #include "quiche/common/platform/api/quiche_logging.h"
 
@@ -73,8 +74,7 @@ class QUICHE_EXPORT_PRIVATE Item {
 
   // Constructors for string-like items: Strings, Tokens and Byte Sequences.
   Item(const char* value, Item::ItemType type = kStringType);
-  Item(const std::string& value, Item::ItemType type = kStringType);
-  Item(std::string&& value, Item::ItemType type = kStringType);
+  Item(std::string value, Item::ItemType type = kStringType);
 
   QUICHE_EXPORT_PRIVATE friend bool operator==(const Item& lhs,
                                                const Item& rhs);
@@ -82,43 +82,49 @@ class QUICHE_EXPORT_PRIVATE Item {
     return !(lhs == rhs);
   }
 
-  bool is_null() const { return type_ == kNullType; }
-  bool is_integer() const { return type_ == kIntegerType; }
-  bool is_decimal() const { return type_ == kDecimalType; }
-  bool is_string() const { return type_ == kStringType; }
-  bool is_token() const { return type_ == kTokenType; }
-  bool is_byte_sequence() const { return type_ == kByteSequenceType; }
-  bool is_boolean() const { return type_ == kBooleanType; }
+  bool is_null() const { return Type() == kNullType; }
+  bool is_integer() const { return Type() == kIntegerType; }
+  bool is_decimal() const { return Type() == kDecimalType; }
+  bool is_string() const { return Type() == kStringType; }
+  bool is_token() const { return Type() == kTokenType; }
+  bool is_byte_sequence() const { return Type() == kByteSequenceType; }
+  bool is_boolean() const { return Type() == kBooleanType; }
 
   int64_t GetInteger() const {
-    QUICHE_CHECK_EQ(type_, kIntegerType);
-    return integer_value_;
+    const auto* value = absl::get_if<int64_t>(&value_);
+    QUICHE_CHECK(value);
+    return *value;
   }
   double GetDecimal() const {
-    QUICHE_CHECK_EQ(type_, kDecimalType);
-    return decimal_value_;
+    const auto* value = absl::get_if<double>(&value_);
+    QUICHE_CHECK(value);
+    return *value;
   }
   bool GetBoolean() const {
-    QUICHE_CHECK_EQ(type_, kBooleanType);
-    return boolean_value_;
+    const auto* value = absl::get_if<bool>(&value_);
+    QUICHE_CHECK(value);
+    return *value;
   }
   // TODO(iclelland): Split up accessors for String, Token and Byte Sequence.
   const std::string& GetString() const {
-    QUICHE_CHECK(type_ == kStringType || type_ == kTokenType ||
-                 type_ == kByteSequenceType);
-    return string_value_;
+    struct Visitor {
+      const std::string* operator()(const absl::monostate&) { return nullptr; }
+      const std::string* operator()(const int64_t&) { return nullptr; }
+      const std::string* operator()(const double&) { return nullptr; }
+      const std::string* operator()(const std::string& value) { return &value; }
+      const std::string* operator()(const bool&) { return nullptr; }
+    };
+    const std::string* value = absl::visit(Visitor(), value_);
+    QUICHE_CHECK(value);
+    return *value;
   }
 
-  ItemType Type() const { return type_; }
+  ItemType Type() const { return static_cast<ItemType>(value_.index()); }
 
  private:
-  ItemType type_ = kNullType;
-  // TODO(iclelland): Make this class more memory-efficient, replacing the
-  // values here with a union or std::variant (when available).
-  int64_t integer_value_ = 0;
-  std::string string_value_;
-  double decimal_value_;
-  bool boolean_value_;
+  absl::variant<absl::monostate, int64_t, double, std::string, std::string,
+                std::string, bool>
+      value_;
 };
 
 // Holds a ParameterizedIdentifier (draft 9 only). The contained Item must be a
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/fake_simple_epoll_server.cc b/chromium/net/third_party/quiche/src/quiche/epoll_server/fake_simple_epoll_server.cc
deleted file mode 100644
index f21ae1cfef1..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/fake_simple_epoll_server.cc
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/epoll_server/fake_simple_epoll_server.h"
-
-namespace epoll_server {
-namespace test {
-
-FakeTimeSimpleEpollServer::FakeTimeSimpleEpollServer() : now_in_usec_(0) {}
-
-FakeTimeSimpleEpollServer::~FakeTimeSimpleEpollServer() = default;
-
-int64_t FakeTimeSimpleEpollServer::NowInUsec() const { return now_in_usec_; }
-
-FakeSimpleEpollServer::FakeSimpleEpollServer() : until_in_usec_(-1) {}
-
-FakeSimpleEpollServer::~FakeSimpleEpollServer() = default;
-
-int FakeSimpleEpollServer::epoll_wait_impl(int /*epfd*/,
-                                           struct epoll_event* events,
-                                           int max_events, int timeout_in_ms) {
-  int num_events = 0;
-  while (!event_queue_.empty() && num_events < max_events &&
-         event_queue_.begin()->first <= NowInUsec() &&
-         ((until_in_usec_ == -1) ||
-          (event_queue_.begin()->first < until_in_usec_))) {
-    int64_t event_time_in_usec = event_queue_.begin()->first;
-    events[num_events] = event_queue_.begin()->second;
-    if (event_time_in_usec > NowInUsec()) {
-      set_now_in_usec(event_time_in_usec);
-    }
-    event_queue_.erase(event_queue_.begin());
-    ++num_events;
-  }
-  if (num_events == 0) {       // then we'd have waited 'till the timeout.
-    if (until_in_usec_ < 0) {  // then we don't care what the final time is.
-      if (timeout_in_ms > 0) {
-        AdvanceBy(timeout_in_ms * 1000);
-      }
-    } else {  // except we assume that we don't wait for the timeout
-      // period if until_in_usec_ is a positive number.
-      set_now_in_usec(until_in_usec_);
-      // And reset until_in_usec_ to signal no waiting (as
-      // the AdvanceByExactly* stuff is meant to be one-shot,
-      // as are all similar net::EpollServer functions)
-      until_in_usec_ = -1;
-    }
-  }
-  if (until_in_usec_ >= 0) {
-    CHECK(until_in_usec_ >= NowInUsec());
-  }
-  return num_events;
-}
-
-}  // namespace test
-}  // namespace epoll_server
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/fake_simple_epoll_server.h b/chromium/net/third_party/quiche/src/quiche/epoll_server/fake_simple_epoll_server.h
deleted file mode 100644
index 62c9dd1de62..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/fake_simple_epoll_server.h
+++ /dev/null
@@ -1,112 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_EPOLL_SERVER_FAKE_SIMPLE_EPOLL_SERVER_H_
-#define QUICHE_EPOLL_SERVER_FAKE_SIMPLE_EPOLL_SERVER_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <map>
-
-#include "quiche/epoll_server/simple_epoll_server.h"
-
-namespace epoll_server {
-namespace test {
-
-// Unlike the full FakeEpollServer, this only lies about the time but lets
-// fd events operate normally.  Usefully when interacting with real backends
-// but wanting to skip forward in time to trigger timeouts.
-class FakeTimeSimpleEpollServer : public SimpleEpollServer {
- public:
-  FakeTimeSimpleEpollServer();
-  FakeTimeSimpleEpollServer(const FakeTimeSimpleEpollServer&) = delete;
-  FakeTimeSimpleEpollServer operator=(const FakeTimeSimpleEpollServer&) =
-      delete;
-
-  ~FakeTimeSimpleEpollServer() override;
-
-  // Replaces the net::EpollServer NowInUsec.
-  int64_t NowInUsec() const override;
-
-  void set_now_in_usec(int64_t nius) { now_in_usec_ = nius; }
-
-  // Advances the virtual 'now' by advancement_usec.
-  void AdvanceBy(int64_t advancement_usec) {
-    set_now_in_usec(NowInUsec() + advancement_usec);
-  }
-
-  // Advances the virtual 'now' by advancement_usec, and
-  // calls WaitForEventAndExecteCallbacks.
-  // Note that the WaitForEventsAndExecuteCallbacks invocation
-  // may cause NowInUs to advance beyond what was specified here.
-  // If that is not desired, use the AdvanceByExactly calls.
-  void AdvanceByAndWaitForEventsAndExecuteCallbacks(int64_t advancement_usec) {
-    AdvanceBy(advancement_usec);
-    WaitForEventsAndExecuteCallbacks();
-  }
-
- private:
-  int64_t now_in_usec_;
-};
-
-class FakeSimpleEpollServer : public FakeTimeSimpleEpollServer {
- public:  // type definitions
-  using EventQueue = std::multimap<int64_t, struct epoll_event>;
-
-  FakeSimpleEpollServer();
-  FakeSimpleEpollServer(const FakeSimpleEpollServer&) = delete;
-  FakeSimpleEpollServer operator=(const FakeSimpleEpollServer&) = delete;
-
-  ~FakeSimpleEpollServer() override;
-
-  // time_in_usec is the time at which the event specified
-  // by 'ee' will be delivered. Note that it -is- possible
-  // to add an event for a time which has already been passed..
-  // .. upon the next time that the callbacks are invoked,
-  // all events which are in the 'past' will be delivered.
-  void AddEvent(int64_t time_in_usec, const struct epoll_event& ee) {
-    event_queue_.insert(std::make_pair(time_in_usec, ee));
-  }
-
-  // Advances the virtual 'now' by advancement_usec,
-  // and ensure that the next invocation of
-  // WaitForEventsAndExecuteCallbacks goes no farther than
-  // advancement_usec from the current time.
-  void AdvanceByExactly(int64_t advancement_usec) {
-    until_in_usec_ = NowInUsec() + advancement_usec;
-    set_now_in_usec(NowInUsec() + advancement_usec);
-  }
-
-  // As above, except calls WaitForEventsAndExecuteCallbacks.
-  void AdvanceByExactlyAndCallCallbacks(int64_t advancement_usec) {
-    AdvanceByExactly(advancement_usec);
-    WaitForEventsAndExecuteCallbacks();
-  }
-
-  std::unordered_set<AlarmCB*>::size_type NumberOfAlarms() const {
-    return all_alarms_.size();
-  }
-
- protected:  // functions
-  // These functions do nothing here, as we're not actually
-  // using the epoll_* syscalls.
-  void DelFD(int /*fd*/) const override {}
-  void AddFD(int /*fd*/, int /*event_mask*/) const override {}
-  void ModFD(int /*fd*/, int /*event_mask*/) const override {}
-
-  // Replaces the epoll_server's epoll_wait_impl.
-  int epoll_wait_impl(int epfd, struct epoll_event* events, int max_events,
-                      int timeout_in_ms) override;
-  void SetNonblocking(int /*fd*/) override {}
-
- private:  // members
-  EventQueue event_queue_;
-  int64_t until_in_usec_;
-};
-
-}  // namespace test
-}  // namespace epoll_server
-
-#endif  // QUICHE_EPOLL_SERVER_FAKE_SIMPLE_EPOLL_SERVER_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_address_test_utils.h b/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_address_test_utils.h
deleted file mode 100644
index 883d5107c18..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_address_test_utils.h
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_ADDRESS_TEST_UTILS_H_
-#define QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_ADDRESS_TEST_UTILS_H_
-
-#include "quiche_platform_impl/epoll_address_test_utils_impl.h"
-
-namespace epoll_server {
-
-inline int AddressFamilyUnderTest() { return AddressFamilyUnderTestImpl(); }
-
-}  // namespace epoll_server
-
-#endif  // QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_ADDRESS_TEST_UTILS_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_bug.h b/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_bug.h
deleted file mode 100644
index eeb707adf08..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_bug.h
+++ /dev/null
@@ -1,12 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_BUG_H_
-#define QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_BUG_H_
-
-#include "quiche_platform_impl/epoll_bug_impl.h"
-
-#define EPOLL_BUG EPOLL_BUG_IMPL
-
-#endif  // QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_BUG_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_expect_bug.h b/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_expect_bug.h
deleted file mode 100644
index 36ebd970b01..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_expect_bug.h
+++ /dev/null
@@ -1,12 +0,0 @@
-// Copyright (c) 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_EXPECT_BUG_H_
-#define QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_EXPECT_BUG_H_
-
-#include "quiche_platform_impl/epoll_expect_bug_impl.h"
-
-#define EXPECT_EPOLL_BUG EXPECT_EPOLL_BUG_IMPL
-
-#endif  // QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_EXPECT_BUG_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_logging.h b/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_logging.h
deleted file mode 100644
index 2d5a0f4646a..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_logging.h
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_LOGGING_H_
-#define QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_LOGGING_H_
-
-#include "quiche_platform_impl/epoll_logging_impl.h"
-
-namespace epoll_server {
-
-#define EPOLL_LOG(severity) EPOLL_LOG_IMPL(severity)
-#define EPOLL_VLOG(verbosity) EPOLL_VLOG_IMPL(verbosity)
-#define EPOLL_DVLOG(verbosity) EPOLL_DVLOG_IMPL(verbosity)
-#define EPOLL_PLOG(severity) EPOLL_PLOG_IMPL(severity)
-
-}  // namespace epoll_server
-
-#endif  // QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_LOGGING_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_test.h b/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_test.h
deleted file mode 100644
index c7f0eea9ec8..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_test.h
+++ /dev/null
@@ -1,11 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_TEST_H_
-#define QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_TEST_H_
-
-#include "quiche_platform_impl/epoll_test_impl.h"
-#define EpollTest EpollTestImpl
-
-#endif  // QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_TEST_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_thread.h b/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_thread.h
deleted file mode 100644
index 5b159cbca9b..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/platform/api/epoll_thread.h
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_THREAD_H_
-#define QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_THREAD_H_
-
-#include <string>
-
-#include "quiche_platform_impl/epoll_thread_impl.h"
-
-namespace epoll_server {
-
-// A class representing a thread of execution in QUIC.
-class EpollThread : public EpollThreadImpl {
- public:
-  EpollThread(const std::string& string) : EpollThreadImpl(string) {}
-  EpollThread(const EpollThread&) = delete;
-  EpollThread& operator=(const EpollThread&) = delete;
-
-  // Impl defines a virtual void Run() method which subclasses
-  // must implement.
-};
-
-}  // namespace epoll_server
-
-#endif  // QUICHE_EPOLL_SERVER_PLATFORM_API_EPOLL_THREAD_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/simple_epoll_server.cc b/chromium/net/third_party/quiche/src/quiche/epoll_server/simple_epoll_server.cc
deleted file mode 100644
index eb9d6c444c7..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/simple_epoll_server.cc
+++ /dev/null
@@ -1,815 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/epoll_server/simple_epoll_server.h"
-
-#include <errno.h>   // for errno
-#include <stdlib.h>  // for abort
-#include <string.h>  // for strerror_r
-#include <unistd.h>  // For read, pipe, close and write.
-
-#include <algorithm>
-#include <utility>
-
-#include "absl/time/clock.h"
-#include "quiche/epoll_server/platform/api/epoll_bug.h"
-
-// Design notes: An efficient implementation of ready list has the following
-// desirable properties:
-//
-// A. O(1) insertion into/removal from the list in any location.
-// B. Once the callback is found by hash lookup using the fd, the lookup of
-//    corresponding entry in the list is O(1).
-// C. Safe insertion into/removal from the list during list iteration. (The
-//    ready list's purpose is to enable completely event driven I/O model.
-//    Thus, all the interesting bits happen in the callback. It is critical
-//    to not place any restriction on the API during list iteration.
-//
-// The current implementation achieves these goals with the following design:
-//
-// - The ready list is constructed as a doubly linked list to enable O(1)
-//   insertion/removal (see man 3 queue).
-// - The forward and backward links are directly embedded inside the
-//   CBAndEventMask struct. This enables O(1) lookup in the list for a given
-//   callback. (Techincally, we could've used std::list of hash_set::iterator,
-//   and keep a list::iterator in CBAndEventMask to achieve the same effect.
-//   However, iterators have two problems: no way to portably invalidate them,
-//   and no way to tell whether an iterator is singular or not. The only way to
-//   overcome these issues is to keep bools in both places, but that throws off
-//   memory alignment (up to 7 wasted bytes for each bool). The extra level of
-//   indirection will also likely be less cache friendly. Direct manipulation
-//   of link pointers makes it easier to retrieve the CBAndEventMask from the
-//   list, easier to check whether an CBAndEventMask is in the list, uses less
-//   memory (save 32 bytes/fd), and does not affect cache usage (we need to
-//   read in the struct to use the callback anyway).)
-// - Embed the fd directly into CBAndEventMask and switch to using hash_set.
-//   This removes the need to store hash_map::iterator in the list just so that
-//   we can get both the fd and the callback.
-// - The ready list is "one shot": each entry is removed before OnEvent is
-//   called. This removes the mutation-while-iterating problem.
-// - Use two lists to keep track of callbacks. The ready_list_ is the one used
-//   for registration. Before iteration, the ready_list_ is swapped into the
-//   tmp_list_. Once iteration is done, tmp_list_ will be empty, and
-//   ready_list_ will have all the new ready fds.
-
-// The size we use for buffers passed to strerror_r
-static const int kErrorBufferSize = 256;
-
-namespace epoll_server {
-
-template <typename T>
-class AutoReset {
- public:
-  AutoReset(T* scoped_variable, T new_value)
-      : scoped_variable_(scoped_variable),
-        original_value_(std::move(*scoped_variable)) {
-    *scoped_variable_ = std::move(new_value);
-  }
-  AutoReset(const AutoReset&) = delete;
-  AutoReset& operator=(const AutoReset&) = delete;
-
-  ~AutoReset() { *scoped_variable_ = std::move(original_value_); }
-
- private:
-  T* scoped_variable_;
-  T original_value_;
-};
-
-// Clears the pipe and returns.  Used for waking the epoll server up.
-class ReadPipeCallback : public EpollCallbackInterface {
- public:
-  void OnEvent(int fd, EpollEvent* event) override {
-    DCHECK(event->in_events == EPOLLIN);
-    int data;
-    int data_read = 1;
-    // Read until the pipe is empty.
-    while (data_read > 0) {
-      data_read = read(fd, &data, sizeof(data));
-    }
-  }
-  void OnShutdown(SimpleEpollServer* /*eps*/, int /*fd*/) override {}
-  void OnRegistration(SimpleEpollServer*, int, int) override {}
-  void OnModification(int, int) override {}     // COV_NF_LINE
-  void OnUnregistration(int, bool) override {}  // COV_NF_LINE
-  std::string Name() const override { return "ReadPipeCallback"; }
-};
-
-////////////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////////////
-
-SimpleEpollServer::SimpleEpollServer()
-    : epoll_fd_(epoll_create(1024)),
-      timeout_in_us_(0),
-      recorded_now_in_us_(0),
-      ready_list_size_(0),
-      wake_cb_(new ReadPipeCallback),
-      read_fd_(-1),
-      write_fd_(-1),
-      in_wait_for_events_and_execute_callbacks_(false),
-      in_shutdown_(false),
-      last_delay_in_usec_(0) {
-  // ensure that the epoll_fd_ is valid.
-  CHECK_NE(epoll_fd_, -1);
-  LIST_INIT(&ready_list_);
-  LIST_INIT(&tmp_list_);
-
-  int pipe_fds[2];
-  if (pipe(pipe_fds) < 0) {
-    // Unfortunately, it is impossible to test any such initialization in
-    // a constructor (as virtual methods do not yet work).
-    // This -could- be solved by moving initialization to an outside
-    // call...
-    int saved_errno = errno;
-    char buf[kErrorBufferSize];
-    EPOLL_LOG(FATAL) << "Error " << saved_errno << " in pipe(): "
-                     << strerror_r(saved_errno, buf, sizeof(buf));
-  }
-  read_fd_ = pipe_fds[0];
-  write_fd_ = pipe_fds[1];
-  RegisterFD(read_fd_, wake_cb_.get(), EPOLLIN);
-}
-
-void SimpleEpollServer::CleanupFDToCBMap() {
-  auto cb_iter = cb_map_.begin();
-  while (cb_iter != cb_map_.end()) {
-    int fd = cb_iter->fd;
-    CB* cb = cb_iter->cb;
-
-    cb_iter->in_use = true;
-    if (cb) {
-      cb->OnShutdown(this, fd);
-    }
-
-    cb_map_.erase(cb_iter);
-    cb_iter = cb_map_.begin();
-  }
-}
-
-void SimpleEpollServer::CleanupTimeToAlarmCBMap() {
-  TimeToAlarmCBMap::iterator erase_it;
-
-  // Call OnShutdown() on alarms. Note that the structure of the loop
-  // is similar to the structure of loop in the function HandleAlarms()
-  for (auto i = alarm_map_.begin(); i != alarm_map_.end();) {
-    // Note that OnShutdown() can call UnregisterAlarm() on
-    // other iterators. OnShutdown() should not call UnregisterAlarm()
-    // on self because by definition the iterator is not valid any more.
-    i->second->OnShutdown(this);
-    erase_it = i;
-    ++i;
-    alarm_map_.erase(erase_it);
-  }
-}
-
-SimpleEpollServer::~SimpleEpollServer() {
-  DCHECK_EQ(in_shutdown_, false);
-  in_shutdown_ = true;
-#ifdef EPOLL_SERVER_EVENT_TRACING
-  EPOLL_LOG(INFO) << "\n" << event_recorder_;
-#endif
-  EPOLL_VLOG(2) << "Shutting down epoll server ";
-  CleanupFDToCBMap();
-
-  LIST_INIT(&ready_list_);
-  LIST_INIT(&tmp_list_);
-
-  CleanupTimeToAlarmCBMap();
-
-  close(read_fd_);
-  close(write_fd_);
-  close(epoll_fd_);
-}
-
-// Whether a CBAandEventMask is on the ready list is determined by a non-NULL
-// le_prev pointer (le_next being NULL indicates end of list).
-inline void SimpleEpollServer::AddToReadyList(CBAndEventMask* cb_and_mask) {
-  if (cb_and_mask->entry.le_prev == NULL) {
-    LIST_INSERT_HEAD(&ready_list_, cb_and_mask, entry);
-    ++ready_list_size_;
-  }
-}
-
-inline void SimpleEpollServer::RemoveFromReadyList(
-    const CBAndEventMask& cb_and_mask) {
-  if (cb_and_mask.entry.le_prev != NULL) {
-    LIST_REMOVE(&cb_and_mask, entry);
-    // Clean up all the ready list states. Don't bother with the other fields
-    // as they are initialized when the CBAandEventMask is added to the ready
-    // list. This saves a few cycles in the inner loop.
-    cb_and_mask.entry.le_prev = NULL;
-    --ready_list_size_;
-    if (ready_list_size_ == 0) {
-      DCHECK(ready_list_.lh_first == NULL);
-      DCHECK(tmp_list_.lh_first == NULL);
-    }
-  }
-}
-
-void SimpleEpollServer::RegisterFD(int fd, CB* cb, int event_mask) {
-  CHECK(cb);
-  EPOLL_VLOG(3) << "RegisterFD fd=" << fd << " event_mask=" << event_mask;
-  auto fd_i = cb_map_.find(CBAndEventMask(NULL, 0, fd));
-  if (cb_map_.end() != fd_i) {
-    // do we just abort, or do we just unregister the other callback?
-    // for now, lets just unregister the other callback.
-
-    // unregister any callback that may already be registered for this FD.
-    CB* other_cb = fd_i->cb;
-    if (other_cb) {
-      // Must remove from the ready list before erasing.
-      RemoveFromReadyList(*fd_i);
-      other_cb->OnUnregistration(fd, true);
-      ModFD(fd, event_mask);
-    } else {
-      // already unregistered, so just recycle the node.
-      AddFD(fd, event_mask);
-    }
-    fd_i->cb = cb;
-    fd_i->event_mask = event_mask;
-    fd_i->events_to_fake = 0;
-  } else {
-    AddFD(fd, event_mask);
-    cb_map_.insert(CBAndEventMask(cb, event_mask, fd));
-  }
-
-  // set the FD to be non-blocking.
-  SetNonblocking(fd);
-
-  cb->OnRegistration(this, fd, event_mask);
-}
-
-void SimpleEpollServer::SetNonblocking(int fd) {
-  int flags = fcntl(fd, F_GETFL, 0);
-  if (flags == -1) {
-    int saved_errno = errno;
-    char buf[kErrorBufferSize];
-    EPOLL_LOG(FATAL) << "Error " << saved_errno << " doing fcntl(" << fd
-                     << ", F_GETFL, 0): "
-                     << strerror_r(saved_errno, buf, sizeof(buf));
-  }
-  if (!(flags & O_NONBLOCK)) {
-    int saved_flags = flags;
-    flags = fcntl(fd, F_SETFL, flags | O_NONBLOCK);
-    if (flags == -1) {
-      // bad.
-      int saved_errno = errno;
-      char buf[kErrorBufferSize];
-      EPOLL_LOG(FATAL) << "Error " << saved_errno << " doing fcntl(" << fd
-                       << ", F_SETFL, " << saved_flags
-                       << "): " << strerror_r(saved_errno, buf, sizeof(buf));
-    }
-  }
-}
-
-int SimpleEpollServer::epoll_wait_impl(int epfd, struct epoll_event* events,
-                                       int max_events, int timeout_in_ms) {
-  return epoll_wait(epfd, events, max_events, timeout_in_ms);
-}
-
-void SimpleEpollServer::RegisterFDForWrite(int fd, CB* cb) {
-  RegisterFD(fd, cb, EPOLLOUT);
-}
-
-void SimpleEpollServer::RegisterFDForReadWrite(int fd, CB* cb) {
-  RegisterFD(fd, cb, EPOLLIN | EPOLLOUT);
-}
-
-void SimpleEpollServer::RegisterFDForRead(int fd, CB* cb) {
-  RegisterFD(fd, cb, EPOLLIN);
-}
-
-void SimpleEpollServer::UnregisterFD(int fd) {
-  auto fd_i = cb_map_.find(CBAndEventMask(NULL, 0, fd));
-  if (cb_map_.end() == fd_i || fd_i->cb == NULL) {
-    // Doesn't exist in server, or has gone through UnregisterFD once and still
-    // inside the callchain of OnEvent.
-    return;
-  }
-#ifdef EPOLL_SERVER_EVENT_TRACING
-  event_recorder_.RecordUnregistration(fd);
-#endif
-  CB* cb = fd_i->cb;
-  // Since the links are embedded within the struct, we must remove it from the
-  // list before erasing it from the hash_set.
-  RemoveFromReadyList(*fd_i);
-  DelFD(fd);
-  cb->OnUnregistration(fd, false);
-  // fd_i->cb is NULL if that fd is unregistered inside the callchain of
-  // OnEvent. Since the SimpleEpollServer needs a valid CBAndEventMask after
-  // OnEvent returns in order to add it to the ready list, we cannot have
-  // UnregisterFD erase the entry if it is in use. Thus, a NULL fd_i->cb is used
-  // as a condition that tells the SimpleEpollServer that this entry is unused
-  // at a later point.
-  if (!fd_i->in_use) {
-    cb_map_.erase(fd_i);
-  } else {
-    // Remove all trace of the registration, and just keep the node alive long
-    // enough so the code that calls OnEvent doesn't have to worry about
-    // figuring out whether the CBAndEventMask is valid or not.
-    fd_i->cb = NULL;
-    fd_i->event_mask = 0;
-    fd_i->events_to_fake = 0;
-  }
-}
-
-void SimpleEpollServer::ModifyCallback(int fd, int event_mask) {
-  ModifyFD(fd, ~0, event_mask);
-}
-
-void SimpleEpollServer::StopRead(int fd) { ModifyFD(fd, EPOLLIN, 0); }
-
-void SimpleEpollServer::StartRead(int fd) { ModifyFD(fd, 0, EPOLLIN); }
-
-void SimpleEpollServer::StopWrite(int fd) { ModifyFD(fd, EPOLLOUT, 0); }
-
-void SimpleEpollServer::StartWrite(int fd) { ModifyFD(fd, 0, EPOLLOUT); }
-
-void SimpleEpollServer::HandleEvent(int fd, int event_mask) {
-#ifdef EPOLL_SERVER_EVENT_TRACING
-  event_recorder_.RecordEpollEvent(fd, event_mask);
-#endif
-  auto fd_i = cb_map_.find(CBAndEventMask(NULL, 0, fd));
-  if (fd_i == cb_map_.end() || fd_i->cb == NULL) {
-    // Ignore the event.
-    // This could occur if epoll() returns a set of events, and
-    // while processing event A (earlier) we removed the callback
-    // for event B (and are now processing event B).
-    return;
-  }
-  fd_i->events_asserted = event_mask;
-  CBAndEventMask* cb_and_mask = const_cast<CBAndEventMask*>(&*fd_i);
-  AddToReadyList(cb_and_mask);
-}
-
-void SimpleEpollServer::WaitForEventsAndExecuteCallbacks() {
-  if (in_wait_for_events_and_execute_callbacks_) {
-    EPOLL_LOG(DFATAL) << "Attempting to call WaitForEventsAndExecuteCallbacks"
-                         " when an ancestor to the current function is already"
-                         " WaitForEventsAndExecuteCallbacks!";
-    // The line below is actually tested, but in coverage mode,
-    // we never see it.
-    return;  // COV_NF_LINE
-  }
-  AutoReset<bool> recursion_guard(&in_wait_for_events_and_execute_callbacks_,
-                                  true);
-  if (alarm_map_.empty()) {
-    // no alarms, this is business as usual.
-    WaitForEventsAndCallHandleEvents(timeout_in_us_, events_, events_size_);
-    recorded_now_in_us_ = 0;
-    return;
-  }
-
-  // store the 'now'. If we recomputed 'now' every iteration
-  // down below, then we might never exit that loop-- any
-  // long-running alarms might install other long-running
-  // alarms, etc. By storing it here now, we ensure that
-  // a more reasonable amount of work is done here.
-  int64_t now_in_us = NowInUsec();
-
-  // Get the first timeout from the alarm_map where it is
-  // stored in absolute time.
-  int64_t next_alarm_time_in_us = alarm_map_.begin()->first;
-  EPOLL_VLOG(4) << "next_alarm_time = " << next_alarm_time_in_us
-                << " now             = " << now_in_us
-                << " timeout_in_us = " << timeout_in_us_;
-
-  int64_t wait_time_in_us;
-  int64_t alarm_timeout_in_us = next_alarm_time_in_us - now_in_us;
-
-  // If the next alarm is sooner than the default timeout, or if there is no
-  // timeout (timeout_in_us_ == -1), wake up when the alarm should fire.
-  // Otherwise use the default timeout.
-  if (alarm_timeout_in_us < timeout_in_us_ || timeout_in_us_ < 0) {
-    wait_time_in_us = std::max(alarm_timeout_in_us, static_cast<int64_t>(0));
-  } else {
-    wait_time_in_us = timeout_in_us_;
-  }
-
-  EPOLL_VLOG(4) << "wait_time_in_us = " << wait_time_in_us;
-
-  // wait for events.
-
-  WaitForEventsAndCallHandleEvents(wait_time_in_us, events_, events_size_);
-  CallAndReregisterAlarmEvents();
-  recorded_now_in_us_ = 0;
-}
-
-void SimpleEpollServer::SetFDReady(int fd, int events_to_fake) {
-  auto fd_i = cb_map_.find(CBAndEventMask(NULL, 0, fd));
-  if (cb_map_.end() != fd_i && fd_i->cb != NULL) {
-    // This const_cast is necessary for LIST_HEAD_INSERT to work. Declaring
-    // entry mutable is insufficient because LIST_HEAD_INSERT assigns the
-    // forward pointer of the list head to the current cb_and_mask, and the
-    // compiler complains that it can't assign a const T* to a T*.
-    CBAndEventMask* cb_and_mask = const_cast<CBAndEventMask*>(&*fd_i);
-    // Note that there is no clearly correct behavior here when
-    // cb_and_mask->events_to_fake != 0 and this function is called.
-    // Of the two operations:
-    //      cb_and_mask->events_to_fake = events_to_fake
-    //      cb_and_mask->events_to_fake |= events_to_fake
-    // the first was picked because it discourages users from calling
-    // SetFDReady repeatedly to build up the correct event set as it is more
-    // efficient to call SetFDReady once with the correct, final mask.
-    cb_and_mask->events_to_fake = events_to_fake;
-    AddToReadyList(cb_and_mask);
-  }
-}
-
-void SimpleEpollServer::SetFDNotReady(int fd) {
-  auto fd_i = cb_map_.find(CBAndEventMask(NULL, 0, fd));
-  if (cb_map_.end() != fd_i) {
-    RemoveFromReadyList(*fd_i);
-  }
-}
-
-bool SimpleEpollServer::IsFDReady(int fd) const {
-  auto fd_i = cb_map_.find(CBAndEventMask(NULL, 0, fd));
-  return (cb_map_.end() != fd_i && fd_i->cb != NULL &&
-          fd_i->entry.le_prev != NULL);
-}
-
-void SimpleEpollServer::VerifyReadyList() const {
-  int count = 0;
-  CBAndEventMask* cur = ready_list_.lh_first;
-  for (; cur; cur = cur->entry.le_next) {
-    ++count;
-  }
-  for (cur = tmp_list_.lh_first; cur; cur = cur->entry.le_next) {
-    ++count;
-  }
-  CHECK_EQ(ready_list_size_, count) << "Ready list size does not match count";
-}
-
-void SimpleEpollServer::RegisterAlarm(int64_t timeout_time_in_us, AlarmCB* ac) {
-  EPOLL_VLOG(4) << "RegisteringAlarm " << ac << " at : " << timeout_time_in_us;
-  CHECK(ac);
-  if (all_alarms_.find(ac) != all_alarms_.end()) {
-    EPOLL_BUG(epoll_bug_1_1) << "Alarm already exists";
-  }
-
-  auto alarm_iter = alarm_map_.insert(std::make_pair(timeout_time_in_us, ac));
-
-  all_alarms_.insert(ac);
-  // Pass the iterator to the EpollAlarmCallbackInterface.
-  ac->OnRegistration(alarm_iter, this);
-}
-
-// Unregister a specific alarm callback: iterator_token must be a
-//  valid iterator. The caller must ensure the validity of the iterator.
-void SimpleEpollServer::UnregisterAlarm(const AlarmRegToken& iterator_token) {
-  AlarmCB* cb = iterator_token->second;
-  EPOLL_VLOG(4) << "UnregisteringAlarm " << cb;
-  alarm_map_.erase(iterator_token);
-  all_alarms_.erase(cb);
-  cb->OnUnregistration();
-}
-
-SimpleEpollServer::AlarmRegToken SimpleEpollServer::ReregisterAlarm(
-    SimpleEpollServer::AlarmRegToken iterator_token,
-    int64_t timeout_time_in_us) {
-  AlarmCB* cb = iterator_token->second;
-  alarm_map_.erase(iterator_token);
-  return alarm_map_.emplace(timeout_time_in_us, cb);
-}
-
-int SimpleEpollServer::NumFDsRegistered() const {
-  DCHECK_GE(cb_map_.size(), 1u);
-  // Omit the internal FD (read_fd_)
-  return cb_map_.size() - 1;
-}
-
-void SimpleEpollServer::Wake() {
-  char data = 'd';  // 'd' is for data.  It's good enough for me.
-  int rv = write(write_fd_, &data, 1);
-  DCHECK_EQ(rv, 1);
-}
-
-int64_t SimpleEpollServer::NowInUsec() const {
-  return absl::GetCurrentTimeNanos() / 1000;
-}
-
-int64_t SimpleEpollServer::ApproximateNowInUsec() const {
-  if (recorded_now_in_us_ != 0) {
-    return recorded_now_in_us_;
-  }
-  return this->NowInUsec();
-}
-
-std::string SimpleEpollServer::EventMaskToString(int event_mask) {
-  std::string s;
-  if (event_mask & EPOLLIN) s += "EPOLLIN ";
-  if (event_mask & EPOLLPRI) s += "EPOLLPRI ";
-  if (event_mask & EPOLLOUT) s += "EPOLLOUT ";
-  if (event_mask & EPOLLRDNORM) s += "EPOLLRDNORM ";
-  if (event_mask & EPOLLRDBAND) s += "EPOLLRDBAND ";
-  if (event_mask & EPOLLWRNORM) s += "EPOLLWRNORM ";
-  if (event_mask & EPOLLWRBAND) s += "EPOLLWRBAND ";
-  if (event_mask & EPOLLMSG) s += "EPOLLMSG ";
-  if (event_mask & EPOLLERR) s += "EPOLLERR ";
-  if (event_mask & EPOLLHUP) s += "EPOLLHUP ";
-  if (event_mask & EPOLLONESHOT) s += "EPOLLONESHOT ";
-  if (event_mask & EPOLLET) s += "EPOLLET ";
-  return s;
-}
-
-void SimpleEpollServer::LogStateOnCrash() {
-  EPOLL_LOG(ERROR)
-      << "-------------------Epoll Server-------------------------";
-  EPOLL_LOG(ERROR) << "Epoll server " << this << " polling on fd " << epoll_fd_;
-  EPOLL_LOG(ERROR) << "timeout_in_us_: " << timeout_in_us_;
-
-  // Log sessions with alarms.
-  EPOLL_LOG(ERROR) << alarm_map_.size() << " alarms registered.";
-  for (auto it = alarm_map_.begin(); it != alarm_map_.end(); ++it) {
-    const bool skipped =
-        alarms_reregistered_and_should_be_skipped_.find(it->second) !=
-        alarms_reregistered_and_should_be_skipped_.end();
-    EPOLL_LOG(ERROR) << "Alarm " << it->second << " registered at time "
-                     << it->first << " and should be skipped = " << skipped;
-  }
-
-  EPOLL_LOG(ERROR) << cb_map_.size() << " fd callbacks registered.";
-  for (auto it = cb_map_.begin(); it != cb_map_.end(); ++it) {
-    EPOLL_LOG(ERROR) << "fd: " << it->fd << " with mask " << it->event_mask
-                     << " registered with cb: " << it->cb;
-  }
-  EPOLL_LOG(ERROR)
-      << "-------------------/Epoll Server------------------------";
-}
-
-////////////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////////////
-
-void SimpleEpollServer::DelFD(int fd) const {
-  struct epoll_event ee;
-  memset(&ee, 0, sizeof(ee));
-#ifdef EPOLL_SERVER_EVENT_TRACING
-  event_recorder_.RecordFDMaskEvent(fd, 0, "DelFD");
-#endif
-  if (epoll_ctl(epoll_fd_, EPOLL_CTL_DEL, fd, &ee)) {
-    int saved_errno = errno;
-    char buf[kErrorBufferSize];
-    EPOLL_LOG(FATAL) << "Epoll set removal error for fd " << fd << ": "
-                     << strerror_r(saved_errno, buf, sizeof(buf));
-  }
-}
-
-////////////////////////////////////////
-
-void SimpleEpollServer::AddFD(int fd, int event_mask) const {
-  struct epoll_event ee;
-  memset(&ee, 0, sizeof(ee));
-  ee.events = event_mask | EPOLLERR | EPOLLHUP;
-  ee.data.fd = fd;
-#ifdef EPOLL_SERVER_EVENT_TRACING
-  event_recorder_.RecordFDMaskEvent(fd, ee.events, "AddFD");
-#endif
-  if (epoll_ctl(epoll_fd_, EPOLL_CTL_ADD, fd, &ee)) {
-    int saved_errno = errno;
-    char buf[kErrorBufferSize];
-    EPOLL_LOG(FATAL) << "Epoll set insertion error for fd " << fd << ": "
-                     << strerror_r(saved_errno, buf, sizeof(buf));
-  }
-}
-
-////////////////////////////////////////
-
-void SimpleEpollServer::ModFD(int fd, int event_mask) const {
-  struct epoll_event ee;
-  memset(&ee, 0, sizeof(ee));
-  ee.events = event_mask | EPOLLERR | EPOLLHUP;
-  ee.data.fd = fd;
-#ifdef EPOLL_SERVER_EVENT_TRACING
-  event_recorder_.RecordFDMaskEvent(fd, ee.events, "ModFD");
-#endif
-  EPOLL_VLOG(3) << "modifying fd= " << fd << " "
-                << EventMaskToString(ee.events);
-  if (epoll_ctl(epoll_fd_, EPOLL_CTL_MOD, fd, &ee)) {
-    int saved_errno = errno;
-    char buf[kErrorBufferSize];
-    EPOLL_LOG(FATAL) << "Epoll set modification error for fd " << fd << ": "
-                     << strerror_r(saved_errno, buf, sizeof(buf));
-  }
-}
-
-////////////////////////////////////////
-
-void SimpleEpollServer::ModifyFD(int fd, int remove_event, int add_event) {
-  auto fd_i = cb_map_.find(CBAndEventMask(NULL, 0, fd));
-  if (cb_map_.end() == fd_i) {
-    EPOLL_VLOG(2) << "Didn't find the fd " << fd << "in internal structures";
-    return;
-  }
-
-  if (fd_i->cb != NULL) {
-    int& event_mask = fd_i->event_mask;
-    EPOLL_VLOG(3) << "fd= " << fd
-                  << " event_mask before: " << EventMaskToString(event_mask);
-    event_mask &= ~remove_event;
-    event_mask |= add_event;
-
-    EPOLL_VLOG(3) << " event_mask after: " << EventMaskToString(event_mask);
-
-    ModFD(fd, event_mask);
-
-    fd_i->cb->OnModification(fd, event_mask);
-  }
-}
-
-void SimpleEpollServer::WaitForEventsAndCallHandleEvents(
-    int64_t timeout_in_us, struct epoll_event events[], int events_size) {
-  if (timeout_in_us == 0 || ready_list_.lh_first != NULL) {
-    // If ready list is not empty, then don't sleep at all.
-    timeout_in_us = 0;
-  } else if (timeout_in_us < 0) {
-    EPOLL_LOG(INFO) << "Negative epoll timeout: " << timeout_in_us
-                    << "us; epoll will wait forever for events.";
-    // If timeout_in_us is < 0 we are supposed to Wait forever.  This means we
-    // should set timeout_in_us to -1000 so we will
-    // Wait(-1000/1000) == Wait(-1) == Wait forever.
-    timeout_in_us = -1000;
-  } else {
-    // If timeout is specified, and the ready list is empty.
-    if (timeout_in_us < 1000) {
-      timeout_in_us = 1000;
-    }
-  }
-  const int timeout_in_ms = timeout_in_us / 1000;
-  int64_t expected_wakeup_us = NowInUsec() + timeout_in_us;
-
-  int nfds = epoll_wait_impl(epoll_fd_, events, events_size, timeout_in_ms);
-  EPOLL_VLOG(3) << "nfds=" << nfds;
-
-#ifdef EPOLL_SERVER_EVENT_TRACING
-  event_recorder_.RecordEpollWaitEvent(timeout_in_ms, nfds);
-#endif
-
-  // If you're wondering why the NowInUsec() is recorded here, the answer is
-  // simple: If we did it before the epoll_wait_impl, then the max error for
-  // the ApproximateNowInUs() call would be as large as the maximum length of
-  // epoll_wait, which can be arbitrarily long. Since this would make
-  // ApproximateNowInUs() worthless, we instead record the time -after- we've
-  // done epoll_wait, which guarantees that the maximum error is the amount of
-  // time it takes to process all the events generated by epoll_wait.
-  recorded_now_in_us_ = NowInUsec();
-
-  if (timeout_in_us > 0) {
-    int64_t delta = NowInUsec() - expected_wakeup_us;
-    last_delay_in_usec_ = delta > 0 ? delta : 0;
-  } else {
-    // timeout_in_us < 0 means we waited forever until an event;
-    // timeout_in_us == 0 means there was no kernel delay to track.
-    last_delay_in_usec_ = 0;
-  }
-
-  if (nfds > 0) {
-    for (int i = 0; i < nfds; ++i) {
-      int event_mask = events[i].events;
-      int fd = events[i].data.fd;
-      HandleEvent(fd, event_mask);
-    }
-  } else if (nfds < 0) {
-    // Catch interrupted syscall and just ignore it and move on.
-    if (errno != EINTR && errno != 0) {
-      int saved_errno = errno;
-      char buf[kErrorBufferSize];
-      EPOLL_LOG(FATAL) << "Error " << saved_errno << " in epoll_wait: "
-                       << strerror_r(saved_errno, buf, sizeof(buf));
-    }
-  }
-
-  // Now run through the ready list.
-  if (ready_list_.lh_first) {
-    CallReadyListCallbacks();
-  }
-}
-
-void SimpleEpollServer::CallReadyListCallbacks() {
-  // Check pre-conditions.
-  DCHECK(tmp_list_.lh_first == NULL);
-  // Swap out the ready_list_ into the tmp_list_ before traversing the list to
-  // enable SetFDReady() to just push new items into the ready_list_.
-  std::swap(ready_list_.lh_first, tmp_list_.lh_first);
-  if (tmp_list_.lh_first) {
-    tmp_list_.lh_first->entry.le_prev = &tmp_list_.lh_first;
-    EpollEvent event(0);
-    while (tmp_list_.lh_first != NULL) {
-      DCHECK_GT(ready_list_size_, 0);
-      CBAndEventMask* cb_and_mask = tmp_list_.lh_first;
-      RemoveFromReadyList(*cb_and_mask);
-
-      event.out_ready_mask = 0;
-      event.in_events =
-          cb_and_mask->events_asserted | cb_and_mask->events_to_fake;
-      // TODO(fenix): get rid of the two separate fields in cb_and_mask.
-      cb_and_mask->events_asserted = 0;
-      cb_and_mask->events_to_fake = 0;
-      {
-        // OnEvent() may call UnRegister, so we set in_use, here. Any
-        // UnRegister call will now simply set the cb to NULL instead of
-        // invalidating the cb_and_mask object (by deleting the object in the
-        // map to which cb_and_mask refers)
-        AutoReset<bool> in_use_guard(&(cb_and_mask->in_use), true);
-        cb_and_mask->cb->OnEvent(cb_and_mask->fd, &event);
-      }
-
-      // Since OnEvent may have called UnregisterFD, we must check here that
-      // the callback is still valid. If it isn't, then UnregisterFD *was*
-      // called, and we should now get rid of the object.
-      if (cb_and_mask->cb == NULL) {
-        cb_map_.erase(*cb_and_mask);
-      } else if (event.out_ready_mask != 0) {
-        cb_and_mask->events_to_fake = event.out_ready_mask;
-        AddToReadyList(cb_and_mask);
-      }
-    }
-  }
-  DCHECK(tmp_list_.lh_first == NULL);
-}
-
-void SimpleEpollServer::CallAndReregisterAlarmEvents() {
-  int64_t now_in_us = recorded_now_in_us_;
-  DCHECK_NE(0, recorded_now_in_us_);
-
-  TimeToAlarmCBMap::iterator erase_it;
-
-  // execute alarms.
-  for (auto i = alarm_map_.begin(); i != alarm_map_.end();) {
-    if (i->first > now_in_us) {
-      break;
-    }
-    AlarmCB* cb = i->second;
-    // Execute the OnAlarm() only if we did not register
-    // it in this loop itself.
-    const bool added_in_this_round =
-        alarms_reregistered_and_should_be_skipped_.find(cb) !=
-        alarms_reregistered_and_should_be_skipped_.end();
-    if (added_in_this_round) {
-      ++i;
-      continue;
-    }
-    all_alarms_.erase(cb);
-    const int64_t new_timeout_time_in_us = cb->OnAlarm();
-
-    erase_it = i;
-    ++i;
-    alarm_map_.erase(erase_it);
-
-    if (new_timeout_time_in_us > 0) {
-      // We add to hash_set only if the new timeout is <= now_in_us.
-      // if timeout is > now_in_us then we have no fear that this alarm
-      // can be reexecuted in this loop, and hence we do not need to
-      // worry about a recursive loop.
-      EPOLL_DVLOG(3) << "Reregistering alarm "
-                     << " " << cb << " " << new_timeout_time_in_us << " "
-                     << now_in_us;
-      if (new_timeout_time_in_us <= now_in_us) {
-        alarms_reregistered_and_should_be_skipped_.insert(cb);
-      }
-      RegisterAlarm(new_timeout_time_in_us, cb);
-    }
-  }
-  alarms_reregistered_and_should_be_skipped_.clear();
-}
-
-EpollAlarm::EpollAlarm() : eps_(NULL), registered_(false) {}
-
-EpollAlarm::~EpollAlarm() { UnregisterIfRegistered(); }
-
-int64_t EpollAlarm::OnAlarm() {
-  registered_ = false;
-  return 0;
-}
-
-void EpollAlarm::OnRegistration(const SimpleEpollServer::AlarmRegToken& token,
-                                SimpleEpollServer* eps) {
-  DCHECK_EQ(false, registered_);
-
-  token_ = token;
-  eps_ = eps;
-  registered_ = true;
-}
-
-void EpollAlarm::OnUnregistration() { registered_ = false; }
-
-void EpollAlarm::OnShutdown(SimpleEpollServer* /*eps*/) {
-  registered_ = false;
-  eps_ = NULL;
-}
-
-// If the alarm was registered, unregister it.
-void EpollAlarm::UnregisterIfRegistered() {
-  if (!registered_) {
-    return;
-  }
-
-  eps_->UnregisterAlarm(token_);
-}
-
-void EpollAlarm::ReregisterAlarm(int64_t timeout_time_in_us) {
-  DCHECK(registered_);
-  token_ = eps_->ReregisterAlarm(token_, timeout_time_in_us);
-}
-
-}  // namespace epoll_server
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/simple_epoll_server.h b/chromium/net/third_party/quiche/src/quiche/epoll_server/simple_epoll_server.h
deleted file mode 100644
index 405e30654f2..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/simple_epoll_server.h
+++ /dev/null
@@ -1,1051 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_EPOLL_SERVER_SIMPLE_EPOLL_SERVER_H_
-#define QUICHE_EPOLL_SERVER_SIMPLE_EPOLL_SERVER_H_
-
-#include <fcntl.h>
-#include <stddef.h>
-#include <stdint.h>
-#include <sys/queue.h>
-
-#include <map>
-#include <memory>
-#include <string>
-#include <unordered_map>
-#include <unordered_set>
-#include <vector>
-
-// #define EPOLL_SERVER_EVENT_TRACING 1
-//
-// Defining EPOLL_SERVER_EVENT_TRACING
-// causes code to exist which didn't before.
-// This code tracks each event generated by the epollserver,
-// as well as providing a per-fd-registered summary of
-// events. Note that enabling this code vastly slows
-// down operations, and uses substantially more
-// memory. For these reasons, it should only be enabled by developers doing
-// development at their workstations.
-//
-// A structure called 'EventRecorder' will exist when
-// the macro is defined. See the EventRecorder class interface
-// within the SimpleEpollServer class for more details.
-#ifdef EPOLL_SERVER_EVENT_TRACING
-#include <ostream>
-#endif
-
-#include <sys/epoll.h>
-
-#include "quiche/epoll_server/platform/api/epoll_logging.h"
-
-namespace epoll_server {
-
-class SimpleEpollServer;
-class EpollAlarmCallbackInterface;
-class ReadPipeCallback;
-
-struct EpollEvent {
-  EpollEvent(int events) : in_events(events), out_ready_mask(0) {}
-
-  int in_events;       // incoming events
-  int out_ready_mask;  // the new event mask for ready list (0 means don't
-                       // get on the ready list). This field is always
-                       // initialized to 0 when the event is passed to
-                       // OnEvent.
-};
-
-// Callbacks which go into SimpleEpollServers are expected to derive from this
-// class.
-class EpollCallbackInterface {
- public:
-  // Summary:
-  //   Called when the callback is registered into a SimpleEpollServer.
-  // Args:
-  //   eps - the poll server into which this callback was registered
-  //   fd - the file descriptor which was registered
-  //   event_mask - the event mask (composed of EPOLLIN, EPOLLOUT, etc)
-  //                which was registered (and will initially be used
-  //                in the epoll() calls)
-  virtual void OnRegistration(SimpleEpollServer* eps, int fd,
-                              int event_mask) = 0;
-
-  // Summary:
-  //   Called when the event_mask is modified (for a file-descriptor)
-  // Args:
-  //   fd - the file descriptor which was registered
-  //   event_mask - the event mask (composed of EPOLLIN, EPOLLOUT, etc)
-  //                which was is now curren (and will be used
-  //                in subsequent epoll() calls)
-  virtual void OnModification(int fd, int event_mask) = 0;
-
-  // Summary:
-  //   Called whenever an event occurs on the file-descriptor.
-  //   This is where the bulk of processing is expected to occur.
-  // Args:
-  //   fd - the file descriptor which was registered
-  //   event - a struct that contains the event mask (composed of EPOLLIN,
-  //           EPOLLOUT, etc), a flag that indicates whether this is a true
-  //           epoll_wait event vs one from the ready list, and an output
-  //           parameter for OnEvent to inform the SimpleEpollServer whether to
-  //           put this fd on the ready list.
-  virtual void OnEvent(int fd, EpollEvent* event) = 0;
-
-  // Summary:
-  //   Called when the file-descriptor is unregistered from the poll-server.
-  // Args:
-  //   fd - the file descriptor which was registered, and of this call, is now
-  //        unregistered.
-  //   replaced - If true, this callback is being replaced by another, otherwise
-  //              it is simply being removed.
-  virtual void OnUnregistration(int fd, bool replaced) = 0;
-
-  // Summary:
-  //   Called when the epoll server is shutting down.  This is different from
-  //   OnUnregistration because the subclass may want to clean up memory.
-  //   This is called in leiu of OnUnregistration.
-  // Args:
-  //  fd - the file descriptor which was registered.
-  virtual void OnShutdown(SimpleEpollServer* eps, int fd) = 0;
-
-  // Summary:
-  //   Returns a name describing the class for use in debug/error reporting.
-  virtual std::string Name() const = 0;
-
-  virtual ~EpollCallbackInterface() {}
-
- protected:
-  EpollCallbackInterface() {}
-};
-
-////////////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////////////
-
-class SimpleEpollServer {
- public:
-  typedef EpollAlarmCallbackInterface AlarmCB;
-  typedef EpollCallbackInterface CB;
-
-  typedef std::multimap<int64_t, AlarmCB*> TimeToAlarmCBMap;
-  typedef TimeToAlarmCBMap::iterator AlarmRegToken;
-
-  // Summary:
-  //   Constructor:
-  //    By default, we don't wait any amount of time for events, and
-  //    we suggest to the epoll-system that we're going to use on-the-order
-  //    of 1024 FDs.
-  SimpleEpollServer();
-
-  SimpleEpollServer(const SimpleEpollServer&) = delete;
-  SimpleEpollServer operator=(const SimpleEpollServer&) = delete;
-
-  ////////////////////////////////////////
-
-  // Destructor
-  virtual ~SimpleEpollServer();
-
-  ////////////////////////////////////////
-
-  // Summary
-  //   Register a callback to be called whenever an event contained
-  //   in the set of events included in event_mask occurs on the
-  //   file-descriptor 'fd'
-  //
-  //   Note that only one callback is allowed to be registered for
-  //   any specific file-decriptor.
-  //
-  //   If a callback is registered for a file-descriptor which has already
-  //   been registered, then the previous callback is unregistered with
-  //   the 'replaced' flag set to true. I.e. the previous callback's
-  //   OnUnregistration() function is called like so:
-  //      OnUnregistration(fd, true);
-  //
-  //  The epoll server does NOT take on ownership of the callback: the callback
-  //  creator is responsible for managing that memory.
-  //
-  // Args:
-  //   fd - a valid file-descriptor
-  //   cb - an instance of a subclass of EpollCallbackInterface
-  //   event_mask - a combination of (EPOLLOUT, EPOLLIN.. etc) indicating
-  //                the events for which the callback would like to be
-  //                called.
-  virtual void RegisterFD(int fd, CB* cb, int event_mask);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   A shortcut for RegisterFD which sets things up such that the
-  //   callback is called when 'fd' is available for writing.
-  // Args:
-  //   fd - a valid file-descriptor
-  //   cb - an instance of a subclass of EpollCallbackInterface
-  virtual void RegisterFDForWrite(int fd, CB* cb);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   A shortcut for RegisterFD which sets things up such that the
-  //   callback is called when 'fd' is available for reading or writing.
-  // Args:
-  //   fd - a valid file-descriptor
-  //   cb - an instance of a subclass of EpollCallbackInterface
-  virtual void RegisterFDForReadWrite(int fd, CB* cb);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   A shortcut for RegisterFD which sets things up such that the
-  //   callback is called when 'fd' is available for reading.
-  // Args:
-  //   fd - a valid file-descriptor
-  //   cb - an instance of a subclass of EpollCallbackInterface
-  virtual void RegisterFDForRead(int fd, CB* cb);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Removes the FD and the associated callback from the pollserver.
-  //   If the callback is registered with other FDs, they will continue
-  //   to be processed using the callback without modification.
-  //   If the file-descriptor specified is not registered in the
-  //   epoll_server, then nothing happens as a result of this call.
-  // Args:
-  //   fd - the file-descriptor which should no-longer be monitored.
-  virtual void UnregisterFD(int fd);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Modifies the event mask for the file-descriptor, replacing
-  //   the old event_mask with the new one specified here.
-  //   If the file-descriptor specified is not registered in the
-  //   epoll_server, then nothing happens as a result of this call.
-  // Args:
-  //   fd - the fd whose event mask should be modified.
-  //   event_mask - the new event mask.
-  virtual void ModifyCallback(int fd, int event_mask);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Modifies the event mask for the file-descriptor such that we
-  //   no longer request events when 'fd' is readable.
-  //   If the file-descriptor specified is not registered in the
-  //   epoll_server, then nothing happens as a result of this call.
-  // Args:
-  //   fd - the fd whose event mask should be modified.
-  virtual void StopRead(int fd);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Modifies the event mask for the file-descriptor such that we
-  //   request events when 'fd' is readable.
-  //   If the file-descriptor specified is not registered in the
-  //   epoll_server, then nothing happens as a result of this call.
-  // Args:
-  //   fd - the fd whose event mask should be modified.
-  virtual void StartRead(int fd);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Modifies the event mask for the file-descriptor such that we
-  //   no longer request events when 'fd' is writable.
-  //   If the file-descriptor specified is not registered in the
-  //   epoll_server, then nothing happens as a result of this call.
-  // Args:
-  //   fd - the fd whose event mask should be modified.
-  virtual void StopWrite(int fd);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Modifies the event mask for the file-descriptor such that we
-  //   request events when 'fd' is writable.
-  //   If the file-descriptor specified is not registered in the
-  //   epoll_server, then nothing happens as a result of this call.
-  // Args:
-  //   fd - the fd whose event mask should be modified.
-  virtual void StartWrite(int fd);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Looks up the callback associated with the file-descriptor 'fd'.
-  //   If a callback is associated with this file-descriptor, then
-  //   it's OnEvent() method is called with the file-descriptor 'fd',
-  //   and event_mask 'event_mask'
-  //
-  //   If no callback is registered for this file-descriptor, nothing
-  //   will happen as a result of this call.
-  //
-  //   This function is used internally by the SimpleEpollServer, but is
-  //   available publicly so that events might be 'faked'. Calling
-  //   this function with an fd and event_mask is equivalent (as far
-  //   as the callback is concerned) to having a real event generated
-  //   by epoll (except, of course, that read(), etc won't necessarily
-  //   be able to read anything)
-  // Args:
-  //   fd - the file-descriptor on which an event has occurred.
-  //   event_mask - a bitmask representing the events which have occurred
-  //                on/for this fd. This bitmask is composed of
-  //                POLLIN, POLLOUT, etc.
-  //
-  void HandleEvent(int fd, int event_mask);
-
-  // Summary:
-  //   Call this when you want the pollserver to
-  //   wait for events and execute the callbacks associated with
-  //   the file-descriptors on which those events have occurred.
-  //   Depending on the value of timeout_in_us_, this may or may
-  //   not return immediately. Please reference the set_timeout()
-  //   function for the specific behaviour.
-  virtual void WaitForEventsAndExecuteCallbacks();
-
-  // Summary:
-  //   When an fd is registered to use edge trigger notification, the ready
-  //   list can be used to simulate level trigger semantics. Edge trigger
-  //   registration doesn't send an initial event, and only rising edge (going
-  //   from blocked to unblocked) events are sent. A callback can put itself on
-  //   the ready list by calling SetFDReady() after calling RegisterFD(). The
-  //   OnEvent method of all callbacks associated with the fds on the ready
-  //   list will be called immediately after processing the events returned by
-  //   epoll_wait(). The fd is removed from the ready list before the
-  //   callback's OnEvent() method is invoked. To stay on the ready list, the
-  //   OnEvent() (or some function in that call chain) must call SetFDReady
-  //   again. When a fd is unregistered using UnregisterFD(), the fd is
-  //   automatically removed from the ready list.
-  //
-  //   When the callback for a edge triggered fd hits the falling edge (about
-  //   to block, either because of it got an EAGAIN, or had a short read/write
-  //   operation), it should remove itself from the ready list using
-  //   SetFDNotReady() (since OnEvent cannot distinguish between invocation
-  //   from the ready list vs from a normal epoll event). All four ready list
-  //   methods are safe to be called  within the context of the callbacks.
-  //
-  //   Since the ready list invokes EpollCallbackInterface::OnEvent, only fds
-  //   that are registered with the SimpleEpollServer will be put on the ready
-  //   list. SetFDReady() and SetFDNotReady() will do nothing if the
-  //   SimpleEpollServer doesn't know about the fd passed in.
-  //
-  //   Since the ready list cannot reliably determine proper set of events
-  //   which should be sent to the callback, SetFDReady() requests the caller
-  //   to provide the ready list with the event mask, which will be used later
-  //   when OnEvent() is invoked by the ready list. Hence, the event_mask
-  //   passedto SetFDReady() does not affect the actual epoll registration of
-  //   the fd with the kernel. If a fd is already put on the ready list, and
-  //   SetFDReady() is called again for that fd with a different event_mask,
-  //   the event_mask will be updated.
-  virtual void SetFDReady(int fd, int events_to_fake);
-
-  virtual void SetFDNotReady(int fd);
-
-  // Summary:
-  //   IsFDReady(), ReadyListSize(), and VerifyReadyList are intended as
-  //   debugging tools and for writing unit tests.
-  //   ISFDReady() returns whether a fd is in the ready list.
-  //   ReadyListSize() returns the number of fds on the ready list.
-  //   VerifyReadyList() checks the consistency of internal data structure. It
-  //   will CHECK if it finds an error.
-  virtual bool IsFDReady(int fd) const;
-
-  size_t ReadyListSize() const { return ready_list_size_; }
-
-  void VerifyReadyList() const;
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Registers an alarm 'ac' to go off at time 'timeout_time_in_us'.
-  //   If the callback returns a positive number from its OnAlarm() function,
-  //   then the callback will be re-registered at that time, else the alarm
-  //   owner is responsible for freeing up memory.
-  //
-  //   Important: A give AlarmCB* can not be registered again if it is already
-  //    registered. If a user wants to register a callback again it should first
-  //    unregister the previous callback before calling RegisterAlarm again.
-  // Args:
-  //   timeout_time_in_us - the absolute time at which the alarm should go off
-  //   ac - the alarm which will be called.
-  virtual void RegisterAlarm(int64_t timeout_time_in_us, AlarmCB* ac);
-
-  // Summary:
-  //   Registers an alarm 'ac' to go off at time: (ApproximateNowInUs() +
-  //   delta_in_us). While this is somewhat less accurate (see the description
-  //   for ApproximateNowInUs() to see how 'approximate'), the error is never
-  //   worse than the amount of time it takes to process all events in one
-  //   WaitForEvents.  As with 'RegisterAlarm()', if the callback returns a
-  //   positive number from its OnAlarm() function, then the callback will be
-  //   re-registered at that time, else the alarm owner is responsible for
-  //   freeing up memory.
-  //   Note that this function is purely a convienence. The
-  //   same thing may be accomplished by using RegisterAlarm with
-  //   ApproximateNowInUs() directly.
-  //
-  //   Important: A give AlarmCB* can not be registered again if it is already
-  //    registered. If a user wants to register a callback again it should first
-  //    unregister the previous callback before calling RegisterAlarm again.
-  // Args:
-  //   delta_in_us - the delta in microseconds from the ApproximateTimeInUs() at
-  //                 which point the alarm should go off.
-  //   ac - the alarm which will be called.
-  void RegisterAlarmApproximateDelta(int64_t delta_in_us, AlarmCB* ac) {
-    RegisterAlarm(ApproximateNowInUsec() + delta_in_us, ac);
-  }
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Unregister  the alarm referred to by iterator_token; Callers should
-  //   be warned that a token may have become already invalid when OnAlarm()
-  //   is called, was unregistered, or OnShutdown was called on that alarm.
-  // Args:
-  //    iterator_token - iterator to the alarm callback to unregister.
-  virtual void UnregisterAlarm(
-      const SimpleEpollServer::AlarmRegToken& iterator_token);
-
-  virtual SimpleEpollServer::AlarmRegToken ReregisterAlarm(
-      SimpleEpollServer::AlarmRegToken iterator_token,
-      int64_t timeout_time_in_us);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   returns the number of file-descriptors registered in this
-  //   SimpleEpollServer.
-  // Returns:
-  //   number of FDs registered (discounting the internal pipe used for Wake)
-  virtual int NumFDsRegistered() const;
-
-  // Summary:
-  //   Force the epoll server to wake up (by writing to an internal pipe).
-  virtual void Wake();
-
-  // Summary:
-  //   Wrapper around WallTimer's NowInUsec.  We do this so that we can test
-  //   SimpleEpollServer without using the system clock (and can avoid the
-  //   flakiness that would ensue)
-  // Returns:
-  //   the current time as number of microseconds since the Unix epoch.
-  virtual int64_t NowInUsec() const;
-
-  // Summary:
-  //   Since calling NowInUsec() many thousands of times per
-  //   WaitForEventsAndExecuteCallbacks function call is, to say the least,
-  //   inefficient, we allow users to use an approximate time instead. The
-  //   time returned from this function is as accurate as NowInUsec() when
-  //   WaitForEventsAndExecuteCallbacks is not an ancestor of the caller's
-  //   callstack.
-  //   However, when WaitForEventsAndExecuteCallbacks -is- an ancestor, then
-  //   this function returns the time at which the
-  //   WaitForEventsAndExecuteCallbacks function started to process events or
-  //   alarms.
-  //
-  //   Essentially, this function makes available a fast and mostly accurate
-  //   mechanism for getting the time for any function handling an event or
-  //   alarm. When functions which are not handling callbacks or alarms call
-  //   this function, they get the slow and "absolutely" accurate time.
-  //
-  //   Users should be encouraged to use this function.
-  // Returns:
-  //   the "approximate" current time as number of microseconds since the Unix
-  //   epoch.
-  virtual int64_t ApproximateNowInUsec() const;
-
-  static std::string EventMaskToString(int event_mask);
-
-  // Summary:
-  //   Logs the state of the epoll server with EPOLL_LOG(ERROR).
-  void LogStateOnCrash();
-
-  // Summary:
-  //   Set the timeout to the value specified.
-  //   If the timeout is set to a negative number,
-  //      WaitForEventsAndExecuteCallbacks() will only return when an event has
-  //      occurred
-  //   If the timeout is set to zero,
-  //      WaitForEventsAndExecuteCallbacks() will return immediately
-  //   If the timeout is set to a positive number,
-  //      WaitForEventsAndExecuteCallbacks() will return when an event has
-  //      occurred, or when timeout_in_us microseconds has elapsed, whichever
-  //      is first.
-  //  Args:
-  //    timeout_in_us - value specified depending on behaviour desired.
-  //                    See above.
-  void set_timeout_in_us(int64_t timeout_in_us) {
-    timeout_in_us_ = timeout_in_us;
-  }
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Accessor for the current value of timeout_in_us.
-  int timeout_in_us_for_test() const { return timeout_in_us_; }
-
-  // Summary:
-  // Returns true when the SimpleEpollServer() is being destroyed.
-  bool in_shutdown() const { return in_shutdown_; }
-  bool ShutdownCalled() const { return in_shutdown(); }
-
-  // Compatibility stub.
-  void Shutdown() {}
-
-  // Summary:
-  //   A function for implementing the ready list. It invokes OnEvent for each
-  //   of the fd in the ready list, and takes care of adding them back to the
-  //   ready list if the callback requests it (by checking that out_ready_mask
-  //   is non-zero).
-  void CallReadyListCallbacks();
-
-  int64_t LastDelayInUsec() const { return last_delay_in_usec_; }
-
- protected:
-  virtual void SetNonblocking(int fd);
-
-  // This exists here so that we can override this function in unittests
-  // in order to make effective mock SimpleEpollServer objects.
-  virtual int epoll_wait_impl(int epfd, struct epoll_event* events,
-                              int max_events, int timeout_in_ms);
-
-  // this struct is used internally, and is never used by anything external
-  // to this class. Some of its members are declared mutable to get around the
-  // restriction imposed by hash_set. Since hash_set knows nothing about the
-  // objects it stores, it has to assume that every bit of the object is used
-  // in the hash function and equal_to comparison. Thus hash_set::iterator is a
-  // const iterator. In this case, the only thing that must stay constant is
-  // fd. Everything else are just along for the ride and changing them doesn't
-  // compromise the hash_set integrity.
-  struct CBAndEventMask {
-    CBAndEventMask()
-        : cb(NULL),
-          fd(-1),
-          event_mask(0),
-          events_asserted(0),
-          events_to_fake(0),
-          in_use(false) {
-      entry.le_next = NULL;
-      entry.le_prev = NULL;
-    }
-
-    CBAndEventMask(EpollCallbackInterface* cb, int event_mask, int fd)
-        : cb(cb),
-          fd(fd),
-          event_mask(event_mask),
-          events_asserted(0),
-          events_to_fake(0),
-          in_use(false) {
-      entry.le_next = NULL;
-      entry.le_prev = NULL;
-    }
-
-    // Required operator for hash_set. Normally operator== should be a free
-    // standing function. However, since CBAndEventMask is a protected type and
-    // it will never be a base class, it makes no difference.
-    bool operator==(const CBAndEventMask& cb_and_mask) const {
-      return fd == cb_and_mask.fd;
-    }
-    // A callback. If the fd is unregistered inside the callchain of OnEvent,
-    // the cb will be set to NULL.
-    mutable EpollCallbackInterface* cb;
-
-    mutable LIST_ENTRY(CBAndEventMask) entry;
-    // file descriptor registered with the epoll server.
-    int fd;
-    // the current event_mask registered for this callback.
-    mutable int event_mask;
-    // the event_mask that was returned by epoll
-    mutable int events_asserted;
-    // the event_mask for the ready list to use to call OnEvent.
-    mutable int events_to_fake;
-    // toggle around calls to OnEvent to tell UnregisterFD to not erase the
-    // iterator because HandleEvent is using it.
-    mutable bool in_use;
-  };
-
-  // Custom hash function to be used by hash_set.
-  struct CBAndEventMaskHash {
-    size_t operator()(const CBAndEventMask& cb_and_eventmask) const {
-      return static_cast<size_t>(cb_and_eventmask.fd);
-    }
-  };
-
-  using FDToCBMap = std::unordered_set<CBAndEventMask, CBAndEventMaskHash>;
-
-  // the following four functions are OS-specific, and are likely
-  // to be changed in a subclass if the poll/select method is changed
-  // from epoll.
-
-  // Summary:
-  //   Deletes a file-descriptor from the set of FDs that should be
-  //   monitored with epoll.
-  //   Note that this only deals with modifying data relating -directly-
-  //   with the epoll call-- it does not modify any data within the
-  //   epoll_server.
-  // Args:
-  //   fd - the file descriptor to-be-removed from the monitoring set
-  virtual void DelFD(int fd) const;
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Adds a file-descriptor to the set of FDs that should be
-  //   monitored with epoll.
-  //   Note that this only deals with modifying data relating -directly-
-  //   with the epoll call.
-  // Args:
-  //   fd - the file descriptor to-be-added to the monitoring set
-  //   event_mask - the event mask (consisting of EPOLLIN, EPOLLOUT, etc
-  //                 OR'd together) which will be associated with this
-  //                 FD initially.
-  virtual void AddFD(int fd, int event_mask) const;
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Modifies a file-descriptor in the set of FDs that should be
-  //   monitored with epoll.
-  //   Note that this only deals with modifying data relating -directly-
-  //   with the epoll call.
-  // Args:
-  //   fd - the file descriptor to-be-added to the monitoring set
-  //   event_mask - the event mask (consisting of EPOLLIN, EPOLLOUT, etc
-  //                 OR'd together) which will be associated with this
-  //                 FD after this call.
-  virtual void ModFD(int fd, int event_mask) const;
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Modified the event mask associated with an FD in the set of
-  //   data needed by epoll.
-  //   Events are removed before they are added, thus, if ~0 is put
-  //   in 'remove_event', whatever is put in 'add_event' will be
-  //   the new event mask.
-  //   If the file-descriptor specified is not registered in the
-  //   epoll_server, then nothing happens as a result of this call.
-  // Args:
-  //   fd - the file descriptor whose event mask is to be modified
-  //   remove_event - the events which are to be removed from the current
-  //                  event_mask
-  //   add_event - the events which are to be added to the current event_mask
-  //
-  //
-  virtual void ModifyFD(int fd, int remove_event, int add_event);
-
-  ////////////////////////////////////////
-
-  // Summary:
-  //   Waits for events, and calls HandleEvents() for each
-  //   fd, event pair discovered to possibly have an event.
-  //   Note that a callback (B) may get a spurious event if
-  //   another callback (A) has closed a file-descriptor N, and
-  //   the callback (B) has a newly opened file-descriptor, which
-  //   also happens to be N.
-  virtual void WaitForEventsAndCallHandleEvents(int64_t timeout_in_us,
-                                                struct epoll_event events[],
-                                                int events_size);
-
-  // Summary:
-  //   An internal function for implementing the ready list. It adds a fd's
-  //   CBAndEventMask to the ready list. If the fd is already on the ready
-  //   list, it is a no-op.
-  void AddToReadyList(CBAndEventMask* cb_and_mask);
-
-  // Summary:
-  //   An internal function for implementing the ready list. It remove a fd's
-  //   CBAndEventMask from the ready list. If the fd is not on the ready list,
-  //   it is a no-op.
-  void RemoveFromReadyList(const CBAndEventMask& cb_and_mask);
-
-  // Summary:
-  // Calls any pending alarms that should go off and reregisters them if they
-  // were recurring.
-  virtual void CallAndReregisterAlarmEvents();
-
-  // The file-descriptor created for epolling
-  int epoll_fd_;
-
-  // The mapping of file-descriptor to CBAndEventMasks
-  FDToCBMap cb_map_;
-
-  // Custom hash function to be used by hash_set.
-  struct AlarmCBHash {
-    size_t operator()(AlarmCB* const& p) const {
-      return reinterpret_cast<size_t>(p);
-    }
-  };
-
-  // TODO(sushantj): Having this hash_set is avoidable. We currently have it
-  // only so that we can enforce stringent checks that a caller can not register
-  // the same alarm twice. One option is to have an implementation in which
-  // this hash_set is used only in the debug mode.
-  using AlarmCBMap = std::unordered_set<AlarmCB*, AlarmCBHash>;
-  AlarmCBMap all_alarms_;
-
-  TimeToAlarmCBMap alarm_map_;
-
-  // The amount of time in microseconds that we'll wait before returning
-  // from the WaitForEventsAndExecuteCallbacks() function.
-  // If this is positive, wait that many microseconds.
-  // If this is negative, wait forever, or for the first event that occurs
-  // If this is zero, never wait for an event.
-  int64_t timeout_in_us_;
-
-  // This is nonzero only after the invocation of epoll_wait_impl within
-  // WaitForEventsAndCallHandleEvents and before the function
-  // WaitForEventsAndExecuteCallbacks returns.  At all other times, this is
-  // zero. This enables us to have relatively accurate time returned from the
-  // ApproximateNowInUs() function. See that function for more details.
-  int64_t recorded_now_in_us_;
-
-  // This is used to implement CallAndReregisterAlarmEvents. This stores
-  // all alarms that were reregistered because OnAlarm() returned a
-  // value > 0 and the time at which they should be executed is less that
-  // the current time.  By storing such alarms in this map we ensure
-  // that while calling CallAndReregisterAlarmEvents we do not call
-  // OnAlarm on any alarm in this set. This ensures that we do not
-  // go in an infinite loop.
-  AlarmCBMap alarms_reregistered_and_should_be_skipped_;
-
-  LIST_HEAD(ReadyList, CBAndEventMask) ready_list_;
-  LIST_HEAD(TmpList, CBAndEventMask) tmp_list_;
-  int ready_list_size_;
-  // TODO(alyssar): make this into something that scales up.
-  static const int events_size_ = 256;
-  struct epoll_event events_[256];
-
-#ifdef EPOLL_SERVER_EVENT_TRACING
-  struct EventRecorder {
-   public:
-    EventRecorder() : num_records_(0), record_threshold_(10000) {}
-
-    ~EventRecorder() { Clear(); }
-
-    // When a number of events equals the record threshold,
-    // the collected data summary for all FDs will be written
-    // to EPOLL_LOG(INFO). Note that this does not include the
-    // individual events (if you'reinterested in those, you'll
-    // have to get at them programmatically).
-    // After any such flushing to EPOLL_LOG(INFO) all events will
-    // be cleared.
-    // Note that the definition of an 'event' is a bit 'hazy',
-    // as it includes the 'Unregistration' event, and perhaps
-    // others.
-    void set_record_threshold(int64_t new_threshold) {
-      record_threshold_ = new_threshold;
-    }
-
-    void Clear() {
-      for (int i = 0; i < debug_events_.size(); ++i) {
-        delete debug_events_[i];
-      }
-      debug_events_.clear();
-      unregistered_fds_.clear();
-      event_counts_.clear();
-    }
-
-    void MaybeRecordAndClear() {
-      ++num_records_;
-      if ((num_records_ > record_threshold_) && (record_threshold_ > 0)) {
-        EPOLL_LOG(INFO) << "\n" << *this;
-        num_records_ = 0;
-        Clear();
-      }
-    }
-
-    void RecordFDMaskEvent(int fd, int mask, const char* function) {
-      FDMaskOutput* fdmo = new FDMaskOutput(fd, mask, function);
-      debug_events_.push_back(fdmo);
-      MaybeRecordAndClear();
-    }
-
-    void RecordEpollWaitEvent(int timeout_in_ms, int num_events_generated) {
-      EpollWaitOutput* ewo =
-          new EpollWaitOutput(timeout_in_ms, num_events_generated);
-      debug_events_.push_back(ewo);
-      MaybeRecordAndClear();
-    }
-
-    void RecordEpollEvent(int fd, int event_mask) {
-      Events& events_for_fd = event_counts_[fd];
-      events_for_fd.AssignFromMask(event_mask);
-      MaybeRecordAndClear();
-    }
-
-    friend ostream& operator<<(ostream& os, const EventRecorder& er) {
-      for (int i = 0; i < er.unregistered_fds_.size(); ++i) {
-        os << "fd: " << er.unregistered_fds_[i] << "\n";
-        os << er.unregistered_fds_[i];
-      }
-      for (EventCountsMap::const_iterator i = er.event_counts_.begin();
-           i != er.event_counts_.end(); ++i) {
-        os << "fd: " << i->first << "\n";
-        os << i->second;
-      }
-      for (int i = 0; i < er.debug_events_.size(); ++i) {
-        os << *(er.debug_events_[i]) << "\n";
-      }
-      return os;
-    }
-
-    void RecordUnregistration(int fd) {
-      EventCountsMap::iterator i = event_counts_.find(fd);
-      if (i != event_counts_.end()) {
-        unregistered_fds_.push_back(i->second);
-        event_counts_.erase(i);
-      }
-      MaybeRecordAndClear();
-    }
-
-   protected:
-    class DebugOutput {
-     public:
-      friend ostream& operator<<(ostream& os, const DebugOutput& debug_output) {
-        debug_output.OutputToStream(os);
-        return os;
-      }
-      virtual void OutputToStream(ostream* os) const = 0;
-      virtual ~DebugOutput() {}
-    };
-
-    class FDMaskOutput : public DebugOutput {
-     public:
-      FDMaskOutput(int fd, int mask, const char* function)
-          : fd_(fd), mask_(mask), function_(function) {}
-      virtual void OutputToStream(ostream* os) const {
-        (*os) << "func: " << function_ << "\tfd: " << fd_;
-        if (mask_ != 0) {
-          (*os) << "\tmask: " << EventMaskToString(mask_);
-        }
-      }
-      int fd_;
-      int mask_;
-      const char* function_;
-    };
-
-    class EpollWaitOutput : public DebugOutput {
-     public:
-      EpollWaitOutput(int timeout_in_ms, int num_events_generated)
-          : timeout_in_ms_(timeout_in_ms),
-            num_events_generated_(num_events_generated) {}
-      virtual void OutputToStream(ostream* os) const {
-        (*os) << "timeout_in_ms: " << timeout_in_ms_
-              << "\tnum_events_generated: " << num_events_generated_;
-      }
-
-     protected:
-      int timeout_in_ms_;
-      int num_events_generated_;
-    };
-
-    struct Events {
-      Events()
-          : epoll_in(0),
-            epoll_pri(0),
-            epoll_out(0),
-            epoll_rdnorm(0),
-            epoll_rdband(0),
-            epoll_wrnorm(0),
-            epoll_wrband(0),
-            epoll_msg(0),
-            epoll_err(0),
-            epoll_hup(0),
-            epoll_oneshot(0),
-            epoll_et(0) {}
-
-      void AssignFromMask(int event_mask) {
-        if (event_mask & EPOLLIN) ++epoll_in;
-        if (event_mask & EPOLLPRI) ++epoll_pri;
-        if (event_mask & EPOLLOUT) ++epoll_out;
-        if (event_mask & EPOLLRDNORM) ++epoll_rdnorm;
-        if (event_mask & EPOLLRDBAND) ++epoll_rdband;
-        if (event_mask & EPOLLWRNORM) ++epoll_wrnorm;
-        if (event_mask & EPOLLWRBAND) ++epoll_wrband;
-        if (event_mask & EPOLLMSG) ++epoll_msg;
-        if (event_mask & EPOLLERR) ++epoll_err;
-        if (event_mask & EPOLLHUP) ++epoll_hup;
-        if (event_mask & EPOLLONESHOT) ++epoll_oneshot;
-        if (event_mask & EPOLLET) ++epoll_et;
-      }
-
-      friend ostream& operator<<(ostream& os, const Events& ev) {
-        if (ev.epoll_in) {
-          os << "\t      EPOLLIN: " << ev.epoll_in << "\n";
-        }
-        if (ev.epoll_pri) {
-          os << "\t     EPOLLPRI: " << ev.epoll_pri << "\n";
-        }
-        if (ev.epoll_out) {
-          os << "\t     EPOLLOUT: " << ev.epoll_out << "\n";
-        }
-        if (ev.epoll_rdnorm) {
-          os << "\t  EPOLLRDNORM: " << ev.epoll_rdnorm << "\n";
-        }
-        if (ev.epoll_rdband) {
-          os << "\t  EPOLLRDBAND: " << ev.epoll_rdband << "\n";
-        }
-        if (ev.epoll_wrnorm) {
-          os << "\t  EPOLLWRNORM: " << ev.epoll_wrnorm << "\n";
-        }
-        if (ev.epoll_wrband) {
-          os << "\t  EPOLLWRBAND: " << ev.epoll_wrband << "\n";
-        }
-        if (ev.epoll_msg) {
-          os << "\t     EPOLLMSG: " << ev.epoll_msg << "\n";
-        }
-        if (ev.epoll_err) {
-          os << "\t     EPOLLERR: " << ev.epoll_err << "\n";
-        }
-        if (ev.epoll_hup) {
-          os << "\t     EPOLLHUP: " << ev.epoll_hup << "\n";
-        }
-        if (ev.epoll_oneshot) {
-          os << "\t EPOLLONESHOT: " << ev.epoll_oneshot << "\n";
-        }
-        if (ev.epoll_et) {
-          os << "\t      EPOLLET: " << ev.epoll_et << "\n";
-        }
-        return os;
-      }
-
-      unsigned int epoll_in;
-      unsigned int epoll_pri;
-      unsigned int epoll_out;
-      unsigned int epoll_rdnorm;
-      unsigned int epoll_rdband;
-      unsigned int epoll_wrnorm;
-      unsigned int epoll_wrband;
-      unsigned int epoll_msg;
-      unsigned int epoll_err;
-      unsigned int epoll_hup;
-      unsigned int epoll_oneshot;
-      unsigned int epoll_et;
-    };
-
-    std::vector<DebugOutput*> debug_events_;
-    std::vector<Events> unregistered_fds_;
-    using EventCountsMap = std::unordered_map<int, Events>;
-    EventCountsMap event_counts_;
-    int64_t num_records_;
-    int64_t record_threshold_;
-  };
-
-  void ClearEventRecords() { event_recorder_.Clear(); }
-  void WriteEventRecords(ostream* os) const { (*os) << event_recorder_; }
-
-  mutable EventRecorder event_recorder_;
-
-#endif
-
- private:
-  // Helper functions used in the destructor.
-  void CleanupFDToCBMap();
-  void CleanupTimeToAlarmCBMap();
-
-  // The callback registered to the fds below.  As the purpose of their
-  // registration is to wake the epoll server it just clears the pipe and
-  // returns.
-  std::unique_ptr<ReadPipeCallback> wake_cb_;
-
-  // A pipe owned by the epoll server.  The server will be registered to listen
-  // on read_fd_ and can be woken by Wake() which writes to write_fd_.
-  int read_fd_;
-  int write_fd_;
-
-  // This boolean is checked to see if it is false at the top of the
-  // WaitForEventsAndExecuteCallbacks function. If not, then it either returns
-  // without doing work, and logs to ERROR, or aborts the program (in
-  // DEBUG mode). If so, then it sets the bool to true, does work, and
-  // sets it back to false when done. This catches unwanted recursion.
-  bool in_wait_for_events_and_execute_callbacks_;
-
-  // Returns true when the SimpleEpollServer() is being destroyed.
-  bool in_shutdown_;
-  int64_t last_delay_in_usec_;
-};
-
-class EpollAlarmCallbackInterface {
- public:
-  // Summary:
-  //   Called when an alarm times out. Invalidates an AlarmRegToken.
-  //   WARNING: If a token was saved to refer to an alarm callback, OnAlarm must
-  //   delete it, as the reference is no longer valid.
-  // Returns:
-  //   the unix time (in microseconds) at which this alarm should be signaled
-  //   again, or 0 if the alarm should be removed.
-  virtual int64_t OnAlarm() = 0;
-
-  // Summary:
-  //   Called when the an alarm is registered. Invalidates an AlarmRegToken.
-  // Args:
-  //   token: the iterator to the alarm registered in the alarm map.
-  //   WARNING: this token becomes invalid when the alarm fires, is
-  //   unregistered, or OnShutdown is called on that alarm.
-  //   eps: the epoll server the alarm is registered with.
-  virtual void OnRegistration(const SimpleEpollServer::AlarmRegToken& token,
-                              SimpleEpollServer* eps) = 0;
-
-  // Summary:
-  //   Called when the an alarm is unregistered.
-  //   WARNING: It is not valid to unregister a callback and then use the token
-  //   that was saved to refer to the callback.
-  virtual void OnUnregistration() = 0;
-
-  // Summary:
-  //   Called when the epoll server is shutting down.
-  //   Invalidates the AlarmRegToken that was given when this alarm was
-  //   registered.
-  virtual void OnShutdown(SimpleEpollServer* eps) = 0;
-
-  virtual ~EpollAlarmCallbackInterface() {}
-
- protected:
-  EpollAlarmCallbackInterface() {}
-};
-
-// A simple alarm which unregisters itself on destruction.
-//
-// PLEASE NOTE:
-// Any classes overriding these functions must either call the implementation
-// of the parent class, or is must otherwise make sure that the 'registered_'
-// boolean and the token, 'token_', are updated appropriately.
-class EpollAlarm : public EpollAlarmCallbackInterface {
- public:
-  EpollAlarm();
-
-  ~EpollAlarm() override;
-
-  // Marks the alarm as unregistered and returns 0.  The return value may be
-  // safely ignored by subclasses.
-  int64_t OnAlarm() override;
-
-  // Marks the alarm as registered, and stores the token.
-  void OnRegistration(const SimpleEpollServer::AlarmRegToken& token,
-                      SimpleEpollServer* eps) override;
-
-  // Marks the alarm as unregistered.
-  void OnUnregistration() override;
-
-  // Marks the alarm as unregistered.
-  void OnShutdown(SimpleEpollServer* eps) override;
-
-  // If the alarm was registered, unregister it.
-  void UnregisterIfRegistered();
-
-  // Reregisters the alarm at specified time.
-  void ReregisterAlarm(int64_t timeout_time_in_us);
-
-  bool registered() const { return registered_; }
-
-  const SimpleEpollServer* eps() const { return eps_; }
-
- private:
-  SimpleEpollServer::AlarmRegToken token_;
-  SimpleEpollServer* eps_;
-  bool registered_;
-};
-
-}  // namespace epoll_server
-
-#endif  // QUICHE_EPOLL_SERVER_SIMPLE_EPOLL_SERVER_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/epoll_server/simple_epoll_server_test.cc b/chromium/net/third_party/quiche/src/quiche/epoll_server/simple_epoll_server_test.cc
deleted file mode 100644
index ba85038a60f..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/epoll_server/simple_epoll_server_test.cc
+++ /dev/null
@@ -1,2494 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Epoll tests which determine that the right things happen in the right order.
-// Also lots of testing of individual functions.
-
-#include "quiche/epoll_server/simple_epoll_server.h"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <netinet/in.h>
-#include <sys/epoll.h>
-#include <sys/socket.h>
-#include <unistd.h>
-
-#include <algorithm>
-#include <cstddef>
-#include <cstdlib>
-#include <cstring>
-#include <memory>
-#include <string>
-#include <unordered_map>
-#include <utility>
-#include <vector>
-
-#include "absl/time/clock.h"
-#include "quiche/epoll_server/fake_simple_epoll_server.h"
-#include "quiche/epoll_server/platform/api/epoll_address_test_utils.h"
-#include "quiche/epoll_server/platform/api/epoll_expect_bug.h"
-#include "quiche/epoll_server/platform/api/epoll_test.h"
-#include "quiche/epoll_server/platform/api/epoll_thread.h"
-
-namespace epoll_server {
-
-namespace test {
-
-namespace {
-
-const int kPageSize = 4096;
-const int kMaxBufLen = 10000;
-
-// These are used to record what is happening.
-enum {
-  CREATION,
-  REGISTRATION,
-  MODIFICATION,
-  EVENT,
-  UNREGISTRATION,
-  SHUTDOWN,
-  DESTRUCTION
-};
-
-////////////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////////////
-
-int64_t WallTimeNowInUsec() { return absl::GetCurrentTimeNanos() / 1000; }
-
-////////////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////////////
-
-struct RecordEntry {
-  RecordEntry() : time(0), instance(nullptr), event_type(0), fd(0), data(0) {}
-
-  RecordEntry(int64_t time, void* instance, int event_type, int fd, int data)
-      : time(time),
-        instance(instance),
-        event_type(event_type),
-        fd(fd),
-        data(data) {}
-
-  int64_t time;
-  void* instance;
-  int event_type;
-  int fd;
-  int data;
-
-  bool IsEqual(const RecordEntry* entry) const {
-    bool retval = true;
-
-    if (instance != entry->instance) {
-      retval = false;
-      EPOLL_LOG(INFO) << " instance (" << instance << ") != entry->instance("
-                      << entry->instance << ")";
-    }
-    if (event_type != entry->event_type) {
-      retval = false;
-      EPOLL_LOG(INFO) << " event_type (" << event_type
-                      << ") != entry->event_type(" << entry->event_type << ")";
-    }
-    if (fd != entry->fd) {
-      retval = false;
-      EPOLL_LOG(INFO) << " fd (" << fd << ") != entry->fd (" << entry->fd
-                      << ")";
-    }
-    if (data != entry->data) {
-      retval = false;
-      EPOLL_LOG(INFO) << " data (" << data << ") != entry->data(" << entry->data
-                      << ")";
-    }
-    return retval;
-  }
-};
-
-////////////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////////////
-
-class Recorder {
- public:
-  void Record(void* instance, int event_type, int fd, int data) {
-    records_.push_back(
-        RecordEntry(WallTimeNowInUsec(), instance, event_type, fd, data));
-  }
-
-  const std::vector<RecordEntry>* records() const { return &records_; }
-
-  bool IsEqual(const Recorder* recorder) const {
-    const std::vector<RecordEntry>* records = recorder->records();
-
-    if (records_.size() != records->size()) {
-      EPOLL_LOG(INFO) << "records_.size() (" << records_.size()
-                      << ") != records->size() (" << records->size() << ")";
-      return false;
-    }
-    for (size_t i = 0; i < std::min(records_.size(), records->size()); ++i) {
-      if (!records_[i].IsEqual(&(*records)[i])) {
-        EPOLL_LOG(INFO) << "entry in index: " << i << " differs from recorder.";
-        return false;
-      }
-    }
-    return true;
-  }
-
- private:
-  std::vector<RecordEntry> records_;
-};
-
-////////////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////////////
-
-class RecordingCB : public EpollCallbackInterface {
- public:
-  RecordingCB() : recorder_(new Recorder()) {
-    recorder_->Record(this, CREATION, 0, 0);
-  }
-
-  ~RecordingCB() override {
-    recorder_->Record(this, DESTRUCTION, 0, 0);
-    delete recorder_;
-  }
-
-  void OnRegistration(SimpleEpollServer* /*eps*/, int fd,
-                      int event_mask) override {
-    recorder_->Record(this, REGISTRATION, fd, event_mask);
-  }
-
-  void OnModification(int fd, int event_mask) override {
-    recorder_->Record(this, MODIFICATION, fd, event_mask);
-  }
-
-  void OnEvent(int fd, EpollEvent* event) override {
-    recorder_->Record(this, EVENT, fd, event->in_events);
-    if (event->in_events & EPOLLIN) {
-      const int kLength = 1024;
-      char buf[kLength];
-      int data_read;
-      do {
-        data_read = read(fd, &buf, kLength);
-      } while (data_read > 0);
-    }
-  }
-
-  void OnUnregistration(int fd, bool replaced) override {
-    recorder_->Record(this, UNREGISTRATION, fd, replaced);
-  }
-
-  void OnShutdown(SimpleEpollServer* eps, int fd) override {
-    if (fd >= 0) {
-      eps->UnregisterFD(fd);
-    }
-    recorder_->Record(this, SHUTDOWN, fd, 0);
-  }
-
-  std::string Name() const override { return "RecordingCB"; }
-
-  const Recorder* recorder() const { return recorder_; }
-
- protected:
-  Recorder* recorder_;
-};
-
-////////////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////////////
-
-// A simple test server that adds some test functions to SimpleEpollServer as
-// well as allowing access to protected functions.
-class EpollTestServer : public SimpleEpollServer {
- public:
-  EpollTestServer() : SimpleEpollServer() {}
-
-  ~EpollTestServer() override {}
-
-  void CheckMapping(int fd, CB* cb) {
-    CBAndEventMask tmp;
-    tmp.fd = fd;
-    FDToCBMap::iterator fd_i = cb_map_.find(tmp);
-    CHECK(fd_i != cb_map_.end());  // Chokes CHECK_NE.
-    CHECK(fd_i->cb == cb);
-  }
-
-  void CheckNotMapped(int fd) {
-    CBAndEventMask tmp;
-    tmp.fd = fd;
-    FDToCBMap::iterator fd_i = cb_map_.find(tmp);
-    CHECK(fd_i == cb_map_.end());  // Chokes CHECK_EQ.
-  }
-
-  void CheckEventMask(int fd, int event_mask) {
-    CBAndEventMask tmp;
-    tmp.fd = fd;
-    FDToCBMap::iterator fd_i = cb_map_.find(tmp);
-    CHECK(cb_map_.end() != fd_i);  // Chokes CHECK_NE.
-    CHECK_EQ(fd_i->event_mask, event_mask);
-  }
-
-  void CheckNotRegistered(int fd) {
-    struct epoll_event ee;
-    memset(&ee, 0, sizeof(ee));
-    // If the fd is registered, the epoll_ctl call would succeed (return 0) and
-    // the CHECK would fail.
-    CHECK(epoll_ctl(epoll_fd_, EPOLL_CTL_DEL, fd, &ee));
-  }
-
-  size_t GetNumPendingAlarmsForTest() const { return alarm_map_.size(); }
-
-  bool ContainsAlarm(AlarmCB* ac) {
-    return all_alarms_.find(ac) != all_alarms_.end();
-  }
-
-  using SimpleEpollServer::WaitForEventsAndCallHandleEvents;
-};
-
-class EpollFunctionTest : public EpollTest {
- public:
-  EpollFunctionTest()
-      : fd_(-1), fd2_(-1), recorder_(nullptr), cb_(nullptr), ep_(nullptr) {}
-
-  ~EpollFunctionTest() override {
-    delete ep_;
-    delete cb_;
-  }
-
-  void SetUp() override {
-    ep_ = new EpollTestServer();
-    cb_ = new RecordingCB();
-    // recorder_ is safe to use directly as we know it has the same scope as
-    // cb_
-    recorder_ = cb_->recorder();
-
-    int pipe_fds[2];
-    if (pipe(pipe_fds) < 0) {
-      EPOLL_PLOG(FATAL) << "pipe() failed";
-    }
-    fd_ = pipe_fds[0];
-    fd2_ = pipe_fds[1];
-  }
-
-  void TearDown() override {
-    close(fd_);
-    close(fd2_);
-  }
-
-  void DeleteSimpleEpollServer() {
-    delete ep_;
-    ep_ = nullptr;
-  }
-
-  int fd() { return fd_; }
-  int fd2() { return fd2_; }
-  EpollTestServer* ep() { return ep_; }
-  EpollCallbackInterface* cb() { return cb_; }
-  const Recorder* recorder() { return recorder_; }
-
- private:
-  int fd_;
-  int fd2_;
-  const Recorder* recorder_;
-  RecordingCB* cb_;
-  EpollTestServer* ep_;
-};
-
-TEST_F(EpollFunctionTest, TestUnconnectedSocket) {
-  int fd = socket(AddressFamilyUnderTest(), SOCK_STREAM, IPPROTO_TCP);
-  ep()->RegisterFD(fd, cb(), EPOLLIN | EPOLLOUT);
-  ep()->WaitForEventsAndExecuteCallbacks();
-
-  Recorder tmp;
-  tmp.Record(cb(), CREATION, 0, 0);
-  tmp.Record(cb(), REGISTRATION, fd, EPOLLIN | EPOLLOUT);
-  tmp.Record(cb(), EVENT, fd, EPOLLOUT | EPOLLHUP);
-  EXPECT_TRUE(recorder()->IsEqual(&tmp));
-}
-
-TEST_F(EpollFunctionTest, TestRegisterFD) {
-  // Check that the basic register works.
-  ep()->RegisterFD(fd(), cb(), EPOLLIN);
-
-  // Make sure that the fd-CB mapping is there.
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN);
-
-  // Now make sure that if we register again, we stomp the old callback.
-  // Also make sure we handle O_NONBLOCK correctly
-  RecordingCB cb2;
-  ep()->RegisterFD(fd(), &cb2, EPOLLOUT | O_NONBLOCK);
-  ep()->CheckMapping(fd(), &cb2);
-  ep()->CheckEventMask(fd(), EPOLLOUT | O_NONBLOCK);
-
-  // Clean up.
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestRegisterFDForWrite) {
-  ep()->RegisterFDForWrite(fd(), cb());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLOUT);
-
-  // Clean up.
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestRegisterFDForReadWrite) {
-  ep()->RegisterFDForReadWrite(fd(), cb());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN | EPOLLOUT);
-
-  // Clean up.
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestRegisterFDForRead) {
-  ep()->RegisterFDForRead(fd(), cb());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN);
-
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestUnregisterFD) {
-  ep()->RegisterFDForRead(fd(), cb());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN);
-
-  // Unregister and make sure that it's gone.
-  ep()->UnregisterFD(fd());
-  ep()->CheckNotMapped(fd());
-  ep()->CheckNotRegistered(fd());
-
-  // And make sure that unregistering something a second time doesn't cause
-  // crashes.
-  ep()->UnregisterFD(fd());
-  ep()->CheckNotMapped(fd());
-  ep()->CheckNotRegistered(fd());
-}
-
-TEST_F(EpollFunctionTest, TestModifyCallback) {
-  // Check that nothing terrible happens if we modify an unregistered fd.
-  ep()->ModifyCallback(fd(), EPOLLOUT);
-  ep()->CheckNotMapped(fd());
-  ep()->CheckNotRegistered(fd());
-
-  // Check that the basic register works.
-  ep()->RegisterFD(fd(), cb(), EPOLLIN);
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN);
-
-  // Check that adding a signal swaps it out for the first.
-  ep()->ModifyCallback(fd(), EPOLLOUT);
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLOUT);
-
-  // Check that modifying from X to X works correctly.
-  ep()->ModifyCallback(fd(), EPOLLOUT);
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLOUT);
-
-  // Check that modifying from something to nothing works.
-  ep()->ModifyCallback(fd(), 0);
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), 0);
-
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestStopRead) {
-  ep()->RegisterFDForReadWrite(fd(), cb());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN | EPOLLOUT);
-
-  // Unregister and make sure you only lose the read event.
-  ep()->StopRead(fd());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLOUT);
-
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestStartRead) {
-  ep()->RegisterFDForWrite(fd(), cb());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLOUT);
-
-  // Make sure that StartRead adds EPOLLIN and doesn't remove other signals.
-  ep()->StartRead(fd());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN | EPOLLOUT);
-
-  // Clean up.
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestStopWrite) {
-  ep()->RegisterFDForReadWrite(fd(), cb());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN | EPOLLOUT);
-
-  // Unregister write and make sure you only lose the write event.
-  ep()->StopWrite(fd());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN);
-
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestStartWrite) {
-  ep()->RegisterFDForRead(fd(), cb());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN);
-
-  // Make sure that StartWrite adds EPOLLOUT and doesn't remove other
-  // signals.
-  ep()->StartWrite(fd());
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), EPOLLIN | EPOLLOUT);
-
-  // Clean up.
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestSet_timeout_in_us) {
-  // Check that set works with various values.  There's a separate test below
-  // to make sure the values are used properly.
-  ep()->set_timeout_in_us(10);
-  EXPECT_EQ(10, ep()->timeout_in_us_for_test());
-
-  ep()->set_timeout_in_us(-1);
-  EXPECT_EQ(-1, ep()->timeout_in_us_for_test());
-}
-
-TEST_F(EpollFunctionTest, TestHandleEvent) {
-  const std::vector<RecordEntry>* records = recorder()->records();
-
-  // Test that nothing bad happens if the FD is not in the map.
-  ep()->HandleEvent(fd(), EPOLLOUT);
-  ep()->CallReadyListCallbacks();
-
-  ep()->RegisterFD(fd(), cb(), 0);
-  ep()->CheckMapping(fd(), cb());
-  ep()->CheckEventMask(fd(), 0);
-
-  // At this point we should have creation and registration recorded.
-  EXPECT_EQ(2u, records->size());
-
-  // Call handle event and make sure something was recorded.
-  ep()->HandleEvent(fd(), EPOLLOUT);
-  ep()->CallReadyListCallbacks();
-  EXPECT_EQ(3u, records->size());
-
-  // Call handle event and make sure something was recorded.
-  ep()->HandleEvent(fd(), EPOLLIN | O_NONBLOCK);
-  ep()->CallReadyListCallbacks();
-  EXPECT_EQ(4u, records->size());
-
-  Recorder tmp;
-  tmp.Record(cb(), CREATION, 0, 0);
-  tmp.Record(cb(), REGISTRATION, fd(), 0);
-  tmp.Record(cb(), EVENT, fd(), EPOLLOUT);
-  tmp.Record(cb(), EVENT, fd(), EPOLLIN | O_NONBLOCK);
-
-  EXPECT_TRUE(recorder()->IsEqual(&tmp));
-  ep()->UnregisterFD(fd());
-}
-
-TEST_F(EpollFunctionTest, TestNumFDsRegistered) {
-  EXPECT_EQ(0, ep()->NumFDsRegistered());
-
-  ep()->RegisterFD(fd(), cb(), 0);
-  EXPECT_EQ(1, ep()->NumFDsRegistered());
-
-  ep()->RegisterFD(fd2(), cb(), 0);
-  EXPECT_EQ(2, ep()->NumFDsRegistered());
-
-  ep()->RegisterFD(fd2(), cb(), 0);
-  EXPECT_EQ(2, ep()->NumFDsRegistered());
-
-  ep()->UnregisterFD(fd2());
-  EXPECT_EQ(1, ep()->NumFDsRegistered());
-
-  ep()->UnregisterFD(fd());
-  EXPECT_EQ(0, ep()->NumFDsRegistered());
-}
-
-// Check all of the individual signals and 1-2 combinations.
-TEST_F(EpollFunctionTest, TestEventMaskToString) {
-  std::string test;
-
-  test = SimpleEpollServer::EventMaskToString(EPOLLIN);
-  EXPECT_EQ(test, "EPOLLIN ");
-
-  test = SimpleEpollServer::EventMaskToString(EPOLLOUT);
-  EXPECT_EQ(test, "EPOLLOUT ");
-
-  test = SimpleEpollServer::EventMaskToString(EPOLLPRI);
-  EXPECT_EQ(test, "EPOLLPRI ");
-
-  test = SimpleEpollServer::EventMaskToString(EPOLLERR);
-  EXPECT_EQ(test, "EPOLLERR ");
-
-  test = SimpleEpollServer::EventMaskToString(EPOLLHUP);
-  EXPECT_EQ(test, "EPOLLHUP ");
-
-  test = SimpleEpollServer::EventMaskToString(EPOLLHUP | EPOLLIN);
-  EXPECT_EQ(test, "EPOLLIN EPOLLHUP ");
-
-  test = SimpleEpollServer::EventMaskToString(EPOLLIN | EPOLLOUT);
-  EXPECT_EQ(test, "EPOLLIN EPOLLOUT ");
-}
-
-class TestAlarm : public EpollAlarmCallbackInterface {
- public:
-  TestAlarm()
-      : time_before_next_alarm_(-1),
-        was_called_(false),
-        num_called_(0),
-        absolute_time_(false),
-        onshutdown_called_(false),
-        has_token_(false),
-        eps_(nullptr) {}
-  ~TestAlarm() override {}
-  int64_t OnAlarm() override {
-    has_token_ = false;
-    was_called_ = true;
-    ++num_called_;
-    if (time_before_next_alarm_ < 0) {
-      return 0;
-    }
-    if (absolute_time_) {
-      return time_before_next_alarm_;
-    } else {
-      return WallTimeNowInUsec() + time_before_next_alarm_;
-    }
-  }
-
-  void OnShutdown(SimpleEpollServer* /*eps*/) override {
-    onshutdown_called_ = true;
-    has_token_ = false;
-  }
-  void OnRegistration(const SimpleEpollServer::AlarmRegToken& token,
-                      SimpleEpollServer* eps) override {
-    has_token_ = true;
-    last_token_ = token;
-    eps_ = eps;
-  }
-  void OnUnregistration() override { has_token_ = false; }
-
-  void UnregisterIfRegistered(SimpleEpollServer* eps) {
-    if (has_token_) {
-      eps->UnregisterAlarm(last_token_);
-    }
-  }
-
-  void ReregisterAlarm(int64_t timeout_in_us) {
-    CHECK(has_token_);
-    eps_->ReregisterAlarm(last_token_, timeout_in_us);
-  }
-
-  void Reset() {
-    time_before_next_alarm_ = -1;
-    was_called_ = false;
-    absolute_time_ = false;
-  }
-
-  bool was_called() const { return was_called_; }
-  int num_called() const { return num_called_; }
-
-  void set_time_before_next_alarm(int64_t time) {
-    time_before_next_alarm_ = time;
-  }
-  void set_absolute_time(bool absolute) { absolute_time_ = absolute; }
-  bool onshutdown_called() { return onshutdown_called_; }
-
- protected:
-  int64_t time_before_next_alarm_;
-  bool was_called_;
-  int num_called_;
-  // Is time_before_next_alarm relative to the current time or absolute?
-  bool absolute_time_;
-  bool onshutdown_called_;
-  bool has_token_;
-  SimpleEpollServer::AlarmRegToken last_token_;
-  SimpleEpollServer* eps_;
-};
-
-class TestChildAlarm;
-
-// This node unregister all other alarms when it receives
-// OnShutdown() from any one child.
-class TestParentAlarm {
- public:
-  void OnShutdown(TestChildAlarm* child, SimpleEpollServer* eps) {
-    // Unregister
-    for (ChildTokenMap::const_iterator it = child_tokens_.begin();
-         it != child_tokens_.end(); ++it) {
-      if (it->first != child) {
-        eps->UnregisterAlarm(it->second);
-      }
-    }
-    child_tokens_.clear();
-  }
-
-  void OnRegistration(TestChildAlarm* child,
-                      const SimpleEpollServer::AlarmRegToken& token) {
-    child_tokens_[child] = token;
-  }
-
- protected:
-  typedef std::unordered_map<TestChildAlarm*, SimpleEpollServer::AlarmRegToken>
-      ChildTokenMap;
-
-  ChildTokenMap child_tokens_;
-};
-
-class TestChildAlarm : public TestAlarm {
- public:
-  void set_parent(TestParentAlarm* tp) { parent_ = tp; }
-  void OnShutdown(SimpleEpollServer* eps) override {
-    onshutdown_called_ = true;
-    // Inform parent of shutdown
-    parent_->OnShutdown(this, eps);
-  }
-  void OnRegistration(const SimpleEpollServer::AlarmRegToken& token,
-                      SimpleEpollServer* /*eps*/) override {
-    parent_->OnRegistration(this, token);
-  }
-
- protected:
-  TestParentAlarm* parent_;
-};
-
-class TestAlarmThatRegistersAnotherAlarm : public TestAlarm {
- public:
-  TestAlarmThatRegistersAnotherAlarm()
-      : alarm_(nullptr),
-        reg_time_delta_usec_(0),
-        eps_to_register_(nullptr),
-        has_reg_alarm_(false) {}
-  void SetRegisterAlarm(TestAlarm* alarm, int64_t time_delta_usec,
-                        SimpleEpollServer* eps) {
-    alarm_ = alarm;
-    reg_time_delta_usec_ = time_delta_usec;
-    has_reg_alarm_ = true;
-    eps_to_register_ = eps;
-  }
-  int64_t OnAlarm() override {
-    if (has_reg_alarm_) {
-      eps_to_register_->RegisterAlarm(
-          eps_to_register_->ApproximateNowInUsec() + reg_time_delta_usec_,
-          alarm_);
-      has_reg_alarm_ = false;
-    }
-    return TestAlarm::OnAlarm();
-  }
-
- protected:
-  TestAlarm* alarm_;
-  int64_t reg_time_delta_usec_;
-  SimpleEpollServer* eps_to_register_;
-  bool has_reg_alarm_;
-};
-
-class TestAlarmThatRegistersAndReregistersAnotherAlarm : public TestAlarm {
- public:
-  TestAlarmThatRegistersAndReregistersAnotherAlarm()
-      : alarm_(nullptr),
-        reg_time_delta_usec_(0),
-        reregister_time_delta_usec_(0),
-        eps_to_register_(nullptr),
-        has_reg_alarm_(false) {}
-  void SetRegisterAndReregisterAlarm(TestAlarm* alarm, int64_t time_delta_usec,
-                                     int64_t reregister_delta_usec,
-                                     SimpleEpollServer* eps) {
-    alarm_ = alarm;
-    reg_time_delta_usec_ = time_delta_usec;
-    reregister_time_delta_usec_ = reregister_delta_usec;
-    has_reg_alarm_ = true;
-    eps_to_register_ = eps;
-  }
-  int64_t OnAlarm() override {
-    if (has_reg_alarm_) {
-      eps_to_register_->RegisterAlarm(
-          eps_to_register_->ApproximateNowInUsec() + reg_time_delta_usec_,
-          alarm_);
-      alarm_->ReregisterAlarm(eps_to_register_->ApproximateNowInUsec() +
-                              reregister_time_delta_usec_);
-      has_reg_alarm_ = false;
-    }
-    return TestAlarm::OnAlarm();
-  }
-
- protected:
-  TestAlarm* alarm_;
-  int64_t reg_time_delta_usec_;
-  int64_t reregister_time_delta_usec_;
-  SimpleEpollServer* eps_to_register_;
-  bool has_reg_alarm_;
-};
-
-class TestAlarmThatUnregistersAnotherAlarm : public TestAlarm {
- public:
-  TestAlarmThatUnregistersAnotherAlarm()
-      : alarm_(nullptr), eps_to_register_(nullptr), has_unreg_alarm_(false) {}
-  void SetUnregisterAlarm(TestAlarm* alarm, SimpleEpollServer* eps) {
-    alarm_ = alarm;
-    has_unreg_alarm_ = true;
-    eps_to_register_ = eps;
-  }
-  int64_t OnAlarm() override {
-    if (has_unreg_alarm_) {
-      has_unreg_alarm_ = false;
-      alarm_->UnregisterIfRegistered(eps_to_register_);
-    }
-    return TestAlarm::OnAlarm();
-  }
-
- protected:
-  TestAlarm* alarm_;
-  SimpleEpollServer* eps_to_register_;
-  bool has_unreg_alarm_;
-};
-
-class TestAlarmUnregister : public TestAlarm {
- public:
-  TestAlarmUnregister()
-      : onunregistration_called_(false), iterator_token_(nullptr) {}
-  ~TestAlarmUnregister() override { delete iterator_token_; }
-
-  void OnShutdown(SimpleEpollServer* /*eps*/) override {
-    onshutdown_called_ = true;
-  }
-
-  int64_t OnAlarm() override {
-    delete iterator_token_;
-    iterator_token_ = nullptr;
-
-    return TestAlarm::OnAlarm();
-  }
-
-  void OnRegistration(const SimpleEpollServer::AlarmRegToken& token,
-                      SimpleEpollServer* /*eps*/) override {
-    // Multiple iterator tokens are not maintained by this code,
-    // so we should have reset the iterator_token in OnAlarm or
-    // OnUnregistration.
-    CHECK(iterator_token_ == nullptr);
-    iterator_token_ = new SimpleEpollServer::AlarmRegToken(token);
-  }
-  void OnUnregistration() override {
-    delete iterator_token_;
-    iterator_token_ = nullptr;
-    // Make sure that this alarm was not already unregistered.
-    CHECK(onunregistration_called_ == false);
-    onunregistration_called_ = true;
-  }
-
-  bool onunregistration_called() { return onunregistration_called_; }
-  // Returns true if the token has been filled in with the saved iterator
-  // and false if it has not.
-  bool get_token(SimpleEpollServer::AlarmRegToken* token) {
-    if (iterator_token_ != nullptr) {
-      *token = *iterator_token_;
-      return true;
-    } else {
-      return false;
-    }
-  }
-
- protected:
-  bool onunregistration_called_;
-  SimpleEpollServer::AlarmRegToken* iterator_token_;
-};
-
-void WaitForAlarm(SimpleEpollServer* eps, const TestAlarm& alarm) {
-  for (int i = 0; i < 5; ++i) {
-    // Ideally we would only have to call this once but it could wake up a bit
-    // early and so not call the alarm.  If it wakes up early several times
-    // there is something wrong.
-    eps->WaitForEventsAndExecuteCallbacks();
-    if (alarm.was_called()) {
-      break;
-    }
-  }
-}
-
-// Check a couple of alarm times to make sure they're falling within a
-// reasonable range.
-TEST(SimpleEpollServerTest, TestAlarms) {
-  EpollTestServer ep;
-  TestAlarm alarm;
-
-  int alarm_time = 10;
-
-  // Register an alarm and make sure we wait long enough to hit it.
-  ep.set_timeout_in_us(alarm_time * 1000 * 2);
-  ep.RegisterAlarm(WallTimeNowInUsec() + alarm_time, &alarm);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  WaitForAlarm(&ep, alarm);
-  EXPECT_TRUE(alarm.was_called());
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  alarm.Reset();
-
-  // Test a different time just to be careful.
-  alarm_time = 20;
-  ep.set_timeout_in_us(alarm_time * 1000 * 2);
-  ep.RegisterAlarm(WallTimeNowInUsec() + alarm_time, &alarm);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  WaitForAlarm(&ep, alarm);
-  EXPECT_TRUE(alarm.was_called());
-  alarm.Reset();
-
-  // The alarm was a one-time thing.  Make sure that we don't hit it again.
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_FALSE(alarm.was_called());
-  alarm.Reset();
-}
-
-// Same as above, but using RegisterAlarmApproximateDelta.
-TEST(SimpleEpollServerTest, TestRegisterAlarmApproximateDelta) {
-  EpollTestServer ep;
-  TestAlarm alarm;
-
-  int alarm_time = 10;
-
-  // Register an alarm and make sure we wait long enough to hit it.
-  ep.set_timeout_in_us(alarm_time * 1000 * 2);
-  ep.RegisterAlarmApproximateDelta(alarm_time * 1000, &alarm);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  WaitForAlarm(&ep, alarm);
-  EXPECT_TRUE(alarm.was_called());
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  alarm.Reset();
-  int64_t first_now = ep.ApproximateNowInUsec();
-  EXPECT_LT(0u, first_now);
-
-  // Test a different time just to be careful.
-  alarm_time = 20;
-  ep.set_timeout_in_us(alarm_time * 1000 * 2);
-  ep.RegisterAlarmApproximateDelta(alarm_time * 1000, &alarm);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  WaitForAlarm(&ep, alarm);
-  EXPECT_TRUE(alarm.was_called());
-  alarm.Reset();
-  int64_t second_now = ep.ApproximateNowInUsec();
-
-  EXPECT_LT(first_now, second_now);
-
-  // The alarm was a one-time thing.  Make sure that we don't hit it again.
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_FALSE(alarm.was_called());
-  alarm.Reset();
-}
-
-TEST(SimpleEpollServerTest, TestAlarmsWithInfiniteWait) {
-  EpollTestServer ep;
-  TestAlarm alarm;
-
-  int alarm_time = 10;
-
-  // Register an alarm and make sure we wait long enough to hit it.
-  ep.set_timeout_in_us(-1);
-  ep.RegisterAlarm(WallTimeNowInUsec() + alarm_time, &alarm);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  WaitForAlarm(&ep, alarm);
-  EXPECT_TRUE(alarm.was_called());
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  alarm.Reset();
-}
-
-// In this test we have an alarm that when fires gets re-registered
-// at almost the same time at which it fires. Here, we want to make
-// sure that when the alarm gets re-registered we do not call OnAlarm()
-// on the same Alarm object again, until we have called
-// WaitForEventsAndExecuteCallbacks(). A poor implementation of epoll
-// server alarm handling can potentially cause OnAlarm() to be called
-// multiple times. We make sure that the epoll server is not going in
-// an infinite loop by checking that OnAlarm() is called exactly once
-// on the alarm object that got registered again.
-TEST(SimpleEpollServerTest, TestAlarmsThatGetReRegisteredAreNotCalledTwice) {
-  // This alarm would get registered again
-  TestAlarm alarm;
-  TestAlarm alarm2;
-  EpollTestServer ep;
-  ep.set_timeout_in_us(-1);
-
-  int64_t alarm_time = 10;
-  int64_t abs_time = WallTimeNowInUsec() + alarm_time * 1000;
-
-  // This will make the alarm re-register when OnAlarm is called.
-  alarm.set_absolute_time(true);
-  alarm.set_time_before_next_alarm(abs_time + 2);
-
-  // Register two alarms and make sure we wait long enough to hit it.
-  ep.RegisterAlarm(abs_time, &alarm);
-  ep.RegisterAlarm(abs_time, &alarm2);
-  EXPECT_EQ(2u, ep.GetNumPendingAlarmsForTest());
-
-  WaitForAlarm(&ep, alarm);
-
-  EXPECT_TRUE(alarm.was_called());
-  // Make sure that alarm is called only once.
-  EXPECT_EQ(1, alarm.num_called());
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  alarm.Reset();
-}
-
-// Here we make sure that when one alarm unregisters another alarm
-// (that is supposed to be registered again because its OnAlarm
-// returned > 0), the alarm thats supposed to be unregistered does
-// actually gets unregistered.
-TEST(SimpleEpollServerTest, TestAlarmsOneOnAlarmUnRegistersAnotherAlarm) {
-  TestAlarm alarm;
-  TestAlarmThatUnregistersAnotherAlarm alarm2;
-  EpollTestServer ep;
-  ep.set_timeout_in_us(-1);
-
-  int64_t alarm_time = 1;
-  int64_t abs_time = WallTimeNowInUsec() + alarm_time * 1000;
-
-  // This will make the alarm re-register when OnAlarm is called.
-  alarm.set_absolute_time(true);
-  alarm.set_time_before_next_alarm(abs_time + 2);
-
-  // Register two alarms and make sure we wait long enough to hit it.
-  ep.RegisterAlarm(abs_time, &alarm);
-  // This would cause us to unregister alarm when OnAlarm is called
-  // on alarm2.
-  alarm2.SetUnregisterAlarm(&alarm, &ep);
-  ep.RegisterAlarm(abs_time + 1, &alarm2);
-  EXPECT_EQ(2u, ep.GetNumPendingAlarmsForTest());
-
-  WaitForAlarm(&ep, alarm);
-
-  EXPECT_TRUE(alarm.was_called());
-  // Make sure that alarm is called only once.
-  EXPECT_EQ(1, alarm.num_called());
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  alarm.Reset();
-}
-
-// Check a couple of alarm times to make sure they're falling within a
-// reasonable range.
-TEST(SimpleEpollServerTest, TestRepeatAlarms) {
-  EpollTestServer ep;
-  TestAlarm alarm;
-
-  int alarm_time = 20;
-
-  // Register an alarm and make sure we wait long enough to hit it.
-  ep.set_timeout_in_us(alarm_time * 1000 * 2);
-  alarm.set_time_before_next_alarm(1000 * alarm_time);
-  ep.RegisterAlarm(WallTimeNowInUsec() + alarm_time, &alarm);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-
-  WaitForAlarm(&ep, alarm);
-  // When we wake up it should be because the Alarm has been called, and has
-  // registered itself to be called again.
-
-  // Make sure the first alarm was called properly.
-  EXPECT_TRUE(alarm.was_called());
-
-  // Resetting means that the alarm is no longer a recurring alarm.  It will be
-  // called once more and then stop.
-  alarm.Reset();
-
-  // Make sure the alarm is called one final time.
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  ep.set_timeout_in_us(alarm_time * 1000 * 2);
-  WaitForAlarm(&ep, alarm);
-
-  EXPECT_TRUE(alarm.was_called());
-  alarm.Reset();
-
-  // The alarm was a one-time thing.  Make sure that we don't hit it again.
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_FALSE(alarm.was_called());
-}
-
-// Verify that an alarm that repeats itself in the past works properly.
-TEST(SimpleEpollServerTest, TestRepeatAlarmInPast) {
-  EpollTestServer ep;
-  TestAlarm alarm;
-
-  int64_t alarm_time = 20;
-  int64_t abs_time = WallTimeNowInUsec() + alarm_time * 1000;
-
-  // Make the alarm re-register in the past when OnAlarm is called.
-  alarm.set_absolute_time(true);
-  alarm.set_time_before_next_alarm(abs_time - 1000);
-
-  // Register the alarm and make sure we wait long enough to hit it.
-  ep.set_timeout_in_us(alarm_time * 1000 * 2);
-  ep.RegisterAlarm(abs_time, &alarm);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-
-  WaitForAlarm(&ep, alarm);
-  // When we wake up it should be because the Alarm has been called, and has
-  // registered itself to be called again.
-
-  // Make sure the first alarm was called properly.
-  EXPECT_TRUE(alarm.was_called());
-
-  // Resetting means that the alarm is no longer a recurring alarm.  It will be
-  // called once more and then stop.
-  alarm.Reset();
-
-  // Make sure the alarm is called one final time.
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  ep.set_timeout_in_us(alarm_time * 1000 * 2);
-  WaitForAlarm(&ep, alarm);
-
-  EXPECT_TRUE(alarm.was_called());
-  alarm.Reset();
-
-  // The alarm was a one-time thing.  Make sure that we don't hit it again.
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_FALSE(alarm.was_called());
-}
-
-class EpollTestAlarms : public SimpleEpollServer {
- public:
-  EpollTestAlarms() : SimpleEpollServer() {}
-
-  inline int64_t NowInUsec() const override { return time_; }
-
-  void CallAndReregisterAlarmEvents() override {
-    recorded_now_in_us_ = NowInUsec();
-    SimpleEpollServer::CallAndReregisterAlarmEvents();
-  }
-
-  void set_time(int64_t time) { time_ = time; }
-
-  size_t GetNumPendingAlarmsForTest() const { return alarm_map_.size(); }
-
- private:
-  int64_t time_;
-};
-
-// Test multiple interleaving alarms to make sure they work right.
-// Pattern is roughly:
-// time:   15    20    30    40
-// alarm:   A     B     A'    C
-TEST(SimpleEpollServerTest, TestMultipleAlarms) {
-  EpollTestAlarms ep;
-  TestAlarm alarmA;
-  TestAlarm alarmB;
-  TestAlarm alarmC;
-
-  ep.set_timeout_in_us(50 * 1000 * 2);
-  alarmA.set_time_before_next_alarm(1000 * 30);
-  alarmA.set_absolute_time(true);
-  ep.RegisterAlarm(15 * 1000, &alarmA);
-  ep.RegisterAlarm(20 * 1000, &alarmB);
-  ep.RegisterAlarm(40 * 1000, &alarmC);
-
-  ep.set_time(15 * 1000);
-  ep.CallAndReregisterAlarmEvents();  // A
-  EXPECT_TRUE(alarmA.was_called());
-  EXPECT_FALSE(alarmB.was_called());
-  EXPECT_FALSE(alarmC.was_called());
-  alarmA.Reset();  // Unregister A in the future.
-
-  ep.set_time(20 * 1000);
-  ep.CallAndReregisterAlarmEvents();  // B
-  EXPECT_FALSE(alarmA.was_called());
-  EXPECT_TRUE(alarmB.was_called());
-  EXPECT_FALSE(alarmC.was_called());
-  alarmB.Reset();
-
-  ep.set_time(30 * 1000);
-  ep.CallAndReregisterAlarmEvents();  // A
-  EXPECT_TRUE(alarmA.was_called());
-  EXPECT_FALSE(alarmB.was_called());
-  EXPECT_FALSE(alarmC.was_called());
-  alarmA.Reset();
-
-  ep.set_time(40 * 1000);
-  ep.CallAndReregisterAlarmEvents();  // C
-  EXPECT_FALSE(alarmA.was_called());
-  EXPECT_FALSE(alarmB.was_called());
-  EXPECT_TRUE(alarmC.was_called());
-  alarmC.Reset();
-
-  ep.CallAndReregisterAlarmEvents();  // None.
-  EXPECT_FALSE(alarmA.was_called());
-  EXPECT_FALSE(alarmB.was_called());
-  EXPECT_FALSE(alarmC.was_called());
-}
-
-TEST(SimpleEpollServerTest, TestAlarmOnShutdown) {
-  TestAlarm alarm1;
-  {
-    EpollTestServer ep;
-    const int64_t now = WallTimeNowInUsec();
-    ep.RegisterAlarm(now + 5000, &alarm1);
-  }
-
-  EXPECT_TRUE(alarm1.onshutdown_called());
-}
-
-// Tests that if we have multiple alarms
-// OnShutdown then we handle them properly.
-TEST(SimpleEpollServerTest, TestMultipleAlarmOnShutdown) {
-  TestAlarm alarm1;
-  TestAlarm alarm2;
-  TestAlarm alarm3;
-  {
-    EpollTestServer ep;
-    const int64_t now = WallTimeNowInUsec();
-    ep.RegisterAlarm(now + 5000, &alarm1);
-    ep.RegisterAlarm(now + 9000, &alarm2);
-    ep.RegisterAlarm(now + 9000, &alarm3);
-  }
-
-  EXPECT_TRUE(alarm1.onshutdown_called());
-  EXPECT_TRUE(alarm2.onshutdown_called());
-  EXPECT_TRUE(alarm3.onshutdown_called());
-}
-TEST(SimpleEpollServerTest, TestMultipleAlarmUnregistrationOnShutdown) {
-  TestParentAlarm tp;
-  TestChildAlarm alarm1;
-  TestChildAlarm alarm2;
-  alarm1.set_parent(&tp);
-  alarm2.set_parent(&tp);
-  {
-    EpollTestServer ep;
-    const int64_t now = WallTimeNowInUsec();
-    ep.RegisterAlarm(now + 5000, &alarm1);
-    ep.RegisterAlarm(now + 9000, &alarm2);
-  }
-
-  EXPECT_TRUE(alarm1.onshutdown_called());
-  EXPECT_FALSE(alarm2.onshutdown_called());
-}
-
-// Check an alarm set in the past runs right away.
-TEST(SimpleEpollServerTest, TestPastAlarm) {
-  EpollTestServer ep;
-  TestAlarm alarm;
-
-  // Register the alarm and make sure we wait long enough to hit it.
-  ep.set_timeout_in_us(1000 * 2);
-  ep.RegisterAlarm(WallTimeNowInUsec() - 1000, &alarm);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_TRUE(alarm.was_called());
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  alarm.Reset();
-}
-
-// Test Unregistering of Alarms
-TEST(SimpleEpollServerTest, TestUnregisterAlarm) {
-  EpollTestServer ep;
-  SimpleEpollServer::AlarmRegToken temptok;
-
-  TestAlarmUnregister alarm1;
-  TestAlarmUnregister alarm2;
-
-  ep.RegisterAlarm(WallTimeNowInUsec() + 5 * 1000, &alarm1);
-  ep.RegisterAlarm(WallTimeNowInUsec() + 13 * 1000, &alarm2);
-
-  // Unregister an alarm.
-  if (alarm2.get_token(&temptok)) {
-    ep.UnregisterAlarm(temptok);
-  }
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  EXPECT_TRUE(alarm2.onunregistration_called());
-
-  if (alarm1.get_token(&temptok)) {
-    ep.UnregisterAlarm(temptok);
-  }
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-  EXPECT_TRUE(alarm1.onunregistration_called());
-}
-
-// Test Reregistering of Alarms
-TEST(SimpleEpollServerTest, TestReregisterAlarm) {
-  EpollTestAlarms ep;
-  SimpleEpollServer::AlarmRegToken token;
-
-  TestAlarmUnregister alarm;
-  ep.set_time(1000);
-  ep.RegisterAlarm(5000, &alarm);
-
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  ASSERT_TRUE(alarm.get_token(&token));
-  ep.ReregisterAlarm(token, 6000);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-
-  ep.set_time(5000);
-  ep.set_timeout_in_us(0);
-  ep.CallAndReregisterAlarmEvents();
-  EXPECT_FALSE(alarm.was_called());
-
-  ep.set_time(6000);
-  ep.CallAndReregisterAlarmEvents();
-  EXPECT_TRUE(alarm.was_called());
-}
-
-TEST(SimpleEpollServerTest, TestReregisterDeferredAlarm) {
-  EpollTestAlarms ep;
-  ep.set_timeout_in_us(0);
-
-  TestAlarm alarm;
-  TestAlarmThatRegistersAndReregistersAnotherAlarm register_alarm;
-  // Register the alarm in the past so it is added as a deferred alarm.
-  register_alarm.SetRegisterAndReregisterAlarm(&alarm, -500, 500, &ep);
-  ep.set_time(1000);
-  ep.RegisterAlarm(1000, &register_alarm);
-  // Call reregister twice, first to run register_alarm and second to run any
-  // scheduled deferred alarms.
-  ep.CallAndReregisterAlarmEvents();
-  ep.CallAndReregisterAlarmEvents();
-
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  EXPECT_FALSE(alarm.was_called());
-
-  ep.set_time(1500);
-  ep.CallAndReregisterAlarmEvents();
-  EXPECT_TRUE(alarm.was_called());
-}
-
-// Check if an alarm fired and got reregistered, you are able to
-// unregister the second registration.
-TEST(SimpleEpollServerTest, TestFiredReregisteredAlarm) {
-  EpollTestAlarms ep;
-  TestAlarmUnregister alarmA;
-
-  SimpleEpollServer::AlarmRegToken first_token;
-  SimpleEpollServer::AlarmRegToken second_token;
-  bool found;
-
-  ep.set_timeout_in_us(50 * 1000 * 2);
-  alarmA.set_time_before_next_alarm(1000 * 30);
-  alarmA.set_absolute_time(true);
-
-  // Alarm A first fires at 15, then 30
-  ep.RegisterAlarm(15 * 1000, &alarmA);
-
-  found = alarmA.get_token(&first_token);
-  EXPECT_TRUE(found);
-
-  ep.set_time(15 * 1000);
-  ep.CallAndReregisterAlarmEvents();  // A
-  EXPECT_TRUE(alarmA.was_called());
-
-  alarmA.Reset();
-
-  found = alarmA.get_token(&second_token);
-  EXPECT_TRUE(found);
-  if (found) {
-    ep.UnregisterAlarm(second_token);
-  }
-
-  ep.set_time(30 * 1000);
-  ep.CallAndReregisterAlarmEvents();  // A
-
-  alarmA.Reset();
-}
-
-// Here we make sure that one alarm can unregister another alarm
-// in OnShutdown().
-TEST(SimpleEpollServerTest, TestAlarmCanUnregistersAnotherAlarmOnShutdown) {
-  TestAlarmThatUnregistersAnotherAlarm alarm1;
-  TestAlarm alarm2;
-  {
-    EpollTestServer ep;
-    // Register two alarms and make alarm1 is placed in queue in front of alarm2
-    // so that when the queue is cleared, alarm1 is processed first.
-    const int64_t now = WallTimeNowInUsec();
-    ep.RegisterAlarm(now + 5000, &alarm1);
-    ep.RegisterAlarm(now + 9000, &alarm2);
-    alarm1.SetUnregisterAlarm(&alarm2, &ep);
-    EXPECT_EQ(2u, ep.GetNumPendingAlarmsForTest());
-  }
-}
-
-class TestAlarmRegisterAnotherAlarmShutdown : public TestAlarmUnregister {
- public:
-  TestAlarmRegisterAnotherAlarmShutdown(EpollAlarmCallbackInterface* alarm2,
-                                        int64_t when)
-      : alarm2_(alarm2), when_(when) {}
-  void OnShutdown(SimpleEpollServer* eps) override {
-    TestAlarmUnregister::OnShutdown(eps);
-    eps->RegisterAlarm(when_, alarm2_);
-  }
-
- private:
-  EpollAlarmCallbackInterface* alarm2_;
-  int64_t when_;
-};
-
-// This tests that alarm registers another alarm when shutting down.
-// The two cases are: new alarm comes before and after the alarm being
-// notified by OnShutdown()
-TEST(SimpleEpollServerTest, AlarmRegistersAnotherAlarmOnShutdownBeforeSelf) {
-  TestAlarm alarm2;
-  int64_t alarm_time = WallTimeNowInUsec() + 5000;
-  TestAlarmRegisterAnotherAlarmShutdown alarm1(&alarm2, alarm_time - 1000);
-  {
-    EpollTestAlarms ep;
-    ep.RegisterAlarm(alarm_time, &alarm1);
-  }
-  EXPECT_TRUE(alarm1.onshutdown_called());
-  EXPECT_FALSE(alarm2.onshutdown_called());
-}
-
-TEST(SimpleEpollServerTest, AlarmRegistersAnotherAlarmOnShutdownAfterSelf) {
-  TestAlarm alarm2;
-  int64_t alarm_time = WallTimeNowInUsec() + 5000;
-  TestAlarmRegisterAnotherAlarmShutdown alarm1(&alarm2, alarm_time + 1000);
-  {
-    EpollTestAlarms ep;
-    ep.RegisterAlarm(alarm_time, &alarm1);
-  }
-  EXPECT_TRUE(alarm1.onshutdown_called());
-  EXPECT_TRUE(alarm2.onshutdown_called());
-}
-
-TEST(SimpleEpollServerTest, TestWrite) {
-  SimpleEpollServer ep;
-  ep.set_timeout_in_us(1);
-  char data[kPageSize] = {0};
-
-  int pipe_fds[2];
-  if (pipe(pipe_fds) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe() failed";
-  }
-  int read_fd = pipe_fds[0];
-  int write_fd = pipe_fds[1];
-
-  RecordingCB recording_cb;
-  const Recorder* recorder = recording_cb.recorder();
-  const std::vector<RecordEntry>* records = recorder->records();
-
-  // Register to listen to write events.
-  ep.RegisterFD(write_fd, &recording_cb, EPOLLOUT | O_NONBLOCK);
-  // At this point the recorder should have the creation and registration
-  // events.
-  EXPECT_EQ(2u, records->size());
-
-  // Fill up the pipe.
-  int written = 1;
-  for (int i = 0; i < 17 && written > 0; ++i) {
-    written = write(write_fd, &data, kPageSize);
-  }
-  EXPECT_LT(written, 0);
-
-  // There should be no new events as the pipe is not available for writing.
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(2u, records->size());
-
-  // Now read data from the pipe to make it writable again.  This time the
-  // we should get an EPOLLOUT event.
-  int size = read(read_fd, &data, kPageSize);
-  EXPECT_EQ(kPageSize, size);
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(3u, records->size());
-
-  // Now unsubscribe from writable events (which adds a modification record)
-  // and wait to verify that no event records are added.
-  ep.StopWrite(write_fd);
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(4u, records->size());
-
-  // We had the right number of events all along. Make sure they were actually
-  // the right events.
-  Recorder tmp;
-  tmp.Record(&recording_cb, CREATION, 0, 0);
-  tmp.Record(&recording_cb, REGISTRATION, write_fd, EPOLLOUT | O_NONBLOCK);
-  tmp.Record(&recording_cb, EVENT, write_fd, EPOLLOUT);
-  tmp.Record(&recording_cb, MODIFICATION, write_fd, O_NONBLOCK);
-
-  EXPECT_TRUE(recorder->IsEqual(&tmp));
-  ep.UnregisterFD(write_fd);
-
-  close(read_fd);
-  close(write_fd);
-}
-
-TEST(SimpleEpollServerTest, TestReadWrite) {
-  SimpleEpollServer ep;
-  ep.set_timeout_in_us(1);
-  char data[kPageSize] = {0};
-
-  int pipe_fds[2];
-  if (pipe(pipe_fds) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe() failed";
-  }
-  int read_fd = pipe_fds[0];
-  int write_fd = pipe_fds[1];
-
-  RecordingCB recording_cb;
-  const Recorder* recorder = recording_cb.recorder();
-  const std::vector<RecordEntry>* records = recorder->records();
-
-  // Register to listen to read and write events.
-  ep.RegisterFDForReadWrite(read_fd, &recording_cb);
-  // At this point the recorder should have the creation and registration
-  // events.
-  EXPECT_EQ(2u, records->size());
-
-  int written = write(write_fd, &data, kPageSize);
-  EXPECT_EQ(kPageSize, written);
-
-  ep.WaitForEventsAndExecuteCallbacks();
-  ep.UnregisterFD(read_fd);
-
-  close(read_fd);
-  close(write_fd);
-}
-
-TEST(SimpleEpollServerTest, TestMultipleFDs) {
-  SimpleEpollServer ep;
-  ep.set_timeout_in_us(1);
-  char data = 'x';
-
-  int pipe_one[2];
-  if (pipe(pipe_one) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe() failed";
-  }
-  int pipe_two[2];
-  if (pipe(pipe_two) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe() failed";
-  }
-
-  RecordingCB recording_cb_one;
-  const Recorder* recorder_one = recording_cb_one.recorder();
-  const std::vector<RecordEntry>* records_one = recorder_one->records();
-
-  RecordingCB recording_cb_two;
-  const Recorder* recorder_two = recording_cb_two.recorder();
-  const std::vector<RecordEntry>* records_two = recorder_two->records();
-
-  // Register to listen to read events for both pipes
-  ep.RegisterFDForRead(pipe_one[0], &recording_cb_one);
-  ep.RegisterFDForRead(pipe_two[0], &recording_cb_two);
-
-  EXPECT_EQ(2u, records_one->size());
-  EXPECT_EQ(2u, records_two->size());
-
-  EXPECT_EQ(1, write(pipe_one[1], &data, 1));
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(3u, records_one->size());
-  EXPECT_EQ(2u, records_two->size());
-
-  EXPECT_EQ(1, write(pipe_two[1], &data, 1));
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(3u, records_one->size());
-  EXPECT_EQ(3u, records_two->size());
-
-  EXPECT_EQ(1, write(pipe_one[1], &data, 1));
-  EXPECT_EQ(1, write(pipe_two[1], &data, 1));
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(4u, records_one->size());
-  EXPECT_EQ(4u, records_two->size());
-
-  ep.WaitForEventsAndExecuteCallbacks();
-  ep.UnregisterFD(pipe_one[0]);
-  ep.UnregisterFD(pipe_two[0]);
-  close(pipe_one[0]);
-  close(pipe_one[1]);
-  close(pipe_two[0]);
-  close(pipe_two[1]);
-}
-
-// Check that the SimpleEpollServer calls OnShutdown for any registered FDs.
-TEST(SimpleEpollServerTest, TestFDOnShutdown) {
-  int pipe_fds[2];
-  if (pipe(pipe_fds) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe() failed";
-  }
-  int read_fd = pipe_fds[0];
-  int write_fd = pipe_fds[1];
-
-  RecordingCB recording_cb1;
-  RecordingCB recording_cb2;
-  const Recorder* recorder1 = recording_cb1.recorder();
-  const Recorder* recorder2 = recording_cb2.recorder();
-
-  {
-    SimpleEpollServer ep;
-    ep.set_timeout_in_us(1);
-
-    // Register to listen to write events.
-    ep.RegisterFD(write_fd, &recording_cb1, EPOLLOUT | O_NONBLOCK);
-    ep.RegisterFD(read_fd, &recording_cb2, EPOLLIN | O_NONBLOCK);
-  }
-
-  // Make sure OnShutdown was called for both callbacks.
-  Recorder write_recorder;
-  write_recorder.Record(&recording_cb1, CREATION, 0, 0);
-  write_recorder.Record(&recording_cb1, REGISTRATION, write_fd,
-                        EPOLLOUT | O_NONBLOCK);
-  write_recorder.Record(&recording_cb1, UNREGISTRATION, write_fd, false);
-  write_recorder.Record(&recording_cb1, SHUTDOWN, write_fd, 0);
-  EXPECT_TRUE(recorder1->IsEqual(&write_recorder));
-
-  Recorder read_recorder;
-  read_recorder.Record(&recording_cb2, CREATION, 0, 0);
-  read_recorder.Record(&recording_cb2, REGISTRATION, read_fd,
-                       EPOLLIN | O_NONBLOCK);
-  read_recorder.Record(&recording_cb2, UNREGISTRATION, read_fd, false);
-  read_recorder.Record(&recording_cb2, SHUTDOWN, read_fd, 0);
-  EXPECT_TRUE(recorder2->IsEqual(&read_recorder));
-
-  close(read_fd);
-  close(write_fd);
-}
-
-class UnregisterCB : public EpollCallbackInterface {
- public:
-  explicit UnregisterCB(int fd)
-      : eps_(nullptr), fd_(fd), onshutdown_called_(false) {}
-
-  ~UnregisterCB() override {}
-
-  void OnShutdown(SimpleEpollServer* /*eps*/, int fd) override {
-    eps_->UnregisterFD(fd_);
-    eps_->UnregisterFD(fd);
-    onshutdown_called_ = true;
-    eps_ = nullptr;
-  }
-
-  void set_epollserver(SimpleEpollServer* eps) { eps_ = eps; }
-  bool onshutdown_called() { return onshutdown_called_; }
-
-  void OnRegistration(SimpleEpollServer* /*eps*/, int /*fd*/,
-                      int /*event_mask*/) override {}
-  void OnModification(int /*fd*/, int /*event_mask*/) override {}
-  void OnEvent(int /*fd*/, EpollEvent* /*event*/) override {}
-  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {}
-
-  std::string Name() const override { return "UnregisterCB"; }
-
- protected:
-  SimpleEpollServer* eps_;
-  int fd_;
-  bool onshutdown_called_;
-};
-
-// Check that unregistering fds in OnShutdown works cleanly.
-TEST(SimpleEpollServerTest, TestUnregisteringFDsOnShutdown) {
-  int pipe_fds[2];
-  if (pipe(pipe_fds) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe() failed";
-  }
-  int read_fd = pipe_fds[0];
-  int write_fd = pipe_fds[1];
-
-  UnregisterCB unreg_cb1(read_fd);
-  UnregisterCB unreg_cb2(write_fd);
-
-  {
-    SimpleEpollServer ep;
-    ep.set_timeout_in_us(1);
-
-    unreg_cb1.set_epollserver(&ep);
-    unreg_cb2.set_epollserver(&ep);
-
-    // Register to listen to write events.
-    ep.RegisterFD(write_fd, &unreg_cb1, EPOLLOUT | O_NONBLOCK);
-    ep.RegisterFD(read_fd, &unreg_cb2, EPOLLIN | O_NONBLOCK);
-  }
-
-  // Make sure at least one onshutdown was called.
-  EXPECT_TRUE(unreg_cb1.onshutdown_called() || unreg_cb2.onshutdown_called());
-  // Make sure that both onshutdowns were not called.
-  EXPECT_TRUE(
-      !(unreg_cb1.onshutdown_called() && unreg_cb2.onshutdown_called()));
-
-  close(read_fd);
-  close(write_fd);
-}
-
-TEST(SimpleEpollServerTest, TestFDsAndAlarms) {
-  SimpleEpollServer ep;
-  ep.set_timeout_in_us(5);
-  char data = 'x';
-
-  int pipe_fds[2];
-  if (pipe(pipe_fds) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe() failed";
-  }
-
-  RecordingCB recording_cb;
-  const Recorder* recorder = recording_cb.recorder();
-  const std::vector<RecordEntry>* records = recorder->records();
-
-  TestAlarm alarm;
-
-  ep.RegisterFDForRead(pipe_fds[0], &recording_cb);
-
-  EXPECT_EQ(2u, records->size());
-  EXPECT_FALSE(alarm.was_called());
-
-  // Write to the pipe and set a longish alarm so we get a read event followed
-  // by an alarm event.
-  int written = write(pipe_fds[1], &data, 1);
-  EXPECT_EQ(1, written);
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(3u, records->size());
-  EXPECT_FALSE(alarm.was_called());
-  ep.RegisterAlarm(WallTimeNowInUsec() + 1000, &alarm);
-  WaitForAlarm(&ep, alarm);
-  EXPECT_EQ(3u, records->size());
-  EXPECT_TRUE(alarm.was_called());
-  alarm.Reset();
-
-  // Now set a short alarm so the alarm and the read event are called together.
-  ep.RegisterAlarm(WallTimeNowInUsec(), &alarm);
-  written = write(pipe_fds[1], &data, 1);
-  EXPECT_EQ(1, written);
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_TRUE(alarm.was_called());
-  EXPECT_EQ(4u, records->size());
-
-  ep.UnregisterFD(pipe_fds[0]);
-
-  close(pipe_fds[0]);
-  close(pipe_fds[1]);
-}
-
-class EpollReader : public EpollCallbackInterface {
- public:
-  explicit EpollReader(int len)
-      : len_(0), expected_len_(len), done_reading_(false) {
-    memset(&buf_, 0, kMaxBufLen);
-  }
-
-  ~EpollReader() override {}
-
-  void OnRegistration(SimpleEpollServer* /*eps*/, int /*fd*/,
-                      int /*event_mask*/) override {}
-
-  void OnModification(int /*fd*/, int /*event_mask*/) override {}
-
-  void OnEvent(int fd, EpollEvent* event) override {
-    if (event->in_events & EPOLLIN) {
-      len_ += read(fd, &buf_ + len_, kMaxBufLen - len_);
-    }
-
-    // If we have finished reading...
-    if (event->in_events & EPOLLHUP) {
-      CHECK_EQ(len_, expected_len_);
-      done_reading_ = true;
-    }
-  }
-
-  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {}
-
-  void OnShutdown(SimpleEpollServer* /*eps*/, int /*fd*/) override {
-    // None of the current tests involve having active callbacks when the
-    // server shuts down.
-    EPOLL_LOG(FATAL);
-  }
-
-  std::string Name() const override { return "EpollReader"; }
-
-  // Returns true if the data in buf is the same as buf_, false otherwise.
-  bool CheckOutput(char* buf, int len) {
-    if (len != len_) {
-      return false;
-    }
-    return !memcmp(buf, buf_, len);
-  }
-
-  bool done_reading() { return done_reading_; }
-
- protected:
-  int len_;
-  int expected_len_;
-  char buf_[kMaxBufLen];
-  bool done_reading_;
-};
-
-void TestPipe(char* test_message, int len) {
-  int pipe_fds[2];
-  if (pipe(pipe_fds) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe failed()";
-  }
-  int reader_pipe = pipe_fds[0];
-  int writer_pipe = pipe_fds[1];
-  int child_pid;
-  memset(test_message, 'x', len);
-
-  switch (child_pid = fork()) {
-    case 0: {  // Child will send message.
-      const char* message = test_message;
-      int size;
-      close(reader_pipe);
-      while ((size = write(writer_pipe, message, len)) > 0) {
-        message += size;
-        len -= size;
-        if (len == 0) {
-          break;
-        }
-      }
-      if (len > 0) {
-        EPOLL_PLOG(FATAL) << "write() failed";
-      }
-      close(writer_pipe);
-
-      _exit(0);
-    }
-    case -1:
-      EPOLL_PLOG(FATAL) << "fork() failed";
-      break;
-    default: {  // Parent will receive message.
-      close(writer_pipe);
-      auto ep = std::make_unique<SimpleEpollServer>();
-      ep->set_timeout_in_us(1);
-      EpollReader reader(len);
-      ep->RegisterFD(reader_pipe, &reader, EPOLLIN);
-
-      int64_t start_ms = WallTimeNowInUsec() / 1000;
-      // Loop until we're either done reading, or have waited ~10 us.
-      while (!reader.done_reading() &&
-             (WallTimeNowInUsec() / 1000 - start_ms) < 10000) {
-        ep->WaitForEventsAndExecuteCallbacks();
-      }
-      ep->UnregisterFD(reader_pipe);
-      CHECK(reader.CheckOutput(test_message, len));
-      break;
-    }
-  }
-
-  close(reader_pipe);
-  close(writer_pipe);
-}
-
-TEST(SimpleEpollServerTest, TestSmallPipe) {
-  char buf[kMaxBufLen];
-  TestPipe(buf, 10);
-}
-
-TEST(SimpleEpollServerTest, TestLargePipe) {
-  char buf[kMaxBufLen];
-  TestPipe(buf, kMaxBufLen);
-}
-
-// Tests RegisterFDForRead as well as StopRead.
-TEST(SimpleEpollServerTest, TestRead) {
-  SimpleEpollServer ep;
-  ep.set_timeout_in_us(1);
-  int len = 1;
-
-  int pipe_fds[2];
-  if (pipe(pipe_fds) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe() failed";
-  }
-  int read_fd = pipe_fds[0];
-  int write_fd = pipe_fds[1];
-
-  auto reader = std::make_unique<EpollReader>(len);
-
-  // Check that registering a FD for read alerts us when there is data to be
-  // read.
-  ep.RegisterFDForRead(read_fd, reader.get());
-  char data = 'a';
-  int size = write(write_fd, &data, 1);
-  EXPECT_EQ(1, size);
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_TRUE(reader->CheckOutput(&data, len));
-
-  // Remove the callback for read events, write to the pipe and make sure that
-  // we did not read more data.
-  ep.StopRead(read_fd);
-  size = write(write_fd, &data, len);
-  EXPECT_EQ(1, size);
-  // The wait will return after timeout.
-  ep.WaitForEventsAndExecuteCallbacks();
-  EXPECT_TRUE(reader->CheckOutput(&data, len));
-  ep.UnregisterFD(read_fd);
-
-  close(read_fd);
-  close(write_fd);
-}
-
-class EdgeTriggerCB : public EpollCallbackInterface {
- public:
-  EdgeTriggerCB(int read_size, int write_size, char write_char, char peer_char)
-      : eps_(nullptr),
-        read_buf_(read_size),
-        write_buf_(write_size, write_char),
-        peer_char_(peer_char) {
-    Reset();
-  }
-
-  ~EdgeTriggerCB() override {}
-
-  void Reset() {
-    CHECK(eps_ == nullptr);
-    bytes_read_ = 0;
-    bytes_written_ = 0;
-    can_read_ = false;
-    will_read_ = false;
-    can_write_ = false;
-    will_write_ = false;
-    read_closed_ = false;
-    write_closed_ = false;
-  }
-
-  void ResetByteCounts() { bytes_read_ = bytes_written_ = 0; }
-
-  void set_will_read(bool will_read) { will_read_ = will_read; }
-
-  void set_will_write(bool will_write) { will_write_ = will_write; }
-
-  bool can_write() const { return can_write_; }
-
-  int bytes_read() const { return bytes_read_; }
-
-  int bytes_written() const { return bytes_written_; }
-
-  void OnRegistration(SimpleEpollServer* eps, int fd, int event_mask) override {
-    EXPECT_TRUE(eps_ == nullptr);
-    eps_ = eps;
-    Initialize(fd, event_mask);
-  }
-
-  void OnModification(int fd, int event_mask) override {
-    EXPECT_TRUE(eps_ != nullptr);
-    if (event_mask & EPOLLET) {
-      Initialize(fd, event_mask);
-    } else {
-      eps_->SetFDNotReady(fd);
-    }
-  }
-
-  void OnEvent(int fd, EpollEvent* event) override {
-    const int event_mask = event->in_events;
-    if (event_mask & (EPOLLHUP | EPOLLERR)) {
-      write_closed_ = true;
-      return;
-    }
-    if (will_read_ && event_mask & EPOLLIN) {
-      EXPECT_FALSE(read_closed_);
-      int read_size = read_buf_.size();
-      memset(&read_buf_[0], 0, read_size);
-      int len = recv(fd, &read_buf_[0], read_size, MSG_DONTWAIT);
-      // Update the readiness states
-      can_read_ = (len == read_size);
-
-      if (len > 0) {
-        bytes_read_ += len;
-        EPOLL_VLOG(1) << "fd: " << fd << ", read " << len
-                      << ", total: " << bytes_read_;
-        // Now check the bytes read
-        EXPECT_TRUE(CheckReadBuffer(len));
-      } else if (len < 0) {
-        EPOLL_VLOG(1) << "fd: " << fd << " read hit EAGAIN";
-        EXPECT_EQ(EAGAIN, errno) << strerror(errno);
-        can_read_ = false;
-      } else {
-        read_closed_ = true;
-      }
-    }
-    if (will_write_ && event_mask & EPOLLOUT) {
-      // Write side close/full close can only detected by EPOLLHUP, which is
-      // caused by EPIPE.
-      EXPECT_FALSE(write_closed_);
-      int write_size = write_buf_.size();
-      int len = send(fd, &write_buf_[0], write_size, MSG_DONTWAIT);
-      can_write_ = (len == write_size);
-      if (len > 0) {
-        bytes_written_ += len;
-        EPOLL_VLOG(1) << "fd: " << fd << ", write " << len
-                      << ", total: " << bytes_written_;
-      } else {
-        EPOLL_VLOG(1) << "fd: " << fd << " write hit EAGAIN";
-        EXPECT_EQ(EAGAIN, errno) << strerror(errno);
-        can_write_ = false;
-      }
-    }
-    // Since we can only get on the ready list once, wait till we confirm both
-    // read and write side continuation state and set the correct event mask
-    // for the ready list.
-    event->out_ready_mask = can_read_ ? static_cast<int>(EPOLLIN) : 0;
-    if (can_write_) {
-      event->out_ready_mask |= EPOLLOUT;
-    }
-  }
-
-  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {
-    EXPECT_TRUE(eps_ != nullptr);
-    eps_ = nullptr;
-  }
-
-  void OnShutdown(SimpleEpollServer* /*eps*/, int /*fd*/) override {
-    // None of the current tests involve having active callbacks when the
-    // server shuts down.
-    EPOLL_LOG(FATAL);
-  }
-
-  std::string Name() const override { return "EdgeTriggerCB"; }
-
- private:
-  SimpleEpollServer* eps_;
-  std::vector<char> read_buf_;
-  int bytes_read_;
-  std::vector<char> write_buf_;
-  int bytes_written_;
-  char peer_char_;  // The char we expected to read.
-  bool can_read_;
-  bool will_read_;
-  bool can_write_;
-  bool will_write_;
-  bool read_closed_;
-  bool write_closed_;
-
-  void Initialize(int fd, int event_mask) {
-    CHECK(eps_);
-    can_read_ = can_write_ = false;
-    if (event_mask & EPOLLET) {
-      int events = 0;
-      if (event_mask & EPOLLIN) {
-        events |= EPOLLIN;
-        can_read_ = true;
-      }
-      if (event_mask & EPOLLOUT) {
-        events |= EPOLLOUT;
-        can_write_ = true;
-      }
-      eps_->SetFDReady(fd, events);
-    }
-  }
-
-  bool CheckReadBuffer(int len) const {
-    for (int i = 0; i < len; ++i) {
-      if (peer_char_ != read_buf_[i]) {
-        return false;
-      }
-    }
-    return true;
-  }
-};
-
-// Test adding and removing from the ready list.
-TEST(SimpleEpollServerTest, TestReadyList) {
-  SimpleEpollServer ep;
-  int pipe_fds[2];
-  if (pipe(pipe_fds) < 0) {
-    EPOLL_PLOG(FATAL) << "pipe() failed";
-  }
-
-  // Just use any CB will do, since we never wait on epoll events.
-  EdgeTriggerCB reader1(0, 0, 0, 0);
-  EdgeTriggerCB reader2(0, 0, 0, 0);
-
-  ep.RegisterFD(pipe_fds[0], &reader1, EPOLLIN);
-  ep.RegisterFD(pipe_fds[1], &reader2, EPOLLOUT);
-
-  // Adding fds that are registered with eps
-  EXPECT_FALSE(ep.IsFDReady(pipe_fds[0]));
-  EXPECT_FALSE(ep.IsFDReady(pipe_fds[1]));
-
-  ep.SetFDReady(pipe_fds[0], EPOLLIN);
-  EXPECT_TRUE(ep.IsFDReady(pipe_fds[0]));
-  EXPECT_FALSE(ep.IsFDReady(pipe_fds[1]));
-  EXPECT_EQ(1u, ep.ReadyListSize());
-  ep.SetFDReady(pipe_fds[1], EPOLLOUT);
-  EXPECT_TRUE(ep.IsFDReady(pipe_fds[0]));
-  EXPECT_TRUE(ep.IsFDReady(pipe_fds[1]));
-  EXPECT_EQ(2u, ep.ReadyListSize());
-
-  // Now check that SetFDNotReady doesn't affect other fds
-  ep.SetFDNotReady(pipe_fds[0]);
-  EXPECT_FALSE(ep.IsFDReady(pipe_fds[0]));
-  EXPECT_TRUE(ep.IsFDReady(pipe_fds[1]));
-  EXPECT_EQ(1u, ep.ReadyListSize());
-
-  ep.UnregisterFD(pipe_fds[0]);
-  ep.UnregisterFD(pipe_fds[1]);
-  EXPECT_EQ(0u, ep.ReadyListSize());
-
-  // Now try adding them when they are not registered, and it shouldn't work.
-  ep.SetFDReady(pipe_fds[0], EPOLLIN);
-  EXPECT_FALSE(ep.IsFDReady(pipe_fds[0]));
-  EXPECT_EQ(0u, ep.ReadyListSize());
-
-  close(pipe_fds[0]);
-  close(pipe_fds[1]);
-}
-
-class EPSWaitThread : public EpollThread {
- public:
-  explicit EPSWaitThread(SimpleEpollServer* eps)
-      : EpollThread("EPSWait"), eps_(eps), done_(false) {}
-
-  void Run() override { eps_->WaitForEventsAndExecuteCallbacks(); }
-
-  bool done() { return done_; }
-
- private:
-  SimpleEpollServer* eps_;
-  bool done_;
-};
-
-TEST(EpollServerTest, TestWake) {
-  SimpleEpollServer eps;
-  eps.set_timeout_in_us(-1);
-  EPSWaitThread eps_thread(&eps);
-  eps_thread.Start();
-
-  EXPECT_FALSE(eps_thread.done());
-  eps.Wake();
-  eps_thread.Join();
-}
-
-class UnRegisterWhileProcessingCB : public EpollCallbackInterface {
- public:
-  explicit UnRegisterWhileProcessingCB(int fd) : eps_(nullptr), fd_(fd) {}
-
-  ~UnRegisterWhileProcessingCB() override {}
-
-  void OnShutdown(SimpleEpollServer* /*eps*/, int /*fd*/) override {}
-
-  void set_epoll_server(SimpleEpollServer* eps) { eps_ = eps; }
-  void OnRegistration(SimpleEpollServer* /*eps*/, int /*fd*/,
-                      int /*event_mask*/) override {}
-  void OnModification(int /*fd*/, int /*event_mask*/) override {}
-  void OnEvent(int /*fd*/, EpollEvent* /*event*/) override {
-    // This should cause no problems.
-    eps_->UnregisterFD(fd_);
-  }
-  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {}
-  std::string Name() const override { return "UnRegisterWhileProcessingCB"; }
-
- protected:
-  SimpleEpollServer* eps_;
-  int fd_;
-};
-
-class RegisterWhileProcessingCB : public EpollCallbackInterface {
- public:
-  RegisterWhileProcessingCB(int fd, EpollCallbackInterface* cb)
-      : eps_(nullptr), fd_(fd), cb_(cb) {}
-
-  ~RegisterWhileProcessingCB() override {}
-
-  void OnShutdown(SimpleEpollServer* /*eps*/, int /*fd*/) override {}
-
-  void set_epoll_server(SimpleEpollServer* eps) { eps_ = eps; }
-  void OnRegistration(SimpleEpollServer* /*eps*/, int /*fd*/,
-                      int /*event_mask*/) override {}
-  void OnModification(int /*fd*/, int /*event_mask*/) override {}
-  void OnEvent(int /*fd*/, EpollEvent* /*event*/) override {
-    // This should cause no problems.
-    eps_->RegisterFDForReadWrite(fd_, cb_);
-  }
-  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {}
-  std::string Name() const override { return "RegisterWhileProcessingCB"; }
-
- protected:
-  SimpleEpollServer* eps_;
-  int fd_;
-  EpollCallbackInterface* cb_;
-};
-
-// Nothing bad should happen when we do this. We're -only-
-// testing that nothing bad occurs in this test.
-TEST(SimpleEpollServerTest, NothingBadWhenUnRegisteringFDWhileProcessingIt) {
-  UnRegisterWhileProcessingCB cb(0);
-  {
-    FakeSimpleEpollServer epoll_server;
-    cb.set_epoll_server(&epoll_server);
-    epoll_server.RegisterFDForReadWrite(0, &cb);
-    epoll_event ee;
-    ee.data.fd = 0;
-    epoll_server.AddEvent(0, ee);
-    epoll_server.AdvanceBy(1);
-    epoll_server.WaitForEventsAndExecuteCallbacks();
-  }
-}
-
-//
-// testing that nothing bad occurs in this test.
-TEST(SimpleEpollServerTest,
-     NoEventsDeliveredForFdsOfUnregisteredCBsWithReRegdFD) {
-  // events: fd0, fd1, fd2
-  // fd0 -> unreg fd2
-  // fd1 -> reg fd2
-  // fd2 -> no event should be seen
-  RecordingCB recorder_cb;
-  UnRegisterWhileProcessingCB unreg_cb(-3);
-  RegisterWhileProcessingCB reg_other_cb(-3, &recorder_cb);
-  {
-    FakeSimpleEpollServer epoll_server;
-    unreg_cb.set_epoll_server(&epoll_server);
-    reg_other_cb.set_epoll_server(&epoll_server);
-    epoll_server.RegisterFDForReadWrite(-1, &unreg_cb);
-    epoll_server.RegisterFDForReadWrite(-2, &reg_other_cb);
-    epoll_server.RegisterFDForReadWrite(-3, &recorder_cb);
-
-    epoll_event ee;
-    ee.events = EPOLLIN;  // asserted for all events for this test.
-
-    // Note that these events are in 'backwards' order in terms of time.
-    // Currently, the SimpleEpollServer code invokes the CBs from last delivered
-    // to first delivered, so this is to be sure that we invoke the CB for -1
-    // before -2, before -3.
-    ee.data.fd = -1;
-    epoll_server.AddEvent(2, ee);
-    ee.data.fd = -2;
-    epoll_server.AddEvent(1, ee);
-    ee.data.fd = -3;
-    epoll_server.AddEvent(0, ee);
-
-    epoll_server.AdvanceBy(5);
-    epoll_server.WaitForEventsAndExecuteCallbacks();
-  }
-
-  Recorder correct_recorder;
-  correct_recorder.Record(&recorder_cb, CREATION, 0, 0);
-  correct_recorder.Record(&recorder_cb, REGISTRATION, -3, EPOLLIN | EPOLLOUT);
-  correct_recorder.Record(&recorder_cb, UNREGISTRATION, -3, 0);
-  correct_recorder.Record(&recorder_cb, REGISTRATION, -3, EPOLLIN | EPOLLOUT);
-  correct_recorder.Record(&recorder_cb, SHUTDOWN, -3, 0);
-
-  EXPECT_TRUE(correct_recorder.IsEqual(recorder_cb.recorder()));
-}
-
-class ReRegWhileReadyListOnEvent : public EpollCallbackInterface {
- public:
-  explicit ReRegWhileReadyListOnEvent(int /*fd*/) : eps_(nullptr) {}
-
-  void OnShutdown(SimpleEpollServer* /*eps*/, int /*fd*/) override {}
-
-  void set_epoll_server(SimpleEpollServer* eps) { eps_ = eps; }
-  void OnRegistration(SimpleEpollServer* /*eps*/, int /*fd*/,
-                      int /*event_mask*/) override {}
-  void OnModification(int /*fd*/, int /*event_mask*/) override {}
-  void OnEvent(int fd, EpollEvent* /*event_mask*/) override {
-    // This should cause no problems.
-    eps_->UnregisterFD(fd);
-    eps_->RegisterFDForReadWrite(fd, this);
-    eps_->UnregisterFD(fd);
-  }
-  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {}
-  std::string Name() const override { return "ReRegWhileReadyListOnEvent"; }
-
- protected:
-  SimpleEpollServer* eps_;
-};
-
-// Nothing bad should happen when we do this. We're -only-
-// testing that nothing bad occurs in this test.
-TEST(SimpleEpollServerTest,
-     NothingBadWhenReRegisteringFDWhileProcessingFromReadyList) {
-  ReRegWhileReadyListOnEvent cb(0);
-  {
-    FakeSimpleEpollServer epoll_server;
-    cb.set_epoll_server(&epoll_server);
-    epoll_server.RegisterFDForReadWrite(0, &cb);
-    epoll_event ee;
-    ee.data.fd = 0;
-    epoll_server.AddEvent(0, ee);
-    epoll_server.AdvanceBy(1);
-    epoll_server.WaitForEventsAndExecuteCallbacks();
-  }
-}
-
-class UnRegEverythingReadyListOnEvent : public EpollCallbackInterface {
- public:
-  UnRegEverythingReadyListOnEvent() : eps_(nullptr), fd_(0), fd_range_(0) {}
-
-  void set_fd(int fd) { fd_ = fd; }
-  void set_fd_range(int fd_range) { fd_range_ = fd_range; }
-  void set_num_called(int* num_called) { num_called_ = num_called; }
-
-  void OnShutdown(SimpleEpollServer* /*eps*/, int /*fd*/) override {}
-
-  void set_epoll_server(SimpleEpollServer* eps) { eps_ = eps; }
-  void OnRegistration(SimpleEpollServer* eps, int fd,
-                      int /*event_mask*/) override {
-    eps->SetFDReady(fd, EPOLLIN);
-  }
-  void OnModification(int /*fd*/, int /*event_mask*/) override {}
-  void OnEvent(int /*fd*/, EpollEvent* /*event*/) override {
-    // This should cause no problems.
-    CHECK(num_called_ != nullptr);
-    ++(*num_called_);
-    // Note that we're iterating from -fd_range + 1 -> 0.
-    // We do this because there is an FD installed into the
-    // epollserver somewhere in the low numbers.
-    // Using negative FD numbers (which are guaranteed to not
-    // exist in the epoll-server) ensures that we will not
-    // come in conflict with the preexisting FD.
-    for (int i = -fd_range_ + 1; i <= 0; ++i) {
-      eps_->UnregisterFD(i);
-    }
-  }
-  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {}
-  std::string Name() const override {
-    return "UnRegEverythingReadyListOnEvent";
-  }
-
- protected:
-  SimpleEpollServer* eps_;
-  int fd_;
-  int fd_range_;
-  int* num_called_;
-};
-
-TEST(SimpleEpollServerTest,
-     NothingBadWhenUnRegisteredWhileProcessingFromReadyList) {
-  const size_t kNumCallbacks = 32u;
-  UnRegEverythingReadyListOnEvent callbacks[kNumCallbacks];
-  int num_called = 0;
-  {
-    FakeSimpleEpollServer epoll_server;
-    for (size_t i = 0; i < kNumCallbacks; ++i) {
-      callbacks[i].set_fd(-i);
-      callbacks[i].set_fd_range(kNumCallbacks);
-      callbacks[i].set_num_called(&num_called);
-      callbacks[i].set_epoll_server(&epoll_server);
-      epoll_server.RegisterFDForReadWrite(0, &callbacks[i]);
-      epoll_event ee;
-      ee.data.fd = -i;
-      epoll_server.AddEvent(0, ee);
-    }
-    epoll_server.AdvanceBy(1);
-    epoll_server.WaitForEventsAndExecuteCallbacks();
-    epoll_server.WaitForEventsAndExecuteCallbacks();
-  }
-  EXPECT_EQ(1, num_called);
-}
-
-TEST(SimpleEpollServerTest, TestThatVerifyReadyListWorksWithNothingInList) {
-  FakeSimpleEpollServer epoll_server;
-  epoll_server.VerifyReadyList();
-}
-
-TEST(SimpleEpollServerTest, TestThatVerifyReadyListWorksWithStuffInLists) {
-  FakeSimpleEpollServer epoll_server;
-  epoll_server.VerifyReadyList();
-}
-
-TEST(SimpleEpollServerTest,
-     ApproximateNowInUsAccurateOutideOfWaitForEventsAndExecuteCallbacks) {
-  FakeSimpleEpollServer epoll_server;
-  epoll_server.AdvanceBy(1232);
-  EXPECT_EQ(epoll_server.ApproximateNowInUsec(), epoll_server.NowInUsec());
-  epoll_server.AdvanceBy(1111);
-  EXPECT_EQ(epoll_server.ApproximateNowInUsec(), epoll_server.NowInUsec());
-}
-
-class ApproximateNowInUsecTestCB : public EpollCallbackInterface {
- public:
-  ApproximateNowInUsecTestCB() : feps_(nullptr), called_(false) {}
-
-  void OnRegistration(SimpleEpollServer* /*eps*/, int /*fd*/,
-                      int /*event_mask*/) override {}
-  void OnModification(int /*fd*/, int /*event_mask*/) override {}
-  void OnEvent(int /*fd*/, EpollEvent* /*event*/) override {
-    EXPECT_EQ(feps_->ApproximateNowInUsec(), feps_->NowInUsec());
-    feps_->AdvanceBy(1111);
-    EXPECT_EQ(1 * 1111 + feps_->ApproximateNowInUsec(), feps_->NowInUsec());
-    feps_->AdvanceBy(1111);
-    EXPECT_EQ(2 * 1111 + feps_->ApproximateNowInUsec(), feps_->NowInUsec());
-    called_ = true;
-  }
-  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {}
-  void OnShutdown(SimpleEpollServer* /*eps*/, int /*fd*/) override {}
-  std::string Name() const override { return "ApproximateNowInUsecTestCB"; }
-
-  void set_fakeepollserver(FakeSimpleEpollServer* feps) { feps_ = feps; }
-  bool called() const { return called_; }
-
- protected:
-  FakeSimpleEpollServer* feps_;
-  bool called_;
-};
-
-TEST(SimpleEpollServerTest,
-     ApproximateNowInUsApproximateInsideOfWaitForEventsAndExecuteCallbacks) {
-  int dummy_fd = 11111;
-  ApproximateNowInUsecTestCB aniutcb;
-  {
-    FakeSimpleEpollServer epoll_server;
-    aniutcb.set_fakeepollserver(&epoll_server);
-
-    epoll_server.RegisterFD(dummy_fd, &aniutcb, EPOLLIN);
-    epoll_event ee;
-    ee.data.fd = dummy_fd;
-    ee.events = EPOLLIN;
-    epoll_server.AddEvent(10242, ee);
-    epoll_server.set_timeout_in_us(-1);
-    epoll_server.AdvanceByAndWaitForEventsAndExecuteCallbacks(20000);
-    EXPECT_TRUE(aniutcb.called());
-  }
-}
-
-// A mock epoll server that also simulates kernel delay in scheduling epoll
-// events.
-class FakeEpollServerWithDelay : public FakeSimpleEpollServer {
- public:
-  FakeEpollServerWithDelay() : FakeSimpleEpollServer(), delay(0) {}
-
-  int delay;
-
- protected:
-  int epoll_wait_impl(int epfd, struct epoll_event* events, int max_events,
-                      int timeout_in_ms) override {
-    int out = FakeSimpleEpollServer::epoll_wait_impl(epfd, events, max_events,
-                                                     timeout_in_ms);
-    AdvanceBy(delay);
-    return out;
-  }
-};
-
-// A callback that records the epoll event's delay.
-class RecordDelayOnEvent : public EpollCallbackInterface {
- public:
-  RecordDelayOnEvent() : last_delay(-1), eps_(nullptr) {}
-
-  ~RecordDelayOnEvent() override {}
-
-  void OnShutdown(SimpleEpollServer* /*eps*/, int /*fd*/) override {}
-
-  std::string Name() const override { return "RecordDelayOnEvent"; }
-
-  void set_epoll_server(SimpleEpollServer* eps) { eps_ = eps; }
-  void OnRegistration(SimpleEpollServer* /*eps*/, int /*fd*/,
-                      int /*event_mask*/) override {}
-  void OnModification(int /*fd*/, int /*event_mask*/) override {}
-  void OnEvent(int /*fd*/, EpollEvent* /*event*/) override {
-    last_delay = eps_->LastDelayInUsec();
-  }
-  void OnUnregistration(int /*fd*/, bool /*replaced*/) override {}
-
-  int64_t last_delay;
-
- protected:
-  SimpleEpollServer* eps_;
-};
-
-// Tests that an epoll callback sees the correct delay for its event when it
-// calls LastDelayInUsec().
-TEST(EpollServerTest, TestLastDelay) {
-  RecordDelayOnEvent cb;
-  FakeEpollServerWithDelay epoll_server;
-
-  cb.set_epoll_server(&epoll_server);
-
-  epoll_server.RegisterFDForReadWrite(0, &cb);
-  epoll_event ee;
-  ee.data.fd = 0;
-
-  // Inject delay, and confirm that it's reported.
-  epoll_server.set_timeout_in_us(5000);
-  epoll_server.delay = 6000;
-  epoll_server.AddEvent(0, ee);
-  epoll_server.AdvanceBy(1);
-  epoll_server.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(cb.last_delay, 1000);
-
-  // Fire an event before the timeout ends, and confirm that reported delay
-  // isn't negative.
-  epoll_server.set_timeout_in_us(5000);
-  epoll_server.delay = 0;
-  epoll_server.AddEvent(0, ee);
-  epoll_server.AdvanceBy(1);
-  epoll_server.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(cb.last_delay, 0);
-
-  // Wait forever until an event fires, and confirm there's no reported delay.
-  epoll_server.set_timeout_in_us(-1);
-  epoll_server.delay = 6000;
-  epoll_server.AddEvent(0, ee);
-  epoll_server.AdvanceBy(1);
-  epoll_server.WaitForEventsAndExecuteCallbacks();
-  EXPECT_EQ(cb.last_delay, 0);
-}
-
-TEST(SimpleEpollServerAlarmTest, TestShutdown) {
-  std::unique_ptr<SimpleEpollServer> eps(new SimpleEpollServer);
-  EpollAlarm alarm1;
-  EpollAlarm alarm2;
-
-  eps->RegisterAlarmApproximateDelta(10000000, &alarm1);
-  eps->RegisterAlarmApproximateDelta(10000000, &alarm2);
-
-  alarm2.UnregisterIfRegistered();
-  EXPECT_FALSE(alarm2.registered());
-  eps = nullptr;
-
-  EXPECT_FALSE(alarm1.registered());
-}
-
-TEST(SimpleEpollServerAlarmTest, TestUnregister) {
-  SimpleEpollServer eps;
-  EpollAlarm alarm;
-
-  eps.RegisterAlarmApproximateDelta(10000000, &alarm);
-  EXPECT_TRUE(alarm.registered());
-
-  alarm.UnregisterIfRegistered();
-  EXPECT_FALSE(alarm.registered());
-
-  alarm.UnregisterIfRegistered();
-  EXPECT_FALSE(alarm.registered());
-}
-
-TEST(SimpleEpollServerAlarmTest, TestUnregisterOnDestruction) {
-  EpollTestServer eps;
-  std::unique_ptr<EpollAlarm> alarm(new EpollAlarm());
-  EpollAlarm* alarm_ptr = alarm.get();
-
-  eps.RegisterAlarmApproximateDelta(10000000, alarm.get());
-  EXPECT_TRUE(eps.ContainsAlarm(alarm_ptr));
-  alarm = nullptr;
-  EXPECT_EQ(0u, eps.GetNumPendingAlarmsForTest());
-}
-
-TEST(SimpleEpollServerAlarmTest, TestUnregisterOnAlarm) {
-  EpollTestServer eps;
-  EpollAlarm alarm;
-
-  eps.RegisterAlarmApproximateDelta(1, &alarm);
-  EXPECT_TRUE(eps.ContainsAlarm(&alarm));
-
-  while (alarm.registered()) {
-    eps.WaitForEventsAndExecuteCallbacks();
-  }
-  EXPECT_FALSE(eps.ContainsAlarm(&alarm));
-}
-
-TEST(SimpleEpollServerAlarmTest, TestReregisterAlarm) {
-  EpollTestAlarms ep;
-
-  EpollAlarm alarm;
-  ep.set_time(1000);
-  ep.RegisterAlarm(5000, &alarm);
-
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-  alarm.ReregisterAlarm(6000);
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-
-  ep.set_time(5000);
-  ep.set_timeout_in_us(0);
-  ep.CallAndReregisterAlarmEvents();
-  EXPECT_EQ(1u, ep.GetNumPendingAlarmsForTest());
-
-  ep.set_time(6000);
-  ep.CallAndReregisterAlarmEvents();
-  EXPECT_EQ(0u, ep.GetNumPendingAlarmsForTest());
-}
-
-TEST(SimpleEpollServerAlarmTest, TestThatSameAlarmCanNotBeRegisteredTwice) {
-  TestAlarm alarm;
-  SimpleEpollServer epoll_server;
-  epoll_server.RegisterAlarm(1, &alarm);
-  EXPECT_EPOLL_BUG(epoll_server.RegisterAlarm(1, &alarm),
-                   "Alarm already exists");
-}
-
-}  // namespace
-
-}  // namespace test
-
-}  // namespace epoll_server
diff --git a/chromium/net/third_party/quiche/src/quiche/http2/adapter/oghttp2_session.cc b/chromium/net/third_party/quiche/src/quiche/http2/adapter/oghttp2_session.cc
index 73f4e96fce8..44ec7391816 100644
--- a/chromium/net/third_party/quiche/src/quiche/http2/adapter/oghttp2_session.cc
+++ b/chromium/net/third_party/quiche/src/quiche/http2/adapter/oghttp2_session.cc
@@ -335,13 +335,15 @@ OgHttp2Session::OgHttp2Session(Http2VisitorInterface& visitor, Options options)
       event_forwarder_([this]() { return !latched_error_; }, *this),
       receive_logger_(
           &event_forwarder_, TracePerspectiveAsString(options.perspective),
-          [logging_enabled = GetQuicheFlag(
-               FLAGS_quiche_oghttp2_debug_trace)]() { return logging_enabled; },
+          [logging_enabled = GetQuicheFlag(quiche_oghttp2_debug_trace)]() {
+            return logging_enabled;
+          },
           this),
       send_logger_(
           TracePerspectiveAsString(options.perspective),
-          [logging_enabled = GetQuicheFlag(
-               FLAGS_quiche_oghttp2_debug_trace)]() { return logging_enabled; },
+          [logging_enabled = GetQuicheFlag(quiche_oghttp2_debug_trace)]() {
+            return logging_enabled;
+          },
           this),
       headers_handler_(*this, visitor),
       noop_headers_handler_(/*listener=*/nullptr),
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/bindings/quic_libevent.h b/chromium/net/third_party/quiche/src/quiche/quic/bindings/quic_libevent.h
index d8aa49370cd..b06ab4ec2d5 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/bindings/quic_libevent.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/bindings/quic_libevent.h
@@ -36,6 +36,7 @@ class QUICHE_EXPORT_PRIVATE LibeventQuicEventLoop : public QuicEventLoop {
   bool ArtificiallyNotifyEvent(QuicUdpSocketFd fd,
                                QuicSocketEventMask events) override;
   void RunEventLoopOnce(QuicTime::Delta default_timeout) override;
+  const QuicClock* GetClock() override { return clock_; }
 
   // Can be called from another thread to wake up the event loop from a blocking
   // RunEventLoopOnce() call.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bandwidth_sampler.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bandwidth_sampler.cc
index e216d09ba60..fe42e083e58 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bandwidth_sampler.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bandwidth_sampler.cc
@@ -142,7 +142,7 @@ BandwidthSampler::BandwidthSampler(
       last_acked_packet_ack_time_(QuicTime::Zero()),
       is_app_limited_(true),
       connection_state_map_(),
-      max_tracked_packets_(GetQuicFlag(FLAGS_quic_max_tracked_packet_count)),
+      max_tracked_packets_(GetQuicFlag(quic_max_tracked_packet_count)),
       unacked_packet_map_(unacked_packet_map),
       max_ack_height_tracker_(max_height_tracker_window_length),
       total_bytes_acked_after_last_ack_event_(0),
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bandwidth_sampler.h b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bandwidth_sampler.h
index 75851e9b09b..3ca09d1c578 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bandwidth_sampler.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bandwidth_sampler.h
@@ -177,7 +177,7 @@ class QUIC_EXPORT_PRIVATE MaxAckHeightTracker {
   // one. Stats only.
   uint64_t num_ack_aggregation_epochs_ = 0;
   double ack_aggregation_bandwidth_threshold_ =
-      GetQuicFlag(FLAGS_quic_ack_aggregation_bandwidth_threshold);
+      GetQuicFlag(quic_ack_aggregation_bandwidth_threshold);
   bool start_new_aggregation_epoch_after_full_round_ = false;
   bool reduce_extra_acked_on_bandwidth_increase_ = false;
 };
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_misc.h b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_misc.h
index 3c85e85ec12..078c049105f 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_misc.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_misc.h
@@ -89,7 +89,7 @@ struct QUIC_EXPORT_PRIVATE Bbr2Params {
 
   // The minimum number of loss marking events to exit STARTUP.
   int64_t startup_full_loss_count =
-      GetQuicFlag(FLAGS_quic_bbr2_default_startup_full_loss_count);
+      GetQuicFlag(quic_bbr2_default_startup_full_loss_count);
 
   // If true, always exit STARTUP on loss, even if bandwidth exceeds threshold.
   // If false, exit STARTUP on loss only if bandwidth is below threshold.
@@ -125,16 +125,16 @@ struct QUIC_EXPORT_PRIVATE Bbr2Params {
   // Minimum duration for BBR-native probes.
   QuicTime::Delta probe_bw_probe_base_duration =
       QuicTime::Delta::FromMilliseconds(
-          GetQuicFlag(FLAGS_quic_bbr2_default_probe_bw_base_duration_ms));
+          GetQuicFlag(quic_bbr2_default_probe_bw_base_duration_ms));
 
   // The upper bound of the random amount of BBR-native probes.
   QuicTime::Delta probe_bw_probe_max_rand_duration =
       QuicTime::Delta::FromMilliseconds(
-          GetQuicFlag(FLAGS_quic_bbr2_default_probe_bw_max_rand_duration_ms));
+          GetQuicFlag(quic_bbr2_default_probe_bw_max_rand_duration_ms));
 
   // The minimum number of loss marking events to exit the PROBE_UP phase.
   int64_t probe_bw_full_loss_count =
-      GetQuicFlag(FLAGS_quic_bbr2_default_probe_bw_full_loss_count);
+      GetQuicFlag(quic_bbr2_default_probe_bw_full_loss_count);
 
   // Multiplier to get target inflight (as multiple of BDP) for PROBE_UP phase.
   float probe_bw_probe_inflight_gain = 1.25;
@@ -163,7 +163,7 @@ struct QUIC_EXPORT_PRIVATE Bbr2Params {
    */
   float probe_rtt_inflight_target_bdp_fraction = 0.5;
   QuicTime::Delta probe_rtt_period = QuicTime::Delta::FromMilliseconds(
-      GetQuicFlag(FLAGS_quic_bbr2_default_probe_rtt_period_ms));
+      GetQuicFlag(quic_bbr2_default_probe_rtt_period_ms));
   QuicTime::Delta probe_rtt_duration = QuicTime::Delta::FromMilliseconds(200);
 
   /*
@@ -172,14 +172,14 @@ struct QUIC_EXPORT_PRIVATE Bbr2Params {
 
   // The initial value of the max ack height filter's window length.
   QuicRoundTripCount initial_max_ack_height_filter_window =
-      GetQuicFlag(FLAGS_quic_bbr2_default_initial_ack_height_filter_window);
+      GetQuicFlag(quic_bbr2_default_initial_ack_height_filter_window);
 
   // Fraction of unutilized headroom to try to leave in path upon high loss.
   float inflight_hi_headroom =
-      GetQuicFlag(FLAGS_quic_bbr2_default_inflight_hi_headroom);
+      GetQuicFlag(quic_bbr2_default_inflight_hi_headroom);
 
   // Estimate startup/bw probing has gone too far if loss rate exceeds this.
-  float loss_threshold = GetQuicFlag(FLAGS_quic_bbr2_default_loss_threshold);
+  float loss_threshold = GetQuicFlag(quic_bbr2_default_loss_threshold);
 
   // A common factor for multiplicative decreases. Used for adjusting
   // bandwidth_lo, inflight_lo and inflight_hi upon losses.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_probe_bw.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_probe_bw.cc
index a06b7d11622..88e87b67d11 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_probe_bw.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_probe_bw.cc
@@ -202,8 +202,6 @@ Bbr2ProbeBwMode::AdaptUpperBoundsResult Bbr2ProbeBwMode::MaybeAdaptUpperBounds(
         if (send_state.is_app_limited) {
           // If there's excess loss or a queue is building, exit even if the
           // last sample was app limited.
-          QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr2_no_probe_up_exit_if_no_queue,
-                                       2, 2);
         }
         const QuicByteCount inflight_target =
             sender_->GetTargetBytesInflight() * (1.0 - Params().beta);
@@ -483,8 +481,6 @@ void Bbr2ProbeBwMode::UpdateProbeUp(
     //   HasPhaseLasted(model_->MinRtt(), congestion_event)
   } else if (cycle_.rounds_in_phase > 0) {
     if (Params().probe_up_dont_exit_if_no_queue_) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr2_no_probe_up_exit_if_no_queue, 1,
-                                   2);
       is_queuing = congestion_event.end_of_round_trip &&
                    model_->CheckPersistentQueue(
                        congestion_event, Params().probe_bw_probe_inflight_gain);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_sender.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_sender.cc
index c6fab64782b..880ea356a96 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_sender.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_sender.cc
@@ -127,10 +127,7 @@ void Bbr2Sender::ApplyConnectionOptions(
     QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr2_extra_acked_window, 2, 2);
     model_.SetMaxAckHeightTrackerWindowLength(40);
   }
-  if (GetQuicReloadableFlag(quic_bbr2_support_new_startup_pacing_gain) &&
-      ContainsQuicTag(connection_options, kBBQ1)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr2_support_new_startup_pacing_gain, 2,
-                                 2);
+  if (ContainsQuicTag(connection_options, kBBQ1)) {
     params_.startup_pacing_gain = 2.773;
     params_.drain_pacing_gain = 1.0 / params_.drain_cwnd_gain;
   }
@@ -175,27 +172,19 @@ void Bbr2Sender::ApplyConnectionOptions(
   if (ContainsQuicTag(connection_options, kB201)) {
     params_.probe_bw_check_cwnd_limited_before_aggregation_epoch = true;
   }
-  if (GetQuicReloadableFlag(quic_bbr2_no_probe_up_exit_if_no_queue) &&
-      ContainsQuicTag(connection_options, kB202)) {
+  if (ContainsQuicTag(connection_options, kB202)) {
     params_.probe_up_dont_exit_if_no_queue_ = true;
   }
-  if (GetQuicReloadableFlag(quic_bbr2_ignore_inflight_hi_in_probe_up) &&
-      ContainsQuicTag(connection_options, kB203)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_bbr2_ignore_inflight_hi_in_probe_up);
+  if (ContainsQuicTag(connection_options, kB203)) {
     params_.probe_up_ignore_inflight_hi = true;
   }
-  if (GetQuicReloadableFlag(quic_bbr2_startup_extra_acked) &&
-      ContainsQuicTag(connection_options, kB204)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr2_startup_extra_acked, 1, 2);
+  if (ContainsQuicTag(connection_options, kB204)) {
     model_.SetReduceExtraAckedOnBandwidthIncrease(true);
   }
-  if (GetQuicReloadableFlag(quic_bbr2_startup_extra_acked) &&
-      ContainsQuicTag(connection_options, kB205)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr2_startup_extra_acked, 2, 2);
+  if (ContainsQuicTag(connection_options, kB205)) {
     params_.startup_include_extra_acked = true;
   }
-  if (GetQuicReloadableFlag(quic_bbr2_exit_startup_on_persistent_queue2) &&
-      ContainsQuicTag(connection_options, kB207)) {
+  if (ContainsQuicTag(connection_options, kB207)) {
     params_.exit_startup_on_persistent_queue = true;
   }
 
@@ -209,9 +198,7 @@ void Bbr2Sender::ApplyConnectionOptions(
     params_.probe_up_includes_acks_after_cwnd_limited = true;
   }
 
-  if (GetQuicReloadableFlag(quic_bbr2_startup_probe_up_loss_events) &&
-      ContainsQuicTag(connection_options, kB206)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_bbr2_startup_probe_up_loss_events);
+  if (ContainsQuicTag(connection_options, kB206)) {
     params_.startup_full_loss_count = params_.probe_bw_full_loss_count;
   }
 }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_simulator_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_simulator_test.cc
index 43645e335cb..f807f020838 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_simulator_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_simulator_test.cc
@@ -123,7 +123,7 @@ class Bbr2SimulatorTest : public QuicTest {
   Bbr2SimulatorTest() : simulator_(&random_) {
     // Prevent the server(receiver), which only sends acks, from closing
     // connection due to too many outstanding packets.
-    SetQuicFlag(FLAGS_quic_max_tracked_packet_count, 1000000);
+    SetQuicFlag(quic_max_tracked_packet_count, 1000000);
   }
 
   void SetUp() override {
@@ -193,7 +193,7 @@ class Bbr2DefaultTopologyTest : public Bbr2SimulatorTest {
         endpoint->connection()->clock()->Now(),
         endpoint->connection()->sent_packet_manager().GetRttStats(),
         GetUnackedMap(endpoint->connection()), kDefaultInitialCwndPackets,
-        GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
+        GetQuicFlag(quic_max_congestion_window), &random_,
         QuicConnectionPeer::GetStats(endpoint->connection()), old_sender);
     QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
     const int kTestMaxPacketSize = 1350;
@@ -385,7 +385,6 @@ TEST_F(Bbr2DefaultTopologyTest, NormalStartup) {
 }
 
 TEST_F(Bbr2DefaultTopologyTest, NormalStartupB207) {
-  SetQuicReloadableFlag(quic_bbr2_exit_startup_on_persistent_queue2, true);
   SetConnectionOption(kB207);
   DefaultTopologyParams params;
   CreateNetwork(params);
@@ -416,8 +415,6 @@ TEST_F(Bbr2DefaultTopologyTest, NormalStartupB207) {
 
 // Add extra_acked to CWND in STARTUP and exit STARTUP on a persistent queue.
 TEST_F(Bbr2DefaultTopologyTest, NormalStartupB207andB205) {
-  SetQuicReloadableFlag(quic_bbr2_startup_extra_acked, true);
-  SetQuicReloadableFlag(quic_bbr2_exit_startup_on_persistent_queue2, true);
   SetConnectionOption(kB205);
   SetConnectionOption(kB207);
   DefaultTopologyParams params;
@@ -519,7 +516,6 @@ TEST_F(Bbr2DefaultTopologyTest, SimpleTransferB201) {
 }
 
 TEST_F(Bbr2DefaultTopologyTest, SimpleTransferB206) {
-  SetQuicReloadableFlag(quic_bbr2_startup_probe_up_loss_events, true);
   SetConnectionOption(kB206);
   DefaultTopologyParams params;
   CreateNetwork(params);
@@ -539,7 +535,6 @@ TEST_F(Bbr2DefaultTopologyTest, SimpleTransferB206) {
 }
 
 TEST_F(Bbr2DefaultTopologyTest, SimpleTransferB207) {
-  SetQuicReloadableFlag(quic_bbr2_exit_startup_on_persistent_queue2, true);
   SetConnectionOption(kB207);
   DefaultTopologyParams params;
   CreateNetwork(params);
@@ -618,7 +613,6 @@ TEST_F(Bbr2DefaultTopologyTest, SimpleTransferBBR5) {
 }
 
 TEST_F(Bbr2DefaultTopologyTest, SimpleTransferBBQ1) {
-  SetQuicReloadableFlag(quic_bbr2_support_new_startup_pacing_gain, true);
   SetConnectionOption(kBBQ1);
   DefaultTopologyParams params;
   CreateNetwork(params);
@@ -678,11 +672,7 @@ TEST_F(Bbr2DefaultTopologyTest, SimpleTransfer2RTTAggregationBytes) {
   EXPECT_APPROX_EQ(params.BottleneckBandwidth(),
                    sender_->ExportDebugState().bandwidth_hi, 0.01f);
 
-  if (GetQuicReloadableFlag(quic_fix_pacing_sender_bursts)) {
-    EXPECT_EQ(sender_loss_rate_in_packets(), 0);
-  } else {
-    EXPECT_LE(sender_loss_rate_in_packets(), 0.05);
-  }
+  EXPECT_EQ(sender_loss_rate_in_packets(), 0);
   // The margin here is high, because both link level aggregation and ack
   // decimation can greatly increase smoothed rtt.
   EXPECT_GE(params.RTT() * 5, rtt_stats()->smoothed_rtt());
@@ -704,11 +694,7 @@ TEST_F(Bbr2DefaultTopologyTest, SimpleTransfer2RTTAggregationBytesB201) {
   EXPECT_APPROX_EQ(params.BottleneckBandwidth(),
                    sender_->ExportDebugState().bandwidth_hi, 0.5f);
 
-  if (GetQuicReloadableFlag(quic_fix_pacing_sender_bursts)) {
-    EXPECT_LE(sender_loss_rate_in_packets(), 0.01);
-  } else {
-    EXPECT_LE(sender_loss_rate_in_packets(), 0.05);
-  }
+  EXPECT_LE(sender_loss_rate_in_packets(), 0.01);
   // The margin here is high, because both link level aggregation and ack
   // decimation can greatly increase smoothed rtt.
   EXPECT_GE(params.RTT() * 5, rtt_stats()->smoothed_rtt());
@@ -867,7 +853,6 @@ TEST_F(Bbr2DefaultTopologyTest,
 
 // Test Bbr2's reaction to a 100x bandwidth increase during a transfer with B202
 TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthIncreaseB202)) {
-  SetQuicReloadableFlag(quic_bbr2_no_probe_up_exit_if_no_queue, true);
   SetConnectionOption(kB202);
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
@@ -901,7 +886,6 @@ TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthIncreaseB202)) {
 // in the presence of ACK aggregation.
 TEST_F(Bbr2DefaultTopologyTest,
        QUIC_SLOW_TEST(BandwidthIncreaseB202Aggregation)) {
-  SetQuicReloadableFlag(quic_bbr2_no_probe_up_exit_if_no_queue, true);
   SetConnectionOption(kB202);
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
@@ -939,7 +923,6 @@ TEST_F(Bbr2DefaultTopologyTest,
 
 // Test Bbr2's reaction to a 100x bandwidth increase during a transfer with B203
 TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthIncreaseB203)) {
-  SetQuicReloadableFlag(quic_bbr2_ignore_inflight_hi_in_probe_up, true);
   SetConnectionOption(kB203);
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
@@ -973,7 +956,6 @@ TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthIncreaseB203)) {
 // in the presence of ACK aggregation.
 TEST_F(Bbr2DefaultTopologyTest,
        QUIC_SLOW_TEST(BandwidthIncreaseB203Aggregation)) {
-  SetQuicReloadableFlag(quic_bbr2_ignore_inflight_hi_in_probe_up, true);
   SetConnectionOption(kB203);
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
@@ -1011,7 +993,6 @@ TEST_F(Bbr2DefaultTopologyTest,
 
 // Test Bbr2's reaction to a 100x bandwidth increase during a transfer with B204
 TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthIncreaseB204)) {
-  SetQuicReloadableFlag(quic_bbr2_startup_extra_acked, true);
   SetConnectionOption(kB204);
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
@@ -1046,7 +1027,6 @@ TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthIncreaseB204)) {
 // in the presence of ACK aggregation.
 TEST_F(Bbr2DefaultTopologyTest,
        QUIC_SLOW_TEST(BandwidthIncreaseB204Aggregation)) {
-  SetQuicReloadableFlag(quic_bbr2_startup_extra_acked, true);
   SetConnectionOption(kB204);
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
@@ -1086,7 +1066,6 @@ TEST_F(Bbr2DefaultTopologyTest,
 
 // Test Bbr2's reaction to a 100x bandwidth increase during a transfer with B205
 TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthIncreaseB205)) {
-  SetQuicReloadableFlag(quic_bbr2_startup_extra_acked, true);
   SetConnectionOption(kB205);
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
@@ -1120,7 +1099,6 @@ TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthIncreaseB205)) {
 // in the presence of ACK aggregation.
 TEST_F(Bbr2DefaultTopologyTest,
        QUIC_SLOW_TEST(BandwidthIncreaseB205Aggregation)) {
-  SetQuicReloadableFlag(quic_bbr2_startup_extra_acked, true);
   SetConnectionOption(kB205);
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
@@ -1443,8 +1421,8 @@ TEST_F(Bbr2DefaultTopologyTest, ExitStartupDueToLossB2SL) {
 // STARTUP at the end of the round even if there's enough bandwidth growth.
 TEST_F(Bbr2DefaultTopologyTest, ExitStartupDueToLossB2NE) {
   // Set up flags such that any loss will be considered "too high".
-  SetQuicFlag(FLAGS_quic_bbr2_default_startup_full_loss_count, 0);
-  SetQuicFlag(FLAGS_quic_bbr2_default_loss_threshold, 0.0);
+  SetQuicFlag(quic_bbr2_default_startup_full_loss_count, 0);
+  SetQuicFlag(quic_bbr2_default_loss_threshold, 0.0);
 
   sender_ = SetupBbr2Sender(&sender_endpoint_, /*old_sender=*/nullptr);
 
@@ -1683,7 +1661,7 @@ TEST_F(Bbr2DefaultTopologyTest, SwitchToBbr2MidConnection) {
                        sender_connection()->sent_packet_manager().GetRttStats(),
                        GetUnackedMap(sender_connection()),
                        kDefaultInitialCwndPackets + 1,
-                       GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
+                       GetQuicFlag(quic_max_congestion_window), &random_,
                        QuicConnectionPeer::GetStats(sender_connection()));
 
   QuicPacketNumber next_packet_number(1);
@@ -1973,9 +1951,9 @@ class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
         endpoint->connection()->sent_packet_manager().GetRttStats(),
         QuicSentPacketManagerPeer::GetUnackedPacketMap(
             QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
-        kDefaultInitialCwndPackets,
-        GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
-        QuicConnectionPeer::GetStats(endpoint->connection()), nullptr);
+        kDefaultInitialCwndPackets, GetQuicFlag(quic_max_congestion_window),
+        &random_, QuicConnectionPeer::GetStats(endpoint->connection()),
+        nullptr);
     // TODO(ianswett): Add dedicated tests for this option until it becomes
     // the default behavior.
     SetConnectionOption(sender, kBBRA);
@@ -1992,9 +1970,8 @@ class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
         endpoint->connection()->sent_packet_manager().GetRttStats(),
         QuicSentPacketManagerPeer::GetUnackedPacketMap(
             QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
-        kDefaultInitialCwndPackets,
-        GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
-        QuicConnectionPeer::GetStats(endpoint->connection()));
+        kDefaultInitialCwndPackets, GetQuicFlag(quic_max_congestion_window),
+        &random_, QuicConnectionPeer::GetStats(endpoint->connection()));
     QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
     endpoint->RecordTrace();
     return sender;
@@ -2007,8 +1984,7 @@ class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
     TcpCubicSenderBytes* sender = new TcpCubicSenderBytes(
         endpoint->connection()->clock(),
         endpoint->connection()->sent_packet_manager().GetRttStats(), reno,
-        kDefaultInitialCwndPackets,
-        GetQuicFlag(FLAGS_quic_max_congestion_window),
+        kDefaultInitialCwndPackets, GetQuicFlag(quic_max_congestion_window),
         QuicConnectionPeer::GetStats(endpoint->connection()));
     QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
     endpoint->RecordTrace();
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_startup.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_startup.cc
index 6910cb0f0d5..addf64b14ac 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_startup.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr2_startup.cc
@@ -54,7 +54,6 @@ Bbr2Mode Bbr2StartupMode::OnCongestionEvent(
   }
   bool has_bandwidth_growth = model_->HasBandwidthGrowth(congestion_event);
   if (Params().exit_startup_on_persistent_queue && !has_bandwidth_growth) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_bbr2_exit_startup_on_persistent_queue2);
     model_->CheckPersistentQueue(congestion_event, Params().startup_cwnd_gain);
   }
   // TCP BBR always exits upon excessive losses. QUIC BBRv1 does not exit
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr_sender.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr_sender.cc
index 99b6a047e49..7abba24aeec 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr_sender.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr_sender.cc
@@ -98,7 +98,7 @@ BbrSender::BbrSender(QuicTime now, const RttStats* rtt_stats,
       pacing_gain_(1),
       congestion_window_gain_(1),
       congestion_window_gain_constant_(
-          static_cast<float>(GetQuicFlag(FLAGS_quic_bbr_cwnd_gain))),
+          static_cast<float>(GetQuicFlag(quic_bbr_cwnd_gain))),
       num_startup_rtts_(kRoundTripsWithoutGrowthBeforeExitingStartup),
       cycle_current_offset_(0),
       last_cycle_start_(QuicTime::Zero()),
@@ -230,13 +230,7 @@ void BbrSender::SetFromConfig(const QuicConfig& config,
   if (config.HasClientRequestedIndependentOption(kBBQ1, perspective)) {
     set_high_gain(kDerivedHighGain);
     set_high_cwnd_gain(kDerivedHighGain);
-    if (GetQuicReloadableFlag(quic_bbr2_support_new_startup_pacing_gain)) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr2_support_new_startup_pacing_gain, 1,
-                                   2);
-      set_drain_gain(1.0 / kDerivedHighCWNDGain);
-    } else {
-      set_drain_gain(1.f / kDerivedHighGain);
-    }
+    set_drain_gain(1.0 / kDerivedHighCWNDGain);
   }
   if (config.HasClientRequestedIndependentOption(kBBQ3, perspective)) {
     enable_ack_aggregation_during_startup_ = true;
@@ -609,7 +603,7 @@ void BbrSender::OnExitStartup(QuicTime now) {
 bool BbrSender::ShouldExitStartupDueToLoss(
     const SendTimeState& last_packet_send_state) const {
   if (num_loss_events_in_round_ <
-          GetQuicFlag(FLAGS_quic_bbr2_default_startup_full_loss_count) ||
+          GetQuicFlag(quic_bbr2_default_startup_full_loss_count) ||
       !last_packet_send_state.is_valid) {
     return false;
   }
@@ -618,8 +612,7 @@ bool BbrSender::ShouldExitStartupDueToLoss(
 
   if (inflight_at_send > 0 && bytes_lost_in_round_ > 0) {
     if (bytes_lost_in_round_ >
-        inflight_at_send *
-            GetQuicFlag(FLAGS_quic_bbr2_default_loss_threshold)) {
+        inflight_at_send * GetQuicFlag(quic_bbr2_default_loss_threshold)) {
       stats_->bbr_exit_startup_due_to_loss = true;
       return true;
     }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr_sender_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr_sender_test.cc
index bbdbee6fc6f..3a04ccdf3c7 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr_sender_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/bbr_sender_test.cc
@@ -161,7 +161,7 @@ class BbrSenderTest : public QuicTest {
         QuicSentPacketManagerPeer::GetUnackedPacketMap(
             QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
         kInitialCongestionWindowPackets,
-        GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
+        GetQuicFlag(quic_max_congestion_window), &random_,
         QuicConnectionPeer::GetStats(endpoint->connection()));
     QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
     endpoint->RecordTrace();
@@ -433,14 +433,13 @@ TEST_F(BbrSenderTest, SimpleTransfer2RTTAggregationBytes) {
 TEST_F(BbrSenderTest, SimpleTransferAckDecimation) {
   SetConnectionOption(kBSAO);
   // Decrease the CWND gain so extra CWND is required with stretch acks.
-  SetQuicFlag(FLAGS_quic_bbr_cwnd_gain, 1.0);
+  SetQuicFlag(quic_bbr_cwnd_gain, 1.0);
   sender_ = new BbrSender(
       bbr_sender_.connection()->clock()->Now(), rtt_stats_,
       QuicSentPacketManagerPeer::GetUnackedPacketMap(
           QuicConnectionPeer::GetSentPacketManager(bbr_sender_.connection())),
-      kInitialCongestionWindowPackets,
-      GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
-      QuicConnectionPeer::GetStats(bbr_sender_.connection()));
+      kInitialCongestionWindowPackets, GetQuicFlag(quic_max_congestion_window),
+      &random_, QuicConnectionPeer::GetStats(bbr_sender_.connection()));
   QuicConnectionPeer::SetSendAlgorithm(bbr_sender_.connection(), sender_);
   CreateDefaultSetup();
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/pacing_sender.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/pacing_sender.cc
index fb3f514fe30..46ba8a1c9a6 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/pacing_sender.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/pacing_sender.cc
@@ -26,11 +26,7 @@ PacingSender::PacingSender()
       initial_burst_size_(kInitialUnpacedBurst),
       lumpy_tokens_(0),
       alarm_granularity_(kAlarmGranularity),
-      pacing_limited_(false) {
-  if (GetQuicReloadableFlag(quic_donot_reset_ideal_next_packet_send_time)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_donot_reset_ideal_next_packet_send_time);
-  }
-}
+      pacing_limited_(false) {}
 
 PacingSender::~PacingSender() {}
 
@@ -74,9 +70,7 @@ void PacingSender::OnPacketSent(
   }
   if (burst_tokens_ > 0) {
     --burst_tokens_;
-    if (!GetQuicReloadableFlag(quic_donot_reset_ideal_next_packet_send_time)) {
-      ideal_next_packet_send_time_ = QuicTime::Zero();
-    }
+    ideal_next_packet_send_time_ = QuicTime::Zero();
     pacing_limited_ = false;
     return;
   }
@@ -88,22 +82,19 @@ void PacingSender::OnPacketSent(
     // Reset lumpy_tokens_ if either application or cwnd throttles sending or
     // token runs out.
     lumpy_tokens_ = std::max(
-        1u, std::min(static_cast<uint32_t>(
-                         GetQuicFlag(FLAGS_quic_lumpy_pacing_size)),
+        1u, std::min(static_cast<uint32_t>(GetQuicFlag(quic_lumpy_pacing_size)),
                      static_cast<uint32_t>(
                          (sender_->GetCongestionWindow() *
-                          GetQuicFlag(FLAGS_quic_lumpy_pacing_cwnd_fraction)) /
+                          GetQuicFlag(quic_lumpy_pacing_cwnd_fraction)) /
                          kDefaultTCPMSS)));
     if (sender_->BandwidthEstimate() <
         QuicBandwidth::FromKBitsPerSecond(
-            GetQuicFlag(FLAGS_quic_lumpy_pacing_min_bandwidth_kbps))) {
+            GetQuicFlag(quic_lumpy_pacing_min_bandwidth_kbps))) {
       // Below 1.2Mbps, send 1 packet at once, because one full-sized packet
       // is about 10ms of queueing.
       lumpy_tokens_ = 1u;
     }
-    if (GetQuicReloadableFlag(quic_fix_pacing_sender_bursts) &&
-        (bytes_in_flight + bytes) >= sender_->GetCongestionWindow()) {
-      QUIC_RELOADABLE_FLAG_COUNT(quic_fix_pacing_sender_bursts);
+    if ((bytes_in_flight + bytes) >= sender_->GetCongestionWindow()) {
       // Don't add lumpy_tokens if the congestion controller is CWND limited.
       lumpy_tokens_ = 1u;
     }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/pacing_sender_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/pacing_sender_test.cc
index 2bc7c94d23c..7206b4cb5f4 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/pacing_sender_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/pacing_sender_test.cc
@@ -18,7 +18,6 @@
 
 using testing::_;
 using testing::AtMost;
-using testing::IsEmpty;
 using testing::Return;
 using testing::StrictMock;
 
@@ -340,8 +339,8 @@ TEST_F(PacingSenderTest, NoBurstEnteringRecovery) {
   lost_packets.push_back(
       LostPacket(QuicPacketNumber(1), kMaxOutgoingPacketSize));
   AckedPacketVector empty_acked;
-  EXPECT_CALL(*mock_sender_,
-              OnCongestionEvent(true, kMaxOutgoingPacketSize, _, IsEmpty(), _));
+  EXPECT_CALL(*mock_sender_, OnCongestionEvent(true, kMaxOutgoingPacketSize, _,
+                                               testing::IsEmpty(), _));
   pacing_sender_->OnCongestionEvent(true, kMaxOutgoingPacketSize, clock_.Now(),
                                     empty_acked, lost_packets);
   // One packet is sent immediately, because of 1ms pacing granularity.
@@ -402,8 +401,8 @@ TEST_F(PacingSenderTest, CwndLimited) {
 
 TEST_F(PacingSenderTest, LumpyPacingWithInitialBurstToken) {
   // Set lumpy size to be 3, and cwnd faction to 0.5
-  SetQuicFlag(FLAGS_quic_lumpy_pacing_size, 3);
-  SetQuicFlag(FLAGS_quic_lumpy_pacing_cwnd_fraction, 0.5f);
+  SetQuicFlag(quic_lumpy_pacing_size, 3);
+  SetQuicFlag(quic_lumpy_pacing_cwnd_fraction, 0.5f);
   // Configure pacing rate of 1 packet per 1 ms.
   InitPacingRate(
       10, QuicBandwidth::FromBytesAndTimeDelta(
@@ -459,8 +458,8 @@ TEST_F(PacingSenderTest, LumpyPacingWithInitialBurstToken) {
 
 TEST_F(PacingSenderTest, NoLumpyPacingForLowBandwidthFlows) {
   // Set lumpy size to be 3, and cwnd fraction to 0.5
-  SetQuicFlag(FLAGS_quic_lumpy_pacing_size, 3);
-  SetQuicFlag(FLAGS_quic_lumpy_pacing_cwnd_fraction, 0.5f);
+  SetQuicFlag(quic_lumpy_pacing_size, 3);
+  SetQuicFlag(quic_lumpy_pacing_cwnd_fraction, 0.5f);
 
   // Configure pacing rate of 1 packet per 100 ms.
   QuicTime::Delta inter_packet_delay = QuicTime::Delta::FromMilliseconds(100);
@@ -501,29 +500,19 @@ TEST_F(PacingSenderTest, NoBurstsForLumpyPacingWithAckAggregation) {
   CheckPacketIsSentImmediately(HAS_RETRANSMITTABLE_DATA,
                                10 * kMaxOutgoingPacketSize, false, 10);
 
-  if (GetQuicReloadableFlag(quic_fix_pacing_sender_bursts)) {
-    // The last sent packet made the connection CWND limited, so no lumpy tokens
-    // should be available.
-    EXPECT_EQ(0u, pacing_sender_->lumpy_tokens());
-    CheckPacketIsSentImmediately(HAS_RETRANSMITTABLE_DATA,
-                                 10 * kMaxOutgoingPacketSize, false, 10);
-    EXPECT_EQ(0u, pacing_sender_->lumpy_tokens());
-    CheckPacketIsDelayed(2 * inter_packet_delay);
-  } else {
-    EXPECT_EQ(1u, pacing_sender_->lumpy_tokens());
-    // Repeatedly send single packets to make the sender CWND limited and
-    // observe that there's no pacing without the fix.
-    for (int i = 0; i < 10; ++i) {
-      CheckPacketIsSentImmediately(HAS_RETRANSMITTABLE_DATA,
-                                   10 * kMaxOutgoingPacketSize, false, 10);
-    }
-  }
+  // The last sent packet made the connection CWND limited, so no lumpy tokens
+  // should be available.
+  EXPECT_EQ(0u, pacing_sender_->lumpy_tokens());
+  CheckPacketIsSentImmediately(HAS_RETRANSMITTABLE_DATA,
+                               10 * kMaxOutgoingPacketSize, false, 10);
+  EXPECT_EQ(0u, pacing_sender_->lumpy_tokens());
+  CheckPacketIsDelayed(2 * inter_packet_delay);
 }
 
 TEST_F(PacingSenderTest, IdealNextPacketSendTimeWithLumpyPacing) {
   // Set lumpy size to be 3, and cwnd faction to 0.5
-  SetQuicFlag(FLAGS_quic_lumpy_pacing_size, 3);
-  SetQuicFlag(FLAGS_quic_lumpy_pacing_cwnd_fraction, 0.5f);
+  SetQuicFlag(quic_lumpy_pacing_size, 3);
+  SetQuicFlag(quic_lumpy_pacing_cwnd_fraction, 0.5f);
 
   // Configure pacing rate of 1 packet per millisecond.
   QuicTime::Delta inter_packet_delay = QuicTime::Delta::FromMilliseconds(1);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/send_algorithm_interface.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/send_algorithm_interface.cc
index c8c7d5b329c..89b1ce98251 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/send_algorithm_interface.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/send_algorithm_interface.cc
@@ -25,7 +25,7 @@ SendAlgorithmInterface* SendAlgorithmInterface::Create(
     QuicConnectionStats* stats, QuicPacketCount initial_congestion_window,
     SendAlgorithmInterface* old_send_algorithm) {
   QuicPacketCount max_congestion_window =
-      GetQuicFlag(FLAGS_quic_max_congestion_window);
+      GetQuicFlag(quic_max_congestion_window);
   switch (congestion_control_type) {
     case kGoogCC:  // GoogCC is not supported by quic/core, fall back to BBR.
     case kBBR:
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/tcp_cubic_sender_bytes.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/tcp_cubic_sender_bytes.cc
index af0a5a9ffc2..bc61d87ec64 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/tcp_cubic_sender_bytes.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/tcp_cubic_sender_bytes.cc
@@ -55,47 +55,18 @@ TcpCubicSenderBytes::~TcpCubicSenderBytes() {}
 
 void TcpCubicSenderBytes::SetFromConfig(const QuicConfig& config,
                                         Perspective perspective) {
-  if (perspective == Perspective::IS_SERVER) {
-    if (!GetQuicReloadableFlag(quic_unified_iw_options)) {
-      if (config.HasReceivedConnectionOptions() &&
-          ContainsQuicTag(config.ReceivedConnectionOptions(), kIW03)) {
-        // Initial window experiment.
-        SetInitialCongestionWindowInPackets(3);
-      }
-      if (config.HasReceivedConnectionOptions() &&
-          ContainsQuicTag(config.ReceivedConnectionOptions(), kIW10)) {
-        // Initial window experiment.
-        SetInitialCongestionWindowInPackets(10);
-      }
-      if (config.HasReceivedConnectionOptions() &&
-          ContainsQuicTag(config.ReceivedConnectionOptions(), kIW20)) {
-        // Initial window experiment.
-        SetInitialCongestionWindowInPackets(20);
-      }
-      if (config.HasReceivedConnectionOptions() &&
-          ContainsQuicTag(config.ReceivedConnectionOptions(), kIW50)) {
-        // Initial window experiment.
-        SetInitialCongestionWindowInPackets(50);
-      }
-      if (config.HasReceivedConnectionOptions() &&
-          ContainsQuicTag(config.ReceivedConnectionOptions(), kMIN1)) {
-        // Min CWND experiment.
-        SetMinCongestionWindowInPackets(1);
-      }
-    }
-    if (config.HasReceivedConnectionOptions() &&
-        ContainsQuicTag(config.ReceivedConnectionOptions(), kMIN4)) {
+  if (perspective == Perspective::IS_SERVER &&
+      config.HasReceivedConnectionOptions()) {
+    if (ContainsQuicTag(config.ReceivedConnectionOptions(), kMIN4)) {
       // Min CWND of 4 experiment.
       min4_mode_ = true;
       SetMinCongestionWindowInPackets(1);
     }
-    if (config.HasReceivedConnectionOptions() &&
-        ContainsQuicTag(config.ReceivedConnectionOptions(), kSSLR)) {
+    if (ContainsQuicTag(config.ReceivedConnectionOptions(), kSSLR)) {
       // Slow Start Fast Exit experiment.
       slow_start_large_reduction_ = true;
     }
-    if (config.HasReceivedConnectionOptions() &&
-        ContainsQuicTag(config.ReceivedConnectionOptions(), kNPRR)) {
+    if (ContainsQuicTag(config.ReceivedConnectionOptions(), kNPRR)) {
       // Use unity pacing instead of PRR.
       no_prr_ = true;
     }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc
index 330b24b557e..3ac1ba22666 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc
@@ -545,7 +545,6 @@ TEST_F(TcpCubicSenderBytesTest, MultipleLossesInOneWindow) {
 }
 
 TEST_F(TcpCubicSenderBytesTest, ConfigureMaxInitialWindow) {
-  SetQuicReloadableFlag(quic_unified_iw_options, false);
   QuicConfig config;
 
   // Verify that kCOPT: kIW10 forces the congestion window to the default of 10.
@@ -788,7 +787,7 @@ TEST_F(TcpCubicSenderBytesTest, DefaultMaxCwnd) {
   AckedPacketVector acked_packets;
   LostPacketVector missing_packets;
   QuicPacketCount max_congestion_window =
-      GetQuicFlag(FLAGS_quic_max_congestion_window);
+      GetQuicFlag(quic_max_congestion_window);
   for (uint64_t i = 1; i < max_congestion_window; ++i) {
     acked_packets.clear();
     acked_packets.push_back(
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/connecting_client_socket.h b/chromium/net/third_party/quiche/src/quiche/quic/core/connecting_client_socket.h
new file mode 100644
index 00000000000..d5f8ee4d06a
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/connecting_client_socket.h
@@ -0,0 +1,111 @@
+// Copyright 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_CONNECTING_CLIENT_SOCKET_H_
+#define QUICHE_QUIC_CORE_CONNECTING_CLIENT_SOCKET_H_
+
+#include <string>
+
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "quiche/quic/core/quic_types.h"
+#include "quiche/quic/platform/api/quic_socket_address.h"
+#include "quiche/common/platform/api/quiche_export.h"
+#include "quiche/common/platform/api/quiche_mem_slice.h"
+
+namespace quic {
+
+// A client socket that provides connection-based send/receive. In the case of
+// protocols like UDP, may only be a pseudo-connection that doesn't actually
+// affect the underlying network protocol.
+//
+// Must not destroy a connected/connecting socket. If connected or connecting,
+// must call Disconnect() to disconnect or cancel the connection before
+// destruction.
+//
+// Warning regarding blocking calls: Code in the QUICHE library typically
+// handles IO on a single thread, so if making calls from that typical
+// environment, it would be problematic to make a blocking call and block that
+// single thread.
+class QUICHE_EXPORT_PRIVATE ConnectingClientSocket {
+ public:
+  class AsyncVisitor {
+   public:
+    virtual ~AsyncVisitor() = default;
+
+    virtual void ConnectComplete(absl::Status status) = 0;
+
+    // If the operation completed without error, `data` is set to the received
+    // data.
+    virtual void ReceiveComplete(
+        absl::StatusOr<quiche::QuicheMemSlice> data) = 0;
+
+    virtual void SendComplete(absl::Status status) = 0;
+  };
+
+  virtual ~ConnectingClientSocket() = default;
+
+  // Establishes a connection synchronously. Should not be called if socket has
+  // already been successfully connected without first calling Disconnect().
+  //
+  // After calling, the socket must not be destroyed until Disconnect() is
+  // called.
+  virtual absl::Status ConnectBlocking() = 0;
+
+  // Establishes a connection asynchronously. On completion, calls
+  // ConnectComplete() on the visitor, potentially before return from
+  // ConnectAsync(). Should not be called if socket has already been
+  // successfully connected without first calling Disconnect().
+  //
+  // After calling, the socket must not be destroyed until Disconnect() is
+  // called.
+  virtual void ConnectAsync() = 0;
+
+  // Disconnects a connected socket or cancels an in-progress ConnectAsync(),
+  // invoking the `ConnectComplete(absl::CancelledError())` on the visitor.
+  // After success, it is possible to call ConnectBlocking() or ConnectAsync()
+  // again to establish a new connection. Cancels any pending read or write
+  // operations, calling visitor completion methods with
+  // `absl::CancelledError()`.
+  //
+  // Typically implemented via a call to ::close(), which for TCP can result in
+  // either FIN or RST, depending on socket/platform state and undefined
+  // platform behavior.
+  virtual void Disconnect() = 0;
+
+  // Gets the address assigned to a connected socket.
+  virtual absl::StatusOr<QuicSocketAddress> GetLocalAddress() = 0;
+
+  // Blocking read. Receives and returns a buffer of up to `max_size` bytes from
+  // socket. Returns status on error.
+  virtual absl::StatusOr<quiche::QuicheMemSlice> ReceiveBlocking(
+      QuicByteCount max_size) = 0;
+
+  // Asynchronous read. Receives up to `max_size` bytes from socket. If
+  // no data is synchronously available to be read, waits until some data is
+  // available or the socket is closed. On completion, calls ReceiveComplete()
+  // on the visitor, potentially before return from ReceiveAsync().
+  //
+  // After calling, the socket must not be destroyed until ReceiveComplete() is
+  // called.
+  virtual void ReceiveAsync(QuicByteCount max_size) = 0;
+
+  // Blocking write. Sends all of `data` (potentially via multiple underlying
+  // socket sends).
+  virtual absl::Status SendBlocking(std::string data) = 0;
+  virtual absl::Status SendBlocking(quiche::QuicheMemSlice data) = 0;
+
+  // Asynchronous write. Sends all of `data` (potentially via multiple
+  // underlying socket sends). On completion, calls SendComplete() on the
+  // visitor, potentially before return from SendAsync().
+  //
+  // After calling, the socket must not be destroyed until SendComplete() is
+  // called.
+  virtual void SendAsync(std::string data) = 0;
+  virtual void SendAsync(quiche::QuicheMemSlice data) = 0;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_CONNECTING_CLIENT_SOCKET_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/connection_id_generator.h b/chromium/net/third_party/quiche/src/quiche/quic/core/connection_id_generator.h
index 65284d8bf34..d27b44f0643 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/connection_id_generator.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/connection_id_generator.h
@@ -23,6 +23,9 @@ class QUIC_EXPORT_PRIVATE ConnectionIdGeneratorInterface {
   // and consider replacing it. Returns empty if not replaced.
   virtual absl::optional<QuicConnectionId> MaybeReplaceConnectionId(
       const QuicConnectionId& original, const ParsedQuicVersion& version) = 0;
+  // Returns the length of a connection ID generated by this generator with the
+  // specified first byte.
+  virtual uint8_t ConnectionIdLength(uint8_t first_byte) const = 0;
   virtual ~ConnectionIdGeneratorInterface() = default;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/aead_base_decrypter.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/aead_base_decrypter.cc
index c79e74e199b..b6a3c4f68c3 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/aead_base_decrypter.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/aead_base_decrypter.cc
@@ -15,31 +15,13 @@
 #include "quiche/quic/core/quic_utils.h"
 #include "quiche/quic/platform/api/quic_bug_tracker.h"
 #include "quiche/quic/platform/api/quic_logging.h"
+#include "quiche/common/quiche_crypto_logging.h"
 
 namespace quic {
-
+using ::quiche::ClearOpenSslErrors;
+using ::quiche::DLogOpenSslErrors;
 namespace {
 
-// Clear OpenSSL error stack.
-void ClearOpenSslErrors() {
-  while (ERR_get_error()) {
-  }
-}
-
-// In debug builds only, log OpenSSL error stack. Then clear OpenSSL error
-// stack.
-void DLogOpenSslErrors() {
-#ifdef NDEBUG
-  ClearOpenSslErrors();
-#else
-  while (uint32_t error = ERR_get_error()) {
-    char buf[120];
-    ERR_error_string_n(error, buf, ABSL_ARRAYSIZE(buf));
-    QUIC_DLOG(ERROR) << "OpenSSL error: " << buf;
-  }
-#endif
-}
-
 const EVP_AEAD* InitAndCall(const EVP_AEAD* (*aead_getter)()) {
   // Ensure BoringSSL is initialized before calling |aead_getter|. In Chromium,
   // the static initializer is disabled.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/aead_base_encrypter.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/aead_base_encrypter.cc
index a2f0d5921c7..481eaa970a2 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/aead_base_encrypter.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/aead_base_encrypter.cc
@@ -12,26 +12,12 @@
 #include "quiche/quic/core/quic_utils.h"
 #include "quiche/quic/platform/api/quic_bug_tracker.h"
 #include "quiche/quic/platform/api/quic_logging.h"
+#include "quiche/common/quiche_crypto_logging.h"
 
 namespace quic {
-
+using ::quiche::DLogOpenSslErrors;
 namespace {
 
-// In debug builds only, log OpenSSL error stack. Then clear OpenSSL error
-// stack.
-void DLogOpenSslErrors() {
-#ifdef NDEBUG
-  while (ERR_get_error()) {
-  }
-#else
-  while (unsigned long error = ERR_get_error()) {
-    char buf[120];
-    ERR_error_string_n(error, buf, ABSL_ARRAYSIZE(buf));
-    QUIC_DLOG(ERROR) << "OpenSSL error: " << buf;
-  }
-#endif
-}
-
 const EVP_AEAD* InitAndCall(const EVP_AEAD* (*aead_getter)()) {
   // Ensure BoringSSL is initialized before calling |aead_getter|. In Chromium,
   // the static initializer is disabled.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_protocol.h b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_protocol.h
index 6a78b6d4428..7cfffd9f31c 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_protocol.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_protocol.h
@@ -30,7 +30,8 @@ using ServerConfigID = std::string;
 // "1CON", "BBQ4", "NCON", "RCID", "SREJ", "TBKP", "TB10", "SCLS", "SMHL",
 // "QNZR", "B2HI", "H2PR", "FIFO", "LIFO", "RRWS", "QNSP", "B2CL", "CHSP",
 // "BPTE", "ACKD", "AKD2", "AKD4", "MAD1", "MAD4", "MAD5", "ACD0", "ACKQ",
-// "TLPR", "CCS\0", "PDP4", "NCHP", "NBPE"
+// "TLPR", "CCS\0", "PDP4", "NCHP", "NBPE", "2RTO", "3RTO", "4RTO", "6RTO",
+// "PDP1", "PDP2", "PDP3", "PDP5"
 
 // clang-format off
 const QuicTag kCHLO = TAG('C', 'H', 'L', 'O');   // Client hello
@@ -198,11 +199,7 @@ const QuicTag kAFF2 = TAG('A', 'F', 'F', '2');   // Send AckFrequencyFrame upon
                                                  // handshake completion.
 const QuicTag kSSLR = TAG('S', 'S', 'L', 'R');   // Slow Start Large Reduction.
 const QuicTag kNPRR = TAG('N', 'P', 'R', 'R');   // Pace at unity instead of PRR
-const QuicTag k2RTO = TAG('2', 'R', 'T', 'O');   // Close connection on 2 RTOs
-const QuicTag k3RTO = TAG('3', 'R', 'T', 'O');   // Close connection on 3 RTOs
-const QuicTag k4RTO = TAG('4', 'R', 'T', 'O');   // Close connection on 4 RTOs
 const QuicTag k5RTO = TAG('5', 'R', 'T', 'O');   // Close connection on 5 RTOs
-const QuicTag k6RTO = TAG('6', 'R', 'T', 'O');   // Close connection on 6 RTOs
 const QuicTag kCBHD = TAG('C', 'B', 'H', 'D');   // Client only blackhole
                                                  // detection.
 const QuicTag kNBHD = TAG('N', 'B', 'H', 'D');   // No blackhole detection.
@@ -401,18 +398,6 @@ const QuicTag kXLCT = TAG('X', 'L', 'C', 'T');   // Expected leaf certificate.
 const QuicTag kQLVE = TAG('Q', 'L', 'V', 'E');   // Legacy Version
                                                  // Encapsulation.
 
-const QuicTag kPDP1 = TAG('P', 'D', 'P', '1');   // Path degrading triggered
-                                                 // at 1PTO.
-
-const QuicTag kPDP2 = TAG('P', 'D', 'P', '2');   // Path degrading triggered
-                                                 // at 2PTO.
-
-const QuicTag kPDP3 = TAG('P', 'D', 'P', '3');   // Path degrading triggered
-                                                 // at 3PTO.
-
-const QuicTag kPDP5 = TAG('P', 'D', 'P', '5');   // Path degrading triggered
-                                                 // at 5PTO.
-
 const QuicTag kQNZ2 = TAG('Q', 'N', 'Z', '2');   // Turn off QUIC crypto 0-RTT.
 
 const QuicTag kMAD  = TAG('M', 'A', 'D', 0);     // Max Ack Delay (IETF QUIC)
@@ -439,6 +424,8 @@ const QuicTag kNRES = TAG('N', 'R', 'E', 'S');   // No resumption
 const QuicTag kINVC = TAG('I', 'N', 'V', 'C');   // Send connection close for
                                                  // INVALID_VERSION
 
+const QuicTag kMPQC = TAG('M', 'P', 'Q', 'C');   // Multi-port QUIC connection
+
 // Client Hints triggers.
 const QuicTag kGWCH = TAG('G', 'W', 'C', 'H');
 const QuicTag kYTCH = TAG('Y', 'T', 'C', 'H');
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_secret_boxer.h b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_secret_boxer.h
index e1927f21ba8..5d334c3770d 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_secret_boxer.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_secret_boxer.h
@@ -11,13 +11,12 @@
 #include <vector>
 
 #include "absl/strings/string_view.h"
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/platform/api/quic_export.h"
 #include "quiche/quic/platform/api/quic_mutex.h"
 
 namespace quic {
 
-class QuicRandom;
-
 // CryptoSecretBoxer encrypts small chunks of plaintext (called 'boxing') and
 // then, later, can authenticate+decrypt the resulting boxes. This object is
 // thread-safe.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_utils.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_utils.cc
index 9b33b0b1098..428edb7dd5f 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_utils.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_utils.cc
@@ -776,10 +776,11 @@ bool CryptoUtils::GetSSLCapabilities(const SSL* ssl,
                                      bssl::UniquePtr<uint8_t>* capabilities,
                                      size_t* capabilities_len) {
   uint8_t* buffer;
-  CBB cbb;
+  bssl::ScopedCBB cbb;
 
-  if (!CBB_init(&cbb, 128) || !SSL_serialize_capabilities(ssl, &cbb) ||
-      !CBB_finish(&cbb, &buffer, capabilities_len)) {
+  if (!CBB_init(cbb.get(), 128) ||
+      !SSL_serialize_capabilities(ssl, cbb.get()) ||
+      !CBB_finish(cbb.get(), &buffer, capabilities_len)) {
     return false;
   }
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_utils.h b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_utils.h
index 87bf30915b8..adc818dbda5 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_utils.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/crypto_utils.h
@@ -18,6 +18,7 @@
 #include "quiche/quic/core/crypto/crypto_handshake_message.h"
 #include "quiche/quic/core/crypto/crypto_protocol.h"
 #include "quiche/quic/core/crypto/quic_crypter.h"
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/core/quic_connection_id.h"
 #include "quiche/quic/core/quic_packets.h"
 #include "quiche/quic/core/quic_time.h"
@@ -26,8 +27,6 @@
 
 namespace quic {
 
-class QuicRandom;
-
 class QUIC_EXPORT_PRIVATE CryptoUtils {
  public:
   CryptoUtils() = delete;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/curve25519_key_exchange.h b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/curve25519_key_exchange.h
index 34a49f9f2e6..b6e06f38472 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/curve25519_key_exchange.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/curve25519_key_exchange.h
@@ -10,12 +10,11 @@
 
 #include "absl/strings/string_view.h"
 #include "quiche/quic/core/crypto/key_exchange.h"
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/platform/api/quic_export.h"
 
 namespace quic {
 
-class QuicRandom;
-
 // Curve25519KeyExchange implements a SynchronousKeyExchange using
 // elliptic-curve Diffie-Hellman on curve25519. See http://cr.yp.to/ecdh.html
 class QUIC_EXPORT_PRIVATE Curve25519KeyExchange
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/key_exchange.h b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/key_exchange.h
index a681bf596a2..573b289ddfa 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/key_exchange.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/key_exchange.h
@@ -10,12 +10,11 @@
 
 #include "absl/strings/string_view.h"
 #include "quiche/quic/core/crypto/crypto_protocol.h"
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/platform/api/quic_export.h"
 
 namespace quic {
 
-class QuicRandom;
-
 // Interface for a Diffie-Hellman key exchange with an asynchronous interface.
 // This allows for implementations which hold the private key locally, as well
 // as ones which make an RPC to an external key-exchange service.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/proof_source.h b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/proof_source.h
index ab2a4872525..ac34ebbaf70 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/proof_source.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/proof_source.h
@@ -310,6 +310,7 @@ class QUIC_EXPORT_PRIVATE ProofSourceHandle {
   virtual QuicAsyncStatus SelectCertificate(
       const QuicSocketAddress& server_address,
       const QuicSocketAddress& client_address,
+      const QuicConnectionId& original_connection_id,
       absl::string_view ssl_capabilities, const std::string& hostname,
       absl::string_view client_hello, const std::string& alpn,
       absl::optional<std::string> alps,
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_client_config.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_client_config.cc
index caf6c77336d..c9137de70d6 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_client_config.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_client_config.cc
@@ -66,7 +66,7 @@ QuicCryptoClientConfig::QuicCryptoClientConfig(
     : proof_verifier_(std::move(proof_verifier)),
       session_cache_(std::move(session_cache)),
       ssl_ctx_(TlsClientConnection::CreateSslCtx(
-          !GetQuicFlag(FLAGS_quic_disable_client_tls_zero_rtt))) {
+          !GetQuicFlag(quic_disable_client_tls_zero_rtt))) {
   QUICHE_DCHECK(proof_verifier_.get());
   SetDefaults();
 }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_client_config.h b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_client_config.h
index f44aac1312a..546f4d13b7c 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_client_config.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_client_config.h
@@ -17,6 +17,7 @@
 #include "quiche/quic/core/crypto/client_proof_source.h"
 #include "quiche/quic/core/crypto/crypto_handshake.h"
 #include "quiche/quic/core/crypto/crypto_protocol.h"
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/core/crypto/transport_parameters.h"
 #include "quiche/quic/core/quic_packets.h"
 #include "quiche/quic/core/quic_server_id.h"
@@ -28,7 +29,6 @@ namespace quic {
 class CryptoHandshakeMessage;
 class ProofVerifier;
 class ProofVerifyDetails;
-class QuicRandom;
 
 // QuicResumptionState stores the state a client needs for performing connection
 // resumption.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.cc
index 7a651bf81f9..e2ee0ebab8b 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.cc
@@ -1610,6 +1610,11 @@ QuicCryptoServerConfig::ParseConfigProtobuf(
     QUIC_LOG(WARNING) << "Server config message is missing SCID";
     return nullptr;
   }
+  if (GetQuicRestartFlag(quic_return_error_on_empty_scid) && scid.empty()) {
+    QUIC_RESTART_FLAG_COUNT(quic_return_error_on_empty_scid);
+    QUIC_LOG(WARNING) << "Server config message contains an empty SCID";
+    return nullptr;
+  }
   QUICHE_DCHECK(!scid.empty());
   config->id = std::string(scid);
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.h b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.h
index f114546fe68..77be1f470ff 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.h
@@ -22,6 +22,7 @@
 #include "quiche/quic/core/crypto/proof_source.h"
 #include "quiche/quic/core/crypto/quic_compressed_certs_cache.h"
 #include "quiche/quic/core/crypto/quic_crypto_proof.h"
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/core/proto/cached_network_parameters_proto.h"
 #include "quiche/quic/core/proto/source_address_token_proto.h"
 #include "quiche/quic/core/quic_time.h"
@@ -35,7 +36,6 @@ namespace quic {
 class CryptoHandshakeMessage;
 class ProofSource;
 class QuicClock;
-class QuicRandom;
 class QuicServerConfigProtobuf;
 struct QuicSignedServerConfig;
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_random.h b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_random.h
index 47722cb7d2b..9f7c21626ca 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_random.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/crypto/quic_random.h
@@ -5,36 +5,11 @@
 #ifndef QUICHE_QUIC_CORE_CRYPTO_QUIC_RANDOM_H_
 #define QUICHE_QUIC_CORE_CRYPTO_QUIC_RANDOM_H_
 
-#include <cstddef>
-#include <cstdint>
-
-#include "quiche/quic/platform/api/quic_export.h"
+#include "quiche/common/quiche_random.h"
 
 namespace quic {
 
-// The interface for a random number generator.
-class QUIC_EXPORT_PRIVATE QuicRandom {
- public:
-  virtual ~QuicRandom() {}
-
-  // Returns the default random number generator, which is cryptographically
-  // secure and thread-safe.
-  static QuicRandom* GetInstance();
-
-  // Generates |len| random bytes in the |data| buffer.
-  virtual void RandBytes(void* data, size_t len) = 0;
-
-  // Returns a random number in the range [0, kuint64max].
-  virtual uint64_t RandUint64() = 0;
-
-  // Generates |len| random bytes in the |data| buffer. This MUST NOT be used
-  // for any application that requires cryptographically-secure randomness.
-  virtual void InsecureRandBytes(void* data, size_t len) = 0;
-
-  // Returns a random number in the range [0, kuint64max]. This MUST NOT be used
-  // for any application that requires cryptographically-secure randomness.
-  virtual uint64_t InsecureRandUint64() = 0;
-};
+using QuicRandom = quiche::QuicheRandom;
 
 }  // namespace quic
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator.h b/chromium/net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator.h
index cd27811e156..74d42d9159c 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator.h
@@ -27,6 +27,9 @@ class QUIC_EXPORT_PRIVATE DeterministicConnectionIdGenerator
   absl::optional<QuicConnectionId> MaybeReplaceConnectionId(
       const QuicConnectionId& original,
       const ParsedQuicVersion& version) override;
+  uint8_t ConnectionIdLength(uint8_t /*first_byte*/) const override {
+    return expected_connection_id_length_;
+  }
 
  private:
   const uint8_t expected_connection_id_length_;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator_test.cc
index 67016b58222..6c3ee21d49f 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator_test.cc
@@ -118,5 +118,9 @@ TEST_P(DeterministicConnectionIdGeneratorTest,
   }
 }
 
+TEST_P(DeterministicConnectionIdGeneratorTest, ReturnLength) {
+  EXPECT_EQ(generator_.ConnectionIdLength(0x01), connection_id_length_);
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule.cc
index 3fba85e05af..8f653f17015 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule.cc
@@ -14,7 +14,9 @@
 #include "quiche/quic/core/quic_data_writer.h"
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/quic/platform/api/quic_bug_tracker.h"
+#include "quiche/quic/platform/api/quic_ip_address.h"
 #include "quiche/common/platform/api/quiche_logging.h"
+#include "quiche/common/quiche_ip_address.h"
 
 namespace quic {
 
@@ -26,6 +28,12 @@ std::string CapsuleTypeToString(CapsuleType capsule_type) {
       return "DATAGRAM_WITHOUT_CONTEXT";
     case CapsuleType::CLOSE_WEBTRANSPORT_SESSION:
       return "CLOSE_WEBTRANSPORT_SESSION";
+    case CapsuleType::ADDRESS_REQUEST:
+      return "ADDRESS_REQUEST";
+    case CapsuleType::ADDRESS_ASSIGN:
+      return "ADDRESS_ASSIGN";
+    case CapsuleType::ROUTE_ADVERTISEMENT:
+      return "ROUTE_ADVERTISEMENT";
   }
   return absl::StrCat("Unknown(", static_cast<uint64_t>(capsule_type), ")");
 }
@@ -41,7 +49,7 @@ Capsule::Capsule(CapsuleType capsule_type) : capsule_type_(capsule_type) {
       static_assert(
           std::is_standard_layout<LegacyDatagramCapsule>::value &&
               std::is_trivially_destructible<LegacyDatagramCapsule>::value,
-          "All capsule structs must have these properties");
+          "All inline capsule structs must have these properties");
       legacy_datagram_capsule_ = LegacyDatagramCapsule();
       break;
     case CapsuleType::DATAGRAM_WITHOUT_CONTEXT:
@@ -49,7 +57,7 @@ Capsule::Capsule(CapsuleType capsule_type) : capsule_type_(capsule_type) {
           std::is_standard_layout<DatagramWithoutContextCapsule>::value &&
               std::is_trivially_destructible<
                   DatagramWithoutContextCapsule>::value,
-          "All capsule structs must have these properties");
+          "All inline capsule structs must have these properties");
       datagram_without_context_capsule_ = DatagramWithoutContextCapsule();
       break;
     case CapsuleType::CLOSE_WEBTRANSPORT_SESSION:
@@ -57,18 +65,50 @@ Capsule::Capsule(CapsuleType capsule_type) : capsule_type_(capsule_type) {
           std::is_standard_layout<CloseWebTransportSessionCapsule>::value &&
               std::is_trivially_destructible<
                   CloseWebTransportSessionCapsule>::value,
-          "All capsule structs must have these properties");
+          "All inline capsule structs must have these properties");
       close_web_transport_session_capsule_ = CloseWebTransportSessionCapsule();
       break;
+    case CapsuleType::ADDRESS_REQUEST:
+      address_request_capsule_ = new AddressRequestCapsule();
+      break;
+    case CapsuleType::ADDRESS_ASSIGN:
+      address_assign_capsule_ = new AddressAssignCapsule();
+      break;
+    case CapsuleType::ROUTE_ADVERTISEMENT:
+      route_advertisement_capsule_ = new RouteAdvertisementCapsule();
+      break;
     default:
       unknown_capsule_data_ = absl::string_view();
       break;
   }
 }
 
+void Capsule::Free() {
+  switch (capsule_type_) {
+    // Inlined capsule types.
+    case CapsuleType::LEGACY_DATAGRAM:
+    case CapsuleType::DATAGRAM_WITHOUT_CONTEXT:
+    case CapsuleType::CLOSE_WEBTRANSPORT_SESSION:
+      // Do nothing, these are guaranteed to be trivially destructible.
+      break;
+    // Out-of-line capsule types.
+    case CapsuleType::ADDRESS_REQUEST:
+      delete address_request_capsule_;
+      break;
+    case CapsuleType::ADDRESS_ASSIGN:
+      delete address_assign_capsule_;
+      break;
+    case CapsuleType::ROUTE_ADVERTISEMENT:
+      delete route_advertisement_capsule_;
+      break;
+  }
+  capsule_type_ = static_cast<CapsuleType>(0x17);  // Reserved unknown value.
+  unknown_capsule_data_ = absl::string_view();
+}
+Capsule::~Capsule() { Free(); }
+
 // static
-Capsule Capsule::LegacyDatagram(
-    absl::string_view http_datagram_payload) {
+Capsule Capsule::LegacyDatagram(absl::string_view http_datagram_payload) {
   Capsule capsule(CapsuleType::LEGACY_DATAGRAM);
   capsule.legacy_datagram_capsule().http_datagram_payload =
       http_datagram_payload;
@@ -94,6 +134,21 @@ Capsule Capsule::CloseWebTransportSession(WebTransportSessionError error_code,
 }
 
 // static
+Capsule Capsule::AddressRequest() {
+  return Capsule(CapsuleType::ADDRESS_REQUEST);
+}
+
+// static
+Capsule Capsule::AddressAssign() {
+  return Capsule(CapsuleType::ADDRESS_ASSIGN);
+}
+
+// static
+Capsule Capsule::RouteAdvertisement() {
+  return Capsule(CapsuleType::ROUTE_ADVERTISEMENT);
+}
+
+// static
 Capsule Capsule::Unknown(uint64_t capsule_type,
                          absl::string_view unknown_capsule_data) {
   Capsule capsule(static_cast<CapsuleType>(capsule_type));
@@ -102,6 +157,7 @@ Capsule Capsule::Unknown(uint64_t capsule_type,
 }
 
 Capsule& Capsule::operator=(const Capsule& other) {
+  Free();
   capsule_type_ = other.capsule_type_;
   switch (capsule_type_) {
     case CapsuleType::LEGACY_DATAGRAM:
@@ -115,6 +171,18 @@ Capsule& Capsule::operator=(const Capsule& other) {
       close_web_transport_session_capsule_ =
           other.close_web_transport_session_capsule_;
       break;
+    case CapsuleType::ADDRESS_ASSIGN:
+      address_assign_capsule_ = new AddressAssignCapsule();
+      *address_assign_capsule_ = *other.address_assign_capsule_;
+      break;
+    case CapsuleType::ADDRESS_REQUEST:
+      address_request_capsule_ = new AddressRequestCapsule();
+      *address_request_capsule_ = *other.address_request_capsule_;
+      break;
+    case CapsuleType::ROUTE_ADVERTISEMENT:
+      route_advertisement_capsule_ = new RouteAdvertisementCapsule();
+      *route_advertisement_capsule_ = *other.route_advertisement_capsule_;
+      break;
     default:
       unknown_capsule_data_ = other.unknown_capsule_data_;
       break;
@@ -142,6 +210,15 @@ bool Capsule::operator==(const Capsule& other) const {
                  other.close_web_transport_session_capsule_.error_code &&
              close_web_transport_session_capsule_.error_message ==
                  other.close_web_transport_session_capsule_.error_message;
+    case CapsuleType::ADDRESS_REQUEST:
+      return address_request_capsule_->requested_addresses ==
+             other.address_request_capsule_->requested_addresses;
+    case CapsuleType::ADDRESS_ASSIGN:
+      return address_assign_capsule_->assigned_addresses ==
+             other.address_assign_capsule_->assigned_addresses;
+    case CapsuleType::ROUTE_ADVERTISEMENT:
+      return route_advertisement_capsule_->ip_address_ranges ==
+             other.route_advertisement_capsule_->ip_address_ranges;
     default:
       return unknown_capsule_data_ == other.unknown_capsule_data_;
   }
@@ -169,6 +246,34 @@ std::string Capsule::ToString() const {
           ",error_message=\"",
           close_web_transport_session_capsule_.error_message, "\")");
       break;
+    case CapsuleType::ADDRESS_REQUEST: {
+      absl::StrAppend(&rv, "[");
+      for (auto requested_address :
+           address_request_capsule_->requested_addresses) {
+        absl::StrAppend(&rv, "(", requested_address.request_id, "-",
+                        requested_address.ip_prefix.ToString(), ")");
+      }
+      absl::StrAppend(&rv, "]");
+    } break;
+    case CapsuleType::ADDRESS_ASSIGN: {
+      absl::StrAppend(&rv, "[");
+      for (auto assigned_address :
+           address_assign_capsule_->assigned_addresses) {
+        absl::StrAppend(&rv, "(", assigned_address.request_id, "-",
+                        assigned_address.ip_prefix.ToString(), ")");
+      }
+      absl::StrAppend(&rv, "]");
+    } break;
+    case CapsuleType::ROUTE_ADVERTISEMENT: {
+      absl::StrAppend(&rv, "[");
+      for (auto ip_address_range :
+           route_advertisement_capsule_->ip_address_ranges) {
+        absl::StrAppend(&rv, "(", ip_address_range.start_ip_address.ToString(),
+                        "-", ip_address_range.end_ip_address.ToString(), "-",
+                        static_cast<int>(ip_address_range.ip_protocol), ")");
+      }
+      absl::StrAppend(&rv, "]");
+    } break;
     default:
       absl::StrAppend(&rv, "[", absl::BytesToHexString(unknown_capsule_data_),
                       "]");
@@ -205,6 +310,42 @@ quiche::QuicheBuffer SerializeCapsule(
           sizeof(WebTransportSessionError) +
           capsule.close_web_transport_session_capsule().error_message.size();
       break;
+    case CapsuleType::ADDRESS_REQUEST:
+      capsule_data_length = 0;
+      for (auto requested_address :
+           capsule.address_request_capsule().requested_addresses) {
+        capsule_data_length +=
+            QuicDataWriter::GetVarInt62Len(requested_address.request_id) + 1 +
+            (requested_address.ip_prefix.address().IsIPv4()
+                 ? QuicIpAddress::kIPv4AddressSize
+                 : QuicIpAddress::kIPv6AddressSize) +
+            1;
+      }
+      break;
+    case CapsuleType::ADDRESS_ASSIGN:
+      capsule_data_length = 0;
+      for (auto assigned_address :
+           capsule.address_assign_capsule().assigned_addresses) {
+        capsule_data_length +=
+            QuicDataWriter::GetVarInt62Len(assigned_address.request_id) + 1 +
+            (assigned_address.ip_prefix.address().IsIPv4()
+                 ? QuicIpAddress::kIPv4AddressSize
+                 : QuicIpAddress::kIPv6AddressSize) +
+            1;
+      }
+      break;
+    case CapsuleType::ROUTE_ADVERTISEMENT:
+      capsule_data_length = 0;
+      for (auto ip_address_range :
+           capsule.route_advertisement_capsule().ip_address_ranges) {
+        capsule_data_length += 1 +
+                               (ip_address_range.start_ip_address.IsIPv4()
+                                    ? QuicIpAddress::kIPv4AddressSize
+                                    : QuicIpAddress::kIPv6AddressSize) *
+                                   2 +
+                               1;
+      }
+      break;
     default:
       capsule_data_length = capsule.unknown_capsule_data().length();
       break;
@@ -254,6 +395,88 @@ quiche::QuicheBuffer SerializeCapsule(
         return {};
       }
       break;
+    case CapsuleType::ADDRESS_REQUEST:
+      for (auto requested_address :
+           capsule.address_request_capsule().requested_addresses) {
+        if (!writer.WriteVarInt62(requested_address.request_id)) {
+          QUIC_BUG(address request capsule id write fail)
+              << "Failed to write ADDRESS_REQUEST ID";
+          return {};
+        }
+        if (!writer.WriteUInt8(
+                requested_address.ip_prefix.address().IsIPv4() ? 4 : 6)) {
+          QUIC_BUG(address request capsule family write fail)
+              << "Failed to write ADDRESS_REQUEST family";
+          return {};
+        }
+        if (!writer.WriteStringPiece(
+                requested_address.ip_prefix.address().ToPackedString())) {
+          QUIC_BUG(address request capsule address write fail)
+              << "Failed to write ADDRESS_REQUEST address";
+          return {};
+        }
+        if (!writer.WriteUInt8(requested_address.ip_prefix.prefix_length())) {
+          QUIC_BUG(address request capsule prefix length write fail)
+              << "Failed to write ADDRESS_REQUEST prefix length";
+          return {};
+        }
+      }
+      break;
+    case CapsuleType::ADDRESS_ASSIGN:
+      for (auto assigned_address :
+           capsule.address_assign_capsule().assigned_addresses) {
+        if (!writer.WriteVarInt62(assigned_address.request_id)) {
+          QUIC_BUG(address request capsule id write fail)
+              << "Failed to write ADDRESS_ASSIGN ID";
+          return {};
+        }
+        if (!writer.WriteUInt8(
+                assigned_address.ip_prefix.address().IsIPv4() ? 4 : 6)) {
+          QUIC_BUG(address request capsule family write fail)
+              << "Failed to write ADDRESS_ASSIGN family";
+          return {};
+        }
+        if (!writer.WriteStringPiece(
+                assigned_address.ip_prefix.address().ToPackedString())) {
+          QUIC_BUG(address request capsule address write fail)
+              << "Failed to write ADDRESS_ASSIGN address";
+          return {};
+        }
+        if (!writer.WriteUInt8(assigned_address.ip_prefix.prefix_length())) {
+          QUIC_BUG(address request capsule prefix length write fail)
+              << "Failed to write ADDRESS_ASSIGN prefix length";
+          return {};
+        }
+      }
+      break;
+    case CapsuleType::ROUTE_ADVERTISEMENT:
+      for (auto ip_address_range :
+           capsule.route_advertisement_capsule().ip_address_ranges) {
+        if (!writer.WriteUInt8(
+                ip_address_range.start_ip_address.IsIPv4() ? 4 : 6)) {
+          QUIC_BUG(route advertisement capsule family write fail)
+              << "Failed to write ROUTE_ADVERTISEMENT family";
+          return {};
+        }
+        if (!writer.WriteStringPiece(
+                ip_address_range.start_ip_address.ToPackedString())) {
+          QUIC_BUG(route advertisement capsule start address write fail)
+              << "Failed to write ROUTE_ADVERTISEMENT start address";
+          return {};
+        }
+        if (!writer.WriteStringPiece(
+                ip_address_range.end_ip_address.ToPackedString())) {
+          QUIC_BUG(route advertisement capsule end address write fail)
+              << "Failed to write ROUTE_ADVERTISEMENT end address";
+          return {};
+        }
+        if (!writer.WriteUInt8(ip_address_range.ip_protocol)) {
+          QUIC_BUG(route advertisement capsule IP protocol write fail)
+              << "Failed to write ROUTE_ADVERTISEMENT IP protocol";
+          return {};
+        }
+      }
+      break;
     default:
       if (!writer.WriteStringPiece(capsule.unknown_capsule_data())) {
         QUIC_BUG(capsule data write fail) << "Failed to write CAPSULE data";
@@ -334,6 +557,154 @@ size_t CapsuleParser::AttemptParseCapsule() {
       capsule.close_web_transport_session_capsule().error_message =
           capsule_data_reader.ReadRemainingPayload();
       break;
+    case CapsuleType::ADDRESS_REQUEST: {
+      while (!capsule_data_reader.IsDoneReading()) {
+        PrefixWithId requested_address;
+        if (!capsule_data_reader.ReadVarInt62(&requested_address.request_id)) {
+          ReportParseFailure(
+              "Unable to parse capsule ADDRESS_REQUEST request ID");
+          return 0;
+        }
+        uint8_t address_family;
+        if (!capsule_data_reader.ReadUInt8(&address_family)) {
+          ReportParseFailure("Unable to parse capsule ADDRESS_REQUEST family");
+          return 0;
+        }
+        if (address_family != 4 && address_family != 6) {
+          ReportParseFailure("Bad ADDRESS_REQUEST family");
+          return 0;
+        }
+        absl::string_view ip_address_bytes;
+        if (!capsule_data_reader.ReadStringPiece(
+                &ip_address_bytes, address_family == 4
+                                       ? QuicIpAddress::kIPv4AddressSize
+                                       : QuicIpAddress::kIPv6AddressSize)) {
+          ReportParseFailure("Unable to read capsule ADDRESS_REQUEST address");
+          return 0;
+        }
+        quiche::QuicheIpAddress ip_address;
+        if (!ip_address.FromPackedString(ip_address_bytes.data(),
+                                         ip_address_bytes.size())) {
+          ReportParseFailure("Unable to parse capsule ADDRESS_REQUEST address");
+          return 0;
+        }
+        uint8_t ip_prefix_length;
+        if (!capsule_data_reader.ReadUInt8(&ip_prefix_length)) {
+          ReportParseFailure(
+              "Unable to parse capsule ADDRESS_REQUEST IP prefix length");
+          return 0;
+        }
+        if (ip_prefix_length >
+            quiche::QuicheIpPrefix(ip_address).prefix_length()) {
+          ReportParseFailure("Invalid IP prefix length");
+          return 0;
+        }
+        requested_address.ip_prefix =
+            quiche::QuicheIpPrefix(ip_address, ip_prefix_length);
+        capsule.address_request_capsule().requested_addresses.push_back(
+            requested_address);
+      }
+    } break;
+    case CapsuleType::ADDRESS_ASSIGN: {
+      while (!capsule_data_reader.IsDoneReading()) {
+        PrefixWithId assigned_address;
+        if (!capsule_data_reader.ReadVarInt62(&assigned_address.request_id)) {
+          ReportParseFailure(
+              "Unable to parse capsule ADDRESS_ASSIGN request ID");
+          return 0;
+        }
+        uint8_t address_family;
+        if (!capsule_data_reader.ReadUInt8(&address_family)) {
+          ReportParseFailure("Unable to parse capsule ADDRESS_ASSIGN family");
+          return 0;
+        }
+        if (address_family != 4 && address_family != 6) {
+          ReportParseFailure("Bad ADDRESS_ASSIGN family");
+          return 0;
+        }
+        absl::string_view ip_address_bytes;
+        if (!capsule_data_reader.ReadStringPiece(
+                &ip_address_bytes, address_family == 4
+                                       ? QuicIpAddress::kIPv4AddressSize
+                                       : QuicIpAddress::kIPv6AddressSize)) {
+          ReportParseFailure("Unable to read capsule ADDRESS_ASSIGN address");
+          return 0;
+        }
+        quiche::QuicheIpAddress ip_address;
+        if (!ip_address.FromPackedString(ip_address_bytes.data(),
+                                         ip_address_bytes.size())) {
+          ReportParseFailure("Unable to parse capsule ADDRESS_ASSIGN address");
+          return 0;
+        }
+        uint8_t ip_prefix_length;
+        if (!capsule_data_reader.ReadUInt8(&ip_prefix_length)) {
+          ReportParseFailure(
+              "Unable to parse capsule ADDRESS_ASSIGN IP prefix length");
+          return 0;
+        }
+        if (ip_prefix_length >
+            quiche::QuicheIpPrefix(ip_address).prefix_length()) {
+          ReportParseFailure("Invalid IP prefix length");
+          return 0;
+        }
+        assigned_address.ip_prefix =
+            quiche::QuicheIpPrefix(ip_address, ip_prefix_length);
+        capsule.address_assign_capsule().assigned_addresses.push_back(
+            assigned_address);
+      }
+    } break;
+    case CapsuleType::ROUTE_ADVERTISEMENT: {
+      while (!capsule_data_reader.IsDoneReading()) {
+        uint8_t address_family;
+        if (!capsule_data_reader.ReadUInt8(&address_family)) {
+          ReportParseFailure(
+              "Unable to parse capsule ROUTE_ADVERTISEMENT family");
+          return 0;
+        }
+        if (address_family != 4 && address_family != 6) {
+          ReportParseFailure("Bad ROUTE_ADVERTISEMENT family");
+          return 0;
+        }
+        IpAddressRange ip_address_range;
+        absl::string_view start_ip_address_bytes;
+        if (!capsule_data_reader.ReadStringPiece(
+                &start_ip_address_bytes,
+                address_family == 4 ? QuicIpAddress::kIPv4AddressSize
+                                    : QuicIpAddress::kIPv6AddressSize)) {
+          ReportParseFailure(
+              "Unable to read capsule ROUTE_ADVERTISEMENT start address");
+          return 0;
+        }
+        if (!ip_address_range.start_ip_address.FromPackedString(
+                start_ip_address_bytes.data(), start_ip_address_bytes.size())) {
+          ReportParseFailure(
+              "Unable to parse capsule ROUTE_ADVERTISEMENT start address");
+          return 0;
+        }
+        absl::string_view end_ip_address_bytes;
+        if (!capsule_data_reader.ReadStringPiece(
+                &end_ip_address_bytes, address_family == 4
+                                           ? QuicIpAddress::kIPv4AddressSize
+                                           : QuicIpAddress::kIPv6AddressSize)) {
+          ReportParseFailure(
+              "Unable to read capsule ROUTE_ADVERTISEMENT end address");
+          return 0;
+        }
+        if (!ip_address_range.end_ip_address.FromPackedString(
+                end_ip_address_bytes.data(), end_ip_address_bytes.size())) {
+          ReportParseFailure(
+              "Unable to parse capsule ROUTE_ADVERTISEMENT end address");
+          return 0;
+        }
+        if (!capsule_data_reader.ReadUInt8(&ip_address_range.ip_protocol)) {
+          ReportParseFailure(
+              "Unable to parse capsule ROUTE_ADVERTISEMENT IP protocol");
+          return 0;
+        }
+        capsule.route_advertisement_capsule().ip_address_ranges.push_back(
+            ip_address_range);
+      }
+    } break;
     default:
       capsule.unknown_capsule_data() =
           capsule_data_reader.ReadRemainingPayload();
@@ -363,4 +734,28 @@ void CapsuleParser::ErrorIfThereIsRemainingBufferedData() {
   }
 }
 
+bool PrefixWithId::operator==(const PrefixWithId& other) const {
+  return request_id == other.request_id && ip_prefix == other.ip_prefix;
+}
+
+bool IpAddressRange::operator==(const IpAddressRange& other) const {
+  return start_ip_address == other.start_ip_address &&
+         end_ip_address == other.end_ip_address &&
+         ip_protocol == other.ip_protocol;
+}
+
+bool AddressAssignCapsule::operator==(const AddressAssignCapsule& other) const {
+  return assigned_addresses == other.assigned_addresses;
+}
+
+bool AddressRequestCapsule::operator==(
+    const AddressRequestCapsule& other) const {
+  return requested_addresses == other.requested_addresses;
+}
+
+bool RouteAdvertisementCapsule::operator==(
+    const RouteAdvertisementCapsule& other) const {
+  return ip_address_ranges == other.ip_address_ranges;
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule.h b/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule.h
index 7b4cc46d16b..3d83a5580e8 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule.h
@@ -7,6 +7,7 @@
 
 #include <cstdint>
 #include <string>
+#include <vector>
 
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
@@ -15,15 +16,20 @@
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/common/platform/api/quiche_logging.h"
 #include "quiche/common/quiche_buffer_allocator.h"
+#include "quiche/common/quiche_ip_address.h"
 
 namespace quic {
 
 enum class CapsuleType : uint64_t {
-  // Casing in this enum matches the IETF specification.
+  // Casing in this enum matches the IETF specifications.
   LEGACY_DATAGRAM = 0xff37a0,  // draft-ietf-masque-h3-datagram-04.
   DATAGRAM_WITHOUT_CONTEXT =
       0xff37a5,  // draft-ietf-masque-h3-datagram-05 to -08.
   CLOSE_WEBTRANSPORT_SESSION = 0x2843,
+  // draft-ietf-masque-connect-ip-03.
+  ADDRESS_ASSIGN = 0x1ECA6A00,
+  ADDRESS_REQUEST = 0x1ECA6A01,
+  ROUTE_ADVERTISEMENT = 0x1ECA6A02,
 };
 
 QUIC_EXPORT_PRIVATE std::string CapsuleTypeToString(CapsuleType capsule_type);
@@ -40,6 +46,29 @@ struct QUIC_EXPORT_PRIVATE CloseWebTransportSessionCapsule {
   WebTransportSessionError error_code;
   absl::string_view error_message;
 };
+struct QUIC_EXPORT_PRIVATE PrefixWithId {
+  uint64_t request_id;
+  quiche::QuicheIpPrefix ip_prefix;
+  bool operator==(const PrefixWithId& other) const;
+};
+struct QUIC_EXPORT_PRIVATE IpAddressRange {
+  quiche::QuicheIpAddress start_ip_address;
+  quiche::QuicheIpAddress end_ip_address;
+  uint8_t ip_protocol;
+  bool operator==(const IpAddressRange& other) const;
+};
+struct QUIC_EXPORT_PRIVATE AddressAssignCapsule {
+  std::vector<PrefixWithId> assigned_addresses;
+  bool operator==(const AddressAssignCapsule& other) const;
+};
+struct QUIC_EXPORT_PRIVATE AddressRequestCapsule {
+  std::vector<PrefixWithId> requested_addresses;
+  bool operator==(const AddressRequestCapsule& other) const;
+};
+struct QUIC_EXPORT_PRIVATE RouteAdvertisementCapsule {
+  std::vector<IpAddressRange> ip_address_ranges;
+  bool operator==(const RouteAdvertisementCapsule& other) const;
+};
 
 // Capsule from draft-ietf-masque-h3-datagram.
 // IMPORTANT NOTE: Capsule does not own any of the absl::string_view memory it
@@ -55,11 +84,15 @@ class QUIC_EXPORT_PRIVATE Capsule {
   static Capsule CloseWebTransportSession(
       WebTransportSessionError error_code = 0,
       absl::string_view error_message = "");
+  static Capsule AddressRequest();
+  static Capsule AddressAssign();
+  static Capsule RouteAdvertisement();
   static Capsule Unknown(
       uint64_t capsule_type,
       absl::string_view unknown_capsule_data = absl::string_view());
 
   explicit Capsule(CapsuleType capsule_type);
+  ~Capsule();
   Capsule(const Capsule& other);
   Capsule& operator=(const Capsule& other);
   bool operator==(const Capsule& other) const;
@@ -96,27 +129,61 @@ class QUIC_EXPORT_PRIVATE Capsule {
     QUICHE_DCHECK_EQ(capsule_type_, CapsuleType::CLOSE_WEBTRANSPORT_SESSION);
     return close_web_transport_session_capsule_;
   }
+  AddressRequestCapsule& address_request_capsule() {
+    QUICHE_DCHECK_EQ(capsule_type_, CapsuleType::ADDRESS_REQUEST);
+    return *address_request_capsule_;
+  }
+  const AddressRequestCapsule& address_request_capsule() const {
+    QUICHE_DCHECK_EQ(capsule_type_, CapsuleType::ADDRESS_REQUEST);
+    return *address_request_capsule_;
+  }
+  AddressAssignCapsule& address_assign_capsule() {
+    QUICHE_DCHECK_EQ(capsule_type_, CapsuleType::ADDRESS_ASSIGN);
+    return *address_assign_capsule_;
+  }
+  const AddressAssignCapsule& address_assign_capsule() const {
+    QUICHE_DCHECK_EQ(capsule_type_, CapsuleType::ADDRESS_ASSIGN);
+    return *address_assign_capsule_;
+  }
+  RouteAdvertisementCapsule& route_advertisement_capsule() {
+    QUICHE_DCHECK_EQ(capsule_type_, CapsuleType::ROUTE_ADVERTISEMENT);
+    return *route_advertisement_capsule_;
+  }
+  const RouteAdvertisementCapsule& route_advertisement_capsule() const {
+    QUICHE_DCHECK_EQ(capsule_type_, CapsuleType::ROUTE_ADVERTISEMENT);
+    return *route_advertisement_capsule_;
+  }
   absl::string_view& unknown_capsule_data() {
     QUICHE_DCHECK(capsule_type_ != CapsuleType::LEGACY_DATAGRAM &&
                   capsule_type_ != CapsuleType::DATAGRAM_WITHOUT_CONTEXT &&
-                  capsule_type_ != CapsuleType::CLOSE_WEBTRANSPORT_SESSION)
+                  capsule_type_ != CapsuleType::CLOSE_WEBTRANSPORT_SESSION &&
+                  capsule_type_ != CapsuleType::ADDRESS_REQUEST &&
+                  capsule_type_ != CapsuleType::ADDRESS_ASSIGN &&
+                  capsule_type_ != CapsuleType::ROUTE_ADVERTISEMENT)
         << capsule_type_;
     return unknown_capsule_data_;
   }
   const absl::string_view& unknown_capsule_data() const {
     QUICHE_DCHECK(capsule_type_ != CapsuleType::LEGACY_DATAGRAM &&
                   capsule_type_ != CapsuleType::DATAGRAM_WITHOUT_CONTEXT &&
-                  capsule_type_ != CapsuleType::CLOSE_WEBTRANSPORT_SESSION)
+                  capsule_type_ != CapsuleType::CLOSE_WEBTRANSPORT_SESSION &&
+                  capsule_type_ != CapsuleType::ADDRESS_REQUEST &&
+                  capsule_type_ != CapsuleType::ADDRESS_ASSIGN &&
+                  capsule_type_ != CapsuleType::ROUTE_ADVERTISEMENT)
         << capsule_type_;
     return unknown_capsule_data_;
   }
 
  private:
+  void Free();
   CapsuleType capsule_type_;
   union {
     LegacyDatagramCapsule legacy_datagram_capsule_;
     DatagramWithoutContextCapsule datagram_without_context_capsule_;
     CloseWebTransportSessionCapsule close_web_transport_session_capsule_;
+    AddressRequestCapsule* address_request_capsule_;
+    AddressAssignCapsule* address_assign_capsule_;
+    RouteAdvertisementCapsule* route_advertisement_capsule_;
     absl::string_view unknown_capsule_data_;
   };
 };
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule_test.cc
index 1791bb6a504..a6860954972 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/capsule_test.cc
@@ -13,6 +13,7 @@
 #include "absl/strings/string_view.h"
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/test_tools/quic_test_utils.h"
+#include "quiche/common/quiche_ip_address.h"
 #include "quiche/common/test_tools/quiche_test_utils.h"
 
 using ::testing::_;
@@ -116,6 +117,123 @@ TEST_F(CapsuleTest, CloseWebTransportStreamCapsule) {
   TestSerialization(expected_capsule, capsule_fragment);
 }
 
+TEST_F(CapsuleTest, AddressAssignCapsule) {
+  std::string capsule_fragment = absl::HexStringToBytes(
+      "9ECA6A00"  // ADDRESS_ASSIGN capsule type
+      "1A"        // capsule length = 26
+      // first assigned address
+      "00"        // request ID = 0
+      "04"        // IP version = 4
+      "C000022A"  // 192.0.2.42
+      "1F"        // prefix length = 31
+      // second assigned address
+      "01"                                // request ID = 1
+      "06"                                // IP version = 6
+      "20010db8123456780000000000000000"  // 2001:db8:1234:5678::
+      "40"                                // prefix length = 64
+  );
+  Capsule expected_capsule = Capsule::AddressAssign();
+  quiche::QuicheIpAddress ip_address1;
+  ip_address1.FromString("192.0.2.42");
+  PrefixWithId assigned_address1;
+  assigned_address1.request_id = 0;
+  assigned_address1.ip_prefix =
+      quiche::QuicheIpPrefix(ip_address1, /*prefix_length=*/31);
+  expected_capsule.address_assign_capsule().assigned_addresses.push_back(
+      assigned_address1);
+  quiche::QuicheIpAddress ip_address2;
+  ip_address2.FromString("2001:db8:1234:5678::");
+  PrefixWithId assigned_address2;
+  assigned_address2.request_id = 1;
+  assigned_address2.ip_prefix =
+      quiche::QuicheIpPrefix(ip_address2, /*prefix_length=*/64);
+  expected_capsule.address_assign_capsule().assigned_addresses.push_back(
+      assigned_address2);
+  {
+    EXPECT_CALL(visitor_, OnCapsule(expected_capsule));
+    ASSERT_TRUE(capsule_parser_.IngestCapsuleFragment(capsule_fragment));
+  }
+  ValidateParserIsEmpty();
+  TestSerialization(expected_capsule, capsule_fragment);
+}
+
+TEST_F(CapsuleTest, AddressRequestCapsule) {
+  std::string capsule_fragment = absl::HexStringToBytes(
+      "9ECA6A01"  // ADDRESS_REQUEST capsule type
+      "1A"        // capsule length = 26
+      // first requested address
+      "00"        // request ID = 0
+      "04"        // IP version = 4
+      "C000022A"  // 192.0.2.42
+      "1F"        // prefix length = 31
+      // second requested address
+      "01"                                // request ID = 1
+      "06"                                // IP version = 6
+      "20010db8123456780000000000000000"  // 2001:db8:1234:5678::
+      "40"                                // prefix length = 64
+  );
+  Capsule expected_capsule = Capsule::AddressRequest();
+  quiche::QuicheIpAddress ip_address1;
+  ip_address1.FromString("192.0.2.42");
+  PrefixWithId requested_address1;
+  requested_address1.request_id = 0;
+  requested_address1.ip_prefix =
+      quiche::QuicheIpPrefix(ip_address1, /*prefix_length=*/31);
+  expected_capsule.address_request_capsule().requested_addresses.push_back(
+      requested_address1);
+  quiche::QuicheIpAddress ip_address2;
+  ip_address2.FromString("2001:db8:1234:5678::");
+  PrefixWithId requested_address2;
+  requested_address2.request_id = 1;
+  requested_address2.ip_prefix =
+      quiche::QuicheIpPrefix(ip_address2, /*prefix_length=*/64);
+  expected_capsule.address_request_capsule().requested_addresses.push_back(
+      requested_address2);
+  {
+    EXPECT_CALL(visitor_, OnCapsule(expected_capsule));
+    ASSERT_TRUE(capsule_parser_.IngestCapsuleFragment(capsule_fragment));
+  }
+  ValidateParserIsEmpty();
+  TestSerialization(expected_capsule, capsule_fragment);
+}
+
+TEST_F(CapsuleTest, RouteAdvertisementCapsule) {
+  std::string capsule_fragment = absl::HexStringToBytes(
+      "9ECA6A02"  // ROUTE_ADVERTISEMENT capsule type
+      "2C"        // capsule length = 44
+      // first IP address range
+      "04"        // IP version = 4
+      "C0000218"  // 192.0.2.24
+      "C000022A"  // 192.0.2.42
+      "00"        // ip protocol = 0
+      // second IP address range
+      "06"                                // IP version = 6
+      "00000000000000000000000000000000"  // ::
+      "ffffffffffffffffffffffffffffffff"  // all ones IPv6 address
+      "01"                                // ip protocol = 1 (ICMP)
+  );
+  Capsule expected_capsule = Capsule::RouteAdvertisement();
+  IpAddressRange ip_address_range1;
+  ip_address_range1.start_ip_address.FromString("192.0.2.24");
+  ip_address_range1.end_ip_address.FromString("192.0.2.42");
+  ip_address_range1.ip_protocol = 0;
+  expected_capsule.route_advertisement_capsule().ip_address_ranges.push_back(
+      ip_address_range1);
+  IpAddressRange ip_address_range2;
+  ip_address_range2.start_ip_address.FromString("::");
+  ip_address_range2.end_ip_address.FromString(
+      "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff");
+  ip_address_range2.ip_protocol = 1;
+  expected_capsule.route_advertisement_capsule().ip_address_ranges.push_back(
+      ip_address_range2);
+  {
+    EXPECT_CALL(visitor_, OnCapsule(expected_capsule));
+    ASSERT_TRUE(capsule_parser_.IngestCapsuleFragment(capsule_fragment));
+  }
+  ValidateParserIsEmpty();
+  TestSerialization(expected_capsule, capsule_fragment);
+}
+
 TEST_F(CapsuleTest, UnknownCapsule) {
   std::string capsule_fragment = absl::HexStringToBytes(
       "33"                // unknown capsule type of 0x33
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/end_to_end_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/end_to_end_test.cc
index 713d7c52c75..af39239ee59 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/end_to_end_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/end_to_end_test.cc
@@ -47,7 +47,6 @@
 #include "quiche/quic/test_tools/packet_reordering_writer.h"
 #include "quiche/quic/test_tools/qpack/qpack_encoder_peer.h"
 #include "quiche/quic/test_tools/qpack/qpack_test_utils.h"
-#include "quiche/quic/test_tools/quic_client_peer.h"
 #include "quiche/quic/test_tools/quic_client_session_cache_peer.h"
 #include "quiche/quic/test_tools/quic_config_peer.h"
 #include "quiche/quic/test_tools/quic_connection_peer.h"
@@ -68,7 +67,6 @@
 #include "quiche/quic/test_tools/server_thread.h"
 #include "quiche/quic/test_tools/web_transport_test_tools.h"
 #include "quiche/quic/tools/quic_backend_response.h"
-#include "quiche/quic/tools/quic_client.h"
 #include "quiche/quic/tools/quic_memory_cache_backend.h"
 #include "quiche/quic/tools/quic_server.h"
 #include "quiche/quic/tools/quic_simple_client_stream.h"
@@ -2773,7 +2771,7 @@ TEST_P(
     HalfRttResponseBlocksShloRetransmissionWithoutTokenBasedAddressValidation) {
   // Turn off token based address validation to make the server get constrained
   // by amplification factor during handshake.
-  SetQuicFlag(FLAGS_quic_reject_retry_token_in_initial_packet, true);
+  SetQuicFlag(quic_reject_retry_token_in_initial_packet, true);
   ASSERT_TRUE(Initialize());
   if (!version_.SupportsAntiAmplificationLimit()) {
     return;
@@ -2866,7 +2864,7 @@ TEST_P(EndToEndTest, StreamCancelErrorTest) {
 
 TEST_P(EndToEndTest, ConnectionMigrationClientIPChanged) {
   ASSERT_TRUE(Initialize());
-  if (GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+  if (GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   SendSynchronousFooRequestAndCheckResponse();
@@ -2910,7 +2908,7 @@ TEST_P(EndToEndTest, ConnectionMigrationClientIPChanged) {
 TEST_P(EndToEndTest, IetfConnectionMigrationClientIPChangedMultipleTimes) {
   ASSERT_TRUE(Initialize());
   if (!GetClientConnection()->connection_migration_use_new_cid() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   SendSynchronousFooRequestAndCheckResponse();
@@ -3022,7 +3020,7 @@ TEST_P(EndToEndTest, IetfConnectionMigrationClientIPChangedMultipleTimes) {
 TEST_P(EndToEndTest,
        ConnectionMigrationWithNonZeroConnectionIDClientIPChangedMultipleTimes) {
   if (!version_.SupportsClientConnectionIds() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     ASSERT_TRUE(Initialize());
     return;
   }
@@ -3160,7 +3158,7 @@ TEST_P(EndToEndTest, ConnectionMigrationNewTokenForNewIp) {
   ASSERT_TRUE(Initialize());
   if (!version_.HasIetfQuicFrames() ||
       !client_->client()->session()->connection()->validate_client_address() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   SendSynchronousFooRequestAndCheckResponse();
@@ -3501,7 +3499,6 @@ TEST_P(EndToEndTest, ConnectionMigrationClientPortChanged) {
 }
 
 TEST_P(EndToEndTest, NegotiatedInitialCongestionWindow) {
-  SetQuicReloadableFlag(quic_unified_iw_options, true);
   client_extra_copts_.push_back(kIW03);
 
   ASSERT_TRUE(Initialize());
@@ -4082,6 +4079,24 @@ TEST_P(EndToEndTest, ServerSendPublicResetWithDifferentConnectionId) {
   client_connection->set_debug_visitor(nullptr);
 }
 
+TEST_P(EndToEndTest, InduceStatelessResetFromServer) {
+  ASSERT_TRUE(Initialize());
+  if (!version_.HasIetfQuicFrames()) {
+    return;
+  }
+  EXPECT_TRUE(client_->client()->WaitForHandshakeConfirmed());
+  SetPacketLossPercentage(100);  // Block PEER_GOING_AWAY message from server.
+  StopServer(true);
+  server_writer_ = new PacketDroppingTestWriter();
+  StartServer();
+  SetPacketLossPercentage(0);
+  // The request should generate a public reset.
+  EXPECT_EQ("", client_->SendSynchronousRequest("/foo"));
+  EXPECT_TRUE(client_->response_headers()->empty());
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_PUBLIC_RESET));
+  EXPECT_FALSE(client_->connected());
+}
+
 // Send a public reset from the client for a different connection ID.
 // It should be ignored.
 TEST_P(EndToEndTest, ClientSendPublicResetWithDifferentConnectionId) {
@@ -4959,7 +4974,7 @@ TEST_P(EndToEndTest,
 TEST_P(EndToEndTest,
        SendStatelessResetIfServerConnectionClosedLocallyAfterHandshake) {
   // Prevent the connection from expiring in the time wait list.
-  SetQuicFlag(FLAGS_quic_time_wait_list_seconds, 10000);
+  SetQuicFlag(quic_time_wait_list_seconds, 10000);
   connect_to_server_on_initialize_ = false;
   ASSERT_TRUE(Initialize());
 
@@ -5402,6 +5417,49 @@ TEST_P(EndToEndTest, ClientValidateNewNetwork) {
   server_thread_->Resume();
 }
 
+TEST_P(EndToEndTest, ClientMultiPortConnection) {
+  client_extra_copts_.push_back(kMPQC);
+  ASSERT_TRUE(Initialize());
+  if (!GetClientConnection()->connection_migration_use_new_cid()) {
+    return;
+  }
+  client_.reset(EndToEndTest::CreateQuicClient(nullptr));
+  QuicConnection* client_connection = GetClientConnection();
+  // Increase the probing frequency to speed up this test.
+  client_connection->SetMultiPortProbingInterval(
+      QuicTime::Delta::FromMilliseconds(100));
+  SendSynchronousFooRequestAndCheckResponse();
+  EXPECT_TRUE(client_->WaitUntil(1000, [&]() {
+    return 1u == client_connection->GetStats().num_path_response_received;
+  }));
+  // Verify that the alternative path keeps sending probes periodically.
+  EXPECT_TRUE(client_->WaitUntil(1000, [&]() {
+    return 2u == client_connection->GetStats().num_path_response_received;
+  }));
+  server_thread_->Pause();
+  QuicConnection* server_connection = GetServerConnection();
+  // Verify that no migration has happened.
+  if (server_connection != nullptr) {
+    EXPECT_EQ(0u, server_connection->GetStats()
+                      .num_peer_migration_to_proactively_validated_address);
+  }
+  server_thread_->Resume();
+
+  // This will cause the next periodic probing to fail.
+  server_writer_->set_fake_packet_loss_percentage(100);
+  EXPECT_TRUE(client_->WaitUntil(
+      1000, [&]() { return client_->client()->HasPendingPathValidation(); }));
+  // Now wait for path validation to timeout.
+  EXPECT_TRUE(client_->WaitUntil(
+      2000, [&]() { return !client_->client()->HasPendingPathValidation(); }));
+  server_writer_->set_fake_packet_loss_percentage(0);
+  EXPECT_TRUE(client_->WaitUntil(1000, [&]() {
+    return 3u == client_connection->GetStats().num_path_response_received;
+  }));
+  // Verify that the previous path was retired.
+  EXPECT_EQ(1u, client_connection->GetStats().num_retire_connection_id_sent);
+}
+
 TEST_P(EndToEndPacketReorderingTest, ReorderedPathChallenge) {
   ASSERT_TRUE(Initialize());
   if (!version_.HasIetfQuicFrames()) {
@@ -6318,7 +6376,7 @@ TEST_P(EndToEndTest, KeyUpdateInitiatedByBoth) {
 }
 
 TEST_P(EndToEndTest, KeyUpdateInitiatedByConfidentialityLimit) {
-  SetQuicFlag(FLAGS_quic_key_update_confidentiality_limit, 16U);
+  SetQuicFlag(quic_key_update_confidentiality_limit, 16U);
 
   if (!version_.UsesTls()) {
     // Key Update is only supported in TLS handshake.
@@ -6344,8 +6402,8 @@ TEST_P(EndToEndTest, KeyUpdateInitiatedByConfidentialityLimit) {
       },
       QuicTime::Delta::FromSeconds(5));
 
-  for (uint64_t i = 0;
-       i < GetQuicFlag(FLAGS_quic_key_update_confidentiality_limit); ++i) {
+  for (uint64_t i = 0; i < GetQuicFlag(quic_key_update_confidentiality_limit);
+       ++i) {
     SendSynchronousFooRequestAndCheckResponse();
   }
 
@@ -6365,7 +6423,7 @@ TEST_P(EndToEndTest, KeyUpdateInitiatedByConfidentialityLimit) {
 }
 
 TEST_P(EndToEndTest, TlsResumptionEnabledOnTheFly) {
-  SetQuicFlag(FLAGS_quic_disable_server_tls_resumption, true);
+  SetQuicFlag(quic_disable_server_tls_resumption, true);
   ASSERT_TRUE(Initialize());
 
   if (!version_.UsesTls()) {
@@ -6382,7 +6440,7 @@ TEST_P(EndToEndTest, TlsResumptionEnabledOnTheFly) {
   EXPECT_FALSE(client_session->EarlyDataAccepted());
   client_->Disconnect();
 
-  SetQuicFlag(FLAGS_quic_disable_server_tls_resumption, false);
+  SetQuicFlag(quic_disable_server_tls_resumption, false);
 
   // Send the second request. Client should still have no resumption ticket, but
   // it will receive one which can be used by the next request.
@@ -6407,7 +6465,7 @@ TEST_P(EndToEndTest, TlsResumptionEnabledOnTheFly) {
 }
 
 TEST_P(EndToEndTest, TlsResumptionDisabledOnTheFly) {
-  SetQuicFlag(FLAGS_quic_disable_server_tls_resumption, false);
+  SetQuicFlag(quic_disable_server_tls_resumption, false);
   ASSERT_TRUE(Initialize());
 
   if (!version_.UsesTls()) {
@@ -6431,7 +6489,7 @@ TEST_P(EndToEndTest, TlsResumptionDisabledOnTheFly) {
   EXPECT_TRUE(client_session->EarlyDataAccepted());
   client_->Disconnect();
 
-  SetQuicFlag(FLAGS_quic_disable_server_tls_resumption, true);
+  SetQuicFlag(quic_disable_server_tls_resumption, true);
 
   // Send the third request. The client should try resumption but server should
   // decline it.
@@ -7035,7 +7093,6 @@ TEST_P(EndToEndTest, RejectRequestWithInvalidToken) {
 }
 
 TEST_P(EndToEndTest, OriginalConnectionIdClearedFromMap) {
-  SetQuicRestartFlag(quic_map_original_connection_ids2, true);
   connect_to_server_on_initialize_ = false;
   ASSERT_TRUE(Initialize());
   if (override_client_connection_id_length_ != kLongConnectionIdLength) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_decoder.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_decoder.cc
index 2bdce8eff3e..c6be41eb76c 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_decoder.cc
@@ -670,4 +670,16 @@ QuicByteCount HttpDecoder::MaxFrameLength(uint64_t frame_type) {
   }
 }
 
+std::string HttpDecoder::DebugString() const {
+  return absl::StrCat(
+      "HttpDecoder:", "\n  state: ", state_, "\n  error: ", error_,
+      "\n  current_frame_type: ", current_frame_type_,
+      "\n  current_length_field_length: ", current_length_field_length_,
+      "\n  remaining_length_field_length: ", remaining_length_field_length_,
+      "\n  current_frame_length: ", current_frame_length_,
+      "\n  remaining_frame_length: ", remaining_frame_length_,
+      "\n  current_type_field_length: ", current_type_field_length_,
+      "\n  remaining_type_field_length: ", remaining_type_field_length_);
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_decoder.h b/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_decoder.h
index ac6827663ad..0e49c3f2381 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_decoder.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_decoder.h
@@ -146,6 +146,8 @@ class QUIC_EXPORT_PRIVATE HttpDecoder {
   // Returns true if input data processed so far ends on a frame boundary.
   bool AtFrameBoundary() const { return state_ == STATE_READING_FRAME_TYPE; }
 
+  std::string DebugString() const;
+
  private:
   friend test::HttpDecoderPeer;
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_encoder.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_encoder.cc
index e36c3f5d628..66c83730f28 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_encoder.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/http_encoder.cc
@@ -202,7 +202,7 @@ std::string HttpEncoder::SerializeGreasingFrame() {
   uint64_t frame_type;
   QuicByteCount payload_length;
   std::string payload;
-  if (!GetQuicFlag(FLAGS_quic_enable_http3_grease_randomness)) {
+  if (!GetQuicFlag(quic_enable_http3_grease_randomness)) {
     frame_type = 0x40;
     payload_length = 1;
     payload = "a";
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_send_control_stream.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_send_control_stream.cc
index 6c71740d86e..97b27b26ff9 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_send_control_stream.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_send_control_stream.cc
@@ -56,7 +56,7 @@ void QuicSendControlStream::MaybeSendSettingsFrame() {
   // https://tools.ietf.org/html/draft-ietf-quic-http-25#section-7.2.4.1
   // specifies that setting identifiers of 0x1f * N + 0x21 are reserved and
   // greasing should be attempted.
-  if (!GetQuicFlag(FLAGS_quic_enable_http3_grease_randomness)) {
+  if (!GetQuicFlag(quic_enable_http3_grease_randomness)) {
     settings.values[0x40] = 20;
   } else {
     uint32_t result;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_send_control_stream_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_send_control_stream_test.cc
index f146cee9baf..b606934a32e 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_send_control_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_send_control_stream_test.cc
@@ -107,7 +107,7 @@ INSTANTIATE_TEST_SUITE_P(Tests, QuicSendControlStreamTest,
                          ::testing::PrintToStringParamName());
 
 TEST_P(QuicSendControlStreamTest, WriteSettings) {
-  SetQuicFlag(FLAGS_quic_enable_http3_grease_randomness, false);
+  SetQuicFlag(quic_enable_http3_grease_randomness, false);
   session_.set_qpack_maximum_dynamic_table_capacity(255);
   session_.set_qpack_maximum_blocked_streams(16);
   session_.set_max_inbound_header_list_size(1024);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_server_session_base.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_server_session_base.cc
index 8057060f10c..4fc2aa90025 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_server_session_base.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_server_session_base.cc
@@ -333,7 +333,7 @@ QuicSSLConfig QuicServerSessionBase::GetSSLConfig() const {
   QuicSSLConfig ssl_config = QuicSpdySession::GetSSLConfig();
 
   ssl_config.disable_ticket_support =
-      GetQuicFlag(FLAGS_quic_disable_server_tls_resumption);
+      GetQuicFlag(quic_disable_server_tls_resumption);
 
   if (!crypto_config_ || !crypto_config_->proof_source()) {
     return ssl_config;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_client_stream.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_client_stream.cc
index 92277f916c0..1661c94bdfd 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_client_stream.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_client_stream.cc
@@ -43,6 +43,49 @@ QuicSpdyClientStream::QuicSpdyClientStream(PendingStream* pending,
 
 QuicSpdyClientStream::~QuicSpdyClientStream() = default;
 
+bool QuicSpdyClientStream::CopyAndValidateHeaders(
+    const QuicHeaderList& header_list, int64_t& content_length,
+    spdy::Http2HeaderBlock& headers) {
+  return SpdyUtils::CopyAndValidateHeaders(header_list, &content_length,
+                                           &headers);
+}
+
+bool QuicSpdyClientStream::ParseAndValidateStatusCode() {
+  if (!ParseHeaderStatusCode(response_headers_, &response_code_)) {
+    QUIC_DLOG(ERROR) << "Received invalid response code: "
+                     << response_headers_[":status"].as_string()
+                     << " on stream " << id();
+    Reset(QUIC_BAD_APPLICATION_PAYLOAD);
+    return false;
+  }
+
+  if (response_code_ == 101) {
+    // 101 "Switching Protocols" is forbidden in HTTP/3 as per the
+    // "HTTP Upgrade" section of draft-ietf-quic-http.
+    QUIC_DLOG(ERROR) << "Received forbidden 101 response code"
+                     << " on stream " << id();
+    Reset(QUIC_BAD_APPLICATION_PAYLOAD);
+    return false;
+  }
+
+  if (response_code_ >= 100 && response_code_ < 200) {
+    // These are Informational 1xx headers, not the actual response headers.
+    QUIC_DLOG(INFO) << "Received informational response code: "
+                    << response_headers_[":status"].as_string() << " on stream "
+                    << id();
+    set_headers_decompressed(false);
+    if (response_code_ == 100 && !has_preliminary_headers_) {
+      // This is 100 Continue, save it to enable "Expect: 100-continue".
+      has_preliminary_headers_ = true;
+      preliminary_headers_ = std::move(response_headers_);
+    } else {
+      response_headers_.clear();
+    }
+  }
+
+  return true;
+}
+
 void QuicSpdyClientStream::OnInitialHeadersComplete(
     bool fin, size_t frame_len, const QuicHeaderList& header_list) {
   QuicSpdyStream::OnInitialHeadersComplete(fin, frame_len, header_list);
@@ -55,8 +98,8 @@ void QuicSpdyClientStream::OnInitialHeadersComplete(
     return;
   }
 
-  if (!SpdyUtils::CopyAndValidateHeaders(header_list, &content_length_,
-                                         &response_headers_)) {
+  if (!CopyAndValidateHeaders(header_list, content_length_,
+                              response_headers_)) {
     QUIC_DLOG(ERROR) << "Failed to parse header list: "
                      << header_list.DebugString() << " on stream " << id();
     Reset(QUIC_BAD_APPLICATION_PAYLOAD);
@@ -77,38 +120,10 @@ void QuicSpdyClientStream::OnInitialHeadersComplete(
     }
   }
 
-  if (!ParseHeaderStatusCode(response_headers_, &response_code_)) {
-    QUIC_DLOG(ERROR) << "Received invalid response code: "
-                     << response_headers_[":status"].as_string()
-                     << " on stream " << id();
-    Reset(QUIC_BAD_APPLICATION_PAYLOAD);
-    return;
-  }
-
-  if (response_code_ == 101) {
-    // 101 "Switching Protocols" is forbidden in HTTP/3 as per the
-    // "HTTP Upgrade" section of draft-ietf-quic-http.
-    QUIC_DLOG(ERROR) << "Received forbidden 101 response code"
-                     << " on stream " << id();
-    Reset(QUIC_BAD_APPLICATION_PAYLOAD);
+  if (!ParseAndValidateStatusCode()) {
     return;
   }
 
-  if (response_code_ >= 100 && response_code_ < 200) {
-    // These are Informational 1xx headers, not the actual response headers.
-    QUIC_DLOG(INFO) << "Received informational response code: "
-                    << response_headers_[":status"].as_string() << " on stream "
-                    << id();
-    set_headers_decompressed(false);
-    if (response_code_ == 100 && !has_preliminary_headers_) {
-      // This is 100 Continue, save it to enable "Expect: 100-continue".
-      has_preliminary_headers_ = true;
-      preliminary_headers_ = std::move(response_headers_);
-    } else {
-      response_headers_.clear();
-    }
-  }
-
   ConsumeHeaderList();
   QUIC_DVLOG(1) << "headers complete for stream " << id();
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_client_stream.h b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_client_stream.h
index a0806d757bf..7a4f90a89a5 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_client_stream.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_client_stream.h
@@ -73,6 +73,16 @@ class QUIC_EXPORT_PRIVATE QuicSpdyClientStream : public QuicSpdyStream {
  protected:
   bool AreHeadersValid(const QuicHeaderList& header_list) const override;
 
+  // Called by OnInitialHeadersComplete to set response_header_. Returns false
+  // on error.
+  virtual bool CopyAndValidateHeaders(const QuicHeaderList& header_list,
+                                      int64_t& content_length,
+                                      spdy::Http2HeaderBlock& headers);
+
+  // Called by OnInitialHeadersComplete to set response_code_ based on
+  // response_header_. Returns false on error.
+  virtual bool ParseAndValidateStatusCode();
+
  private:
   // The parsed headers received from the server.
   spdy::Http2HeaderBlock response_headers_;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_session.h b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_session.h
index f1ef594abec..5c779c5090a 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_session.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_session.h
@@ -192,6 +192,14 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
   // This method will only be called for client sessions.
   virtual void OnAcceptChFrame(const AcceptChFrame& /*frame*/) {}
 
+  // Called when an HTTP/3 frame of unknown type has been received.
+  virtual void OnUnknownFrameStart(QuicStreamId /*stream_id*/,
+                                   uint64_t /*frame_type*/,
+                                   QuicByteCount /*header_length*/,
+                                   QuicByteCount /*payload_length*/) {}
+  virtual void OnUnknownFramePayload(QuicStreamId /*stream_id*/,
+                                     absl::string_view /*payload*/) {}
+
   // Sends contents of |iov| to h2_deframer_, returns number of bytes processed.
   size_t ProcessHeaderData(const struct iovec& iov);
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream.cc
index 056514c26eb..cd5590ece5b 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream.cc
@@ -254,22 +254,6 @@ size_t QuicSpdyStream::WriteHeaders(
   }
 
   QuicConnection::ScopedPacketFlusher flusher(spdy_session_->connection());
-  // Send stream type for server push stream
-  if (VersionUsesHttp3(transport_version()) && type() == WRITE_UNIDIRECTIONAL &&
-      send_buffer().stream_offset() == 0) {
-    char data[sizeof(kServerPushStream)];
-    QuicDataWriter writer(ABSL_ARRAYSIZE(data), data);
-    writer.WriteVarInt62(kServerPushStream);
-
-    // Similar to frame headers, stream type byte shouldn't be exposed to upper
-    // layer applications.
-    unacked_frame_headers_offsets_.Add(0, writer.length());
-
-    QUIC_LOG(INFO) << ENDPOINT << "Stream " << id()
-                   << " is writing type as server push";
-    WriteOrBufferData(absl::string_view(writer.data(), writer.length()), false,
-                      nullptr);
-  }
 
   MaybeProcessSentWebTransportHeaders(header_block);
 
@@ -308,6 +292,10 @@ size_t QuicSpdyStream::WriteHeaders(
     }
   }
 
+  if (connect_ip_visitor_ != nullptr) {
+    connect_ip_visitor_->OnHeadersWritten();
+  }
+
   return bytes_written;
 }
 
@@ -383,7 +371,7 @@ QuicConsumedData QuicSpdyStream::WritevBody(const struct iovec* iov, int count,
   quiche::QuicheMemSliceStorage storage(
       iov, count,
       session()->connection()->helper()->GetStreamSendBufferAllocator(),
-      GetQuicFlag(FLAGS_quic_send_buffer_max_data_slice_size));
+      GetQuicFlag(quic_send_buffer_max_data_slice_size));
   return WriteBodySlices(storage.ToSpan(), fin);
 }
 
@@ -625,8 +613,6 @@ void QuicSpdyStream::OnInitialHeadersComplete(
                               : header_list.empty();
   if (!AreHeaderFieldValuesValid(header_list)) {
     OnInvalidHeaders();
-    QUIC_RELOADABLE_FLAG_COUNT_N(
-        quic_validate_header_field_value_at_spdy_stream, 2, 2);
     return;
   }
   // Validate request headers if it did not exceed size limit. If it did,
@@ -828,6 +814,9 @@ void QuicSpdyStream::OnDataAvailable() {
     QuicByteCount processed_bytes = decoder_.ProcessInput(
         reinterpret_cast<const char*>(iov.iov_base), iov.iov_len);
     is_decoder_processing_input_ = false;
+    if (!session()->connection()->connected()) {
+      return;
+    }
     sequencer_offset_ += processed_bytes;
     if (blocked_on_decoding_headers_) {
       return;
@@ -1126,9 +1115,11 @@ bool QuicSpdyStream::OnUnknownFrameStart(uint64_t frame_type,
     spdy_session_->debug_visitor()->OnUnknownFrameReceived(id(), frame_type,
                                                            payload_length);
   }
+  spdy_session_->OnUnknownFrameStart(id(), frame_type, header_length,
+                                     payload_length);
 
-  // Ignore unknown frames, but consume frame header.
-  QUIC_DVLOG(1) << ENDPOINT << "Discarding " << header_length
+  // Consume the frame header.
+  QUIC_DVLOG(1) << ENDPOINT << "Consuming " << header_length
                 << " byte long frame header of frame of unknown type "
                 << frame_type << ".";
   sequencer()->MarkConsumed(body_manager_.OnNonBody(header_length));
@@ -1136,8 +1127,10 @@ bool QuicSpdyStream::OnUnknownFrameStart(uint64_t frame_type,
 }
 
 bool QuicSpdyStream::OnUnknownFramePayload(absl::string_view payload) {
-  // Ignore unknown frames, but consume frame payload.
-  QUIC_DVLOG(1) << ENDPOINT << "Discarding " << payload.size()
+  spdy_session_->OnUnknownFramePayload(id(), payload);
+
+  // Consume the frame payload.
+  QUIC_DVLOG(1) << ENDPOINT << "Consuming " << payload.size()
                 << " bytes of payload of frame of unknown type.";
   sequencer()->MarkConsumed(body_manager_.OnNonBody(payload.size()));
   return true;
@@ -1172,16 +1165,28 @@ size_t QuicSpdyStream::WriteHeadersImpl(
       send_buffer().stream_offset(),
       send_buffer().stream_offset() + headers_frame_header.length());
 
-  QUIC_DLOG(INFO) << ENDPOINT << "Stream " << id()
-                  << " is writing HEADERS frame header of length "
-                  << headers_frame_header.length();
-  WriteOrBufferData(headers_frame_header, /* fin = */ false,
-                    /* ack_listener = */ nullptr);
+  if (GetQuicReloadableFlag(quic_one_write_for_headers)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_one_write_for_headers);
 
-  QUIC_DLOG(INFO) << ENDPOINT << "Stream " << id()
-                  << " is writing HEADERS frame payload of length "
-                  << encoded_headers.length() << " with fin " << fin;
-  WriteOrBufferData(encoded_headers, fin, nullptr);
+    QUIC_DLOG(INFO) << ENDPOINT << "Stream " << id()
+                    << " is writing HEADERS frame header of length "
+                    << headers_frame_header.length()
+                    << ", and payload of length " << encoded_headers.length()
+                    << " with fin " << fin;
+    WriteOrBufferData(absl::StrCat(headers_frame_header, encoded_headers), fin,
+                      /*ack_listener=*/nullptr);
+  } else {
+    QUIC_DLOG(INFO) << ENDPOINT << "Stream " << id()
+                    << " is writing HEADERS frame header of length "
+                    << headers_frame_header.length();
+    WriteOrBufferData(headers_frame_header, /* fin = */ false,
+                      /* ack_listener = */ nullptr);
+
+    QUIC_DLOG(INFO) << ENDPOINT << "Stream " << id()
+                    << " is writing HEADERS frame payload of length "
+                    << encoded_headers.length() << " with fin " << fin;
+    WriteOrBufferData(encoded_headers, fin, nullptr);
+  }
 
   QuicSpdySession::LogHeaderCompressionRatioHistogram(
       /* using_qpack = */ true,
@@ -1372,6 +1377,24 @@ bool QuicSpdyStream::OnCapsule(const Capsule& capsule) {
           capsule.close_web_transport_session_capsule().error_code,
           capsule.close_web_transport_session_capsule().error_message);
     } break;
+    case CapsuleType::ADDRESS_ASSIGN:
+      if (connect_ip_visitor_ == nullptr) {
+        return true;
+      }
+      return connect_ip_visitor_->OnAddressAssignCapsule(
+          capsule.address_assign_capsule());
+    case CapsuleType::ADDRESS_REQUEST:
+      if (connect_ip_visitor_ == nullptr) {
+        return true;
+      }
+      return connect_ip_visitor_->OnAddressRequestCapsule(
+          capsule.address_request_capsule());
+    case CapsuleType::ROUTE_ADVERTISEMENT:
+      if (connect_ip_visitor_ == nullptr) {
+        return true;
+      }
+      return connect_ip_visitor_->OnRouteAdvertisementCapsule(
+          capsule.route_advertisement_capsule());
   }
   return true;
 }
@@ -1452,6 +1475,43 @@ void QuicSpdyStream::ReplaceHttp3DatagramVisitor(
   datagram_visitor_ = visitor;
 }
 
+void QuicSpdyStream::RegisterConnectIpVisitor(ConnectIpVisitor* visitor) {
+  if (visitor == nullptr) {
+    QUIC_BUG(null connect - ip visitor)
+        << ENDPOINT << "Null connect-ip visitor for stream ID " << id();
+    return;
+  }
+  QUIC_DLOG(INFO) << ENDPOINT
+                  << "Registering CONNECT-IP visitor with stream ID " << id();
+
+  if (connect_ip_visitor_ != nullptr) {
+    QUIC_BUG(connect - ip double registration)
+        << ENDPOINT << "Attempted to doubly register CONNECT-IP with stream ID "
+        << id();
+    return;
+  }
+  connect_ip_visitor_ = visitor;
+}
+
+void QuicSpdyStream::UnregisterConnectIpVisitor() {
+  if (connect_ip_visitor_ == nullptr) {
+    QUIC_BUG(connect - ip visitor empty during unregistration)
+        << ENDPOINT << "Cannot unregister CONNECT-IP visitor for stream ID "
+        << id();
+    return;
+  }
+  QUIC_DLOG(INFO) << ENDPOINT
+                  << "Unregistering CONNECT-IP visitor for stream ID " << id();
+  connect_ip_visitor_ = nullptr;
+}
+
+void QuicSpdyStream::ReplaceConnectIpVisitor(ConnectIpVisitor* visitor) {
+  QUIC_BUG_IF(connect - ip unknown move, connect_ip_visitor_ == nullptr)
+      << "Attempted to move missing CONNECT-IP visitor on HTTP/3 stream ID "
+      << id();
+  connect_ip_visitor_ = visitor;
+}
+
 void QuicSpdyStream::SetMaxDatagramTimeInQueue(
     QuicTime::Delta max_time_in_queue) {
   spdy_session_->SetMaxDatagramTimeInQueueForStreamId(id(), max_time_in_queue);
@@ -1564,12 +1624,9 @@ bool QuicSpdyStream::AreHeadersValid(const QuicHeaderList& header_list) const {
 
 bool QuicSpdyStream::AreHeaderFieldValuesValid(
     const QuicHeaderList& header_list) const {
-  if (!GetQuicReloadableFlag(quic_validate_header_field_value_at_spdy_stream) ||
-      !VersionUsesHttp3(transport_version())) {
+  if (!VersionUsesHttp3(transport_version())) {
     return true;
   }
-  QUIC_RELOADABLE_FLAG_COUNT_N(quic_validate_header_field_value_at_spdy_stream,
-                               1, 2);
   // According to https://www.rfc-editor.org/rfc/rfc9114.html#section-10.3
   // "[...] HTTP/3 can transport field values that are not valid. While most
   // values that can be encoded will not alter field parsing, carriage return
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream.h b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream.h
index 62b0eea7fee..47185918d12 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream.h
@@ -254,8 +254,9 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream
   bool OnCapsule(const Capsule& capsule) override;
   void OnCapsuleParseFailure(const std::string& error_message) override;
 
-  // Sends an HTTP/3 datagram. The stream ID is not part of |payload|.
-  MessageStatus SendHttp3Datagram(absl::string_view payload);
+  // Sends an HTTP/3 datagram. The stream ID is not part of |payload|. Virtual
+  // to allow mocking in tests.
+  virtual MessageStatus SendHttp3Datagram(absl::string_view payload);
 
   class QUIC_EXPORT_PRIVATE Http3DatagramVisitor {
    public:
@@ -279,6 +280,31 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream
   // Mainly meant to be used by the visitors' move operators.
   void ReplaceHttp3DatagramVisitor(Http3DatagramVisitor* visitor);
 
+  class QUIC_EXPORT_PRIVATE ConnectIpVisitor {
+   public:
+    virtual ~ConnectIpVisitor() {}
+
+    virtual bool OnAddressAssignCapsule(
+        const AddressAssignCapsule& capsule) = 0;
+    virtual bool OnAddressRequestCapsule(
+        const AddressRequestCapsule& capsule) = 0;
+    virtual bool OnRouteAdvertisementCapsule(
+        const RouteAdvertisementCapsule& capsule) = 0;
+    virtual void OnHeadersWritten() = 0;
+  };
+
+  // Registers |visitor| to receive CONNECT-IP capsules. |visitor| must be
+  // valid until a corresponding call to UnregisterConnectIpVisitor.
+  void RegisterConnectIpVisitor(ConnectIpVisitor* visitor);
+
+  // Unregisters a CONNECT-IP visitor. Must only be called after a call to
+  // RegisterConnectIpVisitor.
+  void UnregisterConnectIpVisitor();
+
+  // Replaces the current CONNECT-IP visitor with a different visitor.
+  // Mainly meant to be used by the visitors' move operators.
+  void ReplaceConnectIpVisitor(ConnectIpVisitor* visitor);
+
   // Sets max datagram time in queue.
   void SetMaxDatagramTimeInQueue(QuicTime::Delta max_time_in_queue);
 
@@ -449,6 +475,8 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream
 
   // HTTP/3 Datagram support.
   Http3DatagramVisitor* datagram_visitor_ = nullptr;
+  // CONNECT-IP support.
+  ConnectIpVisitor* connect_ip_visitor_ = nullptr;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream_body_manager.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream_body_manager.cc
index d1ba5d28674..efb32c37494 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream_body_manager.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream_body_manager.cc
@@ -106,7 +106,13 @@ size_t QuicSpdyStreamBodyManager::ReadBody(const struct iovec* iov,
 
     const size_t bytes_to_copy =
         std::min<size_t>(body.length(), dest_remaining);
-    memcpy(dest, body.data(), bytes_to_copy);
+
+    // According to Section 7.1.4 of the C11 standard (ISO/IEC 9899:2011), null
+    // pointers should not be passed to standard library functions.
+    if (bytes_to_copy > 0) {
+      memcpy(dest, body.data(), bytes_to_copy);
+    }
+
     bytes_to_consume += bytes_to_copy;
     *total_bytes_read += bytes_to_copy;
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream_test.cc
index 6255251a879..960060e089b 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/quic_spdy_stream_test.cc
@@ -15,6 +15,7 @@
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 #include "quiche/quic/core/crypto/null_encrypter.h"
+#include "quiche/quic/core/http/capsule.h"
 #include "quiche/quic/core/http/http_encoder.h"
 #include "quiche/quic/core/http/quic_spdy_session.h"
 #include "quiche/quic/core/http/spdy_utils.h"
@@ -36,6 +37,7 @@
 #include "quiche/quic/test_tools/quic_spdy_stream_peer.h"
 #include "quiche/quic/test_tools/quic_stream_peer.h"
 #include "quiche/quic/test_tools/quic_test_utils.h"
+#include "quiche/common/quiche_ip_address.h"
 #include "quiche/common/quiche_mem_slice_storage.h"
 #include "quiche/common/simple_buffer_allocator.h"
 
@@ -597,7 +599,7 @@ TEST_P(QuicSpdyStreamTest, QpackProcessLargeHeaderListDiscountOverhead) {
   }
   // Setting this flag to false causes no per-entry overhead to be included
   // in the header size.
-  SetQuicFlag(FLAGS_quic_header_size_limit_includes_overhead, false);
+  SetQuicFlag(quic_header_size_limit_includes_overhead, false);
   Initialize(kShouldProcessData);
   session_->set_max_inbound_header_list_size(40);
   std::string headers =
@@ -1492,7 +1494,11 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersSendsAFin) {
     // In this case, TestStream::WriteHeadersImpl() does not prevent writes.
     // Four writes on the request stream: HEADERS frame header and payload both
     // for headers and trailers.
-    EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(4);
+    if (GetQuicReloadableFlag(quic_one_write_for_headers)) {
+      EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(2);
+    } else {
+      EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(4);
+    }
   }
 
   // Write the initial headers, without a FIN.
@@ -1518,7 +1524,11 @@ TEST_P(QuicSpdyStreamTest, DoNotSendPriorityUpdateWithDefaultUrgency) {
 
   // Four writes on the request stream: HEADERS frame header and payload both
   // for headers and trailers.
-  EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(4);
+  if (GetQuicReloadableFlag(quic_one_write_for_headers)) {
+    EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(2);
+  } else {
+    EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(4);
+  }
 
   // No PRIORITY_UPDATE frames on the control stream,
   // because the stream has default priority.
@@ -1551,7 +1561,11 @@ TEST_P(QuicSpdyStreamTest, ChangePriority) {
   session_->set_debug_visitor(&debug_visitor);
 
   // Two writes on the request stream: HEADERS frame header and payload.
-  EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(2);
+  if (GetQuicReloadableFlag(quic_one_write_for_headers)) {
+    EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(1);
+  } else {
+    EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(2);
+  }
   EXPECT_CALL(*stream_, WriteHeadersMock(false));
   EXPECT_CALL(debug_visitor, OnHeadersFrameSent(stream_->id(), _));
   stream_->WriteHeaders(Http2HeaderBlock(), /*fin=*/false, nullptr);
@@ -1585,7 +1599,11 @@ TEST_P(QuicSpdyStreamTest, ChangePriorityBeforeWritingHeaders) {
 
   // Two writes on the request stream: HEADERS frame header and payload.
   // PRIORITY_UPDATE frame is not sent this time, because one is already sent.
-  EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(2);
+  if (GetQuicReloadableFlag(quic_one_write_for_headers)) {
+    EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(1);
+  } else {
+    EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(2);
+  }
   EXPECT_CALL(*stream_, WriteHeadersMock(true));
   stream_->WriteHeaders(Http2HeaderBlock(), /*fin=*/true, nullptr);
 }
@@ -1598,7 +1616,11 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersFinalOffset) {
   if (UsesHttp3()) {
     // In this case, TestStream::WriteHeadersImpl() does not prevent writes.
     // HEADERS frame header and payload on the request stream.
-    EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(2);
+    if (GetQuicReloadableFlag(quic_one_write_for_headers)) {
+      EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(1);
+    } else {
+      EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _)).Times(2);
+    }
   }
 
   // Write the initial headers.
@@ -3000,23 +3022,35 @@ TEST_P(QuicSpdyStreamTest, WriteHeadersReturnValue) {
   EXPECT_CALL(*session_, WritevData(encoder_stream->id(), _, _, _, _, _))
       .Times(AnyNumber());
 
-  // HEADERS frame header.
-  EXPECT_CALL(*session_,
-              WritevData(stream_->id(), _, /* offset = */ 0, _, _, _));
-  // HEADERS frame payload.
-  size_t headers_frame_payload_length = 0;
-  EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _))
-      .WillOnce(
-          DoAll(SaveArg<1>(&headers_frame_payload_length),
-                Invoke(session_.get(), &MockQuicSpdySession::ConsumeData)));
+  size_t bytes_written = 0;
+  if (GetQuicReloadableFlag(quic_one_write_for_headers)) {
+    EXPECT_CALL(*session_,
+                WritevData(stream_->id(), _, /* offset = */ 0, _, _, _))
+        .WillOnce(
+            DoAll(SaveArg<1>(&bytes_written),
+                  Invoke(session_.get(), &MockQuicSpdySession::ConsumeData)));
+  } else {
+    // HEADERS frame header.
+    EXPECT_CALL(*session_,
+                WritevData(stream_->id(), _, /* offset = */ 0, _, _, _));
+    // HEADERS frame payload.
+    EXPECT_CALL(*session_, WritevData(stream_->id(), _, _, _, _, _))
+        .WillOnce(
+            DoAll(SaveArg<1>(&bytes_written),
+                  Invoke(session_.get(), &MockQuicSpdySession::ConsumeData)));
+  }
 
   Http2HeaderBlock request_headers;
   request_headers["foo"] = "bar";
   size_t write_headers_return_value =
       stream_->WriteHeaders(std::move(request_headers), /*fin=*/true, nullptr);
   EXPECT_TRUE(stream_->fin_sent());
-
-  EXPECT_EQ(headers_frame_payload_length, write_headers_return_value);
+  if (GetQuicReloadableFlag(quic_one_write_for_headers)) {
+    // bytes_written includes HEADERS frame header.
+    EXPECT_GT(bytes_written, write_headers_return_value);
+  } else {
+    EXPECT_EQ(bytes_written, write_headers_return_value);
+  }
 }
 
 // Regression test for https://crbug.com/1177662.
@@ -3161,6 +3195,64 @@ TEST_P(QuicSpdyStreamTest, GetMaxDatagramSize) {
   EXPECT_GT(stream_->GetMaxDatagramSize(), 512u);
 }
 
+TEST_P(QuicSpdyStreamTest, Capsules) {
+  if (!UsesHttp3()) {
+    return;
+  }
+  Initialize(kShouldProcessData);
+  session_->set_local_http_datagram_support(HttpDatagramSupport::kDraft09);
+  QuicSpdySessionPeer::SetHttpDatagramSupport(session_.get(),
+                                              HttpDatagramSupport::kDraft09);
+  SavingHttp3DatagramVisitor h3_datagram_visitor;
+  stream_->RegisterHttp3DatagramVisitor(&h3_datagram_visitor);
+  SavingConnectIpVisitor connect_ip_visitor;
+  stream_->RegisterConnectIpVisitor(&connect_ip_visitor);
+  headers_[":method"] = "CONNECT";
+  headers_[":protocol"] = "fake-capsule-protocol";
+  ProcessHeaders(/*fin=*/false, headers_);
+  // Datagram capsule.
+  std::string http_datagram_payload = {1, 2, 3, 4, 5, 6};
+  stream_->OnCapsule(Capsule::DatagramWithoutContext(http_datagram_payload));
+  EXPECT_THAT(h3_datagram_visitor.received_h3_datagrams(),
+              ElementsAre(SavingHttp3DatagramVisitor::SavedHttp3Datagram{
+                  stream_->id(), http_datagram_payload}));
+  // Address assign capsule.
+  PrefixWithId ip_prefix_with_id;
+  ip_prefix_with_id.request_id = 1;
+  quiche::QuicheIpAddress ip_address;
+  ip_address.FromString("::");
+  ip_prefix_with_id.ip_prefix =
+      quiche::QuicheIpPrefix(ip_address, /*prefix_length=*/96);
+  Capsule address_assign_capsule = Capsule::AddressAssign();
+  address_assign_capsule.address_assign_capsule().assigned_addresses.push_back(
+      ip_prefix_with_id);
+  stream_->OnCapsule(address_assign_capsule);
+  EXPECT_THAT(connect_ip_visitor.received_address_assign_capsules(),
+              ElementsAre(address_assign_capsule.address_assign_capsule()));
+  // Address request capsule.
+  Capsule address_request_capsule = Capsule::AddressRequest();
+  address_request_capsule.address_request_capsule()
+      .requested_addresses.push_back(ip_prefix_with_id);
+  stream_->OnCapsule(address_request_capsule);
+  EXPECT_THAT(connect_ip_visitor.received_address_request_capsules(),
+              ElementsAre(address_request_capsule.address_request_capsule()));
+  // Route advertisement capsule.
+  Capsule route_advertisement_capsule = Capsule::RouteAdvertisement();
+  IpAddressRange ip_address_range;
+  ip_address_range.start_ip_address.FromString("192.0.2.24");
+  ip_address_range.end_ip_address.FromString("192.0.2.42");
+  ip_address_range.ip_protocol = 0;
+  route_advertisement_capsule.route_advertisement_capsule()
+      .ip_address_ranges.push_back(ip_address_range);
+  stream_->OnCapsule(route_advertisement_capsule);
+  EXPECT_THAT(
+      connect_ip_visitor.received_route_advertisement_capsules(),
+      ElementsAre(route_advertisement_capsule.route_advertisement_capsule()));
+  // Cleanup.
+  stream_->UnregisterHttp3DatagramVisitor();
+  stream_->UnregisterConnectIpVisitor();
+}
+
 TEST_P(QuicSpdyStreamTest,
        QUIC_TEST_DISABLED_IN_CHROME(HeadersAccumulatorNullptr)) {
   if (!UsesHttp3()) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/http/web_transport_http3.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/http/web_transport_http3.cc
index 888331e8e26..84f1d33b0ed 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/http/web_transport_http3.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/http/web_transport_http3.cc
@@ -300,7 +300,9 @@ WebTransportHttp3UnidirectionalStream::WebTransportHttp3UnidirectionalStream(
     : QuicStream(pending, session, /*is_static=*/false),
       session_(session),
       adapter_(session, this, sequencer()),
-      needs_to_send_preamble_(false) {}
+      needs_to_send_preamble_(false) {
+  sequencer()->set_level_triggered(true);
+}
 
 WebTransportHttp3UnidirectionalStream::WebTransportHttp3UnidirectionalStream(
     QuicStreamId id, QuicSpdySession* session, WebTransportSessionId session_id)
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_tcp_client_socket.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_connecting_client_socket.cc
index 84263bc9a82..aefa353de57 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_tcp_client_socket.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_connecting_client_socket.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "quiche/quic/core/io/event_loop_tcp_client_socket.h"
+#include "quiche/quic/core/io/event_loop_connecting_client_socket.h"
 
 #include <limits>
 #include <string>
@@ -21,12 +21,14 @@
 
 namespace quic {
 
-EventLoopTcpClientSocket::EventLoopTcpClientSocket(
+EventLoopConnectingClientSocket::EventLoopConnectingClientSocket(
+    socket_api::SocketProtocol protocol,
     const quic::QuicSocketAddress& peer_address,
     QuicByteCount receive_buffer_size, QuicByteCount send_buffer_size,
     QuicEventLoop* event_loop, quiche::QuicheBufferAllocator* buffer_allocator,
     AsyncVisitor* async_visitor)
-    : peer_address_(peer_address),
+    : protocol_(protocol),
+      peer_address_(peer_address),
       receive_buffer_size_(receive_buffer_size),
       send_buffer_size_(send_buffer_size),
       event_loop_(event_loop),
@@ -36,15 +38,15 @@ EventLoopTcpClientSocket::EventLoopTcpClientSocket(
   QUICHE_DCHECK(buffer_allocator_);
 }
 
-EventLoopTcpClientSocket::~EventLoopTcpClientSocket() {
+EventLoopConnectingClientSocket::~EventLoopConnectingClientSocket() {
   // Connected socket must be closed via Disconnect() before destruction. Cannot
   // safely recover if state indicates caller may be expecting async callbacks.
   QUICHE_DCHECK(connect_status_ != ConnectStatus::kConnecting);
   QUICHE_DCHECK(!receive_max_size_.has_value());
   QUICHE_DCHECK(absl::holds_alternative<absl::monostate>(send_data_));
   if (descriptor_ != kInvalidSocketFd) {
-    QUICHE_BUG(quic_event_loop_tcp_socket_invalid_destruction)
-        << "Must call Disconnect() on connected TCP socket before destruction.";
+    QUICHE_BUG(quic_event_loop_connecting_socket_invalid_destruction)
+        << "Must call Disconnect() on connected socket before destruction.";
     Close();
   }
 
@@ -52,7 +54,7 @@ EventLoopTcpClientSocket::~EventLoopTcpClientSocket() {
   QUICHE_DCHECK(send_remaining_.empty());
 }
 
-absl::Status EventLoopTcpClientSocket::ConnectBlocking() {
+absl::Status EventLoopConnectingClientSocket::ConnectBlocking() {
   QUICHE_DCHECK_EQ(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kNotConnected);
   QUICHE_DCHECK(!receive_max_size_.has_value());
@@ -101,7 +103,7 @@ absl::Status EventLoopTcpClientSocket::ConnectBlocking() {
   return status;
 }
 
-void EventLoopTcpClientSocket::ConnectAsync() {
+void EventLoopConnectingClientSocket::ConnectAsync() {
   QUICHE_DCHECK(async_visitor_);
   QUICHE_DCHECK_EQ(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kNotConnected);
@@ -117,7 +119,7 @@ void EventLoopTcpClientSocket::ConnectAsync() {
   FinishOrRearmAsyncConnect(DoInitialConnect());
 }
 
-void EventLoopTcpClientSocket::Disconnect() {
+void EventLoopConnectingClientSocket::Disconnect() {
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ != ConnectStatus::kNotConnected);
 
@@ -148,8 +150,16 @@ void EventLoopTcpClientSocket::Disconnect() {
   }
 }
 
+absl::StatusOr<QuicSocketAddress>
+EventLoopConnectingClientSocket::GetLocalAddress() {
+  QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
+  QUICHE_DCHECK(connect_status_ == ConnectStatus::kConnected);
+
+  return socket_api::GetSocketAddress(descriptor_);
+}
+
 absl::StatusOr<quiche::QuicheMemSlice>
-EventLoopTcpClientSocket::ReceiveBlocking(QuicByteCount max_size) {
+EventLoopConnectingClientSocket::ReceiveBlocking(QuicByteCount max_size) {
   QUICHE_DCHECK_GT(max_size, 0u);
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kConnected);
@@ -189,7 +199,7 @@ EventLoopTcpClientSocket::ReceiveBlocking(QuicByteCount max_size) {
   return buffer;
 }
 
-void EventLoopTcpClientSocket::ReceiveAsync(QuicByteCount max_size) {
+void EventLoopConnectingClientSocket::ReceiveAsync(QuicByteCount max_size) {
   QUICHE_DCHECK(async_visitor_);
   QUICHE_DCHECK_GT(max_size, 0u);
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
@@ -201,7 +211,7 @@ void EventLoopTcpClientSocket::ReceiveAsync(QuicByteCount max_size) {
   FinishOrRearmAsyncReceive(ReceiveInternal());
 }
 
-absl::Status EventLoopTcpClientSocket::SendBlocking(std::string data) {
+absl::Status EventLoopConnectingClientSocket::SendBlocking(std::string data) {
   QUICHE_DCHECK(!data.empty());
   QUICHE_DCHECK(absl::holds_alternative<absl::monostate>(send_data_));
 
@@ -209,7 +219,7 @@ absl::Status EventLoopTcpClientSocket::SendBlocking(std::string data) {
   return SendBlockingInternal();
 }
 
-absl::Status EventLoopTcpClientSocket::SendBlocking(
+absl::Status EventLoopConnectingClientSocket::SendBlocking(
     quiche::QuicheMemSlice data) {
   QUICHE_DCHECK(!data.empty());
   QUICHE_DCHECK(absl::holds_alternative<absl::monostate>(send_data_));
@@ -218,7 +228,7 @@ absl::Status EventLoopTcpClientSocket::SendBlocking(
   return SendBlockingInternal();
 }
 
-void EventLoopTcpClientSocket::SendAsync(std::string data) {
+void EventLoopConnectingClientSocket::SendAsync(std::string data) {
   QUICHE_DCHECK(!data.empty());
   QUICHE_DCHECK(absl::holds_alternative<absl::monostate>(send_data_));
 
@@ -228,7 +238,7 @@ void EventLoopTcpClientSocket::SendAsync(std::string data) {
   FinishOrRearmAsyncSend(SendInternal());
 }
 
-void EventLoopTcpClientSocket::SendAsync(quiche::QuicheMemSlice data) {
+void EventLoopConnectingClientSocket::SendAsync(quiche::QuicheMemSlice data) {
   QUICHE_DCHECK(!data.empty());
   QUICHE_DCHECK(absl::holds_alternative<absl::monostate>(send_data_));
 
@@ -239,9 +249,8 @@ void EventLoopTcpClientSocket::SendAsync(quiche::QuicheMemSlice data) {
   FinishOrRearmAsyncSend(SendInternal());
 }
 
-void EventLoopTcpClientSocket::OnSocketEvent(QuicEventLoop* event_loop,
-                                             SocketFd fd,
-                                             QuicSocketEventMask events) {
+void EventLoopConnectingClientSocket::OnSocketEvent(
+    QuicEventLoop* event_loop, SocketFd fd, QuicSocketEventMask events) {
   QUICHE_DCHECK_EQ(event_loop, event_loop_);
   QUICHE_DCHECK_EQ(fd, descriptor_);
 
@@ -261,16 +270,16 @@ void EventLoopTcpClientSocket::OnSocketEvent(QuicEventLoop* event_loop,
   }
 }
 
-absl::Status EventLoopTcpClientSocket::Open() {
+absl::Status EventLoopConnectingClientSocket::Open() {
   QUICHE_DCHECK_EQ(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kNotConnected);
   QUICHE_DCHECK(!receive_max_size_.has_value());
   QUICHE_DCHECK(absl::holds_alternative<absl::monostate>(send_data_));
   QUICHE_DCHECK(send_remaining_.empty());
 
-  absl::StatusOr<SocketFd> descriptor = socket_api::CreateSocket(
-      peer_address_.host().address_family(), socket_api::SocketProtocol::kTcp,
-      /*blocking=*/false);
+  absl::StatusOr<SocketFd> descriptor =
+      socket_api::CreateSocket(peer_address_.host().address_family(), protocol_,
+                               /*blocking=*/false);
   if (!descriptor.ok()) {
     QUICHE_DVLOG(1) << "Failed to open socket for connection to address: "
                     << peer_address_.ToString()
@@ -327,7 +336,7 @@ absl::Status EventLoopTcpClientSocket::Open() {
   return absl::OkStatus();
 }
 
-void EventLoopTcpClientSocket::Close() {
+void EventLoopConnectingClientSocket::Close() {
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
 
   bool unregistered = event_loop_->UnregisterSocket(descriptor_);
@@ -343,7 +352,7 @@ void EventLoopTcpClientSocket::Close() {
   descriptor_ = kInvalidSocketFd;
 }
 
-absl::Status EventLoopTcpClientSocket::DoInitialConnect() {
+absl::Status EventLoopConnectingClientSocket::DoInitialConnect() {
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kNotConnected);
   QUICHE_DCHECK(!receive_max_size_.has_value());
@@ -366,7 +375,7 @@ absl::Status EventLoopTcpClientSocket::DoInitialConnect() {
   return connect_result;
 }
 
-absl::Status EventLoopTcpClientSocket::GetConnectResult() {
+absl::Status EventLoopConnectingClientSocket::GetConnectResult() {
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kConnecting);
   QUICHE_DCHECK(!receive_max_size_.has_value());
@@ -414,7 +423,8 @@ absl::Status EventLoopTcpClientSocket::GetConnectResult() {
   return error;
 }
 
-void EventLoopTcpClientSocket::FinishOrRearmAsyncConnect(absl::Status status) {
+void EventLoopConnectingClientSocket::FinishOrRearmAsyncConnect(
+    absl::Status status) {
   if (absl::IsUnavailable(status)) {
     if (!event_loop_->SupportsEdgeTriggered()) {
       bool result = event_loop_->RearmSocket(
@@ -429,7 +439,7 @@ void EventLoopTcpClientSocket::FinishOrRearmAsyncConnect(absl::Status status) {
 }
 
 absl::StatusOr<quiche::QuicheMemSlice>
-EventLoopTcpClientSocket::ReceiveInternal() {
+EventLoopConnectingClientSocket::ReceiveInternal() {
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kConnected);
   QUICHE_CHECK(receive_max_size_.has_value());
@@ -473,7 +483,7 @@ EventLoopTcpClientSocket::ReceiveInternal() {
   }
 }
 
-void EventLoopTcpClientSocket::FinishOrRearmAsyncReceive(
+void EventLoopConnectingClientSocket::FinishOrRearmAsyncReceive(
     absl::StatusOr<quiche::QuicheMemSlice> buffer) {
   QUICHE_DCHECK(async_visitor_);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kConnected);
@@ -491,7 +501,7 @@ void EventLoopTcpClientSocket::FinishOrRearmAsyncReceive(
   }
 }
 
-absl::StatusOr<bool> EventLoopTcpClientSocket::OneBytePeek() {
+absl::StatusOr<bool> EventLoopConnectingClientSocket::OneBytePeek() {
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
 
   char peek_buffer;
@@ -504,7 +514,7 @@ absl::StatusOr<bool> EventLoopTcpClientSocket::OneBytePeek() {
   }
 }
 
-absl::Status EventLoopTcpClientSocket::SendBlockingInternal() {
+absl::Status EventLoopConnectingClientSocket::SendBlockingInternal() {
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kConnected);
   QUICHE_DCHECK(!absl::holds_alternative<absl::monostate>(send_data_));
@@ -552,7 +562,7 @@ absl::Status EventLoopTcpClientSocket::SendBlockingInternal() {
   return status;
 }
 
-absl::Status EventLoopTcpClientSocket::SendInternal() {
+absl::Status EventLoopConnectingClientSocket::SendInternal() {
   QUICHE_DCHECK_NE(descriptor_, kInvalidSocketFd);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kConnected);
   QUICHE_DCHECK(!absl::holds_alternative<absl::monostate>(send_data_));
@@ -588,7 +598,8 @@ absl::Status EventLoopTcpClientSocket::SendInternal() {
   return absl::OkStatus();
 }
 
-void EventLoopTcpClientSocket::FinishOrRearmAsyncSend(absl::Status status) {
+void EventLoopConnectingClientSocket::FinishOrRearmAsyncSend(
+    absl::Status status) {
   QUICHE_DCHECK(async_visitor_);
   QUICHE_DCHECK(connect_status_ == ConnectStatus::kConnected);
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_tcp_client_socket.h b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_connecting_client_socket.h
index 2d50087a5e8..c85911c865c 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_tcp_client_socket.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_connecting_client_socket.h
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_CORE_IO_EVENT_LOOP_TCP_CLIENT_SOCKET_H_
-#define QUICHE_QUIC_CORE_IO_EVENT_LOOP_TCP_CLIENT_SOCKET_H_
+#ifndef QUICHE_QUIC_CORE_IO_EVENT_LOOP_CONNECTING_CLIENT_SOCKET_H_
+#define QUICHE_QUIC_CORE_IO_EVENT_LOOP_CONNECTING_CLIENT_SOCKET_H_
 
 #include <string>
 
@@ -11,8 +11,9 @@
 #include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
 #include "absl/types/variant.h"
+#include "quiche/quic/core/connecting_client_socket.h"
 #include "quiche/quic/core/io/quic_event_loop.h"
-#include "quiche/quic/core/io/stream_client_socket.h"
+#include "quiche/quic/core/io/socket.h"
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/common/platform/api/quiche_export.h"
@@ -20,30 +21,31 @@
 
 namespace quic {
 
-// A TCP client socket implemented using an underlying QuicEventLoop.
-class QUICHE_EXPORT_PRIVATE EventLoopTcpClientSocket
-    : public StreamClientSocket,
+// A connection-based client socket implemented using an underlying
+// QuicEventLoop.
+class QUICHE_EXPORT_PRIVATE EventLoopConnectingClientSocket
+    : public ConnectingClientSocket,
       public QuicSocketEventListener {
  public:
   // Will use platform default buffer size if `receive_buffer_size` or
   // `send_buffer_size` is zero. `async_visitor` may be null if no async
   // operations will be  requested. `event_loop`, `buffer_allocator`, and
   // `async_visitor` (if non-null) must outlive the created socket.
-  EventLoopTcpClientSocket(const quic::QuicSocketAddress& peer_address,
-                           QuicByteCount receive_buffer_size,
-                           QuicByteCount send_buffer_size,
-                           QuicEventLoop* event_loop,
-                           quiche::QuicheBufferAllocator* buffer_allocator,
-                           AsyncVisitor* async_visitor);
+  EventLoopConnectingClientSocket(
+      socket_api::SocketProtocol protocol,
+      const quic::QuicSocketAddress& peer_address,
+      QuicByteCount receive_buffer_size, QuicByteCount send_buffer_size,
+      QuicEventLoop* event_loop,
+      quiche::QuicheBufferAllocator* buffer_allocator,
+      AsyncVisitor* async_visitor);
 
-  ~EventLoopTcpClientSocket() override;
+  ~EventLoopConnectingClientSocket() override;
 
-  // StreamClientSocket:
+  // ConnectingClientSocket:
   absl::Status ConnectBlocking() override;
   void ConnectAsync() override;
   void Disconnect() override;
-
-  // Socket:
+  absl::StatusOr<QuicSocketAddress> GetLocalAddress() override;
   absl::StatusOr<quiche::QuicheMemSlice> ReceiveBlocking(
       QuicByteCount max_size) override;
   void ReceiveAsync(QuicByteCount max_size) override;
@@ -77,6 +79,7 @@ class QUICHE_EXPORT_PRIVATE EventLoopTcpClientSocket
   absl::Status SendInternal();
   void FinishOrRearmAsyncSend(absl::Status status);
 
+  const socket_api::SocketProtocol protocol_;
   const QuicSocketAddress peer_address_;
   const QuicByteCount receive_buffer_size_;
   const QuicByteCount send_buffer_size_;
@@ -100,4 +103,4 @@ class QUICHE_EXPORT_PRIVATE EventLoopTcpClientSocket
 
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_CORE_IO_EVENT_LOOP_TCP_CLIENT_SOCKET_H_
+#endif  // QUICHE_QUIC_CORE_IO_EVENT_LOOP_CONNECTING_CLIENT_SOCKET_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_connecting_client_socket_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_connecting_client_socket_test.cc
new file mode 100644
index 00000000000..37cb607fdaf
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_connecting_client_socket_test.cc
@@ -0,0 +1,700 @@
+// Copyright 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "quiche/quic/core/io/event_loop_connecting_client_socket.h"
+
+#include <functional>
+#include <memory>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "absl/functional/bind_front.h"
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
+#include "absl/types/span.h"
+#include "quiche/quic/core/connecting_client_socket.h"
+#include "quiche/quic/core/io/event_loop_socket_factory.h"
+#include "quiche/quic/core/io/quic_default_event_loop.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
+#include "quiche/quic/core/io/socket.h"
+#include "quiche/quic/core/quic_time.h"
+#include "quiche/quic/platform/api/quic_ip_address_family.h"
+#include "quiche/quic/platform/api/quic_socket_address.h"
+#include "quiche/quic/test_tools/mock_clock.h"
+#include "quiche/quic/test_tools/quic_test_utils.h"
+#include "quiche/common/platform/api/quiche_logging.h"
+#include "quiche/common/platform/api/quiche_mem_slice.h"
+#include "quiche/common/platform/api/quiche_mutex.h"
+#include "quiche/common/platform/api/quiche_test.h"
+#include "quiche/common/platform/api/quiche_test_loopback.h"
+#include "quiche/common/platform/api/quiche_thread.h"
+#include "quiche/common/simple_buffer_allocator.h"
+
+namespace quic::test {
+namespace {
+
+using ::testing::Combine;
+using ::testing::Values;
+using ::testing::ValuesIn;
+
+class TestServerSocketRunner : public quiche::QuicheThread {
+ public:
+  using SocketBehavior = std::function<void(
+      SocketFd connected_socket, socket_api::SocketProtocol protocol)>;
+
+  TestServerSocketRunner(SocketFd server_socket_descriptor,
+                         SocketBehavior behavior)
+      : QuicheThread("TestServerSocketRunner"),
+        server_socket_descriptor_(server_socket_descriptor),
+        behavior_(std::move(behavior)) {}
+  ~TestServerSocketRunner() override { WaitForCompletion(); }
+
+  void WaitForCompletion() { completion_notification_.WaitForNotification(); }
+
+ protected:
+  SocketFd server_socket_descriptor() const {
+    return server_socket_descriptor_;
+  }
+
+  const SocketBehavior& behavior() const { return behavior_; }
+
+  quiche::QuicheNotification& completion_notification() {
+    return completion_notification_;
+  }
+
+ private:
+  const SocketFd server_socket_descriptor_;
+  const SocketBehavior behavior_;
+
+  quiche::QuicheNotification completion_notification_;
+};
+
+class TestTcpServerSocketRunner : public TestServerSocketRunner {
+ public:
+  // On construction, spins a separate thread to accept a connection from
+  // `server_socket_descriptor`, runs `behavior` with that connection, and then
+  // closes the accepted connection socket.
+  TestTcpServerSocketRunner(SocketFd server_socket_descriptor,
+                            SocketBehavior behavior)
+      : TestServerSocketRunner(server_socket_descriptor, behavior) {
+    Start();
+  }
+
+  ~TestTcpServerSocketRunner() override { Join(); }
+
+ protected:
+  void Run() override {
+    AcceptSocket();
+    behavior()(connection_socket_descriptor_, socket_api::SocketProtocol::kTcp);
+    CloseSocket();
+
+    completion_notification().Notify();
+  }
+
+ private:
+  void AcceptSocket() {
+    absl::StatusOr<socket_api::AcceptResult> connection_socket =
+        socket_api::Accept(server_socket_descriptor(), /*blocking=*/true);
+    QUICHE_CHECK(connection_socket.ok());
+    connection_socket_descriptor_ = connection_socket.value().fd;
+  }
+
+  void CloseSocket() {
+    QUICHE_CHECK(socket_api::Close(connection_socket_descriptor_).ok());
+    QUICHE_CHECK(socket_api::Close(server_socket_descriptor()).ok());
+  }
+
+  SocketFd connection_socket_descriptor_ = kInvalidSocketFd;
+};
+
+class TestUdpServerSocketRunner : public TestServerSocketRunner {
+ public:
+  // On construction, spins a separate thread to connect
+  // `server_socket_descriptor` to `client_socket_address`, runs `behavior` with
+  // that connection, and then disconnects the socket.
+  TestUdpServerSocketRunner(SocketFd server_socket_descriptor,
+                            SocketBehavior behavior,
+                            QuicSocketAddress client_socket_address)
+      : TestServerSocketRunner(server_socket_descriptor, behavior),
+        client_socket_address_(std::move(client_socket_address)) {
+    Start();
+  }
+
+  ~TestUdpServerSocketRunner() override { Join(); }
+
+ protected:
+  void Run() override {
+    ConnectSocket();
+    behavior()(server_socket_descriptor(), socket_api::SocketProtocol::kUdp);
+    DisconnectSocket();
+
+    completion_notification().Notify();
+  }
+
+ private:
+  void ConnectSocket() {
+    QUICHE_CHECK(
+        socket_api::Connect(server_socket_descriptor(), client_socket_address_)
+            .ok());
+  }
+
+  void DisconnectSocket() {
+    QUICHE_CHECK(socket_api::Close(server_socket_descriptor()).ok());
+  }
+
+  QuicSocketAddress client_socket_address_;
+};
+
+class EventLoopConnectingClientSocketTest
+    : public quiche::test::QuicheTestWithParam<
+          std::tuple<socket_api::SocketProtocol, QuicEventLoopFactory*>>,
+      public ConnectingClientSocket::AsyncVisitor {
+ public:
+  void SetUp() override {
+    QuicEventLoopFactory* event_loop_factory;
+    std::tie(protocol_, event_loop_factory) = GetParam();
+
+    event_loop_ = event_loop_factory->Create(&clock_);
+    socket_factory_ = std::make_unique<EventLoopSocketFactory>(
+        event_loop_.get(), quiche::SimpleBufferAllocator::Get());
+
+    QUICHE_CHECK(CreateListeningServerSocket());
+  }
+
+  void TearDown() override {
+    if (server_socket_descriptor_ != kInvalidSocketFd) {
+      QUICHE_CHECK(socket_api::Close(server_socket_descriptor_).ok());
+    }
+  }
+
+  void ConnectComplete(absl::Status status) override {
+    QUICHE_CHECK(!connect_result_.has_value());
+    connect_result_ = std::move(status);
+  }
+
+  void ReceiveComplete(absl::StatusOr<quiche::QuicheMemSlice> data) override {
+    QUICHE_CHECK(!receive_result_.has_value());
+    receive_result_ = std::move(data);
+  }
+
+  void SendComplete(absl::Status status) override {
+    QUICHE_CHECK(!send_result_.has_value());
+    send_result_ = std::move(status);
+  }
+
+ protected:
+  std::unique_ptr<ConnectingClientSocket> CreateSocket(
+      const quic::QuicSocketAddress& peer_address,
+      ConnectingClientSocket::AsyncVisitor* async_visitor) {
+    switch (protocol_) {
+      case socket_api::SocketProtocol::kUdp:
+        return socket_factory_->CreateConnectingUdpClientSocket(
+            peer_address, /*receive_buffer_size=*/0, /*send_buffer_size=*/0,
+            async_visitor);
+      case socket_api::SocketProtocol::kTcp:
+        return socket_factory_->CreateTcpClientSocket(
+            peer_address, /*receive_buffer_size=*/0, /*send_buffer_size=*/0,
+            async_visitor);
+    }
+  }
+
+  std::unique_ptr<ConnectingClientSocket> CreateSocketToEncourageDelayedSend(
+      const quic::QuicSocketAddress& peer_address,
+      ConnectingClientSocket::AsyncVisitor* async_visitor) {
+    switch (protocol_) {
+      case socket_api::SocketProtocol::kUdp:
+        // Nothing special for UDP since UDP does not gaurantee packets will be
+        // sent once send buffers are full.
+        return socket_factory_->CreateConnectingUdpClientSocket(
+            peer_address, /*receive_buffer_size=*/0, /*send_buffer_size=*/0,
+            async_visitor);
+      case socket_api::SocketProtocol::kTcp:
+        // For TCP, set a very small send buffer to encourage sends to be
+        // delayed.
+        return socket_factory_->CreateTcpClientSocket(
+            peer_address, /*receive_buffer_size=*/0, /*send_buffer_size=*/4,
+            async_visitor);
+    }
+  }
+
+  bool CreateListeningServerSocket() {
+    absl::StatusOr<SocketFd> socket = socket_api::CreateSocket(
+        quiche::TestLoopback().address_family(), protocol_,
+        /*blocking=*/true);
+    QUICHE_CHECK(socket.ok());
+
+    // For TCP, set an extremely small receive buffer size to increase the odds
+    // of buffers filling up when testing asynchronous writes.
+    if (protocol_ == socket_api::SocketProtocol::kTcp) {
+      static const QuicByteCount kReceiveBufferSize = 2;
+      absl::Status result =
+          socket_api::SetReceiveBufferSize(socket.value(), kReceiveBufferSize);
+      QUICHE_CHECK(result.ok());
+    }
+
+    QuicSocketAddress bind_address(quiche::TestLoopback(), /*port=*/0);
+    absl::Status result = socket_api::Bind(socket.value(), bind_address);
+    QUICHE_CHECK(result.ok());
+
+    absl::StatusOr<QuicSocketAddress> socket_address =
+        socket_api::GetSocketAddress(socket.value());
+    QUICHE_CHECK(socket_address.ok());
+
+    // TCP sockets need to listen for connections. UDP sockets are ready to
+    // receive.
+    if (protocol_ == socket_api::SocketProtocol::kTcp) {
+      result = socket_api::Listen(socket.value(), /*backlog=*/1);
+      QUICHE_CHECK(result.ok());
+    }
+
+    server_socket_descriptor_ = socket.value();
+    server_socket_address_ = std::move(socket_address).value();
+    return true;
+  }
+
+  std::unique_ptr<TestServerSocketRunner> CreateServerSocketRunner(
+      TestServerSocketRunner::SocketBehavior behavior,
+      ConnectingClientSocket* client_socket) {
+    std::unique_ptr<TestServerSocketRunner> runner;
+    switch (protocol_) {
+      case socket_api::SocketProtocol::kUdp: {
+        absl::StatusOr<QuicSocketAddress> client_socket_address =
+            client_socket->GetLocalAddress();
+        QUICHE_CHECK(client_socket_address.ok());
+        runner = std::make_unique<TestUdpServerSocketRunner>(
+            server_socket_descriptor_, std::move(behavior),
+            std::move(client_socket_address).value());
+        break;
+      }
+      case socket_api::SocketProtocol::kTcp:
+        runner = std::make_unique<TestTcpServerSocketRunner>(
+            server_socket_descriptor_, std::move(behavior));
+        break;
+    }
+
+    // Runner takes responsibility for closing server socket.
+    server_socket_descriptor_ = kInvalidSocketFd;
+
+    return runner;
+  }
+
+  socket_api::SocketProtocol protocol_;
+
+  SocketFd server_socket_descriptor_ = kInvalidSocketFd;
+  QuicSocketAddress server_socket_address_;
+
+  MockClock clock_;
+  std::unique_ptr<QuicEventLoop> event_loop_;
+  std::unique_ptr<EventLoopSocketFactory> socket_factory_;
+
+  absl::optional<absl::Status> connect_result_;
+  absl::optional<absl::StatusOr<quiche::QuicheMemSlice>> receive_result_;
+  absl::optional<absl::Status> send_result_;
+};
+
+std::string GetTestParamName(
+    ::testing::TestParamInfo<
+        std::tuple<socket_api::SocketProtocol, QuicEventLoopFactory*>>
+        info) {
+  auto [protocol, event_loop_factory] = info.param;
+
+  return EscapeTestParamName(absl::StrCat(socket_api::GetProtocolName(protocol),
+                                          "_", event_loop_factory->GetName()));
+}
+
+INSTANTIATE_TEST_SUITE_P(EventLoopConnectingClientSocketTests,
+                         EventLoopConnectingClientSocketTest,
+                         Combine(Values(socket_api::SocketProtocol::kUdp,
+                                        socket_api::SocketProtocol::kTcp),
+                                 ValuesIn(GetAllSupportedEventLoops())),
+                         &GetTestParamName);
+
+TEST_P(EventLoopConnectingClientSocketTest, ConnectBlocking) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/nullptr);
+
+  // No socket runner to accept the connection for the server, but that is not
+  // expected to be necessary for the connection to complete from the client for
+  // TCP or UDP.
+  EXPECT_TRUE(socket->ConnectBlocking().ok());
+
+  socket->Disconnect();
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, ConnectAsync) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/this);
+
+  socket->ConnectAsync();
+
+  // TCP connection typically completes asynchronously and UDP connection
+  // typically completes before ConnectAsync returns, but there is no simple way
+  // to ensure either behaves one way or the other. If connecting is
+  // asynchronous, expect completion once signalled by the event loop.
+  if (!connect_result_.has_value()) {
+    event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
+    ASSERT_TRUE(connect_result_.has_value());
+  }
+  EXPECT_TRUE(connect_result_.value().ok());
+
+  connect_result_.reset();
+  socket->Disconnect();
+  EXPECT_FALSE(connect_result_.has_value());
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, ErrorBeforeConnectAsync) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/this);
+
+  // Close the server socket.
+  EXPECT_TRUE(socket_api::Close(server_socket_descriptor_).ok());
+  server_socket_descriptor_ = kInvalidSocketFd;
+
+  socket->ConnectAsync();
+  if (!connect_result_.has_value()) {
+    event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
+    ASSERT_TRUE(connect_result_.has_value());
+  }
+
+  switch (protocol_) {
+    case socket_api::SocketProtocol::kTcp:
+      // Expect an error because server socket was closed before connection.
+      EXPECT_FALSE(connect_result_.value().ok());
+      break;
+    case socket_api::SocketProtocol::kUdp:
+      // No error for UDP because UDP connection success does not rely on the
+      // server.
+      EXPECT_TRUE(connect_result_.value().ok());
+      socket->Disconnect();
+      break;
+  }
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, ErrorDuringConnectAsync) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/this);
+
+  socket->ConnectAsync();
+
+  if (connect_result_.has_value()) {
+    // UDP typically completes connection immediately before this test has a
+    // chance to actually attempt the error. TCP typically completes
+    // asynchronously, but no simple way to ensure that always happens.
+    EXPECT_TRUE(connect_result_.value().ok());
+    socket->Disconnect();
+    return;
+  }
+
+  // Close the server socket.
+  EXPECT_TRUE(socket_api::Close(server_socket_descriptor_).ok());
+  server_socket_descriptor_ = kInvalidSocketFd;
+
+  EXPECT_FALSE(connect_result_.has_value());
+  event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
+  ASSERT_TRUE(connect_result_.has_value());
+
+  switch (protocol_) {
+    case socket_api::SocketProtocol::kTcp:
+      EXPECT_FALSE(connect_result_.value().ok());
+      break;
+    case socket_api::SocketProtocol::kUdp:
+      // No error for UDP because UDP connection success does not rely on the
+      // server.
+      EXPECT_TRUE(connect_result_.value().ok());
+      break;
+  }
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, Disconnect) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/nullptr);
+
+  ASSERT_TRUE(socket->ConnectBlocking().ok());
+  socket->Disconnect();
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, DisconnectCancelsConnectAsync) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/this);
+
+  socket->ConnectAsync();
+
+  bool expect_canceled = true;
+  if (connect_result_.has_value()) {
+    // UDP typically completes connection immediately before this test has a
+    // chance to actually attempt the disconnect. TCP typically completes
+    // asynchronously, but no simple way to ensure that always happens.
+    EXPECT_TRUE(connect_result_.value().ok());
+    expect_canceled = false;
+  }
+
+  socket->Disconnect();
+
+  if (expect_canceled) {
+    // Expect immediate cancelled error.
+    ASSERT_TRUE(connect_result_.has_value());
+    EXPECT_TRUE(absl::IsCancelled(connect_result_.value()));
+  }
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, ConnectAndReconnect) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/nullptr);
+
+  ASSERT_TRUE(socket->ConnectBlocking().ok());
+  socket->Disconnect();
+
+  // Expect `socket` can reconnect now that it has been disconnected.
+  EXPECT_TRUE(socket->ConnectBlocking().ok());
+  socket->Disconnect();
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, GetLocalAddress) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/nullptr);
+  ASSERT_TRUE(socket->ConnectBlocking().ok());
+
+  absl::StatusOr<QuicSocketAddress> address = socket->GetLocalAddress();
+  ASSERT_TRUE(address.ok());
+  EXPECT_TRUE(address.value().IsInitialized());
+
+  socket->Disconnect();
+}
+
+void SendDataOnSocket(absl::string_view data, SocketFd connected_socket,
+                      socket_api::SocketProtocol protocol) {
+  QUICHE_CHECK(!data.empty());
+
+  // May attempt to send in pieces for TCP. For UDP, expect failure if `data`
+  // cannot be sent in a single packet.
+  do {
+    absl::StatusOr<absl::string_view> remainder =
+        socket_api::Send(connected_socket, data);
+    if (!remainder.ok()) {
+      return;
+    }
+    data = remainder.value();
+  } while (protocol == socket_api::SocketProtocol::kTcp && !data.empty());
+
+  QUICHE_CHECK(data.empty());
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, ReceiveBlocking) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/nullptr);
+  ASSERT_TRUE(socket->ConnectBlocking().ok());
+
+  std::string expected = {1, 2, 3, 4, 5, 6, 7, 8};
+  std::unique_ptr<TestServerSocketRunner> runner = CreateServerSocketRunner(
+      absl::bind_front(&SendDataOnSocket, expected), socket.get());
+
+  std::string received;
+  absl::StatusOr<quiche::QuicheMemSlice> data;
+
+  // Expect exactly one packet for UDP, and at least two receives (data + FIN)
+  // for TCP.
+  do {
+    data = socket->ReceiveBlocking(100);
+    ASSERT_TRUE(data.ok());
+    received.append(data.value().data(), data.value().length());
+  } while (protocol_ == socket_api::SocketProtocol::kTcp &&
+           !data.value().empty());
+
+  EXPECT_EQ(received, expected);
+
+  socket->Disconnect();
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, ReceiveAsync) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/this);
+  ASSERT_TRUE(socket->ConnectBlocking().ok());
+
+  // Start an async receive.  Expect no immediate results because runner not
+  // yet setup to send.
+  socket->ReceiveAsync(100);
+  EXPECT_FALSE(receive_result_.has_value());
+
+  // Send data from server.
+  std::string expected = {1, 2, 3, 4, 5, 6, 7, 8};
+  std::unique_ptr<TestServerSocketRunner> runner = CreateServerSocketRunner(
+      absl::bind_front(&SendDataOnSocket, expected), socket.get());
+
+  EXPECT_FALSE(receive_result_.has_value());
+  for (int i = 0; i < 5 && !receive_result_.has_value(); ++i) {
+    event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
+  }
+
+  // Expect to receive at least some of the sent data.
+  ASSERT_TRUE(receive_result_.has_value());
+  ASSERT_TRUE(receive_result_.value().ok());
+  EXPECT_FALSE(receive_result_.value().value().empty());
+  std::string received(receive_result_.value().value().data(),
+                       receive_result_.value().value().length());
+
+  // For TCP, expect at least one more receive for the FIN.
+  if (protocol_ == socket_api::SocketProtocol::kTcp) {
+    absl::StatusOr<quiche::QuicheMemSlice> data;
+    do {
+      data = socket->ReceiveBlocking(100);
+      ASSERT_TRUE(data.ok());
+      received.append(data.value().data(), data.value().length());
+    } while (!data.value().empty());
+  }
+
+  EXPECT_EQ(received, expected);
+
+  receive_result_.reset();
+  socket->Disconnect();
+  EXPECT_FALSE(receive_result_.has_value());
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, DisconnectCancelsReceiveAsync) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/this);
+
+  ASSERT_TRUE(socket->ConnectBlocking().ok());
+
+  // Start an asynchronous read, expecting no completion because server never
+  // sends any data.
+  socket->ReceiveAsync(100);
+  EXPECT_FALSE(receive_result_.has_value());
+
+  // Disconnect and expect an immediate cancelled error.
+  socket->Disconnect();
+  ASSERT_TRUE(receive_result_.has_value());
+  ASSERT_FALSE(receive_result_.value().ok());
+  EXPECT_TRUE(absl::IsCancelled(receive_result_.value().status()));
+}
+
+// Receive from `connected_socket` until connection is closed, writing
+// received data to `out_received`.
+void ReceiveDataFromSocket(std::string* out_received, SocketFd connected_socket,
+                           socket_api::SocketProtocol protocol) {
+  out_received->clear();
+
+  std::string buffer(100, 0);
+  absl::StatusOr<absl::Span<char>> received;
+
+  // Expect exactly one packet for UDP, and at least two receives (data + FIN)
+  // for TCP.
+  do {
+    received = socket_api::Receive(connected_socket, absl::MakeSpan(buffer));
+    QUICHE_CHECK(received.ok());
+    out_received->insert(out_received->end(), received.value().begin(),
+                         received.value().end());
+  } while (protocol == socket_api::SocketProtocol::kTcp &&
+           !received.value().empty());
+  QUICHE_CHECK(!out_received->empty());
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, SendBlocking) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocket(server_socket_address_,
+                   /*async_visitor=*/nullptr);
+  ASSERT_TRUE(socket->ConnectBlocking().ok());
+
+  std::string sent;
+  std::unique_ptr<TestServerSocketRunner> runner = CreateServerSocketRunner(
+      absl::bind_front(&ReceiveDataFromSocket, &sent), socket.get());
+
+  std::string expected = {1, 2, 3, 4, 5, 6, 7, 8};
+  EXPECT_TRUE(socket->SendBlocking(expected).ok());
+  socket->Disconnect();
+
+  runner->WaitForCompletion();
+  EXPECT_EQ(sent, expected);
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, SendAsync) {
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocketToEncourageDelayedSend(server_socket_address_,
+                                         /*async_visitor=*/this);
+  ASSERT_TRUE(socket->ConnectBlocking().ok());
+
+  std::string data = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
+  std::string expected;
+
+  std::unique_ptr<TestServerSocketRunner> runner;
+  std::string sent;
+  switch (protocol_) {
+    case socket_api::SocketProtocol::kTcp:
+      // Repeatedly write to socket until it does not complete synchronously.
+      do {
+        expected.insert(expected.end(), data.begin(), data.end());
+        send_result_.reset();
+        socket->SendAsync(data);
+        ASSERT_TRUE(!send_result_.has_value() || send_result_.value().ok());
+      } while (send_result_.has_value());
+
+      // Begin receiving from server and expect more data to send.
+      runner = CreateServerSocketRunner(
+          absl::bind_front(&ReceiveDataFromSocket, &sent), socket.get());
+      EXPECT_FALSE(send_result_.has_value());
+      for (int i = 0; i < 5 && !send_result_.has_value(); ++i) {
+        event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
+      }
+      break;
+
+    case socket_api::SocketProtocol::kUdp:
+      // Expect UDP send to always send immediately.
+      runner = CreateServerSocketRunner(
+          absl::bind_front(&ReceiveDataFromSocket, &sent), socket.get());
+      socket->SendAsync(data);
+      expected = data;
+      break;
+  }
+  ASSERT_TRUE(send_result_.has_value());
+  EXPECT_TRUE(send_result_.value().ok());
+
+  send_result_.reset();
+  socket->Disconnect();
+  EXPECT_FALSE(send_result_.has_value());
+
+  runner->WaitForCompletion();
+  EXPECT_EQ(sent, expected);
+}
+
+TEST_P(EventLoopConnectingClientSocketTest, DisconnectCancelsSendAsync) {
+  if (protocol_ == socket_api::SocketProtocol::kUdp) {
+    // UDP sends are always immediate, so cannot disconect mid-send.
+    return;
+  }
+
+  std::unique_ptr<ConnectingClientSocket> socket =
+      CreateSocketToEncourageDelayedSend(server_socket_address_,
+                                         /*async_visitor=*/this);
+  ASSERT_TRUE(socket->ConnectBlocking().ok());
+
+  std::string data = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
+
+  // Repeatedly write to socket until it does not complete synchronously.
+  do {
+    send_result_.reset();
+    socket->SendAsync(data);
+    ASSERT_TRUE(!send_result_.has_value() || send_result_.value().ok());
+  } while (send_result_.has_value());
+
+  // Disconnect and expect immediate cancelled error.
+  socket->Disconnect();
+  ASSERT_TRUE(send_result_.has_value());
+  EXPECT_TRUE(absl::IsCancelled(send_result_.value()));
+}
+
+}  // namespace
+}  // namespace quic::test
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_socket_factory.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_socket_factory.cc
index 4d2508e4f4f..b1aaec7866c 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_socket_factory.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_socket_factory.cc
@@ -6,9 +6,10 @@
 
 #include <memory>
 
-#include "quiche/quic/core/io/event_loop_tcp_client_socket.h"
+#include "quiche/quic/core/connecting_client_socket.h"
+#include "quiche/quic/core/io/event_loop_connecting_client_socket.h"
 #include "quiche/quic/core/io/quic_event_loop.h"
-#include "quiche/quic/core/io/stream_client_socket.h"
+#include "quiche/quic/core/io/socket.h"
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/common/platform/api/quiche_logging.h"
@@ -23,14 +24,24 @@ EventLoopSocketFactory::EventLoopSocketFactory(
   QUICHE_DCHECK(buffer_allocator_);
 }
 
-std::unique_ptr<StreamClientSocket>
+std::unique_ptr<ConnectingClientSocket>
 EventLoopSocketFactory::CreateTcpClientSocket(
     const quic::QuicSocketAddress& peer_address,
     QuicByteCount receive_buffer_size, QuicByteCount send_buffer_size,
-    StreamClientSocket::AsyncVisitor* async_visitor) {
-  return std::make_unique<EventLoopTcpClientSocket>(
-      peer_address, receive_buffer_size, send_buffer_size, event_loop_,
-      buffer_allocator_, async_visitor);
+    ConnectingClientSocket::AsyncVisitor* async_visitor) {
+  return std::make_unique<EventLoopConnectingClientSocket>(
+      socket_api::SocketProtocol::kTcp, peer_address, receive_buffer_size,
+      send_buffer_size, event_loop_, buffer_allocator_, async_visitor);
+}
+
+std::unique_ptr<ConnectingClientSocket>
+EventLoopSocketFactory::CreateConnectingUdpClientSocket(
+    const quic::QuicSocketAddress& peer_address,
+    QuicByteCount receive_buffer_size, QuicByteCount send_buffer_size,
+    ConnectingClientSocket::AsyncVisitor* async_visitor) {
+  return std::make_unique<EventLoopConnectingClientSocket>(
+      socket_api::SocketProtocol::kUdp, peer_address, receive_buffer_size,
+      send_buffer_size, event_loop_, buffer_allocator_, async_visitor);
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_socket_factory.h b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_socket_factory.h
index 6882e808797..ee9a9f39819 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_socket_factory.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_socket_factory.h
@@ -7,10 +7,10 @@
 
 #include <memory>
 
+#include "quiche/quic/core/connecting_client_socket.h"
 #include "quiche/quic/core/io/quic_event_loop.h"
-#include "quiche/quic/core/io/socket_factory.h"
-#include "quiche/quic/core/io/stream_client_socket.h"
 #include "quiche/quic/core/quic_types.h"
+#include "quiche/quic/core/socket_factory.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/common/platform/api/quiche_export.h"
 #include "quiche/common/quiche_buffer_allocator.h"
@@ -26,10 +26,14 @@ class QUICHE_EXPORT_PRIVATE EventLoopSocketFactory : public SocketFactory {
                          quiche::QuicheBufferAllocator* buffer_allocator);
 
   // SocketFactory:
-  std::unique_ptr<StreamClientSocket> CreateTcpClientSocket(
+  std::unique_ptr<ConnectingClientSocket> CreateTcpClientSocket(
       const quic::QuicSocketAddress& peer_address,
       QuicByteCount receive_buffer_size, QuicByteCount send_buffer_size,
-      StreamClientSocket::AsyncVisitor* async_visitor) override;
+      ConnectingClientSocket::AsyncVisitor* async_visitor) override;
+  std::unique_ptr<ConnectingClientSocket> CreateConnectingUdpClientSocket(
+      const quic::QuicSocketAddress& peer_address,
+      QuicByteCount receive_buffer_size, QuicByteCount send_buffer_size,
+      ConnectingClientSocket::AsyncVisitor* async_visitor) override;
 
  private:
   QuicEventLoop* const event_loop_;                  // unowned
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_tcp_client_socket_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_tcp_client_socket_test.cc
deleted file mode 100644
index f3c0800457a..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/event_loop_tcp_client_socket_test.cc
+++ /dev/null
@@ -1,523 +0,0 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/core/io/event_loop_tcp_client_socket.h"
-
-#include <functional>
-#include <memory>
-#include <utility>
-#include <vector>
-
-#include "absl/functional/bind_front.h"
-#include "absl/status/status.h"
-#include "absl/status/statusor.h"
-#include "absl/strings/string_view.h"
-#include "absl/types/optional.h"
-#include "absl/types/span.h"
-#include "quiche/quic/core/io/event_loop_socket_factory.h"
-#include "quiche/quic/core/io/quic_default_event_loop.h"
-#include "quiche/quic/core/io/quic_event_loop.h"
-#include "quiche/quic/core/io/socket.h"
-#include "quiche/quic/core/io/stream_client_socket.h"
-#include "quiche/quic/core/quic_time.h"
-#include "quiche/quic/platform/api/quic_ip_address_family.h"
-#include "quiche/quic/platform/api/quic_socket_address.h"
-#include "quiche/quic/test_tools/mock_clock.h"
-#include "quiche/quic/test_tools/quic_test_utils.h"
-#include "quiche/common/platform/api/quiche_logging.h"
-#include "quiche/common/platform/api/quiche_mem_slice.h"
-#include "quiche/common/platform/api/quiche_mutex.h"
-#include "quiche/common/platform/api/quiche_test.h"
-#include "quiche/common/platform/api/quiche_test_loopback.h"
-#include "quiche/common/platform/api/quiche_thread.h"
-#include "quiche/common/simple_buffer_allocator.h"
-
-namespace quic::test {
-namespace {
-
-bool CreateListeningServerSocket(SocketFd* out_socket_descriptor,
-                                 QuicSocketAddress* out_socket_address) {
-  QUICHE_CHECK(out_socket_descriptor);
-  QUICHE_CHECK(out_socket_address);
-
-  absl::StatusOr<SocketFd> socket = socket_api::CreateSocket(
-      quiche::TestLoopback().address_family(), socket_api::SocketProtocol::kTcp,
-      /*blocking=*/true);
-  QUICHE_CHECK(socket.ok());
-
-  // Set an extremely small receive buffer size to increase the odds of buffers
-  // filling up when testing asynchronous writes.
-  static const QuicByteCount kReceiveBufferSize = 2;
-  absl::Status result =
-      socket_api::SetReceiveBufferSize(socket.value(), kReceiveBufferSize);
-  QUICHE_CHECK(result.ok());
-
-  QuicSocketAddress bind_address(quiche::TestLoopback(), /*port=*/0);
-  result = socket_api::Bind(socket.value(), bind_address);
-  QUICHE_CHECK(result.ok());
-
-  absl::StatusOr<QuicSocketAddress> socket_address =
-      socket_api::GetSocketAddress(socket.value());
-  QUICHE_CHECK(socket_address.ok());
-
-  result = socket_api::Listen(socket.value(), /*backlog=*/1);
-  QUICHE_CHECK(result.ok());
-
-  *out_socket_descriptor = socket.value();
-  *out_socket_address = std::move(socket_address).value();
-  return true;
-}
-
-class TestTcpServerSocketRunner : public quiche::QuicheThread {
- public:
-  using SocketBehavior = std::function<void(SocketFd connected_socket)>;
-
-  // On construction, spins a separate thread to accept a connection from
-  // `server_socket_descriptor`, runs `behavior` with that connection, and then
-  // closes the accepted connection socket. If `allow_accept_failure` is true,
-  // will silently stop if an error is encountered accepting the connection.
-  TestTcpServerSocketRunner(SocketFd server_socket_descriptor,
-                            SocketBehavior behavior,
-                            bool allow_accept_failure = false)
-      : QuicheThread("TestTcpServerSocketRunner"),
-        server_socket_descriptor_(server_socket_descriptor),
-        behavior_(std::move(behavior)),
-        allow_accept_failure_(allow_accept_failure) {
-    Start();
-  }
-
-  ~TestTcpServerSocketRunner() override { WaitForCompletion(); }
-
-  void WaitForCompletion() { completion_notification_.WaitForNotification(); }
-
- protected:
-  void Run() override {
-    if (AcceptSocket()) {
-      behavior_(connection_socket_descriptor_);
-      CloseSocket();
-    } else {
-      QUICHE_CHECK(allow_accept_failure_);
-    }
-
-    completion_notification_.Notify();
-  }
-
- private:
-  bool AcceptSocket() {
-    absl::StatusOr<socket_api::AcceptResult> connection_socket =
-        socket_api::Accept(server_socket_descriptor_, /*blocking=*/true);
-    if (connection_socket.ok()) {
-      connection_socket_descriptor_ = connection_socket.value().fd;
-    }
-    return connection_socket.ok();
-  }
-
-  void CloseSocket() {
-    QUICHE_CHECK(socket_api::Close(connection_socket_descriptor_).ok());
-  }
-
-  const SocketFd server_socket_descriptor_;
-  const SocketBehavior behavior_;
-  const bool allow_accept_failure_;
-
-  SocketFd connection_socket_descriptor_;
-
-  quiche::QuicheNotification completion_notification_;
-};
-
-class EventLoopTcpClientSocketTest
-    : public quiche::test::QuicheTestWithParam<QuicEventLoopFactory*>,
-      public StreamClientSocket::AsyncVisitor {
- public:
-  void SetUp() override {
-    QUICHE_CHECK(CreateListeningServerSocket(&server_socket_descriptor_,
-                                             &server_socket_address_));
-  }
-
-  void TearDown() override {
-    if (server_socket_descriptor_ != kInvalidSocketFd) {
-      QUICHE_CHECK(socket_api::Close(server_socket_descriptor_).ok());
-    }
-  }
-
-  void ConnectComplete(absl::Status status) override {
-    QUICHE_CHECK(!connect_result_.has_value());
-    connect_result_ = std::move(status);
-  }
-
-  void ReceiveComplete(absl::StatusOr<quiche::QuicheMemSlice> data) override {
-    QUICHE_CHECK(!receive_result_.has_value());
-    receive_result_ = std::move(data);
-  }
-
-  void SendComplete(absl::Status status) override {
-    QUICHE_CHECK(!send_result_.has_value());
-    send_result_ = std::move(status);
-  }
-
- protected:
-  SocketFd server_socket_descriptor_ = kInvalidSocketFd;
-  QuicSocketAddress server_socket_address_;
-
-  MockClock clock_;
-  std::unique_ptr<QuicEventLoop> event_loop_ = GetParam()->Create(&clock_);
-  EventLoopSocketFactory socket_factory_{event_loop_.get(),
-                                         quiche::SimpleBufferAllocator::Get()};
-
-  absl::optional<absl::Status> connect_result_;
-  absl::optional<absl::StatusOr<quiche::QuicheMemSlice>> receive_result_;
-  absl::optional<absl::Status> send_result_;
-};
-
-std::string GetTestParamName(
-    ::testing::TestParamInfo<QuicEventLoopFactory*> info) {
-  return EscapeTestParamName(info.param->GetName());
-}
-
-INSTANTIATE_TEST_SUITE_P(EventLoopTcpClientSocketTests,
-                         EventLoopTcpClientSocketTest,
-                         ::testing::ValuesIn(GetAllSupportedEventLoops()),
-                         &GetTestParamName);
-
-TEST_P(EventLoopTcpClientSocketTest, Connect) {
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/nullptr);
-
-  // No socket runner to accept the connection for the server, but that is not
-  // expected to be necessary for the connection to complete from the client.
-  EXPECT_TRUE(socket->ConnectBlocking().ok());
-
-  socket->Disconnect();
-}
-
-TEST_P(EventLoopTcpClientSocketTest, ConnectAsync) {
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/this);
-
-  socket->ConnectAsync();
-
-  // Synchronous completion not normally expected, but since there is no known
-  // way to delay the server side of the connection (the OS does not wait for
-  // an accept() call), cannot be gauranteed that the connection will always
-  // complete asynchronously. If connecting asynchronously (normal behavior),
-  // expect completion once signalled by the event loop.
-  if (!connect_result_.has_value()) {
-    event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
-    ASSERT_TRUE(connect_result_.has_value());
-  }
-  EXPECT_TRUE(connect_result_.value().ok());
-
-  connect_result_.reset();
-  socket->Disconnect();
-  EXPECT_FALSE(connect_result_.has_value());
-}
-
-TEST_P(EventLoopTcpClientSocketTest, ErrorBeforeConnectAsync) {
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/this);
-
-  // Close the server socket.
-  EXPECT_TRUE(socket_api::Close(server_socket_descriptor_).ok());
-  server_socket_descriptor_ = kInvalidSocketFd;
-
-  socket->ConnectAsync();
-  if (!connect_result_.has_value()) {
-    event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
-    ASSERT_TRUE(connect_result_.has_value());
-  }
-
-  // Expect an error because server socket was closed before connection.
-  EXPECT_FALSE(connect_result_.value().ok());
-}
-
-TEST_P(EventLoopTcpClientSocketTest, ErrorDuringConnectAsync) {
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/this);
-
-  socket->ConnectAsync();
-
-  if (connect_result_.has_value()) {
-    // Not typical, but theoretically nothing to stop the connection from
-    // completing before the server socket is closed to trigger the error.
-    EXPECT_TRUE(connect_result_.value().ok());
-    return;
-  }
-
-  // Close the server socket.
-  EXPECT_TRUE(socket_api::Close(server_socket_descriptor_).ok());
-  server_socket_descriptor_ = kInvalidSocketFd;
-
-  // Expect an error once signalled.
-  EXPECT_FALSE(connect_result_.has_value());
-  event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
-  ASSERT_TRUE(connect_result_.has_value());
-  EXPECT_FALSE(connect_result_.value().ok());
-}
-
-TEST_P(EventLoopTcpClientSocketTest, Disconnect) {
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/nullptr);
-
-  ASSERT_TRUE(socket->ConnectBlocking().ok());
-  socket->Disconnect();
-}
-
-TEST_P(EventLoopTcpClientSocketTest, DisconnectCancelsConnectAsync) {
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/this);
-
-  socket->ConnectAsync();
-
-  if (connect_result_.has_value()) {
-    // Not typical, but theoretically nothing to stop the connection from
-    // completing before the server socket is closed to trigger the error.
-    EXPECT_TRUE(connect_result_.value().ok());
-    return;
-  }
-
-  socket->Disconnect();
-
-  // Expect immediate cancelled error.
-  ASSERT_TRUE(connect_result_.has_value());
-  EXPECT_TRUE(absl::IsCancelled(connect_result_.value()));
-}
-
-TEST_P(EventLoopTcpClientSocketTest, ConnectAndReconnect) {
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/nullptr);
-
-  ASSERT_TRUE(socket->ConnectBlocking().ok());
-  socket->Disconnect();
-
-  // Expect `socket` can reconnect now that it has been disconnected.
-  EXPECT_TRUE(socket->ConnectBlocking().ok());
-  socket->Disconnect();
-}
-
-void SendDataOnSocket(absl::string_view data, SocketFd connected_socket) {
-  while (!data.empty()) {
-    absl::StatusOr<absl::string_view> remainder =
-        socket_api::Send(connected_socket, data);
-    if (!remainder.ok()) {
-      return;
-    }
-    data = remainder.value();
-  }
-}
-
-TEST_P(EventLoopTcpClientSocketTest, Receive) {
-  std::string expected = {1, 2, 3, 4, 5, 6, 7, 8};
-  TestTcpServerSocketRunner runner(
-      server_socket_descriptor_, absl::bind_front(&SendDataOnSocket, expected));
-
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/nullptr);
-  ASSERT_TRUE(socket->ConnectBlocking().ok());
-
-  std::string received;
-  absl::StatusOr<quiche::QuicheMemSlice> data;
-  do {
-    data = socket->ReceiveBlocking(100);
-    ASSERT_TRUE(data.ok());
-    received.append(data.value().data(), data.value().length());
-  } while (!data.value().empty());
-  EXPECT_EQ(received, expected);
-
-  socket->Disconnect();
-}
-
-TEST_P(EventLoopTcpClientSocketTest, ReceiveAsync) {
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/this);
-  ASSERT_TRUE(socket->ConnectBlocking().ok());
-
-  // Start an async receive.  Expect no immediate results because runner not yet
-  // setup to accept and send.
-  socket->ReceiveAsync(100);
-  EXPECT_FALSE(receive_result_.has_value());
-
-  // Send data from server.
-  std::string expected = {1, 2, 3, 4, 5, 6, 7, 8};
-  TestTcpServerSocketRunner runner(
-      server_socket_descriptor_, absl::bind_front(&SendDataOnSocket, expected));
-  EXPECT_FALSE(receive_result_.has_value());
-  for (int i = 0; i < 5 && !receive_result_.has_value(); ++i) {
-    event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
-  }
-
-  // Expect to receive at least some of the sent data.
-  ASSERT_TRUE(receive_result_.has_value());
-  ASSERT_TRUE(receive_result_.value().ok());
-  EXPECT_FALSE(receive_result_.value().value().empty());
-  std::string received(receive_result_.value().value().data(),
-                       receive_result_.value().value().length());
-
-  // Get any remaining data via blocking calls.
-  absl::StatusOr<quiche::QuicheMemSlice> data;
-  do {
-    data = socket->ReceiveBlocking(100);
-    ASSERT_TRUE(data.ok());
-    received.append(data.value().data(), data.value().length());
-  } while (!data.value().empty());
-
-  EXPECT_EQ(received, expected);
-
-  receive_result_.reset();
-  socket->Disconnect();
-  EXPECT_FALSE(receive_result_.has_value());
-}
-
-TEST_P(EventLoopTcpClientSocketTest, DisconnectCancelsReceiveAsync) {
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/this);
-
-  ASSERT_TRUE(socket->ConnectBlocking().ok());
-
-  // Start an asynchronous read, expecting no completion because server never
-  // sends any data.
-  socket->ReceiveAsync(100);
-  EXPECT_FALSE(receive_result_.has_value());
-
-  // Disconnect and expect an immediate cancelled error.
-  socket->Disconnect();
-  ASSERT_TRUE(receive_result_.has_value());
-  ASSERT_FALSE(receive_result_.value().ok());
-  EXPECT_TRUE(absl::IsCancelled(receive_result_.value().status()));
-}
-
-// Receive from `connected_socket` until connection is closed, writing received
-// data to `out_received`.
-void ReceiveDataFromSocket(std::string* out_received,
-                           SocketFd connected_socket) {
-  out_received->clear();
-
-  std::string buffer(100, 0);
-  absl::StatusOr<absl::Span<char>> received;
-  do {
-    received = socket_api::Receive(connected_socket, absl::MakeSpan(buffer));
-    QUICHE_CHECK(received.ok());
-    out_received->insert(out_received->end(), received.value().begin(),
-                         received.value().end());
-  } while (!received.value().empty());
-}
-
-TEST_P(EventLoopTcpClientSocketTest, Send) {
-  std::string sent;
-  TestTcpServerSocketRunner runner(
-      server_socket_descriptor_,
-      absl::bind_front(&ReceiveDataFromSocket, &sent));
-
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/0,
-                                            /*async_visitor=*/nullptr);
-  ASSERT_TRUE(socket->ConnectBlocking().ok());
-
-  std::string expected = {1, 2, 3, 4, 5, 6, 7, 8};
-  EXPECT_TRUE(socket->SendBlocking(expected).ok());
-  socket->Disconnect();
-
-  runner.WaitForCompletion();
-  EXPECT_EQ(sent, expected);
-}
-
-TEST_P(EventLoopTcpClientSocketTest, SendAsync) {
-  // Use a small send buffer to improve chances of a send needing to be
-  // asynchronous.
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/4,
-                                            /*async_visitor=*/this);
-  ASSERT_TRUE(socket->ConnectBlocking().ok());
-
-  std::string data = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
-  std::string expected;
-
-  // Repeatedly write to socket until it does not complete synchronously.
-  do {
-    expected.insert(expected.end(), data.begin(), data.end());
-    send_result_.reset();
-    socket->SendAsync(data);
-    ASSERT_TRUE(!send_result_.has_value() || send_result_.value().ok());
-  } while (send_result_.has_value());
-
-  // Begin receiving from server and expect more data to send.
-  std::string sent;
-  TestTcpServerSocketRunner runner(
-      server_socket_descriptor_,
-      absl::bind_front(&ReceiveDataFromSocket, &sent));
-  EXPECT_FALSE(send_result_.has_value());
-  for (int i = 0; i < 5 && !send_result_.has_value(); ++i) {
-    event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
-  }
-  ASSERT_TRUE(send_result_.has_value());
-  EXPECT_TRUE(send_result_.value().ok());
-
-  send_result_.reset();
-  socket->Disconnect();
-  EXPECT_FALSE(send_result_.has_value());
-
-  runner.WaitForCompletion();
-  EXPECT_EQ(sent, expected);
-}
-
-TEST_P(EventLoopTcpClientSocketTest, DisconnectCancelsSendAsync) {
-  // Use a small send buffer to improve chances of a send needing to be
-  // asynchronous.
-  std::unique_ptr<StreamClientSocket> socket =
-      socket_factory_.CreateTcpClientSocket(server_socket_address_,
-                                            /*receive_buffer_size=*/0,
-                                            /*send_buffer_size=*/4,
-                                            /*async_visitor=*/this);
-  ASSERT_TRUE(socket->ConnectBlocking().ok());
-
-  std::string data = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
-
-  // Repeatedly write to socket until it does not complete synchronously.
-  do {
-    send_result_.reset();
-    socket->SendAsync(data);
-    ASSERT_TRUE(!send_result_.has_value() || send_result_.value().ok());
-  } while (send_result_.has_value());
-
-  // Disconnect and expect immediate cancelled error.
-  socket->Disconnect();
-  ASSERT_TRUE(send_result_.has_value());
-  EXPECT_TRUE(absl::IsCancelled(send_result_.value()));
-}
-
-}  // namespace
-}  // namespace quic::test
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_all_event_loops_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_all_event_loops_test.cc
index 16eb3443f44..ed628247626 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_all_event_loops_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_all_event_loops_test.cc
@@ -419,5 +419,22 @@ TEST_P(QuicEventLoopFactoryTest, NegativeTimeout) {
   loop_->RunEventLoopOnce(QuicTime::Delta::FromMilliseconds(-1));
 }
 
+TEST_P(QuicEventLoopFactoryTest, ScheduleAlarmInPastFromInsideAlarm) {
+  constexpr auto kAlarmTimeout = QuicTime::Delta::FromMilliseconds(20);
+  auto [alarm1_ptr, delegate1] = CreateAlarm();
+  auto [alarm2_ptr, delegate2] = CreateAlarm();
+
+  alarm1_ptr->Set(clock_.Now() - kAlarmTimeout);
+  EXPECT_CALL(*delegate1, OnAlarm())
+      .WillOnce([&, alarm2_unowned = alarm2_ptr.get()]() {
+        alarm2_unowned->Set(clock_.Now() - 2 * kAlarmTimeout);
+      });
+  bool fired = false;
+  EXPECT_CALL(*delegate2, OnAlarm()).WillOnce([&]() { fired = true; });
+
+  RunEventLoopUntil([&]() { return fired; },
+                    QuicTime::Delta::FromMilliseconds(100));
+}
+
 }  // namespace
 }  // namespace quic::test
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_event_loop.h b/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_event_loop.h
index 1b09562d8c2..e02a0f0ca95 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_event_loop.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_event_loop.h
@@ -75,6 +75,10 @@ class QUICHE_NO_EXPORT QuicEventLoop {
   // Returns an alarm factory that allows alarms to be scheduled on this event
   // loop.
   virtual std::unique_ptr<QuicAlarmFactory> CreateAlarmFactory() = 0;
+
+  // Returns the clock that is used by the alarm factory that the event loop
+  // provides.
+  virtual const QuicClock* GetClock() = 0;
 };
 
 // A factory object for the event loop. Every implementation is expected to have
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_poll_event_loop.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_poll_event_loop.cc
index 1c90be54d12..f56635f3fcf 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_poll_event_loop.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_poll_event_loop.cc
@@ -99,12 +99,9 @@ QuicTime::Delta QuicPollEventLoop::ComputePollTimeout(
   }
   QuicTime end_time = std::min(now + default_timeout, alarms_.begin()->first);
   if (end_time < now) {
-    // Since we call ProcessAlarmsUpTo() right before this, this should never
-    // happen.
-    QUIC_BUG(Newest alarm is in the past)
-        << "now " << now.ToDebuggingValue()
-        << ", end_time: " << end_time.ToDebuggingValue()
-        << ", default timeout: " << default_timeout;
+    // We only run a single pass of processing alarm callbacks per
+    // RunEventLoopOnce() call.  If an alarm schedules another alarm in the past
+    // while in the callback, this will happen.
     return QuicTime::Delta::Zero();
   }
   return end_time - now;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_poll_event_loop.h b/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_poll_event_loop.h
index 4e19ff91349..6b2ec491107 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_poll_event_loop.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/quic_poll_event_loop.h
@@ -51,6 +51,7 @@ class QUICHE_NO_EXPORT QuicPollEventLoop : public QuicEventLoop {
       QuicUdpSocketFd fd, QuicSocketEventMask events) override;
   void RunEventLoopOnce(QuicTime::Delta default_timeout) override;
   std::unique_ptr<QuicAlarmFactory> CreateAlarmFactory() override;
+  const QuicClock* GetClock() override { return clock_; }
 
  protected:
   // Allows poll(2) calls to be mocked out in unit tests.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket.h b/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket.h
index fcc6418ac49..8d32bc380af 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket.h
@@ -16,7 +16,6 @@
 #include "quiche/quic/platform/api/quic_ip_address_family.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/common/platform/api/quiche_export.h"
-#include "quiche/common/platform/api/quiche_mem_slice.h"
 
 #if defined(_WIN32)
 #include <winsock2.h>
@@ -32,57 +31,6 @@ using SocketFd = int;
 inline constexpr SocketFd kInvalidSocketFd = -1;
 #endif
 
-// A read/write socket.
-//
-// Warning regarding blocking calls: Code in the QUICHE library typically
-// handles IO on a single thread, so if making calls from that typical
-// environment, it would be problematic to make a blocking call and block that
-// single thread.
-class QUICHE_EXPORT_PRIVATE Socket {
- public:
-  class AsyncVisitor {
-   public:
-    virtual ~AsyncVisitor() = default;
-
-    // If the operation completed without error, `data` is set to the received
-    // data.
-    virtual void ReceiveComplete(
-        absl::StatusOr<quiche::QuicheMemSlice> data) = 0;
-
-    virtual void SendComplete(absl::Status status) = 0;
-  };
-
-  virtual ~Socket() = default;
-
-  // Blocking read. Receives and returns a buffer of up to `max_size` bytes from
-  // socket. Returns status on error.
-  virtual absl::StatusOr<quiche::QuicheMemSlice> ReceiveBlocking(
-      QuicByteCount max_size) = 0;
-
-  // Asynchronous read. Receives up to `max_size` bytes from socket. If
-  // no data is synchronously available to be read, waits until some data is
-  // available or the socket is closed. On completion, calls ReceiveComplete()
-  // on the visitor, potentially before return from ReceiveAsync().
-  //
-  // After calling, the socket must not be destroyed until ReceiveComplete() is
-  // called.
-  virtual void ReceiveAsync(QuicByteCount max_size) = 0;
-
-  // Blocking write. Sends all of `data` (potentially via multiple underlying
-  // socket sends).
-  virtual absl::Status SendBlocking(std::string data) = 0;
-  virtual absl::Status SendBlocking(quiche::QuicheMemSlice data) = 0;
-
-  // Asynchronous write. Sends all of `data` (potentially via multiple
-  // underlying socket sends). On completion, calls SendComplete() on the
-  // visitor, potentially before return from SendAsync().
-  //
-  // After calling, the socket must not be destroyed until SendComplete() is
-  // called.
-  virtual void SendAsync(std::string data) = 0;
-  virtual void SendAsync(quiche::QuicheMemSlice data) = 0;
-};
-
 // Low-level platform-agnostic socket operations. Closely follows the behavior
 // of basic POSIX socket APIs, diverging mostly only to convert to/from cleaner
 // and platform-agnostic types.
@@ -92,6 +40,17 @@ enum class SocketProtocol {
   kTcp,
 };
 
+inline absl::string_view GetProtocolName(SocketProtocol protocol) {
+  switch (protocol) {
+    case SocketProtocol::kUdp:
+      return "UDP";
+    case SocketProtocol::kTcp:
+      return "TCP";
+  }
+
+  return "unknown";
+}
+
 struct QUICHE_EXPORT_PRIVATE AcceptResult {
   // Socket for interacting with the accepted connection.
   SocketFd fd;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket_factory.h b/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket_factory.h
deleted file mode 100644
index 39102f1c870..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket_factory.h
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_CORE_IO_SOCKET_FACTORY_H_
-#define QUICHE_QUIC_CORE_IO_SOCKET_FACTORY_H_
-
-#include <memory>
-
-#include "quiche/quic/core/io/stream_client_socket.h"
-#include "quiche/quic/core/quic_types.h"
-#include "quiche/quic/platform/api/quic_socket_address.h"
-#include "quiche/common/platform/api/quiche_export.h"
-
-namespace quic {
-
-// A factory to create objects of type Socket and derived interfaces.
-class QUICHE_EXPORT_PRIVATE SocketFactory {
- public:
-  virtual ~SocketFactory() = default;
-
-  // Will use platform default buffer size if `receive_buffer_size` or
-  // `send_buffer_size` is zero. If `async_visitor` is null, async operations
-  // must not be called on the created socket. If `async_visitor` is non-null,
-  // it must outlive the created socket.
-  virtual std::unique_ptr<StreamClientSocket> CreateTcpClientSocket(
-      const quic::QuicSocketAddress& peer_address,
-      QuicByteCount receive_buffer_size, QuicByteCount send_buffer_size,
-      StreamClientSocket::AsyncVisitor* async_visitor) = 0;
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_CORE_IO_SOCKET_FACTORY_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket_posix.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket_posix.cc
index 59f286b67d7..f72b088c79e 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket_posix.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/io/socket_posix.cc
@@ -15,6 +15,13 @@
 #include "quiche/quic/platform/api/quic_ip_address_family.h"
 #include "quiche/common/platform/api/quiche_logging.h"
 
+// accept4() is a Linux-specific extension that is available in glibc 2.10+.
+#if defined(__linux__) && defined(_GNU_SOURCE) && defined(__GLIBC_PREREQ)
+#if __GLIBC_PREREQ(2, 10)
+#define HAS_ACCEPT4
+#endif
+#endif
+
 namespace quic::socket_api {
 
 namespace {
@@ -121,7 +128,7 @@ absl::StatusOr<QuicSocketAddress> ValidateAndConvertAddress(
 absl::StatusOr<SocketFd> CreateSocketWithFlags(IpAddressFamily address_family,
                                                SocketProtocol protocol,
                                                int flags) {
-  int address_family_int = ToPlatformAddressFamily(address_family);
+  int address_family_int = quiche::ToPlatformAddressFamily(address_family);
 
   int type_int = ToPlatformSocketType(protocol);
   type_int |= flags;
@@ -171,7 +178,7 @@ absl::StatusOr<AcceptResult> AcceptInternal(SocketFd fd) {
   }
 }
 
-#if defined(__linux__) && defined(SOCK_NONBLOCK)
+#if defined(HAS_ACCEPT4)
 absl::StatusOr<AcceptResult> AcceptWithFlags(SocketFd fd, int flags) {
   QUICHE_DCHECK_GE(fd, 0);
 
@@ -200,7 +207,7 @@ absl::StatusOr<AcceptResult> AcceptWithFlags(SocketFd fd, int flags) {
     return peer_address.status();
   }
 }
-#endif  // defined(__linux__) && defined(SOCK_NONBLOCK)
+#endif  // defined(HAS_ACCEPT4)
 
 socklen_t GetAddrlen(IpAddressFamily family) {
   switch (family) {
@@ -409,7 +416,7 @@ absl::Status Listen(SocketFd fd, int backlog) {
 absl::StatusOr<AcceptResult> Accept(SocketFd fd, bool blocking) {
   QUICHE_DCHECK_GE(fd, 0);
 
-#if defined(__linux__) && defined(SOCK_NONBLOCK)
+#if defined(HAS_ACCEPT4)
   if (!blocking) {
     return AcceptWithFlags(fd, SOCK_NONBLOCK);
   }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/io/stream_client_socket.h b/chromium/net/third_party/quiche/src/quiche/quic/core/io/stream_client_socket.h
deleted file mode 100644
index 00f9a42a5ad..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/io/stream_client_socket.h
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_CORE_IO_STREAM_CLIENT_SOCKET_H_
-#define QUICHE_QUIC_CORE_IO_STREAM_CLIENT_SOCKET_H_
-
-#include "absl/status/status.h"
-#include "quiche/quic/core/io/socket.h"
-#include "quiche/common/platform/api/quiche_export.h"
-
-namespace quic {
-
-// A client socket using a protocol (typically TCP) that provides
-// connection-based streams.
-//
-// Must not destroy a connected/connecting socket. If connected or connecting,
-// must call Disconnect() to disconnect or cancel the connection before
-// destruction.
-//
-// Warning regarding blocking calls: Code in the QUICHE library typically
-// handles IO on a single thread, so if making calls from that typical
-// environment, it would be problematic to make a blocking call and block that
-// single thread.
-class QUICHE_EXPORT_PRIVATE StreamClientSocket : public Socket {
- public:
-  class AsyncVisitor : public Socket::AsyncVisitor {
-   public:
-    virtual void ConnectComplete(absl::Status status) = 0;
-  };
-
-  ~StreamClientSocket() override = default;
-
-  // Establishes a connection synchronously. Should not be called if socket has
-  // already been successfully connected without first calling Disconnect().
-  virtual absl::Status ConnectBlocking() = 0;
-
-  // Establishes a connection asynchronously. On completion, calls
-  // ConnectComplete() on the visitor, potentially before return from
-  // ConnectAsync(). Should not be called if socket has already been
-  // successfully connected without first calling Disconnect().
-  //
-  // After calling, the socket must not be destroyed until Disconnect() is
-  // called.
-  virtual void ConnectAsync() = 0;
-
-  // Disconnects a connected socket or cancels an in-progress ConnectAsync(),
-  // invoking the `ConnectComplete(absl::CancelledError())` on the visitor.
-  // After success, it is possible to call ConnectBlocking() or ConnectAsync()
-  // again to establish a new connection. Cancels any pending read or write
-  // operations, calling visitor completion methods with
-  // `absl::CancelledError()`.
-  //
-  // Typically implemented via a call to ::close(), which for TCP can result in
-  // either FIN or RST, depending on socket/platform state and undefined
-  // platform behavior.
-  virtual void Disconnect() = 0;
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_CORE_IO_STREAM_CLIENT_SOCKET_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_decoded_headers_accumulator.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_decoded_headers_accumulator.cc
index b932b3daf54..41d64e7bf68 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_decoded_headers_accumulator.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_decoded_headers_accumulator.cc
@@ -41,7 +41,7 @@ void QpackDecodedHeadersAccumulator::OnHeaderDecoded(absl::string_view name,
       name.size() + value.size() + kQpackEntrySizeOverhead;
 
   const size_t uncompressed_header_bytes =
-      GetQuicFlag(FLAGS_quic_header_size_limit_includes_overhead)
+      GetQuicFlag(quic_header_size_limit_includes_overhead)
           ? uncompressed_header_bytes_including_overhead_
           : uncompressed_header_bytes_without_overhead_;
   if (uncompressed_header_bytes > max_header_list_size_) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_decoder_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_decoder_test.cc
index ecf3a178286..5cfd9602279 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_decoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_decoder_test.cc
@@ -223,15 +223,8 @@ TEST_P(QpackDecoderTest, ValueLenExceedsLimit) {
 }
 
 TEST_P(QpackDecoderTest, LineFeedInValue) {
-  if (!GetQuicReloadableFlag(quic_validate_header_field_value_at_spdy_stream)) {
-    EXPECT_CALL(handler_,
-                OnDecodingErrorDetected(QUIC_INVALID_CHARACTER_IN_FIELD_VALUE,
-                                        "Invalid character in field value."));
-  } else {
-    EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("ba\nr")));
-    EXPECT_CALL(handler_, OnDecodingCompleted());
-  }
-
+  EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("ba\nr")));
+  EXPECT_CALL(handler_, OnDecodingCompleted());
   DecodeHeaderBlock(absl::HexStringToBytes("000023666f6f0462610a72"));
 }
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_progressive_decoder.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_progressive_decoder.cc
index feea62a007c..5dc5a68cc20 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_progressive_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/qpack/qpack_progressive_decoder.cc
@@ -339,31 +339,9 @@ bool QpackProgressiveDecoder::DoPrefixInstruction() {
   return true;
 }
 
-bool QpackProgressiveDecoder::OnHeaderDecoded(bool value_from_static_table,
+bool QpackProgressiveDecoder::OnHeaderDecoded(bool /*value_from_static_table*/,
                                               absl::string_view name,
                                               absl::string_view value) {
-  if (!GetQuicReloadableFlag(quic_validate_header_field_value_at_spdy_stream)) {
-    // Skip test for static table entries as they are all known to be valid.
-    if (!value_from_static_table) {
-      // According to Section 10.3 of
-      // https://quicwg.org/base-drafts/draft-ietf-quic-http.html,
-      // "[...] HTTP/3 can transport field values that are not valid. While most
-      // values that can be encoded will not alter field parsing, carriage
-      // return (CR, ASCII 0x0d), line feed (LF, ASCII 0x0a), and the zero
-      // character (NUL, ASCII 0x00) might be exploited by an attacker if they
-      // are translated verbatim. Any request or response that contains a
-      // character not permitted in a field value MUST be treated as malformed
-      // [...]"
-      for (const auto c : value) {
-        if (c == '\0' || c == '\n' || c == '\r') {
-          OnError(QUIC_INVALID_CHARACTER_IN_FIELD_VALUE,
-                  "Invalid character in field value.");
-          return false;
-        }
-      }
-    }
-  }
-
   handler_->OnHeaderDecoded(name, value);
   return true;
 }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_buffered_packet_store.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_buffered_packet_store.cc
index 553d835e20d..a84a2939973 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_buffered_packet_store.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_buffered_packet_store.cc
@@ -91,7 +91,7 @@ EnqueuePacketResult QuicBufferedPacketStore::EnqueuePacket(
     QuicSocketAddress peer_address, const ParsedQuicVersion& version,
     absl::optional<ParsedClientHello> parsed_chlo) {
   const bool is_chlo = parsed_chlo.has_value();
-  QUIC_BUG_IF(quic_bug_12410_1, !GetQuicFlag(FLAGS_quic_allow_chlo_buffering))
+  QUIC_BUG_IF(quic_bug_12410_1, !GetQuicFlag(quic_allow_chlo_buffering))
       << "Shouldn't buffer packets if disabled via flag.";
   QUIC_BUG_IF(quic_bug_12410_2,
               is_chlo && connections_with_chlo_.contains(connection_id))
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection.cc
index 7e780f2c24c..c37c86d6c67 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection.cc
@@ -177,9 +177,18 @@ class DiscardZeroRttDecryptionKeysAlarmDelegate
     QUICHE_DCHECK(connection_->connected());
     QUIC_DLOG(INFO) << "0-RTT discard alarm fired";
     connection_->RemoveDecrypter(ENCRYPTION_ZERO_RTT);
-    if (GetQuicRestartFlag(quic_map_original_connection_ids2)) {
-      connection_->RetireOriginalDestinationConnectionId();
-    }
+    connection_->RetireOriginalDestinationConnectionId();
+  }
+};
+
+class MultiPortProbingAlarmDelegate : public QuicConnectionAlarmDelegate {
+ public:
+  using QuicConnectionAlarmDelegate::QuicConnectionAlarmDelegate;
+
+  void OnAlarm() override {
+    QUICHE_DCHECK(connection_->connected());
+    QUIC_DLOG(INFO) << "Alternative path probing alarm fired";
+    connection_->ProbeMultiPortPath();
   }
 };
 
@@ -205,6 +214,20 @@ bool PacketCanReplaceServerConnectionId(const QuicPacketHeader& header,
           header.long_packet_type == RETRY);
 }
 
+// Due to a lost Initial packet, a Handshake packet might use a new connection
+// ID we haven't seen before. We shouldn't update the connection ID based on
+// this, but should buffer the packet in case it works out.
+bool NewServerConnectionIdMightBeValid(const QuicPacketHeader& header,
+                                       Perspective perspective,
+                                       bool connection_id_already_replaced) {
+  return perspective == Perspective::IS_CLIENT &&
+         header.form == IETF_QUIC_LONG_HEADER_PACKET &&
+         header.version.IsKnown() &&
+         header.version.AllowsVariableLengthConnectionIds() &&
+         header.long_packet_type == HANDSHAKE &&
+         !connection_id_already_replaced;
+}
+
 CongestionControlType GetDefaultCongestionControlType() {
   if (GetQuicReloadableFlag(quic_default_to_bbr_v2)) {
     return kBBRv2;
@@ -242,7 +265,8 @@ QuicConnection::QuicConnection(
     QuicSocketAddress initial_peer_address,
     QuicConnectionHelperInterface* helper, QuicAlarmFactory* alarm_factory,
     QuicPacketWriter* writer, bool owns_writer, Perspective perspective,
-    const ParsedQuicVersionVector& supported_versions)
+    const ParsedQuicVersionVector& supported_versions,
+    ConnectionIdGeneratorInterface& generator)
     : framer_(supported_versions, helper->GetClock()->ApproximateNow(),
               perspective, server_connection_id.length()),
       current_packet_content_(NO_FRAMES_RECEIVED),
@@ -268,7 +292,7 @@ QuicConnection::QuicConnection(
       current_packet_data_(nullptr),
       should_last_packet_instigate_acks_(false),
       max_undecryptable_packets_(0),
-      max_tracked_packets_(GetQuicFlag(FLAGS_quic_max_tracked_packet_count)),
+      max_tracked_packets_(GetQuicFlag(quic_max_tracked_packet_count)),
       idle_timeout_connection_close_behavior_(
           ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET),
       num_rtos_for_blackhole_detection_(0),
@@ -298,6 +322,8 @@ QuicConnection::QuicConnection(
       discard_zero_rtt_decryption_keys_alarm_(alarm_factory_->CreateAlarm(
           arena_.New<DiscardZeroRttDecryptionKeysAlarmDelegate>(this),
           &arena_)),
+      multi_port_probing_alarm_(alarm_factory_->CreateAlarm(
+          arena_.New<MultiPortProbingAlarmDelegate>(this), &arena_)),
       visitor_(nullptr),
       debug_visitor_(nullptr),
       packet_creator_(server_connection_id, &framer_, random_generator_, this),
@@ -328,7 +354,9 @@ QuicConnection::QuicConnection(
                              alarm_factory_, &context_),
       path_validator_(alarm_factory_, &arena_, this, random_generator_, clock_,
                       &context_),
-      ping_manager_(perspective, this, &arena_, alarm_factory_, &context_) {
+      ping_manager_(perspective, this, &arena_, alarm_factory_, &context_),
+      multi_port_probing_interval_(kDefaultMultiPortProbingInterval),
+      connection_id_generator_(generator) {
   QUICHE_DCHECK(perspective_ == Perspective::IS_CLIENT ||
                 default_path_.self_address.IsInitialized());
 
@@ -564,24 +592,6 @@ void QuicConnection::SetFromConfig(const QuicConfig& config) {
     if (config.HasClientSentConnectionOption(kNBHD, perspective_)) {
       blackhole_detection_disabled_ = true;
     }
-    if (!sent_packet_manager_.remove_blackhole_detection_experiments()) {
-      if (config.HasClientSentConnectionOption(k2RTO, perspective_)) {
-        QUIC_CODE_COUNT(quic_2rto_blackhole_detection);
-        num_rtos_for_blackhole_detection_ = 2;
-      }
-      if (config.HasClientSentConnectionOption(k3RTO, perspective_)) {
-        QUIC_CODE_COUNT(quic_3rto_blackhole_detection);
-        num_rtos_for_blackhole_detection_ = 3;
-      }
-      if (config.HasClientSentConnectionOption(k4RTO, perspective_)) {
-        QUIC_CODE_COUNT(quic_4rto_blackhole_detection);
-        num_rtos_for_blackhole_detection_ = 4;
-      }
-      if (config.HasClientSentConnectionOption(k6RTO, perspective_)) {
-        QUIC_CODE_COUNT(quic_6rto_blackhole_detection);
-        num_rtos_for_blackhole_detection_ = 6;
-      }
-    }
   }
 
   if (config.HasClientRequestedIndependentOption(kFIDT, perspective_)) {
@@ -679,6 +689,13 @@ void QuicConnection::SetFromConfig(const QuicConfig& config) {
   if (supports_release_time_) {
     UpdateReleaseTimeIntoFuture();
   }
+
+  multi_port_enabled_ =
+      connection_migration_use_new_cid_ &&
+      config.HasClientSentConnectionOption(kMPQC, perspective_);
+  if (multi_port_enabled_) {
+    multi_port_stats_ = std::make_unique<MultiPortStats>();
+  }
 }
 
 void QuicConnection::EnableLegacyVersionEncapsulation(
@@ -979,7 +996,6 @@ QuicConnectionId QuicConnection::GetOriginalDestinationConnectionId() const {
 void QuicConnection::RetireOriginalDestinationConnectionId() {
   if (original_destination_connection_id_.has_value()) {
     visitor_->OnServerConnectionIdRetired(*original_destination_connection_id_);
-    QUIC_RESTART_FLAG_COUNT_N(quic_map_original_connection_ids2, 3, 4);
     original_destination_connection_id_.reset();
   }
 }
@@ -1013,6 +1029,11 @@ bool QuicConnection::ValidateServerConnectionId(
     return true;
   }
 
+  if (NewServerConnectionIdMightBeValid(
+          header, perspective_, server_connection_id_replaced_by_initial_)) {
+    return true;
+  }
+
   return false;
 }
 
@@ -1047,14 +1068,7 @@ bool QuicConnection::OnUnauthenticatedPublicHeader(
     if (debug_visitor_ != nullptr) {
       debug_visitor_->OnIncorrectConnectionId(server_connection_id);
     }
-    // The only way for a connection to get a packet with an invalid connection
-    // ID is if quic_map_original_connection_ids2 is false and a packet
-    // arrives with a connection ID that is deterministically replaced with one
-    // that the connection owns, but is different from
-    // original_destination_connection_id_.
-    if (GetQuicRestartFlag(quic_map_original_connection_ids2)) {
-      QUICHE_DCHECK_NE(Perspective::IS_SERVER, perspective_);
-    }
+    QUICHE_DCHECK_NE(Perspective::IS_SERVER, perspective_);
     return false;
   }
 
@@ -1800,6 +1814,7 @@ bool QuicConnection::OnPathResponseFrame(const QuicPathResponseFrame& frame) {
       << "Processing PATH_RESPONSE frame when connection is closed. Received "
          "packet info: "
       << last_received_packet_info_;
+  ++stats_.num_path_response_received;
   if (!UpdatePacketContent(PATH_RESPONSE_FRAME)) {
     return false;
   }
@@ -2021,7 +2036,14 @@ bool QuicConnection::OnNewConnectionIdFrame(
   if (debug_visitor_ != nullptr) {
     debug_visitor_->OnNewConnectionIdFrame(frame);
   }
-  return OnNewConnectionIdFrameInner(frame);
+
+  if (!OnNewConnectionIdFrameInner(frame)) {
+    return false;
+  }
+  if (perspective_ == Perspective::IS_CLIENT && multi_port_enabled_) {
+    MaybeCreateMultiPortPath();
+  }
+  return true;
 }
 
 bool QuicConnection::OnRetireConnectionIdFrame(
@@ -2475,16 +2497,18 @@ QuicConsumedData QuicConnection::SendStreamData(QuicStreamId id,
       QuicUtils::IsCryptoStreamId(transport_version(), id)) {
     MaybeActivateLegacyVersionEncapsulation();
   }
-  if (perspective_ == Perspective::IS_SERVER &&
-      version().CanSendCoalescedPackets() && !IsHandshakeConfirmed()) {
+  if (version().CanSendCoalescedPackets() && !IsHandshakeConfirmed()) {
     if (in_on_retransmission_time_out_ &&
         coalesced_packet_.NumberOfPackets() == 0u) {
       // PTO fires while handshake is not confirmed. Do not preempt handshake
       // data with stream data.
       QUIC_CODE_COUNT(quic_try_to_send_half_rtt_data_when_pto_fires);
+      QUIC_DVLOG(1) << ENDPOINT
+                    << "Not PTOing stream data before handshake gets confirmed";
       return QuicConsumedData(0, false);
     }
-    if (coalesced_packet_.ContainsPacketOfEncryptionLevel(ENCRYPTION_INITIAL) &&
+    if (perspective_ == Perspective::IS_SERVER &&
+        coalesced_packet_.ContainsPacketOfEncryptionLevel(ENCRYPTION_INITIAL) &&
         coalesced_packet_.NumberOfPackets() == 1u) {
       // Handshake is not confirmed yet, if there is only an initial packet in
       // the coalescer, try to bundle an ENCRYPTION_HANDSHAKE packet before
@@ -3058,7 +3082,7 @@ bool QuicConnection::ProcessValidatedPacket(const QuicPacketHeader& header) {
   if (perspective_ == Perspective::IS_SERVER &&
       encryption_level_ == ENCRYPTION_INITIAL &&
       last_received_packet_info_.length > packet_creator_.max_packet_length()) {
-    if (GetQuicFlag(FLAGS_quic_use_lower_server_response_mtu_for_test)) {
+    if (GetQuicFlag(quic_use_lower_server_response_mtu_for_test)) {
       SetMaxPacketLength(
           std::min(last_received_packet_info_.length, QuicByteCount(1250)));
     } else {
@@ -3384,8 +3408,7 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
   QuicSocketAddress send_to_address = packet->peer_address;
   // Self address is always the default self address on this code path.
   const bool send_on_current_path = send_to_address == peer_address();
-  if (!send_on_current_path && only_send_probing_frames_on_alternative_path_) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_not_bundle_ack_on_alternative_path, 2, 2);
+  if (!send_on_current_path) {
     QUIC_BUG_IF(quic_send_non_probing_frames_on_alternative_path,
                 ContainsNonProbingFrame(*packet))
         << "Packet " << packet->packet_number
@@ -3745,7 +3768,7 @@ bool QuicConnection::MaybeHandleAeadConfidentialityLimits(
         confidentiality_limit - kKeyUpdateConfidentialityLimitOffset;
   }
   const QuicPacketCount key_update_limit_override =
-      GetQuicFlag(FLAGS_quic_key_update_confidentiality_limit);
+      GetQuicFlag(quic_key_update_confidentiality_limit);
   if (key_update_limit_override) {
     key_update_limit = key_update_limit_override;
   }
@@ -4006,7 +4029,7 @@ QuicConnection::MakeSelfIssuedConnectionIdManager() {
       perspective_ == Perspective::IS_CLIENT
           ? default_path_.client_connection_id
           : default_path_.server_connection_id,
-      clock_, alarm_factory_, this, context());
+      clock_, alarm_factory_, this, context(), connection_id_generator_);
 }
 
 void QuicConnection::MaybeSendConnectionIdToClient() {
@@ -4060,6 +4083,20 @@ void QuicConnection::OnHandshakeComplete() {
                      kAlarmGranularity);
 }
 
+void QuicConnection::MaybeCreateMultiPortPath() {
+  QUICHE_DCHECK_EQ(Perspective::IS_CLIENT, perspective_);
+  auto path_context = visitor_->CreateContextForMultiPortPath();
+  if (!path_context || path_validator_.HasPendingPathValidation()) {
+    return;
+  }
+  auto multi_port_validation_result_delegate =
+      std::make_unique<MultiPortPathValidationResultDelegate>(this);
+  multi_port_probing_alarm_->Cancel();
+  multi_port_path_context_ = nullptr;
+  ValidatePath(std::move(path_context),
+               std::move(multi_port_validation_result_delegate));
+}
+
 void QuicConnection::SendOrQueuePacket(SerializedPacket packet) {
   // The caller of this function is responsible for checking CanWrite().
   WritePacket(&packet);
@@ -4689,7 +4726,7 @@ void QuicConnection::SetPingAlarm() {
   if (initial_retransmittable_on_wire_timeout_.IsInfinite() ||
       sent_packet_manager_.HasInFlightPackets() ||
       retransmittable_on_wire_ping_count_ >
-          GetQuicFlag(FLAGS_quic_max_retransmittable_on_wire_ping_count)) {
+          GetQuicFlag(quic_max_retransmittable_on_wire_ping_count)) {
     if (perspective_ == Perspective::IS_CLIENT) {
       // Clients send 15s PINGs to avoid NATs from timing out.
       ping_alarm_->Update(clock_->ApproximateNow() + keep_alive_ping_timeout_,
@@ -4705,7 +4742,7 @@ void QuicConnection::SetPingAlarm() {
   QuicTime::Delta retransmittable_on_wire_timeout =
       initial_retransmittable_on_wire_timeout_;
   int max_aggressive_retransmittable_on_wire_ping_count =
-      GetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count);
+      GetQuicFlag(quic_max_aggressive_retransmittable_on_wire_ping_count);
   QUICHE_DCHECK_LE(0, max_aggressive_retransmittable_on_wire_ping_count);
   if (consecutive_retransmittable_on_wire_ping_count_ >
       max_aggressive_retransmittable_on_wire_ping_count) {
@@ -4857,14 +4894,11 @@ QuicConnection::ScopedPacketFlusher::~ScopedPacketFlusher() {
       connection_->FlushCoalescedPacket();
     }
     connection_->FlushPackets();
-    if (GetQuicReloadableFlag(
-            quic_packet_flusher_check_connected_after_flush_packets)) {
-      QUIC_RELOADABLE_FLAG_COUNT(
-          quic_packet_flusher_check_connected_after_flush_packets);
-      if (!connection_->connected()) {
-        return;
-      }
+
+    if (!connection_->connected()) {
+      return;
     }
+
     if (!handshake_packet_sent_ && connection_->handshake_packet_sent_) {
       // This would cause INITIAL key to be dropped. Drop keys here to avoid
       // missing the write keys in the middle of writing.
@@ -5714,11 +5748,10 @@ void QuicConnection::UpdateReleaseTimeIntoFuture() {
   const QuicTime::Delta prior_max_release_time = release_time_into_future_;
   release_time_into_future_ = std::max(
       QuicTime::Delta::FromMilliseconds(kMinReleaseTimeIntoFutureMs),
-      std::min(
-          QuicTime::Delta::FromMilliseconds(
-              GetQuicFlag(FLAGS_quic_max_pace_time_into_future_ms)),
-          sent_packet_manager_.GetRttStats()->SmoothedOrInitialRtt() *
-              GetQuicFlag(FLAGS_quic_pace_time_into_future_srtt_fraction)));
+      std::min(QuicTime::Delta::FromMilliseconds(
+                   GetQuicFlag(quic_max_pace_time_into_future_ms)),
+               sent_packet_manager_.GetRttStats()->SmoothedOrInitialRtt() *
+                   GetQuicFlag(quic_pace_time_into_future_srtt_fraction)));
   QUIC_DVLOG(3) << "Updated max release time delay from "
                 << prior_max_release_time << " to "
                 << release_time_into_future_;
@@ -5986,11 +6019,6 @@ bool QuicConnection::FlushCoalescedPacket() {
   }
   QUIC_DVLOG(1) << ENDPOINT << "Sending coalesced packet "
                 << coalesced_packet_.ToString(length);
-  if (GetQuicReloadableFlag(
-          quic_fix_bytes_accounting_for_buffered_coalesced_packets)) {
-    QUIC_RELOADABLE_FLAG_COUNT(
-        quic_fix_bytes_accounting_for_buffered_coalesced_packets);
-  }
   const size_t padding_size =
       length - std::min<size_t>(length, coalesced_packet_.length());
   // Buffer coalesced packet if padding + bytes_sent exceeds amplifcation limit.
@@ -6002,11 +6030,6 @@ bool QuicConnection::FlushCoalescedPacket() {
     buffered_packets_.emplace_back(
         buffer, static_cast<QuicPacketLength>(length),
         coalesced_packet_.self_address(), coalesced_packet_.peer_address());
-    if (!GetQuicReloadableFlag(
-            quic_fix_bytes_accounting_for_buffered_coalesced_packets) &&
-        !enforce_strict_amplification_factor_) {
-      return true;
-    }
   } else {
     WriteResult result = writer_->WritePacket(
         buffer, length, coalesced_packet_.self_address().host(),
@@ -6226,6 +6249,9 @@ void QuicConnection::set_client_connection_id(
 
 void QuicConnection::OnPathDegradingDetected() {
   is_path_degrading_ = true;
+  if (multi_port_stats_) {
+    multi_port_stats_->num_path_degrading++;
+  }
   visitor_->OnPathDegrading();
 }
 
@@ -6478,22 +6504,17 @@ QuicTime QuicConnection::GetNetworkBlackholeDeadline() const {
     return QuicTime::Zero();
   }
   QUICHE_DCHECK_LT(0u, num_rtos_for_blackhole_detection_);
-  if (sent_packet_manager_.remove_blackhole_detection_experiments()) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_remove_blackhole_detection_experiments);
-    const QuicTime::Delta blackhole_delay =
-        sent_packet_manager_.GetNetworkBlackholeDelay(
-            num_rtos_for_blackhole_detection_);
-    if (!ShouldDetectPathDegrading()) {
-      return clock_->ApproximateNow() + blackhole_delay;
-    }
-    return clock_->ApproximateNow() +
-           CalculateNetworkBlackholeDelay(
-               blackhole_delay, sent_packet_manager_.GetPathDegradingDelay(),
-               sent_packet_manager_.GetPtoDelay());
+
+  const QuicTime::Delta blackhole_delay =
+      sent_packet_manager_.GetNetworkBlackholeDelay(
+          num_rtos_for_blackhole_detection_);
+  if (!ShouldDetectPathDegrading()) {
+    return clock_->ApproximateNow() + blackhole_delay;
   }
   return clock_->ApproximateNow() +
-         sent_packet_manager_.GetNetworkBlackholeDelay(
-             num_rtos_for_blackhole_detection_);
+         CalculateNetworkBlackholeDelay(
+             blackhole_delay, sent_packet_manager_.GetPathDegradingDelay(),
+             sent_packet_manager_.GetPtoDelay());
 }
 
 // static
@@ -6547,34 +6568,6 @@ bool QuicConnection::SendPathChallenge(
     return connected_;
   }
   if (connection_migration_use_new_cid_) {
-    if (!only_send_probing_frames_on_alternative_path_) {
-      {
-        QuicConnectionId client_cid, server_cid;
-        FindOnPathConnectionIds(self_address, effective_peer_address,
-                                &client_cid, &server_cid);
-        QuicPacketCreator::ScopedPeerAddressContext context(
-            &packet_creator_, peer_address, client_cid, server_cid,
-            connection_migration_use_new_cid_);
-        if (writer == writer_) {
-          ScopedPacketFlusher flusher(this);
-          // It's on current path, add the PATH_CHALLENGE the same way as other
-          // frames. This may cause connection to be closed.
-          packet_creator_.AddPathChallengeFrame(data_buffer);
-        } else {
-          std::unique_ptr<SerializedPacket> probing_packet =
-              packet_creator_.SerializePathChallengeConnectivityProbingPacket(
-                  data_buffer);
-          QUICHE_DCHECK_EQ(IsRetransmittable(*probing_packet),
-                           NO_RETRANSMITTABLE_DATA);
-          QUICHE_DCHECK_EQ(self_address, alternative_path_.self_address);
-          WritePacketUsingWriter(std::move(probing_packet), writer,
-                                 self_address, peer_address,
-                                 /*measure_rtt=*/false);
-        }
-      }
-      return connected_;
-    }
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_not_bundle_ack_on_alternative_path, 1, 2);
     QuicConnectionId client_cid, server_cid;
     FindOnPathConnectionIds(self_address, effective_peer_address, &client_cid,
                             &server_cid);
@@ -6882,11 +6875,21 @@ bool QuicConnection::MigratePath(const QuicSocketAddress& self_address,
   return true;
 }
 
-void QuicConnection::OnPathValidationFailureAtClient() {
+void QuicConnection::OnPathValidationFailureAtClient(bool is_multi_port) {
   if (connection_migration_use_new_cid_) {
     QUICHE_DCHECK(perspective_ == Perspective::IS_CLIENT);
     alternative_path_.Clear();
   }
+
+  if (is_multi_port && multi_port_stats_ != nullptr) {
+    if (is_path_degrading_) {
+      multi_port_stats_->num_multi_port_probe_failures_when_path_degrading++;
+    } else {
+      multi_port_stats_
+          ->num_multi_port_probe_failures_when_path_not_degrading++;
+    }
+  }
+
   RetirePeerIssuedConnectionIdsOnPathValidationFailure();
 }
 
@@ -6921,26 +6924,15 @@ std::vector<QuicConnectionId> QuicConnection::GetActiveServerConnectionIds()
   if (!original_destination_connection_id_.has_value()) {
     return result;
   }
-  bool add_original_connection_id = false;
-  if (GetQuicRestartFlag(quic_map_original_connection_ids2)) {
-    QUIC_RESTART_FLAG_COUNT_N(quic_map_original_connection_ids2, 4, 4);
-    add_original_connection_id = true;
-  } else if (!IsHandshakeComplete()) {
-    QUIC_CODE_COUNT(quic_active_original_connection_id_pre_handshake);
-    add_original_connection_id = true;
-  }
-  if (add_original_connection_id) {
-    if (std::find(result.begin(), result.end(),
-                  original_destination_connection_id_.value()) !=
-        result.end()) {
-      QUIC_BUG(quic_unexpected_original_destination_connection_id)
-          << "original_destination_connection_id: "
-          << original_destination_connection_id_.value()
-          << " is unexpectedly in active "
-             "list";
-    } else {
-      result.insert(result.end(), original_destination_connection_id_.value());
-    }
+  // Add the original connection ID
+  if (std::find(result.begin(), result.end(),
+                original_destination_connection_id_.value()) != result.end()) {
+    QUIC_BUG(quic_unexpected_original_destination_connection_id)
+        << "original_destination_connection_id: "
+        << original_destination_connection_id_.value()
+        << " is unexpectedly in active list";
+  } else {
+    result.insert(result.end(), original_destination_connection_id_.value());
   }
   return result;
 }
@@ -7104,6 +7096,59 @@ bool QuicConnection::IsReceivedPeerAddressValidated() const {
                                          current_effective_peer_address.host());
 }
 
+void QuicConnection::OnMultiPortPathProbingSuccess(
+    std::unique_ptr<QuicPathValidationContext> context, QuicTime start_time) {
+  QUICHE_DCHECK_EQ(Perspective::IS_CLIENT, perspective());
+  alternative_path_.validated = true;
+  multi_port_path_context_ = std::move(context);
+  multi_port_probing_alarm_->Set(clock_->ApproximateNow() +
+                                 multi_port_probing_interval_);
+  if (multi_port_stats_ != nullptr) {
+    auto now = clock_->Now();
+    auto time_delta = now - start_time;
+    multi_port_stats_->rtt_stats.UpdateRtt(time_delta, QuicTime::Delta::Zero(),
+                                           now);
+    if (is_path_degrading_) {
+      multi_port_stats_->rtt_stats_when_default_path_degrading.UpdateRtt(
+          time_delta, QuicTime::Delta::Zero(), now);
+    }
+  }
+}
+
+void QuicConnection::ProbeMultiPortPath() {
+  if (!connected_ || path_validator_.HasPendingPathValidation() ||
+      !multi_port_path_context_ ||
+      alternative_path_.self_address !=
+          multi_port_path_context_->self_address() ||
+      alternative_path_.peer_address !=
+          multi_port_path_context_->peer_address()) {
+    return;
+  }
+  auto multi_port_validation_result_delegate =
+      std::make_unique<MultiPortPathValidationResultDelegate>(this);
+  path_validator_.StartPathValidation(
+      std::move(multi_port_path_context_),
+      std::move(multi_port_validation_result_delegate));
+}
+
+QuicConnection::MultiPortPathValidationResultDelegate::
+    MultiPortPathValidationResultDelegate(QuicConnection* connection)
+    : connection_(connection) {
+  QUICHE_DCHECK_EQ(Perspective::IS_CLIENT, connection->perspective());
+}
+
+void QuicConnection::MultiPortPathValidationResultDelegate::
+    OnPathValidationSuccess(std::unique_ptr<QuicPathValidationContext> context,
+                            QuicTime start_time) {
+  connection_->OnMultiPortPathProbingSuccess(std::move(context), start_time);
+}
+
+void QuicConnection::MultiPortPathValidationResultDelegate::
+    OnPathValidationFailure(
+        std::unique_ptr<QuicPathValidationContext> /*context*/) {
+  connection_->OnPathValidationFailureAtClient(/*is_multi_port=*/true);
+}
+
 QuicConnection::ReversePathValidationResultDelegate::
     ReversePathValidationResultDelegate(
         QuicConnection* connection,
@@ -7126,9 +7171,7 @@ void QuicConnection::ReversePathValidationResultDelegate::
                                  context->peer_address())) {
     QUIC_CODE_COUNT_N(quic_kick_off_client_address_validation, 3, 6);
     if (connection_->active_effective_peer_migration_type_ == NO_CHANGE) {
-      connection_->quic_bug_10511_43_timestamp_ =
-          connection_->clock_->WallNow();
-      connection_->quic_bug_10511_43_error_detail_ = absl::StrCat(
+      std::string error_detail = absl::StrCat(
           "Reverse path validation on default path from ",
           context->self_address().ToString(), " to ",
           context->peer_address().ToString(),
@@ -7147,8 +7190,7 @@ void QuicConnection::ReversePathValidationResultDelegate::
           connection_->last_received_packet_info_.header.packet_number
               .ToString(),
           " Connection is connected: ", connection_->connected_);
-      QUIC_BUG(quic_bug_10511_43)
-          << connection_->quic_bug_10511_43_error_detail_;
+      QUIC_BUG(quic_bug_10511_43) << error_detail;
     }
     connection_->OnEffectivePeerMigrationValidated();
   } else {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection.h
index 5daf2bfb75a..578de981923 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection.h
@@ -26,8 +26,10 @@
 
 #include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
+#include "quiche/quic/core/congestion_control/rtt_stats.h"
 #include "quiche/quic/core/crypto/quic_decrypter.h"
 #include "quiche/quic/core/crypto/quic_encrypter.h"
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/core/crypto/transport_parameters.h"
 #include "quiche/quic/core/frames/quic_ack_frequency_frame.h"
 #include "quiche/quic/core/frames/quic_max_streams_frame.h"
@@ -66,7 +68,6 @@ namespace quic {
 class QuicClock;
 class QuicConfig;
 class QuicConnection;
-class QuicRandom;
 
 namespace test {
 class QuicConnectionPeer;
@@ -238,6 +239,10 @@ class QUIC_EXPORT_PRIVATE QuicConnectionVisitorInterface {
 
   // When bandwidth update alarms.
   virtual void OnBandwidthUpdateTimeout() = 0;
+
+  // Returns context needed for the connection to probe on the alternative path.
+  virtual std::unique_ptr<QuicPathValidationContext>
+  CreateContextForMultiPortPath() = 0;
 };
 
 // Interface which gets callbacks from the QuicConnection at interesting
@@ -471,11 +476,25 @@ class QUIC_EXPORT_PRIVATE QuicConnection
                  QuicConnectionHelperInterface* helper,
                  QuicAlarmFactory* alarm_factory, QuicPacketWriter* writer,
                  bool owns_writer, Perspective perspective,
-                 const ParsedQuicVersionVector& supported_versions);
+                 const ParsedQuicVersionVector& supported_versions,
+                 ConnectionIdGeneratorInterface& generator);
   QuicConnection(const QuicConnection&) = delete;
   QuicConnection& operator=(const QuicConnection&) = delete;
   ~QuicConnection() override;
 
+  struct MultiPortStats {
+    // general rtt stats of the multi-port path.
+    RttStats rtt_stats;
+    // rtt stats for the multi-port path when the default path is degrading.
+    RttStats rtt_stats_when_default_path_degrading;
+    // number of path degrading triggered when multi-port is enabled.
+    size_t num_path_degrading = 0;
+    // number of multi-port probe failures when path is not degrading
+    size_t num_multi_port_probe_failures_when_path_not_degrading = 0;
+    // number of multi-port probe failure when path is degrading
+    size_t num_multi_port_probe_failures_when_path_degrading = 0;
+  };
+
   // Sets connection parameters from the supplied |config|.
   void SetFromConfig(const QuicConfig& config);
 
@@ -737,6 +756,18 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // TODO(fayang): Add a guard that this only gets called once.
   void OnHandshakeComplete();
 
+  // Creates and probes an multi-port path if none exists.
+  void MaybeCreateMultiPortPath();
+
+  // Called in multi-port QUIC when the alternative path validation succeeds.
+  // Stores the path validation context and prepares for the next validation.
+  void OnMultiPortPathProbingSuccess(
+      std::unique_ptr<QuicPathValidationContext> context, QuicTime start_time);
+
+  // Probe the existing alternative path. Does not create a new alternative
+  // path. This method is the callback for |multi_port_probing_alarm_|.
+  void ProbeMultiPortPath();
+
   // Accessors
   void set_visitor(QuicConnectionVisitorInterface* visitor) {
     visitor_ = visitor;
@@ -778,6 +809,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   QuicByteCount max_packet_length() const;
   void SetMaxPacketLength(QuicByteCount length);
 
+  bool multi_port_enabled() const { return multi_port_enabled_; }
   size_t mtu_probe_count() const { return mtu_probe_count_; }
 
   bool connected() const { return connected_; }
@@ -799,6 +831,14 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   void SetNetworkTimeouts(QuicTime::Delta handshake_timeout,
                           QuicTime::Delta idle_timeout);
 
+  void SetMultiPortProbingInterval(QuicTime::Delta probing_interval) {
+    multi_port_probing_interval_ = probing_interval;
+  }
+
+  const MultiPortStats* multi_port_stats() const {
+    return multi_port_stats_.get();
+  }
+
   // Called when the ping alarm fires. Causes a ping frame to be sent only
   // if the retransmission alarm is not running.
   void OnPingTimeout();
@@ -1188,7 +1228,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
 
   // Called to clear the alternative_path_ when path validation failed on the
   // client side.
-  void OnPathValidationFailureAtClient();
+  void OnPathValidationFailureAtClient(bool is_multi_port);
 
   void SetSourceAddressTokenToSend(absl::string_view token);
 
@@ -1227,14 +1267,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
     context_.bug_listener.swap(bug_listener);
   }
 
-  absl::optional<QuicWallTime> quic_bug_10511_43_timestamp() const {
-    return quic_bug_10511_43_timestamp_;
-  }
-
-  const std::string& quic_bug_10511_43_error_detail() const {
-    return quic_bug_10511_43_error_detail_;
-  }
-
   // Ensures the network blackhole delay is longer than path degrading delay.
   static QuicTime::Delta CalculateNetworkBlackholeDelay(
       QuicTime::Delta blackhole_delay, QuicTime::Delta path_degrading_delay,
@@ -1329,6 +1361,14 @@ class QUIC_EXPORT_PRIVATE QuicConnection
     validate_client_addresses_ = value;
   }
 
+  bool defer_send_in_response_to_packets() const {
+    return defer_send_in_response_to_packets_;
+  }
+
+  ConnectionIdGeneratorInterface& connection_id_generator() const {
+    return connection_id_generator_;
+  }
+
  private:
   friend class test::QuicConnectionPeer;
 
@@ -1483,6 +1523,24 @@ class QUIC_EXPORT_PRIVATE QuicConnection
     AddressChangeType active_effective_peer_migration_type_;
   };
 
+  // Keeps an ongoing alternative path. The connection will not migrate upon
+  // validation success.
+  class MultiPortPathValidationResultDelegate
+      : public QuicPathValidator::ResultDelegate {
+   public:
+    MultiPortPathValidationResultDelegate(QuicConnection* connection);
+
+    void OnPathValidationSuccess(
+        std::unique_ptr<QuicPathValidationContext> context,
+        QuicTime start_time) override;
+
+    void OnPathValidationFailure(
+        std::unique_ptr<QuicPathValidationContext> context) override;
+
+   private:
+    QuicConnection* connection_;
+  };
+
   // A class which sets and clears in_on_retransmission_time_out_ when entering
   // and exiting OnRetransmissionTimeout, respectively.
   class QUIC_EXPORT_PRIVATE ScopedRetransmissionTimeoutIndicator {
@@ -2024,6 +2082,8 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // first 1-RTT packet has been decrypted. Only used on server connections with
   // TLS handshaker.
   QuicArenaScopedPtr<QuicAlarm> discard_zero_rtt_decryption_keys_alarm_;
+  // An alarm that fires to keep probing the multi-port path.
+  QuicArenaScopedPtr<QuicAlarm> multi_port_probing_alarm_;
   // Neither visitor is owned by this class.
   QuicConnectionVisitorInterface* visitor_;
   QuicConnectionDebugVisitor* debug_visitor_;
@@ -2175,7 +2235,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   bool fill_coalesced_packet_ = false;
 
   size_t anti_amplification_factor_ =
-      GetQuicFlag(FLAGS_quic_anti_amplification_factor);
+      GetQuicFlag(quic_anti_amplification_factor);
 
   // True if AckFrequencyFrame is supported.
   bool can_receive_ack_frequency_frame_ = false;
@@ -2238,20 +2298,22 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // Records first serialized 1-RTT packet.
   std::unique_ptr<BufferedPacket> first_serialized_one_rtt_packet_;
 
-  RetransmittableOnWireBehavior retransmittable_on_wire_behavior_ = DEFAULT;
+  std::unique_ptr<QuicPathValidationContext> multi_port_path_context_;
 
-  // TODO(b/205023946) Debug-only fields, to be deprecated after the bug is
-  // fixed.
-  absl::optional<QuicWallTime> quic_bug_10511_43_timestamp_;
-  std::string quic_bug_10511_43_error_detail_;
+  bool multi_port_enabled_ = false;
 
-  bool only_send_probing_frames_on_alternative_path_ =
-      GetQuicReloadableFlag(quic_not_bundle_ack_on_alternative_path);
+  QuicTime::Delta multi_port_probing_interval_;
+
+  std::unique_ptr<MultiPortStats> multi_port_stats_;
+
+  RetransmittableOnWireBehavior retransmittable_on_wire_behavior_ = DEFAULT;
 
   // If true, throttle sending if next created packet will exceed amplification
   // limit.
   const bool enforce_strict_amplification_factor_ =
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor);
+      GetQuicFlag(quic_enforce_strict_amplification_factor);
+
+  ConnectionIdGeneratorInterface& connection_id_generator_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_context.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_context.cc
index d8dfbac106e..01381edb8ac 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_context.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_context.cc
@@ -5,12 +5,24 @@
 #include "quiche/quic/core/quic_connection_context.h"
 
 #include "quiche/common/platform/api/quiche_thread_local.h"
+#include "quiche/common/quiche_text_utils.h"
 
 namespace quic {
 namespace {
 DEFINE_QUICHE_THREAD_LOCAL_POINTER(CurrentContext, QuicConnectionContext);
 }  // namespace
 
+std::string QuicConnectionProcessPacketContext::DebugString() const {
+  if (decrypted_payload.empty()) {
+    return "Not processing packet";
+  }
+
+  return absl::StrCat("current_frame_offset: ", current_frame_offset,
+                      ", payload size: ", decrypted_payload.size(),
+                      ", payload hexdump: ",
+                      quiche::QuicheTextUtils::HexDump(decrypted_payload));
+}
+
 // static
 QuicConnectionContext* QuicConnectionContext::Current() {
   return GET_QUICHE_THREAD_LOCAL_POINTER(CurrentContext);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_context.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_context.h
index 192002ea098..72d6b66c86e 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_context.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_context.h
@@ -61,6 +61,23 @@ class QUIC_EXPORT_PRIVATE QuicBugListener {
                          absl::string_view bug_message) = 0;
 };
 
+// QuicConnectionProcessPacketContext is a member of QuicConnectionContext that
+// contains information of the packet currently being processed by the owning
+// QuicConnection.
+struct QUIC_EXPORT_PRIVATE QuicConnectionProcessPacketContext final {
+  // If !empty(), the decrypted payload of the packet currently being processed.
+  absl::string_view decrypted_payload;
+
+  // The offset within |decrypted_payload|, if it's non-empty, that marks the
+  // start of the frame currently being processed.
+  // Should not be used when |decrypted_payload| is empty.
+  size_t current_frame_offset = 0;
+
+  // NOTE: This can be very expansive. If used in logs, make sure it is rate
+  // limited via QUIC_BUG etc.
+  std::string DebugString() const;
+};
+
 // QuicConnectionContext is a per-QuicConnection context that includes
 // facilities useable by any part of a QuicConnection. A QuicConnectionContext
 // is owned by a QuicConnection.
@@ -78,6 +95,9 @@ struct QUIC_EXPORT_PRIVATE QuicConnectionContext final {
 
   std::unique_ptr<QuicConnectionTracer> tracer;
   std::unique_ptr<QuicBugListener> bug_listener;
+
+  // Information about the packet currently being processed.
+  QuicConnectionProcessPacketContext process_packet_context;
 };
 
 // QuicConnectionContextSwitcher is a RAII object used for maintaining the
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager.cc
index 17f7a725cd3..a3909f3109b 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager.cc
@@ -11,6 +11,7 @@
 #include "quiche/quic/core/quic_error_codes.h"
 #include "quiche/quic/core/quic_utils.h"
 #include "quiche/quic/platform/api/quic_flag_utils.h"
+#include "quiche/quic/platform/api/quic_flags.h"
 #include "quiche/common/platform/api/quiche_logging.h"
 
 namespace quic {
@@ -278,7 +279,7 @@ QuicSelfIssuedConnectionIdManager::QuicSelfIssuedConnectionIdManager(
     const QuicConnectionId& initial_connection_id, const QuicClock* clock,
     QuicAlarmFactory* alarm_factory,
     QuicConnectionIdManagerVisitorInterface* visitor,
-    QuicConnectionContext* context)
+    QuicConnectionContext* context, ConnectionIdGeneratorInterface& generator)
     : active_connection_id_limit_(active_connection_id_limit),
       clock_(clock),
       visitor_(visitor),
@@ -286,7 +287,8 @@ QuicSelfIssuedConnectionIdManager::QuicSelfIssuedConnectionIdManager(
           new RetireSelfIssuedConnectionIdAlarmDelegate(this, context))),
       last_connection_id_(initial_connection_id),
       next_connection_id_sequence_number_(1u),
-      last_connection_id_consumed_by_self_sequence_number_(0u) {
+      last_connection_id_consumed_by_self_sequence_number_(0u),
+      connection_id_generator_(generator) {
   active_connection_ids_.emplace_back(initial_connection_id, 0u);
 }
 
@@ -303,18 +305,33 @@ absl::optional<QuicNewConnectionIdFrame>
 QuicSelfIssuedConnectionIdManager::MaybeIssueNewConnectionId() {
   const bool check_cid_collision_when_issue_new_cid =
       GetQuicReloadableFlag(quic_check_cid_collision_when_issue_new_cid);
-  QuicConnectionId new_cid = GenerateNewConnectionId(last_connection_id_);
+  absl::optional<QuicConnectionId> new_cid;
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator)) {
+    QUIC_RELOADABLE_FLAG_COUNT(
+        quic_connection_uses_abstract_connection_id_generator);
+    new_cid =
+        connection_id_generator_.GenerateNextConnectionId(last_connection_id_);
+  } else {
+    new_cid = GenerateNewConnectionId(last_connection_id_);
+  }
+  if (!new_cid.has_value()) {
+    QUIC_BUG_IF(quic_bug_469887433_1,
+                !GetQuicReloadableFlag(
+                    quic_connection_uses_abstract_connection_id_generator));
+    return {};
+  }
   if (check_cid_collision_when_issue_new_cid) {
     QUIC_RELOADABLE_FLAG_COUNT_N(quic_check_cid_collision_when_issue_new_cid, 1,
                                  2);
-    if (!visitor_->MaybeReserveConnectionId(new_cid)) {
+    if (!visitor_->MaybeReserveConnectionId(*new_cid)) {
       QUIC_RELOADABLE_FLAG_COUNT_N(quic_check_cid_collision_when_issue_new_cid,
                                    2, 2);
       return {};
     }
   }
   QuicNewConnectionIdFrame frame;
-  frame.connection_id = new_cid;
+  frame.connection_id = *new_cid;
   frame.sequence_number = next_connection_id_sequence_number_++;
   frame.stateless_reset_token =
       QuicUtils::GenerateStatelessResetToken(frame.connection_id);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager.h
index 7f271e20cae..1fa48e96fb8 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager.h
@@ -14,6 +14,7 @@
 #include <memory>
 
 #include "absl/types/optional.h"
+#include "quiche/quic/core/connection_id_generator.h"
 #include "quiche/quic/core/frames/quic_new_connection_id_frame.h"
 #include "quiche/quic/core/frames/quic_retire_connection_id_frame.h"
 #include "quiche/quic/core/quic_alarm.h"
@@ -126,7 +127,8 @@ class QUIC_EXPORT_PRIVATE QuicSelfIssuedConnectionIdManager {
       const QuicConnectionId& initial_connection_id, const QuicClock* clock,
       QuicAlarmFactory* alarm_factory,
       QuicConnectionIdManagerVisitorInterface* visitor,
-      QuicConnectionContext* context);
+      QuicConnectionContext* context,
+      ConnectionIdGeneratorInterface& generator);
 
   virtual ~QuicSelfIssuedConnectionIdManager();
 
@@ -159,6 +161,9 @@ class QUIC_EXPORT_PRIVATE QuicSelfIssuedConnectionIdManager {
   // tell if a received packet has a valid connection ID.
   bool IsConnectionIdInUse(const QuicConnectionId& cid) const;
 
+  // TODO(martinduke): This class will be eliminated when
+  // FLAGS_gfe2_reloadable_flag_quic_connection_uses_abstract_connection_id_generator
+  // goes away.
   virtual QuicConnectionId GenerateNewConnectionId(
       const QuicConnectionId& old_connection_id) const;
 
@@ -189,6 +194,8 @@ class QUIC_EXPORT_PRIVATE QuicSelfIssuedConnectionIdManager {
   uint64_t next_connection_id_sequence_number_;
   // The sequence number of last connection ID consumed.
   uint64_t last_connection_id_consumed_by_self_sequence_number_;
+
+  ConnectionIdGeneratorInterface& connection_id_generator_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager_test.cc
index dbd239f026d..bb85d5d5a53 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_id_manager_test.cc
@@ -10,6 +10,7 @@
 #include "quiche/quic/core/quic_error_codes.h"
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/test_tools/mock_clock.h"
+#include "quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "quiche/quic/test_tools/quic_connection_id_manager_peer.h"
 #include "quiche/quic/test_tools/quic_test_utils.h"
 
@@ -535,7 +536,7 @@ class QuicSelfIssuedConnectionIdManagerTest : public QuicTest {
   QuicSelfIssuedConnectionIdManagerTest()
       : cid_manager_(/*active_connection_id_limit*/ 2, initial_connection_id_,
                      &clock_, &alarm_factory_, &cid_manager_visitor_,
-                     /*context=*/nullptr) {
+                     /*context=*/nullptr, connection_id_generator_) {
     clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(10));
     retire_self_issued_cid_alarm_ =
         QuicConnectionIdManagerPeer::GetRetireSelfIssuedConnectionIdAlarm(
@@ -543,6 +544,19 @@ class QuicSelfIssuedConnectionIdManagerTest : public QuicTest {
   }
 
  protected:
+  // Verify that a call to GenerateNewConnectionId() does the right thing.
+  QuicConnectionId CheckGenerate(QuicConnectionId old_cid) {
+    QuicConnectionId new_cid =
+        QuicUtils::CreateReplacementConnectionId(old_cid);
+    if (GetQuicReloadableFlag(
+            quic_connection_uses_abstract_connection_id_generator)) {
+      // Ready for the actual call.
+      EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(old_cid))
+          .WillOnce(Return(new_cid));
+    }
+    return new_cid;
+  }
+
   MockClock clock_;
   test::MockAlarmFactory alarm_factory_;
   TestSelfIssuedConnectionIdManagerVisitor cid_manager_visitor_;
@@ -551,6 +565,7 @@ class QuicSelfIssuedConnectionIdManagerTest : public QuicTest {
   QuicAlarm* retire_self_issued_cid_alarm_ = nullptr;
   std::string error_details_;
   QuicTime::Delta pto_delay_ = QuicTime::Delta::FromMilliseconds(10);
+  MockConnectionIdGenerator connection_id_generator_;
 };
 
 MATCHER_P3(ExpectedNewConnectionIdFrame, connection_id, sequence_number,
@@ -563,11 +578,11 @@ MATCHER_P3(ExpectedNewConnectionIdFrame, connection_id, sequence_number,
 TEST_F(QuicSelfIssuedConnectionIdManagerTest,
        RetireSelfIssuedConnectionIdInOrder) {
   QuicConnectionId cid0 = initial_connection_id_;
-  QuicConnectionId cid1 = cid_manager_.GenerateNewConnectionId(cid0);
-  QuicConnectionId cid2 = cid_manager_.GenerateNewConnectionId(cid1);
-  QuicConnectionId cid3 = cid_manager_.GenerateNewConnectionId(cid2);
-  QuicConnectionId cid4 = cid_manager_.GenerateNewConnectionId(cid3);
-  QuicConnectionId cid5 = cid_manager_.GenerateNewConnectionId(cid4);
+  QuicConnectionId cid1 = CheckGenerate(cid0);
+  QuicConnectionId cid2 = CheckGenerate(cid1);
+  QuicConnectionId cid3 = CheckGenerate(cid2);
+  QuicConnectionId cid4 = CheckGenerate(cid3);
+  QuicConnectionId cid5 = CheckGenerate(cid4);
 
   // Sends CID #1 to peer.
   EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(cid1))
@@ -645,10 +660,10 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest,
 TEST_F(QuicSelfIssuedConnectionIdManagerTest,
        RetireSelfIssuedConnectionIdOutOfOrder) {
   QuicConnectionId cid0 = initial_connection_id_;
-  QuicConnectionId cid1 = cid_manager_.GenerateNewConnectionId(cid0);
-  QuicConnectionId cid2 = cid_manager_.GenerateNewConnectionId(cid1);
-  QuicConnectionId cid3 = cid_manager_.GenerateNewConnectionId(cid2);
-  QuicConnectionId cid4 = cid_manager_.GenerateNewConnectionId(cid3);
+  QuicConnectionId cid1 = CheckGenerate(cid0);
+  QuicConnectionId cid2 = CheckGenerate(cid1);
+  QuicConnectionId cid3 = CheckGenerate(cid2);
+  QuicConnectionId cid4 = CheckGenerate(cid3);
 
   // Sends CID #1 to peer.
   EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(cid1))
@@ -728,9 +743,9 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest,
 TEST_F(QuicSelfIssuedConnectionIdManagerTest,
        ScheduleConnectionIdRetirementOneAtATime) {
   QuicConnectionId cid0 = initial_connection_id_;
-  QuicConnectionId cid1 = cid_manager_.GenerateNewConnectionId(cid0);
-  QuicConnectionId cid2 = cid_manager_.GenerateNewConnectionId(cid1);
-  QuicConnectionId cid3 = cid_manager_.GenerateNewConnectionId(cid2);
+  QuicConnectionId cid1 = CheckGenerate(cid0);
+  QuicConnectionId cid2 = CheckGenerate(cid1);
+  QuicConnectionId cid3 = CheckGenerate(cid2);
   EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(_))
       .Times(3)
       .WillRepeatedly(Return(true));
@@ -787,9 +802,9 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest,
 TEST_F(QuicSelfIssuedConnectionIdManagerTest,
        ScheduleMultipleConnectionIdRetirement) {
   QuicConnectionId cid0 = initial_connection_id_;
-  QuicConnectionId cid1 = cid_manager_.GenerateNewConnectionId(cid0);
-  QuicConnectionId cid2 = cid_manager_.GenerateNewConnectionId(cid1);
-  QuicConnectionId cid3 = cid_manager_.GenerateNewConnectionId(cid2);
+  QuicConnectionId cid1 = CheckGenerate(cid0);
+  QuicConnectionId cid2 = CheckGenerate(cid1);
+  QuicConnectionId cid3 = CheckGenerate(cid2);
   EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(_))
       .Times(3)
       .WillRepeatedly(Return(true));
@@ -845,9 +860,9 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest,
 TEST_F(QuicSelfIssuedConnectionIdManagerTest,
        AllExpiredConnectionIdsAreRetiredInOneBatch) {
   QuicConnectionId cid0 = initial_connection_id_;
-  QuicConnectionId cid1 = cid_manager_.GenerateNewConnectionId(cid0);
-  QuicConnectionId cid2 = cid_manager_.GenerateNewConnectionId(cid1);
-  QuicConnectionId cid3 = cid_manager_.GenerateNewConnectionId(cid2);
+  QuicConnectionId cid1 = CheckGenerate(cid0);
+  QuicConnectionId cid2 = CheckGenerate(cid1);
+  QuicConnectionId cid3 = CheckGenerate(cid2);
   QuicConnectionId cid;
   EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(_))
       .Times(3)
@@ -907,7 +922,7 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest,
 TEST_F(QuicSelfIssuedConnectionIdManagerTest,
        ErrorWhenRetireConnectionIdNeverIssued) {
   QuicConnectionId cid0 = initial_connection_id_;
-  QuicConnectionId cid1 = cid_manager_.GenerateNewConnectionId(cid0);
+  QuicConnectionId cid1 = CheckGenerate(cid0);
 
   // CID #1 is sent to peer.
   EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(_))
@@ -927,17 +942,20 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest,
 TEST_F(QuicSelfIssuedConnectionIdManagerTest,
        ErrorWhenTooManyConnectionIdWaitingToBeRetired) {
   // CID #0 & #1 are issued.
-  EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(_))
+  QuicConnectionId last_connection_id = CheckGenerate(initial_connection_id_);
+  EXPECT_CALL(cid_manager_visitor_,
+              MaybeReserveConnectionId(last_connection_id))
       .WillOnce(Return(true));
   EXPECT_CALL(cid_manager_visitor_, SendNewConnectionId(_))
       .WillOnce(Return(true));
   cid_manager_.MaybeSendNewConnectionIds();
 
   // Add 8 connection IDs to the to-be-retired list.
-  QuicConnectionId last_connection_id =
-      cid_manager_.GenerateNewConnectionId(initial_connection_id_);
+
   for (int i = 0; i < 8; ++i) {
-    EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(_))
+    last_connection_id = CheckGenerate(last_connection_id);
+    EXPECT_CALL(cid_manager_visitor_,
+                MaybeReserveConnectionId(last_connection_id))
         .WillOnce(Return(true));
     EXPECT_CALL(cid_manager_visitor_, SendNewConnectionId(_));
     QuicRetireConnectionIdFrame retire_cid_frame;
@@ -945,8 +963,6 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest,
     ASSERT_THAT(cid_manager_.OnRetireConnectionIdFrame(
                     retire_cid_frame, pto_delay_, &error_details_),
                 IsQuicNoError());
-    last_connection_id =
-        cid_manager_.GenerateNewConnectionId(last_connection_id);
   }
   QuicRetireConnectionIdFrame retire_cid_frame;
   retire_cid_frame.sequence_number = 8u;
@@ -959,7 +975,7 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest,
 
 TEST_F(QuicSelfIssuedConnectionIdManagerTest, CannotIssueNewCidDueToVisitor) {
   QuicConnectionId cid0 = initial_connection_id_;
-  QuicConnectionId cid1 = cid_manager_.GenerateNewConnectionId(cid0);
+  QuicConnectionId cid1 = CheckGenerate(cid0);
   EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(cid1))
       .WillOnce(Return(false));
   if (GetQuicReloadableFlag(quic_check_cid_collision_when_issue_new_cid)) {
@@ -973,8 +989,8 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest, CannotIssueNewCidDueToVisitor) {
 TEST_F(QuicSelfIssuedConnectionIdManagerTest,
        CannotIssueNewCidUponRetireConnectionIdDueToVisitor) {
   QuicConnectionId cid0 = initial_connection_id_;
-  QuicConnectionId cid1 = cid_manager_.GenerateNewConnectionId(cid0);
-  QuicConnectionId cid2 = cid_manager_.GenerateNewConnectionId(cid1);
+  QuicConnectionId cid1 = CheckGenerate(cid0);
+  QuicConnectionId cid2 = CheckGenerate(cid1);
   // CID #0 & #1 are issued.
   EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(cid1))
       .WillOnce(Return(true));
@@ -1000,7 +1016,7 @@ TEST_F(QuicSelfIssuedConnectionIdManagerTest,
 TEST_F(QuicSelfIssuedConnectionIdManagerTest,
        DoNotIssueConnectionIdVoluntarilyIfOneHasIssuedForPerferredAddress) {
   QuicConnectionId cid0 = initial_connection_id_;
-  QuicConnectionId cid1 = cid_manager_.GenerateNewConnectionId(cid0);
+  QuicConnectionId cid1 = CheckGenerate(cid0);
   EXPECT_CALL(cid_manager_visitor_, MaybeReserveConnectionId(cid1))
       .WillOnce(Return(true));
   absl::optional<QuicNewConnectionIdFrame> new_cid_frame =
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_stats.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_stats.cc
index bb53ca52c44..105d9579084 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_stats.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_stats.cc
@@ -48,6 +48,7 @@ std::ostream& operator<<(std::ostream& os, const QuicConnectionStats& s) {
   os << " blocked_frames_sent: " << s.blocked_frames_sent;
   os << " num_connectivity_probing_received: "
      << s.num_connectivity_probing_received;
+  os << " num_path_response_received: " << s.num_path_response_received;
   os << " retry_packet_processed: "
      << (s.retry_packet_processed ? "yes" : "no");
   os << " num_coalesced_packets_received: " << s.num_coalesced_packets_received;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_stats.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_stats.h
index 4aaf7800966..2d25495754f 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_stats.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_stats.h
@@ -143,6 +143,9 @@ struct QUIC_EXPORT_PRIVATE QuicConnectionStats {
   // Number of connectivity probing packets received by this connection.
   uint64_t num_connectivity_probing_received = 0;
 
+  // Number of PATH_RESPONSE frame received by this connection.
+  uint64_t num_path_response_received = 0;
+
   // Whether a RETRY packet was successfully processed.
   bool retry_packet_processed = false;
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_test.cc
index dca05203bf3..6ffef91ed58 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_connection_test.cc
@@ -37,10 +37,12 @@
 #include "quiche/quic/platform/api/quic_expect_bug.h"
 #include "quiche/quic/platform/api/quic_flags.h"
 #include "quiche/quic/platform/api/quic_ip_address.h"
+#include "quiche/quic/platform/api/quic_ip_address_family.h"
 #include "quiche/quic/platform/api/quic_logging.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/test_tools/mock_clock.h"
+#include "quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "quiche/quic/test_tools/mock_random.h"
 #include "quiche/quic/test_tools/quic_coalesced_packet_peer.h"
 #include "quiche/quic/test_tools/quic_config_peer.h"
@@ -187,11 +189,12 @@ class TestConnection : public QuicConnection {
                  QuicSocketAddress initial_peer_address,
                  TestConnectionHelper* helper, TestAlarmFactory* alarm_factory,
                  TestPacketWriter* writer, Perspective perspective,
-                 ParsedQuicVersion version)
+                 ParsedQuicVersion version,
+                 ConnectionIdGeneratorInterface& generator)
       : QuicConnection(connection_id, initial_self_address,
                        initial_peer_address, helper, alarm_factory, writer,
                        /* owns_writer= */ false, perspective,
-                       SupportedVersions(version)),
+                       SupportedVersions(version), generator),
         notifier_(nullptr) {
     writer->set_perspective(perspective);
     SetEncrypter(ENCRYPTION_FORWARD_SECURE,
@@ -468,6 +471,11 @@ class TestConnection : public QuicConnection {
         QuicConnectionPeer::GetRetireSelfIssuedConnectionIdAlarm(this));
   }
 
+  TestAlarmFactory::TestAlarm* GetMultiPortProbingAlarm() {
+    return reinterpret_cast<TestAlarmFactory::TestAlarm*>(
+        QuicConnectionPeer::GetMultiPortProbingAlarm(this));
+  }
+
   void PathDegradingTimeout() {
     QUICHE_DCHECK(PathDegradingDetectionInProgress());
     GetBlackholeDetectorAlarm()->Fire();
@@ -606,7 +614,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
             new TestPacketWriter(version(), &clock_, Perspective::IS_CLIENT)),
         connection_(connection_id_, kSelfAddress, kPeerAddress, helper_.get(),
                     alarm_factory_.get(), writer_.get(), Perspective::IS_CLIENT,
-                    version()),
+                    version(), connection_id_generator_),
         creator_(QuicConnectionPeer::GetPacketCreator(&connection_)),
         manager_(QuicConnectionPeer::GetSentPacketManager(&connection_)),
         frame1_(0, false, 0, absl::string_view(data1)),
@@ -1488,6 +1496,7 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
 
   QuicConnectionCloseFrame saved_connection_close_frame_;
   int connection_close_frame_count_;
+  MockConnectionIdGenerator connection_id_generator_;
 };
 
 // Run all end to end tests with all supported versions.
@@ -1711,7 +1720,7 @@ TEST_P(QuicConnectionTest, PeerPortChangeAtServer) {
 TEST_P(QuicConnectionTest, PeerIpAddressChangeAtServer) {
   set_perspective(Perspective::IS_SERVER);
   if (!connection_.validate_client_address() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
@@ -1868,6 +1877,12 @@ TEST_P(QuicConnectionTest, PeerIpAddressChangeAtServerWithMissingConnectionId) {
   QuicConnectionPeer::SetAddressValidated(&connection_);
 
   // Sends new server CID to client.
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
       .WillOnce(Invoke([&](const QuicConnectionId& cid) {
         server_cid1 = cid;
@@ -1907,7 +1922,7 @@ TEST_P(QuicConnectionTest, PeerIpAddressChangeAtServerWithMissingConnectionId) {
 
   QuicFrames frames2;
   frames2.push_back(QuicFrame(frame2_));
-  if (GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+  if (GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     frames2.push_back(QuicFrame(QuicPaddingFrame(-1)));
   }
   ProcessFramesPacketWithAddresses(frames2, kSelfAddress, kNewPeerAddress,
@@ -1931,7 +1946,7 @@ TEST_P(QuicConnectionTest, PeerIpAddressChangeAtServerWithMissingConnectionId) {
 }
 
 TEST_P(QuicConnectionTest, EffectivePeerAddressChangeAtServer) {
-  if (GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+  if (GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   set_perspective(Perspective::IS_SERVER);
@@ -2067,6 +2082,12 @@ TEST_P(QuicConnectionTest, ConnectionMigrationWithPendingPaddingBytes) {
 
   // Sends new server CID to client.
   QuicConnectionId new_cid;
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
       .WillOnce(Invoke([&](const QuicConnectionId& cid) {
         new_cid = cid;
@@ -2111,7 +2132,7 @@ TEST_P(QuicConnectionTest,
        ReversePathValidationResponseReceivedFromUnexpectedPeerAddress) {
   set_perspective(Perspective::IS_SERVER);
   if (!connection_.connection_migration_use_new_cid() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
@@ -2125,6 +2146,12 @@ TEST_P(QuicConnectionTest,
 
   // Sends new server CID to client.
   QuicConnectionId new_cid;
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
       .WillOnce(Invoke([&](const QuicConnectionId& cid) {
         new_cid = cid;
@@ -2193,6 +2220,12 @@ TEST_P(QuicConnectionTest, ReversePathValidationFailureAtServer) {
   QuicConnectionId server_cid0 = connection_.connection_id();
   QuicConnectionId server_cid1;
   // Sends new server CID to client.
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
       .WillOnce(Invoke([&](const QuicConnectionId& cid) {
         server_cid1 = cid;
@@ -2441,7 +2474,7 @@ class TestValidationResultDelegate : public QuicPathValidator::ResultDelegate {
     EXPECT_EQ(expected_self_address_, context->self_address());
     EXPECT_EQ(expected_peer_address_, context->peer_address());
     if (connection_->perspective() == Perspective::IS_CLIENT) {
-      connection_->OnPathValidationFailureAtClient();
+      connection_->OnPathValidationFailureAtClient(/*is_multi_port=*/false);
     }
     *success_ = false;
   }
@@ -2865,7 +2898,8 @@ TEST_P(QuicConnectionTest, PeerCannotRaiseMaxPacketSize) {
 TEST_P(QuicConnectionTest, SmallerServerMaxPacketSize) {
   TestConnection connection(TestConnectionId(), kSelfAddress, kPeerAddress,
                             helper_.get(), alarm_factory_.get(), writer_.get(),
-                            Perspective::IS_SERVER, version());
+                            Perspective::IS_SERVER, version(),
+                            connection_id_generator_);
   EXPECT_EQ(Perspective::IS_SERVER, connection.perspective());
   EXPECT_EQ(1000u, connection.max_packet_length());
 }
@@ -2875,7 +2909,7 @@ TEST_P(QuicConnectionTest, LowerServerResponseMtuTest) {
   connection_.SetMaxPacketLength(1000);
   EXPECT_EQ(1000u, connection_.max_packet_length());
 
-  SetQuicFlag(FLAGS_quic_use_lower_server_response_mtu_for_test, true);
+  SetQuicFlag(quic_use_lower_server_response_mtu_for_test, true);
   EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(::testing::AtMost(1));
   EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(::testing::AtMost(1));
   ProcessCryptoPacketAtLevel(1, ENCRYPTION_INITIAL);
@@ -2994,7 +3028,8 @@ TEST_P(QuicConnectionTest, LimitMaxPacketSizeByWriterForNewConnection) {
   writer_->set_max_packet_size(lower_max_packet_size);
   TestConnection connection(connection_id, kSelfAddress, kPeerAddress,
                             helper_.get(), alarm_factory_.get(), writer_.get(),
-                            Perspective::IS_CLIENT, version());
+                            Perspective::IS_CLIENT, version(),
+                            connection_id_generator_);
   EXPECT_EQ(Perspective::IS_CLIENT, connection.perspective());
   EXPECT_EQ(lower_max_packet_size, connection.max_packet_length());
 }
@@ -6921,10 +6956,12 @@ TEST_P(QuicConnectionTest, OnPacketHeaderDebugVisitor) {
 TEST_P(QuicConnectionTest, Pacing) {
   TestConnection server(connection_id_, kPeerAddress, kSelfAddress,
                         helper_.get(), alarm_factory_.get(), writer_.get(),
-                        Perspective::IS_SERVER, version());
+                        Perspective::IS_SERVER, version(),
+                        connection_id_generator_);
   TestConnection client(connection_id_, kSelfAddress, kPeerAddress,
                         helper_.get(), alarm_factory_.get(), writer_.get(),
-                        Perspective::IS_CLIENT, version());
+                        Perspective::IS_CLIENT, version(),
+                        connection_id_generator_);
   EXPECT_FALSE(QuicSentPacketManagerPeer::UsingPacing(
       static_cast<const QuicSentPacketManager*>(
           &client.sent_packet_manager())));
@@ -8071,7 +8108,7 @@ TEST_P(QuicConnectionTest, NoPingIfRetransmittablePacketSent) {
 // afterwards until it exceeds the default ping timeout.
 TEST_P(QuicConnectionTest, BackOffRetransmittableOnWireTimeout) {
   int max_aggressive_retransmittable_on_wire_ping_count = 5;
-  SetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count,
+  SetQuicFlag(quic_max_aggressive_retransmittable_on_wire_ping_count,
               max_aggressive_retransmittable_on_wire_ping_count);
   const QuicTime::Delta initial_retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(200);
@@ -8166,7 +8203,7 @@ TEST_P(QuicConnectionTest, BackOffRetransmittableOnWireTimeout) {
 // after receiving new stream data.
 TEST_P(QuicConnectionTest, ResetBackOffRetransmitableOnWireTimeout) {
   int max_aggressive_retransmittable_on_wire_ping_count = 3;
-  SetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count, 3);
+  SetQuicFlag(quic_max_aggressive_retransmittable_on_wire_ping_count, 3);
   const QuicTime::Delta initial_retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(200);
   connection_.set_initial_retransmittable_on_wire_timeout(
@@ -8281,7 +8318,7 @@ TEST_P(QuicConnectionTest, ResetBackOffRetransmitableOnWireTimeout) {
 // the limit in FLAGS_quic_max_retransmittable_on_wire_ping_count.
 TEST_P(QuicConnectionTest, RetransmittableOnWirePingLimit) {
   static constexpr int kMaxRetransmittableOnWirePingCount = 3;
-  SetQuicFlag(FLAGS_quic_max_retransmittable_on_wire_ping_count,
+  SetQuicFlag(quic_max_retransmittable_on_wire_ping_count,
               kMaxRetransmittableOnWirePingCount);
   static constexpr QuicTime::Delta initial_retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(200);
@@ -9559,7 +9596,7 @@ TEST_P(QuicConnectionTest, DeprecateHandshakeMode) {
 
 TEST_P(QuicConnectionTest, AntiAmplificationLimit) {
   if (!connection_.version().SupportsAntiAmplificationLimit() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(AnyNumber());
@@ -9577,7 +9614,7 @@ TEST_P(QuicConnectionTest, AntiAmplificationLimit) {
   ProcessCryptoPacketAtLevel(1, ENCRYPTION_INITIAL);
 
   const size_t anti_amplification_factor =
-      GetQuicFlag(FLAGS_quic_anti_amplification_factor);
+      GetQuicFlag(quic_anti_amplification_factor);
   // Verify now packets can be sent.
   for (size_t i = 1; i < anti_amplification_factor; ++i) {
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
@@ -9616,7 +9653,7 @@ TEST_P(QuicConnectionTest, AntiAmplificationLimit) {
 
 TEST_P(QuicConnectionTest, 3AntiAmplificationLimit) {
   if (!connection_.version().SupportsAntiAmplificationLimit() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(AnyNumber());
@@ -9685,7 +9722,7 @@ TEST_P(QuicConnectionTest, 3AntiAmplificationLimit) {
 
 TEST_P(QuicConnectionTest, 10AntiAmplificationLimit) {
   if (!connection_.version().SupportsAntiAmplificationLimit() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(AnyNumber());
@@ -9828,6 +9865,9 @@ TEST_P(QuicConnectionTest, PtoSkipsPacketNumber) {
   EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
   connection_.SetFromConfig(config);
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
+  EXPECT_CALL(visitor_, GetHandshakeState())
+      .WillRepeatedly(Return(HANDSHAKE_CONFIRMED));
+  connection_.OnHandshakeComplete();
 
   QuicStreamId stream_id = 2;
   QuicPacketNumber last_packet;
@@ -9891,7 +9931,7 @@ TEST_P(QuicConnectionTest, FailToCoalescePacket) {
   // EXPECT_QUIC_BUG tests are expensive so only run one instance of them.
   if (!IsDefaultTestConfiguration() ||
       !connection_.version().CanSendCoalescedPackets() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
 
@@ -9899,11 +9939,6 @@ TEST_P(QuicConnectionTest, FailToCoalescePacket) {
   use_tagging_decrypter();
 
   auto test_body = [&] {
-    if (!GetQuicReloadableFlag(
-            quic_packet_flusher_check_connected_after_flush_packets)) {
-      EXPECT_CALL(visitor_, OnHandshakePacketSent());
-    }
-
     EXPECT_CALL(visitor_,
                 OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
         .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
@@ -10673,118 +10708,6 @@ TEST_P(QuicConnectionTest, ClientOnlyBlackholeDetectionServer) {
   EXPECT_FALSE(connection_.GetBlackholeDetectorAlarm()->IsSet());
 }
 
-TEST_P(QuicConnectionTest, 2RtoBlackholeDetection) {
-  if (!GetQuicReloadableFlag(quic_default_enable_5rto_blackhole_detection2) ||
-      GetQuicReloadableFlag(quic_remove_blackhole_detection_experiments)) {
-    return;
-  }
-  QuicConfig config;
-  QuicTagVector connection_options;
-  connection_options.push_back(k2RTO);
-  config.SetConnectionOptionsToSend(connection_options);
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  connection_.SetFromConfig(config);
-  const size_t kMinRttMs = 40;
-  RttStats* rtt_stats = const_cast<RttStats*>(manager_->GetRttStats());
-  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(kMinRttMs),
-                       QuicTime::Delta::Zero(), QuicTime::Zero());
-  EXPECT_CALL(visitor_, GetHandshakeState())
-      .WillRepeatedly(Return(HANDSHAKE_COMPLETE));
-  EXPECT_FALSE(connection_.GetBlackholeDetectorAlarm()->IsSet());
-  // Send stream data.
-  SendStreamDataToPeer(
-      GetNthClientInitiatedStreamId(1, connection_.transport_version()), "foo",
-      0, FIN, nullptr);
-  // Verify blackhole delay is expected.
-  EXPECT_EQ(clock_.Now() +
-                connection_.sent_packet_manager().GetNetworkBlackholeDelay(2),
-            QuicConnectionPeer::GetBlackholeDetectionDeadline(&connection_));
-}
-
-TEST_P(QuicConnectionTest, 3RtoBlackholeDetection) {
-  if (!GetQuicReloadableFlag(quic_default_enable_5rto_blackhole_detection2) ||
-      GetQuicReloadableFlag(quic_remove_blackhole_detection_experiments)) {
-    return;
-  }
-  QuicConfig config;
-  QuicTagVector connection_options;
-  connection_options.push_back(k3RTO);
-  config.SetConnectionOptionsToSend(connection_options);
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  connection_.SetFromConfig(config);
-  const size_t kMinRttMs = 40;
-  RttStats* rtt_stats = const_cast<RttStats*>(manager_->GetRttStats());
-  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(kMinRttMs),
-                       QuicTime::Delta::Zero(), QuicTime::Zero());
-  EXPECT_CALL(visitor_, GetHandshakeState())
-      .WillRepeatedly(Return(HANDSHAKE_COMPLETE));
-  EXPECT_FALSE(connection_.GetBlackholeDetectorAlarm()->IsSet());
-  // Send stream data.
-  SendStreamDataToPeer(
-      GetNthClientInitiatedStreamId(1, connection_.transport_version()), "foo",
-      0, FIN, nullptr);
-  // Verify blackhole delay is expected.
-  EXPECT_EQ(clock_.Now() +
-                connection_.sent_packet_manager().GetNetworkBlackholeDelay(3),
-            QuicConnectionPeer::GetBlackholeDetectionDeadline(&connection_));
-}
-
-TEST_P(QuicConnectionTest, 4RtoBlackholeDetection) {
-  if (!GetQuicReloadableFlag(quic_default_enable_5rto_blackhole_detection2) ||
-      GetQuicReloadableFlag(quic_remove_blackhole_detection_experiments)) {
-    return;
-  }
-  QuicConfig config;
-  QuicTagVector connection_options;
-  connection_options.push_back(k4RTO);
-  config.SetConnectionOptionsToSend(connection_options);
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  connection_.SetFromConfig(config);
-  const size_t kMinRttMs = 40;
-  RttStats* rtt_stats = const_cast<RttStats*>(manager_->GetRttStats());
-  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(kMinRttMs),
-                       QuicTime::Delta::Zero(), QuicTime::Zero());
-  EXPECT_CALL(visitor_, GetHandshakeState())
-      .WillRepeatedly(Return(HANDSHAKE_COMPLETE));
-  EXPECT_FALSE(connection_.GetBlackholeDetectorAlarm()->IsSet());
-  // Send stream data.
-  SendStreamDataToPeer(
-      GetNthClientInitiatedStreamId(1, connection_.transport_version()), "foo",
-      0, FIN, nullptr);
-  // Verify blackhole delay is expected.
-  EXPECT_EQ(clock_.Now() +
-                connection_.sent_packet_manager().GetNetworkBlackholeDelay(4),
-            QuicConnectionPeer::GetBlackholeDetectionDeadline(&connection_));
-}
-
-TEST_P(QuicConnectionTest, 6RtoBlackholeDetection) {
-  if (!GetQuicReloadableFlag(quic_default_enable_5rto_blackhole_detection2) ||
-      GetQuicReloadableFlag(quic_remove_blackhole_detection_experiments)) {
-    return;
-  }
-  QuicConfig config;
-  QuicTagVector connection_options;
-  connection_options.push_back(k6RTO);
-  config.SetConnectionOptionsToSend(connection_options);
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  connection_.SetFromConfig(config);
-  const size_t kMinRttMs = 40;
-  RttStats* rtt_stats = const_cast<RttStats*>(manager_->GetRttStats());
-  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(kMinRttMs),
-                       QuicTime::Delta::Zero(), QuicTime::Zero());
-  EXPECT_CALL(visitor_, GetHandshakeState())
-      .WillRepeatedly(Return(HANDSHAKE_COMPLETE));
-  EXPECT_FALSE(connection_.GetBlackholeDetectorAlarm()->IsSet());
-  // Send stream data.
-  SendStreamDataToPeer(
-      GetNthClientInitiatedStreamId(1, connection_.transport_version()), "foo",
-      0, FIN, nullptr);
-  // Verify blackhole delay is expected.
-  EXPECT_EQ(clock_.Now() +
-                connection_.sent_packet_manager().GetNetworkBlackholeDelay(6),
-            QuicConnectionPeer::GetBlackholeDetectionDeadline(&connection_));
-}
-
 // Regresstion test for b/158491591.
 TEST_P(QuicConnectionTest, MadeForwardProgressOnDiscardingKeys) {
   if (!connection_.SupportsMultiplePacketNumberSpaces()) {
@@ -11120,7 +11043,7 @@ TEST_P(QuicConnectionTest, CoalscingPacketCausesInfiniteLoop) {
 
   // Set anti amplification factor to 2, such that RetransmitDataOfSpaceIfAny
   // makes no forward progress and causes infinite loop.
-  SetQuicFlag(FLAGS_quic_anti_amplification_factor, 2);
+  SetQuicFlag(quic_anti_amplification_factor, 2);
 
   ProcessCryptoPacketAtLevel(1000, ENCRYPTION_INITIAL);
   EXPECT_TRUE(connection_.HasPendingAcks());
@@ -12483,7 +12406,7 @@ TEST_P(QuicConnectionTest, InitiateKeyUpdateApproachingConfidentialityLimit) {
     return;
   }
 
-  SetQuicFlag(FLAGS_quic_key_update_confidentiality_limit, 3U);
+  SetQuicFlag(quic_key_update_confidentiality_limit, 3U);
 
   std::string error_details;
   TransportParameters params;
@@ -12577,7 +12500,7 @@ TEST_P(QuicConnectionTest,
   }
 
   // Set key update confidentiality limit to 1 packet.
-  SetQuicFlag(FLAGS_quic_key_update_confidentiality_limit, 1U);
+  SetQuicFlag(quic_key_update_confidentiality_limit, 1U);
   // Use confidentiality limit for connection close of 3 packets.
   constexpr size_t kConfidentialityLimit = 3U;
 
@@ -13070,6 +12993,89 @@ TEST_P(QuicConnectionTest, MigrateToNewPathDuringProbing) {
       &connection_, kNewSelfAddress, connection_.peer_address()));
 }
 
+TEST_P(QuicConnectionTest, MultiPortCreation) {
+  set_perspective(Perspective::IS_CLIENT);
+  QuicConfig config;
+  config.SetConnectionOptionsToSend(QuicTagVector{kMPQC, kRVCM});
+  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
+  connection_.SetFromConfig(config);
+  if (!connection_.connection_migration_use_new_cid()) {
+    return;
+  }
+  connection_.CreateConnectionIdManager();
+  connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+  connection_.OnHandshakeComplete();
+
+  EXPECT_CALL(visitor_, OnPathDegrading());
+  connection_.OnPathDegradingDetected();
+
+  auto self_address = connection_.self_address();
+  const QuicSocketAddress kNewSelfAddress(self_address.host(),
+                                          self_address.port() + 1);
+  EXPECT_NE(kNewSelfAddress, self_address);
+  TestPacketWriter new_writer(version(), &clock_, Perspective::IS_CLIENT);
+
+  QuicNewConnectionIdFrame frame;
+  frame.connection_id = TestConnectionId(1234);
+  ASSERT_NE(frame.connection_id, connection_.connection_id());
+  frame.stateless_reset_token =
+      QuicUtils::GenerateStatelessResetToken(frame.connection_id);
+  frame.retire_prior_to = 0u;
+  frame.sequence_number = 1u;
+  EXPECT_CALL(visitor_, CreateContextForMultiPortPath())
+      .WillRepeatedly(Return(
+          testing::ByMove(std::make_unique<TestQuicPathValidationContext>(
+              kNewSelfAddress, connection_.peer_address(), &new_writer))));
+  connection_.OnNewConnectionIdFrame(frame);
+  EXPECT_TRUE(connection_.HasPendingPathValidation());
+  EXPECT_TRUE(QuicConnectionPeer::IsAlternativePath(
+      &connection_, kNewSelfAddress, connection_.peer_address()));
+  auto* alt_path = QuicConnectionPeer::GetAlternativePath(&connection_);
+  EXPECT_FALSE(alt_path->validated);
+
+  // 30ms RTT.
+  const QuicTime::Delta kTestRTT = QuicTime::Delta::FromMilliseconds(30);
+  // Fake a response delay.
+  clock_.AdvanceTime(kTestRTT);
+
+  QuicFrames frames;
+  frames.push_back(QuicFrame(QuicPathResponseFrame(
+      99, new_writer.path_challenge_frames().front().data_buffer)));
+  ProcessFramesPacketWithAddresses(frames, kNewSelfAddress, kPeerAddress,
+                                   ENCRYPTION_FORWARD_SECURE);
+  // No migration should happen and the alternative path should still be alive.
+  EXPECT_FALSE(connection_.HasPendingPathValidation());
+  EXPECT_TRUE(QuicConnectionPeer::IsAlternativePath(
+      &connection_, kNewSelfAddress, connection_.peer_address()));
+  EXPECT_TRUE(alt_path->validated);
+
+  auto stats = connection_.multi_port_stats();
+  EXPECT_EQ(1, stats->num_path_degrading);
+  EXPECT_EQ(0, stats->num_multi_port_probe_failures_when_path_degrading);
+  EXPECT_EQ(kTestRTT, stats->rtt_stats.latest_rtt());
+  EXPECT_EQ(kTestRTT,
+            stats->rtt_stats_when_default_path_degrading.latest_rtt());
+
+  connection_.GetMultiPortProbingAlarm()->Fire();
+  EXPECT_TRUE(connection_.HasPendingPathValidation());
+  EXPECT_TRUE(QuicConnectionPeer::IsAlternativePath(
+      &connection_, kNewSelfAddress, connection_.peer_address()));
+  for (size_t i = 0; i < QuicPathValidator::kMaxRetryTimes + 1; ++i) {
+    clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(3 * kInitialRttMs));
+    static_cast<TestAlarmFactory::TestAlarm*>(
+        QuicPathValidatorPeer::retry_timer(
+            QuicConnectionPeer::path_validator(&connection_)))
+        ->Fire();
+  }
+
+  EXPECT_FALSE(connection_.HasPendingPathValidation());
+  EXPECT_FALSE(QuicConnectionPeer::IsAlternativePath(
+      &connection_, kNewSelfAddress, connection_.peer_address()));
+  EXPECT_EQ(1, stats->num_path_degrading);
+  EXPECT_EQ(1, stats->num_multi_port_probe_failures_when_path_degrading);
+  EXPECT_EQ(0, stats->num_multi_port_probe_failures_when_path_not_degrading);
+}
+
 TEST_P(QuicConnectionTest, SingleAckInPacket) {
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(visitor_, OnConnectionClosed(_, _));
@@ -13344,6 +13350,12 @@ TEST_P(QuicConnectionTest, PathChallengeBeforePeerIpAddressChangeAtServer) {
   QuicConnectionId client_cid1 = TestConnectionId(2);
   QuicConnectionId server_cid1;
   // Sends new server CID to client.
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
       .WillOnce(Invoke([&](const QuicConnectionId& cid) {
         server_cid1 = cid;
@@ -13492,6 +13504,12 @@ TEST_P(QuicConnectionTest,
   QuicConnectionId server_cid0 = connection_.connection_id();
   QuicConnectionId server_cid1;
   // Sends new server CID to client.
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
       .WillOnce(Invoke([&](const QuicConnectionId& cid) {
         server_cid1 = cid;
@@ -13613,6 +13631,12 @@ TEST_P(QuicConnectionTest, NoNonProbingFrameOnAlternativePath) {
   QuicConnectionId client_cid1 = TestConnectionId(2);
   QuicConnectionId server_cid1;
   // Sends new server CID to client.
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
       .WillOnce(Invoke([&](const QuicConnectionId& cid) {
         server_cid1 = cid;
@@ -13691,30 +13715,22 @@ TEST_P(QuicConnectionTest, NoNonProbingFrameOnAlternativePath) {
       .WillOnce(Invoke([this]() {
         connection_.SendControlFrame(QuicFrame(QuicWindowUpdateFrame(1, 0, 0)));
       }));
-  if (GetQuicReloadableFlag(quic_not_bundle_ack_on_alternative_path)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
-        .WillOnce(Invoke([&]() {
-          EXPECT_EQ(kNewPeerAddress, writer_->last_write_peer_address());
-          EXPECT_FALSE(writer_->path_challenge_frames().empty());
-          // Retry path validation shouldn't bundle ACK.
-          EXPECT_TRUE(writer_->ack_frames().empty());
-        }))
-        .WillOnce(Invoke([&]() {
-          EXPECT_EQ(kPeerAddress, writer_->last_write_peer_address());
-          EXPECT_FALSE(writer_->ack_frames().empty());
-          EXPECT_FALSE(writer_->window_update_frames().empty());
-        }));
-    static_cast<TestAlarmFactory::TestAlarm*>(
-        QuicPathValidatorPeer::retry_timer(
-            QuicConnectionPeer::path_validator(&connection_)))
-        ->Fire();
-  } else {
-    EXPECT_QUIC_BUG(static_cast<TestAlarmFactory::TestAlarm*>(
-                        QuicPathValidatorPeer::retry_timer(
-                            QuicConnectionPeer::path_validator(&connection_)))
-                        ->Fire(),
-                    "quic_bug_12645_2");
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
+      .WillOnce(Invoke([&]() {
+        EXPECT_EQ(kNewPeerAddress, writer_->last_write_peer_address());
+        EXPECT_FALSE(writer_->path_challenge_frames().empty());
+        // Retry path validation shouldn't bundle ACK.
+        EXPECT_TRUE(writer_->ack_frames().empty());
+      }))
+      .WillOnce(Invoke([&]() {
+        EXPECT_EQ(kPeerAddress, writer_->last_write_peer_address());
+        EXPECT_FALSE(writer_->ack_frames().empty());
+        EXPECT_FALSE(writer_->window_update_frames().empty());
+      }));
+  static_cast<TestAlarmFactory::TestAlarm*>(
+      QuicPathValidatorPeer::retry_timer(
+          QuicConnectionPeer::path_validator(&connection_)))
+      ->Fire();
 }
 
 TEST_P(QuicConnectionTest, DoNotIssueNewCidIfVisitorSaysNo) {
@@ -13729,6 +13745,12 @@ TEST_P(QuicConnectionTest, DoNotIssueNewCidIfVisitorSaysNo) {
   QuicConnectionId client_cid1 = TestConnectionId(2);
   QuicConnectionId server_cid1;
   // Sends new server CID to client.
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_)).WillOnce(Return(false));
   if (GetQuicReloadableFlag(quic_check_cid_collision_when_issue_new_cid)) {
     EXPECT_CALL(visitor_, SendNewConnectionId(_)).Times(0);
@@ -13862,6 +13884,11 @@ TEST_P(QuicConnectionTest,
   ASSERT_EQ(packet_creator->GetDestinationConnectionId(), server_cid0);
 
   // Client will issue a new client connection ID to server.
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator)) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, SendNewConnectionId(_))
       .WillOnce(Invoke([&](const QuicNewConnectionIdFrame& frame) {
         client_cid1 = frame.connection_id;
@@ -14020,6 +14047,11 @@ TEST_P(QuicConnectionTest,
 
   // Client will issue a new client connection ID to server.
   QuicConnectionId new_client_connection_id;
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator)) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, SendNewConnectionId(_))
       .WillOnce(Invoke([&](const QuicNewConnectionIdFrame& frame) {
         new_client_connection_id = frame.connection_id;
@@ -14273,6 +14305,12 @@ TEST_P(QuicConnectionTest, RetireConnectionIdFrameResultsInError) {
   set_perspective(Perspective::IS_SERVER);
   connection_.CreateConnectionIdManager();
 
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_));
   EXPECT_CALL(visitor_, SendNewConnectionId(_));
   connection_.MaybeSendConnectionIdToClient();
@@ -14306,6 +14344,15 @@ TEST_P(QuicConnectionTest,
   QuicRetireConnectionIdFrame frame;
   frame.sequence_number = 0u;
   if (connection_.connection_migration_use_new_cid()) {
+    if (GetQuicReloadableFlag(
+            quic_connection_uses_abstract_connection_id_generator) &&
+        !connection_.connection_id().IsEmpty()) {
+      EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(cid0))
+          .WillOnce(Return(TestConnectionId(456)));
+      EXPECT_CALL(connection_id_generator_,
+                  GenerateNextConnectionId(TestConnectionId(456)))
+          .WillOnce(Return(TestConnectionId(789)));
+    }
     EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
         .Times(2)
         .WillRepeatedly(Return(true));
@@ -14339,6 +14386,12 @@ TEST_P(QuicConnectionTest, ServerRetireSelfIssuedConnectionId) {
   EXPECT_EQ(connection_.GetOneActiveServerConnectionId(), cid0);
 
   connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
       .WillOnce(Invoke(cid_recorder));
   EXPECT_CALL(visitor_, SendNewConnectionId(_));
@@ -14370,6 +14423,12 @@ TEST_P(QuicConnectionTest, ServerRetireSelfIssuedConnectionId) {
 
   // Packet2 with RetireConnectionId frame trigers sending NewConnectionId
   // immediately.
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator) &&
+      !connection_.connection_id().IsEmpty()) {
+    EXPECT_CALL(connection_id_generator_, GenerateNextConnectionId(_))
+        .WillOnce(Return(TestConnectionId(456)));
+  }
   EXPECT_CALL(visitor_, MaybeReserveConnectionId(_))
       .WillOnce(Invoke(cid_recorder));
   EXPECT_CALL(visitor_, SendNewConnectionId(_));
@@ -14520,7 +14579,7 @@ TEST_P(QuicConnectionTest, ShouldGeneratePacketBlockedByMissingConnectionId) {
 TEST_P(QuicConnectionTest, LostDataThenGetAcknowledged) {
   set_perspective(Perspective::IS_SERVER);
   if (!connection_.validate_client_address() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
 
@@ -14614,6 +14673,80 @@ TEST_P(QuicConnectionTest, PtoSendStreamData) {
   EXPECT_EQ(0x02020202u, writer_->final_bytes_of_last_packet());
 }
 
+TEST_P(QuicConnectionTest, ClientPtoSendZeroRttStreamData) {
+  if (!connection_.SupportsMultiplePacketNumberSpaces()) {
+    return;
+  }
+  use_tagging_decrypter();
+  connection_.SetEncrypter(ENCRYPTION_INITIAL,
+                           std::make_unique<TaggingEncrypter>(0x01));
+  connection_.SetDefaultEncryptionLevel(ENCRYPTION_INITIAL);
+  // Send CHLO.
+  connection_.SendCryptoStreamData();
+  ASSERT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
+  // Install 0-RTT keys.
+  connection_.SetEncrypter(ENCRYPTION_ZERO_RTT,
+                           std::make_unique<TaggingEncrypter>(0x02));
+  connection_.SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
+  // Send 0-RTT stream data with congestion control blocked.
+  EXPECT_CALL(*send_algorithm_, CanSend(_)).WillRepeatedly(Return(false));
+  connection_.SendStreamDataWithString(2, std::string(1500, 'a'), 0, NO_FIN);
+
+  ASSERT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
+  connection_.GetRetransmissionAlarm()->Fire();
+  // Verify INITIAL packet get retransmitted.
+  EXPECT_EQ(0x01010101u, writer_->final_bytes_of_last_packet());
+}
+
+TEST_P(QuicConnectionTest, ClientPtoSendForwardSecureStreamData) {
+  if (!connection_.SupportsMultiplePacketNumberSpaces()) {
+    return;
+  }
+  if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
+    EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(AnyNumber());
+  }
+  EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(AnyNumber());
+  use_tagging_decrypter();
+  connection_.SetEncrypter(ENCRYPTION_INITIAL,
+                           std::make_unique<TaggingEncrypter>(0x01));
+  connection_.SetDefaultEncryptionLevel(ENCRYPTION_INITIAL);
+  // Send CHLO.
+  connection_.SendCryptoDataWithString("foo", 0, ENCRYPTION_INITIAL);
+  // Receive server INITIAL + HANDSHAKE
+  QuicFrames frames1;
+  frames1.push_back(QuicFrame(&crypto_frame_));
+  QuicAckFrame ack_frame1 = InitAckFrame(1);
+  frames1.push_back(QuicFrame(&ack_frame1));
+
+  QuicFrames frames2;
+  QuicCryptoFrame crypto_frame(ENCRYPTION_HANDSHAKE, 0,
+                               absl::string_view(data1));
+  frames2.push_back(QuicFrame(&crypto_frame));
+  EXPECT_CALL(*send_algorithm_, OnCongestionEvent(_, _, _, _, _));
+  ProcessCoalescedPacket(
+      {{1, frames1, ENCRYPTION_INITIAL}, {2, frames2, ENCRYPTION_HANDSHAKE}});
+  // Send Client finished.
+  connection_.SetEncrypter(ENCRYPTION_HANDSHAKE,
+                           std::make_unique<TaggingEncrypter>(0x02));
+  connection_.SetDefaultEncryptionLevel(ENCRYPTION_HANDSHAKE);
+  EXPECT_CALL(visitor_, OnHandshakePacketSent()).Times(1);
+  connection_.SendCryptoDataWithString("foo", 0, ENCRYPTION_HANDSHAKE);
+
+  EXPECT_CALL(visitor_, GetHandshakeState())
+      .WillRepeatedly(Return(HANDSHAKE_COMPLETE));
+  connection_.SetEncrypter(ENCRYPTION_FORWARD_SECURE,
+                           std::make_unique<TaggingEncrypter>(0x03));
+  connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+  // Send 1-RTT stream data with congestion control blocked.
+  EXPECT_CALL(*send_algorithm_, CanSend(_)).WillRepeatedly(Return(false));
+  connection_.SendStreamDataWithString(2, std::string(1500, 'a'), 0, NO_FIN);
+
+  ASSERT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
+  connection_.GetRetransmissionAlarm()->Fire();
+  // Verify HANDSHAKE packet get retransmitted.
+  EXPECT_EQ(0x02020202u, writer_->final_bytes_of_last_packet());
+}
+
 TEST_P(QuicConnectionTest, SendingZeroRttPacketsDoesNotPostponePTO) {
   if (!connection_.SupportsMultiplePacketNumberSpaces()) {
     return;
@@ -14780,6 +14913,15 @@ TEST_P(QuicConnectionTest, AckElicitingFrames) {
       !connection_.connection_migration_use_new_cid()) {
     return;
   }
+  if (GetQuicReloadableFlag(
+          quic_connection_uses_abstract_connection_id_generator)) {
+    EXPECT_CALL(connection_id_generator_,
+                GenerateNextConnectionId(TestConnectionId(12)))
+        .WillOnce(Return(TestConnectionId(456)));
+    EXPECT_CALL(connection_id_generator_,
+                GenerateNextConnectionId(TestConnectionId(456)))
+        .WillOnce(Return(TestConnectionId(789)));
+  }
   EXPECT_CALL(visitor_, SendNewConnectionId(_)).Times(2);
   EXPECT_CALL(visitor_, OnRstStream(_));
   EXPECT_CALL(visitor_, OnWindowUpdateFrame(_));
@@ -14944,7 +15086,7 @@ TEST_P(QuicConnectionTest, ReceivedChloAndAck) {
 // Regression test for b/201643321.
 TEST_P(QuicConnectionTest, FailedToRetransmitShlo) {
   if (!version().HasIetfQuicFrames() ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+      GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     return;
   }
   set_perspective(Perspective::IS_SERVER);
@@ -15505,14 +15647,8 @@ TEST_P(QuicConnectionTest, FixBytesAccountingForBufferedCoalescedPackets) {
   connection_.SetDefaultEncryptionLevel(ENCRYPTION_INITIAL);
   QuicConnectionPeer::SendPing(&connection_);
   const QuicConnectionStats& stats = connection_.GetStats();
-  if (GetQuicReloadableFlag(
-          quic_fix_bytes_accounting_for_buffered_coalesced_packets) ||
-      GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
-    // Verify padding is accounted.
-    EXPECT_EQ(stats.bytes_sent, connection_.max_packet_length());
-  } else {
-    EXPECT_LT(stats.bytes_sent, connection_.max_packet_length());
-  }
+  // Verify padding is accounted.
+  EXPECT_EQ(stats.bytes_sent, connection_.max_packet_length());
 }
 
 TEST_P(QuicConnectionTest, StrictAntiAmplificationLimit) {
@@ -15533,7 +15669,7 @@ TEST_P(QuicConnectionTest, StrictAntiAmplificationLimit) {
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
 
   const size_t anti_amplification_factor =
-      GetQuicFlag(FLAGS_quic_anti_amplification_factor);
+      GetQuicFlag(quic_anti_amplification_factor);
   // Receives packet 1.
   EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(1);
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
@@ -15554,7 +15690,7 @@ TEST_P(QuicConnectionTest, StrictAntiAmplificationLimit) {
   EXPECT_LT(writer_->total_bytes_written(),
             anti_amplification_factor *
                 QuicConnectionPeer::BytesReceivedOnDefaultPath(&connection_));
-  if (GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+  if (GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     // 3 connection closes which will be buffered.
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(3);
     // Verify retransmission alarm is not set.
@@ -15575,7 +15711,7 @@ TEST_P(QuicConnectionTest, StrictAntiAmplificationLimit) {
       QUIC_INTERNAL_ERROR, "error",
       ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
   EXPECT_EQ(0u, connection_.NumQueuedPackets());
-  if (GetQuicFlag(FLAGS_quic_enforce_strict_amplification_factor)) {
+  if (GetQuicFlag(quic_enforce_strict_amplification_factor)) {
     EXPECT_LT(writer_->total_bytes_written(),
               anti_amplification_factor *
                   QuicConnectionPeer::BytesReceivedOnDefaultPath(&connection_));
@@ -15600,8 +15736,7 @@ TEST_P(QuicConnectionTest, OriginalConnectionId) {
   // Send a 1-RTT packet to start the DiscardZeroRttDecryptionKeys timer.
   EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
   ProcessDataPacketAtLevel(1, false, ENCRYPTION_FORWARD_SECURE);
-  if (GetQuicRestartFlag(quic_map_original_connection_ids2) &&
-      connection_.version().UsesTls()) {
+  if (connection_.version().UsesTls()) {
     EXPECT_TRUE(connection_.GetDiscardZeroRttDecryptionKeysAlarm()->IsSet());
     EXPECT_CALL(visitor_, OnServerConnectionIdRetired(original));
     connection_.GetDiscardZeroRttDecryptionKeysAlarm()->Fire();
@@ -15612,6 +15747,93 @@ TEST_P(QuicConnectionTest, OriginalConnectionId) {
   }
 }
 
+ACTION_P2(InstallKeys, conn, level) {
+  uint8_t crypto_input = (level == ENCRYPTION_FORWARD_SECURE) ? 0x03 : 0x02;
+  conn->SetEncrypter(level, std::make_unique<TaggingEncrypter>(crypto_input));
+  conn->InstallDecrypter(
+      level, std::make_unique<StrictTaggingDecrypter>(crypto_input));
+  conn->SetDefaultEncryptionLevel(level);
+}
+
+TEST_P(QuicConnectionTest, ServerConnectionIdChangeWithLateInitial) {
+  if (!connection_.version().HasIetfQuicFrames()) {
+    return;
+  }
+  // Call SetFromConfig so that the undecrypted packet buffer size is
+  // initialized above zero.
+  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _)).Times(1);
+  QuicConfig config;
+  connection_.SetFromConfig(config);
+  connection_.RemoveEncrypter(ENCRYPTION_FORWARD_SECURE);
+  connection_.RemoveDecrypter(ENCRYPTION_FORWARD_SECURE);
+
+  // Send Client Initial.
+  connection_.SetDefaultEncryptionLevel(ENCRYPTION_INITIAL);
+  connection_.SendCryptoStreamData();
+
+  EXPECT_EQ(1u, writer_->packets_write_attempts());
+  // Server Handshake packet with new connection ID is buffered.
+  QuicConnectionId old_id = connection_id_;
+  connection_id_ = TestConnectionId(2);
+  peer_creator_.SetEncrypter(ENCRYPTION_HANDSHAKE,
+                             std::make_unique<TaggingEncrypter>(0x02));
+  ProcessCryptoPacketAtLevel(0, ENCRYPTION_HANDSHAKE);
+  EXPECT_EQ(QuicConnectionPeer::NumUndecryptablePackets(&connection_), 1u);
+  EXPECT_EQ(connection_.connection_id(), old_id);
+
+  // Server 1-RTT Packet is buffered.
+  peer_creator_.SetEncrypter(ENCRYPTION_FORWARD_SECURE,
+                             std::make_unique<TaggingEncrypter>(0x03));
+  ProcessDataPacket(0);
+  EXPECT_EQ(QuicConnectionPeer::NumUndecryptablePackets(&connection_), 2u);
+
+  // Pretend the server Initial packet will yield the Handshake keys.
+  EXPECT_CALL(visitor_, OnCryptoFrame(_))
+      .Times(2)
+      .WillOnce(InstallKeys(&connection_, ENCRYPTION_HANDSHAKE))
+      .WillOnce(InstallKeys(&connection_, ENCRYPTION_FORWARD_SECURE));
+  EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
+  ProcessCryptoPacketAtLevel(0, ENCRYPTION_INITIAL);
+  // Two packets processed, connection ID changed.
+  EXPECT_EQ(QuicConnectionPeer::NumUndecryptablePackets(&connection_), 0u);
+  EXPECT_EQ(connection_.connection_id(), connection_id_);
+}
+
+TEST_P(QuicConnectionTest, ServerConnectionIdChangeTwiceWithLateInitial) {
+  if (!connection_.version().HasIetfQuicFrames()) {
+    return;
+  }
+  // Call SetFromConfig so that the undecrypted packet buffer size is
+  // initialized above zero.
+  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _)).Times(1);
+  QuicConfig config;
+  connection_.SetFromConfig(config);
+
+  // Send Client Initial.
+  connection_.SetDefaultEncryptionLevel(ENCRYPTION_INITIAL);
+  connection_.SendCryptoStreamData();
+
+  EXPECT_EQ(1u, writer_->packets_write_attempts());
+  // Server Handshake Packet Arrives with new connection ID.
+  QuicConnectionId old_id = connection_id_;
+  connection_id_ = TestConnectionId(2);
+  peer_creator_.SetEncrypter(ENCRYPTION_HANDSHAKE,
+                             std::make_unique<TaggingEncrypter>(0x02));
+  ProcessCryptoPacketAtLevel(0, ENCRYPTION_HANDSHAKE);
+  // Packet is buffered.
+  EXPECT_EQ(QuicConnectionPeer::NumUndecryptablePackets(&connection_), 1u);
+  EXPECT_EQ(connection_.connection_id(), old_id);
+
+  // Pretend the server Initial packet will yield the Handshake keys.
+  EXPECT_CALL(visitor_, OnCryptoFrame(_))
+      .WillOnce(InstallKeys(&connection_, ENCRYPTION_HANDSHAKE));
+  connection_id_ = TestConnectionId(1);
+  ProcessCryptoPacketAtLevel(0, ENCRYPTION_INITIAL);
+  // Handshake packet discarded because there's a different connection ID.
+  EXPECT_EQ(QuicConnectionPeer::NumUndecryptablePackets(&connection_), 0u);
+  EXPECT_EQ(connection_.connection_id(), connection_id_);
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_constants.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_constants.h
index 46af2e8fa8e..13fa28807ed 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_constants.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_constants.h
@@ -321,6 +321,9 @@ QUIC_EXPORT_PRIVATE extern const char* const kEPIDGoogleFrontEnd0;
 
 inline constexpr uint64_t kHttpDatagramStreamIdDivisor = 4;
 
+inline constexpr QuicTime::Delta kDefaultMultiPortProbingInterval =
+    QuicTime::Delta::FromSeconds(3);
+
 }  // namespace quic
 
 #endif  // QUICHE_QUIC_CORE_QUIC_CONSTANTS_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_client_handshaker.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_client_handshaker.cc
index 14f08e4a597..0f980cbd061 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_client_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_client_handshaker.cc
@@ -430,12 +430,6 @@ void QuicCryptoClientHandshaker::DoReceiveREJ(
       packed_error |= 1 << (reason - 1);
     }
     QUIC_DVLOG(1) << "Reasons for rejection: " << packed_error;
-    if (num_client_hellos_ == QuicCryptoClientStream::kMaxClientHellos) {
-      QuicClientSparseHistogram("QuicClientHelloRejectReasons.TooMany",
-                                packed_error);
-    }
-    QuicClientSparseHistogram("QuicClientHelloRejectReasons.Secure",
-                              packed_error);
   }
 
   // Receipt of a REJ message means that the server received the CHLO
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_handshaker.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_handshaker.cc
index 7ecc232b34d..07819de86bf 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_handshaker.cc
@@ -45,7 +45,7 @@ CryptoMessageParser* QuicCryptoHandshaker::crypto_message_parser() {
 }
 
 size_t QuicCryptoHandshaker::BufferSizeLimitForLevel(EncryptionLevel) const {
-  return GetQuicFlag(FLAGS_quic_max_buffered_crypto_bytes);
+  return GetQuicFlag(quic_max_buffered_crypto_bytes);
 }
 
 #undef ENDPOINT  // undef for jumbo builds
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream.cc
index 45f53516743..7009920debd 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream.cc
@@ -151,8 +151,7 @@ void QuicCryptoStream::WriteCryptoData(EncryptionLevel level,
 
   // Ensure this data does not cause the send buffer for this encryption level
   // to exceed its size limit.
-  if (GetQuicReloadableFlag(quic_bounded_crypto_send_buffer)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_bounded_crypto_send_buffer);
+  if (GetQuicFlag(quic_bounded_crypto_send_buffer)) {
     QUIC_BUG_IF(quic_crypto_stream_offset_lt_bytes_written,
                 offset < send_buffer->stream_bytes_written());
     uint64_t current_buffer_size =
@@ -193,7 +192,7 @@ void QuicCryptoStream::WriteCryptoData(EncryptionLevel level,
 }
 
 size_t QuicCryptoStream::BufferSizeLimitForLevel(EncryptionLevel) const {
-  return GetQuicFlag(FLAGS_quic_max_buffered_crypto_bytes);
+  return GetQuicFlag(quic_max_buffered_crypto_bytes);
 }
 
 bool QuicCryptoStream::OnCryptoFrameAcked(const QuicCryptoFrame& frame,
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream_test.cc
index f5d1f2e2fdc..cd6d3cf0bef 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream_test.cc
@@ -17,6 +17,7 @@
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/quic/core/quic_utils.h"
 #include "quiche/quic/platform/api/quic_expect_bug.h"
+#include "quiche/quic/platform/api/quic_flags.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/test_tools/crypto_test_utils.h"
@@ -659,7 +660,7 @@ TEST_F(QuicCryptoStreamTest, WriteCryptoDataExceedsSendBufferLimit) {
     return;
   }
   EXPECT_EQ(ENCRYPTION_INITIAL, connection_->encryption_level());
-  int32_t buffer_limit = GetQuicFlag(FLAGS_quic_max_buffered_crypto_bytes);
+  int32_t buffer_limit = GetQuicFlag(quic_max_buffered_crypto_bytes);
 
   // Write data larger than the buffer limit, when there is no existing data in
   // the buffer. Data is sent rather than closing the connection.
@@ -688,8 +689,7 @@ TEST_F(QuicCryptoStreamTest, WriteCryptoDataExceedsSendBufferLimit) {
   EXPECT_TRUE(stream_->HasBufferedCryptoFrames());
 
   // Writing an additional byte to the send buffer closes the connection.
-  if (GetQuicReloadableFlag(quic_bounded_crypto_send_buffer)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_bounded_crypto_send_buffer);
+  if (GetQuicFlag(quic_bounded_crypto_send_buffer)) {
     EXPECT_CALL(*connection_, CloseConnection(QUIC_INTERNAL_ERROR, _, _));
     EXPECT_QUIC_BUG(
         stream_->WriteCryptoData(ENCRYPTION_INITIAL, data2),
@@ -745,8 +745,7 @@ TEST_F(QuicCryptoStreamTest, LimitBufferedCryptoData) {
 
   EXPECT_CALL(*connection_,
               CloseConnection(QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA, _, _));
-  std::string large_frame(2 * GetQuicFlag(FLAGS_quic_max_buffered_crypto_bytes),
-                          'a');
+  std::string large_frame(2 * GetQuicFlag(quic_max_buffered_crypto_bytes), 'a');
 
   // Set offset to 1 so that we guarantee the data gets buffered instead of
   // immediately processed.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_data_writer.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_data_writer.h
index c96b3b7ea40..cd2486a591f 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_data_writer.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_data_writer.h
@@ -9,6 +9,7 @@
 #include <cstdint>
 
 #include "absl/strings/string_view.h"
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/quic/platform/api/quic_export.h"
 #include "quiche/common/quiche_data_writer.h"
@@ -16,8 +17,6 @@
 
 namespace quic {
 
-class QuicRandom;
-
 // This class provides facilities for packing QUIC data.
 //
 // The QuicDataWriter supports appending primitive values (int, string, etc)
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher.cc
index 6a0c8ec248f..63fa567eb67 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher.cc
@@ -334,7 +334,8 @@ QuicDispatcher::QuicDispatcher(
     std::unique_ptr<QuicConnectionHelperInterface> helper,
     std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
     std::unique_ptr<QuicAlarmFactory> alarm_factory,
-    uint8_t expected_server_connection_id_length)
+    uint8_t expected_server_connection_id_length,
+    ConnectionIdGeneratorInterface& connection_id_generator)
     : config_(config),
       crypto_config_(crypto_config),
       compressed_certs_cache_(
@@ -354,15 +355,12 @@ QuicDispatcher::QuicDispatcher(
           expected_server_connection_id_length),
       clear_stateless_reset_addresses_alarm_(alarm_factory_->CreateAlarm(
           new ClearStatelessResetAddressesAlarm(this))),
-      should_update_expected_server_connection_id_length_(false) {
+      should_update_expected_server_connection_id_length_(false),
+      connection_id_generator_(connection_id_generator) {
   QUIC_BUG_IF(quic_bug_12724_1, GetSupportedVersions().empty())
       << "Trying to create dispatcher without any supported versions";
   QUIC_DLOG(INFO) << "Created QuicDispatcher with versions: "
                   << ParsedQuicVersionVectorToString(GetSupportedVersions());
-  if (send_connection_close_for_tls_alerts_) {
-    QUIC_RESTART_FLAG_COUNT_N(
-        quic_dispatcher_send_connection_close_for_tls_alerts, 1, 3);
-  }
 }
 
 QuicDispatcher::~QuicDispatcher() {
@@ -446,12 +444,20 @@ void QuicDispatcher::ProcessPacket(const QuicSocketAddress& self_address,
   ProcessHeader(&packet_info);
 }
 
-QuicConnectionId QuicDispatcher::MaybeReplaceServerConnectionId(
+absl::optional<QuicConnectionId> QuicDispatcher::MaybeReplaceServerConnectionId(
     const QuicConnectionId& server_connection_id,
-    const ParsedQuicVersion& version) const {
+    const ParsedQuicVersion& version) {
+  if (GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+    // If the Dispatcher doesn't map the original connection ID, then using a
+    // connection ID generator that isn't deterministic may break the handshake
+    // and will certainly drop all 0-RTT packets.
+    QUIC_RESTART_FLAG_COUNT(quic_abstract_connection_id_generator);
+    return connection_id_generator_.MaybeReplaceConnectionId(
+        server_connection_id, version);
+  }
   const uint8_t server_connection_id_length = server_connection_id.length();
   if (server_connection_id_length == expected_server_connection_id_length_) {
-    return server_connection_id;
+    return absl::optional<QuicConnectionId>();
   }
   QUICHE_DCHECK(version.AllowsVariableLengthConnectionIds());
   QuicConnectionId new_connection_id;
@@ -615,33 +621,6 @@ bool QuicDispatcher::MaybeDispatchPacket(
                                  packet_info.peer_address, packet_info.packet);
     return true;
   }
-  if (packet_info.version.IsKnown() &&
-      !GetQuicRestartFlag(quic_map_original_connection_ids2)) {
-    // We did not find the connection ID, check if we've replaced it.
-    // This is only performed for supported versions because packets with
-    // unsupported versions can flow through this function in order to send
-    // a version negotiation packet, but we know that their connection ID
-    // did not get replaced since that is performed on connection creation,
-    // and that only happens for known verions.
-    // There is no need to perform this check if
-    // |reference_counted_session_map_| is storing original connection IDs
-    // separately. It can be counterproductive to do this check if that
-    // consumes a nonce or generates a random connection ID.
-    QuicConnectionId replaced_connection_id = MaybeReplaceServerConnectionId(
-        server_connection_id, packet_info.version);
-    if (replaced_connection_id != server_connection_id) {
-      // Search for the replacement.
-      auto it2 = reference_counted_session_map_.find(replaced_connection_id);
-      if (it2 != reference_counted_session_map_.end()) {
-        QUICHE_DCHECK(
-            !buffered_packets_.HasBufferedPackets(replaced_connection_id));
-        it2->second->ProcessUdpPacket(packet_info.self_address,
-                                      packet_info.peer_address,
-                                      packet_info.packet);
-        return true;
-      }
-    }
-  }
 
   if (buffered_packets_.HasChloForConnection(server_connection_id)) {
     BufferEarlyPacket(packet_info);
@@ -740,10 +719,7 @@ void QuicDispatcher::ProcessHeader(ReceivedPacketInfo* packet_info) {
         TryExtractChloOrBufferEarlyPacket(*packet_info);
     auto& parsed_chlo = extract_chlo_result.parsed_chlo;
 
-    if (send_connection_close_for_tls_alerts_ &&
-        extract_chlo_result.tls_alert.has_value()) {
-      QUIC_RESTART_FLAG_COUNT_N(
-          quic_dispatcher_send_connection_close_for_tls_alerts, 2, 3);
+    if (extract_chlo_result.tls_alert.has_value()) {
       QUIC_BUG_IF(quic_dispatcher_parsed_chlo_and_tls_alert_coexist_1,
                   parsed_chlo.has_value())
           << "parsed_chlo and tls_alert should not be set at the same time.";
@@ -855,9 +831,7 @@ QuicDispatcher::TryExtractChloOrBufferEarlyPacket(
       }
     }
 
-    if (send_connection_close_for_tls_alerts_ && result.tls_alert.has_value()) {
-      QUIC_RESTART_FLAG_COUNT_N(
-          quic_dispatcher_send_connection_close_for_tls_alerts, 3, 3);
+    if (result.tls_alert.has_value()) {
       QUIC_BUG_IF(quic_dispatcher_parsed_chlo_and_tls_alert_coexist_2,
                   has_full_tls_chlo)
           << "parsed_chlo and tls_alert should not be set at the same time.";
@@ -884,7 +858,7 @@ QuicDispatcher::TryExtractChloOrBufferEarlyPacket(
   }
 
   ChloAlpnSniExtractor alpn_extractor;
-  if (GetQuicFlag(FLAGS_quic_allow_chlo_buffering) &&
+  if (GetQuicFlag(quic_allow_chlo_buffering) &&
       !ChloExtractor::Extract(packet_info.packet, packet_info.version,
                               config_->create_session_tag_indicators(),
                               &alpn_extractor,
@@ -1116,6 +1090,7 @@ void QuicDispatcher::OnConnectionClosed(QuicConnectionId server_connection_id,
       << ") due to error: " << QuicErrorCodeToString(error)
       << ", with details: " << error_details;
 
+  const QuicSession* session = it->second.get();
   QuicConnection* connection = it->second->connection();
   // Set up alarm to fire immediately to bring destruction of this session
   // out of current call stack.
@@ -1125,10 +1100,38 @@ void QuicDispatcher::OnConnectionClosed(QuicConnectionId server_connection_id,
   }
   closed_session_list_.push_back(std::move(it->second));
   CleanUpSession(it->first, connection, error, error_details, source);
+  bool session_removed = false;
   for (const QuicConnectionId& cid :
        connection->GetActiveServerConnectionIds()) {
-    reference_counted_session_map_.erase(cid);
+    auto it1 = reference_counted_session_map_.find(cid);
+    if (it1 != reference_counted_session_map_.end()) {
+      const QuicSession* session2 = it1->second.get();
+      // For cid == server_connection_id, session2 is a nullptr (and hence
+      // session2 != session) now since we have std::move the session into
+      // closed_session_list_ above.
+      if (session2 == session || cid == server_connection_id) {
+        reference_counted_session_map_.erase(it1);
+        session_removed = true;
+      } else {
+        // Leave this session in the map.
+        QUIC_BUG(quic_dispatcher_session_mismatch)
+            << "Session is mismatched in the map. server_connection_id: "
+            << server_connection_id << ". Current cid: " << cid
+            << ". Cid of the other session "
+            << (session2 == nullptr
+                    ? "null"
+                    : session2->connection()->connection_id().ToString());
+      }
+    } else {
+      // GetActiveServerConnectionIds might return the original destination
+      // ID, which is not contained in the session map.
+      QUIC_BUG_IF(quic_dispatcher_session_not_found,
+                  cid != connection->GetOriginalDestinationConnectionId())
+          << "Missing session for cid " << cid
+          << ". server_connection_id: " << server_connection_id;
+    }
   }
+  QUIC_BUG_IF(quic_session_is_not_removed, !session_removed);
   --num_sessions_in_session_map_;
 }
 
@@ -1283,10 +1286,6 @@ void QuicDispatcher::ProcessBufferedChlos(size_t max_connections_to_create) {
         packets.front().self_address, packets.front().peer_address);
     if (session_ptr != nullptr) {
       DeliverPacketsToSession(packets, session_ptr.get());
-      if (server_connection_id != session_ptr->connection_id() &&
-          GetQuicRestartFlag(quic_map_original_connection_ids2)) {
-        QUIC_RESTART_FLAG_COUNT_N(quic_map_original_connection_ids2, 1, 4);
-      }
     }
   }
 }
@@ -1324,7 +1323,7 @@ void QuicDispatcher::BufferEarlyPacket(const ReceivedPacketInfo& packet_info) {
 
 void QuicDispatcher::ProcessChlo(ParsedClientHello parsed_chlo,
                                  ReceivedPacketInfo* packet_info) {
-  if (GetQuicFlag(FLAGS_quic_allow_chlo_buffering) &&
+  if (GetQuicFlag(quic_allow_chlo_buffering) &&
       new_sessions_allowed_per_event_loop_ <= 0) {
     // Can't create new session any more. Wait till next event loop.
     QUIC_BUG_IF(quic_bug_12724_7, buffered_packets_.HasChloForConnection(
@@ -1356,9 +1355,6 @@ void QuicDispatcher::ProcessChlo(ParsedClientHello parsed_chlo,
       QUIC_CODE_COUNT(
           quic_delivered_buffered_packets_to_connection_with_replaced_id);
     }
-    if (GetQuicRestartFlag(quic_map_original_connection_ids2)) {
-      QUIC_RESTART_FLAG_COUNT_N(quic_map_original_connection_ids2, 2, 4);
-    }
   }
   // Process CHLO at first.
   session_ptr->ProcessUdpPacket(packet_info->self_address,
@@ -1404,12 +1400,13 @@ std::shared_ptr<QuicSession> QuicDispatcher::CreateSessionFromChlo(
     const ParsedClientHello& parsed_chlo, const ParsedQuicVersion version,
     const QuicSocketAddress self_address,
     const QuicSocketAddress peer_address) {
-  QuicConnectionId server_connection_id =
+  absl::optional<QuicConnectionId> server_connection_id =
       MaybeReplaceServerConnectionId(original_connection_id, version);
-  const bool replaced_connection_id =
-      original_connection_id != server_connection_id;
-  if (reference_counted_session_map_.count(server_connection_id) > 0 &&
-      GetQuicRestartFlag(quic_map_original_connection_ids2)) {
+  const bool replaced_connection_id = server_connection_id.has_value();
+  if (!replaced_connection_id) {
+    server_connection_id = original_connection_id;
+  }
+  if (reference_counted_session_map_.count(*server_connection_id) > 0) {
     // The new connection ID is owned by another session. Avoid creating one
     // altogether, as this connection attempt cannot possibly succeed.
     if (replaced_connection_id) {
@@ -1427,11 +1424,11 @@ std::shared_ptr<QuicSession> QuicDispatcher::CreateSessionFromChlo(
   // Creates a new session and process all buffered packets for this connection.
   std::string alpn = SelectAlpn(parsed_chlo.alpns);
   std::unique_ptr<QuicSession> session =
-      CreateQuicSession(server_connection_id, self_address, peer_address, alpn,
+      CreateQuicSession(*server_connection_id, self_address, peer_address, alpn,
                         version, parsed_chlo);
   if (ABSL_PREDICT_FALSE(session == nullptr)) {
     QUIC_BUG(quic_bug_10287_8)
-        << "CreateQuicSession returned nullptr for " << server_connection_id
+        << "CreateQuicSession returned nullptr for " << *server_connection_id
         << " from " << peer_address << " to " << self_address << " ALPN \""
         << alpn << "\" version " << version;
     return nullptr;
@@ -1441,20 +1438,19 @@ std::shared_ptr<QuicSession> QuicDispatcher::CreateSessionFromChlo(
     session->connection()->SetOriginalDestinationConnectionId(
         original_connection_id);
   }
-  QUIC_DLOG(INFO) << "Created new session for " << server_connection_id;
+  QUIC_DLOG(INFO) << "Created new session for " << *server_connection_id;
 
   auto insertion_result = reference_counted_session_map_.insert(std::make_pair(
-      server_connection_id, std::shared_ptr<QuicSession>(std::move(session))));
+      *server_connection_id, std::shared_ptr<QuicSession>(std::move(session))));
   std::shared_ptr<QuicSession> session_ptr = insertion_result.first->second;
   if (!insertion_result.second) {
     QUIC_BUG(quic_bug_10287_9)
         << "Tried to add a session to session_map with existing "
            "connection id: "
-        << server_connection_id;
+        << *server_connection_id;
   } else {
     ++num_sessions_in_session_map_;
-    if (GetQuicRestartFlag(quic_map_original_connection_ids2) &&
-        replaced_connection_id) {
+    if (replaced_connection_id) {
       auto insertion_result2 = reference_counted_session_map_.insert(
           std::make_pair(original_connection_id, session_ptr));
       QUIC_BUG_IF(quic_460317833_02, !insertion_result2.second)
@@ -1497,15 +1493,15 @@ void QuicDispatcher::MaybeResetPacketsWithNoVersion(
   // Do not send a stateless reset if there are too many stateless reset
   // addresses.
   if (recent_stateless_reset_addresses_.size() >=
-      GetQuicFlag(FLAGS_quic_max_recent_stateless_reset_addresses)) {
+      GetQuicFlag(quic_max_recent_stateless_reset_addresses)) {
     QUIC_CODE_COUNT(quic_too_many_recent_reset_addresses);
     return;
   }
   if (recent_stateless_reset_addresses_.empty()) {
     clear_stateless_reset_addresses_alarm_->Update(
         helper()->GetClock()->ApproximateNow() +
-            QuicTime::Delta::FromMilliseconds(GetQuicFlag(
-                FLAGS_quic_recent_stateless_reset_addresses_lifetime_ms)),
+            QuicTime::Delta::FromMilliseconds(
+                GetQuicFlag(quic_recent_stateless_reset_addresses_lifetime_ms)),
         QuicTime::Delta::Zero());
   }
   recent_stateless_reset_addresses_.emplace(packet_info.peer_address);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher.h
index 813655b40b1..9cfc3b0b844 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher.h
@@ -15,6 +15,7 @@
 
 #include "absl/container/flat_hash_map.h"
 #include "absl/strings/string_view.h"
+#include "quiche/quic/core/connection_id_generator.h"
 #include "quiche/quic/core/crypto/quic_compressed_certs_cache.h"
 #include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/core/quic_blocked_writer_interface.h"
@@ -54,7 +55,8 @@ class QUIC_NO_EXPORT QuicDispatcher
       std::unique_ptr<QuicConnectionHelperInterface> helper,
       std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
       std::unique_ptr<QuicAlarmFactory> alarm_factory,
-      uint8_t expected_server_connection_id_length);
+      uint8_t expected_server_connection_id_length,
+      ConnectionIdGeneratorInterface& connection_id_generator);
   QuicDispatcher(const QuicDispatcher&) = delete;
   QuicDispatcher& operator=(const QuicDispatcher&) = delete;
 
@@ -340,19 +342,20 @@ class QUIC_NO_EXPORT QuicDispatcher
   // element of the vector is returned.
   std::string SelectAlpn(const std::vector<std::string>& alpns);
 
-  // If the connection ID length is different from what the dispatcher expects,
-  // replace the connection ID with one of the right length.
-  // Note that this MUST produce a deterministic result (calling this method
-  // with two connection IDs that are equal must produce the same result).
-  QuicConnectionId MaybeReplaceServerConnectionId(
+  // Check if the client-generated server connection ID needs to be replaced.
+  absl::optional<QuicConnectionId> MaybeReplaceServerConnectionId(
       const QuicConnectionId& server_connection_id,
-      const ParsedQuicVersion& version) const;
+      const ParsedQuicVersion& version);
 
   // Sends public/stateless reset packets with no version and unknown
   // connection ID according to the packet's size.
   virtual void MaybeResetPacketsWithNoVersion(
       const quic::ReceivedPacketInfo& packet_info);
 
+  ConnectionIdGeneratorInterface& connection_id_generator() {
+    return connection_id_generator_;
+  }
+
  private:
   friend class test::QuicDispatcherPeer;
 
@@ -476,8 +479,7 @@ class QUIC_NO_EXPORT QuicDispatcher
   // destination connection ID length of all IETF long headers.
   bool should_update_expected_server_connection_id_length_;
 
-  const bool send_connection_close_for_tls_alerts_ =
-      GetQuicRestartFlag(quic_dispatcher_send_connection_close_for_tls_alerts);
+  ConnectionIdGeneratorInterface& connection_id_generator_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher_test.cc
index 5c71e6246df..0447586a419 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_dispatcher_test.cc
@@ -33,6 +33,7 @@
 #include "quiche/quic/test_tools/crypto_test_utils.h"
 #include "quiche/quic/test_tools/fake_proof_source.h"
 #include "quiche/quic/test_tools/first_flight.h"
+#include "quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "quiche/quic/test_tools/mock_quic_time_wait_list_manager.h"
 #include "quiche/quic/test_tools/quic_buffered_packet_store_peer.h"
 #include "quiche/quic/test_tools/quic_connection_peer.h"
@@ -108,13 +109,14 @@ class TestDispatcher : public QuicDispatcher {
  public:
   TestDispatcher(const QuicConfig* config,
                  const QuicCryptoServerConfig* crypto_config,
-                 QuicVersionManager* version_manager, QuicRandom* random)
+                 QuicVersionManager* version_manager, QuicRandom* random,
+                 ConnectionIdGeneratorInterface& generator)
       : QuicDispatcher(config, crypto_config, version_manager,
                        std::make_unique<MockQuicConnectionHelper>(),
                        std::unique_ptr<QuicCryptoServerStreamBase::Helper>(
                            new QuicSimpleCryptoServerStreamHelper()),
                        std::make_unique<TestAlarmFactory>(),
-                       kQuicDefaultConnectionIdLength),
+                       kQuicDefaultConnectionIdLength, generator),
         random_(random) {}
 
   MOCK_METHOD(std::unique_ptr<QuicSession>, CreateQuicSession,
@@ -175,6 +177,11 @@ class MockServerConnection : public MockQuicConnection {
     active_connection_ids_.push_back(id);
   }
 
+  void UnconditionallyAddNewConnectionIdForTest(QuicConnectionId id) {
+    dispatcher_->TryAddNewConnectionId(active_connection_ids_.back(), id);
+    active_connection_ids_.push_back(id);
+  }
+
   void RetireConnectionId(QuicConnectionId id) {
     auto it = std::find(active_connection_ids_.begin(),
                         active_connection_ids_.end(), id);
@@ -184,9 +191,6 @@ class MockServerConnection : public MockQuicConnection {
   }
 
   std::vector<QuicConnectionId> GetActiveServerConnectionIds() const override {
-    if (!GetQuicRestartFlag(quic_map_original_connection_ids2)) {
-      return active_connection_ids_;
-    }
     std::vector<QuicConnectionId> result;
     for (const auto& cid : active_connection_ids_) {
       result.push_back(cid);
@@ -225,7 +229,7 @@ class QuicDispatcherTestBase : public QuicTestWithParam<ParsedQuicVersion> {
         server_address_(QuicIpAddress::Any4(), 5),
         dispatcher_(new NiceMock<TestDispatcher>(
             &config_, &crypto_config_, &version_manager_,
-            mock_helper_.GetRandomGenerator())),
+            mock_helper_.GetRandomGenerator(), connection_id_generator_)),
         time_wait_list_manager_(nullptr),
         session1_(nullptr),
         session2_(nullptr),
@@ -428,6 +432,15 @@ class QuicDispatcherTestBase : public QuicTestWithParam<ParsedQuicVersion> {
       const QuicConnectionId& server_connection_id,
       const QuicConnectionId& client_connection_id,
       std::unique_ptr<QuicCryptoClientConfig> client_crypto_config) {
+    if (expect_generator_is_called_ &&
+        GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+      // Can't replace the connection ID in early gQUIC versions!
+      ASSERT_TRUE(version.AllowsVariableLengthConnectionIds() ||
+                  generated_connection_id_ == absl::nullopt);
+      EXPECT_CALL(connection_id_generator_,
+                  MaybeReplaceConnectionId(server_connection_id, version))
+          .WillOnce(Return(generated_connection_id_));
+    }
     std::vector<std::unique_ptr<QuicReceivedPacket>> packets =
         GetFirstFlightOfPackets(version, DefaultQuicConfig(),
                                 server_connection_id, client_connection_id,
@@ -494,6 +507,7 @@ class QuicDispatcherTestBase : public QuicTestWithParam<ParsedQuicVersion> {
     EXPECT_CALL(*dispatcher_,
                 CreateQuicSession(connection_id, _, client_address, _, _, _))
         .Times(0);
+    expect_generator_is_called_ = false;
     ProcessFirstFlight(version, client_address, connection_id);
   }
 
@@ -516,6 +530,12 @@ class QuicDispatcherTestBase : public QuicTestWithParam<ParsedQuicVersion> {
   QuicVersionManager version_manager_;
   QuicCryptoServerConfig crypto_config_;
   QuicSocketAddress server_address_;
+  bool expect_generator_is_called_ = true;
+  absl::optional<QuicConnectionId> generated_connection_id_;
+  // Constant to set generated_connection_id to when needed.
+  QuicConnectionId return_connection_id_{
+      {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}};
+  MockConnectionIdGenerator connection_id_generator_;
   std::unique_ptr<NiceMock<TestDispatcher>> dispatcher_;
   MockTimeWaitListManager* time_wait_list_manager_;
   TestQuicSpdyServerSession* session1_;
@@ -574,13 +594,26 @@ void QuicDispatcherTestBase::TestTlsMultiPacketClientHello(
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
   QuicConnectionId original_connection_id, new_connection_id;
   if (long_connection_id) {
-    original_connection_id = QuicConnectionId(
-        {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09});
-    new_connection_id =
-        QuicConnectionId({0x6c, 0x6b, 0x4b, 0xad, 0x8d, 0x00, 0x24, 0xd8});
+    if (GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+      original_connection_id = TestConnectionIdNineBytesLong(1);
+      new_connection_id = return_connection_id_;
+      EXPECT_CALL(connection_id_generator_,
+                  MaybeReplaceConnectionId(original_connection_id, version_))
+          .WillOnce(Return(new_connection_id));
+    } else {
+      original_connection_id = QuicConnectionId(
+          {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09});
+      new_connection_id =
+          QuicConnectionId({0x6c, 0x6b, 0x4b, 0xad, 0x8d, 0x00, 0x24, 0xd8});
+    }
   } else {
     original_connection_id = TestConnectionId();
     new_connection_id = original_connection_id;
+    if (GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+      EXPECT_CALL(connection_id_generator_,
+                  MaybeReplaceConnectionId(original_connection_id, version_))
+          .WillOnce(Return(absl::nullopt));
+    }
   }
   QuicConfig client_config = DefaultQuicConfig();
   // Add a 2000-byte custom parameter to increase the length of the CHLO.
@@ -788,6 +821,7 @@ TEST_P(QuicDispatcherTestOneVersion, StatelessVersionNegotiation) {
       *time_wait_list_manager_,
       SendVersionNegotiationPacket(TestConnectionId(1), _, _, _, _, _, _, _))
       .Times(1);
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(QuicVersionReservedForNegotiation(), client_address,
                      TestConnectionId(1));
 }
@@ -802,6 +836,7 @@ TEST_P(QuicDispatcherTestOneVersion,
   EXPECT_CALL(*time_wait_list_manager_,
               SendVersionNegotiationPacket(connection_id, _, _, _, _, _, _, _))
       .Times(1);
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(QuicVersionReservedForNegotiation(), client_address,
                      connection_id);
 }
@@ -816,6 +851,7 @@ TEST_P(QuicDispatcherTestOneVersion,
               SendVersionNegotiationPacket(
                   TestConnectionId(1), TestConnectionId(2), _, _, _, _, _, _))
       .Times(1);
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(QuicVersionReservedForNegotiation(), client_address,
                      TestConnectionId(1), TestConnectionId(2));
 }
@@ -1012,9 +1048,9 @@ TEST_P(QuicDispatcherTestAllVersions, LimitResetsToSameClientAddress) {
 
 TEST_P(QuicDispatcherTestAllVersions,
        StopSendingResetOnTooManyRecentAddresses) {
-  SetQuicFlag(FLAGS_quic_max_recent_stateless_reset_addresses, 2);
+  SetQuicFlag(quic_max_recent_stateless_reset_addresses, 2);
   const size_t kTestLifeTimeMs = 10;
-  SetQuicFlag(FLAGS_quic_recent_stateless_reset_addresses_lifetime_ms,
+  SetQuicFlag(quic_recent_stateless_reset_addresses_lifetime_ms,
               kTestLifeTimeMs);
   CreateTimeWaitListManager();
 
@@ -1068,14 +1104,16 @@ TEST_P(QuicDispatcherTestAllVersions, LongConnectionIdLengthReplaced) {
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
 
   QuicConnectionId bad_connection_id = TestConnectionIdNineBytesLong(2);
-  QuicConnectionId fixed_connection_id =
-      QuicUtils::CreateReplacementConnectionId(bad_connection_id);
+  generated_connection_id_ =
+      (GetQuicRestartFlag(quic_abstract_connection_id_generator))
+          ? return_connection_id_
+          : QuicUtils::CreateReplacementConnectionId(bad_connection_id);
 
   EXPECT_CALL(*dispatcher_,
-              CreateQuicSession(fixed_connection_id, _, client_address,
+              CreateQuicSession(*generated_connection_id_, _, client_address,
                                 Eq(ExpectedAlpn()), _, _))
       .WillOnce(Return(ByMove(CreateSession(
-          dispatcher_.get(), config_, fixed_connection_id, client_address,
+          dispatcher_.get(), config_, *generated_connection_id_, client_address,
           &mock_helper_, &mock_alarm_factory_, &crypto_config_,
           QuicDispatcherPeer::GetCache(dispatcher_.get()), &session1_))));
   EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
@@ -1097,8 +1135,10 @@ TEST_P(QuicDispatcherTestAllVersions, InvalidShortConnectionIdLengthReplaced) {
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
 
   QuicConnectionId bad_connection_id = EmptyQuicConnectionId();
-  QuicConnectionId fixed_connection_id =
-      QuicUtils::CreateReplacementConnectionId(bad_connection_id);
+  generated_connection_id_ =
+      GetQuicRestartFlag(quic_abstract_connection_id_generator)
+          ? return_connection_id_
+          : QuicUtils::CreateReplacementConnectionId(bad_connection_id);
 
   // Disable validation of invalid short connection IDs.
   dispatcher_->SetAllowShortInitialServerConnectionIds(true);
@@ -1106,10 +1146,10 @@ TEST_P(QuicDispatcherTestAllVersions, InvalidShortConnectionIdLengthReplaced) {
   // validation is still enabled.
 
   EXPECT_CALL(*dispatcher_,
-              CreateQuicSession(fixed_connection_id, _, client_address,
+              CreateQuicSession(*generated_connection_id_, _, client_address,
                                 Eq(ExpectedAlpn()), _, _))
       .WillOnce(Return(ByMove(CreateSession(
-          dispatcher_.get(), config_, fixed_connection_id, client_address,
+          dispatcher_.get(), config_, *generated_connection_id_, client_address,
           &mock_helper_, &mock_alarm_factory_, &crypto_config_,
           QuicDispatcherPeer::GetCache(dispatcher_.get()), &session1_))));
   EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session1_->connection()),
@@ -1130,8 +1170,6 @@ TEST_P(QuicDispatcherTestAllVersions, MixGoodAndBadConnectionIdLengthPackets) {
 
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
   QuicConnectionId bad_connection_id = TestConnectionIdNineBytesLong(2);
-  QuicConnectionId fixed_connection_id =
-      QuicUtils::CreateReplacementConnectionId(bad_connection_id);
 
   EXPECT_CALL(*dispatcher_,
               CreateQuicSession(TestConnectionId(1), _, client_address,
@@ -1147,11 +1185,15 @@ TEST_P(QuicDispatcherTestAllVersions, MixGoodAndBadConnectionIdLengthPackets) {
       })));
   ProcessFirstFlight(client_address, TestConnectionId(1));
 
+  generated_connection_id_ =
+      GetQuicRestartFlag(quic_abstract_connection_id_generator)
+          ? return_connection_id_
+          : QuicUtils::CreateReplacementConnectionId(bad_connection_id);
   EXPECT_CALL(*dispatcher_,
-              CreateQuicSession(fixed_connection_id, _, client_address,
+              CreateQuicSession(*generated_connection_id_, _, client_address,
                                 Eq(ExpectedAlpn()), _, _))
       .WillOnce(Return(ByMove(CreateSession(
-          dispatcher_.get(), config_, fixed_connection_id, client_address,
+          dispatcher_.get(), config_, *generated_connection_id_, client_address,
           &mock_helper_, &mock_alarm_factory_, &crypto_config_,
           QuicDispatcherPeer::GetCache(dispatcher_.get()), &session2_))));
   EXPECT_CALL(*reinterpret_cast<MockQuicConnection*>(session2_->connection()),
@@ -1239,6 +1281,7 @@ TEST_P(QuicDispatcherTestAllVersions,
       .Times(0);
   EXPECT_CALL(*time_wait_list_manager_, AddConnectionIdToTimeWait(_, _))
       .Times(0);
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(client_address, EmptyQuicConnectionId());
 }
 
@@ -1281,6 +1324,7 @@ void QuicDispatcherTestBase::
                   /*ietf_quic=*/true,
                   /*use_length_prefix=*/true, _, _, client_address, _))
       .Times(1);
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(ParsedQuicVersion::ReservedForNegotiation(),
                      client_address, server_connection_id,
                      client_connection_id);
@@ -1773,6 +1817,7 @@ TEST_P(QuicDispatcherTestAllVersions, StopAcceptingNewConnections) {
               CreateQuicSession(TestConnectionId(2), _, client_address,
                                 Eq(ExpectedAlpn()), _, _))
       .Times(0u);
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(client_address, TestConnectionId(2));
 
   // Existing connections should be able to continue.
@@ -1794,6 +1839,7 @@ TEST_P(QuicDispatcherTestAllVersions, StartAcceptingNewConnections) {
               CreateQuicSession(TestConnectionId(2), _, client_address,
                                 Eq(ExpectedAlpn()), _, _))
       .Times(0u);
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(client_address, TestConnectionId(2));
 
   dispatcher_->StartAcceptingNewConnections();
@@ -2158,7 +2204,7 @@ class QuicDispatcherSupportMultipleConnectionIdPerConnectionTest
       : QuicDispatcherTestBase(crypto_test_utils::ProofSourceForTesting()) {
     dispatcher_ = std::make_unique<NiceMock<TestDispatcher>>(
         &config_, &crypto_config_, &version_manager_,
-        mock_helper_.GetRandomGenerator());
+        mock_helper_.GetRandomGenerator(), connection_id_generator_);
   }
   void AddConnection1() {
     QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
@@ -2240,6 +2286,82 @@ TEST_P(QuicDispatcherSupportMultipleConnectionIdPerConnectionTest,
 }
 
 TEST_P(QuicDispatcherSupportMultipleConnectionIdPerConnectionTest,
+       TryAddNewConnectionIdWithCollision) {
+  AddConnection1();
+  AddConnection2();
+  ASSERT_EQ(dispatcher_->NumSessions(), 2u);
+  ASSERT_THAT(session1_, testing::NotNull());
+  ASSERT_THAT(session2_, testing::NotNull());
+  MockServerConnection* mock_server_connection1 =
+      reinterpret_cast<MockServerConnection*>(connection1());
+  MockServerConnection* mock_server_connection2 =
+      reinterpret_cast<MockServerConnection*>(connection2());
+
+  {
+    // TestConnectionId(2) is already claimed by connection2 but connection1
+    // still thinks it owns it.
+    mock_server_connection1->UnconditionallyAddNewConnectionIdForTest(
+        TestConnectionId(2));
+    EXPECT_EQ(dispatcher_->NumSessions(), 2u);
+    auto* session =
+        QuicDispatcherPeer::FindSession(dispatcher_.get(), TestConnectionId(2));
+    ASSERT_EQ(session, session2_);
+    EXPECT_THAT(mock_server_connection1->GetActiveServerConnectionIds(),
+                testing::ElementsAre(TestConnectionId(1), TestConnectionId(2)));
+  }
+
+  {
+    mock_server_connection2->AddNewConnectionId(TestConnectionId(3));
+    EXPECT_EQ(dispatcher_->NumSessions(), 2u);
+    auto* session =
+        QuicDispatcherPeer::FindSession(dispatcher_.get(), TestConnectionId(3));
+    ASSERT_EQ(session, session2_);
+    EXPECT_THAT(mock_server_connection2->GetActiveServerConnectionIds(),
+                testing::ElementsAre(TestConnectionId(2), TestConnectionId(3)));
+  }
+
+  // Connection2 removes both TestConnectionId(2) & TestConnectionId(3) from the
+  // session map.
+  dispatcher_->OnConnectionClosed(TestConnectionId(2),
+                                  QuicErrorCode::QUIC_NO_ERROR, "detail",
+                                  quic::ConnectionCloseSource::FROM_SELF);
+    // QUICHE_BUG fires when connection1 tries to remove TestConnectionId(2)
+    // again from the session_map.
+    EXPECT_QUICHE_BUG(dispatcher_->OnConnectionClosed(
+                          TestConnectionId(1), QuicErrorCode::QUIC_NO_ERROR,
+                          "detail", quic::ConnectionCloseSource::FROM_SELF),
+                      "Missing session for cid");
+}
+
+TEST_P(QuicDispatcherSupportMultipleConnectionIdPerConnectionTest,
+       MismatchedSessionAfterAddingCollidedConnectionId) {
+  AddConnection1();
+  AddConnection2();
+  MockServerConnection* mock_server_connection1 =
+      reinterpret_cast<MockServerConnection*>(connection1());
+
+  {
+    // TestConnectionId(2) is already claimed by connection2 but connection1
+    // still thinks it owns it.
+    mock_server_connection1->UnconditionallyAddNewConnectionIdForTest(
+        TestConnectionId(2));
+    EXPECT_EQ(dispatcher_->NumSessions(), 2u);
+    auto* session =
+        QuicDispatcherPeer::FindSession(dispatcher_.get(), TestConnectionId(2));
+    ASSERT_EQ(session, session2_);
+    EXPECT_THAT(mock_server_connection1->GetActiveServerConnectionIds(),
+                testing::ElementsAre(TestConnectionId(1), TestConnectionId(2)));
+  }
+
+  // Connection1 tries to remove both Cid1 & Cid2, but they point to different
+  // sessions.
+  EXPECT_QUIC_BUG(dispatcher_->OnConnectionClosed(
+                      TestConnectionId(1), QuicErrorCode::QUIC_NO_ERROR,
+                      "detail", quic::ConnectionCloseSource::FROM_SELF),
+                  "Session is mismatched in the map");
+}
+
+TEST_P(QuicDispatcherSupportMultipleConnectionIdPerConnectionTest,
        RetireConnectionIdFromSingleConnection) {
   AddConnection1();
   ASSERT_EQ(dispatcher_->NumSessions(), 1u);
@@ -2397,6 +2519,11 @@ TEST_P(BufferedPacketStoreTest, ProcessNonChloPacketBeforeChlo) {
 
   // When CHLO arrives, a new session should be created, and all packets
   // buffered should be delivered to the session.
+  if (GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+    EXPECT_CALL(connection_id_generator_,
+                MaybeReplaceConnectionId(conn_id, version_))
+        .WillOnce(Return(absl::nullopt));
+  }
   EXPECT_CALL(*dispatcher_,
               CreateQuicSession(conn_id, _, client_addr_, Eq(ExpectedAlpn()), _,
                                 Eq(ParsedClientHelloForTest())))
@@ -2413,6 +2540,7 @@ TEST_P(BufferedPacketStoreTest, ProcessNonChloPacketBeforeChlo) {
               ValidatePacket(conn_id, packet);
             }
           })));
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(conn_id);
 }
 
@@ -2429,6 +2557,11 @@ TEST_P(BufferedPacketStoreTest, ProcessNonChloPacketsUptoLimitAndProcessChlo) {
   data_connection_map_[conn_id].pop_back();
   // When CHLO arrives, a new session should be created, and all packets
   // buffered should be delivered to the session.
+  if (GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+    EXPECT_CALL(connection_id_generator_,
+                MaybeReplaceConnectionId(conn_id, version_))
+        .WillOnce(Return(absl::nullopt));
+  }
   EXPECT_CALL(*dispatcher_, CreateQuicSession(conn_id, _, client_addr_,
                                               Eq(ExpectedAlpn()), _, _))
       .WillOnce(Return(ByMove(CreateSession(
@@ -2447,6 +2580,7 @@ TEST_P(BufferedPacketStoreTest, ProcessNonChloPacketsUptoLimitAndProcessChlo) {
               ValidatePacket(conn_id, packet);
             }
           })));
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(conn_id);
 }
 
@@ -2473,6 +2607,11 @@ TEST_P(BufferedPacketStoreTest,
   for (size_t i = 1; i <= kNumConnections; ++i) {
     QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 20000 + i);
     QuicConnectionId conn_id = TestConnectionId(i);
+    if (GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+      EXPECT_CALL(connection_id_generator_,
+                  MaybeReplaceConnectionId(conn_id, version_))
+          .WillOnce(Return(absl::nullopt));
+    }
     EXPECT_CALL(*dispatcher_, CreateQuicSession(conn_id, _, client_address,
                                                 Eq(ExpectedAlpn()), _, _))
         .WillOnce(Return(ByMove(CreateSession(
@@ -2491,7 +2630,7 @@ TEST_P(BufferedPacketStoreTest,
                 ValidatePacket(conn_id, packet);
               }
             })));
-
+    expect_generator_is_called_ = false;
     ProcessFirstFlight(client_address, conn_id);
   }
 }
@@ -2519,6 +2658,11 @@ TEST_P(BufferedPacketStoreTest, ReceiveRetransmittedCHLO) {
 
   // When CHLO arrives, a new session should be created, and all packets
   // buffered should be delivered to the session.
+  if (GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+    EXPECT_CALL(connection_id_generator_,
+                MaybeReplaceConnectionId(conn_id, version_))
+        .WillOnce(Return(absl::nullopt));
+  }
   EXPECT_CALL(*dispatcher_, CreateQuicSession(conn_id, _, client_addr_,
                                               Eq(ExpectedAlpn()), _, _))
       .Times(1)  // Only triggered by 1st CHLO.
@@ -2568,6 +2712,7 @@ TEST_P(BufferedPacketStoreTest, ReceiveCHLOAfterExpiration) {
   // list.
   ASSERT_TRUE(time_wait_list_manager_->IsConnectionIdInTimeWait(conn_id));
   EXPECT_CALL(*time_wait_list_manager_, ProcessPacket(_, _, conn_id, _, _, _));
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(conn_id);
 }
 
@@ -2583,6 +2728,12 @@ TEST_P(BufferedPacketStoreTest, ProcessCHLOsUptoLimitAndBufferTheRest) {
       kMaxNumSessionsToCreate + kDefaultMaxConnectionsInStore + 1;
   for (uint64_t conn_id = 1; conn_id <= kNumCHLOs; ++conn_id) {
     if (conn_id <= kMaxNumSessionsToCreate) {
+      if (GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+        EXPECT_CALL(
+            connection_id_generator_,
+            MaybeReplaceConnectionId(TestConnectionId(conn_id), version_))
+            .WillOnce(Return(absl::nullopt));
+      }
       EXPECT_CALL(*dispatcher_,
                   CreateQuicSession(TestConnectionId(conn_id), _, client_addr_,
                                     Eq(ExpectedAlpn()), _,
@@ -2602,6 +2753,7 @@ TEST_P(BufferedPacketStoreTest, ProcessCHLOsUptoLimitAndBufferTheRest) {
                 }
               })));
     }
+    expect_generator_is_called_ = false;
     ProcessFirstFlight(TestConnectionId(conn_id));
     if (conn_id <= kMaxNumSessionsToCreate + kDefaultMaxConnectionsInStore &&
         conn_id > kMaxNumSessionsToCreate) {
@@ -2619,6 +2771,11 @@ TEST_P(BufferedPacketStoreTest, ProcessCHLOsUptoLimitAndBufferTheRest) {
   for (uint64_t conn_id = kMaxNumSessionsToCreate + 1;
        conn_id <= kMaxNumSessionsToCreate + kDefaultMaxConnectionsInStore;
        ++conn_id) {
+    if (GetQuicRestartFlag(quic_abstract_connection_id_generator)) {
+      EXPECT_CALL(connection_id_generator_,
+                  MaybeReplaceConnectionId(TestConnectionId(conn_id), version_))
+          .WillOnce(Return(absl::nullopt));
+    }
     EXPECT_CALL(*dispatcher_,
                 CreateQuicSession(TestConnectionId(conn_id), _, client_addr_,
                                   Eq(ExpectedAlpn()), _,
@@ -2636,6 +2793,9 @@ TEST_P(BufferedPacketStoreTest, ProcessCHLOsUptoLimitAndBufferTheRest) {
               }
             })));
   }
+  EXPECT_CALL(connection_id_generator_,
+              MaybeReplaceConnectionId(TestConnectionId(kNumCHLOs), version_))
+      .Times(0);
   EXPECT_CALL(*dispatcher_,
               CreateQuicSession(TestConnectionId(kNumCHLOs), _, client_addr_,
                                 Eq(ExpectedAlpn()), _, _))
@@ -2679,6 +2839,7 @@ TEST_P(BufferedPacketStoreTest, BufferDuplicatedCHLO) {
   // Retransmit CHLO on last connection should be dropped.
   QuicConnectionId last_connection =
       TestConnectionId(kMaxNumSessionsToCreate + 1);
+  expect_generator_is_called_ = false;
   ProcessFirstFlight(last_connection);
 
   size_t packets_buffered = 2;
@@ -2791,6 +2952,8 @@ TEST_P(BufferedPacketStoreTest, ReceiveCHLOForBufferedConnection) {
                   ValidatePacket(TestConnectionId(conn_id), packet);
                 }
               })));
+    } else {
+      expect_generator_is_called_ = false;
     }
     ProcessFirstFlight(TestConnectionId(conn_id));
   }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_alarm_factory.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_alarm_factory.cc
deleted file mode 100644
index 23df28bce4e..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_alarm_factory.cc
+++ /dev/null
@@ -1,89 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/core/quic_epoll_alarm_factory.h"
-
-#include <type_traits>
-
-#include "quiche/quic/core/quic_arena_scoped_ptr.h"
-
-namespace quic {
-namespace {
-
-class QuicEpollAlarm : public QuicAlarm {
- public:
-  QuicEpollAlarm(QuicEpollServer* epoll_server,
-                 QuicArenaScopedPtr<QuicAlarm::Delegate> delegate)
-      : QuicAlarm(std::move(delegate)),
-        epoll_server_(epoll_server),
-        epoll_alarm_impl_(this) {}
-
- protected:
-  void SetImpl() override {
-    QUICHE_DCHECK(deadline().IsInitialized());
-    epoll_server_->RegisterAlarm(
-        (deadline() - QuicTime::Zero()).ToMicroseconds(), &epoll_alarm_impl_);
-  }
-
-  void CancelImpl() override {
-    QUICHE_DCHECK(!deadline().IsInitialized());
-    epoll_alarm_impl_.UnregisterIfRegistered();
-  }
-
-  void UpdateImpl() override {
-    QUICHE_DCHECK(deadline().IsInitialized());
-    int64_t epoll_deadline = (deadline() - QuicTime::Zero()).ToMicroseconds();
-    if (epoll_alarm_impl_.registered()) {
-      epoll_alarm_impl_.ReregisterAlarm(epoll_deadline);
-    } else {
-      epoll_server_->RegisterAlarm(epoll_deadline, &epoll_alarm_impl_);
-    }
-  }
-
- private:
-  class EpollAlarmImpl : public QuicEpollAlarmBase {
-   public:
-    using int64_epoll = decltype(QuicEpollAlarmBase().OnAlarm());
-
-    explicit EpollAlarmImpl(QuicEpollAlarm* alarm) : alarm_(alarm) {}
-
-    // Use the same integer type as the base class.
-    int64_epoll OnAlarm() override {
-      QuicEpollAlarmBase::OnAlarm();
-      alarm_->Fire();
-      // Fire will take care of registering the alarm, if needed.
-      return 0;
-    }
-
-   private:
-    QuicEpollAlarm* alarm_;
-  };
-
-  QuicEpollServer* epoll_server_;
-  EpollAlarmImpl epoll_alarm_impl_;
-};
-
-}  // namespace
-
-QuicEpollAlarmFactory::QuicEpollAlarmFactory(QuicEpollServer* epoll_server)
-    : epoll_server_(epoll_server) {}
-
-QuicEpollAlarmFactory::~QuicEpollAlarmFactory() = default;
-
-QuicAlarm* QuicEpollAlarmFactory::CreateAlarm(QuicAlarm::Delegate* delegate) {
-  return new QuicEpollAlarm(epoll_server_,
-                            QuicArenaScopedPtr<QuicAlarm::Delegate>(delegate));
-}
-
-QuicArenaScopedPtr<QuicAlarm> QuicEpollAlarmFactory::CreateAlarm(
-    QuicArenaScopedPtr<QuicAlarm::Delegate> delegate,
-    QuicConnectionArena* arena) {
-  if (arena != nullptr) {
-    return arena->New<QuicEpollAlarm>(epoll_server_, std::move(delegate));
-  }
-  return QuicArenaScopedPtr<QuicAlarm>(
-      new QuicEpollAlarm(epoll_server_, std::move(delegate)));
-}
-
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_alarm_factory.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_alarm_factory.h
deleted file mode 100644
index 8ccc9234fe0..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_alarm_factory.h
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_CORE_QUIC_EPOLL_ALARM_FACTORY_H_
-#define QUICHE_QUIC_CORE_QUIC_EPOLL_ALARM_FACTORY_H_
-
-#include "quiche/quic/core/quic_alarm.h"
-#include "quiche/quic/core/quic_alarm_factory.h"
-#include "quiche/quic/core/quic_one_block_arena.h"
-#include "quiche/quic/platform/api/quic_epoll.h"
-
-namespace quic {
-
-// Creates alarms that use the supplied EpollServer for timing and firing.
-class QUIC_EXPORT_PRIVATE QuicEpollAlarmFactory : public QuicAlarmFactory {
- public:
-  explicit QuicEpollAlarmFactory(QuicEpollServer* epoll_server);
-  QuicEpollAlarmFactory(const QuicEpollAlarmFactory&) = delete;
-  QuicEpollAlarmFactory& operator=(const QuicEpollAlarmFactory&) = delete;
-  ~QuicEpollAlarmFactory() override;
-
-  // QuicAlarmFactory interface.
-  QuicAlarm* CreateAlarm(QuicAlarm::Delegate* delegate) override;
-  QuicArenaScopedPtr<QuicAlarm> CreateAlarm(
-      QuicArenaScopedPtr<QuicAlarm::Delegate> delegate,
-      QuicConnectionArena* arena) override;
-
- private:
-  QuicEpollServer* epoll_server_;  // Not owned.
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_CORE_QUIC_EPOLL_ALARM_FACTORY_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_alarm_factory_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_alarm_factory_test.cc
deleted file mode 100644
index 87a6da69aae..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_alarm_factory_test.cc
+++ /dev/null
@@ -1,140 +0,0 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/core/quic_epoll_alarm_factory.h"
-
-#include "quiche/quic/core/quic_epoll_clock.h"
-#include "quiche/quic/platform/api/quic_test.h"
-#include "quiche/common/platform/api/quiche_epoll_test_tools.h"
-
-namespace quic {
-namespace test {
-namespace {
-
-class TestDelegate : public QuicAlarm::DelegateWithoutContext {
- public:
-  TestDelegate() : fired_(false) {}
-
-  void OnAlarm() override { fired_ = true; }
-
-  bool fired() const { return fired_; }
-
- private:
-  bool fired_;
-};
-
-// The boolean parameter denotes whether or not to use an arena.
-class QuicEpollAlarmFactoryTest : public QuicTestWithParam<bool> {
- protected:
-  QuicEpollAlarmFactoryTest()
-      : clock_(&epoll_server_), alarm_factory_(&epoll_server_) {}
-
-  QuicConnectionArena* GetArenaParam() {
-    return GetParam() ? &arena_ : nullptr;
-  }
-
-  const QuicEpollClock clock_;
-  QuicEpollAlarmFactory alarm_factory_;
-  quiche::QuicheFakeEpollServer epoll_server_;
-  QuicConnectionArena arena_;
-};
-
-INSTANTIATE_TEST_SUITE_P(UseArena, QuicEpollAlarmFactoryTest,
-                         ::testing::ValuesIn({true, false}),
-                         ::testing::PrintToStringParamName());
-
-TEST_P(QuicEpollAlarmFactoryTest, CreateAlarm) {
-  QuicArenaScopedPtr<TestDelegate> delegate =
-      QuicArenaScopedPtr<TestDelegate>(new TestDelegate());
-  QuicArenaScopedPtr<QuicAlarm> alarm(
-      alarm_factory_.CreateAlarm(std::move(delegate), GetArenaParam()));
-
-  QuicTime start = clock_.Now();
-  QuicTime::Delta delta = QuicTime::Delta::FromMicroseconds(1);
-  alarm->Set(start + delta);
-
-  epoll_server_.AdvanceByAndWaitForEventsAndExecuteCallbacks(
-      delta.ToMicroseconds());
-  EXPECT_EQ(start + delta, clock_.Now());
-}
-
-TEST_P(QuicEpollAlarmFactoryTest, CreateAlarmAndCancel) {
-  QuicArenaScopedPtr<TestDelegate> delegate =
-      QuicArenaScopedPtr<TestDelegate>(new TestDelegate());
-  TestDelegate* unowned_delegate = delegate.get();
-  QuicArenaScopedPtr<QuicAlarm> alarm(
-      alarm_factory_.CreateAlarm(std::move(delegate), GetArenaParam()));
-
-  QuicTime start = clock_.Now();
-  QuicTime::Delta delta = QuicTime::Delta::FromMicroseconds(1);
-  alarm->Set(start + delta);
-  alarm->Cancel();
-
-  epoll_server_.AdvanceByExactlyAndCallCallbacks(delta.ToMicroseconds());
-  EXPECT_EQ(start + delta, clock_.Now());
-  EXPECT_FALSE(unowned_delegate->fired());
-}
-
-TEST_P(QuicEpollAlarmFactoryTest, CreateAlarmAndReset) {
-  QuicArenaScopedPtr<TestDelegate> delegate =
-      QuicArenaScopedPtr<TestDelegate>(new TestDelegate());
-  TestDelegate* unowned_delegate = delegate.get();
-  QuicArenaScopedPtr<QuicAlarm> alarm(
-      alarm_factory_.CreateAlarm(std::move(delegate), GetArenaParam()));
-
-  QuicTime start = clock_.Now();
-  QuicTime::Delta delta = QuicTime::Delta::FromMicroseconds(1);
-  alarm->Set(clock_.Now() + delta);
-  alarm->Cancel();
-  QuicTime::Delta new_delta = QuicTime::Delta::FromMicroseconds(3);
-  alarm->Set(clock_.Now() + new_delta);
-
-  epoll_server_.AdvanceByExactlyAndCallCallbacks(delta.ToMicroseconds());
-  EXPECT_EQ(start + delta, clock_.Now());
-  EXPECT_FALSE(unowned_delegate->fired());
-
-  epoll_server_.AdvanceByExactlyAndCallCallbacks(
-      (new_delta - delta).ToMicroseconds());
-  EXPECT_EQ(start + new_delta, clock_.Now());
-  EXPECT_TRUE(unowned_delegate->fired());
-}
-
-TEST_P(QuicEpollAlarmFactoryTest, CreateAlarmAndUpdate) {
-  QuicArenaScopedPtr<TestDelegate> delegate =
-      QuicArenaScopedPtr<TestDelegate>(new TestDelegate());
-  TestDelegate* unowned_delegate = delegate.get();
-  QuicArenaScopedPtr<QuicAlarm> alarm(
-      alarm_factory_.CreateAlarm(std::move(delegate), GetArenaParam()));
-
-  QuicTime start = clock_.Now();
-  QuicTime::Delta delta = QuicTime::Delta::FromMicroseconds(1);
-  alarm->Set(clock_.Now() + delta);
-  QuicTime::Delta new_delta = QuicTime::Delta::FromMicroseconds(3);
-  alarm->Update(clock_.Now() + new_delta, QuicTime::Delta::FromMicroseconds(1));
-
-  epoll_server_.AdvanceByExactlyAndCallCallbacks(delta.ToMicroseconds());
-  EXPECT_EQ(start + delta, clock_.Now());
-  EXPECT_FALSE(unowned_delegate->fired());
-
-  // Move the alarm forward 1us and ensure it doesn't move forward.
-  alarm->Update(clock_.Now() + new_delta, QuicTime::Delta::FromMicroseconds(2));
-
-  epoll_server_.AdvanceByExactlyAndCallCallbacks(
-      (new_delta - delta).ToMicroseconds());
-  EXPECT_EQ(start + new_delta, clock_.Now());
-  EXPECT_TRUE(unowned_delegate->fired());
-
-  // Set the alarm via an update call.
-  new_delta = QuicTime::Delta::FromMicroseconds(5);
-  alarm->Update(clock_.Now() + new_delta, QuicTime::Delta::FromMicroseconds(1));
-  EXPECT_TRUE(alarm->IsSet());
-
-  // Update it with an uninitialized time and ensure it's cancelled.
-  alarm->Update(QuicTime::Zero(), QuicTime::Delta::FromMicroseconds(1));
-  EXPECT_FALSE(alarm->IsSet());
-}
-
-}  // namespace
-}  // namespace test
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_clock.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_clock.cc
deleted file mode 100644
index a4087a02e70..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_clock.cc
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/core/quic_epoll_clock.h"
-
-#include "quiche/common/platform/api/quiche_flag_utils.h"
-
-namespace quic {
-
-QuicEpollClock::QuicEpollClock(QuicEpollServer* epoll_server)
-    : epoll_server_(epoll_server), largest_time_(QuicTime::Zero()) {}
-
-QuicEpollClock::~QuicEpollClock() {}
-
-QuicTime QuicEpollClock::ApproximateNow() const {
-  return CreateTimeFromMicroseconds(epoll_server_->ApproximateNowInUsec());
-}
-
-QuicTime QuicEpollClock::Now() const {
-  QuicTime now = CreateTimeFromMicroseconds(epoll_server_->NowInUsec());
-
-  if (now <= largest_time_) {
-    if (now < largest_time_) {
-      QUICHE_CODE_COUNT(quic_epoll_clock_step_backward);
-    }
-    // Time not increasing, return |largest_time_|.
-    return largest_time_;
-  }
-
-  largest_time_ = now;
-  return largest_time_;
-}
-
-QuicWallTime QuicEpollClock::WallNow() const {
-  return QuicWallTime::FromUNIXMicroseconds(
-      epoll_server_->ApproximateNowInUsec());
-}
-
-QuicTime QuicEpollClock::ConvertWallTimeToQuicTime(
-    const QuicWallTime& walltime) const {
-  return QuicTime::Zero() +
-         QuicTime::Delta::FromMicroseconds(walltime.ToUNIXMicroseconds());
-}
-
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_clock.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_clock.h
deleted file mode 100644
index 42bea337228..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_clock.h
+++ /dev/null
@@ -1,48 +0,0 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_CORE_QUIC_EPOLL_CLOCK_H_
-#define QUICHE_QUIC_CORE_QUIC_EPOLL_CLOCK_H_
-
-#include "quiche/quic/core/quic_clock.h"
-#include "quiche/quic/core/quic_time.h"
-#include "quiche/quic/platform/api/quic_epoll.h"
-#include "quiche/quic/platform/api/quic_export.h"
-
-namespace quic {
-
-// Clock to efficiently retrieve an approximately accurate time from an
-// EpollServer.
-class QUIC_EXPORT_PRIVATE QuicEpollClock : public QuicClock {
- public:
-  explicit QuicEpollClock(QuicEpollServer* epoll_server);
-  QuicEpollClock(const QuicEpollClock&) = delete;
-  QuicEpollClock& operator=(const QuicEpollClock&) = delete;
-  ~QuicEpollClock() override;
-
-  // Returns the approximate current time as a QuicTime object.
-  QuicTime ApproximateNow() const override;
-
-  // Returns the current time as a QuicTime object.
-  // Note: this use significant resources please use only if needed.
-  QuicTime Now() const override;
-
-  // WallNow returns the current wall-time - a time that is consistent across
-  // different clocks.
-  QuicWallTime WallNow() const override;
-
-  // Override to do less work in this implementation.  The epoll clock is
-  // already based on system (unix epoch) time, no conversion required.
-  QuicTime ConvertWallTimeToQuicTime(
-      const QuicWallTime& walltime) const override;
-
- protected:
-  QuicEpollServer* epoll_server_;
-  // Largest time returned from Now() so far.
-  mutable QuicTime largest_time_;
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_CORE_QUIC_EPOLL_CLOCK_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_clock_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_clock_test.cc
deleted file mode 100644
index 617230f9c93..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_clock_test.cc
+++ /dev/null
@@ -1,75 +0,0 @@
-// Copyright 2022 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/core/quic_epoll_clock.h"
-
-#include "quiche/quic/platform/api/quic_test.h"
-#include "quiche/common/platform/api/quiche_epoll_test_tools.h"
-
-namespace quic {
-namespace test {
-
-class QuicEpollClockTest : public QuicTest {};
-
-TEST_F(QuicEpollClockTest, ApproximateNowInUsec) {
-  quiche::QuicheFakeEpollServer epoll_server;
-  QuicEpollClock clock(&epoll_server);
-
-  epoll_server.set_now_in_usec(1000000);
-  EXPECT_EQ(1000000,
-            (clock.ApproximateNow() - QuicTime::Zero()).ToMicroseconds());
-  EXPECT_EQ(1u, clock.WallNow().ToUNIXSeconds());
-  EXPECT_EQ(1000000u, clock.WallNow().ToUNIXMicroseconds());
-
-  epoll_server.AdvanceBy(5);
-  EXPECT_EQ(1000005,
-            (clock.ApproximateNow() - QuicTime::Zero()).ToMicroseconds());
-  EXPECT_EQ(1u, clock.WallNow().ToUNIXSeconds());
-  EXPECT_EQ(1000005u, clock.WallNow().ToUNIXMicroseconds());
-
-  epoll_server.AdvanceBy(10 * 1000000);
-  EXPECT_EQ(11u, clock.WallNow().ToUNIXSeconds());
-  EXPECT_EQ(11000005u, clock.WallNow().ToUNIXMicroseconds());
-}
-
-TEST_F(QuicEpollClockTest, NowInUsec) {
-  quiche::QuicheFakeEpollServer epoll_server;
-  QuicEpollClock clock(&epoll_server);
-
-  epoll_server.set_now_in_usec(1000000);
-  EXPECT_EQ(1000000, (clock.Now() - QuicTime::Zero()).ToMicroseconds());
-
-  epoll_server.AdvanceBy(5);
-  EXPECT_EQ(1000005, (clock.Now() - QuicTime::Zero()).ToMicroseconds());
-}
-
-TEST_F(QuicEpollClockTest, MonotonicityWithRealEpollClock) {
-  QuicEpollServer epoll_server;
-  QuicEpollClock clock(&epoll_server);
-
-  QuicTime last_now = clock.Now();
-  for (int i = 0; i < 1e5; ++i) {
-    QuicTime now = clock.Now();
-
-    ASSERT_LE(last_now, now);
-
-    last_now = now;
-  }
-}
-
-TEST_F(QuicEpollClockTest, MonotonicityWithFakeEpollClock) {
-  quiche::QuicheFakeEpollServer epoll_server;
-  QuicEpollClock clock(&epoll_server);
-
-  epoll_server.set_now_in_usec(100);
-  QuicTime last_now = clock.Now();
-
-  epoll_server.set_now_in_usec(90);
-  QuicTime now = clock.Now();
-
-  ASSERT_EQ(last_now, now);
-}
-
-}  // namespace test
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_connection_helper.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_connection_helper.cc
deleted file mode 100644
index 1c2f5b7df9e..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_connection_helper.cc
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/core/quic_epoll_connection_helper.h"
-
-#include <errno.h>
-#include <sys/socket.h>
-
-#include "quiche/quic/core/crypto/quic_random.h"
-
-namespace quic {
-
-QuicEpollConnectionHelper::QuicEpollConnectionHelper(
-    QuicEpollServer* epoll_server, QuicAllocator allocator_type)
-    : clock_(epoll_server),
-      random_generator_(QuicRandom::GetInstance()),
-      allocator_type_(allocator_type) {}
-
-QuicEpollConnectionHelper::~QuicEpollConnectionHelper() = default;
-
-const QuicClock* QuicEpollConnectionHelper::GetClock() const { return &clock_; }
-
-QuicRandom* QuicEpollConnectionHelper::GetRandomGenerator() {
-  return random_generator_;
-}
-
-quiche::QuicheBufferAllocator*
-QuicEpollConnectionHelper::GetStreamSendBufferAllocator() {
-  if (allocator_type_ == QuicAllocator::BUFFER_POOL) {
-    return &stream_buffer_allocator_;
-  } else {
-    QUICHE_DCHECK(allocator_type_ == QuicAllocator::SIMPLE);
-    return &simple_buffer_allocator_;
-  }
-}
-
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_connection_helper.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_connection_helper.h
deleted file mode 100644
index dfc26491def..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_connection_helper.h
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// The epoll-specific helper for QuicConnection which uses
-// EpollAlarm for alarms, and used an int fd_ for writing data.
-
-#ifndef QUICHE_QUIC_CORE_QUIC_EPOLL_CONNECTION_HELPER_H_
-#define QUICHE_QUIC_CORE_QUIC_EPOLL_CONNECTION_HELPER_H_
-
-#include <sys/types.h>
-
-#include <set>
-
-#include "quiche/quic/core/quic_connection.h"
-#include "quiche/quic/core/quic_default_packet_writer.h"
-#include "quiche/quic/core/quic_epoll_clock.h"
-#include "quiche/quic/core/quic_packet_writer.h"
-#include "quiche/quic/core/quic_packets.h"
-#include "quiche/quic/core/quic_time.h"
-#include "quiche/quic/platform/api/quic_epoll.h"
-#include "quiche/common/platform/api/quiche_stream_buffer_allocator.h"
-#include "quiche/common/simple_buffer_allocator.h"
-
-namespace quic {
-
-class QuicRandom;
-
-enum class QuicAllocator { SIMPLE, BUFFER_POOL };
-
-class QUIC_EXPORT_PRIVATE QuicEpollConnectionHelper
-    : public QuicConnectionHelperInterface {
- public:
-  QuicEpollConnectionHelper(QuicEpollServer* epoll_server,
-                            QuicAllocator allocator_type);
-  QuicEpollConnectionHelper(const QuicEpollConnectionHelper&) = delete;
-  QuicEpollConnectionHelper& operator=(const QuicEpollConnectionHelper&) =
-      delete;
-  ~QuicEpollConnectionHelper() override;
-
-  // QuicConnectionHelperInterface
-  const QuicClock* GetClock() const override;
-  QuicRandom* GetRandomGenerator() override;
-  quiche::QuicheBufferAllocator* GetStreamSendBufferAllocator() override;
-
- private:
-  const QuicEpollClock clock_;
-  QuicRandom* random_generator_;
-  // Set up allocators.  They take up minimal memory before use.
-  // Allocator for stream send buffers.
-  quiche::QuicheStreamBufferAllocator stream_buffer_allocator_;
-  quiche::SimpleBufferAllocator simple_buffer_allocator_;
-  QuicAllocator allocator_type_;
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_CORE_QUIC_EPOLL_CONNECTION_HELPER_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_connection_helper_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_connection_helper_test.cc
deleted file mode 100644
index 4ce2f1745f3..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_epoll_connection_helper_test.cc
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/core/quic_epoll_connection_helper.h"
-
-#include "quiche/quic/core/crypto/quic_random.h"
-#include "quiche/quic/platform/api/quic_test.h"
-#include "quiche/common/platform/api/quiche_epoll_test_tools.h"
-
-namespace quic {
-namespace test {
-namespace {
-
-class QuicEpollConnectionHelperTest : public QuicTest {
- protected:
-  QuicEpollConnectionHelperTest()
-      : helper_(&epoll_server_, QuicAllocator::BUFFER_POOL) {}
-
-  quiche::QuicheFakeEpollServer epoll_server_;
-  QuicEpollConnectionHelper helper_;
-};
-
-TEST_F(QuicEpollConnectionHelperTest, GetClock) {
-  const QuicClock* clock = helper_.GetClock();
-  QuicTime start = clock->Now();
-
-  QuicTime::Delta delta = QuicTime::Delta::FromMilliseconds(5);
-  epoll_server_.AdvanceBy(delta.ToMicroseconds());
-
-  EXPECT_EQ(start + delta, clock->Now());
-}
-
-TEST_F(QuicEpollConnectionHelperTest, GetRandomGenerator) {
-  QuicRandom* random = helper_.GetRandomGenerator();
-  EXPECT_EQ(QuicRandom::GetInstance(), random);
-}
-
-}  // namespace
-}  // namespace test
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_flags_list.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_flags_list.h
index f043e97d150..d8e8cd81e3d 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_flags_list.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_flags_list.h
@@ -7,6 +7,8 @@
 #ifdef QUIC_FLAG
 
 QUIC_FLAG(quic_restart_flag_quic_offload_pacing_to_usps2, false)
+
+QUIC_FLAG(quic_restart_flag_quic_use_hash_quic_codepoint, false)
 // A testonly reloadable flag that will always default to false.
 QUIC_FLAG(quic_reloadable_flag_quic_testonly_default_false, false)
 // A testonly reloadable flag that will always default to true.
@@ -15,30 +17,24 @@ QUIC_FLAG(quic_reloadable_flag_quic_testonly_default_true, true)
 QUIC_FLAG(quic_restart_flag_quic_testonly_default_false, false)
 // A testonly restart flag that will always default to true.
 QUIC_FLAG(quic_restart_flag_quic_testonly_default_true, true)
-// If bytes in flight has dipped below 1.25*MaxBW in the last round, do not exit PROBE_UP due to excess queue buildup.
-QUIC_FLAG(quic_reloadable_flag_quic_bbr2_no_probe_up_exit_if_no_queue, true)
 // If trrue, early return before write control frame in OnCanWrite() if the connection is already closed.
 QUIC_FLAG(quic_reloadable_flag_quic_no_write_control_frame_upon_connection_close, true)
-// If true and BBQ1 connection option is set, QUIC BBR will use a pacing gain of 2.773 at startup and 0.5 at DRAIN.
-QUIC_FLAG(quic_reloadable_flag_quic_bbr2_support_new_startup_pacing_gain, true)
-// If true, 1) remove all experiments that tunes blackhole detection delay or path degrading delay, and 2) ensure network blackhole delay is at least path degrading delay plus 2 PTOs.
-QUIC_FLAG(quic_reloadable_flag_quic_remove_blackhole_detection_experiments, true)
 // If true, QUIC Legacy Version Encapsulation will be disabled.
 QUIC_FLAG(quic_restart_flag_quic_disable_legacy_version_encapsulation, true)
 // If true, QUIC will default enable MTU discovery at server, with a target of 1450 bytes.
 QUIC_FLAG(quic_reloadable_flag_quic_enable_mtu_discovery_at_server, false)
-// If true, QuicConnection::ScopedPacketFlusher::~ScopedPacketFlusher will early return if connection is disconnected after FlushPackets.
-QUIC_FLAG(quic_reloadable_flag_quic_packet_flusher_check_connected_after_flush_packets, true)
+// If true, QuicConnectionContext will track the decrypted payload and the offset of the current frame, for debugging.
+QUIC_FLAG(quic_reloadable_flag_quic_add_process_packet_context, true)
+// If true, QuicCryptoServerConfig::ParseConfigProtobuf will treat an empty SCID as the same as non-existent.
+QUIC_FLAG(quic_restart_flag_quic_return_error_on_empty_scid, false)
 // If true, QuicGsoBatchWriter will support release time if it is available and the process has the permission to do so.
 QUIC_FLAG(quic_restart_flag_quic_support_release_time_for_gso, false)
-// If true, account added padding when coalesced packets get buffered.
-QUIC_FLAG(quic_reloadable_flag_quic_fix_bytes_accounting_for_buffered_coalesced_packets, true)
 // If true, ack frequency frame can be sent from server to client.
 QUIC_FLAG(quic_reloadable_flag_quic_can_send_ack_frequency, true)
 // If true, allow client to enable BBRv2 on server via connection option \'B2ON\'.
 QUIC_FLAG(quic_reloadable_flag_quic_allow_client_enabled_bbr_v2, true)
-// If true, close the connection if a crypto send buffer exceeds its size limit.
-QUIC_FLAG(quic_reloadable_flag_quic_bounded_crypto_send_buffer, false)
+// If true, combine two WriteOrBufferData to one while writing headers.
+QUIC_FLAG(quic_reloadable_flag_quic_one_write_for_headers, true)
 // If true, default-enable 5RTO blachole detection.
 QUIC_FLAG(quic_reloadable_flag_quic_default_enable_5rto_blackhole_detection2, true)
 // If true, disable QUIC version Q043.
@@ -57,8 +53,6 @@ QUIC_FLAG(quic_reloadable_flag_quic_disable_server_blackhole_detection, false)
 QUIC_FLAG(quic_reloadable_flag_quic_enable_disable_resumption, true)
 // If true, discard INITIAL packet if the key has been dropped.
 QUIC_FLAG(quic_reloadable_flag_quic_discard_initial_packet_with_key_dropped, true)
-// If true, do not bundle ACK while sending PATH_CHALLENGE on alternative path.
-QUIC_FLAG(quic_reloadable_flag_quic_not_bundle_ack_on_alternative_path, true)
 // If true, do not issue a new connection ID that has been claimed by another connection.
 QUIC_FLAG(quic_reloadable_flag_quic_check_cid_collision_when_issue_new_cid, true)
 // If true, do not mark stream connection level write blocked if its write side has been closed.
@@ -69,8 +63,6 @@ QUIC_FLAG(quic_reloadable_flag_quic_enable_server_on_wire_ping, true)
 QUIC_FLAG(quic_reloadable_flag_quic_flush_pending_frames_and_padding_bytes_on_migration, true)
 // If true, ietf connection migration is no longer conditioned on connection option RVCM.
 QUIC_FLAG(quic_reloadable_flag_quic_remove_connection_migration_connection_option_v2, false)
-// If true, if a fatal tls alert is raised while extracting CHLO, QuicDispatcher will send a connection close.
-QUIC_FLAG(quic_restart_flag_quic_dispatcher_send_connection_close_for_tls_alerts, true)
 // If true, include stream information in idle timeout connection close detail.
 QUIC_FLAG(quic_reloadable_flag_quic_add_stream_info_to_idle_close_detail, true)
 // If true, quic server will send ENABLE_CONNECT_PROTOCOL setting and and endpoint will validate required request/response headers and extended CONNECT mechanism and update code counts of valid/invalid headers.
@@ -85,8 +77,6 @@ QUIC_FLAG(quic_reloadable_flag_quic_retire_cid_on_reverse_path_validation_failur
 QUIC_FLAG(quic_restart_flag_quic_enable_sending_bandwidth_estimate_when_network_idle_v2, true)
 // If true, set burst token to 2 in cwnd bootstrapping experiment.
 QUIC_FLAG(quic_reloadable_flag_quic_conservative_bursts, false)
-// If true, stop resetting ideal_next_packet_send_time_ in pacing sender.
-QUIC_FLAG(quic_reloadable_flag_quic_donot_reset_ideal_next_packet_send_time, false)
 // If true, use BBRv2 as the default congestion controller. Takes precedence over --quic_default_to_bbr.
 QUIC_FLAG(quic_reloadable_flag_quic_default_to_bbr_v2, false)
 // If true, use PING manager to manage the PING alarm.
@@ -95,26 +85,14 @@ QUIC_FLAG(quic_reloadable_flag_quic_use_ping_manager2, true)
 QUIC_FLAG(quic_reloadable_flag_quic_connection_migration_use_new_cid_v2, true)
 // If true, uses conservative cwnd gain and pacing gain when cwnd gets bootstrapped.
 QUIC_FLAG(quic_reloadable_flag_quic_conservative_cwnd_and_pacing_gains, false)
-// If true, validate header field character at spdy stream instead of qpack for IETF QUIC.
-QUIC_FLAG(quic_reloadable_flag_quic_validate_header_field_value_at_spdy_stream, true)
-// Store original QUIC connection IDs in the dispatcher\'s map
-QUIC_FLAG(quic_restart_flag_quic_map_original_connection_ids2, false)
-// When the flag is true, exit STARTUP after the same number of loss events as PROBE_UP.
-QUIC_FLAG(quic_reloadable_flag_quic_bbr2_startup_probe_up_loss_events, true)
+// QuicConnection uses a library to generate connection IDs
+QUIC_FLAG(quic_reloadable_flag_quic_connection_uses_abstract_connection_id_generator, true)
+// QuicDispatcher uses a library to generate connection IDs
+QUIC_FLAG(quic_restart_flag_quic_abstract_connection_id_generator, true)
 // When true, defaults to BBR congestion control instead of Cubic.
 QUIC_FLAG(quic_reloadable_flag_quic_default_to_bbr, false)
-// When true, prevents QUIC\'s PacingSender from generating bursts when the congestion controller is CWND limited and not pacing limited.
-QUIC_FLAG(quic_reloadable_flag_quic_fix_pacing_sender_bursts, true)
-// When true, set the initial congestion control window from connection options in QuicSentPacketManager rather than TcpCubicSenderBytes.
-QUIC_FLAG(quic_reloadable_flag_quic_unified_iw_options, true)
 // When true, support draft-ietf-quic-v2-01
 QUIC_FLAG(quic_reloadable_flag_quic_enable_version_2_draft_01, false)
-// When true, the B203 connection option causes the Bbr2Sender to ignore inflight_hi during PROBE_UP and increase it when the bytes delivered without loss are higher.
-QUIC_FLAG(quic_reloadable_flag_quic_bbr2_ignore_inflight_hi_in_probe_up, true)
-// When true, the B205 connection option enables extra acked in STARTUP, and B204 adds new logic to decrease it whenever max bandwidth increases.
-QUIC_FLAG(quic_reloadable_flag_quic_bbr2_startup_extra_acked, true)
-// When true, the B207 connection option causes BBR2 to exit STARTUP if a persistent queue of 2*BDP has existed for the entire round.
-QUIC_FLAG(quic_reloadable_flag_quic_bbr2_exit_startup_on_persistent_queue2, true)
 // When true, the BBR4 copt sets the extra_acked window to 20 RTTs and BBR5 sets it to 40 RTTs.
 QUIC_FLAG(quic_reloadable_flag_quic_bbr2_extra_acked_window, true)
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer.cc
index 1630a2c6f01..db7100dbac9 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer.cc
@@ -14,6 +14,7 @@
 #include "absl/base/attributes.h"
 #include "absl/base/macros.h"
 #include "absl/base/optimization.h"
+#include "absl/cleanup/cleanup.h"
 #include "absl/strings/escaping.h"
 #include "absl/strings/numbers.h"
 #include "absl/strings/str_cat.h"
@@ -30,6 +31,7 @@
 #include "quiche/quic/core/crypto/quic_encrypter.h"
 #include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/core/frames/quic_ack_frequency_frame.h"
+#include "quiche/quic/core/quic_connection_context.h"
 #include "quiche/quic/core/quic_connection_id.h"
 #include "quiche/quic/core/quic_constants.h"
 #include "quiche/quic/core/quic_data_reader.h"
@@ -1295,8 +1297,17 @@ size_t QuicFramer::GetMinStatelessResetPacketLength() {
 
 // static
 std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildIetfStatelessResetPacket(
-    QuicConnectionId /*connection_id*/, size_t received_packet_length,
+    QuicConnectionId connection_id, size_t received_packet_length,
     StatelessResetToken stateless_reset_token) {
+  return BuildIetfStatelessResetPacket(connection_id, received_packet_length,
+                                       stateless_reset_token,
+                                       QuicRandom::GetInstance());
+}
+
+// static
+std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildIetfStatelessResetPacket(
+    QuicConnectionId /*connection_id*/, size_t received_packet_length,
+    StatelessResetToken stateless_reset_token, QuicRandom* random) {
   QUIC_DVLOG(1) << "Building IETF stateless reset packet.";
   if (received_packet_length <= GetMinStatelessResetPacketLength()) {
     QUICHE_DLOG(ERROR)
@@ -1316,10 +1327,10 @@ std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildIetfStatelessResetPacket(
   // from comparing the entire packet to a known value. Therefore it has no
   // cryptographic use, and does not need a secure cryptographic pseudo-random
   // number generator. It's therefore safe to use WriteInsecureRandomBytes.
-  if (!writer.WriteInsecureRandomBytes(QuicRandom::GetInstance(),
-                                       len - kStatelessResetTokenLength)) {
+  const size_t random_bytes_size = len - kStatelessResetTokenLength;
+  if (!writer.WriteInsecureRandomBytes(random, random_bytes_size)) {
     QUIC_BUG(362045737_2) << "Failed to append random bytes of length: "
-                          << len - kStatelessResetTokenLength;
+                          << random_bytes_size;
     return nullptr;
   }
   // Change first 2 fixed bits to 01.
@@ -1364,7 +1375,7 @@ std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildVersionNegotiationPacket(
     // depends on this randomness.
     size_t version_index = 0;
     const bool disable_randomness =
-        GetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness);
+        GetQuicFlag(quic_disable_version_negotiation_grease_randomness);
     if (!disable_randomness) {
       version_index =
           QuicRandom::GetInstance()->RandUint64() % (wire_versions.size() + 1);
@@ -1894,6 +1905,23 @@ bool QuicFramer::ProcessIetfDataPacket(QuicDataReader* encrypted_reader,
   }
   QuicDataReader reader(decrypted_buffer, decrypted_length);
 
+  // Remember decrypted_payload in the current connection context until the end
+  // of this function.
+  auto* connection_context =
+      add_process_packet_context_ ? QuicConnectionContext::Current() : nullptr;
+  if (connection_context != nullptr) {
+    connection_context->process_packet_context.decrypted_payload =
+        reader.FullPayload();
+    connection_context->process_packet_context.current_frame_offset = 0;
+  }
+  auto clear_decrypted_payload = absl::MakeCleanup([&]() {
+    if (connection_context != nullptr) {
+      QUIC_RELOADABLE_FLAG_COUNT(quic_add_process_packet_context);
+      connection_context->process_packet_context.decrypted_payload =
+          absl::string_view();
+    }
+  });
+
   // Update the largest packet number after we have decrypted the packet
   // so we are confident is not attacker controlled.
   if (supports_multiple_packet_number_spaces_) {
@@ -3159,7 +3187,14 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
   }
 
   QUIC_DVLOG(2) << ENDPOINT << "Processing IETF packet with header " << header;
+  auto* connection_context =
+      add_process_packet_context_ ? QuicConnectionContext::Current() : nullptr;
   while (!reader->IsDoneReading()) {
+    if (connection_context != nullptr) {
+      connection_context->process_packet_context.current_frame_offset =
+          connection_context->process_packet_context.decrypted_payload.size() -
+          reader->BytesRemaining();
+    }
     uint64_t frame_type;
     // Will be the number of bytes into which frame_type was encoded.
     size_t encoded_bytes = reader->BytesRemaining();
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer.h
index c39ee2b4d11..694e741b703 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer.h
@@ -476,6 +476,13 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
       QuicConnectionId connection_id, size_t received_packet_length,
       StatelessResetToken stateless_reset_token);
 
+  // Returns a new IETF stateless reset packet with random bytes generated from
+  // |random|->InsecureRandBytes(). NOTE: the first two bits of the random bytes
+  // will be modified to 01b to make it look like a short header packet.
+  static std::unique_ptr<QuicEncryptedPacket> BuildIetfStatelessResetPacket(
+      QuicConnectionId connection_id, size_t received_packet_length,
+      StatelessResetToken stateless_reset_token, QuicRandom* random);
+
   // Returns a new version negotiation packet.
   static std::unique_ptr<QuicEncryptedPacket> BuildVersionNegotiationPacket(
       QuicConnectionId server_connection_id,
@@ -1165,6 +1172,9 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
   // Indicates whether received RETRY packets should be dropped.
   bool drop_incoming_retry_packets_ = false;
 
+  const bool add_process_packet_context_ =
+      GetQuicReloadableFlag(quic_add_process_packet_context);
+
   // The length in bytes of the last packet number written to an IETF-framed
   // packet.
   size_t last_written_packet_number_length_;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer_test.cc
index 08b53f87ab6..99c29dc7ca4 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_framer_test.cc
@@ -6,6 +6,7 @@
 
 #include <algorithm>
 #include <cstdint>
+#include <cstring>
 #include <map>
 #include <memory>
 #include <string>
@@ -29,6 +30,8 @@
 #include "quiche/quic/core/quic_versions.h"
 #include "quiche/quic/platform/api/quic_expect_bug.h"
 #include "quiche/quic/platform/api/quic_flags.h"
+#include "quiche/quic/platform/api/quic_ip_address.h"
+#include "quiche/quic/platform/api/quic_ip_address_family.h"
 #include "quiche/quic/platform/api/quic_logging.h"
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/test_tools/quic_framer_peer.h"
@@ -7306,7 +7309,7 @@ TEST_P(QuicFramerTest, CryptoFrame) {
 }
 
 TEST_P(QuicFramerTest, BuildVersionNegotiationPacket) {
-  SetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness, true);
+  SetQuicFlag(quic_disable_version_negotiation_grease_randomness, true);
   // clang-format off
   unsigned char packet[] = {
       // public flags (version, 8 byte connection_id)
@@ -7372,7 +7375,7 @@ TEST_P(QuicFramerTest, BuildVersionNegotiationPacketWithClientConnectionId) {
     return;
   }
 
-  SetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness, true);
+  SetQuicFlag(quic_disable_version_negotiation_grease_randomness, true);
 
   // clang-format off
   unsigned char packet[] = {
@@ -10371,6 +10374,43 @@ TEST_P(QuicFramerTest, BuildIetfStatelessResetPacket) {
             data3->length());
 }
 
+TEST_P(QuicFramerTest, BuildIetfStatelessResetPacketCallerProvidedRandomBytes) {
+  // clang-format off
+    unsigned char packet[] = {
+      // 1st byte 01XX XXXX
+      0x7c,
+      // Random bytes
+      0x7c, 0x7c, 0x7c, 0x7c,
+      // stateless reset token
+      0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
+      0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f
+    };
+  // clang-format on
+
+  // Build the minimal stateless reset packet with caller-provided random bytes.
+  MockRandom random;
+  auto generate_random_bytes = [](void* data, size_t len) {
+    std::string bytes(len, 0x7c);
+    memcpy(data, bytes.data(), bytes.size());
+  };
+  EXPECT_CALL(random, InsecureRandBytes(_, _))
+      .WillOnce(testing::Invoke(generate_random_bytes));
+  std::unique_ptr<QuicEncryptedPacket> data(
+      framer_.BuildIetfStatelessResetPacket(
+          FramerTestConnectionId(),
+          QuicFramer::GetMinStatelessResetPacketLength() + 1,
+          kTestStatelessResetToken, &random));
+  ASSERT_TRUE(data);
+  EXPECT_EQ(QuicFramer::GetMinStatelessResetPacketLength(), data->length());
+  // Verify the first 2 bits are 01.
+  EXPECT_FALSE(data->data()[0] & FLAGS_LONG_HEADER);
+  EXPECT_TRUE(data->data()[0] & FLAGS_FIXED_BIT);
+  // Verify the entire packet.
+  quiche::test::CompareCharArraysWithHexError(
+      "constructed packet", data->data(), data->length(), AsChars(packet),
+      ABSL_ARRAYSIZE(packet));
+}
+
 TEST_P(QuicFramerTest, EncryptPacket) {
   QuicPacketNumber packet_number = kPacketNumber;
   // clang-format off
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_packet_creator.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_packet_creator.cc
index 3be9c40e0d9..d7949cec4a1 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_packet_creator.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_packet_creator.cc
@@ -324,7 +324,7 @@ bool QuicPacketCreator::ConsumeDataToFillCurrentPacket(
   }
   CreateStreamFrame(id, data_size, offset, fin, frame);
   // Explicitly disallow multi-packet CHLOs.
-  if (GetQuicFlag(FLAGS_quic_enforce_single_packet_chlo) &&
+  if (GetQuicFlag(quic_enforce_single_packet_chlo) &&
       StreamFrameIsClientHello(frame->stream_frame) &&
       frame->stream_frame.data_length < data_size) {
     const std::string error_details =
@@ -1569,7 +1569,7 @@ void QuicPacketCreator::Flush() {
   FlushCurrentPacket();
   SendRemainingPendingPadding();
   flusher_attached_ = false;
-  if (GetQuicFlag(FLAGS_quic_export_write_path_stats_at_server)) {
+  if (GetQuicFlag(quic_export_write_path_stats_at_server)) {
     if (!write_start_packet_number_.IsInitialized()) {
       QUIC_BUG(quic_bug_10752_32)
           << ENDPOINT << "write_start_packet_number is not initialized";
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_packet_creator_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_packet_creator_test.cc
index acdd8983606..9bd3b2f6a32 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_packet_creator_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_packet_creator_test.cc
@@ -470,7 +470,7 @@ TEST_P(QuicPacketCreatorTest, StreamFrameConsumption) {
 TEST_P(QuicPacketCreatorTest, CryptoStreamFramePacketPadding) {
   // This test serializes crypto payloads slightly larger than a packet, which
   // Causes the multi-packet ClientHello check to fail.
-  SetQuicFlag(FLAGS_quic_enforce_single_packet_chlo, false);
+  SetQuicFlag(quic_enforce_single_packet_chlo, false);
   // Compute the total overhead for a single frame in packet.
   size_t overhead =
       GetPacketHeaderOverhead(client_framer_.transport_version()) +
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_ping_manager.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_ping_manager.cc
index 961eb8d6dbf..1574632b5a3 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_ping_manager.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_ping_manager.cc
@@ -67,8 +67,7 @@ void QuicPingManager::OnAlarm() {
   // to SetAlarm later.
   if (earliest_deadline == retransmittable_on_wire_deadline_) {
     retransmittable_on_wire_deadline_ = QuicTime::Zero();
-    if (GetQuicFlag(
-            FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count) !=
+    if (GetQuicFlag(quic_max_aggressive_retransmittable_on_wire_ping_count) !=
         0) {
       ++consecutive_retransmittable_on_wire_count_;
     }
@@ -116,7 +115,7 @@ void QuicPingManager::UpdateDeadlines(QuicTime now, bool should_keep_alive,
   if (initial_retransmittable_on_wire_timeout_.IsInfinite() ||
       has_in_flight_packets ||
       retransmittable_on_wire_count_ >
-          GetQuicFlag(FLAGS_quic_max_retransmittable_on_wire_ping_count)) {
+          GetQuicFlag(quic_max_retransmittable_on_wire_ping_count)) {
     // No need to set retransmittable-on-wire timeout.
     retransmittable_on_wire_deadline_ = QuicTime::Zero();
     return;
@@ -127,7 +126,7 @@ void QuicPingManager::UpdateDeadlines(QuicTime now, bool should_keep_alive,
   QuicTime::Delta retransmittable_on_wire_timeout =
       initial_retransmittable_on_wire_timeout_;
   const int max_aggressive_retransmittable_on_wire_count =
-      GetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count);
+      GetQuicFlag(quic_max_aggressive_retransmittable_on_wire_ping_count);
   QUICHE_DCHECK_LE(0, max_aggressive_retransmittable_on_wire_count);
   if (consecutive_retransmittable_on_wire_count_ >
       max_aggressive_retransmittable_on_wire_count) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_ping_manager_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_ping_manager_test.cc
index 509022b6181..d9acc7aa48d 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_ping_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_ping_manager_test.cc
@@ -172,7 +172,7 @@ TEST_F(QuicPingManagerTest, RetransmittableOnWireTimeout) {
 
 TEST_F(QuicPingManagerTest, RetransmittableOnWireTimeoutExponentiallyBackOff) {
   const int kMaxAggressiveRetransmittableOnWireCount = 5;
-  SetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count,
+  SetQuicFlag(quic_max_aggressive_retransmittable_on_wire_ping_count,
               kMaxAggressiveRetransmittableOnWireCount);
   const QuicTime::Delta initial_retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(200);
@@ -257,7 +257,7 @@ TEST_F(QuicPingManagerTest, RetransmittableOnWireTimeoutExponentiallyBackOff) {
 TEST_F(QuicPingManagerTest,
        ResetRetransmitableOnWireTimeoutExponentiallyBackOff) {
   const int kMaxAggressiveRetransmittableOnWireCount = 3;
-  SetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count,
+  SetQuicFlag(quic_max_aggressive_retransmittable_on_wire_ping_count,
               kMaxAggressiveRetransmittableOnWireCount);
   const QuicTime::Delta initial_retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(200);
@@ -338,7 +338,7 @@ TEST_F(QuicPingManagerTest,
 
 TEST_F(QuicPingManagerTest, RetransmittableOnWireLimit) {
   static constexpr int kMaxRetransmittableOnWirePingCount = 3;
-  SetQuicFlag(FLAGS_quic_max_retransmittable_on_wire_ping_count,
+  SetQuicFlag(quic_max_retransmittable_on_wire_ping_count,
               kMaxRetransmittableOnWirePingCount);
   static constexpr QuicTime::Delta initial_retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(200);
@@ -386,7 +386,7 @@ TEST_F(QuicPingManagerTest, RetransmittableOnWireLimit) {
 TEST_F(QuicPingManagerTest, MaxRetransmittableOnWireDelayShift) {
   QuicPingManagerPeer::SetPerspective(&manager_, Perspective::IS_SERVER);
   const int kMaxAggressiveRetransmittableOnWireCount = 3;
-  SetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count,
+  SetQuicFlag(quic_max_aggressive_retransmittable_on_wire_ping_count,
               kMaxAggressiveRetransmittableOnWireCount);
   const QuicTime::Delta initial_retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(200);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_protocol_flags_list.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_protocol_flags_list.h
index c0006f792a4..a94fbc66a1f 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_protocol_flags_list.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_protocol_flags_list.h
@@ -214,4 +214,8 @@ QUIC_PROTOCOL_FLAG(bool, quic_use_lower_server_response_mtu_for_test, false,
 
 QUIC_PROTOCOL_FLAG(bool, quic_enforce_strict_amplification_factor, false,
                    "If true, enforce strict amplification factor")
+
+QUIC_PROTOCOL_FLAG(bool, quic_bounded_crypto_send_buffer, false,
+                   "If true, close the connection if a crypto send buffer "
+                   "exceeds its size limit.")
 #endif
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager.cc
index 0725631a653..88039a5571b 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager.cc
@@ -131,21 +131,6 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
     ignore_ack_delay_ = true;
   }
 
-  if (!remove_blackhole_detection_experiments_) {
-    if (config.HasClientRequestedIndependentOption(kPDP1, perspective)) {
-      num_ptos_for_path_degrading_ = 1;
-    }
-    if (config.HasClientRequestedIndependentOption(kPDP2, perspective)) {
-      num_ptos_for_path_degrading_ = 2;
-    }
-    if (config.HasClientRequestedIndependentOption(kPDP3, perspective)) {
-      num_ptos_for_path_degrading_ = 3;
-    }
-    if (config.HasClientRequestedIndependentOption(kPDP5, perspective)) {
-      num_ptos_for_path_degrading_ = 5;
-    }
-  }
-
   // Configure congestion control.
   if (config.HasClientRequestedIndependentOption(kTBBR, perspective)) {
     SetSendAlgorithm(kBBR);
@@ -165,27 +150,21 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
   }
 
   // Initial window.
-  if (GetQuicReloadableFlag(quic_unified_iw_options)) {
-    if (config.HasClientRequestedIndependentOption(kIW03, perspective)) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_unified_iw_options, 1, 4);
-      initial_congestion_window_ = 3;
-      send_algorithm_->SetInitialCongestionWindowInPackets(3);
-    }
-    if (config.HasClientRequestedIndependentOption(kIW10, perspective)) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_unified_iw_options, 2, 4);
-      initial_congestion_window_ = 10;
-      send_algorithm_->SetInitialCongestionWindowInPackets(10);
-    }
-    if (config.HasClientRequestedIndependentOption(kIW20, perspective)) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_unified_iw_options, 3, 4);
-      initial_congestion_window_ = 20;
-      send_algorithm_->SetInitialCongestionWindowInPackets(20);
-    }
-    if (config.HasClientRequestedIndependentOption(kIW50, perspective)) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_unified_iw_options, 4, 4);
-      initial_congestion_window_ = 50;
-      send_algorithm_->SetInitialCongestionWindowInPackets(50);
-    }
+  if (config.HasClientRequestedIndependentOption(kIW03, perspective)) {
+    initial_congestion_window_ = 3;
+    send_algorithm_->SetInitialCongestionWindowInPackets(3);
+  }
+  if (config.HasClientRequestedIndependentOption(kIW10, perspective)) {
+    initial_congestion_window_ = 10;
+    send_algorithm_->SetInitialCongestionWindowInPackets(10);
+  }
+  if (config.HasClientRequestedIndependentOption(kIW20, perspective)) {
+    initial_congestion_window_ = 20;
+    send_algorithm_->SetInitialCongestionWindowInPackets(20);
+  }
+  if (config.HasClientRequestedIndependentOption(kIW50, perspective)) {
+    initial_congestion_window_ = 50;
+    send_algorithm_->SetInitialCongestionWindowInPackets(50);
   }
   if (config.HasClientRequestedIndependentOption(kBWS5, perspective)) {
     initial_congestion_window_ = 10;
@@ -196,7 +175,7 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
     ignore_pings_ = true;
   }
 
-  using_pacing_ = !GetQuicFlag(FLAGS_quic_disable_pacing_for_perf_tests);
+  using_pacing_ = !GetQuicFlag(quic_disable_pacing_for_perf_tests);
   // Configure loss detection.
   if (config.HasClientRequestedIndependentOption(kILD0, perspective)) {
     uber_loss_algorithm_.SetReorderingShift(kDefaultIetfLossDelayShift);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager.h
index 731bd3defcc..1324ac268e2 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager.h
@@ -465,11 +465,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // kMinUntrustedInitialRoundTripTimeUs if not |trusted|.
   void SetInitialRtt(QuicTime::Delta rtt, bool trusted);
 
-  // Latched value of --quic_remove_blackhole_detection_experiments.
-  bool remove_blackhole_detection_experiments() const {
-    return remove_blackhole_detection_experiments_;
-  }
-
  private:
   friend class test::QuicConnectionPeer;
   friend class test::QuicSentPacketManagerPeer;
@@ -674,9 +669,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
 
   // Whether to ignore the ack_delay in received ACKs.
   bool ignore_ack_delay_;
-
-  const bool remove_blackhole_detection_experiments_ =
-      GetQuicReloadableFlag(quic_remove_blackhole_detection_experiments);
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager_test.cc
index 67605e49cb4..4bc98d52e03 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_sent_packet_manager_test.cc
@@ -2498,38 +2498,6 @@ TEST_F(QuicSentPacketManagerTest, GetPathDegradingDelayDefaultPTO) {
   EXPECT_EQ(expected_delay, manager_.GetPathDegradingDelay());
 }
 
-TEST_F(QuicSentPacketManagerTest, GetPathDegradingDelayUsing2PTO) {
-  if (GetQuicReloadableFlag(quic_remove_blackhole_detection_experiments)) {
-    return;
-  }
-  QuicConfig client_config;
-  QuicTagVector client_options;
-  client_options.push_back(kPDP2);
-  QuicSentPacketManagerPeer::SetPerspective(&manager_, Perspective::IS_CLIENT);
-  client_config.SetClientConnectionOptions(client_options);
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
-  manager_.SetFromConfig(client_config);
-  QuicTime::Delta expected_delay = 2 * manager_.GetPtoDelay();
-  EXPECT_EQ(expected_delay, manager_.GetPathDegradingDelay());
-}
-
-TEST_F(QuicSentPacketManagerTest, GetPathDegradingDelayUsing1PTO) {
-  if (GetQuicReloadableFlag(quic_remove_blackhole_detection_experiments)) {
-    return;
-  }
-  QuicConfig client_config;
-  QuicTagVector client_options;
-  client_options.push_back(kPDP1);
-  QuicSentPacketManagerPeer::SetPerspective(&manager_, Perspective::IS_CLIENT);
-  client_config.SetClientConnectionOptions(client_options);
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
-  manager_.SetFromConfig(client_config);
-  QuicTime::Delta expected_delay = 1 * manager_.GetPtoDelay();
-  EXPECT_EQ(expected_delay, manager_.GetPathDegradingDelay());
-}
-
 TEST_F(QuicSentPacketManagerTest, ClientsIgnorePings) {
   QuicSentPacketManagerPeer::SetPerspective(&manager_, Perspective::IS_CLIENT);
   QuicConfig client_config;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id.cc
index 3618e962960..17233ff1d5e 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id.cc
@@ -6,17 +6,67 @@
 
 #include <string>
 #include <tuple>
+#include <utility>
+
+#include "absl/strings/match.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
+#include "url/third_party/mozilla/url_parse.h"
+#include "quiche/common/platform/api/quiche_logging.h"
 
 namespace quic {
 
+// static
+absl::optional<QuicServerId> QuicServerId::ParseFromHostPortString(
+    absl::string_view host_port_string) {
+  url::Component username_component;
+  url::Component password_component;
+  url::Component host_component;
+  url::Component port_component;
+
+  url::ParseAuthority(host_port_string.data(),
+                      url::Component(0, host_port_string.size()),
+                      &username_component, &password_component, &host_component,
+                      &port_component);
+
+  // Only support "host:port" and nothing more or less.
+  if (username_component.is_valid() || password_component.is_valid() ||
+      !host_component.is_nonempty() || !port_component.is_nonempty()) {
+    QUICHE_DVLOG(1) << "QuicServerId could not be parsed: " << host_port_string;
+    return absl::nullopt;
+  }
+
+  std::string hostname(host_port_string.data() + host_component.begin,
+                       host_component.len);
+
+  int parsed_port_number =
+      url::ParsePort(host_port_string.data(), port_component);
+  // Negative result is either invalid or unspecified, either of which is
+  // disallowed for this parse. Port 0 is technically valid but reserved and not
+  // really usable in practice, so easiest to just disallow it here.
+  if (parsed_port_number <= 0) {
+    QUICHE_DVLOG(1)
+        << "Port could not be parsed while parsing QuicServerId from: "
+        << host_port_string;
+    return absl::nullopt;
+  }
+  QUICHE_DCHECK_LE(parsed_port_number, std::numeric_limits<uint16_t>::max());
+
+  return QuicServerId(std::move(hostname),
+                      static_cast<uint16_t>(parsed_port_number));
+}
+
 QuicServerId::QuicServerId() : QuicServerId("", 0, false) {}
 
-QuicServerId::QuicServerId(const std::string& host, uint16_t port)
-    : QuicServerId(host, port, false) {}
+QuicServerId::QuicServerId(std::string host, uint16_t port)
+    : QuicServerId(std::move(host), port, false) {}
 
-QuicServerId::QuicServerId(const std::string& host, uint16_t port,
+QuicServerId::QuicServerId(std::string host, uint16_t port,
                            bool privacy_mode_enabled)
-    : host_(host), port_(port), privacy_mode_enabled_(privacy_mode_enabled) {}
+    : host_(std::move(host)),
+      port_(port),
+      privacy_mode_enabled_(privacy_mode_enabled) {}
 
 QuicServerId::~QuicServerId() {}
 
@@ -34,4 +84,25 @@ bool QuicServerId::operator!=(const QuicServerId& other) const {
   return !(*this == other);
 }
 
+std::string QuicServerId::ToHostPortString() const {
+  return absl::StrCat(GetHostWithIpv6Brackets(), ":", port_);
+}
+
+absl::string_view QuicServerId::GetHostWithoutIpv6Brackets() const {
+  if (host_.length() > 2 && host_.front() == '[' && host_.back() == ']') {
+    return absl::string_view(host_.data() + 1, host_.length() - 2);
+  } else {
+    return host_;
+  }
+}
+
+std::string QuicServerId::GetHostWithIpv6Brackets() const {
+  if (!absl::StrContains(host_, ':') || host_.length() <= 2 ||
+      (host_.front() == '[' && host_.back() == ']')) {
+    return host_;
+  } else {
+    return absl::StrCat("[", host_, "]");
+  }
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id.h
index 7f226fd06b4..51d055b1a2a 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id.h
@@ -9,6 +9,8 @@
 #include <string>
 
 #include "absl/hash/hash.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
 #include "quiche/quic/platform/api/quic_export.h"
 
 namespace quic {
@@ -17,10 +19,15 @@ namespace quic {
 // privacy_mode.
 class QUIC_EXPORT_PRIVATE QuicServerId {
  public:
+  // Attempts to parse a QuicServerId from a "host:port" string. Returns nullopt
+  // if input could not be parsed. Requires input to contain both host and port
+  // and no other components of a URL authority.
+  static absl::optional<QuicServerId> ParseFromHostPortString(
+      absl::string_view host_port_string);
+
   QuicServerId();
-  QuicServerId(const std::string& host, uint16_t port);
-  QuicServerId(const std::string& host, uint16_t port,
-               bool privacy_mode_enabled);
+  QuicServerId(std::string host, uint16_t port);
+  QuicServerId(std::string host, uint16_t port, bool privacy_mode_enabled);
   ~QuicServerId();
 
   // Needed to be an element of an ordered container.
@@ -35,19 +42,31 @@ class QUIC_EXPORT_PRIVATE QuicServerId {
 
   bool privacy_mode_enabled() const { return privacy_mode_enabled_; }
 
+  // Returns a "host:port" representation. IPv6 literal hosts will always be
+  // bracketed in result.
+  std::string ToHostPortString() const;
+
+  // If host is an IPv6 literal surrounded by [], returns the substring without
+  // []. Otherwise, returns host as is.
+  absl::string_view GetHostWithoutIpv6Brackets() const;
+
+  // If host is an IPv6 literal without surrounding [], returns host wrapped in
+  // []. Otherwise, returns host as is.
+  std::string GetHostWithIpv6Brackets() const;
+
+  template <typename H>
+  friend H AbslHashValue(H h, const QuicServerId& server_id) {
+    return H::combine(std::move(h), server_id.host(), server_id.port(),
+                      server_id.privacy_mode_enabled());
+  }
+
  private:
   std::string host_;
   uint16_t port_;
   bool privacy_mode_enabled_;
 };
 
-class QUIC_EXPORT_PRIVATE QuicServerIdHash {
- public:
-  size_t operator()(const quic::QuicServerId& server_id) const noexcept {
-    return absl::HashOf(server_id.host(), server_id.port(),
-                        server_id.privacy_mode_enabled());
-  }
-};
+using QuicServerIdHash = absl::Hash<QuicServerId>;
 
 }  // namespace quic
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id_test.cc
index 226a5176222..1ca7a70e12a 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_server_id_test.cc
@@ -6,12 +6,16 @@
 
 #include <string>
 
+#include "absl/types/optional.h"
 #include "quiche/quic/platform/api/quic_test.h"
 
 namespace quic::test {
 
 namespace {
 
+using ::testing::Optional;
+using ::testing::Property;
+
 class QuicServerIdTest : public QuicTest {};
 
 TEST_F(QuicServerIdTest, Constructor) {
@@ -119,6 +123,103 @@ TEST_F(QuicServerIdTest, Equals) {
   EXPECT_NE(new_a_10_https_no_private, a_10_https_private);
 }
 
+TEST_F(QuicServerIdTest, Parse) {
+  absl::optional<QuicServerId> server_id =
+      QuicServerId::ParseFromHostPortString("host.test:500");
+
+  EXPECT_THAT(server_id, Optional(Property(&QuicServerId::host, "host.test")));
+  EXPECT_THAT(server_id, Optional(Property(&QuicServerId::port, 500)));
+  EXPECT_THAT(server_id,
+              Optional(Property(&QuicServerId::privacy_mode_enabled, false)));
+}
+
+TEST_F(QuicServerIdTest, CannotParseMissingPort) {
+  absl::optional<QuicServerId> server_id =
+      QuicServerId::ParseFromHostPortString("host.test");
+
+  EXPECT_EQ(server_id, absl::nullopt);
+}
+
+TEST_F(QuicServerIdTest, CannotParseEmptyPort) {
+  absl::optional<QuicServerId> server_id =
+      QuicServerId::ParseFromHostPortString("host.test:");
+
+  EXPECT_EQ(server_id, absl::nullopt);
+}
+
+TEST_F(QuicServerIdTest, CannotParseEmptyHost) {
+  absl::optional<QuicServerId> server_id =
+      QuicServerId::ParseFromHostPortString(":500");
+
+  EXPECT_EQ(server_id, absl::nullopt);
+}
+
+TEST_F(QuicServerIdTest, CannotParseUserInfo) {
+  absl::optional<QuicServerId> server_id =
+      QuicServerId::ParseFromHostPortString("userinfo@host.test:500");
+
+  EXPECT_EQ(server_id, absl::nullopt);
+}
+
+TEST_F(QuicServerIdTest, ParseIpv6Literal) {
+  absl::optional<QuicServerId> server_id =
+      QuicServerId::ParseFromHostPortString("[::1]:400");
+
+  EXPECT_THAT(server_id, Optional(Property(&QuicServerId::host, "[::1]")));
+  EXPECT_THAT(server_id, Optional(Property(&QuicServerId::port, 400)));
+  EXPECT_THAT(server_id,
+              Optional(Property(&QuicServerId::privacy_mode_enabled, false)));
+}
+
+TEST_F(QuicServerIdTest, ParseUnbracketedIpv6Literal) {
+  absl::optional<QuicServerId> server_id =
+      QuicServerId::ParseFromHostPortString("::1:400");
+
+  EXPECT_THAT(server_id, Optional(Property(&QuicServerId::host, "::1")));
+  EXPECT_THAT(server_id, Optional(Property(&QuicServerId::port, 400)));
+  EXPECT_THAT(server_id,
+              Optional(Property(&QuicServerId::privacy_mode_enabled, false)));
+}
+
+TEST_F(QuicServerIdTest, AddBracketsToIpv6) {
+  QuicServerId server_id("::1", 100);
+
+  EXPECT_EQ(server_id.GetHostWithIpv6Brackets(), "[::1]");
+  EXPECT_EQ(server_id.ToHostPortString(), "[::1]:100");
+}
+
+TEST_F(QuicServerIdTest, AddBracketsAlreadyIncluded) {
+  QuicServerId server_id("[::1]", 100);
+
+  EXPECT_EQ(server_id.GetHostWithIpv6Brackets(), "[::1]");
+  EXPECT_EQ(server_id.ToHostPortString(), "[::1]:100");
+}
+
+TEST_F(QuicServerIdTest, AddBracketsNotAddedToNonIpv6) {
+  QuicServerId server_id("host.test", 100);
+
+  EXPECT_EQ(server_id.GetHostWithIpv6Brackets(), "host.test");
+  EXPECT_EQ(server_id.ToHostPortString(), "host.test:100");
+}
+
+TEST_F(QuicServerIdTest, RemoveBracketsFromIpv6) {
+  QuicServerId server_id("[::1]", 100);
+
+  EXPECT_EQ(server_id.GetHostWithoutIpv6Brackets(), "::1");
+}
+
+TEST_F(QuicServerIdTest, RemoveBracketsNotIncluded) {
+  QuicServerId server_id("::1", 100);
+
+  EXPECT_EQ(server_id.GetHostWithoutIpv6Brackets(), "::1");
+}
+
+TEST_F(QuicServerIdTest, RemoveBracketsFromNonIpv6) {
+  QuicServerId server_id("host.test", 100);
+
+  EXPECT_EQ(server_id.GetHostWithoutIpv6Brackets(), "host.test");
+}
+
 }  // namespace
 
 }  // namespace quic::test
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_session.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_session.cc
index 8d87de1f2a6..b6b037171b4 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_session.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_session.cc
@@ -2629,7 +2629,7 @@ bool QuicSession::MigratePath(const QuicSocketAddress& self_address,
 
 bool QuicSession::ValidateToken(absl::string_view token) {
   QUICHE_DCHECK_EQ(perspective_, Perspective::IS_SERVER);
-  if (GetQuicFlag(FLAGS_quic_reject_retry_token_in_initial_packet)) {
+  if (GetQuicFlag(quic_reject_retry_token_in_initial_packet)) {
     return false;
   }
   if (token.empty() || token[0] != kAddressTokenPrefix) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_session.h b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_session.h
index e749abec6e6..e51d77aa792 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_session.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_session.h
@@ -178,6 +178,10 @@ class QUIC_EXPORT_PRIVATE QuicSession
     return false;
   }
   void OnBandwidthUpdateTimeout() override {}
+  std::unique_ptr<QuicPathValidationContext> CreateContextForMultiPortPath()
+      override {
+    return nullptr;
+  }
 
   // QuicStreamFrameDataProducer
   WriteStreamDataResult WriteStreamData(QuicStreamId id,
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream.cc
index 29990aa4a34..921682d2207 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream.cc
@@ -364,7 +364,7 @@ QuicStream::QuicStream(QuicStreamId id, QuicSession* session,
       add_random_padding_after_fin_(false),
       send_buffer_(
           session->connection()->helper()->GetStreamSendBufferAllocator()),
-      buffered_data_threshold_(GetQuicFlag(FLAGS_quic_buffered_data_threshold)),
+      buffered_data_threshold_(GetQuicFlag(quic_buffered_data_threshold)),
       is_static_(is_static),
       deadline_(QuicTime::Zero()),
       was_draining_(false),
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_id_manager.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_id_manager.cc
index 31ce3e89de1..1443211786c 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_id_manager.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_id_manager.cc
@@ -96,7 +96,7 @@ void QuicStreamIdManager::SetMaxOpenIncomingStreams(
 }
 
 void QuicStreamIdManager::MaybeSendMaxStreamsFrame() {
-  int divisor = GetQuicFlag(FLAGS_quic_max_streams_window_divisor);
+  int divisor = GetQuicFlag(quic_max_streams_window_divisor);
 
   if (divisor > 0) {
     if ((incoming_advertised_max_streams_ - incoming_stream_count_) >
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_id_manager_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_id_manager_test.cc
index c0cab1da97a..5b131123ee2 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_id_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_id_manager_test.cc
@@ -318,7 +318,7 @@ TEST_P(QuicStreamIdManagerTest, MaxStreamsWindow) {
   // Open and then close a number of streams to get close to the threshold of
   // sending a MAX_STREAM_FRAME.
   int stream_count = stream_id_manager_.incoming_initial_max_open_streams() /
-                         GetQuicFlag(FLAGS_quic_max_streams_window_divisor) -
+                         GetQuicFlag(quic_max_streams_window_divisor) -
                      1;
 
   // Should not get a control-frame transmission since the peer should have
@@ -411,7 +411,7 @@ TEST_P(QuicStreamIdManagerTest, MaxStreamsSlidingWindow) {
   // cause a MAX STREAMS frame to be generated.
   int i =
       static_cast<int>(stream_id_manager_.incoming_initial_max_open_streams() /
-                       GetQuicFlag(FLAGS_quic_max_streams_window_divisor));
+                       GetQuicFlag(quic_max_streams_window_divisor));
   QuicStreamId id =
       QuicStreamIdManagerPeer::GetFirstIncomingStreamId(&stream_id_manager_);
   EXPECT_CALL(delegate_, SendMaxStreams(first_advert + i, IsUnidirectional()));
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_send_buffer.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_send_buffer.cc
index c7eb1886f88..a8657b56a36 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_send_buffer.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_send_buffer.cc
@@ -63,7 +63,7 @@ void QuicStreamSendBuffer::SaveStreamData(absl::string_view data) {
 
   // Latch the maximum data slice size.
   const QuicByteCount max_data_slice_size =
-      GetQuicFlag(FLAGS_quic_send_buffer_max_data_slice_size);
+      GetQuicFlag(quic_send_buffer_max_data_slice_size);
   while (!data.empty()) {
     auto slice_len = std::min<absl::string_view::size_type>(
         data.length(), max_data_slice_size);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_send_buffer_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_send_buffer_test.cc
index 7abd791ff98..f4d6b50b94a 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_send_buffer_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_send_buffer_test.cc
@@ -41,7 +41,7 @@ class QuicStreamSendBufferTest : public QuicTest {
     quiche::QuicheMemSlice slice2(std::move(buffer2));
 
     // `data` will be split into two BufferedSlices.
-    SetQuicFlag(FLAGS_quic_send_buffer_max_data_slice_size, 1024);
+    SetQuicFlag(quic_send_buffer_max_data_slice_size, 1024);
     send_buffer_.SaveStreamData(data1);
 
     send_buffer_.SaveMemSlice(std::move(slice1));
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_test.cc
index 1bec69fc399..deb7c983afa 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_stream_test.cc
@@ -1108,7 +1108,7 @@ TEST_P(QuicStreamTest, ConnectionClosed) {
 }
 
 TEST_P(QuicStreamTest, CanWriteNewDataAfterData) {
-  SetQuicFlag(FLAGS_quic_buffered_data_threshold, 100);
+  SetQuicFlag(quic_buffered_data_threshold, 100);
   Initialize();
   EXPECT_TRUE(stream_->CanWriteNewDataAfterData(99));
   EXPECT_FALSE(stream_->CanWriteNewDataAfterData(100));
@@ -1116,7 +1116,7 @@ TEST_P(QuicStreamTest, CanWriteNewDataAfterData) {
 
 TEST_P(QuicStreamTest, WriteBufferedData) {
   // Set buffered data low water mark to be 100.
-  SetQuicFlag(FLAGS_quic_buffered_data_threshold, 100);
+  SetQuicFlag(quic_buffered_data_threshold, 100);
 
   Initialize();
   std::string data(1024, 'a');
@@ -1149,8 +1149,7 @@ TEST_P(QuicStreamTest, WriteBufferedData) {
 
   // Send buffered data to make buffered data size < threshold.
   QuicByteCount data_to_write =
-      3 * data.length() - 200 -
-      GetQuicFlag(FLAGS_quic_buffered_data_threshold) + 1;
+      3 * data.length() - 200 - GetQuicFlag(quic_buffered_data_threshold) + 1;
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _, _))
       .WillOnce(InvokeWithoutArgs([this, data_to_write]() {
         return session_->ConsumeData(stream_->id(), data_to_write, 200u, NO_FIN,
@@ -1159,9 +1158,9 @@ TEST_P(QuicStreamTest, WriteBufferedData) {
   // Buffered data size < threshold, ask upper layer for more data.
   EXPECT_CALL(*stream_, OnCanWriteNewData()).Times(1);
   stream_->OnCanWrite();
-  EXPECT_EQ(static_cast<uint64_t>(
-                GetQuicFlag(FLAGS_quic_buffered_data_threshold) - 1),
-            stream_->BufferedDataBytes());
+  EXPECT_EQ(
+      static_cast<uint64_t>(GetQuicFlag(quic_buffered_data_threshold) - 1),
+      stream_->BufferedDataBytes());
   EXPECT_TRUE(stream_->CanWriteNewData());
 
   // Flush all buffered data.
@@ -1199,8 +1198,7 @@ TEST_P(QuicStreamTest, WriteBufferedData) {
   EXPECT_FALSE(consumed.fin_consumed);
   EXPECT_EQ(data.length(), stream_->BufferedDataBytes());
 
-  data_to_write =
-      data.length() - GetQuicFlag(FLAGS_quic_buffered_data_threshold) + 1;
+  data_to_write = data.length() - GetQuicFlag(quic_buffered_data_threshold) + 1;
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _, _))
       .WillOnce(InvokeWithoutArgs([this, data_to_write]() {
         return session_->ConsumeData(stream_->id(), data_to_write, 0u, NO_FIN,
@@ -1209,9 +1207,9 @@ TEST_P(QuicStreamTest, WriteBufferedData) {
 
   EXPECT_CALL(*stream_, OnCanWriteNewData()).Times(1);
   stream_->OnCanWrite();
-  EXPECT_EQ(static_cast<uint64_t>(
-                GetQuicFlag(FLAGS_quic_buffered_data_threshold) - 1),
-            stream_->BufferedDataBytes());
+  EXPECT_EQ(
+      static_cast<uint64_t>(GetQuicFlag(quic_buffered_data_threshold) - 1),
+      stream_->BufferedDataBytes());
   EXPECT_TRUE(stream_->CanWriteNewData());
 
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _, _)).Times(0);
@@ -1222,7 +1220,7 @@ TEST_P(QuicStreamTest, WriteBufferedData) {
   consumed = stream_->WriteMemSlices(storage3.ToSpan(), false);
   EXPECT_EQ(data.length(), consumed.bytes_consumed);
   EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_EQ(data.length() + GetQuicFlag(FLAGS_quic_buffered_data_threshold) - 1,
+  EXPECT_EQ(data.length() + GetQuicFlag(quic_buffered_data_threshold) - 1,
             stream_->BufferedDataBytes());
   EXPECT_FALSE(stream_->CanWriteNewData());
 }
@@ -1255,7 +1253,7 @@ TEST_P(QuicStreamTest, WritevDataReachStreamLimit) {
 
 TEST_P(QuicStreamTest, WriteMemSlices) {
   // Set buffered data low water mark to be 100.
-  SetQuicFlag(FLAGS_quic_buffered_data_threshold, 100);
+  SetQuicFlag(quic_buffered_data_threshold, 100);
 
   Initialize();
   constexpr QuicByteCount kDataSize = 1024;
@@ -1295,7 +1293,7 @@ TEST_P(QuicStreamTest, WriteMemSlices) {
   EXPECT_FALSE(stream_->fin_buffered());
 
   QuicByteCount data_to_write =
-      2 * kDataSize - 100 - GetQuicFlag(FLAGS_quic_buffered_data_threshold) + 1;
+      2 * kDataSize - 100 - GetQuicFlag(quic_buffered_data_threshold) + 1;
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _, _))
       .WillOnce(InvokeWithoutArgs([this, data_to_write]() {
         return session_->ConsumeData(stream_->id(), data_to_write, 100u, NO_FIN,
@@ -1303,15 +1301,15 @@ TEST_P(QuicStreamTest, WriteMemSlices) {
       }));
   EXPECT_CALL(*stream_, OnCanWriteNewData()).Times(1);
   stream_->OnCanWrite();
-  EXPECT_EQ(static_cast<uint64_t>(
-                GetQuicFlag(FLAGS_quic_buffered_data_threshold) - 1),
-            stream_->BufferedDataBytes());
+  EXPECT_EQ(
+      static_cast<uint64_t>(GetQuicFlag(quic_buffered_data_threshold) - 1),
+      stream_->BufferedDataBytes());
   // Try to write slices2 again.
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _, _)).Times(0);
   consumed = stream_->WriteMemSlices(span2, true);
   EXPECT_EQ(2048u, consumed.bytes_consumed);
   EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_EQ(2 * kDataSize + GetQuicFlag(FLAGS_quic_buffered_data_threshold) - 1,
+  EXPECT_EQ(2 * kDataSize + GetQuicFlag(quic_buffered_data_threshold) - 1,
             stream_->BufferedDataBytes());
   EXPECT_TRUE(stream_->fin_buffered());
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_time_wait_list_manager.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_time_wait_list_manager.cc
index a892b5365d2..d4799738ccc 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_time_wait_list_manager.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_time_wait_list_manager.cc
@@ -71,7 +71,7 @@ QuicTimeWaitListManager::QuicTimeWaitListManager(
     QuicPacketWriter* writer, Visitor* visitor, const QuicClock* clock,
     QuicAlarmFactory* alarm_factory)
     : time_wait_period_(QuicTime::Delta::FromSeconds(
-          GetQuicFlag(FLAGS_quic_time_wait_list_seconds))),
+          GetQuicFlag(quic_time_wait_list_seconds))),
       connection_id_clean_up_alarm_(
           alarm_factory->CreateAlarm(new ConnectionIdCleanUpAlarm(this))),
       clock_(clock),
@@ -130,8 +130,7 @@ void QuicTimeWaitListManager::AddConnectionIdToTimeWait(
     RemoveConnectionDataFromMap(it);
   }
   TrimTimeWaitListIfNeeded();
-  int64_t max_connections =
-      GetQuicFlag(FLAGS_quic_time_wait_list_max_connections);
+  int64_t max_connections = GetQuicFlag(quic_time_wait_list_max_connections);
   QUICHE_DCHECK(connection_id_map_.empty() ||
                 num_connections() < static_cast<size_t>(max_connections));
   if (new_connection_id) {
@@ -357,7 +356,7 @@ bool QuicTimeWaitListManager::SendOrQueuePacket(
     return true;
   }
   if (pending_packets_queue_.size() >=
-      GetQuicFlag(FLAGS_quic_time_wait_list_max_pending_packets)) {
+      GetQuicFlag(quic_time_wait_list_max_pending_packets)) {
     // There are too many pending packets.
     QUIC_CODE_COUNT(quic_too_many_pending_packets_in_time_wait);
     return true;
@@ -456,7 +455,7 @@ void QuicTimeWaitListManager::CleanUpOldConnectionIds() {
 
 void QuicTimeWaitListManager::TrimTimeWaitListIfNeeded() {
   const int64_t kMaxConnections =
-      GetQuicFlag(FLAGS_quic_time_wait_list_max_connections);
+      GetQuicFlag(quic_time_wait_list_max_connections);
   if (kMaxConnections < 0) {
     return;
   }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_time_wait_list_manager_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_time_wait_list_manager_test.cc
index 93f6d87af44..9567519adf0 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_time_wait_list_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_time_wait_list_manager_test.cc
@@ -592,12 +592,12 @@ TEST_F(QuicTimeWaitListManagerTest, ConnectionIdsOrderedByTime) {
 
 TEST_F(QuicTimeWaitListManagerTest, MaxConnectionsTest) {
   // Basically, shut off time-based eviction.
-  SetQuicFlag(FLAGS_quic_time_wait_list_seconds, 10000000000);
-  SetQuicFlag(FLAGS_quic_time_wait_list_max_connections, 5);
+  SetQuicFlag(quic_time_wait_list_seconds, 10000000000);
+  SetQuicFlag(quic_time_wait_list_max_connections, 5);
 
   uint64_t current_conn_id = 0;
   const int64_t kMaxConnections =
-      GetQuicFlag(FLAGS_quic_time_wait_list_max_connections);
+      GetQuicFlag(quic_time_wait_list_max_connections);
   // Add exactly the maximum number of connections
   for (int64_t i = 0; i < kMaxConnections; ++i) {
     ++current_conn_id;
@@ -631,9 +631,9 @@ TEST_F(QuicTimeWaitListManagerTest, MaxConnectionsTest) {
 
 TEST_F(QuicTimeWaitListManagerTest, ZeroMaxConnections) {
   // Basically, shut off time-based eviction.
-  SetQuicFlag(FLAGS_quic_time_wait_list_seconds, 10000000000);
+  SetQuicFlag(quic_time_wait_list_seconds, 10000000000);
   // Keep time wait list empty.
-  SetQuicFlag(FLAGS_quic_time_wait_list_max_connections, 0);
+  SetQuicFlag(quic_time_wait_list_max_connections, 0);
 
   uint64_t current_conn_id = 0;
   // Add exactly the maximum number of connections
@@ -753,7 +753,7 @@ TEST_F(QuicTimeWaitListManagerTest, SendOrQueueNullPacket) {
 }
 
 TEST_F(QuicTimeWaitListManagerTest, TooManyPendingPackets) {
-  SetQuicFlag(FLAGS_quic_time_wait_list_max_pending_packets, 5);
+  SetQuicFlag(quic_time_wait_list_max_pending_packets, 5);
   const size_t kNumOfUnProcessablePackets = 2048;
   EXPECT_CALL(visitor_, OnWriteBlocked(&time_wait_list_manager_))
       .Times(testing::AnyNumber());
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_udp_socket_posix.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_udp_socket_posix.cc
index 400f45b563e..248fee370ff 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_udp_socket_posix.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_udp_socket_posix.cc
@@ -205,10 +205,10 @@ QuicUdpSocketFd QuicUdpSocketApi::Create(int address_family,
   // on ios/osx because CMSG_SPACE isn't a constant expression there.
   QUICHE_DCHECK_GE(kDefaultUdpPacketControlBufferSize, kMinCmsgSpaceForRead);
 
-  absl::StatusOr<SocketFd> socket =
-      socket_api::CreateSocket(FromPlatformAddressFamily(address_family),
-                               socket_api::SocketProtocol::kUdp,
-                               /*blocking=*/false);
+  absl::StatusOr<SocketFd> socket = socket_api::CreateSocket(
+      quiche::FromPlatformAddressFamily(address_family),
+      socket_api::SocketProtocol::kUdp,
+      /*blocking=*/false);
 
   if (!socket.ok()) {
     QUIC_LOG_FIRST_N(ERROR, 100)
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_versions.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_versions.cc
index df43ce74866..cc9065bee9a 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_versions.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_versions.cc
@@ -25,7 +25,7 @@ namespace {
 
 QuicVersionLabel CreateRandomVersionLabelForNegotiation() {
   QuicVersionLabel result;
-  if (!GetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness)) {
+  if (!GetQuicFlag(quic_disable_version_negotiation_grease_randomness)) {
     QuicRandom::GetInstance()->RandBytes(&result, sizeof(result));
   } else {
     result = MakeVersionLabel(0xd1, 0x57, 0x38, 0x3f);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_versions_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_versions_test.cc
index 58bab07c21a..ff57f3fc374 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/quic_versions_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/quic_versions_test.cc
@@ -241,7 +241,7 @@ TEST(QuicVersionsTest, CreateQuicVersionLabel) {
           0x0f0f0f0f);
 
   // Make sure that disabling randomness works.
-  SetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness, true);
+  SetQuicFlag(quic_disable_version_negotiation_grease_randomness, true);
   EXPECT_EQ(0xda5a3a3au, CreateQuicVersionLabel(
                              ParsedQuicVersion::ReservedForNegotiation()));
 }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/socket_factory.h b/chromium/net/third_party/quiche/src/quiche/quic/core/socket_factory.h
new file mode 100644
index 00000000000..d37499d6a0f
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/socket_factory.h
@@ -0,0 +1,47 @@
+// Copyright 2022 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_SOCKET_FACTORY_H_
+#define QUICHE_QUIC_CORE_SOCKET_FACTORY_H_
+
+#include <memory>
+
+#include "quiche/quic/core/connecting_client_socket.h"
+#include "quiche/quic/core/quic_types.h"
+#include "quiche/quic/platform/api/quic_socket_address.h"
+#include "quiche/common/platform/api/quiche_export.h"
+
+namespace quic {
+
+// A factory to create objects of type Socket and derived interfaces.
+class QUICHE_EXPORT_PRIVATE SocketFactory {
+ public:
+  virtual ~SocketFactory() = default;
+
+  // Will use platform default buffer size if `receive_buffer_size` or
+  // `send_buffer_size` is zero. If `async_visitor` is null, async operations
+  // must not be called on the created socket. If `async_visitor` is non-null,
+  // it must outlive the created socket.
+  virtual std::unique_ptr<ConnectingClientSocket> CreateTcpClientSocket(
+      const quic::QuicSocketAddress& peer_address,
+      QuicByteCount receive_buffer_size, QuicByteCount send_buffer_size,
+      ConnectingClientSocket::AsyncVisitor* async_visitor) = 0;
+
+  // Will use platform default buffer size if `receive_buffer_size` or
+  // `send_buffer_size` is zero. If `async_visitor` is null, async operations
+  // must not be called on the created socket. If `async_visitor` is non-null,
+  // it must outlive the created socket.
+  //
+  // TODO(ericorth): Consider creating a sub-interface for connecting UDP
+  // sockets with additional functionality, e.g. sendto, if needed.
+  virtual std::unique_ptr<ConnectingClientSocket>
+  CreateConnectingUdpClientSocket(
+      const quic::QuicSocketAddress& peer_address,
+      QuicByteCount receive_buffer_size, QuicByteCount send_buffer_size,
+      ConnectingClientSocket::AsyncVisitor* async_visitor) = 0;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_SOCKET_FACTORY_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker.cc
index 239de233f73..dbf0808696d 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker.cc
@@ -62,6 +62,7 @@ QuicAsyncStatus
 TlsServerHandshaker::DefaultProofSourceHandle::SelectCertificate(
     const QuicSocketAddress& server_address,
     const QuicSocketAddress& client_address,
+    const QuicConnectionId& /*original_connection_id*/,
     absl::string_view /*ssl_capabilities*/, const std::string& hostname,
     absl::string_view /*client_hello*/, const std::string& /*alpn*/,
     absl::optional<std::string> /*alps*/,
@@ -914,6 +915,7 @@ ssl_select_cert_result_t TlsServerHandshaker::EarlySelectCertCallback(
   const QuicAsyncStatus status = proof_source_handle_->SelectCertificate(
       session()->connection()->self_address().Normalized(),
       session()->connection()->peer_address().Normalized(),
+      session()->connection()->GetOriginalDestinationConnectionId(),
       ssl_capabilities_view, crypto_negotiated_params_->sni,
       absl::string_view(
           reinterpret_cast<const char*>(client_hello->client_hello),
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker.h b/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker.h
index bae7741bca7..f82c0226ab5 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker.h
@@ -13,6 +13,7 @@
 #include "quiche/quic/core/crypto/quic_crypto_server_config.h"
 #include "quiche/quic/core/crypto/tls_server_connection.h"
 #include "quiche/quic/core/proto/cached_network_parameters_proto.h"
+#include "quiche/quic/core/quic_connection_id.h"
 #include "quiche/quic/core/quic_crypto_server_stream_base.h"
 #include "quiche/quic/core/quic_crypto_stream.h"
 #include "quiche/quic/core/quic_time_accumulator.h"
@@ -229,6 +230,7 @@ class QUIC_EXPORT_PRIVATE TlsServerHandshaker
     QuicAsyncStatus SelectCertificate(
         const QuicSocketAddress& server_address,
         const QuicSocketAddress& client_address,
+        const QuicConnectionId& original_connection_id,
         absl::string_view ssl_capabilities, const std::string& hostname,
         absl::string_view client_hello, const std::string& alpn,
         absl::optional<std::string> alps,
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker_test.cc
index e652f052c75..b210c6eca81 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/core/tls_server_handshaker_test.cc
@@ -14,6 +14,7 @@
 #include "quiche/quic/core/crypto/client_proof_source.h"
 #include "quiche/quic/core/crypto/proof_source.h"
 #include "quiche/quic/core/crypto/quic_random.h"
+#include "quiche/quic/core/quic_connection_id.h"
 #include "quiche/quic/core/quic_crypto_client_stream.h"
 #include "quiche/quic/core/quic_session.h"
 #include "quiche/quic/core/quic_types.h"
@@ -169,7 +170,7 @@ class TlsServerHandshakerTest : public QuicTestWithParam<TestParams> {
             QuicCompressedCertsCache::kQuicCompressedCertsCacheSize),
         server_id_(kServerHostname, kServerPort, false),
         supported_versions_({GetParam().version}) {
-    SetQuicFlag(FLAGS_quic_disable_server_tls_resumption,
+    SetQuicFlag(quic_disable_server_tls_resumption,
                 GetParam().disable_resumption);
     client_crypto_config_ = std::make_unique<QuicCryptoClientConfig>(
         crypto_test_utils::ProofVerifierForTesting(),
@@ -600,6 +601,23 @@ TEST_P(TlsServerHandshakerTest, ExtractSNI) {
             "test.example.com");
 }
 
+TEST_P(TlsServerHandshakerTest, ServerConnectionIdPassedToSelectCert) {
+  InitializeServerWithFakeProofSourceHandle();
+
+  // Disable early data.
+  server_session_->set_early_data_enabled(false);
+
+  server_handshaker_->SetupProofSourceHandle(
+      /*select_cert_action=*/FakeProofSourceHandle::Action::DELEGATE_SYNC,
+      /*compute_signature_action=*/FakeProofSourceHandle::Action::
+          DELEGATE_SYNC);
+  InitializeFakeClient();
+  CompleteCryptoHandshake();
+  ExpectHandshakeSuccessful();
+
+  EXPECT_EQ(last_select_cert_args().original_connection_id, TestConnectionId());
+}
+
 TEST_P(TlsServerHandshakerTest, HostnameForCertSelectionAndComputeSignature) {
   // Client uses upper case letters in hostname. It is considered valid by
   // QuicHostnameUtils::IsValidSNI, but it should be normalized for cert
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_config_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_config_test.cc
index c93f1e49cfc..e19a3c9d418 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_config_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_config_test.cc
@@ -149,6 +149,22 @@ TEST_F(LoadBalancerConfigTest, BlockEncryptionExample) {
   EXPECT_EQ(memcmp(result, ptext, sizeof(ptext)), 0);
 }
 
+TEST_F(LoadBalancerConfigTest, ConfigIsCopyable) {
+  const uint8_t ptext[] = {0xed, 0x79, 0x3a, 0x51, 0xd4, 0x9b, 0x8f, 0x5f,
+                           0xee, 0x08, 0x0d, 0xbf, 0x48, 0xc0, 0xd1, 0xe5};
+  const uint8_t ctext[] = {0x4d, 0xd2, 0xd0, 0x5a, 0x7b, 0x0d, 0xe9, 0xb2,
+                           0xb9, 0x90, 0x7a, 0xfb, 0x5e, 0xcf, 0x8c, 0xc3};
+  const char key[] = {0x8f, 0x95, 0xf0, 0x92, 0x45, 0x76, 0x5f, 0x80,
+                      0x25, 0x69, 0x34, 0xe5, 0x0c, 0x66, 0x20, 0x7f};
+  uint8_t result[sizeof(ptext)];
+  auto config = LoadBalancerConfig::Create(0, 8, 8, absl::string_view(key, 16));
+  auto config2 = config;
+  EXPECT_TRUE(config->BlockEncrypt(ptext, result));
+  EXPECT_EQ(memcmp(result, ctext, sizeof(ctext)), 0);
+  EXPECT_TRUE(config2->BlockEncrypt(ptext, result));
+  EXPECT_EQ(memcmp(result, ctext, sizeof(ctext)), 0);
+}
+
 }  // namespace
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder.cc b/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder.cc
index bb9608bc587..9e71d6c4abb 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder.cc
@@ -44,9 +44,6 @@ bool WriteUint128(const absl::uint128 in, uint8_t size, QuicDataWriter &out) {
 
 }  // namespace
 
-constexpr uint8_t kLoadBalancerLengthMask = 0x3f;
-constexpr uint8_t kLoadBalancerUnroutableConfigId = 0xc0;
-
 absl::optional<LoadBalancerEncoder> LoadBalancerEncoder::Create(
     QuicRandom &random, LoadBalancerEncoderVisitorInterface *const visitor,
     const bool len_self_encoded, const uint8_t unroutable_connection_id_len) {
@@ -89,6 +86,7 @@ bool LoadBalancerEncoder::UpdateConfig(const LoadBalancerConfig &config,
   seed_ = absl::MakeUint128(random_.RandUint64(), random_.RandUint64()) %
           NumberOfNonces(config.nonce_len());
   num_nonces_left_ = NumberOfNonces(config.nonce_len());
+  connection_id_lengths_[config.config_id()] = config.total_len();
   return true;
 }
 
@@ -102,10 +100,10 @@ void LoadBalancerEncoder::DeleteConfig() {
 }
 
 QuicConnectionId LoadBalancerEncoder::GenerateConnectionId() {
-  uint8_t length = (config_.has_value()) ? config_->total_len()
-                                         : unroutable_connection_id_len_;
-  uint8_t config_id = config_.has_value() ? (config_->config_id() << 6)
+  uint8_t config_id = config_.has_value() ? config_->config_id()
                                           : kLoadBalancerUnroutableConfigId;
+  uint8_t shifted_config_id = config_id << 6;
+  uint8_t length = connection_id_lengths_[config_id];
   if (config_.has_value() != server_id_.has_value()) {
     QUIC_BUG(quic_bug_435375038_04)
         << "Existence of config and server_id are out of sync";
@@ -114,12 +112,12 @@ QuicConnectionId LoadBalancerEncoder::GenerateConnectionId() {
   uint8_t first_byte;
   // first byte
   if (len_self_encoded_) {
-    first_byte = config_id | (length - 1);
+    first_byte = shifted_config_id | (length - 1);
   } else {
     random_.RandBytes(static_cast<void *>(&first_byte), 1);
-    first_byte = config_id | (first_byte & kLoadBalancerLengthMask);
+    first_byte = shifted_config_id | (first_byte & kLoadBalancerLengthMask);
   }
-  if (config_id == kLoadBalancerUnroutableConfigId) {
+  if (!config_.has_value()) {
     return MakeUnroutableConnectionId(first_byte);
   }
   QuicConnectionId id;
@@ -167,12 +165,38 @@ QuicConnectionId LoadBalancerEncoder::GenerateConnectionId() {
   return id;
 }
 
+absl::optional<QuicConnectionId> LoadBalancerEncoder::GenerateNextConnectionId(
+    [[maybe_unused]] const QuicConnectionId &original) {
+  // Do not allow new connection IDs if linkable.
+  return (IsEncoding() && !IsEncrypted()) ? absl::optional<QuicConnectionId>()
+                                          : GenerateConnectionId();
+}
+
+absl::optional<QuicConnectionId> LoadBalancerEncoder::MaybeReplaceConnectionId(
+    const QuicConnectionId &original, const ParsedQuicVersion &version) {
+  // Pre-IETF versions of QUIC can respond poorly to new connection IDs issued
+  // during the handshake.
+  uint8_t needed_length = config_.has_value()
+                              ? config_->total_len()
+                              : connection_id_lengths_[kNumLoadBalancerConfigs];
+  return (!version.HasIetfQuicFrames() && original.length() == needed_length)
+             ? absl::optional<QuicConnectionId>()
+             : GenerateConnectionId();
+}
+
+uint8_t LoadBalancerEncoder::ConnectionIdLength(uint8_t first_byte) const {
+  if (len_self_encoded()) {
+    return (first_byte &= kLoadBalancerLengthMask) + 1;
+  }
+  return connection_id_lengths_[first_byte >> 6];
+}
+
 QuicConnectionId LoadBalancerEncoder::MakeUnroutableConnectionId(
     uint8_t first_byte) {
   QuicConnectionId id;
-  id.set_length(unroutable_connection_id_len_);
+  id.set_length(connection_id_lengths_[kLoadBalancerUnroutableConfigId]);
   id.mutable_data()[0] = first_byte;
-  random_.RandBytes(&id.mutable_data()[1], unroutable_connection_id_len_ - 1);
+  random_.RandBytes(&id.mutable_data()[1], connection_id_lengths_[3] - 1);
   return id;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder.h b/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder.h
index b48bb19a839..1099d7ac693 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder.h
@@ -5,6 +5,7 @@
 #ifndef QUICHE_QUIC_LOAD_BALANCER_LOAD_BALANCER_ENCODER_H_
 #define QUICHE_QUIC_LOAD_BALANCER_LOAD_BALANCER_ENCODER_H_
 
+#include "quiche/quic/core/connection_id_generator.h"
 #include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/load_balancer/load_balancer_config.h"
 #include "quiche/quic/load_balancer/load_balancer_server_id.h"
@@ -17,6 +18,18 @@ class LoadBalancerEncoderPeer;
 
 // Default length of a 4-tuple connection ID.
 inline constexpr uint8_t kLoadBalancerUnroutableLen = 8;
+// When the encoder is self-encoding the connection ID length, these are the
+// bits of the first byte that do so.
+constexpr uint8_t kLoadBalancerLengthMask = 0x3f;
+// The bits of the connection ID first byte that encode the config ID.
+constexpr uint8_t kLoadBalancerConfigIdMask = 0xc0;
+// The config ID that means the connection ID does not contain routing
+// information.
+constexpr uint8_t kLoadBalancerUnroutableConfigId = kNumLoadBalancerConfigs;
+// The bits of the connection ID first byte that correspond to a connection ID
+// that does not contain routing information.
+constexpr uint8_t kLoadBalancerUnroutablePrefix =
+    kLoadBalancerUnroutableConfigId << 6;
 
 // Interface which receives notifications when the current config is updated.
 class QUIC_EXPORT_PRIVATE LoadBalancerEncoderVisitorInterface {
@@ -50,8 +63,16 @@ class QUIC_EXPORT_PRIVATE LoadBalancerEncoderVisitorInterface {
 
 // Manages QUIC-LB configurations to properly encode a given server ID in a
 // QUIC Connection ID.
-class QUIC_EXPORT_PRIVATE LoadBalancerEncoder {
+class QUIC_EXPORT_PRIVATE LoadBalancerEncoder
+    : public ConnectionIdGeneratorInterface {
  public:
+  LoadBalancerEncoder(QuicRandom& random,
+                      LoadBalancerEncoderVisitorInterface* const visitor,
+                      const bool len_self_encoded)
+      : LoadBalancerEncoder(random, visitor, len_self_encoded,
+                            kLoadBalancerUnroutableLen) {}
+  ~LoadBalancerEncoder() override {}
+
   // Returns a newly created encoder with no active config, if
   // |unroutable_connection_id_length| is valid. |visitor| specifies an optional
   // interface to receive callbacks when config status changes.
@@ -82,40 +103,52 @@ class QUIC_EXPORT_PRIVATE LoadBalancerEncoder {
   // the current config, or 0 if there is no current config.
   absl::uint128 num_nonces_left() const { return num_nonces_left_; }
 
+  // Functions below are declared virtual to enable mocking.
   // Returns true if there is an active configuration.
-  bool IsEncoding() const { return config_.has_value(); }
+  virtual bool IsEncoding() const { return config_.has_value(); }
   // Returns true if there is an active configuration that uses encryption.
-  bool IsEncrypted() const {
+  virtual bool IsEncrypted() const {
     return config_.has_value() && config_->IsEncrypted();
   }
+  virtual bool len_self_encoded() const { return len_self_encoded_; }
 
   // If there's an active config, generates a connection ID using it. If not,
   // generates an unroutable connection_id. If there's an error, returns a zero-
   // length Connection ID.
   QuicConnectionId GenerateConnectionId();
 
- private:
-  friend class test::LoadBalancerEncoderPeer;
+  // Functions from ConnectionIdGeneratorInterface
+  absl::optional<QuicConnectionId> GenerateNextConnectionId(
+      const QuicConnectionId& original) override;
+  absl::optional<QuicConnectionId> MaybeReplaceConnectionId(
+      const QuicConnectionId& original,
+      const ParsedQuicVersion& version) override;
+  uint8_t ConnectionIdLength(uint8_t first_byte) const override;
 
+ protected:
   LoadBalancerEncoder(QuicRandom& random,
                       LoadBalancerEncoderVisitorInterface* const visitor,
                       const bool len_self_encoded,
                       const uint8_t unroutable_connection_id_len)
       : random_(random),
         len_self_encoded_(len_self_encoded),
-        visitor_(visitor),
-        unroutable_connection_id_len_(unroutable_connection_id_len) {}
+        visitor_(visitor) {
+    std::fill_n(connection_id_lengths_, 4, unroutable_connection_id_len);
+  }
+
+ private:
+  friend class test::LoadBalancerEncoderPeer;
 
   QuicConnectionId MakeUnroutableConnectionId(uint8_t first_byte);
 
   QuicRandom& random_;
   const bool len_self_encoded_;
   LoadBalancerEncoderVisitorInterface* const visitor_;
-  const uint8_t unroutable_connection_id_len_;
 
   absl::optional<LoadBalancerConfig> config_;
   absl::uint128 seed_, num_nonces_left_ = 0;
   absl::optional<LoadBalancerServerId> server_id_;
+  uint8_t connection_id_lengths_[kNumLoadBalancerConfigs + 1];
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder_test.cc
index f1df860e053..12d8fc7da03 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/load_balancer/load_balancer_encoder_test.cc
@@ -130,10 +130,10 @@ TEST_F(LoadBalancerEncoderTest, BadUnroutableLength) {
 
 TEST_F(LoadBalancerEncoderTest, BadServerIdLength) {
   auto encoder = LoadBalancerEncoder::Create(random_, nullptr, true);
-  EXPECT_TRUE(encoder.has_value());
+  ASSERT_TRUE(encoder.has_value());
   // Expects a 3 byte server ID and got 4.
   auto config = LoadBalancerConfig::CreateUnencrypted(1, 3, 4);
-  EXPECT_TRUE(config.has_value());
+  ASSERT_TRUE(config.has_value());
   EXPECT_QUIC_BUG(
       EXPECT_FALSE(encoder->UpdateConfig(*config, MakeServerId(kServerId, 4))),
       "Server ID length 4 does not match configured value of 3");
@@ -143,10 +143,9 @@ TEST_F(LoadBalancerEncoderTest, BadServerIdLength) {
 TEST_F(LoadBalancerEncoderTest, FailToUpdateConfigWithSameId) {
   TestLoadBalancerEncoderVisitor visitor;
   auto encoder = LoadBalancerEncoder::Create(random_, &visitor, true);
-  EXPECT_TRUE(encoder.has_value());
-  EXPECT_TRUE(encoder.has_value());
+  ASSERT_TRUE(encoder.has_value());
   auto config = LoadBalancerConfig::CreateUnencrypted(1, 3, 4);
-  EXPECT_TRUE(config.has_value());
+  ASSERT_TRUE(config.has_value());
   EXPECT_TRUE(encoder->UpdateConfig(*config, MakeServerId(kServerId, 3)));
   EXPECT_EQ(visitor.num_adds(), 1u);
   EXPECT_QUIC_BUG(
@@ -199,10 +198,10 @@ TEST_F(LoadBalancerEncoderTest, FollowSpecExample) {
   };
   random_.AddNextValues(0, 0x75c2699c);
   auto encoder = LoadBalancerEncoder::Create(random_, nullptr, true, 8);
-  EXPECT_TRUE(encoder.has_value());
+  ASSERT_TRUE(encoder.has_value());
   auto config = LoadBalancerConfig::Create(config_id, server_id_len, nonce_len,
                                            absl::string_view(raw_key));
-  EXPECT_TRUE(config.has_value());
+  ASSERT_TRUE(config.has_value());
   EXPECT_TRUE(encoder->UpdateConfig(
       *config, *LoadBalancerServerId::Create(raw_server_id)));
   EXPECT_TRUE(encoder->IsEncoding());
@@ -248,7 +247,7 @@ TEST_F(LoadBalancerEncoderTest, EncoderTestVectors) {
   };
   for (const auto &test : test_vectors) {
     auto encoder = LoadBalancerEncoder::Create(random_, nullptr, true, 8);
-    EXPECT_TRUE(encoder.has_value());
+    ASSERT_TRUE(encoder.has_value());
     random_.AddNextValues(kNonceHigh, kNonceLow);
     EXPECT_TRUE(encoder->UpdateConfig(test.config, test.server_id));
     EXPECT_EQ(encoder->GenerateConnectionId(), test.connection_id);
@@ -259,9 +258,9 @@ TEST_F(LoadBalancerEncoderTest, RunOutOfNonces) {
   const uint8_t server_id_len = 3;
   TestLoadBalancerEncoderVisitor visitor;
   auto encoder = LoadBalancerEncoder::Create(random_, &visitor, true, 8);
-  EXPECT_TRUE(encoder.has_value());
+  ASSERT_TRUE(encoder.has_value());
   auto config = LoadBalancerConfig::Create(0, server_id_len, 4, kKey);
-  EXPECT_TRUE(config.has_value());
+  ASSERT_TRUE(config.has_value());
   EXPECT_TRUE(
       encoder->UpdateConfig(*config, MakeServerId(kServerId, server_id_len)));
   EXPECT_EQ(visitor.num_adds(), 1u);
@@ -279,7 +278,7 @@ TEST_F(LoadBalancerEncoderTest, RunOutOfNonces) {
 TEST_F(LoadBalancerEncoderTest, UnroutableConnectionId) {
   random_.AddNextValues(0x83, kNonceHigh);
   auto encoder = LoadBalancerEncoder::Create(random_, nullptr, false);
-  EXPECT_TRUE(encoder.has_value());
+  ASSERT_TRUE(encoder.has_value());
   EXPECT_EQ(encoder->num_nonces_left(), 0);
   auto connection_id = encoder->GenerateConnectionId();
   // The first byte is the config_id (0xc0) xored with (0x83 & 0x3f).
@@ -290,7 +289,7 @@ TEST_F(LoadBalancerEncoderTest, UnroutableConnectionId) {
 
 TEST_F(LoadBalancerEncoderTest, NonDefaultUnroutableConnectionIdLength) {
   auto encoder = LoadBalancerEncoder::Create(random_, nullptr, true, 9);
-  EXPECT_TRUE(encoder.has_value());
+  ASSERT_TRUE(encoder.has_value());
   QuicConnectionId connection_id = encoder->GenerateConnectionId();
   EXPECT_EQ(connection_id.length(), 9);
 }
@@ -298,14 +297,14 @@ TEST_F(LoadBalancerEncoderTest, NonDefaultUnroutableConnectionIdLength) {
 TEST_F(LoadBalancerEncoderTest, DeleteConfigWhenNoConfigExists) {
   TestLoadBalancerEncoderVisitor visitor;
   auto encoder = LoadBalancerEncoder::Create(random_, &visitor, true);
-  EXPECT_TRUE(encoder.has_value());
+  ASSERT_TRUE(encoder.has_value());
   encoder->DeleteConfig();
   EXPECT_EQ(visitor.num_deletes(), 0u);
 }
 
 TEST_F(LoadBalancerEncoderTest, AddConfig) {
   auto config = LoadBalancerConfig::CreateUnencrypted(0, 3, 4);
-  EXPECT_TRUE(config.has_value());
+  ASSERT_TRUE(config.has_value());
   TestLoadBalancerEncoderVisitor visitor;
   auto encoder = LoadBalancerEncoder::Create(random_, &visitor, true);
   EXPECT_TRUE(encoder->UpdateConfig(*config, MakeServerId(kServerId, 3)));
@@ -321,12 +320,12 @@ TEST_F(LoadBalancerEncoderTest, AddConfig) {
 
 TEST_F(LoadBalancerEncoderTest, UpdateConfig) {
   auto config = LoadBalancerConfig::CreateUnencrypted(0, 3, 4);
-  EXPECT_TRUE(config.has_value());
+  ASSERT_TRUE(config.has_value());
   TestLoadBalancerEncoderVisitor visitor;
   auto encoder = LoadBalancerEncoder::Create(random_, &visitor, true);
   EXPECT_TRUE(encoder->UpdateConfig(*config, MakeServerId(kServerId, 3)));
   config = LoadBalancerConfig::Create(1, 4, 4, kKey);
-  EXPECT_TRUE(config.has_value());
+  ASSERT_TRUE(config.has_value());
   EXPECT_TRUE(encoder->UpdateConfig(*config, MakeServerId(kServerId, 4)));
   EXPECT_EQ(visitor.num_adds(), 2u);
   EXPECT_EQ(visitor.num_deletes(), 1u);
@@ -336,7 +335,7 @@ TEST_F(LoadBalancerEncoderTest, UpdateConfig) {
 
 TEST_F(LoadBalancerEncoderTest, DeleteConfig) {
   auto config = LoadBalancerConfig::CreateUnencrypted(0, 3, 4);
-  EXPECT_TRUE(config.has_value());
+  ASSERT_TRUE(config.has_value());
   TestLoadBalancerEncoderVisitor visitor;
   auto encoder = LoadBalancerEncoder::Create(random_, &visitor, true);
   EXPECT_TRUE(encoder->UpdateConfig(*config, MakeServerId(kServerId, 3)));
@@ -350,7 +349,7 @@ TEST_F(LoadBalancerEncoderTest, DeleteConfig) {
 
 TEST_F(LoadBalancerEncoderTest, DeleteConfigNoVisitor) {
   auto config = LoadBalancerConfig::CreateUnencrypted(0, 3, 4);
-  EXPECT_TRUE(config.has_value());
+  ASSERT_TRUE(config.has_value());
   auto encoder = LoadBalancerEncoder::Create(random_, nullptr, true);
   EXPECT_TRUE(encoder->UpdateConfig(*config, MakeServerId(kServerId, 3)));
   encoder->DeleteConfig();
@@ -359,6 +358,92 @@ TEST_F(LoadBalancerEncoderTest, DeleteConfigNoVisitor) {
   EXPECT_EQ(encoder->num_nonces_left(), 0);
 }
 
+TEST_F(LoadBalancerEncoderTest, MaybeReplaceConnectionIdReturnsNoChange) {
+  auto encoder = LoadBalancerEncoder::Create(random_, nullptr, false);
+  ASSERT_TRUE(encoder.has_value());
+  EXPECT_EQ(encoder->MaybeReplaceConnectionId(TestConnectionId(1),
+                                              ParsedQuicVersion::Q050()),
+            absl::nullopt);
+}
+
+TEST_F(LoadBalancerEncoderTest, MaybeReplaceConnectionIdReturnsChange) {
+  random_.AddNextValues(0x83, kNonceHigh);
+  auto encoder = LoadBalancerEncoder::Create(random_, nullptr, false);
+  ASSERT_TRUE(encoder.has_value());
+  // The first byte is the config_id (0xc0) xored with (0x83 & 0x3f).
+  // The remaining bytes are random, and therefore match kNonceHigh.
+  QuicConnectionId expected({0xc3, 0x5d, 0x52, 0xde, 0x4d, 0xe3, 0xe7, 0x21});
+  EXPECT_EQ(*encoder->MaybeReplaceConnectionId(TestConnectionId(1),
+                                               ParsedQuicVersion::RFCv1()),
+            expected);
+}
+
+TEST_F(LoadBalancerEncoderTest, GenerateNextConnectionIdReturnsNoChange) {
+  auto config = LoadBalancerConfig::CreateUnencrypted(0, 3, 4);
+  ASSERT_TRUE(config.has_value());
+  auto encoder = LoadBalancerEncoder::Create(random_, nullptr, true);
+  EXPECT_TRUE(encoder->UpdateConfig(*config, MakeServerId(kServerId, 3)));
+  EXPECT_EQ(encoder->GenerateNextConnectionId(TestConnectionId(1)),
+            absl::nullopt);
+}
+
+TEST_F(LoadBalancerEncoderTest, GenerateNextConnectionIdReturnsChange) {
+  random_.AddNextValues(0x83, kNonceHigh);
+  auto encoder = LoadBalancerEncoder::Create(random_, nullptr, false);
+  ASSERT_TRUE(encoder.has_value());
+  // The first byte is the config_id (0xc0) xored with (0x83 & 0x3f).
+  // The remaining bytes are random, and therefore match kNonceHigh.
+  QuicConnectionId expected({0xc3, 0x5d, 0x52, 0xde, 0x4d, 0xe3, 0xe7, 0x21});
+  EXPECT_EQ(*encoder->GenerateNextConnectionId(TestConnectionId(1)), expected);
+}
+
+TEST_F(LoadBalancerEncoderTest, ConnectionIdLengthsEncoded) {
+  // The first byte literally encodes the length.
+  auto len_encoder = LoadBalancerEncoder::Create(random_, nullptr, true);
+  ASSERT_TRUE(len_encoder.has_value());
+  EXPECT_EQ(len_encoder->ConnectionIdLength(0xc8), 9);
+  EXPECT_EQ(len_encoder->ConnectionIdLength(0x4a), 11);
+  EXPECT_EQ(len_encoder->ConnectionIdLength(0x09), 10);
+  // The length is not self-encoded anymore.
+  auto encoder = LoadBalancerEncoder::Create(random_, nullptr, false);
+  ASSERT_TRUE(encoder.has_value());
+  EXPECT_EQ(encoder->ConnectionIdLength(0xc8), kQuicDefaultConnectionIdLength);
+  EXPECT_EQ(encoder->ConnectionIdLength(0x4a), kQuicDefaultConnectionIdLength);
+  EXPECT_EQ(encoder->ConnectionIdLength(0x09), kQuicDefaultConnectionIdLength);
+  // Add config ID 0, so that ID now returns a different length.
+  uint8_t config_id = 0;
+  uint8_t server_id_len = 3;
+  uint8_t nonce_len = 6;
+  uint8_t config_0_len = server_id_len + nonce_len + 1;
+  auto config0 = LoadBalancerConfig::CreateUnencrypted(config_id, server_id_len,
+                                                       nonce_len);
+  ASSERT_TRUE(config0.has_value());
+  EXPECT_TRUE(
+      encoder->UpdateConfig(*config0, MakeServerId(kServerId, server_id_len)));
+  EXPECT_EQ(encoder->ConnectionIdLength(0xc8), kQuicDefaultConnectionIdLength);
+  EXPECT_EQ(encoder->ConnectionIdLength(0x4a), kQuicDefaultConnectionIdLength);
+  EXPECT_EQ(encoder->ConnectionIdLength(0x09), config_0_len);
+  // Replace config ID 0 with 1. There are probably still packets with config
+  // ID 0 arriving, so keep that length in memory.
+  config_id = 1;
+  nonce_len++;
+  uint8_t config_1_len = server_id_len + nonce_len + 1;
+  auto config1 = LoadBalancerConfig::CreateUnencrypted(config_id, server_id_len,
+                                                       nonce_len);
+  ASSERT_TRUE(config1.has_value());
+  // Old config length still there after replacement
+  EXPECT_TRUE(
+      encoder->UpdateConfig(*config1, MakeServerId(kServerId, server_id_len)));
+  EXPECT_EQ(encoder->ConnectionIdLength(0xc8), kQuicDefaultConnectionIdLength);
+  EXPECT_EQ(encoder->ConnectionIdLength(0x4a), config_1_len);
+  EXPECT_EQ(encoder->ConnectionIdLength(0x09), config_0_len);
+  // Old config length still there after delete
+  encoder->DeleteConfig();
+  EXPECT_EQ(encoder->ConnectionIdLength(0xc8), kQuicDefaultConnectionIdLength);
+  EXPECT_EQ(encoder->ConnectionIdLength(0x4a), config_1_len);
+  EXPECT_EQ(encoder->ConnectionIdLength(0x09), config_0_len);
+}
+
 }  // namespace
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_epoll_client.cc b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client.cc
index 705ea15cd95..b30597ba042 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_epoll_client.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client.cc
@@ -2,28 +2,29 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "quiche/quic/masque/masque_epoll_client.h"
+#include "quiche/quic/masque/masque_client.h"
 
 #include <string>
 
 #include "absl/memory/memory.h"
 #include "quiche/quic/masque/masque_client_session.h"
 #include "quiche/quic/masque/masque_utils.h"
+#include "quiche/quic/tools/quic_name_lookup.h"
 #include "quiche/quic/tools/quic_url.h"
 
 namespace quic {
 
-MasqueEpollClient::MasqueEpollClient(
-    QuicSocketAddress server_address, const QuicServerId& server_id,
-    MasqueMode masque_mode, QuicEpollServer* epoll_server,
-    std::unique_ptr<ProofVerifier> proof_verifier,
-    const std::string& uri_template)
-    : QuicClient(server_address, server_id, MasqueSupportedVersions(),
-                 epoll_server, std::move(proof_verifier)),
+MasqueClient::MasqueClient(QuicSocketAddress server_address,
+                           const QuicServerId& server_id,
+                           MasqueMode masque_mode, QuicEventLoop* event_loop,
+                           std::unique_ptr<ProofVerifier> proof_verifier,
+                           const std::string& uri_template)
+    : QuicDefaultClient(server_address, server_id, MasqueSupportedVersions(),
+                        event_loop, std::move(proof_verifier)),
       masque_mode_(masque_mode),
       uri_template_(uri_template) {}
 
-std::unique_ptr<QuicSession> MasqueEpollClient::CreateQuicClientSession(
+std::unique_ptr<QuicSession> MasqueClient::CreateQuicClientSession(
     const ParsedQuicVersionVector& supported_versions,
     QuicConnection* connection) {
   QUIC_DLOG(INFO) << "Creating MASQUE session for "
@@ -33,24 +34,23 @@ std::unique_ptr<QuicSession> MasqueEpollClient::CreateQuicClientSession(
       server_id(), crypto_config(), push_promise_index(), this);
 }
 
-MasqueClientSession* MasqueEpollClient::masque_client_session() {
-  return static_cast<MasqueClientSession*>(QuicClient::session());
+MasqueClientSession* MasqueClient::masque_client_session() {
+  return static_cast<MasqueClientSession*>(QuicDefaultClient::session());
 }
 
-QuicConnectionId MasqueEpollClient::connection_id() {
+QuicConnectionId MasqueClient::connection_id() {
   return masque_client_session()->connection_id();
 }
 
-std::string MasqueEpollClient::authority() const {
+std::string MasqueClient::authority() const {
   QuicUrl url(uri_template_);
   return absl::StrCat(url.host(), ":", url.port());
 }
 
 // static
-std::unique_ptr<MasqueEpollClient> MasqueEpollClient::Create(
+std::unique_ptr<MasqueClient> MasqueClient::Create(
     const std::string& uri_template, MasqueMode masque_mode,
-    QuicEpollServer* epoll_server,
-    std::unique_ptr<ProofVerifier> proof_verifier) {
+    QuicEventLoop* event_loop, std::unique_ptr<ProofVerifier> proof_verifier) {
   QuicUrl url(uri_template);
   std::string host = url.host();
   uint16_t port = url.port();
@@ -61,12 +61,12 @@ std::unique_ptr<MasqueEpollClient> MasqueEpollClient::Create(
     return nullptr;
   }
   QuicServerId server_id(host, port);
-  // Use absl::WrapUnique(new MasqueEpollClient(...)) instead of
-  // std::make_unique<MasqueEpollClient>(...) because the constructor for
-  // MasqueEpollClient is private and therefore not accessible from make_unique.
+  // Use absl::WrapUnique(new MasqueClient(...)) instead of
+  // std::make_unique<MasqueClient>(...) because the constructor for
+  // MasqueClient is private and therefore not accessible from make_unique.
   auto masque_client = absl::WrapUnique(
-      new MasqueEpollClient(addr, server_id, masque_mode, epoll_server,
-                            std::move(proof_verifier), uri_template));
+      new MasqueClient(addr, server_id, masque_mode, event_loop,
+                       std::move(proof_verifier), uri_template));
 
   if (masque_client == nullptr) {
     QUIC_LOG(ERROR) << "Failed to create masque_client";
@@ -94,9 +94,9 @@ std::unique_ptr<MasqueEpollClient> MasqueEpollClient::Create(
   return masque_client;
 }
 
-void MasqueEpollClient::OnSettingsReceived() { settings_received_ = true; }
+void MasqueClient::OnSettingsReceived() { settings_received_ = true; }
 
-bool MasqueEpollClient::WaitUntilSettingsReceived() {
+bool MasqueClient::WaitUntilSettingsReceived() {
   while (connected() && !settings_received_) {
     network_helper()->RunEventLoop();
   }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_epoll_client.h b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client.h
index 7eff270ee4e..d3332acc2b2 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_epoll_client.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client.h
@@ -2,28 +2,27 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_MASQUE_MASQUE_EPOLL_CLIENT_H_
-#define QUICHE_QUIC_MASQUE_MASQUE_EPOLL_CLIENT_H_
+#ifndef QUICHE_QUIC_MASQUE_MASQUE_CLIENT_H_
+#define QUICHE_QUIC_MASQUE_MASQUE_CLIENT_H_
 
 #include <string>
 
+#include "quiche/quic/core/io/quic_event_loop.h"
 #include "quiche/quic/masque/masque_client_session.h"
 #include "quiche/quic/masque/masque_utils.h"
 #include "quiche/quic/platform/api/quic_export.h"
-#include "quiche/quic/tools/quic_client.h"
-#include "quiche/quic/tools/quic_url.h"
+#include "quiche/quic/tools/quic_default_client.h"
 
 namespace quic {
 
 // QUIC client that implements MASQUE.
-class QUIC_NO_EXPORT MasqueEpollClient : public QuicClient,
-                                         public MasqueClientSession::Owner {
+class QUIC_NO_EXPORT MasqueClient : public QuicDefaultClient,
+                                    public MasqueClientSession::Owner {
  public:
-  // Constructs a MasqueEpollClient, performs a synchronous DNS lookup.
-  static std::unique_ptr<MasqueEpollClient> Create(
+  // Constructs a MasqueClient, performs a synchronous DNS lookup.
+  static std::unique_ptr<MasqueClient> Create(
       const std::string& uri_template, MasqueMode masque_mode,
-      QuicEpollServer* epoll_server,
-      std::unique_ptr<ProofVerifier> proof_verifier);
+      QuicEventLoop* event_loop, std::unique_ptr<ProofVerifier> proof_verifier);
 
   // From QuicClient.
   std::unique_ptr<QuicSession> CreateQuicClientSession(
@@ -43,11 +42,10 @@ class QUIC_NO_EXPORT MasqueEpollClient : public QuicClient,
 
  private:
   // Constructor is private, use Create() instead.
-  MasqueEpollClient(QuicSocketAddress server_address,
-                    const QuicServerId& server_id, MasqueMode masque_mode,
-                    QuicEpollServer* epoll_server,
-                    std::unique_ptr<ProofVerifier> proof_verifier,
-                    const std::string& uri_template);
+  MasqueClient(QuicSocketAddress server_address, const QuicServerId& server_id,
+               MasqueMode masque_mode, QuicEventLoop* event_loop,
+               std::unique_ptr<ProofVerifier> proof_verifier,
+               const std::string& uri_template);
 
   // Wait synchronously until we receive the peer's settings. Returns whether
   // they were received.
@@ -56,8 +54,8 @@ class QUIC_NO_EXPORT MasqueEpollClient : public QuicClient,
   std::string authority() const;
 
   // Disallow copy and assign.
-  MasqueEpollClient(const MasqueEpollClient&) = delete;
-  MasqueEpollClient& operator=(const MasqueEpollClient&) = delete;
+  MasqueClient(const MasqueClient&) = delete;
+  MasqueClient& operator=(const MasqueClient&) = delete;
 
   MasqueMode masque_mode_;
   std::string uri_template_;
@@ -66,4 +64,4 @@ class QUIC_NO_EXPORT MasqueEpollClient : public QuicClient,
 
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_MASQUE_MASQUE_EPOLL_CLIENT_H_
+#endif  // QUICHE_QUIC_MASQUE_MASQUE_CLIENT_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_bin.cc b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_bin.cc
index 2d686dfad08..ae495f87d90 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_bin.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_bin.cc
@@ -13,10 +13,13 @@
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
 #include "url/third_party/mozilla/url_parse.h"
+#include "quiche/quic/core/io/quic_default_event_loop.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
+#include "quiche/quic/core/quic_default_clock.h"
 #include "quiche/quic/core/quic_server_id.h"
+#include "quiche/quic/masque/masque_client.h"
 #include "quiche/quic/masque/masque_client_tools.h"
-#include "quiche/quic/masque/masque_encapsulated_epoll_client.h"
-#include "quiche/quic/masque/masque_epoll_client.h"
+#include "quiche/quic/masque/masque_encapsulated_client.h"
 #include "quiche/quic/masque/masque_utils.h"
 #include "quiche/quic/platform/api/quic_default_proof_providers.h"
 #include "quiche/quic/platform/api/quic_flags.h"
@@ -38,7 +41,7 @@ namespace quic {
 namespace {
 
 int RunMasqueClient(int argc, char* argv[]) {
-  quiche::QuicheSystemEventLoop event_loop("masque_client");
+  quiche::QuicheSystemEventLoop system_event_loop("masque_client");
   const char* usage = "Usage: masque_client [options] <url>";
 
   // The first non-flag argument is the URI template of the MASQUE server.
@@ -55,7 +58,8 @@ int RunMasqueClient(int argc, char* argv[]) {
 
   const bool disable_certificate_verification =
       quiche::GetQuicheCommandLineFlag(FLAGS_disable_certificate_verification);
-  QuicEpollServer epoll_server;
+  std::unique_ptr<QuicEventLoop> event_loop =
+      GetDefaultEventLoop()->Create(QuicDefaultClock::Get());
 
   std::string uri_template = urls[0];
   if (!absl::StrContains(uri_template, '/')) {
@@ -89,8 +93,8 @@ int RunMasqueClient(int argc, char* argv[]) {
     std::cerr << "Invalid masque_mode \"" << mode_string << "\"" << std::endl;
     return 1;
   }
-  std::unique_ptr<MasqueEpollClient> masque_client = MasqueEpollClient::Create(
-      uri_template, masque_mode, &epoll_server, std::move(proof_verifier));
+  std::unique_ptr<MasqueClient> masque_client = MasqueClient::Create(
+      uri_template, masque_mode, event_loop.get(), std::move(proof_verifier));
   if (masque_client == nullptr) {
     return 1;
   }
@@ -100,7 +104,7 @@ int RunMasqueClient(int argc, char* argv[]) {
 
   for (size_t i = 1; i < urls.size(); ++i) {
     if (!tools::SendEncapsulatedMasqueRequest(
-            masque_client.get(), &epoll_server, urls[i],
+            masque_client.get(), event_loop.get(), urls[i],
             disable_certificate_verification)) {
       return 1;
     }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_tools.cc b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_tools.cc
index 2c21a7739f2..06ca3ef76ab 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_tools.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_tools.cc
@@ -4,18 +4,19 @@
 
 #include "quiche/quic/masque/masque_client_tools.h"
 
-#include "quiche/quic/masque/masque_encapsulated_epoll_client.h"
+#include "quiche/quic/masque/masque_encapsulated_client.h"
 #include "quiche/quic/masque/masque_utils.h"
 #include "quiche/quic/platform/api/quic_default_proof_providers.h"
 #include "quiche/quic/tools/fake_proof_verifier.h"
+#include "quiche/quic/tools/quic_name_lookup.h"
 #include "quiche/quic/tools/quic_url.h"
 #include "quiche/spdy/core/http2_header_block.h"
 
 namespace quic {
 namespace tools {
 
-bool SendEncapsulatedMasqueRequest(MasqueEpollClient* masque_client,
-                                   QuicEpollServer* epoll_server,
+bool SendEncapsulatedMasqueRequest(MasqueClient* masque_client,
+                                   QuicEventLoop* event_loop,
                                    std::string url_string,
                                    bool disable_certificate_verification) {
   const QuicUrl url(url_string, "https");
@@ -34,11 +35,11 @@ bool SendEncapsulatedMasqueRequest(MasqueEpollClient* masque_client,
     return false;
   }
   const QuicServerId server_id(url.host(), url.port());
-  auto client = std::make_unique<MasqueEncapsulatedEpollClient>(
-      addr, server_id, epoll_server, std::move(proof_verifier), masque_client);
+  auto client = std::make_unique<MasqueEncapsulatedClient>(
+      addr, server_id, event_loop, std::move(proof_verifier), masque_client);
 
   if (client == nullptr) {
-    QUIC_LOG(ERROR) << "Failed to create MasqueEncapsulatedEpollClient for "
+    QUIC_LOG(ERROR) << "Failed to create MasqueEncapsulatedClient for "
                     << url_string;
     return false;
   }
@@ -46,7 +47,7 @@ bool SendEncapsulatedMasqueRequest(MasqueEpollClient* masque_client,
   client->set_initial_max_packet_length(kMasqueMaxEncapsulatedPacketSize);
   client->set_drop_response_body(false);
   if (!client->Initialize()) {
-    QUIC_LOG(ERROR) << "Failed to initialize MasqueEncapsulatedEpollClient for "
+    QUIC_LOG(ERROR) << "Failed to initialize MasqueEncapsulatedClient for "
                     << url_string;
     return false;
   }
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_tools.h b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_tools.h
index 0a8a4391f5c..307a09f7ca4 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_tools.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_client_tools.h
@@ -5,17 +5,17 @@
 #ifndef QUICHE_QUIC_MASQUE_MASQUE_CLIENT_TOOLS_H_
 #define QUICHE_QUIC_MASQUE_MASQUE_CLIENT_TOOLS_H_
 
-#include "quiche/quic/masque/masque_epoll_client.h"
+#include "quiche/quic/masque/masque_client.h"
 
 namespace quic {
 namespace tools {
 
 // Sends an HTTP GET request for |url_string|, proxied over the MASQUE
-// connection represented by |masque_client|. A valid and owned |epoll_server|
+// connection represented by |masque_client|. A valid and owned |event_loop|
 // is required. |disable_certificate_verification| allows disabling verification
 // of the HTTP server's TLS certificate.
-bool SendEncapsulatedMasqueRequest(MasqueEpollClient* masque_client,
-                                   QuicEpollServer* epoll_server,
+bool SendEncapsulatedMasqueRequest(MasqueClient* masque_client,
+                                   QuicEventLoop* event_loop,
                                    std::string url_string,
                                    bool disable_certificate_verification);
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_dispatcher.cc b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_dispatcher.cc
index 32776eec197..40ba112d2b1 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_dispatcher.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_dispatcher.cc
@@ -16,11 +16,12 @@ MasqueDispatcher::MasqueDispatcher(
     std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
     std::unique_ptr<QuicAlarmFactory> alarm_factory,
     MasqueServerBackend* masque_server_backend,
-    uint8_t expected_server_connection_id_length)
+    uint8_t expected_server_connection_id_length,
+    ConnectionIdGeneratorInterface& generator)
     : QuicSimpleDispatcher(config, crypto_config, version_manager,
                            std::move(helper), std::move(session_helper),
                            std::move(alarm_factory), masque_server_backend,
-                           expected_server_connection_id_length),
+                           expected_server_connection_id_length, generator),
       masque_mode_(masque_mode),
       event_loop_(event_loop),
       masque_server_backend_(masque_server_backend) {}
@@ -31,11 +32,11 @@ std::unique_ptr<QuicSession> MasqueDispatcher::CreateQuicSession(
     const ParsedQuicVersion& version,
     const ParsedClientHello& /*parsed_chlo*/) {
   // The MasqueServerSession takes ownership of |connection| below.
-  QuicConnection* connection =
-      new QuicConnection(connection_id, self_address, peer_address, helper(),
-                         alarm_factory(), writer(),
-                         /*owns_writer=*/false, Perspective::IS_SERVER,
-                         ParsedQuicVersionVector{version});
+  QuicConnection* connection = new QuicConnection(
+      connection_id, self_address, peer_address, helper(), alarm_factory(),
+      writer(),
+      /*owns_writer=*/false, Perspective::IS_SERVER,
+      ParsedQuicVersionVector{version}, connection_id_generator());
 
   auto session = std::make_unique<MasqueServerSession>(
       masque_mode_, config(), GetSupportedVersions(), connection, this,
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_dispatcher.h b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_dispatcher.h
index 804d2e9421d..8d5a07b2e0b 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_dispatcher.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_dispatcher.h
@@ -27,7 +27,8 @@ class QUIC_NO_EXPORT MasqueDispatcher : public QuicSimpleDispatcher {
       std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
       std::unique_ptr<QuicAlarmFactory> alarm_factory,
       MasqueServerBackend* masque_server_backend,
-      uint8_t expected_server_connection_id_length);
+      uint8_t expected_server_connection_id_length,
+      ConnectionIdGeneratorInterface& generator);
 
   // Disallow copy and assign.
   MasqueDispatcher(const MasqueDispatcher&) = delete;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_epoll_client.cc b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_client.cc
index 242d26594d0..a8d62073bb5 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_epoll_client.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_client.cc
@@ -2,13 +2,14 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "quiche/quic/masque/masque_encapsulated_epoll_client.h"
+#include "quiche/quic/masque/masque_encapsulated_client.h"
 
 #include "quiche/quic/core/quic_utils.h"
+#include "quiche/quic/masque/masque_client.h"
 #include "quiche/quic/masque/masque_client_session.h"
 #include "quiche/quic/masque/masque_encapsulated_client_session.h"
-#include "quiche/quic/masque/masque_epoll_client.h"
 #include "quiche/quic/masque/masque_utils.h"
+#include "quiche/quic/tools/quic_client_default_network_helper.h"
 
 namespace quic {
 
@@ -18,7 +19,7 @@ namespace {
 // packets.
 class MasquePacketWriter : public QuicPacketWriter {
  public:
-  explicit MasquePacketWriter(MasqueEncapsulatedEpollClient* client)
+  explicit MasquePacketWriter(MasqueEncapsulatedClient* client)
       : client_(client) {}
   WriteResult WritePacket(const char* buffer, size_t buf_len,
                           const QuicIpAddress& /*self_address*/,
@@ -38,7 +39,7 @@ class MasquePacketWriter : public QuicPacketWriter {
   void SetWritable() override {}
 
   absl::optional<int> MessageTooBigErrorCode() const override {
-    return EMSGSIZE;
+    return absl::nullopt;
   }
 
   QuicByteCount GetMaxPacketSize(
@@ -58,45 +59,43 @@ class MasquePacketWriter : public QuicPacketWriter {
   WriteResult Flush() override { return WriteResult(WRITE_STATUS_OK, 0); }
 
  private:
-  MasqueEncapsulatedEpollClient* client_;  // Unowned.
+  MasqueEncapsulatedClient* client_;  // Unowned.
 };
 
 // Custom network helper that allows injecting a custom packet writer in order
 // to get all of a connection's outgoing packets.
-class MasqueClientEpollNetworkHelper : public QuicClientEpollNetworkHelper {
+class MasqueClientDefaultNetworkHelper : public QuicClientDefaultNetworkHelper {
  public:
-  MasqueClientEpollNetworkHelper(QuicEpollServer* epoll_server,
-                                 MasqueEncapsulatedEpollClient* client)
-      : QuicClientEpollNetworkHelper(epoll_server, client), client_(client) {}
+  MasqueClientDefaultNetworkHelper(QuicEventLoop* event_loop,
+                                   MasqueEncapsulatedClient* client)
+      : QuicClientDefaultNetworkHelper(event_loop, client), client_(client) {}
   QuicPacketWriter* CreateQuicPacketWriter() override {
     return new MasquePacketWriter(client_);
   }
 
  private:
-  MasqueEncapsulatedEpollClient* client_;  // Unowned.
+  MasqueEncapsulatedClient* client_;  // Unowned.
 };
 
 }  // namespace
 
-MasqueEncapsulatedEpollClient::MasqueEncapsulatedEpollClient(
+MasqueEncapsulatedClient::MasqueEncapsulatedClient(
     QuicSocketAddress server_address, const QuicServerId& server_id,
-    QuicEpollServer* epoll_server,
-    std::unique_ptr<ProofVerifier> proof_verifier,
-    MasqueEpollClient* masque_client)
-    : QuicClient(
+    QuicEventLoop* event_loop, std::unique_ptr<ProofVerifier> proof_verifier,
+    MasqueClient* masque_client)
+    : QuicDefaultClient(
           server_address, server_id, MasqueSupportedVersions(),
-          MasqueEncapsulatedConfig(), epoll_server,
-          std::make_unique<MasqueClientEpollNetworkHelper>(epoll_server, this),
+          MasqueEncapsulatedConfig(), event_loop,
+          std::make_unique<MasqueClientDefaultNetworkHelper>(event_loop, this),
           std::move(proof_verifier)),
       masque_client_(masque_client) {}
 
-MasqueEncapsulatedEpollClient::~MasqueEncapsulatedEpollClient() {
+MasqueEncapsulatedClient::~MasqueEncapsulatedClient() {
   masque_client_->masque_client_session()->CloseConnectUdpStream(
       masque_encapsulated_client_session());
 }
 
-std::unique_ptr<QuicSession>
-MasqueEncapsulatedEpollClient::CreateQuicClientSession(
+std::unique_ptr<QuicSession> MasqueEncapsulatedClient::CreateQuicClientSession(
     const ParsedQuicVersionVector& supported_versions,
     QuicConnection* connection) {
   QUIC_DLOG(INFO) << "Creating MASQUE encapsulated session for "
@@ -107,8 +106,9 @@ MasqueEncapsulatedEpollClient::CreateQuicClientSession(
 }
 
 MasqueEncapsulatedClientSession*
-MasqueEncapsulatedEpollClient::masque_encapsulated_client_session() {
-  return static_cast<MasqueEncapsulatedClientSession*>(QuicClient::session());
+MasqueEncapsulatedClient::masque_encapsulated_client_session() {
+  return static_cast<MasqueEncapsulatedClientSession*>(
+      QuicDefaultClient::session());
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_client.h b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_client.h
new file mode 100644
index 00000000000..42fda869e68
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_client.h
@@ -0,0 +1,47 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_MASQUE_MASQUE_ENCAPSULATED_CLIENT_H_
+#define QUICHE_QUIC_MASQUE_MASQUE_ENCAPSULATED_CLIENT_H_
+
+#include "quiche/quic/core/io/quic_event_loop.h"
+#include "quiche/quic/masque/masque_client.h"
+#include "quiche/quic/masque/masque_encapsulated_client_session.h"
+#include "quiche/quic/platform/api/quic_export.h"
+#include "quiche/quic/tools/quic_default_client.h"
+
+namespace quic {
+
+// QUIC client for QUIC encapsulated in MASQUE.
+class QUIC_NO_EXPORT MasqueEncapsulatedClient : public QuicDefaultClient {
+ public:
+  MasqueEncapsulatedClient(QuicSocketAddress server_address,
+                           const QuicServerId& server_id,
+                           QuicEventLoop* event_loop,
+                           std::unique_ptr<ProofVerifier> proof_verifier,
+                           MasqueClient* masque_client);
+  ~MasqueEncapsulatedClient() override;
+
+  // Disallow copy and assign.
+  MasqueEncapsulatedClient(const MasqueEncapsulatedClient&) = delete;
+  MasqueEncapsulatedClient& operator=(const MasqueEncapsulatedClient&) = delete;
+
+  // From QuicClient.
+  std::unique_ptr<QuicSession> CreateQuicClientSession(
+      const ParsedQuicVersionVector& supported_versions,
+      QuicConnection* connection) override;
+
+  // MASQUE client that this client is encapsulated in.
+  MasqueClient* masque_client() { return masque_client_; }
+
+  // Client session for this client.
+  MasqueEncapsulatedClientSession* masque_encapsulated_client_session();
+
+ private:
+  MasqueClient* masque_client_;  // Unowned.
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_MASQUE_MASQUE_ENCAPSULATED_CLIENT_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_epoll_client.h b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_epoll_client.h
deleted file mode 100644
index 2b98652755a..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_encapsulated_epoll_client.h
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_MASQUE_MASQUE_ENCAPSULATED_EPOLL_CLIENT_H_
-#define QUICHE_QUIC_MASQUE_MASQUE_ENCAPSULATED_EPOLL_CLIENT_H_
-
-#include "quiche/quic/masque/masque_encapsulated_client_session.h"
-#include "quiche/quic/masque/masque_epoll_client.h"
-#include "quiche/quic/platform/api/quic_export.h"
-#include "quiche/quic/tools/quic_client.h"
-
-namespace quic {
-
-// QUIC client for QUIC encapsulated in MASQUE.
-class QUIC_NO_EXPORT MasqueEncapsulatedEpollClient : public QuicClient {
- public:
-  MasqueEncapsulatedEpollClient(QuicSocketAddress server_address,
-                                const QuicServerId& server_id,
-                                QuicEpollServer* epoll_server,
-                                std::unique_ptr<ProofVerifier> proof_verifier,
-                                MasqueEpollClient* masque_client);
-  ~MasqueEncapsulatedEpollClient() override;
-
-  // Disallow copy and assign.
-  MasqueEncapsulatedEpollClient(const MasqueEncapsulatedEpollClient&) = delete;
-  MasqueEncapsulatedEpollClient& operator=(
-      const MasqueEncapsulatedEpollClient&) = delete;
-
-  // From QuicClient.
-  std::unique_ptr<QuicSession> CreateQuicClientSession(
-      const ParsedQuicVersionVector& supported_versions,
-      QuicConnection* connection) override;
-
-  // MASQUE client that this client is encapsulated in.
-  MasqueEpollClient* masque_client() { return masque_client_; }
-
-  // Client session for this client.
-  MasqueEncapsulatedClientSession* masque_encapsulated_client_session();
-
- private:
-  MasqueEpollClient* masque_client_;  // Unowned.
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_MASQUE_MASQUE_ENCAPSULATED_EPOLL_CLIENT_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_epoll_server.cc b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_server.cc
index a67c5077f60..b05e306672f 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_epoll_server.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_server.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "quiche/quic/masque/masque_epoll_server.h"
+#include "quiche/quic/masque/masque_server.h"
 
 #include "quiche/quic/core/quic_default_connection_helper.h"
 #include "quiche/quic/masque/masque_dispatcher.h"
@@ -12,20 +12,20 @@
 
 namespace quic {
 
-MasqueEpollServer::MasqueEpollServer(MasqueMode masque_mode,
-                                     MasqueServerBackend* masque_server_backend)
+MasqueServer::MasqueServer(MasqueMode masque_mode,
+                           MasqueServerBackend* masque_server_backend)
     : QuicServer(CreateDefaultProofSource(), masque_server_backend,
                  MasqueSupportedVersions()),
       masque_mode_(masque_mode),
       masque_server_backend_(masque_server_backend) {}
 
-QuicDispatcher* MasqueEpollServer::CreateQuicDispatcher() {
+QuicDispatcher* MasqueServer::CreateQuicDispatcher() {
   return new MasqueDispatcher(
       masque_mode_, &config(), &crypto_config(), version_manager(),
       event_loop(), std::make_unique<QuicDefaultConnectionHelper>(),
       std::make_unique<QuicSimpleCryptoServerStreamHelper>(),
       event_loop()->CreateAlarmFactory(), masque_server_backend_,
-      expected_server_connection_id_length());
+      expected_server_connection_id_length(), connection_id_generator());
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_epoll_server.h b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_server.h
index 588d0e75488..0d09d7fe6b3 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_epoll_server.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_server.h
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_MASQUE_MASQUE_EPOLL_SERVER_H_
-#define QUICHE_QUIC_MASQUE_MASQUE_EPOLL_SERVER_H_
+#ifndef QUICHE_QUIC_MASQUE_MASQUE_SERVER_H_
+#define QUICHE_QUIC_MASQUE_MASQUE_SERVER_H_
 
 #include "quiche/quic/masque/masque_server_backend.h"
 #include "quiche/quic/masque/masque_utils.h"
@@ -13,14 +13,14 @@
 namespace quic {
 
 // QUIC server that implements MASQUE.
-class QUIC_NO_EXPORT MasqueEpollServer : public QuicServer {
+class QUIC_NO_EXPORT MasqueServer : public QuicServer {
  public:
-  explicit MasqueEpollServer(MasqueMode masque_mode,
-                             MasqueServerBackend* masque_server_backend);
+  explicit MasqueServer(MasqueMode masque_mode,
+                        MasqueServerBackend* masque_server_backend);
 
   // Disallow copy and assign.
-  MasqueEpollServer(const MasqueEpollServer&) = delete;
-  MasqueEpollServer& operator=(const MasqueEpollServer&) = delete;
+  MasqueServer(const MasqueServer&) = delete;
+  MasqueServer& operator=(const MasqueServer&) = delete;
 
   // From QuicServer.
   QuicDispatcher* CreateQuicDispatcher() override;
@@ -32,4 +32,4 @@ class QUIC_NO_EXPORT MasqueEpollServer : public QuicServer {
 
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_MASQUE_MASQUE_EPOLL_SERVER_H_
+#endif  // QUICHE_QUIC_MASQUE_MASQUE_SERVER_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_server_bin.cc b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_server_bin.cc
index 23d9d69c284..148d640b8fd 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_server_bin.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/masque/masque_server_bin.cc
@@ -9,7 +9,7 @@
 
 #include <memory>
 
-#include "quiche/quic/masque/masque_epoll_server.h"
+#include "quiche/quic/masque/masque_server.h"
 #include "quiche/quic/masque/masque_server_backend.h"
 #include "quiche/quic/platform/api/quic_flags.h"
 #include "quiche/quic/platform/api/quic_logging.h"
@@ -57,7 +57,7 @@ int main(int argc, char* argv[]) {
       quiche::GetQuicheCommandLineFlag(FLAGS_cache_dir));
 
   auto server =
-      std::make_unique<quic::MasqueEpollServer>(masque_mode, backend.get());
+      std::make_unique<quic::MasqueServer>(masque_mode, backend.get());
 
   if (!server->CreateUDPSocketAndListen(quic::QuicSocketAddress(
           quic::QuicIpAddress::Any6(),
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_epoll.h b/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_epoll.h
deleted file mode 100644
index 58aa78025a7..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_epoll.h
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_PLATFORM_API_QUIC_EPOLL_H_
-#define QUICHE_QUIC_PLATFORM_API_QUIC_EPOLL_H_
-
-#include "quiche/common/platform/api/quiche_epoll.h"
-
-namespace quic {
-
-using QuicEpollServer = quiche::QuicheEpollServer;
-using QuicEpollEvent = quiche::QuicheEpollEvent;
-using QuicEpollAlarmBase = quiche::QuicheEpollAlarmBase;
-using QuicEpollCallbackInterface = quiche::QuicheEpollCallbackInterface;
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_PLATFORM_API_QUIC_EPOLL_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address.h b/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address.h
index 685cde86715..7f2ed20d571 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address.h
@@ -5,92 +5,11 @@
 #ifndef QUICHE_QUIC_PLATFORM_API_QUIC_IP_ADDRESS_H_
 #define QUICHE_QUIC_PLATFORM_API_QUIC_IP_ADDRESS_H_
 
-#if defined(_WIN32)
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#else
-#include <arpa/inet.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#endif
-
-#include <ostream>
-#include <string>
-
-#include "quiche/quic/platform/api/quic_export.h"
-#include "quiche/quic/platform/api/quic_ip_address_family.h"
+#include "quiche/common/quiche_ip_address.h"
 
 namespace quic {
 
-// Represents an IP address.
-class QUIC_EXPORT_PRIVATE QuicIpAddress {
- public:
-  // Sizes of IP addresses of different types, in bytes.
-  enum : size_t {
-    kIPv4AddressSize = 32 / 8,
-    kIPv6AddressSize = 128 / 8,
-    kMaxAddressSize = kIPv6AddressSize,
-  };
-
-  // TODO(fayang): Remove Loopback*() and use TestLoopback*() in tests.
-  static QuicIpAddress Loopback4();
-  static QuicIpAddress Loopback6();
-  static QuicIpAddress Any4();
-  static QuicIpAddress Any6();
-
-  QuicIpAddress();
-  QuicIpAddress(const QuicIpAddress& other) = default;
-  explicit QuicIpAddress(const in_addr& ipv4_address);
-  explicit QuicIpAddress(const in6_addr& ipv6_address);
-  QuicIpAddress& operator=(const QuicIpAddress& other) = default;
-  QuicIpAddress& operator=(QuicIpAddress&& other) = default;
-  QUIC_EXPORT_PRIVATE friend bool operator==(QuicIpAddress lhs,
-                                             QuicIpAddress rhs);
-  QUIC_EXPORT_PRIVATE friend bool operator!=(QuicIpAddress lhs,
-                                             QuicIpAddress rhs);
-
-  bool IsInitialized() const;
-  IpAddressFamily address_family() const;
-  int AddressFamilyToInt() const;
-  // Returns the address as a sequence of bytes in network-byte-order. IPv4 will
-  // be 4 bytes. IPv6 will be 16 bytes.
-  std::string ToPackedString() const;
-  // Returns string representation of the address.
-  std::string ToString() const;
-  // Normalizes the address representation with respect to IPv4 addresses, i.e,
-  // mapped IPv4 addresses ("::ffff:X.Y.Z.Q") are converted to pure IPv4
-  // addresses.  All other IPv4, IPv6, and empty values are left unchanged.
-  QuicIpAddress Normalized() const;
-  // Returns an address suitable for use in IPv6-aware contexts.  This is the
-  // opposite of NormalizeIPAddress() above.  IPv4 addresses are converted into
-  // their IPv4-mapped address equivalents (e.g. 192.0.2.1 becomes
-  // ::ffff:192.0.2.1).  IPv6 addresses are a noop (they are returned
-  // unchanged).
-  QuicIpAddress DualStacked() const;
-  bool FromPackedString(const char* data, size_t length);
-  bool FromString(std::string str);
-  bool IsIPv4() const;
-  bool IsIPv6() const;
-  bool InSameSubnet(const QuicIpAddress& other, int subnet_length);
-
-  in_addr GetIPv4() const;
-  in6_addr GetIPv6() const;
-
- private:
-  union {
-    in_addr v4;
-    in6_addr v6;
-    uint8_t bytes[kMaxAddressSize];
-    char chars[kMaxAddressSize];
-  } address_;
-  IpAddressFamily family_;
-};
-
-inline std::ostream& operator<<(std::ostream& os, const QuicIpAddress address) {
-  os << address.ToString();
-  return os;
-}
+using QuicIpAddress = ::quiche::QuicheIpAddress;
 
 }  // namespace quic
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address_family.h b/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address_family.h
index ad3963c5452..0aeac174d5a 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address_family.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/platform/api/quic_ip_address_family.h
@@ -5,18 +5,11 @@
 #ifndef QUICHE_QUIC_PLATFORM_API_QUIC_IP_ADDRESS_FAMILY_H_
 #define QUICHE_QUIC_PLATFORM_API_QUIC_IP_ADDRESS_FAMILY_H_
 
-namespace quic {
+#include "quiche/common/quiche_ip_address_family.h"
 
-// IP address family type used in QUIC. This hides platform dependant IP address
-// family types.
-enum class IpAddressFamily {
-  IP_V4,
-  IP_V6,
-  IP_UNSPEC,
-};
+namespace quic {
 
-int ToPlatformAddressFamily(IpAddressFamily family);
-IpAddressFamily FromPlatformAddressFamily(int family);
+using IpAddressFamily = ::quiche::IpAddressFamily;
 
 }  // namespace quic
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable.cc b/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable.cc
index fac964b2d3e..8f85190c0ee 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable.cc
@@ -8,16 +8,18 @@
 
 #include "absl/strings/string_view.h"
 #include "quiche/quic/core/crypto/quic_random.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
 #include "quiche/quic/platform/api/quic_logging.h"
 #include "quiche/quic/platform/api/quic_mutex.h"
 #include "quiche/quic/qbone/platform/icmp_packet.h"
-#include "quiche/common/quiche_endian.h"
+#include "quiche/common/platform/api/quiche_logging.h"
 #include "quiche/common/quiche_text_utils.h"
 
 namespace quic {
 namespace {
 
-constexpr int kEpollFlags = EPOLLIN | EPOLLET;
+constexpr QuicSocketEventMask kEventMask =
+    kSocketEventReadable | kSocketEventWritable;
 constexpr size_t kMtu = 1280;
 
 constexpr size_t kIPv6AddrSize = sizeof(in6_addr);
@@ -28,13 +30,15 @@ const char kUnknownSource[] = "UNKNOWN";
 const char kNoSource[] = "N/A";
 
 IcmpReachable::IcmpReachable(QuicIpAddress source, QuicIpAddress destination,
-                             absl::Duration timeout, KernelInterface* kernel,
-                             QuicEpollServer* epoll_server,
-                             StatsInterface* stats)
+                             QuicTime::Delta timeout, KernelInterface* kernel,
+                             QuicEventLoop* event_loop, StatsInterface* stats)
     : timeout_(timeout),
+      event_loop_(event_loop),
+      clock_(event_loop->GetClock()),
+      alarm_factory_(event_loop->CreateAlarmFactory()),
       cb_(this),
+      alarm_(alarm_factory_->CreateAlarm(new AlarmCallback(this))),
       kernel_(kernel),
-      epoll_server_(epoll_server),
       stats_(stats),
       send_fd_(0),
       recv_fd_(0) {
@@ -50,9 +54,8 @@ IcmpReachable::~IcmpReachable() {
     kernel_->close(send_fd_);
   }
   if (recv_fd_ > 0) {
-    if (!epoll_server_->ShutdownCalled()) {
-      epoll_server_->UnregisterFD(recv_fd_);
-    }
+    bool success = event_loop_->UnregisterSocket(recv_fd_);
+    QUICHE_DCHECK(success);
 
     kernel_->close(recv_fd_);
   }
@@ -93,8 +96,11 @@ bool IcmpReachable::Init() {
     return false;
   }
 
-  epoll_server_->RegisterFD(recv_fd_, &cb_, kEpollFlags);
-  epoll_server_->RegisterAlarm(0, this);
+  if (!event_loop_->RegisterSocket(recv_fd_, kEventMask, &cb_)) {
+    QUIC_LOG(ERROR) << "Unable to register recv ICMP socket";
+    return false;
+  }
+  alarm_->Set(clock_->Now());
 
   QuicWriterMutexLock mu(&header_lock_);
   icmp_header_.icmp6_type = ICMP6_ECHO_REQUEST;
@@ -135,9 +141,8 @@ bool IcmpReachable::OnEvent(int fd) {
                  << " seq: " << icmp_header_.icmp6_seq;
     return true;
   }
-  end_ = absl::Now();
-  QUIC_VLOG(1) << "Received ping response in "
-               << absl::ToInt64Microseconds(end_ - start_) << "us.";
+  end_ = clock_->Now();
+  QUIC_VLOG(1) << "Received ping response in " << (end_ - start_);
 
   std::string source;
   QuicIpAddress source_ip;
@@ -152,14 +157,12 @@ bool IcmpReachable::OnEvent(int fd) {
   return true;
 }
 
-int64 /* allow-non-std-int */ IcmpReachable::OnAlarm() {
-  EpollAlarm::OnAlarm();
-
+void IcmpReachable::OnAlarm() {
   QuicWriterMutexLock mu(&header_lock_);
 
   if (end_ < start_) {
     QUIC_VLOG(1) << "Timed out on sequence: " << icmp_header_.icmp6_seq;
-    stats_->OnEvent({Status::UNREACHABLE, absl::ZeroDuration(), kNoSource});
+    stats_->OnEvent({Status::UNREACHABLE, QuicTime::Delta::Zero(), kNoSource});
   }
 
   icmp_header_.icmp6_seq++;
@@ -175,10 +178,10 @@ int64 /* allow-non-std-int */ IcmpReachable::OnAlarm() {
                      if (size < packet.size()) {
                        stats_->OnWriteError(errno);
                      }
-                     start_ = absl::Now();
+                     start_ = clock_->Now();
                    });
 
-  return absl::ToUnixMicros(absl::Now() + timeout_);
+  alarm_->Set(clock_->ApproximateNow() + timeout_);
 }
 
 absl::string_view IcmpReachable::StatusName(IcmpReachable::Status status) {
@@ -192,19 +195,15 @@ absl::string_view IcmpReachable::StatusName(IcmpReachable::Status status) {
   }
 }
 
-void IcmpReachable::EpollCallback::OnEvent(int fd, QuicEpollEvent* event) {
+void IcmpReachable::EpollCallback::OnSocketEvent(QuicEventLoop* event_loop,
+                                                 QuicUdpSocketFd fd,
+                                                 QuicSocketEventMask events) {
   bool can_read_more = reachable_->OnEvent(fd);
   if (can_read_more) {
-    event->out_ready_mask |= EPOLLIN;
+    bool success =
+        event_loop->ArtificiallyNotifyEvent(fd, kSocketEventReadable);
+    QUICHE_DCHECK(success);
   }
 }
 
-void IcmpReachable::EpollCallback::OnShutdown(QuicEpollServer* eps, int fd) {
-  eps->UnregisterFD(fd);
-}
-
-std::string IcmpReachable::EpollCallback::Name() const {
-  return "ICMP Reachable";
-}
-
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable.h b/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable.h
index a4ecdee01a5..529ccc71327 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable.h
@@ -7,7 +7,14 @@
 
 #include <netinet/icmp6.h>
 
+#include <memory>
+
 #include "absl/strings/string_view.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
+#include "quiche/quic/core/quic_alarm.h"
+#include "quiche/quic/core/quic_alarm_factory.h"
+#include "quiche/quic/core/quic_clock.h"
+#include "quiche/quic/core/quic_time.h"
 #include "quiche/quic/platform/api/quic_ip_address.h"
 #include "quiche/quic/platform/api/quic_mutex.h"
 #include "quiche/quic/qbone/bonnet/icmp_reachable_interface.h"
@@ -29,7 +36,7 @@ class IcmpReachable : public IcmpReachableInterface {
 
   struct ReachableEvent {
     Status status;
-    absl::Duration response_time;
+    QuicTime::Delta response_time;
     std::string source;
   };
 
@@ -65,8 +72,8 @@ class IcmpReachable : public IcmpReachableInterface {
   // |stats| is not owned, but should outlive this instance. It will be called
   //         back on Echo Replies, timeouts, and I/O errors.
   IcmpReachable(QuicIpAddress source, QuicIpAddress destination,
-                absl::Duration timeout, KernelInterface* kernel,
-                QuicEpollServer* epoll_server, StatsInterface* stats);
+                QuicTime::Delta timeout, KernelInterface* kernel,
+                QuicEventLoop* event_loop, StatsInterface* stats);
 
   ~IcmpReachable() override;
 
@@ -74,13 +81,12 @@ class IcmpReachable : public IcmpReachableInterface {
   // |epoll_server|'s thread.
   bool Init() QUIC_LOCKS_EXCLUDED(header_lock_) override;
 
-  int64 /* allow-non-std-int */ OnAlarm()
-      QUIC_LOCKS_EXCLUDED(header_lock_) override;
+  void OnAlarm() QUIC_LOCKS_EXCLUDED(header_lock_);
 
   static absl::string_view StatusName(Status status);
 
  private:
-  class EpollCallback : public QuicEpollCallbackInterface {
+  class EpollCallback : public QuicSocketEventListener {
    public:
     explicit EpollCallback(IcmpReachable* reachable) : reachable_(reachable) {}
 
@@ -90,18 +96,18 @@ class IcmpReachable : public IcmpReachableInterface {
     EpollCallback(EpollCallback&&) = delete;
     EpollCallback& operator=(EpollCallback&&) = delete;
 
-    void OnRegistration(QuicEpollServer* eps, int fd,
-                        int event_mask) override{};
-
-    void OnModification(int fd, int event_mask) override{};
+    void OnSocketEvent(QuicEventLoop* event_loop, QuicUdpSocketFd fd,
+                       QuicSocketEventMask events) override;
 
-    void OnEvent(int fd, QuicEpollEvent* event) override;
-
-    void OnUnregistration(int fd, bool replaced) override{};
+   private:
+    IcmpReachable* reachable_;
+  };
 
-    void OnShutdown(QuicEpollServer* eps, int fd) override;
+  class AlarmCallback : public QuicAlarm::DelegateWithoutContext {
+   public:
+    explicit AlarmCallback(IcmpReachable* reachable) : reachable_(reachable) {}
 
-    std::string Name() const override;
+    void OnAlarm() override { reachable_->OnAlarm(); }
 
    private:
     IcmpReachable* reachable_;
@@ -109,15 +115,19 @@ class IcmpReachable : public IcmpReachableInterface {
 
   bool OnEvent(int fd) QUIC_LOCKS_EXCLUDED(header_lock_);
 
-  const absl::Duration timeout_;
+  const QuicTime::Delta timeout_;
+
+  QuicEventLoop* event_loop_;
+  const QuicClock* clock_;
+  std::unique_ptr<QuicAlarmFactory> alarm_factory_;
 
   EpollCallback cb_;
+  std::unique_ptr<QuicAlarm> alarm_;
 
   sockaddr_in6 src_{};
   sockaddr_in6 dst_{};
 
   KernelInterface* kernel_;
-  QuicEpollServer* epoll_server_;
 
   StatsInterface* stats_;
 
@@ -127,8 +137,8 @@ class IcmpReachable : public IcmpReachableInterface {
   QuicMutex header_lock_;
   icmp6_hdr icmp_header_ QUIC_GUARDED_BY(header_lock_){};
 
-  absl::Time start_ = absl::InfinitePast();
-  absl::Time end_ = absl::InfinitePast();
+  QuicTime start_ = QuicTime::Zero();
+  QuicTime end_ = QuicTime::Zero();
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable_interface.h b/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable_interface.h
index 20bf489dc4c..2426670e445 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable_interface.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable_interface.h
@@ -5,13 +5,12 @@
 #ifndef QUICHE_QUIC_QBONE_BONNET_ICMP_REACHABLE_INTERFACE_H_
 #define QUICHE_QUIC_QBONE_BONNET_ICMP_REACHABLE_INTERFACE_H_
 
-#include "quiche/quic/platform/api/quic_epoll.h"
-
 namespace quic {
 
-class IcmpReachableInterface : public QuicEpollAlarmBase {
+class IcmpReachableInterface {
  public:
   IcmpReachableInterface() = default;
+  virtual ~IcmpReachableInterface() = default;
 
   IcmpReachableInterface(const IcmpReachableInterface&) = delete;
   IcmpReachableInterface& operator=(const IcmpReachableInterface&) = delete;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable_test.cc
index 7a0ebe644de..ae48ddc9bb6 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/qbone/bonnet/icmp_reachable_test.cc
@@ -6,8 +6,12 @@
 
 #include <netinet/ip6.h>
 
+#include <memory>
+
 #include "absl/container/node_hash_map.h"
-#include "quiche/quic/platform/api/quic_epoll.h"
+#include "quiche/quic/core/io/quic_default_event_loop.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
+#include "quiche/quic/core/quic_default_clock.h"
 #include "quiche/quic/platform/api/quic_ip_address.h"
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/qbone/platform/mock_kernel.h"
@@ -79,7 +83,8 @@ class StatsInterface : public IcmpReachable::StatsInterface {
 
 class IcmpReachableTest : public QuicTest {
  public:
-  IcmpReachableTest() {
+  IcmpReachableTest()
+      : event_loop_(GetDefaultEventLoop()->Create(QuicDefaultClock::Get())) {
     QUICHE_CHECK(source_.FromString(kSourceAddress));
     QUICHE_CHECK(destination_.FromString(kDestinationAddress));
 
@@ -113,13 +118,13 @@ class IcmpReachableTest : public QuicTest {
   int read_src_fd_;
 
   StrictMock<MockKernel> kernel_;
-  QuicEpollServer epoll_server_;
+  std::unique_ptr<QuicEventLoop> event_loop_;
   StatsInterface stats_;
 };
 
 TEST_F(IcmpReachableTest, SendsPings) {
-  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
-                          &epoll_server_, &stats_);
+  IcmpReachable reachable(source_, destination_, QuicTime::Delta::Zero(),
+                          &kernel_, event_loop_.get(), &stats_);
 
   SetFdExpectations();
   ASSERT_TRUE(reachable.Init());
@@ -133,15 +138,13 @@ TEST_F(IcmpReachableTest, SendsPings) {
         return len;
       }));
 
-  epoll_server_.WaitForEventsAndExecuteCallbacks();
+  event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
   EXPECT_FALSE(stats_.HasWriteErrors());
-
-  epoll_server_.Shutdown();
 }
 
 TEST_F(IcmpReachableTest, HandlesUnreachableEvents) {
-  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
-                          &epoll_server_, &stats_);
+  IcmpReachable reachable(source_, destination_, QuicTime::Delta::Zero(),
+                          &kernel_, event_loop_.get(), &stats_);
 
   SetFdExpectations();
   ASSERT_TRUE(reachable.Init());
@@ -152,20 +155,18 @@ TEST_F(IcmpReachableTest, HandlesUnreachableEvents) {
                                 int flags, const struct sockaddr* dest_addr,
                                 socklen_t addrlen) { return len; }));
 
-  epoll_server_.WaitForEventsAndExecuteCallbacks();
+  event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
   EXPECT_EQ(stats_.unreachable_count(), 0);
 
-  epoll_server_.WaitForEventsAndExecuteCallbacks();
+  event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
   EXPECT_FALSE(stats_.HasWriteErrors());
   EXPECT_EQ(stats_.unreachable_count(), 1);
   EXPECT_EQ(stats_.current_source(), kNoSource);
-
-  epoll_server_.Shutdown();
 }
 
 TEST_F(IcmpReachableTest, HandlesReachableEvents) {
-  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
-                          &epoll_server_, &stats_);
+  IcmpReachable reachable(source_, destination_, QuicTime::Delta::Zero(),
+                          &kernel_, event_loop_.get(), &stats_);
 
   SetFdExpectations();
   ASSERT_TRUE(reachable.Init());
@@ -193,7 +194,7 @@ TEST_F(IcmpReachableTest, HandlesReachableEvents) {
             return read(sockfd, buf, len);
           }));
 
-  epoll_server_.WaitForEventsAndExecuteCallbacks();
+  event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
   EXPECT_EQ(stats_.reachable_count(), 0);
 
   icmp6_hdr response = last_request_hdr;
@@ -202,18 +203,16 @@ TEST_F(IcmpReachableTest, HandlesReachableEvents) {
   write(read_src_fd_, reinterpret_cast<const void*>(&response),
         sizeof(icmp6_hdr));
 
-  epoll_server_.WaitForEventsAndExecuteCallbacks();
+  event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
   EXPECT_FALSE(stats_.HasReadErrors());
   EXPECT_FALSE(stats_.HasWriteErrors());
   EXPECT_EQ(stats_.reachable_count(), 1);
   EXPECT_EQ(stats_.current_source(), source_.ToString());
-
-  epoll_server_.Shutdown();
 }
 
 TEST_F(IcmpReachableTest, HandlesWriteErrors) {
-  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
-                          &epoll_server_, &stats_);
+  IcmpReachable reachable(source_, destination_, QuicTime::Delta::Zero(),
+                          &kernel_, event_loop_.get(), &stats_);
 
   SetFdExpectations();
   ASSERT_TRUE(reachable.Init());
@@ -225,15 +224,13 @@ TEST_F(IcmpReachableTest, HandlesWriteErrors) {
         return 0;
       }));
 
-  epoll_server_.WaitForEventsAndExecuteCallbacks();
+  event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
   EXPECT_EQ(stats_.WriteErrorCount(EAGAIN), 1);
-
-  epoll_server_.Shutdown();
 }
 
 TEST_F(IcmpReachableTest, HandlesReadErrors) {
-  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
-                          &epoll_server_, &stats_);
+  IcmpReachable reachable(source_, destination_, QuicTime::Delta::Zero(),
+                          &kernel_, event_loop_.get(), &stats_);
 
   SetFdExpectations();
   ASSERT_TRUE(reachable.Init());
@@ -255,11 +252,9 @@ TEST_F(IcmpReachableTest, HandlesReadErrors) {
   write(read_src_fd_, reinterpret_cast<const void*>(&response),
         sizeof(icmp6_hdr));
 
-  epoll_server_.WaitForEventsAndExecuteCallbacks();
+  event_loop_->RunEventLoopOnce(QuicTime::Delta::FromSeconds(1));
   EXPECT_EQ(stats_.reachable_count(), 0);
   EXPECT_EQ(stats_.ReadErrorCount(EIO), 1);
-
-  epoll_server_.Shutdown();
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client.cc b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client.cc
index 5744eab321c..ffcfcf0faf3 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client.cc
@@ -7,19 +7,17 @@
 #include <utility>
 
 #include "absl/strings/string_view.h"
-#include "quiche/quic/core/quic_epoll_alarm_factory.h"
-#include "quiche/quic/core/quic_epoll_connection_helper.h"
-#include "quiche/quic/platform/api/quic_epoll.h"
-#include "quiche/quic/platform/api/quic_exported_stats.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
+#include "quiche/quic/core/quic_default_connection_helper.h"
 #include "quiche/quic/platform/api/quic_testvalue.h"
-#include "quiche/quic/qbone/qbone_stream.h"
+#include "quiche/quic/tools/quic_client_default_network_helper.h"
 
 namespace quic {
 namespace {
 std::unique_ptr<QuicClientBase::NetworkHelper> CreateNetworkHelper(
-    QuicEpollServer* epoll_server, QboneClient* client) {
+    QuicEventLoop* event_loop, QboneClient* client) {
   std::unique_ptr<QuicClientBase::NetworkHelper> helper =
-      std::make_unique<QuicClientEpollNetworkHelper>(epoll_server, client);
+      std::make_unique<QuicClientDefaultNetworkHelper>(event_loop, client);
   quic::AdjustTestValue("QboneClient/network_helper", &helper);
   return helper;
 }
@@ -29,17 +27,15 @@ QboneClient::QboneClient(QuicSocketAddress server_address,
                          const QuicServerId& server_id,
                          const ParsedQuicVersionVector& supported_versions,
                          QuicSession::Visitor* session_owner,
-                         const QuicConfig& config,
-                         QuicEpollServer* epoll_server,
+                         const QuicConfig& config, QuicEventLoop* event_loop,
                          std::unique_ptr<ProofVerifier> proof_verifier,
                          QbonePacketWriter* qbone_writer,
                          QboneClientControlStream::Handler* qbone_handler)
-    : QuicClientBase(
-          server_id, supported_versions, config,
-          new QuicEpollConnectionHelper(epoll_server, QuicAllocator::SIMPLE),
-          new QuicEpollAlarmFactory(epoll_server),
-          CreateNetworkHelper(epoll_server, this), std::move(proof_verifier),
-          nullptr),
+    : QuicClientBase(server_id, supported_versions, config,
+                     new QuicDefaultConnectionHelper(),
+                     event_loop->CreateAlarmFactory().release(),
+                     CreateNetworkHelper(event_loop, this),
+                     std::move(proof_verifier), nullptr),
       qbone_writer_(qbone_writer),
       qbone_handler_(qbone_handler),
       session_owner_(session_owner) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client.h b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client.h
index 5f52679b326..cda71da3326 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client.h
@@ -6,24 +6,24 @@
 #define QUICHE_QUIC_QBONE_QBONE_CLIENT_H_
 
 #include "absl/strings/string_view.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
 #include "quiche/quic/qbone/qbone_client_interface.h"
 #include "quiche/quic/qbone/qbone_client_session.h"
 #include "quiche/quic/qbone/qbone_packet_writer.h"
 #include "quiche/quic/tools/quic_client_base.h"
-#include "quiche/quic/tools/quic_client_epoll_network_helper.h"
 
 namespace quic {
-// A QboneClient encapsulates connecting to a server via an epoll server
+// A QboneClient encapsulates connecting to a server via an event loop
 // and setting up a QBONE tunnel. See the QboneTestClient in qbone_client_test
 // for usage.
 class QboneClient : public QuicClientBase, public QboneClientInterface {
  public:
-  // Note that the epoll server, QBONE writer, and handler are owned
+  // Note that the event loop, QBONE writer, and handler are owned
   // by the caller.
   QboneClient(QuicSocketAddress server_address, const QuicServerId& server_id,
               const ParsedQuicVersionVector& supported_versions,
               QuicSession::Visitor* session_owner, const QuicConfig& config,
-              QuicEpollServer* epoll_server,
+              QuicEventLoop* event_loop,
               std::unique_ptr<ProofVerifier> proof_verifier,
               QbonePacketWriter* qbone_writer,
               QboneClientControlStream::Handler* qbone_handler);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client_test.cc
index 7d54852abb7..002911507d8 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_client_test.cc
@@ -6,19 +6,19 @@
 
 #include "quiche/quic/qbone/qbone_client.h"
 
+#include <memory>
+
 #include "absl/strings/string_view.h"
+#include "quiche/quic/core/io/quic_default_event_loop.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
 #include "quiche/quic/core/quic_alarm_factory.h"
+#include "quiche/quic/core/quic_default_clock.h"
 #include "quiche/quic/core/quic_default_connection_helper.h"
-#include "quiche/quic/core/quic_default_packet_writer.h"
 #include "quiche/quic/core/quic_dispatcher.h"
-#include "quiche/quic/core/quic_epoll_alarm_factory.h"
-#include "quiche/quic/core/quic_epoll_connection_helper.h"
-#include "quiche/quic/core/quic_packet_reader.h"
 #include "quiche/quic/platform/api/quic_mutex.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/platform/api/quic_test_loopback.h"
-#include "quiche/quic/qbone/qbone_constants.h"
 #include "quiche/quic/qbone/qbone_packet_processor_test_tools.h"
 #include "quiche/quic/qbone/qbone_server_session.h"
 #include "quiche/quic/test_tools/crypto_test_utils.h"
@@ -104,11 +104,11 @@ class QuicQboneDispatcher : public QuicDispatcher {
       std::unique_ptr<QuicConnectionHelperInterface> helper,
       std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
       std::unique_ptr<QuicAlarmFactory> alarm_factory,
-      QbonePacketWriter* writer)
+      QbonePacketWriter* writer, ConnectionIdGeneratorInterface& generator)
       : QuicDispatcher(config, crypto_config, version_manager,
                        std::move(helper), std::move(session_helper),
-                       std::move(alarm_factory),
-                       kQuicDefaultConnectionIdLength),
+                       std::move(alarm_factory), kQuicDefaultConnectionIdLength,
+                       generator),
         writer_(writer) {}
 
   std::unique_ptr<QuicSession> CreateQuicSession(
@@ -120,7 +120,7 @@ class QuicQboneDispatcher : public QuicDispatcher {
     QuicConnection* connection = new QuicConnection(
         id, self_address, peer_address, helper(), alarm_factory(), writer(),
         /* owns_writer= */ false, Perspective::IS_SERVER,
-        ParsedQuicVersionVector{version});
+        ParsedQuicVersionVector{version}, connection_id_generator());
     // The connection owning wrapper owns the connection created.
     auto session = std::make_unique<ConnectionOwningQboneServerSession>(
         GetSupportedVersions(), connection, this, config(), crypto_config(),
@@ -143,7 +143,8 @@ class QboneTestServer : public QuicServer {
         &config(), &crypto_config(), version_manager(),
         std::make_unique<QuicDefaultConnectionHelper>(),
         std::make_unique<QboneCryptoServerStreamHelper>(),
-        event_loop()->CreateAlarmFactory(), &writer_);
+        event_loop()->CreateAlarmFactory(), &writer_,
+        connection_id_generator());
   }
 
   std::vector<std::string> data() { return writer_.data(); }
@@ -157,10 +158,10 @@ class QboneTestClient : public QboneClient {
   QboneTestClient(QuicSocketAddress server_address,
                   const QuicServerId& server_id,
                   const ParsedQuicVersionVector& supported_versions,
-                  QuicEpollServer* epoll_server,
+                  QuicEventLoop* event_loop,
                   std::unique_ptr<ProofVerifier> proof_verifier)
       : QboneClient(server_address, server_id, supported_versions,
-                    /*session_owner=*/nullptr, QuicConfig(), epoll_server,
+                    /*session_owner=*/nullptr, QuicConfig(), event_loop,
                     std::move(proof_verifier), &qbone_writer_, nullptr) {}
 
   ~QboneTestClient() override {}
@@ -214,11 +215,12 @@ TEST_P(QboneClientTest, SendDataFromClient) {
       QuicSocketAddress(server_address.host(), server_thread.GetPort());
   server_thread.Start();
 
-  QuicEpollServer epoll_server;
+  std::unique_ptr<QuicEventLoop> event_loop =
+      GetDefaultEventLoop()->Create(quic::QuicDefaultClock::Get());
   QboneTestClient client(
       server_address,
       QuicServerId("test.example.com", server_address.port(), false),
-      ParsedQuicVersionVector{GetParam()}, &epoll_server,
+      ParsedQuicVersionVector{GetParam()}, event_loop.get(),
       crypto_test_utils::ProofVerifierForTesting());
   ASSERT_TRUE(client.Initialize());
   ASSERT_TRUE(client.Connect());
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_session_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_session_test.cc
index faa1d3a9e75..5ccf3702098 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_session_test.cc
@@ -2,12 +2,15 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <memory>
 #include <utility>
 
 #include "absl/strings/string_view.h"
+#include "quiche/quic/core/io/quic_default_event_loop.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
 #include "quiche/quic/core/proto/crypto_server_config_proto.h"
 #include "quiche/quic/core/quic_alarm_factory.h"
-#include "quiche/quic/core/quic_epoll_alarm_factory.h"
+#include "quiche/quic/core/quic_default_clock.h"
 #include "quiche/quic/platform/api/quic_expect_bug.h"
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/platform/api/quic_test_loopback.h"
@@ -19,6 +22,7 @@
 #include "quiche/quic/qbone/qbone_server_session.h"
 #include "quiche/quic/test_tools/crypto_test_utils.h"
 #include "quiche/quic/test_tools/mock_clock.h"
+#include "quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "quiche/quic/test_tools/quic_connection_peer.h"
 #include "quiche/quic/test_tools/quic_session_peer.h"
 #include "quiche/quic/test_tools/quic_test_utils.h"
@@ -295,7 +299,8 @@ class QboneSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
                                      bool send_qbone_alpn = true) {
     // Quic crashes if packets are sent at time 0, and the clock defaults to 0.
     helper_.AdvanceTime(QuicTime::Delta::FromMilliseconds(1000));
-    alarm_factory_ = std::make_unique<QuicEpollAlarmFactory>(&epoll_server_);
+    event_loop_ = GetDefaultEventLoop()->Create(QuicDefaultClock::Get());
+    alarm_factory_ = event_loop_->CreateAlarmFactory();
     client_writer_ = std::make_unique<DataSavingQbonePacketWriter>();
     server_writer_ = std::make_unique<DataSavingQbonePacketWriter>();
     client_handler_ =
@@ -314,7 +319,8 @@ class QboneSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
       client_connection_ = new QuicConnection(
           TestConnectionId(), client_address, server_address, &helper_,
           alarm_factory_.get(), new NiceMock<MockPacketWriter>(), true,
-          Perspective::IS_CLIENT, supported_versions_);
+          Perspective::IS_CLIENT, supported_versions_,
+          connection_id_generator_);
       client_connection_->SetSelfAddress(client_address);
       QuicConfig config;
       client_crypto_config_ = std::make_unique<QuicCryptoClientConfig>(
@@ -333,7 +339,8 @@ class QboneSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
       server_connection_ = new QuicConnection(
           TestConnectionId(), server_address, client_address, &helper_,
           alarm_factory_.get(), new NiceMock<MockPacketWriter>(), true,
-          Perspective::IS_SERVER, supported_versions_);
+          Perspective::IS_SERVER, supported_versions_,
+          connection_id_generator_);
       server_connection_->SetSelfAddress(server_address);
       QuicConfig config;
       server_crypto_config_ = std::make_unique<QuicCryptoServerConfig>(
@@ -519,7 +526,7 @@ class QboneSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
 
  protected:
   const ParsedQuicVersionVector supported_versions_;
-  QuicEpollServer epoll_server_;
+  std::unique_ptr<QuicEventLoop> event_loop_;
   std::unique_ptr<QuicAlarmFactory> alarm_factory_;
   FakeTaskRunner runner_;
   MockQuicConnectionHelper helper_;
@@ -538,6 +545,7 @@ class QboneSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
 
   std::unique_ptr<QboneServerSession> server_peer_;
   std::unique_ptr<QboneClientSession> client_peer_;
+  MockConnectionIdGenerator connection_id_generator_;
 };
 
 INSTANTIATE_TEST_SUITE_P(Tests, QboneSessionTest,
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_stream_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_stream_test.cc
index 83924969879..d7e0c815cf1 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/qbone/qbone_stream_test.cc
@@ -15,6 +15,7 @@
 #include "quiche/quic/qbone/qbone_constants.h"
 #include "quiche/quic/qbone/qbone_session_base.h"
 #include "quiche/quic/test_tools/mock_clock.h"
+#include "quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "quiche/quic/test_tools/quic_test_utils.h"
 #include "quiche/common/simple_buffer_allocator.h"
 #include "quiche/spdy/core/spdy_protocol.h"
@@ -145,7 +146,8 @@ class QboneReadOnlyStreamTest : public ::testing::Test,
         QuicSocketAddress(TestLoopback(), 0),
         this /*QuicConnectionHelperInterface*/, alarm_factory_.get(),
         new DummyPacketWriter(), owns_writer, perspective,
-        ParsedVersionOfIndex(CurrentSupportedVersions(), 0)));
+        ParsedVersionOfIndex(CurrentSupportedVersions(), 0),
+        connection_id_generator_));
     clock_.AdvanceTime(QuicTime::Delta::FromSeconds(1));
     session_ = std::make_unique<StrictMock<MockQuicSession>>(connection_.get(),
                                                              QuicConfig());
@@ -178,6 +180,7 @@ class QboneReadOnlyStreamTest : public ::testing::Test,
   MockClock clock_;
   const QuicStreamId kStreamId = QuicUtils::GetFirstUnidirectionalStreamId(
       CurrentSupportedVersions()[0].transport_version, Perspective::IS_CLIENT);
+  quic::test::MockConnectionIdGenerator connection_id_generator_;
 };
 
 // Read an entire string.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/crypto_test_utils.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/crypto_test_utils.h
index d21e8978b4b..d6507061426 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/crypto_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/crypto_test_utils.h
@@ -14,6 +14,7 @@
 #include "absl/strings/string_view.h"
 #include "openssl/evp.h"
 #include "quiche/quic/core/crypto/crypto_framer.h"
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/core/quic_framer.h"
 #include "quiche/quic/core/quic_packets.h"
 #include "quiche/quic/test_tools/quic_test_utils.h"
@@ -29,7 +30,6 @@ class QuicCryptoClientStream;
 class QuicCryptoServerConfig;
 class QuicCryptoServerStreamBase;
 class QuicCryptoStream;
-class QuicRandom;
 class QuicServerId;
 
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/fake_proof_source_handle.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/fake_proof_source_handle.cc
index 07c78fc52a9..ac1f3a5138e 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/fake_proof_source_handle.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/fake_proof_source_handle.cc
@@ -4,6 +4,7 @@
 
 #include "quiche/quic/test_tools/fake_proof_source_handle.h"
 
+#include "quiche/quic/core/quic_connection_id.h"
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/quic/platform/api/quic_bug_tracker.h"
 
@@ -68,18 +69,21 @@ void FakeProofSourceHandle::CloseHandle() {
 
 QuicAsyncStatus FakeProofSourceHandle::SelectCertificate(
     const QuicSocketAddress& server_address,
-    const QuicSocketAddress& client_address, absl::string_view ssl_capabilities,
-    const std::string& hostname, absl::string_view client_hello,
-    const std::string& alpn, absl::optional<std::string> alps,
+    const QuicSocketAddress& client_address,
+    const QuicConnectionId& original_connection_id,
+    absl::string_view ssl_capabilities, const std::string& hostname,
+    absl::string_view client_hello, const std::string& alpn,
+    absl::optional<std::string> alps,
     const std::vector<uint8_t>& quic_transport_params,
     const absl::optional<std::vector<uint8_t>>& early_data_context,
     const QuicSSLConfig& ssl_config) {
   if (select_cert_action_ != Action::FAIL_SYNC_DO_NOT_CHECK_CLOSED) {
     QUICHE_CHECK(!closed_);
   }
-  all_select_cert_args_.push_back(SelectCertArgs(
-      server_address, client_address, ssl_capabilities, hostname, client_hello,
-      alpn, alps, quic_transport_params, early_data_context, ssl_config));
+  all_select_cert_args_.push_back(
+      SelectCertArgs(server_address, client_address, original_connection_id,
+                     ssl_capabilities, hostname, client_hello, alpn, alps,
+                     quic_transport_params, early_data_context, ssl_config));
 
   if (select_cert_action_ == Action::DELEGATE_ASYNC ||
       select_cert_action_ == Action::FAIL_ASYNC) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/fake_proof_source_handle.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/fake_proof_source_handle.h
index 25a7e27d171..599a1fa538a 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/fake_proof_source_handle.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/fake_proof_source_handle.h
@@ -6,6 +6,7 @@
 #define QUICHE_QUIC_TEST_TOOLS_FAKE_PROOF_SOURCE_HANDLE_H_
 
 #include "quiche/quic/core/crypto/proof_source.h"
+#include "quiche/quic/core/quic_connection_id.h"
 
 namespace quic {
 namespace test {
@@ -43,6 +44,7 @@ class FakeProofSourceHandle : public ProofSourceHandle {
   QuicAsyncStatus SelectCertificate(
       const QuicSocketAddress& server_address,
       const QuicSocketAddress& client_address,
+      const QuicConnectionId& original_connection_id,
       absl::string_view ssl_capabilities, const std::string& hostname,
       absl::string_view client_hello, const std::string& alpn,
       absl::optional<std::string> alps,
@@ -66,6 +68,7 @@ class FakeProofSourceHandle : public ProofSourceHandle {
   struct SelectCertArgs {
     SelectCertArgs(QuicSocketAddress server_address,
                    QuicSocketAddress client_address,
+                   QuicConnectionId original_connection_id,
                    absl::string_view ssl_capabilities, std::string hostname,
                    absl::string_view client_hello, std::string alpn,
                    absl::optional<std::string> alps,
@@ -74,6 +77,7 @@ class FakeProofSourceHandle : public ProofSourceHandle {
                    QuicSSLConfig ssl_config)
         : server_address(server_address),
           client_address(client_address),
+          original_connection_id(original_connection_id),
           ssl_capabilities(ssl_capabilities),
           hostname(hostname),
           client_hello(client_hello),
@@ -85,6 +89,7 @@ class FakeProofSourceHandle : public ProofSourceHandle {
 
     QuicSocketAddress server_address;
     QuicSocketAddress client_address;
+    QuicConnectionId original_connection_id;
     std::string ssl_capabilities;
     std::string hostname;
     std::string client_hello;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/first_flight.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/first_flight.cc
index ed7dd9c00f2..dcdeac3113a 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/first_flight.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/first_flight.cc
@@ -20,6 +20,7 @@
 #include "quiche/quic/platform/api/quic_ip_address.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/quic/test_tools/crypto_test_utils.h"
+#include "quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "quiche/quic/test_tools/quic_test_utils.h"
 
 namespace quic {
@@ -55,13 +56,13 @@ class FirstFlightExtractor : public DelegatedPacketWriter::Delegate {
 
   void GenerateFirstFlight() {
     crypto_config_->set_alpn(AlpnForVersion(version_));
-    connection_ =
-        new QuicConnection(server_connection_id_,
-                           /*initial_self_address=*/QuicSocketAddress(),
-                           QuicSocketAddress(TestPeerIPAddress(), kTestPort),
-                           &connection_helper_, &alarm_factory_, &writer_,
-                           /*owns_writer=*/false, Perspective::IS_CLIENT,
-                           ParsedQuicVersionVector{version_});
+    connection_ = new QuicConnection(
+        server_connection_id_,
+        /*initial_self_address=*/QuicSocketAddress(),
+        QuicSocketAddress(TestPeerIPAddress(), kTestPort), &connection_helper_,
+        &alarm_factory_, &writer_,
+        /*owns_writer=*/false, Perspective::IS_CLIENT,
+        ParsedQuicVersionVector{version_}, connection_id_generator_);
     connection_->set_client_connection_id(client_connection_id_);
     session_ = std::make_unique<QuicSpdyClientSession>(
         config_, ParsedQuicVersionVector{version_},
@@ -106,6 +107,7 @@ class FirstFlightExtractor : public DelegatedPacketWriter::Delegate {
   QuicConnection* connection_;  // Owned by session_.
   std::unique_ptr<QuicSpdyClientSession> session_;
   std::vector<std::unique_ptr<QuicReceivedPacket>> packets_;
+  MockConnectionIdGenerator connection_id_generator_;
 };
 
 std::vector<std::unique_ptr<QuicReceivedPacket>> GetFirstFlightOfPackets(
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_connection_id_generator.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_connection_id_generator.h
new file mode 100644
index 00000000000..42209d68787
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_connection_id_generator.h
@@ -0,0 +1,31 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_TEST_TOOLS_MOCK_CONNECTION_ID_GENERATOR_H_
+#define QUICHE_QUIC_TEST_TOOLS_MOCK_CONNECTION_ID_GENERATOR_H_
+
+#include "quiche/quic/core/connection_id_generator.h"
+#include "quiche/quic/platform/api/quic_test.h"
+
+namespace quic {
+namespace test {
+
+class MockConnectionIdGenerator : public quic::ConnectionIdGeneratorInterface {
+ public:
+  MOCK_METHOD(absl::optional<quic::QuicConnectionId>, GenerateNextConnectionId,
+              (const quic::QuicConnectionId& original), (override));
+
+  MOCK_METHOD(absl::optional<quic::QuicConnectionId>, MaybeReplaceConnectionId,
+              (const quic::QuicConnectionId& original,
+               const quic::ParsedQuicVersion& version),
+              (override));
+
+  MOCK_METHOD(uint8_t, ConnectionIdLength, (uint8_t first_byte),
+              (const, override));
+};
+
+}  // namespace test
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_TEST_TOOLS_MOCK_CONNECTION_ID_GENERATOR_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_quic_dispatcher.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_quic_dispatcher.cc
index fd91281f021..527047e9c7c 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_quic_dispatcher.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_quic_dispatcher.cc
@@ -15,11 +15,12 @@ MockQuicDispatcher::MockQuicDispatcher(
     std::unique_ptr<QuicConnectionHelperInterface> helper,
     std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
     std::unique_ptr<QuicAlarmFactory> alarm_factory,
-    QuicSimpleServerBackend* quic_simple_server_backend)
+    QuicSimpleServerBackend* quic_simple_server_backend,
+    ConnectionIdGeneratorInterface& generator)
     : QuicSimpleDispatcher(config, crypto_config, version_manager,
                            std::move(helper), std::move(session_helper),
                            std::move(alarm_factory), quic_simple_server_backend,
-                           kQuicDefaultConnectionIdLength) {}
+                           kQuicDefaultConnectionIdLength, generator) {}
 
 MockQuicDispatcher::~MockQuicDispatcher() {}
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_quic_dispatcher.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_quic_dispatcher.h
index 4e152e7efe7..32b4c850415 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_quic_dispatcher.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_quic_dispatcher.h
@@ -23,7 +23,8 @@ class MockQuicDispatcher : public QuicSimpleDispatcher {
       std::unique_ptr<QuicConnectionHelperInterface> helper,
       std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
       std::unique_ptr<QuicAlarmFactory> alarm_factory,
-      QuicSimpleServerBackend* quic_simple_server_backend);
+      QuicSimpleServerBackend* quic_simple_server_backend,
+      ConnectionIdGeneratorInterface& generator);
   MockQuicDispatcher(const MockQuicDispatcher&) = delete;
   MockQuicDispatcher& operator=(const MockQuicDispatcher&) = delete;
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_random.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_random.cc
index 2bea7c6d9f8..2c45e65de3d 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_random.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_random.cc
@@ -9,21 +9,33 @@
 namespace quic {
 namespace test {
 
-MockRandom::MockRandom() : base_(0xDEADBEEF), increment_(0) {}
-
-MockRandom::MockRandom(uint32_t base) : base_(base), increment_(0) {}
+using testing::_;
+using testing::Invoke;
+
+MockRandom::MockRandom() : MockRandom(0xDEADBEEF) {}
+
+MockRandom::MockRandom(uint32_t base) : base_(base), increment_(0) {
+  ON_CALL(*this, RandBytes(_, _))
+      .WillByDefault(Invoke(this, &MockRandom::DefaultRandBytes));
+  ON_CALL(*this, RandUint64())
+      .WillByDefault(Invoke(this, &MockRandom::DefaultRandUint64));
+  ON_CALL(*this, InsecureRandBytes(_, _))
+      .WillByDefault(Invoke(this, &MockRandom::DefaultInsecureRandBytes));
+  ON_CALL(*this, InsecureRandUint64())
+      .WillByDefault(Invoke(this, &MockRandom::DefaultInsecureRandUint64));
+}
 
-void MockRandom::RandBytes(void* data, size_t len) {
+void MockRandom::DefaultRandBytes(void* data, size_t len) {
   memset(data, increment_ + static_cast<uint8_t>('r'), len);
 }
 
-uint64_t MockRandom::RandUint64() { return base_ + increment_; }
+uint64_t MockRandom::DefaultRandUint64() { return base_ + increment_; }
 
-void MockRandom::InsecureRandBytes(void* data, size_t len) {
-  RandBytes(data, len);
+void MockRandom::DefaultInsecureRandBytes(void* data, size_t len) {
+  DefaultRandBytes(data, len);
 }
 
-uint64_t MockRandom::InsecureRandUint64() { return RandUint64(); }
+uint64_t MockRandom::DefaultInsecureRandUint64() { return DefaultRandUint64(); }
 
 void MockRandom::ChangeValue() { increment_++; }
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_random.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_random.h
index 03c1f00cf6b..0a4918d0ddc 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_random.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/mock_random.h
@@ -6,6 +6,7 @@
 #define QUICHE_QUIC_TEST_TOOLS_MOCK_RANDOM_H_
 
 #include "quiche/quic/core/crypto/quic_random.h"
+#include "quiche/quic/platform/api/quic_test.h"
 
 namespace quic {
 namespace test {
@@ -18,22 +19,31 @@ class MockRandom : public QuicRandom {
   MockRandom(const MockRandom&) = delete;
   MockRandom& operator=(const MockRandom&) = delete;
 
-  // QuicRandom:
+  MOCK_METHOD(void, RandBytes, (void* data, size_t len), (override));
+  MOCK_METHOD(uint64_t, RandUint64, (), (override));
+  MOCK_METHOD(void, InsecureRandBytes, (void* data, size_t len), (override));
+  MOCK_METHOD(uint64_t, InsecureRandUint64, (), (override));
+
+  // Default QuicRandom implementations. They are used if the caller does not
+  // setup the MockRandom via EXPECT_CALLs.
+
   // Fills the |data| buffer with a repeating byte, initially 'r'.
-  void RandBytes(void* data, size_t len) override;
+  void DefaultRandBytes(void* data, size_t len);
   // Returns base + the current increment.
-  uint64_t RandUint64() override;
+  uint64_t DefaultRandUint64();
 
   // InsecureRandBytes behaves equivalently to RandBytes.
-  void InsecureRandBytes(void* data, size_t len) override;
+  void DefaultInsecureRandBytes(void* data, size_t len);
   // InsecureRandUint64 behaves equivalently to RandUint64.
-  uint64_t InsecureRandUint64() override;
+  uint64_t DefaultInsecureRandUint64();
 
   // ChangeValue increments |increment_|. This causes the value returned by
   // |RandUint64| and the byte that |RandBytes| fills with, to change.
+  // Used by the Default implementations.
   void ChangeValue();
 
   // Sets the base to |base| and resets increment to zero.
+  // Used by the Default implementations.
   void ResetBase(uint32_t base);
 
  private:
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_client_peer.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_client_peer.cc
deleted file mode 100644
index 0b58e22af4a..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_client_peer.cc
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/test_tools/quic_client_peer.h"
-
-#include "quiche/quic/tools/quic_client.h"
-
-namespace quic {
-namespace test {
-
-// static
-bool QuicClientPeer::CreateUDPSocketAndBind(QuicClient* client) {
-  return client->network_helper()->CreateUDPSocketAndBind(
-      client->server_address(), client->bind_to_address(),
-      client->local_port());
-}
-
-// static
-void QuicClientPeer::CleanUpUDPSocket(QuicClient* client, int fd) {
-  client->epoll_network_helper()->CleanUpUDPSocket(fd);
-}
-
-// static
-void QuicClientPeer::SetClientPort(QuicClient* client, int port) {
-  client->epoll_network_helper()->SetClientPort(port);
-}
-
-// static
-void QuicClientPeer::SetWriter(QuicClient* client, QuicPacketWriter* writer) {
-  client->set_writer(writer);
-}
-
-}  // namespace test
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_client_peer.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_client_peer.h
deleted file mode 100644
index 7070779f47c..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_client_peer.h
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_TEST_TOOLS_QUIC_CLIENT_PEER_H_
-#define QUICHE_QUIC_TEST_TOOLS_QUIC_CLIENT_PEER_H_
-
-namespace quic {
-
-class QuicClient;
-class QuicPacketWriter;
-
-namespace test {
-
-class QuicClientPeer {
- public:
-  QuicClientPeer() = delete;
-
-  static bool CreateUDPSocketAndBind(QuicClient* client);
-  static void CleanUpUDPSocket(QuicClient* client, int fd);
-  static void SetClientPort(QuicClient* client, int port);
-  static void SetWriter(QuicClient* client, QuicPacketWriter* writer);
-};
-
-}  // namespace test
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_TEST_TOOLS_QUIC_CLIENT_PEER_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.cc
index db827aa3eb8..eb28e2d5f71 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.cc
@@ -406,6 +406,12 @@ QuicIdleNetworkDetector& QuicConnectionPeer::GetIdleNetworkDetector(
 }
 
 // static
+QuicAlarm* QuicConnectionPeer::GetMultiPortProbingAlarm(
+    QuicConnection* connection) {
+  return connection->multi_port_probing_alarm_.get();
+}
+
+// static
 void QuicConnectionPeer::SetServerConnectionId(
     QuicConnection* connection, const QuicConnectionId& server_connection_id) {
   connection->default_path_.server_connection_id = server_connection_id;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.h
index 7ad551fed64..169a33cd7b4 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_connection_peer.h
@@ -224,6 +224,8 @@ class QuicConnectionPeer {
   static QuicCoalescedPacket& GetCoalescedPacket(QuicConnection* connection);
 
   static void FlushCoalescedPacket(QuicConnection* connection);
+
+  static QuicAlarm* GetMultiPortProbingAlarm(QuicConnection* connection);
 };
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_packet_creator_peer.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_packet_creator_peer.h
index 4607bcd2d7d..b7833a456d0 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_packet_creator_peer.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_packet_creator_peer.h
@@ -5,12 +5,12 @@
 #ifndef QUICHE_QUIC_TEST_TOOLS_QUIC_PACKET_CREATOR_PEER_H_
 #define QUICHE_QUIC_TEST_TOOLS_QUIC_PACKET_CREATOR_PEER_H_
 
+#include "quiche/quic/core/crypto/quic_random.h"
 #include "quiche/quic/core/quic_packets.h"
 
 namespace quic {
 class QuicFramer;
 class QuicPacketCreator;
-class QuicRandom;
 
 namespace test {
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_client.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_client.cc
index 32b61ed285e..2d6de0ddd2d 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_client.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_client.cc
@@ -23,7 +23,6 @@
 #include "quiche/quic/platform/api/quic_logging.h"
 #include "quiche/quic/platform/api/quic_stack_trace.h"
 #include "quiche/quic/test_tools/crypto_test_utils.h"
-#include "quiche/quic/test_tools/quic_client_peer.h"
 #include "quiche/quic/test_tools/quic_connection_peer.h"
 #include "quiche/quic/test_tools/quic_spdy_session_peer.h"
 #include "quiche/quic/test_tools/quic_spdy_stream_peer.h"
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_server.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_server.cc
index b8499ffc360..ad97b4a70c3 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_server.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_server.cc
@@ -73,11 +73,13 @@ class QuicTestDispatcher : public QuicSimpleDispatcher {
       std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
       std::unique_ptr<QuicAlarmFactory> alarm_factory,
       QuicSimpleServerBackend* quic_simple_server_backend,
-      uint8_t expected_server_connection_id_length)
-      : QuicSimpleDispatcher(
-            config, crypto_config, version_manager, std::move(helper),
-            std::move(session_helper), std::move(alarm_factory),
-            quic_simple_server_backend, expected_server_connection_id_length),
+      uint8_t expected_server_connection_id_length,
+      ConnectionIdGeneratorInterface& generator)
+      : QuicSimpleDispatcher(config, crypto_config, version_manager,
+                             std::move(helper), std::move(session_helper),
+                             std::move(alarm_factory),
+                             quic_simple_server_backend,
+                             expected_server_connection_id_length, generator),
         session_factory_(nullptr),
         stream_factory_(nullptr),
         crypto_stream_factory_(nullptr) {}
@@ -92,7 +94,7 @@ class QuicTestDispatcher : public QuicSimpleDispatcher {
     QuicConnection* connection = new QuicConnection(
         id, self_address, peer_address, helper(), alarm_factory(), writer(),
         /* owns_writer= */ false, Perspective::IS_SERVER,
-        ParsedQuicVersionVector{version});
+        ParsedQuicVersionVector{version}, connection_id_generator());
 
     std::unique_ptr<QuicServerSessionBase> session;
     if (session_factory_ == nullptr && stream_factory_ == nullptr &&
@@ -182,7 +184,7 @@ QuicDispatcher* QuicTestServer::CreateQuicDispatcher() {
       std::unique_ptr<QuicCryptoServerStreamBase::Helper>(
           new QuicSimpleCryptoServerStreamHelper()),
       event_loop()->CreateAlarmFactory(), server_backend(),
-      expected_server_connection_id_length());
+      expected_server_connection_id_length(), connection_id_generator());
 }
 
 void QuicTestServer::SetSessionFactory(SessionFactory* factory) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_utils.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_utils.cc
index 39ba0a737b4..8d1b04119cd 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_utils.cc
@@ -526,7 +526,8 @@ MockQuicConnection::MockQuicConnection(
           /*initial_self_address=*/QuicSocketAddress(QuicIpAddress::Any4(), 5),
           initial_peer_address, helper, alarm_factory,
           new testing::NiceMock<MockPacketWriter>(),
-          /* owns_writer= */ true, perspective, supported_versions) {
+          /* owns_writer= */ true, perspective, supported_versions,
+          connection_id_generator_) {
   ON_CALL(*this, OnError(_))
       .WillByDefault(
           Invoke(this, &PacketSavingConnection::QuicConnection_OnError));
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_utils.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_utils.h
index af9cf2c41e3..9808498e8e3 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/quic_test_utils.h
@@ -37,6 +37,7 @@
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/test_tools/mock_clock.h"
+#include "quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "quiche/quic/test_tools/mock_quic_session_visitor.h"
 #include "quiche/quic/test_tools/mock_random.h"
 #include "quiche/quic/test_tools/quic_framer_peer.h"
@@ -501,6 +502,8 @@ class MockQuicConnectionVisitor : public QuicConnectionVisitorInterface {
   MOCK_METHOD(void, BeforeConnectionCloseSent, (), (override));
   MOCK_METHOD(bool, ValidateToken, (absl::string_view), (override));
   MOCK_METHOD(bool, MaybeSendAddressToken, (), (override));
+  MOCK_METHOD(std::unique_ptr<QuicPathValidationContext>,
+              CreateContextForMultiPortPath, (), (override));
 
   bool IsKnownServerAddress(
       const QuicSocketAddress& /*address*/) const override {
@@ -524,7 +527,7 @@ class MockQuicConnectionHelper : public QuicConnectionHelperInterface {
 
  private:
   MockClock clock_;
-  MockRandom random_generator_;
+  testing::NiceMock<MockRandom> random_generator_;
   quiche::SimpleBufferAllocator buffer_allocator_;
 };
 
@@ -719,6 +722,19 @@ class MockQuicConnection : public QuicConnection {
                                        QuicStreamOffset offset) {
     return QuicConnection::SendCryptoData(level, write_length, offset);
   }
+
+  MockConnectionIdGenerator& connection_id_generator() {
+    return connection_id_generator_;
+  }
+
+ private:
+  // It would be more correct to pass the generator as an argument to the
+  // constructor, particularly in dispatcher tests that keep their own
+  // reference to a generator. But there are many, many instances of derived
+  // test classes that would have to declare a generator. As this object is
+  // public, it is straightforward for the caller to use it as an argument to
+  // EXPECT_CALL.
+  MockConnectionIdGenerator connection_id_generator_;
 };
 
 class PacketSavingConnection : public MockQuicConnection {
@@ -2084,6 +2100,46 @@ class SavingHttp3DatagramVisitor : public QuicSpdyStream::Http3DatagramVisitor {
   std::vector<SavedHttp3Datagram> received_h3_datagrams_;
 };
 
+// Implementation of ConnectIpVisitor which saves all received capsules.
+class SavingConnectIpVisitor : public QuicSpdyStream::ConnectIpVisitor {
+ public:
+  const std::vector<AddressAssignCapsule>& received_address_assign_capsules()
+      const {
+    return received_address_assign_capsules_;
+  }
+  const std::vector<AddressRequestCapsule>& received_address_request_capsules()
+      const {
+    return received_address_request_capsules_;
+  }
+  const std::vector<RouteAdvertisementCapsule>&
+  received_route_advertisement_capsules() const {
+    return received_route_advertisement_capsules_;
+  }
+  bool headers_written() const { return headers_written_; }
+
+  // From QuicSpdyStream::ConnectIpVisitor.
+  bool OnAddressAssignCapsule(const AddressAssignCapsule& capsule) override {
+    received_address_assign_capsules_.push_back(capsule);
+    return true;
+  }
+  bool OnAddressRequestCapsule(const AddressRequestCapsule& capsule) override {
+    received_address_request_capsules_.push_back(capsule);
+    return true;
+  }
+  bool OnRouteAdvertisementCapsule(
+      const RouteAdvertisementCapsule& capsule) override {
+    received_route_advertisement_capsules_.push_back(capsule);
+    return true;
+  }
+  void OnHeadersWritten() override { headers_written_ = true; }
+
+ private:
+  std::vector<AddressAssignCapsule> received_address_assign_capsules_;
+  std::vector<AddressRequestCapsule> received_address_request_capsules_;
+  std::vector<RouteAdvertisementCapsule> received_route_advertisement_capsules_;
+  bool headers_written_ = false;
+};
+
 inline std::string EscapeTestParamName(absl::string_view name) {
   std::string result(name);
   // Escape all characters that are not allowed by gtest ([a-zA-Z0-9_]).
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint.cc
index 64005ece38f..8438432e012 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint.cc
@@ -34,7 +34,8 @@ QuicEndpoint::QuicEndpoint(Simulator* simulator, std::string name,
   connection_ = std::make_unique<QuicConnection>(
       connection_id, GetAddressFromName(name), GetAddressFromName(peer_name),
       simulator, simulator->GetAlarmFactory(), &writer_, false, perspective,
-      ParsedVersionOfIndex(CurrentSupportedVersions(), 0));
+      ParsedVersionOfIndex(CurrentSupportedVersions(), 0),
+      connection_id_generator_);
   connection_->set_visitor(this);
   connection_->SetEncrypter(ENCRYPTION_FORWARD_SECURE,
                             std::make_unique<NullEncrypter>(perspective));
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint.h
index 7654d89f64d..99b39152fbf 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint.h
@@ -109,6 +109,10 @@ class QuicEndpoint : public QuicEndpointBase,
     return false;
   }
   void OnBandwidthUpdateTimeout() override {}
+  std::unique_ptr<QuicPathValidationContext> CreateContextForMultiPortPath()
+      override {
+    return nullptr;
+  }
 
   // End QuicConnectionVisitorInterface implementation.
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint_base.h b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint_base.h
index 8eece0bc06a..540b2852bc8 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint_base.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint_base.h
@@ -15,6 +15,7 @@
 #include "quiche/quic/core/quic_packets.h"
 #include "quiche/quic/core/quic_stream_frame_data_producer.h"
 #include "quiche/quic/core/quic_trace_visitor.h"
+#include "quiche/quic/test_tools/mock_connection_id_generator.h"
 #include "quiche/quic/test_tools/simple_session_notifier.h"
 #include "quiche/quic/test_tools/simulator/link.h"
 #include "quiche/quic/test_tools/simulator/queue.h"
@@ -127,6 +128,8 @@ class QuicEndpointBase : public Endpoint,
   bool drop_next_packet_;
 
   std::unique_ptr<QuicTraceVisitor> trace_visitor_;
+
+  test::MockConnectionIdGenerator connection_id_generator_;
 };
 
 // Multiplexes multiple connections at the same host on the network.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint_test.cc
index 5850a8bdef5..c247eb52aac 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/quic_endpoint_test.cc
@@ -104,7 +104,7 @@ TEST_F(QuicEndpointTest, WriteBlocked) {
       .WillRepeatedly(Return(10 * kDefaultBandwidth));
   EXPECT_CALL(*sender, GetCongestionWindow())
       .WillRepeatedly(Return(kMaxOutgoingPacketSize *
-                             GetQuicFlag(FLAGS_quic_max_congestion_window)));
+                             GetQuicFlag(quic_max_congestion_window)));
   test::QuicConnectionPeer::SetSendAlgorithm(endpoint_a.connection(), sender);
 
   // First transmit a small, packet-size chunk of data.
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/test_harness.cc b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/test_harness.cc
index e3af48e2201..1dfc8a2470e 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/test_harness.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/test_tools/simulator/test_harness.cc
@@ -18,8 +18,8 @@ QuicEndpointWithConnection::QuicEndpointWithConnection(
   connection_ = std::make_unique<QuicConnection>(
       quic::test::TestConnectionId(0x10), GetAddressFromName(name),
       GetAddressFromName(peer_name), simulator, simulator->GetAlarmFactory(),
-      &writer_,
-      /*owns_writer=*/false, perspective, supported_versions);
+      &writer_, /*owns_writer=*/false, perspective, supported_versions,
+      connection_id_generator_);
   connection_->SetSelfAddress(GetAddressFromName(name));
 }
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_server_backend.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_server_backend.cc
index baee9c165c4..646f57520e4 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_server_backend.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_server_backend.cc
@@ -10,7 +10,8 @@
 
 #include "absl/container/flat_hash_set.h"
 #include "absl/strings/string_view.h"
-#include "quiche/quic/core/io/socket_factory.h"
+#include "quiche/quic/core/quic_server_id.h"
+#include "quiche/quic/core/socket_factory.h"
 #include "quiche/quic/tools/connect_tunnel.h"
 #include "quiche/quic/tools/quic_simple_server_backend.h"
 #include "quiche/common/platform/api/quiche_bug_tracker.h"
@@ -34,7 +35,7 @@ void SendErrorResponse(QuicSimpleServerBackend::RequestHandler* request_handler,
 
 ConnectServerBackend::ConnectServerBackend(
     std::unique_ptr<QuicSimpleServerBackend> non_connect_backend,
-    absl::flat_hash_set<ConnectTunnel::HostAndPort> acceptable_destinations)
+    absl::flat_hash_set<QuicServerId> acceptable_destinations)
     : non_connect_backend_(std::move(non_connect_backend)),
       acceptable_destinations_(std::move(acceptable_destinations)) {
   QUICHE_DCHECK(non_connect_backend_);
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_server_backend.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_server_backend.h
index a1cd843b6f8..10eb7c555c2 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_server_backend.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_server_backend.h
@@ -12,8 +12,8 @@
 
 #include "absl/container/flat_hash_map.h"
 #include "absl/container/flat_hash_set.h"
-#include "quiche/quic/core/io/socket_factory.h"
-#include "quiche/quic/core/quic_types.h"
+#include "quiche/quic/core/quic_server_id.h"
+#include "quiche/quic/core/socket_factory.h"
 #include "quiche/quic/tools/connect_tunnel.h"
 #include "quiche/quic/tools/quic_simple_server_backend.h"
 
@@ -25,7 +25,7 @@ class ConnectServerBackend : public QuicSimpleServerBackend {
  public:
   ConnectServerBackend(
       std::unique_ptr<QuicSimpleServerBackend> non_connect_backend,
-      absl::flat_hash_set<ConnectTunnel::HostAndPort> acceptable_destinations);
+      absl::flat_hash_set<QuicServerId> acceptable_destinations);
 
   ConnectServerBackend(const ConnectServerBackend&) = delete;
   ConnectServerBackend& operator=(const ConnectServerBackend&) = delete;
@@ -48,8 +48,7 @@ class ConnectServerBackend : public QuicSimpleServerBackend {
 
  private:
   std::unique_ptr<QuicSimpleServerBackend> non_connect_backend_;
-  const absl::flat_hash_set<ConnectTunnel::HostAndPort>
-      acceptable_destinations_;
+  const absl::flat_hash_set<QuicServerId> acceptable_destinations_;
 
   SocketFactory* socket_factory_;  // unowned
   absl::flat_hash_map<QuicStreamId, std::unique_ptr<ConnectTunnel>> tunnels_;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel.cc
index ef2a5eb00b9..d31e5403eec 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel.cc
@@ -5,7 +5,6 @@
 #include "quiche/quic/tools/connect_tunnel.h"
 
 #include <cstdint>
-#include <limits>
 #include <string>
 #include <utility>
 #include <vector>
@@ -17,12 +16,12 @@
 #include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
 #include "absl/types/span.h"
-#include "url/third_party/mozilla/url_parse.h"
-#include "quiche/quic/core/io/socket_factory.h"
 #include "quiche/quic/core/quic_error_codes.h"
+#include "quiche/quic/core/quic_server_id.h"
+#include "quiche/quic/core/socket_factory.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/quic/tools/quic_backend_response.h"
-#include "quiche/quic/tools/quic_client.h"
+#include "quiche/quic/tools/quic_name_lookup.h"
 #include "quiche/quic/tools/quic_simple_server_backend.h"
 #include "quiche/common/platform/api/quiche_logging.h"
 #include "quiche/common/platform/api/quiche_mem_slice.h"
@@ -35,57 +34,7 @@ namespace {
 // Arbitrarily chosen. No effort has been made to figure out an optimal size.
 constexpr size_t kReadSize = 4 * 1024;
 
-absl::optional<ConnectTunnel::HostAndPort> ValidateAndParseAuthorityString(
-    absl::string_view authority_string) {
-  url::Component username_component;
-  url::Component password_component;
-  url::Component host_component;
-  url::Component port_component;
-
-  url::ParseAuthority(authority_string.data(),
-                      url::Component(0, authority_string.size()),
-                      &username_component, &password_component, &host_component,
-                      &port_component);
-
-  // A valid CONNECT authority must contain host and port and nothing else, per
-  // https://www.rfc-editor.org/rfc/rfc9110.html#name-connect.
-  if (username_component.is_valid() || password_component.is_valid() ||
-      !host_component.is_nonempty() || !port_component.is_nonempty()) {
-    QUICHE_DVLOG(1) << "CONNECT request authority is malformed: "
-                    << authority_string;
-    return absl::nullopt;
-  }
-
-  QUICHE_DCHECK_LT(static_cast<size_t>(host_component.end()),
-                   authority_string.length());
-  if (authority_string.length() > 2 &&
-      authority_string.data()[host_component.begin] == '[' &&
-      authority_string.data()[host_component.end() - 1] == ']') {
-    // Strip "[]" off IPv6 literals.
-    host_component.begin += 1;
-    host_component.len -= 2;
-  }
-  std::string hostname(authority_string.data() + host_component.begin,
-                       host_component.len);
-
-  int parsed_port_number =
-      url::ParsePort(authority_string.data(), port_component);
-  // Negative result is either invalid or unspecified, either of which is
-  // disallowed for a CONNECT authority. Port 0 is technically valid but
-  // reserved and not really usable in practice, so easiest to just disallow it
-  // here.
-  if (parsed_port_number <= 0) {
-    QUICHE_DVLOG(1) << "CONNECT request authority port is malformed: "
-                    << authority_string;
-    return absl::nullopt;
-  }
-  QUICHE_DCHECK_LE(parsed_port_number, std::numeric_limits<uint16_t>::max());
-
-  return ConnectTunnel::HostAndPort(std::move(hostname),
-                                    static_cast<uint16_t>(parsed_port_number));
-}
-
-absl::optional<ConnectTunnel::HostAndPort> ValidateHeadersAndGetAuthority(
+absl::optional<QuicServerId> ValidateHeadersAndGetAuthority(
     const spdy::Http2HeaderBlock& request_headers) {
   QUICHE_DCHECK(request_headers.contains(":method"));
   QUICHE_DCHECK(request_headers.find(":method")->second == "CONNECT");
@@ -111,35 +60,39 @@ absl::optional<ConnectTunnel::HostAndPort> ValidateHeadersAndGetAuthority(
     return absl::nullopt;
   }
 
-  return ValidateAndParseAuthorityString(authority_it->second);
+  // A valid CONNECT authority must contain host and port and nothing else, per
+  // https://www.rfc-editor.org/rfc/rfc9110.html#name-connect. This matches the
+  // host and port parsing rules for QuicServerId.
+  absl::optional<QuicServerId> server_id =
+      QuicServerId::ParseFromHostPortString(authority_it->second);
+  if (!server_id.has_value()) {
+    QUICHE_DVLOG(1) << "CONNECT request authority is malformed: "
+                    << authority_it->second;
+    return absl::nullopt;
+  }
+
+  return server_id;
 }
 
-bool ValidateAuthority(const ConnectTunnel::HostAndPort& authority,
-                       const absl::flat_hash_set<ConnectTunnel::HostAndPort>&
-                           acceptable_destinations) {
+bool ValidateAuthority(
+    const QuicServerId& authority,
+    const absl::flat_hash_set<QuicServerId>& acceptable_destinations) {
   if (acceptable_destinations.contains(authority)) {
     return true;
   }
 
   QUICHE_DVLOG(1) << "CONNECT request authority: "
-                  << absl::StrCat(authority.host, ":", authority.port)
+                  << authority.ToHostPortString()
                   << " is not an acceptable allow-listed destiation ";
   return false;
 }
 
 }  // namespace
 
-ConnectTunnel::HostAndPort::HostAndPort(std::string host, uint16_t port)
-    : host(std::move(host)), port(port) {}
-
-bool ConnectTunnel::HostAndPort::operator==(const HostAndPort& other) const {
-  return host == other.host && port == other.port;
-}
-
 ConnectTunnel::ConnectTunnel(
     QuicSimpleServerBackend::RequestHandler* client_stream_request_handler,
     SocketFactory* socket_factory,
-    absl::flat_hash_set<HostAndPort> acceptable_destinations)
+    absl::flat_hash_set<QuicServerId> acceptable_destinations)
     : acceptable_destinations_(std::move(acceptable_destinations)),
       socket_factory_(socket_factory),
       client_stream_request_handler_(client_stream_request_handler) {
@@ -158,9 +111,9 @@ ConnectTunnel::~ConnectTunnel() {
 void ConnectTunnel::OpenTunnel(const spdy::Http2HeaderBlock& request_headers) {
   QUICHE_DCHECK(!IsConnectedToDestination());
 
-  absl::optional<HostAndPort> authority =
+  absl::optional<QuicServerId> authority =
       ValidateHeadersAndGetAuthority(request_headers);
-  if (!authority) {
+  if (!authority.has_value()) {
     TerminateClientStream(
         "invalid request headers",
         QuicResetStreamError::FromIetf(QuicHttp3ErrorCode::MESSAGE_ERROR));
@@ -174,8 +127,8 @@ void ConnectTunnel::OpenTunnel(const spdy::Http2HeaderBlock& request_headers) {
     return;
   }
 
-  QuicSocketAddress address = tools::LookupAddress(
-      AF_UNSPEC, authority->host, absl::StrCat(authority->port));
+  QuicSocketAddress address =
+      tools::LookupAddress(AF_UNSPEC, authority.value());
   if (!address.IsInitialized()) {
     TerminateClientStream("host resolution error");
     return;
@@ -198,7 +151,7 @@ void ConnectTunnel::OpenTunnel(const spdy::Http2HeaderBlock& request_headers) {
 
   QUICHE_DVLOG(1) << "CONNECT tunnel opened from stream "
                   << client_stream_request_handler_->stream_id() << " to "
-                  << authority->host << ":" << authority->port;
+                  << authority.value().ToHostPortString();
 
   SendConnectResponse();
   BeginAsyncReadFromDestination();
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel.h
index d18d63fef13..259f12542e3 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel.h
@@ -14,9 +14,10 @@
 #include "absl/status/status.h"
 #include "absl/status/statusor.h"
 #include "absl/strings/string_view.h"
-#include "quiche/quic/core/io/socket_factory.h"
-#include "quiche/quic/core/io/stream_client_socket.h"
+#include "quiche/quic/core/connecting_client_socket.h"
 #include "quiche/quic/core/quic_error_codes.h"
+#include "quiche/quic/core/quic_server_id.h"
+#include "quiche/quic/core/socket_factory.h"
 #include "quiche/quic/tools/quic_simple_server_backend.h"
 #include "quiche/common/platform/api/quiche_mem_slice.h"
 #include "quiche/spdy/core/http2_header_block.h"
@@ -24,28 +25,14 @@
 namespace quic {
 
 // Manages a single connection tunneled over a CONNECT proxy.
-class ConnectTunnel : public StreamClientSocket::AsyncVisitor {
+class ConnectTunnel : public ConnectingClientSocket::AsyncVisitor {
  public:
-  struct HostAndPort {
-    HostAndPort(std::string host, uint16_t port);
-
-    bool operator==(const HostAndPort& other) const;
-
-    template <typename H>
-    friend H AbslHashValue(H h, const HostAndPort& host_and_port) {
-      return H::combine(std::move(h), host_and_port.host, host_and_port.port);
-    }
-
-    std::string host;
-    uint16_t port;
-  };
-
   // `client_stream_request_handler` and `socket_factory` must both outlive the
   // created ConnectTunnel.
   ConnectTunnel(
       QuicSimpleServerBackend::RequestHandler* client_stream_request_handler,
       SocketFactory* socket_factory,
-      absl::flat_hash_set<HostAndPort> acceptable_destinations);
+      absl::flat_hash_set<QuicServerId> acceptable_destinations);
   ~ConnectTunnel();
   ConnectTunnel(const ConnectTunnel&) = delete;
   ConnectTunnel& operator=(const ConnectTunnel&) = delete;
@@ -66,7 +53,7 @@ class ConnectTunnel : public StreamClientSocket::AsyncVisitor {
   // interacted with after completion.
   void OnClientStreamClose();
 
-  // StreamClientSocket::AsyncVisitor:
+  // ConnectingClientSocket::AsyncVisitor:
   void ConnectComplete(absl::Status status) override;
   void ReceiveComplete(absl::StatusOr<quiche::QuicheMemSlice> data) override;
   void SendComplete(absl::Status status) override;
@@ -85,14 +72,14 @@ class ConnectTunnel : public StreamClientSocket::AsyncVisitor {
       QuicResetStreamError error_code =
           QuicResetStreamError::FromIetf(QuicHttp3ErrorCode::CONNECT_ERROR));
 
-  const absl::flat_hash_set<HostAndPort> acceptable_destinations_;
+  const absl::flat_hash_set<QuicServerId> acceptable_destinations_;
   SocketFactory* const socket_factory_;
 
   // Null when client stream closed.
   QuicSimpleServerBackend::RequestHandler* client_stream_request_handler_;
 
   // Null when destination connection disconnected.
-  std::unique_ptr<StreamClientSocket> destination_socket_;
+  std::unique_ptr<ConnectingClientSocket> destination_socket_;
 
   bool receive_started_ = false;
 };
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel_test.cc
index a9d4c1dae8b..379da7c4923 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_tunnel_test.cc
@@ -12,11 +12,11 @@
 #include "absl/status/statusor.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
-#include "quiche/quic/core/io/socket_factory.h"
-#include "quiche/quic/core/io/stream_client_socket.h"
+#include "quiche/quic/core/connecting_client_socket.h"
 #include "quiche/quic/core/quic_connection_id.h"
 #include "quiche/quic/core/quic_error_codes.h"
 #include "quiche/quic/core/quic_types.h"
+#include "quiche/quic/core/socket_factory.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/quic/platform/api/quic_test_loopback.h"
 #include "quiche/quic/test_tools/quic_test_utils.h"
@@ -53,6 +53,7 @@ class MockRequestHandler : public QuicSimpleServerBackend::RequestHandler {
   QuicStreamId stream_id() const override { return 100; }
   std::string peer_host() const override { return "127.0.0.1"; }
 
+  MOCK_METHOD(QuicSpdyStream*, GetStream, (), (override));
   MOCK_METHOD(void, OnResponseBackendComplete,
               (const QuicBackendResponse* response), (override));
   MOCK_METHOD(void, SendStreamData, (absl::string_view data, bool close_stream),
@@ -63,19 +64,28 @@ class MockRequestHandler : public QuicSimpleServerBackend::RequestHandler {
 
 class MockSocketFactory : public SocketFactory {
  public:
-  MOCK_METHOD(std::unique_ptr<StreamClientSocket>, CreateTcpClientSocket,
+  MOCK_METHOD(std::unique_ptr<ConnectingClientSocket>, CreateTcpClientSocket,
               (const quic::QuicSocketAddress& peer_address,
                QuicByteCount receive_buffer_size,
                QuicByteCount send_buffer_size,
-               StreamClientSocket::AsyncVisitor* async_visitor),
+               ConnectingClientSocket::AsyncVisitor* async_visitor),
+              (override));
+  MOCK_METHOD(std::unique_ptr<ConnectingClientSocket>,
+              CreateConnectingUdpClientSocket,
+              (const quic::QuicSocketAddress& peer_address,
+               QuicByteCount receive_buffer_size,
+               QuicByteCount send_buffer_size,
+               ConnectingClientSocket::AsyncVisitor* async_visitor),
               (override));
 };
 
-class MockSocket : public StreamClientSocket {
+class MockSocket : public ConnectingClientSocket {
  public:
   MOCK_METHOD(absl::Status, ConnectBlocking, (), (override));
   MOCK_METHOD(void, ConnectAsync, (), (override));
   MOCK_METHOD(void, Disconnect, (), (override));
+  MOCK_METHOD(absl::StatusOr<QuicSocketAddress>, GetLocalAddress, (),
+              (override));
   MOCK_METHOD(absl::StatusOr<quiche::QuicheMemSlice>, ReceiveBlocking,
               (QuicByteCount max_size), (override));
   MOCK_METHOD(void, ReceiveAsync, (QuicByteCount max_size), (override));
@@ -107,12 +117,13 @@ class ConnectTunnelTest : public quiche::test::QuicheTest {
   NiceMock<MockSocketFactory> socket_factory_;
   StrictMock<MockSocket>* socket_;
 
-  ConnectTunnel tunnel_{&request_handler_,
-                        &socket_factory_,
-                        /*acceptable_destinations=*/
-                        {{std::string(kAcceptableDestination), kAcceptablePort},
-                         {TestLoopback4().ToString(), kAcceptablePort},
-                         {TestLoopback6().ToString(), kAcceptablePort}}};
+  ConnectTunnel tunnel_{
+      &request_handler_,
+      &socket_factory_,
+      /*acceptable_destinations=*/
+      {{std::string(kAcceptableDestination), kAcceptablePort},
+       {TestLoopback4().ToString(), kAcceptablePort},
+       {absl::StrCat("[", TestLoopback6().ToString(), "]"), kAcceptablePort}}};
 };
 
 TEST_F(ConnectTunnelTest, OpenTunnel) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_udp_tunnel.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_udp_tunnel.cc
new file mode 100644
index 00000000000..ebeef8bb236
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_udp_tunnel.cc
@@ -0,0 +1,424 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "quiche/quic/tools/connect_udp_tunnel.h"
+
+#include <cstdint>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "absl/container/flat_hash_set.h"
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/numbers.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/str_split.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
+#include "absl/types/span.h"
+#include "url/url_canon.h"
+#include "quiche/quic/core/quic_error_codes.h"
+#include "quiche/quic/core/quic_server_id.h"
+#include "quiche/quic/core/socket_factory.h"
+#include "quiche/quic/platform/api/quic_socket_address.h"
+#include "quiche/quic/tools/quic_backend_response.h"
+#include "quiche/quic/tools/quic_name_lookup.h"
+#include "quiche/quic/tools/quic_simple_server_backend.h"
+#include "quiche/common/masque/connect_udp_datagram_payload.h"
+#include "quiche/common/platform/api/quiche_logging.h"
+#include "quiche/common/platform/api/quiche_mem_slice.h"
+#include "quiche/common/platform/api/quiche_url_utils.h"
+#include "quiche/common/structured_headers.h"
+#include "quiche/spdy/core/http2_header_block.h"
+
+namespace quic {
+
+namespace structured_headers = quiche::structured_headers;
+
+namespace {
+
+// Arbitrarily chosen. No effort has been made to figure out an optimal size.
+constexpr size_t kReadSize = 4 * 1024;
+
+// Only support the default path
+// ("/.well-known/masque/udp/{target_host}/{target_port}/")
+absl::optional<QuicServerId> ValidateAndParseTargetFromPath(
+    absl::string_view path) {
+  std::string canonicalized_path_str;
+  url::StdStringCanonOutput canon_output(&canonicalized_path_str);
+  url::Component path_component;
+  url::CanonicalizePath(path.data(), url::Component(0, path.size()),
+                        &canon_output, &path_component);
+  if (!path_component.is_nonempty()) {
+    QUICHE_DVLOG(1) << "CONNECT-UDP request with non-canonicalizable path: "
+                    << path;
+    return absl::nullopt;
+  }
+  canon_output.Complete();
+  absl::string_view canonicalized_path =
+      absl::string_view(canonicalized_path_str)
+          .substr(path_component.begin, path_component.len);
+
+  std::vector<absl::string_view> path_split =
+      absl::StrSplit(canonicalized_path, '/');
+  if (path_split.size() != 7 || !path_split[0].empty() ||
+      path_split[1] != ".well-known" || path_split[2] != "masque" ||
+      path_split[3] != "udp" || path_split[4].empty() ||
+      path_split[5].empty() || !path_split[6].empty()) {
+    QUICHE_DVLOG(1) << "CONNECT-UDP request with bad path: "
+                    << canonicalized_path;
+    return absl::nullopt;
+  }
+
+  absl::optional<std::string> decoded_host =
+      quiche::AsciiUrlDecode(path_split[4]);
+  if (!decoded_host.has_value()) {
+    QUICHE_DVLOG(1) << "CONNECT-UDP request with undecodable host: "
+                    << path_split[4];
+    return absl::nullopt;
+  }
+  // Empty host checked above after path split. Expect decoding to never result
+  // in an empty decoded host from non-empty encoded host.
+  QUICHE_DCHECK(!decoded_host.value().empty());
+
+  absl::optional<std::string> decoded_port =
+      quiche::AsciiUrlDecode(path_split[5]);
+  if (!decoded_port.has_value()) {
+    QUICHE_DVLOG(1) << "CONNECT-UDP request with undecodable port: "
+                    << path_split[5];
+    return absl::nullopt;
+  }
+  // Empty port checked above after path split. Expect decoding to never result
+  // in an empty decoded port from non-empty encoded port.
+  QUICHE_DCHECK(!decoded_port.value().empty());
+
+  int parsed_port_number =
+      url::ParsePort(decoded_port.value().data(),
+                     url::Component(0, decoded_port.value().size()));
+  // Negative result is either invalid or unspecified, either of which is
+  // disallowed for this parse. Port 0 is technically valid but reserved and not
+  // really usable in practice, so easiest to just disallow it here.
+  if (parsed_port_number <= 0) {
+    QUICHE_DVLOG(1) << "CONNECT-UDP request with bad port: "
+                    << decoded_port.value();
+    return absl::nullopt;
+  }
+  // Expect url::ParsePort() to validate port is uint16_t and otherwise return
+  // negative number checked for above.
+  QUICHE_DCHECK_LE(parsed_port_number, std::numeric_limits<uint16_t>::max());
+
+  return QuicServerId(decoded_host.value(),
+                      static_cast<uint16_t>(parsed_port_number));
+}
+
+// Validate header expectations from RFC 9298, section 3.4.
+absl::optional<QuicServerId> ValidateHeadersAndGetTarget(
+    const spdy::Http2HeaderBlock& request_headers) {
+  QUICHE_DCHECK(request_headers.contains(":method"));
+  QUICHE_DCHECK(request_headers.find(":method")->second == "CONNECT");
+  QUICHE_DCHECK(request_headers.contains(":protocol"));
+  QUICHE_DCHECK(request_headers.find(":protocol")->second == "connect-udp");
+
+  auto authority_it = request_headers.find(":authority");
+  if (authority_it == request_headers.end() || authority_it->second.empty()) {
+    QUICHE_DVLOG(1) << "CONNECT-UDP request missing authority";
+    return absl::nullopt;
+  }
+  // For toy server simplicity, skip validating that the authority matches the
+  // current server.
+
+  auto scheme_it = request_headers.find(":scheme");
+  if (scheme_it == request_headers.end() || scheme_it->second.empty()) {
+    QUICHE_DVLOG(1) << "CONNECT-UDP request missing scheme";
+    return absl::nullopt;
+  } else if (scheme_it->second != "https") {
+    QUICHE_DVLOG(1) << "CONNECT-UDP request contains unexpected scheme: "
+                    << scheme_it->second;
+    return absl::nullopt;
+  }
+
+  auto path_it = request_headers.find(":path");
+  if (path_it == request_headers.end() || path_it->second.empty()) {
+    QUICHE_DVLOG(1) << "CONNECT-UDP request missing path";
+    return absl::nullopt;
+  }
+  absl::optional<QuicServerId> target_server_id =
+      ValidateAndParseTargetFromPath(path_it->second);
+
+  return target_server_id;
+}
+
+bool ValidateTarget(
+    const QuicServerId& target,
+    const absl::flat_hash_set<QuicServerId>& acceptable_targets) {
+  if (acceptable_targets.contains(target)) {
+    return true;
+  }
+
+  QUICHE_DVLOG(1)
+      << "CONNECT-UDP request target is not an acceptable allow-listed target: "
+      << target.ToHostPortString();
+  return false;
+}
+
+}  // namespace
+
+ConnectUdpTunnel::ConnectUdpTunnel(
+    QuicSimpleServerBackend::RequestHandler* client_stream_request_handler,
+    SocketFactory* socket_factory, uint64_t server_label,
+    absl::flat_hash_set<QuicServerId> acceptable_targets)
+    : acceptable_targets_(std::move(acceptable_targets)),
+      socket_factory_(socket_factory),
+      server_label_(server_label),
+      client_stream_request_handler_(client_stream_request_handler) {
+  QUICHE_DCHECK(client_stream_request_handler_);
+  QUICHE_DCHECK(socket_factory_);
+}
+
+ConnectUdpTunnel::~ConnectUdpTunnel() {
+  // Expect client and target sides of tunnel to both be closed before
+  // destruction.
+  QUICHE_DCHECK(!IsTunnelOpenToTarget());
+  QUICHE_DCHECK(!receive_started_);
+  QUICHE_DCHECK(!datagram_visitor_registered_);
+}
+
+void ConnectUdpTunnel::OpenTunnel(
+    const spdy::Http2HeaderBlock& request_headers) {
+  QUICHE_DCHECK(!IsTunnelOpenToTarget());
+
+  absl::optional<QuicServerId> target =
+      ValidateHeadersAndGetTarget(request_headers);
+  if (!target.has_value()) {
+    // Malformed request.
+    TerminateClientStream(
+        "invalid request headers",
+        QuicResetStreamError::FromIetf(QuicHttp3ErrorCode::MESSAGE_ERROR));
+    return;
+  }
+
+  if (!ValidateTarget(target.value(), acceptable_targets_)) {
+    SendErrorResponse("403", "destination_ip_prohibited",
+                      "disallowed proxy target");
+    return;
+  }
+
+  // TODO(ericorth): Validate that the IP address doesn't fall into diallowed
+  // ranges per RFC 9298, Section 7.
+  QuicSocketAddress address = tools::LookupAddress(AF_UNSPEC, target.value());
+  if (!address.IsInitialized()) {
+    SendErrorResponse("500", "dns_error", "host resolution error");
+    return;
+  }
+
+  target_socket_ = socket_factory_->CreateConnectingUdpClientSocket(
+      address,
+      /*receive_buffer_size=*/0,
+      /*send_buffer_size=*/0,
+      /*async_visitor=*/this);
+  QUICHE_DCHECK(target_socket_);
+
+  absl::Status connect_result = target_socket_->ConnectBlocking();
+  if (!connect_result.ok()) {
+    SendErrorResponse(
+        "502", "destination_ip_unroutable",
+        absl::StrCat("UDP socket error: ", connect_result.ToString()));
+    return;
+  }
+
+  QUICHE_DVLOG(1) << "CONNECT-UDP tunnel opened from stream "
+                  << client_stream_request_handler_->stream_id() << " to "
+                  << target.value().ToHostPortString();
+
+  client_stream_request_handler_->GetStream()->RegisterHttp3DatagramVisitor(
+      this);
+  datagram_visitor_registered_ = true;
+
+  SendConnectResponse();
+  BeginAsyncReadFromTarget();
+}
+
+bool ConnectUdpTunnel::IsTunnelOpenToTarget() const { return !!target_socket_; }
+
+void ConnectUdpTunnel::OnClientStreamClose() {
+  QUICHE_CHECK(client_stream_request_handler_);
+
+  QUICHE_DVLOG(1) << "CONNECT-UDP stream "
+                  << client_stream_request_handler_->stream_id() << " closed";
+
+  if (datagram_visitor_registered_) {
+    client_stream_request_handler_->GetStream()
+        ->UnregisterHttp3DatagramVisitor();
+    datagram_visitor_registered_ = false;
+  }
+  client_stream_request_handler_ = nullptr;
+
+  if (IsTunnelOpenToTarget()) {
+    target_socket_->Disconnect();
+  }
+
+  // Clear socket pointer.
+  target_socket_.reset();
+}
+
+void ConnectUdpTunnel::ConnectComplete(absl::Status /*status*/) {
+  // Async connect not expected.
+  QUICHE_NOTREACHED();
+}
+
+void ConnectUdpTunnel::ReceiveComplete(
+    absl::StatusOr<quiche::QuicheMemSlice> data) {
+  QUICHE_DCHECK(IsTunnelOpenToTarget());
+  QUICHE_DCHECK(receive_started_);
+
+  receive_started_ = false;
+
+  if (!data.ok()) {
+    if (client_stream_request_handler_) {
+      QUICHE_LOG(WARNING) << "Error receiving CONNECT-UDP data from target: "
+                          << data.status();
+    } else {
+      // This typically just means a receive operation was cancelled on calling
+      // target_socket_->Disconnect().
+      QUICHE_DVLOG(1) << "Error receiving CONNECT-UDP data from target after "
+                         "stream already closed.";
+    }
+    return;
+  }
+
+  QUICHE_DCHECK(client_stream_request_handler_);
+  quiche::ConnectUdpDatagramUdpPacketPayload payload(
+      data.value().AsStringView());
+  client_stream_request_handler_->GetStream()->SendHttp3Datagram(
+      payload.Serialize());
+
+  BeginAsyncReadFromTarget();
+}
+
+void ConnectUdpTunnel::SendComplete(absl::Status /*status*/) {
+  // Async send not expected.
+  QUICHE_NOTREACHED();
+}
+
+void ConnectUdpTunnel::OnHttp3Datagram(QuicStreamId stream_id,
+                                       absl::string_view payload) {
+  QUICHE_DCHECK(IsTunnelOpenToTarget());
+  QUICHE_DCHECK_EQ(stream_id, client_stream_request_handler_->stream_id());
+  QUICHE_DCHECK(!payload.empty());
+
+  std::unique_ptr<quiche::ConnectUdpDatagramPayload> parsed_payload =
+      quiche::ConnectUdpDatagramPayload::Parse(payload);
+  if (!parsed_payload) {
+    QUICHE_DVLOG(1) << "Ignoring HTTP Datagram payload, due to inability to "
+                       "parse as CONNECT-UDP payload.";
+    return;
+  }
+
+  switch (parsed_payload->GetType()) {
+    case quiche::ConnectUdpDatagramPayload::Type::kUdpPacket:
+      SendUdpPacketToTarget(parsed_payload->GetUdpProxyingPayload());
+      break;
+    case quiche::ConnectUdpDatagramPayload::Type::kUnknown:
+      QUICHE_DVLOG(1)
+          << "Ignoring HTTP Datagram payload with unrecognized context ID.";
+  }
+}
+
+void ConnectUdpTunnel::BeginAsyncReadFromTarget() {
+  QUICHE_DCHECK(IsTunnelOpenToTarget());
+  QUICHE_DCHECK(client_stream_request_handler_);
+  QUICHE_DCHECK(!receive_started_);
+
+  receive_started_ = true;
+  target_socket_->ReceiveAsync(kReadSize);
+}
+
+void ConnectUdpTunnel::SendUdpPacketToTarget(absl::string_view packet) {
+  absl::Status send_result = target_socket_->SendBlocking(std::string(packet));
+  if (!send_result.ok()) {
+    QUICHE_LOG(WARNING) << "Error sending CONNECT-UDP datagram to target: "
+                        << send_result;
+  }
+}
+
+void ConnectUdpTunnel::SendConnectResponse() {
+  QUICHE_DCHECK(IsTunnelOpenToTarget());
+  QUICHE_DCHECK(client_stream_request_handler_);
+
+  spdy::Http2HeaderBlock response_headers;
+  response_headers[":status"] = "200";
+
+  absl::optional<std::string> capsule_protocol_value =
+      structured_headers::SerializeItem(structured_headers::Item(true));
+  QUICHE_CHECK(capsule_protocol_value.has_value());
+  response_headers["Capsule-Protocol"] = capsule_protocol_value.value();
+
+  QuicBackendResponse response;
+  response.set_headers(std::move(response_headers));
+  // Need to leave the stream open after sending the CONNECT response.
+  response.set_response_type(QuicBackendResponse::INCOMPLETE_RESPONSE);
+
+  client_stream_request_handler_->OnResponseBackendComplete(&response);
+}
+
+void ConnectUdpTunnel::SendErrorResponse(absl::string_view status,
+                                         absl::string_view proxy_status_error,
+                                         absl::string_view error_details) {
+  QUICHE_DCHECK(!status.empty());
+  QUICHE_DCHECK(!proxy_status_error.empty());
+  QUICHE_DCHECK(!error_details.empty());
+  QUICHE_DCHECK(client_stream_request_handler_);
+
+#ifndef NDEBUG
+  // Expect a valid status code (number, 100 to 599 inclusive) and not a
+  // Successful code (200 to 299 inclusive).
+  int status_num = 0;
+  bool is_num = absl::SimpleAtoi(status, &status_num);
+  QUICHE_DCHECK(is_num);
+  QUICHE_DCHECK_GE(status_num, 100);
+  QUICHE_DCHECK_LT(status_num, 600);
+  QUICHE_DCHECK(status_num < 200 || status_num >= 300);
+#endif  // !NDEBUG
+
+  spdy::Http2HeaderBlock headers;
+  headers[":status"] = status;
+
+  structured_headers::Item proxy_status_item(
+      absl::StrCat("QuicToyServer", server_label_));
+  structured_headers::Item proxy_status_error_item(
+      std::string{proxy_status_error});
+  structured_headers::Item proxy_status_details_item(
+      std::string{error_details});
+  structured_headers::ParameterizedMember proxy_status_member(
+      std::move(proxy_status_item),
+      {{"error", std::move(proxy_status_error_item)},
+       {"details", std::move(proxy_status_details_item)}});
+  absl::optional<std::string> proxy_status_value =
+      structured_headers::SerializeList({proxy_status_member});
+  QUICHE_CHECK(proxy_status_value.has_value());
+  headers["Proxy-Status"] = proxy_status_value.value();
+
+  QuicBackendResponse response;
+  response.set_headers(std::move(headers));
+
+  client_stream_request_handler_->OnResponseBackendComplete(&response);
+}
+
+void ConnectUdpTunnel::TerminateClientStream(
+    absl::string_view error_description, QuicResetStreamError error_code) {
+  QUICHE_DCHECK(client_stream_request_handler_);
+
+  std::string error_description_str =
+      error_description.empty() ? ""
+                                : absl::StrCat(" due to ", error_description);
+  QUICHE_DVLOG(1) << "Terminating CONNECT stream "
+                  << client_stream_request_handler_->stream_id()
+                  << " with error code " << error_code.ietf_application_code()
+                  << error_description_str;
+
+  client_stream_request_handler_->TerminateStreamWithError(error_code);
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_udp_tunnel.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_udp_tunnel.h
new file mode 100644
index 00000000000..f254b61b5d1
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_udp_tunnel.h
@@ -0,0 +1,97 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_TOOLS_CONNECT_TUNNEL_H_
+#define QUICHE_QUIC_TOOLS_CONNECT_TUNNEL_H_
+
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <utility>
+
+#include "absl/container/flat_hash_set.h"
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "quiche/quic/core/connecting_client_socket.h"
+#include "quiche/quic/core/http/quic_spdy_stream.h"
+#include "quiche/quic/core/quic_error_codes.h"
+#include "quiche/quic/core/quic_server_id.h"
+#include "quiche/quic/core/quic_types.h"
+#include "quiche/quic/core/socket_factory.h"
+#include "quiche/quic/tools/quic_simple_server_backend.h"
+#include "quiche/common/platform/api/quiche_mem_slice.h"
+#include "quiche/spdy/core/http2_header_block.h"
+
+namespace quic {
+
+// Manages a single UDP tunnel for a CONNECT-UDP proxy (see RFC 9298).
+class ConnectUdpTunnel : public ConnectingClientSocket::AsyncVisitor,
+                         public QuicSpdyStream::Http3DatagramVisitor {
+ public:
+  // `client_stream_request_handler` and `socket_factory` must both outlive the
+  // created ConnectUdpTunnel. `server_label` is an identifier (typically
+  // randomly generated) to indentify the server or backend in error headers,
+  // per the requirements of RFC 9209, Section 2.
+  ConnectUdpTunnel(
+      QuicSimpleServerBackend::RequestHandler* client_stream_request_handler,
+      SocketFactory* socket_factory, uint64_t server_label,
+      absl::flat_hash_set<QuicServerId> acceptable_targets);
+  ~ConnectUdpTunnel();
+  ConnectUdpTunnel(const ConnectUdpTunnel&) = delete;
+  ConnectUdpTunnel& operator=(const ConnectUdpTunnel&) = delete;
+
+  // Attempts to open UDP tunnel to target server and then sends appropriate
+  // success/error response to the request stream. `request_headers` must
+  // represent headers from a CONNECT-UDP request, that is ":method"="CONNECT"
+  // and ":protocol"="connect-udp".
+  void OpenTunnel(const spdy::Http2HeaderBlock& request_headers);
+
+  // Returns true iff the tunnel to the target server is currently open
+  bool IsTunnelOpenToTarget() const;
+
+  // Called when the client stream has been closed.  Tunnel to target
+  // server is closed if open.  The RequestHandler will no longer be
+  // interacted with after completion.
+  void OnClientStreamClose();
+
+  // ConnectingClientSocket::AsyncVisitor:
+  void ConnectComplete(absl::Status status) override;
+  void ReceiveComplete(absl::StatusOr<quiche::QuicheMemSlice> data) override;
+  void SendComplete(absl::Status status) override;
+
+  // QuicSpdyStream::Http3DatagramVisitor:
+  void OnHttp3Datagram(QuicStreamId stream_id,
+                       absl::string_view payload) override;
+
+ private:
+  void BeginAsyncReadFromTarget();
+  void OnDataReceivedFromTarget(bool success);
+
+  void SendUdpPacketToTarget(absl::string_view packet);
+
+  void SendConnectResponse();
+  void SendErrorResponse(absl::string_view status,
+                         absl::string_view proxy_status_error,
+                         absl::string_view error_details);
+  void TerminateClientStream(absl::string_view error_description,
+                             QuicResetStreamError error_code);
+
+  const absl::flat_hash_set<QuicServerId> acceptable_targets_;
+  SocketFactory* const socket_factory_;
+  const uint64_t server_label_;
+
+  // Null when client stream closed.
+  QuicSimpleServerBackend::RequestHandler* client_stream_request_handler_;
+
+  // Null when target connection disconnected.
+  std::unique_ptr<ConnectingClientSocket> target_socket_;
+
+  bool receive_started_ = false;
+  bool datagram_visitor_registered_ = false;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_TOOLS_CONNECT_TUNNEL_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_udp_tunnel_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_udp_tunnel_test.cc
new file mode 100644
index 00000000000..23b1c119cc1
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/connect_udp_tunnel_test.cc
@@ -0,0 +1,362 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "quiche/quic/tools/connect_udp_tunnel.h"
+
+#include <memory>
+#include <string>
+
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/string_view.h"
+#include "url/url_canon_stdstring.h"
+#include "url/url_util.h"
+#include "quiche/quic/core/connecting_client_socket.h"
+#include "quiche/quic/core/http/quic_spdy_stream.h"
+#include "quiche/quic/core/quic_connection_id.h"
+#include "quiche/quic/core/quic_error_codes.h"
+#include "quiche/quic/core/quic_types.h"
+#include "quiche/quic/core/socket_factory.h"
+#include "quiche/quic/platform/api/quic_socket_address.h"
+#include "quiche/quic/platform/api/quic_test_loopback.h"
+#include "quiche/quic/test_tools/quic_test_utils.h"
+#include "quiche/quic/tools/quic_simple_server_backend.h"
+#include "quiche/common/masque/connect_udp_datagram_payload.h"
+#include "quiche/common/platform/api/quiche_mem_slice.h"
+#include "quiche/common/platform/api/quiche_test.h"
+
+namespace quic::test {
+namespace {
+
+using ::testing::_;
+using ::testing::AnyOf;
+using ::testing::Eq;
+using ::testing::Ge;
+using ::testing::Gt;
+using ::testing::HasSubstr;
+using ::testing::InvokeWithoutArgs;
+using ::testing::IsEmpty;
+using ::testing::Matcher;
+using ::testing::NiceMock;
+using ::testing::Pair;
+using ::testing::Property;
+using ::testing::Return;
+using ::testing::StrictMock;
+using ::testing::UnorderedElementsAre;
+
+constexpr QuicStreamId kStreamId = 100;
+
+class MockStream : public QuicSpdyStream {
+ public:
+  explicit MockStream(QuicSpdySession* spdy_session)
+      : QuicSpdyStream(kStreamId, spdy_session, BIDIRECTIONAL) {}
+
+  void OnBodyAvailable() override {}
+
+  MOCK_METHOD(MessageStatus, SendHttp3Datagram, (absl::string_view data),
+              (override));
+};
+
+class MockRequestHandler : public QuicSimpleServerBackend::RequestHandler {
+ public:
+  QuicConnectionId connection_id() const override {
+    return TestConnectionId(41212);
+  }
+  QuicStreamId stream_id() const override { return kStreamId; }
+  std::string peer_host() const override { return "127.0.0.1"; }
+
+  MOCK_METHOD(QuicSpdyStream*, GetStream, (), (override));
+  MOCK_METHOD(void, OnResponseBackendComplete,
+              (const QuicBackendResponse* response), (override));
+  MOCK_METHOD(void, SendStreamData, (absl::string_view data, bool close_stream),
+              (override));
+  MOCK_METHOD(void, TerminateStreamWithError, (QuicResetStreamError error),
+              (override));
+};
+
+class MockSocketFactory : public SocketFactory {
+ public:
+  MOCK_METHOD(std::unique_ptr<ConnectingClientSocket>, CreateTcpClientSocket,
+              (const QuicSocketAddress& peer_address,
+               QuicByteCount receive_buffer_size,
+               QuicByteCount send_buffer_size,
+               ConnectingClientSocket::AsyncVisitor* async_visitor),
+              (override));
+  MOCK_METHOD(std::unique_ptr<ConnectingClientSocket>,
+              CreateConnectingUdpClientSocket,
+              (const QuicSocketAddress& peer_address,
+               QuicByteCount receive_buffer_size,
+               QuicByteCount send_buffer_size,
+               ConnectingClientSocket::AsyncVisitor* async_visitor),
+              (override));
+};
+
+class MockSocket : public ConnectingClientSocket {
+ public:
+  MOCK_METHOD(absl::Status, ConnectBlocking, (), (override));
+  MOCK_METHOD(void, ConnectAsync, (), (override));
+  MOCK_METHOD(void, Disconnect, (), (override));
+  MOCK_METHOD(absl::StatusOr<QuicSocketAddress>, GetLocalAddress, (),
+              (override));
+  MOCK_METHOD(absl::StatusOr<quiche::QuicheMemSlice>, ReceiveBlocking,
+              (QuicByteCount max_size), (override));
+  MOCK_METHOD(void, ReceiveAsync, (QuicByteCount max_size), (override));
+  MOCK_METHOD(absl::Status, SendBlocking, (std::string data), (override));
+  MOCK_METHOD(absl::Status, SendBlocking, (quiche::QuicheMemSlice data),
+              (override));
+  MOCK_METHOD(void, SendAsync, (std::string data), (override));
+  MOCK_METHOD(void, SendAsync, (quiche::QuicheMemSlice data), (override));
+};
+
+class ConnectUdpTunnelTest : public quiche::test::QuicheTest {
+ public:
+  void SetUp() override {
+    auto socket = std::make_unique<StrictMock<MockSocket>>();
+    socket_ = socket.get();
+    ON_CALL(socket_factory_,
+            CreateConnectingUdpClientSocket(
+                AnyOf(QuicSocketAddress(TestLoopback4(), kAcceptablePort),
+                      QuicSocketAddress(TestLoopback6(), kAcceptablePort)),
+                _, _, &tunnel_))
+        .WillByDefault(Return(ByMove(std::move(socket))));
+
+    EXPECT_CALL(request_handler_, GetStream()).WillRepeatedly(Return(&stream_));
+  }
+
+ protected:
+  static constexpr absl::string_view kAcceptableTarget = "localhost";
+  static constexpr uint16_t kAcceptablePort = 977;
+
+  NiceMock<MockQuicConnectionHelper> connection_helper_;
+  NiceMock<MockAlarmFactory> alarm_factory_;
+  NiceMock<MockQuicSpdySession> session_{new NiceMock<MockQuicConnection>(
+      &connection_helper_, &alarm_factory_, Perspective::IS_SERVER)};
+  StrictMock<MockStream> stream_{&session_};
+
+  StrictMock<MockRequestHandler> request_handler_;
+  NiceMock<MockSocketFactory> socket_factory_;
+  StrictMock<MockSocket>* socket_;
+
+  ConnectUdpTunnel tunnel_{
+      &request_handler_,
+      &socket_factory_,
+      /*server_label=*/123,
+      /*acceptable_targets=*/
+      {{std::string(kAcceptableTarget), kAcceptablePort},
+       {TestLoopback4().ToString(), kAcceptablePort},
+       {absl::StrCat("[", TestLoopback6().ToString(), "]"), kAcceptablePort}}};
+};
+
+TEST_F(ConnectUdpTunnelTest, OpenTunnel) {
+  EXPECT_CALL(*socket_, ConnectBlocking()).WillOnce(Return(absl::OkStatus()));
+  EXPECT_CALL(*socket_, ReceiveAsync(Gt(0)));
+  EXPECT_CALL(*socket_, Disconnect()).WillOnce(InvokeWithoutArgs([this]() {
+    tunnel_.ReceiveComplete(absl::CancelledError());
+  }));
+
+  EXPECT_CALL(
+      request_handler_,
+      OnResponseBackendComplete(
+          AllOf(Property(&QuicBackendResponse::response_type,
+                         QuicBackendResponse::INCOMPLETE_RESPONSE),
+                Property(&QuicBackendResponse::headers,
+                         UnorderedElementsAre(Pair(":status", "200"),
+                                              Pair("Capsule-Protocol", "?1"))),
+                Property(&QuicBackendResponse::trailers, IsEmpty()),
+                Property(&QuicBackendResponse::body, IsEmpty()))));
+
+  spdy::Http2HeaderBlock request_headers;
+  request_headers[":method"] = "CONNECT";
+  request_headers[":protocol"] = "connect-udp";
+  request_headers[":authority"] = "proxy.test";
+  request_headers[":scheme"] = "https";
+  request_headers[":path"] = absl::StrCat(
+      "/.well-known/masque/udp/", kAcceptableTarget, "/", kAcceptablePort, "/");
+
+  tunnel_.OpenTunnel(request_headers);
+  EXPECT_TRUE(tunnel_.IsTunnelOpenToTarget());
+  tunnel_.OnClientStreamClose();
+  EXPECT_FALSE(tunnel_.IsTunnelOpenToTarget());
+}
+
+TEST_F(ConnectUdpTunnelTest, OpenTunnelToIpv4LiteralTarget) {
+  EXPECT_CALL(*socket_, ConnectBlocking()).WillOnce(Return(absl::OkStatus()));
+  EXPECT_CALL(*socket_, ReceiveAsync(Gt(0)));
+  EXPECT_CALL(*socket_, Disconnect()).WillOnce(InvokeWithoutArgs([this]() {
+    tunnel_.ReceiveComplete(absl::CancelledError());
+  }));
+
+  EXPECT_CALL(
+      request_handler_,
+      OnResponseBackendComplete(
+          AllOf(Property(&QuicBackendResponse::response_type,
+                         QuicBackendResponse::INCOMPLETE_RESPONSE),
+                Property(&QuicBackendResponse::headers,
+                         UnorderedElementsAre(Pair(":status", "200"),
+                                              Pair("Capsule-Protocol", "?1"))),
+                Property(&QuicBackendResponse::trailers, IsEmpty()),
+                Property(&QuicBackendResponse::body, IsEmpty()))));
+
+  spdy::Http2HeaderBlock request_headers;
+  request_headers[":method"] = "CONNECT";
+  request_headers[":protocol"] = "connect-udp";
+  request_headers[":authority"] = "proxy.test";
+  request_headers[":scheme"] = "https";
+  request_headers[":path"] =
+      absl::StrCat("/.well-known/masque/udp/", TestLoopback4().ToString(), "/",
+                   kAcceptablePort, "/");
+
+  tunnel_.OpenTunnel(request_headers);
+  EXPECT_TRUE(tunnel_.IsTunnelOpenToTarget());
+  tunnel_.OnClientStreamClose();
+  EXPECT_FALSE(tunnel_.IsTunnelOpenToTarget());
+}
+
+std::string PercentEncode(absl::string_view input) {
+  std::string encoded;
+  url::StdStringCanonOutput canon_output(&encoded);
+  url::EncodeURIComponent(input.data(), input.size(), &canon_output);
+  canon_output.Complete();
+  return encoded;
+}
+
+TEST_F(ConnectUdpTunnelTest, OpenTunnelToIpv6LiteralTarget) {
+  EXPECT_CALL(*socket_, ConnectBlocking()).WillOnce(Return(absl::OkStatus()));
+  EXPECT_CALL(*socket_, ReceiveAsync(Gt(0)));
+  EXPECT_CALL(*socket_, Disconnect()).WillOnce(InvokeWithoutArgs([this]() {
+    tunnel_.ReceiveComplete(absl::CancelledError());
+  }));
+
+  EXPECT_CALL(
+      request_handler_,
+      OnResponseBackendComplete(
+          AllOf(Property(&QuicBackendResponse::response_type,
+                         QuicBackendResponse::INCOMPLETE_RESPONSE),
+                Property(&QuicBackendResponse::headers,
+                         UnorderedElementsAre(Pair(":status", "200"),
+                                              Pair("Capsule-Protocol", "?1"))),
+                Property(&QuicBackendResponse::trailers, IsEmpty()),
+                Property(&QuicBackendResponse::body, IsEmpty()))));
+
+  spdy::Http2HeaderBlock request_headers;
+  request_headers[":method"] = "CONNECT";
+  request_headers[":protocol"] = "connect-udp";
+  request_headers[":authority"] = "proxy.test";
+  request_headers[":scheme"] = "https";
+  request_headers[":path"] = absl::StrCat(
+      "/.well-known/masque/udp/",
+      PercentEncode(absl::StrCat("[", TestLoopback6().ToString(), "]")), "/",
+      kAcceptablePort, "/");
+
+  tunnel_.OpenTunnel(request_headers);
+  EXPECT_TRUE(tunnel_.IsTunnelOpenToTarget());
+  tunnel_.OnClientStreamClose();
+  EXPECT_FALSE(tunnel_.IsTunnelOpenToTarget());
+}
+
+TEST_F(ConnectUdpTunnelTest, OpenTunnelWithMalformedRequest) {
+  EXPECT_CALL(request_handler_,
+              TerminateStreamWithError(Property(
+                  &QuicResetStreamError::ietf_application_code,
+                  static_cast<uint64_t>(QuicHttp3ErrorCode::MESSAGE_ERROR))));
+
+  spdy::Http2HeaderBlock request_headers;
+  request_headers[":method"] = "CONNECT";
+  request_headers[":protocol"] = "connect-udp";
+  request_headers[":authority"] = "proxy.test";
+  request_headers[":scheme"] = "https";
+  // No ":path" header.
+
+  tunnel_.OpenTunnel(request_headers);
+  EXPECT_FALSE(tunnel_.IsTunnelOpenToTarget());
+  tunnel_.OnClientStreamClose();
+}
+
+TEST_F(ConnectUdpTunnelTest, OpenTunnelWithUnacceptableTarget) {
+  EXPECT_CALL(request_handler_,
+              OnResponseBackendComplete(AllOf(
+                  Property(&QuicBackendResponse::response_type,
+                           QuicBackendResponse::REGULAR_RESPONSE),
+                  Property(&QuicBackendResponse::headers,
+                           UnorderedElementsAre(
+                               Pair(":status", "403"),
+                               Pair("Proxy-Status",
+                                    HasSubstr("destination_ip_prohibited")))),
+                  Property(&QuicBackendResponse::trailers, IsEmpty()))));
+
+  spdy::Http2HeaderBlock request_headers;
+  request_headers[":method"] = "CONNECT";
+  request_headers[":protocol"] = "connect-udp";
+  request_headers[":authority"] = "proxy.test";
+  request_headers[":scheme"] = "https";
+  request_headers[":path"] = "/.well-known/masque/udp/unacceptable.test/100/";
+
+  tunnel_.OpenTunnel(request_headers);
+  EXPECT_FALSE(tunnel_.IsTunnelOpenToTarget());
+  tunnel_.OnClientStreamClose();
+}
+
+TEST_F(ConnectUdpTunnelTest, ReceiveFromTarget) {
+  static constexpr absl::string_view kData = "\x11\x22\x33\x44\x55";
+
+  EXPECT_CALL(*socket_, ConnectBlocking()).WillOnce(Return(absl::OkStatus()));
+  EXPECT_CALL(*socket_, ReceiveAsync(Ge(kData.size()))).Times(2);
+  EXPECT_CALL(*socket_, Disconnect()).WillOnce(InvokeWithoutArgs([this]() {
+    tunnel_.ReceiveComplete(absl::CancelledError());
+  }));
+
+  EXPECT_CALL(request_handler_, OnResponseBackendComplete(_));
+
+  EXPECT_CALL(
+      stream_,
+      SendHttp3Datagram(
+          quiche::ConnectUdpDatagramUdpPacketPayload(kData).Serialize()))
+      .WillOnce(Return(MESSAGE_STATUS_SUCCESS));
+
+  spdy::Http2HeaderBlock request_headers;
+  request_headers[":method"] = "CONNECT";
+  request_headers[":protocol"] = "connect-udp";
+  request_headers[":authority"] = "proxy.test";
+  request_headers[":scheme"] = "https";
+  request_headers[":path"] = absl::StrCat(
+      "/.well-known/masque/udp/", kAcceptableTarget, "/", kAcceptablePort, "/");
+
+  tunnel_.OpenTunnel(request_headers);
+
+  // Simulate receiving `kData`.
+  tunnel_.ReceiveComplete(MemSliceFromString(kData));
+
+  tunnel_.OnClientStreamClose();
+}
+
+TEST_F(ConnectUdpTunnelTest, SendToTarget) {
+  static constexpr absl::string_view kData = "\x11\x22\x33\x44\x55";
+
+  EXPECT_CALL(*socket_, ConnectBlocking()).WillOnce(Return(absl::OkStatus()));
+  EXPECT_CALL(*socket_, ReceiveAsync(Gt(0)));
+  EXPECT_CALL(*socket_, SendBlocking(Matcher<std::string>(Eq(kData))))
+      .WillOnce(Return(absl::OkStatus()));
+  EXPECT_CALL(*socket_, Disconnect()).WillOnce(InvokeWithoutArgs([this]() {
+    tunnel_.ReceiveComplete(absl::CancelledError());
+  }));
+
+  EXPECT_CALL(request_handler_, OnResponseBackendComplete(_));
+
+  spdy::Http2HeaderBlock request_headers;
+  request_headers[":method"] = "CONNECT";
+  request_headers[":protocol"] = "connect-udp";
+  request_headers[":authority"] = "proxy.test";
+  request_headers[":scheme"] = "https";
+  request_headers[":path"] = absl::StrCat(
+      "/.well-known/masque/udp/", kAcceptableTarget, "/", kAcceptablePort, "/");
+
+  tunnel_.OpenTunnel(request_headers);
+  tunnel_.OnHttp3Datagram(
+      kStreamId, quiche::ConnectUdpDatagramUdpPacketPayload(kData).Serialize());
+  tunnel_.OnClientStreamClose();
+}
+
+}  // namespace
+}  // namespace quic::test
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client.cc
deleted file mode 100644
index b3e4705e102..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client.cc
+++ /dev/null
@@ -1,144 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/tools/quic_client.h"
-
-#include <errno.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <string.h>
-#include <sys/epoll.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-
-#include <utility>
-
-#include "quiche/quic/core/crypto/quic_random.h"
-#include "quiche/quic/core/http/spdy_utils.h"
-#include "quiche/quic/core/quic_connection.h"
-#include "quiche/quic/core/quic_data_reader.h"
-#include "quiche/quic/core/quic_epoll_alarm_factory.h"
-#include "quiche/quic/core/quic_epoll_connection_helper.h"
-#include "quiche/quic/core/quic_packets.h"
-#include "quiche/quic/core/quic_server_id.h"
-#include "quiche/quic/platform/api/quic_bug_tracker.h"
-#include "quiche/quic/platform/api/quic_logging.h"
-#include "quiche/quic/platform/api/quic_socket_address.h"
-#include "quiche/quic/tools/quic_simple_client_session.h"
-
-namespace quic {
-
-namespace tools {
-
-QuicSocketAddress LookupAddress(int address_family_for_lookup, std::string host,
-                                std::string port) {
-  addrinfo hint;
-  memset(&hint, 0, sizeof(hint));
-  hint.ai_family = address_family_for_lookup;
-  hint.ai_protocol = IPPROTO_UDP;
-
-  addrinfo* info_list = nullptr;
-  int result = getaddrinfo(host.c_str(), port.c_str(), &hint, &info_list);
-  if (result != 0) {
-    QUIC_LOG(ERROR) << "Failed to look up " << host << ": "
-                    << gai_strerror(result);
-    return QuicSocketAddress();
-  }
-
-  QUICHE_CHECK(info_list != nullptr);
-  std::unique_ptr<addrinfo, void (*)(addrinfo*)> info_list_owned(info_list,
-                                                                 freeaddrinfo);
-  return QuicSocketAddress(info_list->ai_addr, info_list->ai_addrlen);
-}
-
-}  // namespace tools
-
-QuicClient::QuicClient(QuicSocketAddress server_address,
-                       const QuicServerId& server_id,
-                       const ParsedQuicVersionVector& supported_versions,
-                       QuicEpollServer* epoll_server,
-                       std::unique_ptr<ProofVerifier> proof_verifier)
-    : QuicClient(
-          server_address, server_id, supported_versions, QuicConfig(),
-          epoll_server,
-          std::make_unique<QuicClientEpollNetworkHelper>(epoll_server, this),
-          std::move(proof_verifier), nullptr) {}
-
-QuicClient::QuicClient(QuicSocketAddress server_address,
-                       const QuicServerId& server_id,
-                       const ParsedQuicVersionVector& supported_versions,
-                       QuicEpollServer* epoll_server,
-                       std::unique_ptr<ProofVerifier> proof_verifier,
-                       std::unique_ptr<SessionCache> session_cache)
-    : QuicClient(
-          server_address, server_id, supported_versions, QuicConfig(),
-          epoll_server,
-          std::make_unique<QuicClientEpollNetworkHelper>(epoll_server, this),
-          std::move(proof_verifier), std::move(session_cache)) {}
-
-QuicClient::QuicClient(QuicSocketAddress server_address,
-                       const QuicServerId& server_id,
-                       const ParsedQuicVersionVector& supported_versions,
-                       const QuicConfig& config, QuicEpollServer* epoll_server,
-                       std::unique_ptr<ProofVerifier> proof_verifier,
-                       std::unique_ptr<SessionCache> session_cache)
-    : QuicClient(
-          server_address, server_id, supported_versions, config, epoll_server,
-          std::make_unique<QuicClientEpollNetworkHelper>(epoll_server, this),
-          std::move(proof_verifier), std::move(session_cache)) {}
-
-QuicClient::QuicClient(
-    QuicSocketAddress server_address, const QuicServerId& server_id,
-    const ParsedQuicVersionVector& supported_versions,
-    QuicEpollServer* epoll_server,
-    std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
-    std::unique_ptr<ProofVerifier> proof_verifier)
-    : QuicClient(server_address, server_id, supported_versions, QuicConfig(),
-                 epoll_server, std::move(network_helper),
-                 std::move(proof_verifier), nullptr) {}
-
-QuicClient::QuicClient(
-    QuicSocketAddress server_address, const QuicServerId& server_id,
-    const ParsedQuicVersionVector& supported_versions, const QuicConfig& config,
-    QuicEpollServer* epoll_server,
-    std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
-    std::unique_ptr<ProofVerifier> proof_verifier)
-    : QuicClient(server_address, server_id, supported_versions, config,
-                 epoll_server, std::move(network_helper),
-                 std::move(proof_verifier), nullptr) {}
-
-QuicClient::QuicClient(
-    QuicSocketAddress server_address, const QuicServerId& server_id,
-    const ParsedQuicVersionVector& supported_versions, const QuicConfig& config,
-    QuicEpollServer* epoll_server,
-    std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
-    std::unique_ptr<ProofVerifier> proof_verifier,
-    std::unique_ptr<SessionCache> session_cache)
-    : QuicSpdyClientBase(
-          server_id, supported_versions, config,
-          new QuicEpollConnectionHelper(epoll_server, QuicAllocator::SIMPLE),
-          new QuicEpollAlarmFactory(epoll_server), std::move(network_helper),
-          std::move(proof_verifier), std::move(session_cache)) {
-  set_server_address(server_address);
-}
-
-QuicClient::~QuicClient() = default;
-
-std::unique_ptr<QuicSession> QuicClient::CreateQuicClientSession(
-    const ParsedQuicVersionVector& supported_versions,
-    QuicConnection* connection) {
-  return std::make_unique<QuicSimpleClientSession>(
-      *config(), supported_versions, connection, server_id(), crypto_config(),
-      push_promise_index(), drop_response_body(), enable_web_transport());
-}
-
-QuicClientEpollNetworkHelper* QuicClient::epoll_network_helper() {
-  return static_cast<QuicClientEpollNetworkHelper*>(network_helper());
-}
-
-const QuicClientEpollNetworkHelper* QuicClient::epoll_network_helper() const {
-  return static_cast<const QuicClientEpollNetworkHelper*>(network_helper());
-}
-
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client.h
deleted file mode 100644
index e0106c79465..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client.h
+++ /dev/null
@@ -1,97 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// A toy client, which connects to a specified port and sends QUIC
-// request to that endpoint.
-
-#ifndef QUICHE_QUIC_TOOLS_QUIC_CLIENT_H_
-#define QUICHE_QUIC_TOOLS_QUIC_CLIENT_H_
-
-#include <cstdint>
-#include <memory>
-#include <string>
-
-#include "quiche/quic/core/http/quic_client_push_promise_index.h"
-#include "quiche/quic/core/http/quic_spdy_client_session.h"
-#include "quiche/quic/core/quic_config.h"
-#include "quiche/quic/core/quic_packet_reader.h"
-#include "quiche/quic/platform/api/quic_epoll.h"
-#include "quiche/quic/tools/quic_client_epoll_network_helper.h"
-#include "quiche/quic/tools/quic_spdy_client_base.h"
-
-namespace quic {
-
-class QuicServerId;
-
-namespace test {
-class QuicClientPeer;
-}  // namespace test
-
-namespace tools {
-
-QuicSocketAddress LookupAddress(int address_family_for_lookup, std::string host,
-                                std::string port);
-
-inline QuicSocketAddress LookupAddress(std::string host, std::string port) {
-  return LookupAddress(0, host, port);
-}
-
-}  // namespace tools
-
-class QuicClient : public QuicSpdyClientBase {
- public:
-  // These will create their own QuicClientEpollNetworkHelper.
-  QuicClient(QuicSocketAddress server_address, const QuicServerId& server_id,
-             const ParsedQuicVersionVector& supported_versions,
-             QuicEpollServer* epoll_server,
-             std::unique_ptr<ProofVerifier> proof_verifier);
-  QuicClient(QuicSocketAddress server_address, const QuicServerId& server_id,
-             const ParsedQuicVersionVector& supported_versions,
-             QuicEpollServer* epoll_server,
-             std::unique_ptr<ProofVerifier> proof_verifier,
-             std::unique_ptr<SessionCache> session_cache);
-  QuicClient(QuicSocketAddress server_address, const QuicServerId& server_id,
-             const ParsedQuicVersionVector& supported_versions,
-             const QuicConfig& config, QuicEpollServer* epoll_server,
-             std::unique_ptr<ProofVerifier> proof_verifier,
-             std::unique_ptr<SessionCache> session_cache);
-  // This will take ownership of a passed in network primitive.
-  QuicClient(QuicSocketAddress server_address, const QuicServerId& server_id,
-             const ParsedQuicVersionVector& supported_versions,
-             QuicEpollServer* epoll_server,
-             std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
-             std::unique_ptr<ProofVerifier> proof_verifier);
-  QuicClient(QuicSocketAddress server_address, const QuicServerId& server_id,
-             const ParsedQuicVersionVector& supported_versions,
-             const QuicConfig& config, QuicEpollServer* epoll_server,
-             std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
-             std::unique_ptr<ProofVerifier> proof_verifier);
-  QuicClient(QuicSocketAddress server_address, const QuicServerId& server_id,
-             const ParsedQuicVersionVector& supported_versions,
-             const QuicConfig& config, QuicEpollServer* epoll_server,
-             std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
-             std::unique_ptr<ProofVerifier> proof_verifier,
-             std::unique_ptr<SessionCache> session_cache);
-  QuicClient(const QuicClient&) = delete;
-  QuicClient& operator=(const QuicClient&) = delete;
-
-  ~QuicClient() override;
-
-  std::unique_ptr<QuicSession> CreateQuicClientSession(
-      const ParsedQuicVersionVector& supported_versions,
-      QuicConnection* connection) override;
-
-  // Exposed for the quic client test.
-  int GetLatestFD() const { return epoll_network_helper()->GetLatestFD(); }
-
-  QuicClientEpollNetworkHelper* epoll_network_helper();
-  const QuicClientEpollNetworkHelper* epoll_network_helper() const;
-
- private:
-  friend class test::QuicClientPeer;
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_TOOLS_QUIC_CLIENT_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_base.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_base.cc
index 3a7dfd6cb0a..9277913eb2d 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_base.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_base.cc
@@ -18,24 +18,6 @@
 
 namespace quic {
 
-// A path context which owns the writer.
-class QUIC_EXPORT_PRIVATE PathMigrationContext
-    : public QuicPathValidationContext {
- public:
-  PathMigrationContext(std::unique_ptr<QuicPacketWriter> writer,
-                       const QuicSocketAddress& self_address,
-                       const QuicSocketAddress& peer_address)
-      : QuicPathValidationContext(self_address, peer_address),
-        alternative_writer_(std::move(writer)) {}
-
-  QuicPacketWriter* WriterToUse() override { return alternative_writer_.get(); }
-
-  QuicPacketWriter* ReleaseWriter() { return alternative_writer_.release(); }
-
- private:
-  std::unique_ptr<QuicPacketWriter> alternative_writer_;
-};
-
 // Implements the basic feature of a result delegate for path validation for
 // connection migration. If the validation succeeds, migrate to the alternative
 // path. Otherwise, stay on the current path.
@@ -67,7 +49,8 @@ class QuicClientSocketMigrationValidationResultDelegate
       std::unique_ptr<QuicPathValidationContext> context) override {
     QUIC_LOG(WARNING) << "Fail to validate path " << *context
                       << ", stop migrating.";
-    client_->session()->connection()->OnPathValidationFailureAtClient();
+    client_->session()->connection()->OnPathValidationFailureAtClient(
+        /*is_multi_port=*/false);
   }
 
  private:
@@ -183,7 +166,7 @@ void QuicClientBase::StartConnect() {
       new QuicConnection(GetNextConnectionId(), QuicSocketAddress(),
                          server_address(), helper(), alarm_factory(), writer,
                          /* owns_writer= */ false, Perspective::IS_CLIENT,
-                         client_supported_versions));
+                         client_supported_versions, connection_id_generator_));
   if (can_reconnect_with_different_version) {
     session()->set_client_original_supported_versions(supported_versions());
   }
@@ -482,7 +465,8 @@ class ValidationResultDelegate : public QuicPathValidator::ResultDelegate {
       std::unique_ptr<QuicPathValidationContext> context) override {
     QUIC_LOG(WARNING) << "Fail to validate path " << *context
                       << ", stop migrating.";
-    client_->session()->connection()->OnPathValidationFailureAtClient();
+    client_->session()->connection()->OnPathValidationFailureAtClient(
+        /*is_multi_port=*/false);
   }
 
  private:
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_base.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_base.h
index 91c597b2a5d..d36eba6c037 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_base.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_base.h
@@ -14,6 +14,7 @@
 #include "absl/base/attributes.h"
 #include "absl/strings/string_view.h"
 #include "quiche/quic/core/crypto/crypto_handshake.h"
+#include "quiche/quic/core/deterministic_connection_id_generator.h"
 #include "quiche/quic/core/http/quic_client_push_promise_index.h"
 #include "quiche/quic/core/http/quic_spdy_client_session.h"
 #include "quiche/quic/core/http/quic_spdy_client_stream.h"
@@ -26,6 +27,24 @@ class ProofVerifier;
 class QuicServerId;
 class SessionCache;
 
+// A path context which owns the writer.
+class QUIC_EXPORT_PRIVATE PathMigrationContext
+    : public QuicPathValidationContext {
+ public:
+  PathMigrationContext(std::unique_ptr<QuicPacketWriter> writer,
+                       const QuicSocketAddress& self_address,
+                       const QuicSocketAddress& peer_address)
+      : QuicPathValidationContext(self_address, peer_address),
+        alternative_writer_(std::move(writer)) {}
+
+  QuicPacketWriter* WriterToUse() override { return alternative_writer_.get(); }
+
+  QuicPacketWriter* ReleaseWriter() { return alternative_writer_.release(); }
+
+ private:
+  std::unique_ptr<QuicPacketWriter> alternative_writer_;
+};
+
 // QuicClientBase handles establishing a connection to the passed in
 // server id, including ensuring that it supports the passed in versions
 // and config.
@@ -330,6 +349,9 @@ class QuicClientBase {
   // Returns true if the corresponding of this client has active requests.
   virtual bool HasActiveRequests() = 0;
 
+  // Allows derived classes to access this when creating connections.
+  ConnectionIdGeneratorInterface& connection_id_generator();
+
  private:
   // Returns true and set |version| if client can reconnect with a different
   // version.
@@ -416,6 +438,9 @@ class QuicClientBase {
   // Stores the interface name to bind. If empty, will not attempt to bind the
   // socket to that interface. Defaults to empty string.
   std::string interface_name_;
+
+  DeterministicConnectionIdGenerator connection_id_generator_{
+      kQuicDefaultConnectionIdLength};
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_default_network_helper.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_default_network_helper.cc
index 24c4b3e8dfc..8a9a347b6ba 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_default_network_helper.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_default_network_helper.cc
@@ -4,6 +4,7 @@
 
 #include "quiche/quic/tools/quic_client_default_network_helper.h"
 
+#include "absl/cleanup/cleanup.h"
 #include "quiche/quic/core/io/quic_event_loop.h"
 #include "quiche/quic/core/quic_default_packet_writer.h"
 #include "quiche/quic/core/quic_packets.h"
@@ -71,6 +72,7 @@ bool QuicClientDefaultNetworkHelper::CreateUDPSocketAndBind(
   if (fd < 0) {
     return false;
   }
+  auto closer = absl::MakeCleanup([fd] { close(fd); });
 
   QuicSocketAddress client_address;
   if (bind_to_address.IsInitialized()) {
@@ -113,10 +115,13 @@ bool QuicClientDefaultNetworkHelper::CreateUDPSocketAndBind(
                     << strerror(errno);
   }
 
-  fd_address_map_[fd] = client_address;
-  bool success = event_loop_->RegisterSocket(
-      fd, kSocketEventReadable | kSocketEventWritable, this);
-  return success;
+  if (event_loop_->RegisterSocket(
+          fd, kSocketEventReadable | kSocketEventWritable, this)) {
+    fd_address_map_[fd] = client_address;
+    std::move(closer).Cancel();
+    return true;
+  }
+  return false;
 }
 
 void QuicClientDefaultNetworkHelper::CleanUpUDPSocket(int fd) {
@@ -134,7 +139,7 @@ void QuicClientDefaultNetworkHelper::CleanUpAllUDPSockets() {
 void QuicClientDefaultNetworkHelper::CleanUpUDPSocketImpl(int fd) {
   if (fd > -1) {
     bool success = event_loop_->UnregisterSocket(fd);
-    QUICHE_DCHECK(success);
+    QUICHE_DCHECK(success || fds_unregistered_externally_);
     int rc = close(fd);
     QUICHE_DCHECK_EQ(0, rc);
   }
@@ -228,6 +233,17 @@ int QuicClientDefaultNetworkHelper::CreateUDPSocket(
 
   *overflow_supported = api.EnableDroppedPacketCount(fd);
   api.EnableReceiveTimestamp(fd);
+
+  std::string interface_name = client_->interface_name();
+  if (!interface_name.empty()) {
+    if (!api.BindInterface(fd, interface_name)) {
+      QUIC_DLOG(WARNING) << "Failed to bind socket (" << fd
+                         << ") to interface (" << interface_name << ").";
+      CleanUpUDPSocket(fd);
+      return kQuicInvalidSocketFd;
+    }
+  }
+
   return fd;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_default_network_helper.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_default_network_helper.h
index ac126189e84..a8ebc9de360 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_default_network_helper.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_default_network_helper.h
@@ -9,8 +9,10 @@
 #include <memory>
 #include <string>
 
+#include "absl/types/optional.h"
 #include "quiche/quic/core/io/quic_event_loop.h"
 #include "quiche/quic/core/quic_packet_reader.h"
+#include "quiche/quic/core/quic_udp_socket.h"
 #include "quiche/quic/tools/quic_client_base.h"
 #include "quiche/common/quiche_linked_hash_map.h"
 
@@ -83,6 +85,14 @@ class QuicClientDefaultNetworkHelper : public QuicClientBase::NetworkHelper,
   // Used for testing.
   void SetClientPort(int port);
 
+  // Indicates that some of the FDs owned by the network helper may be
+  // unregistered by the external code by manually calling
+  // event_loop()->UnregisterSocket() (this is useful for certain scenarios
+  // where an external event loop is used).
+  void AllowFdsToBeUnregisteredExternally() {
+    fds_unregistered_externally_ = true;
+  }
+
  private:
   // Actually clean up |fd|.
   void CleanUpUDPSocketImpl(int fd);
@@ -109,6 +119,10 @@ class QuicClientDefaultNetworkHelper : public QuicClientBase::NetworkHelper,
   QuicClientBase* client_;
 
   int max_reads_per_event_loop_;
+
+  // If true, some of the FDs owned by the network helper may be unregistered by
+  // the external code.
+  bool fds_unregistered_externally_ = false;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_epoll_network_helper.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_epoll_network_helper.cc
deleted file mode 100644
index b9798bdf3cb..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_epoll_network_helper.cc
+++ /dev/null
@@ -1,235 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/tools/quic_client_epoll_network_helper.h"
-
-#include <errno.h>
-#include <netinet/in.h>
-#include <string.h>
-#include <sys/epoll.h>
-#include <sys/socket.h>
-#include <unistd.h>
-
-#include "quiche/quic/core/crypto/quic_random.h"
-#include "quiche/quic/core/http/spdy_utils.h"
-#include "quiche/quic/core/quic_connection.h"
-#include "quiche/quic/core/quic_data_reader.h"
-#include "quiche/quic/core/quic_epoll_alarm_factory.h"
-#include "quiche/quic/core/quic_epoll_connection_helper.h"
-#include "quiche/quic/core/quic_packets.h"
-#include "quiche/quic/core/quic_server_id.h"
-#include "quiche/quic/core/quic_udp_socket.h"
-#include "quiche/quic/platform/api/quic_bug_tracker.h"
-#include "quiche/quic/platform/api/quic_logging.h"
-#include "quiche/common/platform/api/quiche_system_event_loop.h"
-
-namespace quic {
-
-namespace {
-const int kEpollFlags = EPOLLIN | EPOLLOUT | EPOLLET;
-}  // namespace
-
-QuicClientEpollNetworkHelper::QuicClientEpollNetworkHelper(
-    QuicEpollServer* epoll_server, QuicClientBase* client)
-    : epoll_server_(epoll_server),
-      packets_dropped_(0),
-      overflow_supported_(false),
-      packet_reader_(new QuicPacketReader()),
-      client_(client),
-      max_reads_per_epoll_loop_(std::numeric_limits<int>::max()) {}
-
-QuicClientEpollNetworkHelper::~QuicClientEpollNetworkHelper() {
-  if (client_->connected()) {
-    client_->session()->connection()->CloseConnection(
-        QUIC_PEER_GOING_AWAY, "Client being torn down",
-        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-  }
-
-  CleanUpAllUDPSockets();
-}
-
-std::string QuicClientEpollNetworkHelper::Name() const {
-  return "QuicClientEpollNetworkHelper";
-}
-
-bool QuicClientEpollNetworkHelper::CreateUDPSocketAndBind(
-    QuicSocketAddress server_address, QuicIpAddress bind_to_address,
-    int bind_to_port) {
-  epoll_server_->set_timeout_in_us(50 * 1000);
-
-  int fd = CreateUDPSocket(server_address, &overflow_supported_);
-  if (fd < 0) {
-    return false;
-  }
-
-  QuicSocketAddress client_address;
-  if (bind_to_address.IsInitialized()) {
-    client_address = QuicSocketAddress(bind_to_address, client_->local_port());
-  } else if (server_address.host().address_family() == IpAddressFamily::IP_V4) {
-    client_address = QuicSocketAddress(QuicIpAddress::Any4(), bind_to_port);
-  } else {
-    client_address = QuicSocketAddress(QuicIpAddress::Any6(), bind_to_port);
-  }
-
-  // Some platforms expect that the addrlen given to bind() exactly matches the
-  // size of the associated protocol family's sockaddr struct.
-  // TODO(b/179430548): Revert this when affected platforms are updated to
-  // to support binding with an addrelen of sizeof(sockaddr_storage)
-  socklen_t addrlen;
-  switch (client_address.host().address_family()) {
-    case IpAddressFamily::IP_V4:
-      addrlen = sizeof(sockaddr_in);
-      break;
-    case IpAddressFamily::IP_V6:
-      addrlen = sizeof(sockaddr_in6);
-      break;
-    case IpAddressFamily::IP_UNSPEC:
-      addrlen = 0;
-      break;
-  }
-
-  sockaddr_storage addr = client_address.generic_address();
-  int rc = bind(fd, reinterpret_cast<sockaddr*>(&addr), addrlen);
-  if (rc < 0) {
-    QUIC_LOG(ERROR) << "Bind failed: " << strerror(errno)
-                    << " bind_to_address:" << bind_to_address
-                    << ", bind_to_port:" << bind_to_port
-                    << ", client_address:" << client_address;
-    return false;
-  }
-
-  if (client_address.FromSocket(fd) != 0) {
-    QUIC_LOG(ERROR) << "Unable to get self address.  Error: "
-                    << strerror(errno);
-  }
-
-  fd_address_map_[fd] = client_address;
-  epoll_server_->RegisterFD(fd, this, kEpollFlags);
-  return true;
-}
-
-void QuicClientEpollNetworkHelper::CleanUpUDPSocket(int fd) {
-  CleanUpUDPSocketImpl(fd);
-  fd_address_map_.erase(fd);
-}
-
-void QuicClientEpollNetworkHelper::CleanUpAllUDPSockets() {
-  for (std::pair<int, QuicSocketAddress> fd_address : fd_address_map_) {
-    CleanUpUDPSocketImpl(fd_address.first);
-  }
-  fd_address_map_.clear();
-}
-
-void QuicClientEpollNetworkHelper::CleanUpUDPSocketImpl(int fd) {
-  if (fd > -1) {
-    epoll_server_->UnregisterFD(fd);
-    int rc = close(fd);
-    QUICHE_DCHECK_EQ(0, rc);
-  }
-}
-
-void QuicClientEpollNetworkHelper::RunEventLoop() {
-  quiche::QuicheRunSystemEventLoopIteration();
-  epoll_server_->WaitForEventsAndExecuteCallbacks();
-}
-
-void QuicClientEpollNetworkHelper::OnRegistration(QuicEpollServer* /*eps*/,
-                                                  int /*fd*/,
-                                                  int /*event_mask*/) {}
-void QuicClientEpollNetworkHelper::OnModification(int /*fd*/,
-                                                  int /*event_mask*/) {}
-void QuicClientEpollNetworkHelper::OnUnregistration(int /*fd*/,
-                                                    bool /*replaced*/) {}
-void QuicClientEpollNetworkHelper::OnShutdown(QuicEpollServer* /*eps*/,
-                                              int /*fd*/) {}
-
-void QuicClientEpollNetworkHelper::OnEvent(int fd, QuicEpollEvent* event) {
-  if (event->in_events & EPOLLIN) {
-    QUIC_DVLOG(1) << "Read packets on EPOLLIN";
-    int times_to_read = max_reads_per_epoll_loop_;
-    bool more_to_read = true;
-    QuicPacketCount packets_dropped = 0;
-    while (client_->connected() && more_to_read && times_to_read > 0) {
-      more_to_read = packet_reader_->ReadAndDispatchPackets(
-          fd, GetLatestClientAddress().port(), *client_->helper()->GetClock(),
-          this, overflow_supported_ ? &packets_dropped : nullptr);
-      --times_to_read;
-    }
-    if (packets_dropped_ < packets_dropped) {
-      QUIC_LOG(ERROR)
-          << packets_dropped - packets_dropped_
-          << " more packets are dropped in the socket receive buffer.";
-      packets_dropped_ = packets_dropped;
-    }
-    if (client_->connected() && more_to_read) {
-      event->out_ready_mask |= EPOLLIN;
-    }
-  }
-  if (client_->connected() && (event->in_events & EPOLLOUT)) {
-    client_->writer()->SetWritable();
-    client_->session()->connection()->OnCanWrite();
-  }
-  if (event->in_events & EPOLLERR) {
-    QUIC_DLOG(INFO) << "Epollerr";
-  }
-}
-
-QuicPacketWriter* QuicClientEpollNetworkHelper::CreateQuicPacketWriter() {
-  return new QuicDefaultPacketWriter(GetLatestFD());
-}
-
-void QuicClientEpollNetworkHelper::SetClientPort(int port) {
-  fd_address_map_.back().second =
-      QuicSocketAddress(GetLatestClientAddress().host(), port);
-}
-
-QuicSocketAddress QuicClientEpollNetworkHelper::GetLatestClientAddress() const {
-  if (fd_address_map_.empty()) {
-    return QuicSocketAddress();
-  }
-
-  return fd_address_map_.back().second;
-}
-
-int QuicClientEpollNetworkHelper::GetLatestFD() const {
-  if (fd_address_map_.empty()) {
-    return -1;
-  }
-
-  return fd_address_map_.back().first;
-}
-
-void QuicClientEpollNetworkHelper::ProcessPacket(
-    const QuicSocketAddress& self_address,
-    const QuicSocketAddress& peer_address, const QuicReceivedPacket& packet) {
-  client_->session()->ProcessUdpPacket(self_address, peer_address, packet);
-}
-
-int QuicClientEpollNetworkHelper::CreateUDPSocket(
-    QuicSocketAddress server_address, bool* overflow_supported) {
-  QuicUdpSocketApi api;
-  int fd = api.Create(server_address.host().AddressFamilyToInt(),
-                      /*receive_buffer_size =*/kDefaultSocketReceiveBuffer,
-                      /*send_buffer_size =*/kDefaultSocketReceiveBuffer);
-  if (fd < 0) {
-    return fd;
-  }
-
-  *overflow_supported = api.EnableDroppedPacketCount(fd);
-  api.EnableReceiveTimestamp(fd);
-
-  std::string interface_name = client_->interface_name();
-  if (!interface_name.empty()) {
-    if (!api.BindInterface(fd, interface_name)) {
-      QUIC_DLOG(WARNING) << "Failed to bind socket (" << fd
-                         << ") to interface (" << interface_name << ").";
-
-      CleanUpUDPSocket(fd);
-      return kQuicInvalidSocketFd;
-    }
-  }
-
-  return fd;
-}
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_epoll_network_helper.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_epoll_network_helper.h
deleted file mode 100644
index 637af4514eb..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_epoll_network_helper.h
+++ /dev/null
@@ -1,135 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// An implementation of the QuicClientBase::NetworkHelper
-// that is based off the epoll server.
-
-#ifndef QUICHE_QUIC_TOOLS_QUIC_CLIENT_EPOLL_NETWORK_HELPER_H_
-#define QUICHE_QUIC_TOOLS_QUIC_CLIENT_EPOLL_NETWORK_HELPER_H_
-
-#include <cstdint>
-#include <memory>
-#include <string>
-
-#include "quiche/quic/core/http/quic_client_push_promise_index.h"
-#include "quiche/quic/core/quic_config.h"
-#include "quiche/quic/core/quic_packet_reader.h"
-#include "quiche/quic/platform/api/quic_epoll.h"
-#include "quiche/quic/tools/quic_client_base.h"
-#include "quiche/common/quiche_linked_hash_map.h"
-
-namespace quic {
-
-namespace test {
-class QuicClientPeer;
-}  // namespace test
-
-// An implementation of the QuicClientBase::NetworkHelper based off
-// the epoll server.
-class QuicClientEpollNetworkHelper : public QuicClientBase::NetworkHelper,
-                                     public QuicEpollCallbackInterface,
-                                     public ProcessPacketInterface {
- public:
-  // Create a quic client, which will have events managed by an externally owned
-  // EpollServer.
-  QuicClientEpollNetworkHelper(QuicEpollServer* epoll_server,
-                               QuicClientBase* client);
-  QuicClientEpollNetworkHelper(const QuicClientEpollNetworkHelper&) = delete;
-  QuicClientEpollNetworkHelper& operator=(const QuicClientEpollNetworkHelper&) =
-      delete;
-
-  ~QuicClientEpollNetworkHelper() override;
-
-  // Return a name describing the class for use in debug/error reporting.
-  std::string Name() const override;
-
-  // From EpollCallbackInterface
-  void OnRegistration(QuicEpollServer* eps, int fd, int event_mask) override;
-  void OnModification(int fd, int event_mask) override;
-  void OnEvent(int fd, QuicEpollEvent* event) override;
-  // |fd_| can be unregistered without the client being disconnected. This
-  // happens in b3m QuicProber where we unregister |fd_| to feed in events to
-  // the client from the SelectServer.
-  void OnUnregistration(int fd, bool replaced) override;
-  void OnShutdown(QuicEpollServer* eps, int fd) override;
-
-  // From ProcessPacketInterface. This will be called for each received
-  // packet.
-  void ProcessPacket(const QuicSocketAddress& self_address,
-                     const QuicSocketAddress& peer_address,
-                     const QuicReceivedPacket& packet) override;
-
-  // From NetworkHelper.
-  void RunEventLoop() override;
-  bool CreateUDPSocketAndBind(QuicSocketAddress server_address,
-                              QuicIpAddress bind_to_address,
-                              int bind_to_port) override;
-  void CleanUpAllUDPSockets() override;
-  QuicSocketAddress GetLatestClientAddress() const override;
-  QuicPacketWriter* CreateQuicPacketWriter() override;
-
-  // Accessors provided for convenience, not part of any interface.
-
-  QuicEpollServer* epoll_server() { return epoll_server_; }
-
-  const quiche::QuicheLinkedHashMap<int, QuicSocketAddress>& fd_address_map()
-      const {
-    return fd_address_map_;
-  }
-
-  // If the client has at least one UDP socket, return the latest created one.
-  // Otherwise, return -1.
-  int GetLatestFD() const;
-
-  // Create socket for connection to |server_address| with default socket
-  // options.
-  // Return fd index.
-  virtual int CreateUDPSocket(QuicSocketAddress server_address,
-                              bool* overflow_supported);
-
-  QuicClientBase* client() { return client_; }
-
-  void set_max_reads_per_epoll_loop(int num_reads) {
-    max_reads_per_epoll_loop_ = num_reads;
-  }
-  // If |fd| is an open UDP socket, unregister and close it. Otherwise, do
-  // nothing.
-  void CleanUpUDPSocket(int fd);
-
- private:
-  friend class test::QuicClientPeer;
-
-  // Used for testing.
-  void SetClientPort(int port);
-
-  // Actually clean up |fd|.
-  void CleanUpUDPSocketImpl(int fd);
-
-  // Listens for events on the client socket.
-  QuicEpollServer* epoll_server_;
-
-  // Map mapping created UDP sockets to their addresses. By using linked hash
-  // map, the order of socket creation can be recorded.
-  quiche::QuicheLinkedHashMap<int, QuicSocketAddress> fd_address_map_;
-
-  // If overflow_supported_ is true, this will be the number of packets dropped
-  // during the lifetime of the server.
-  QuicPacketCount packets_dropped_;
-
-  // True if the kernel supports SO_RXQ_OVFL, the number of packets dropped
-  // because the socket would otherwise overflow.
-  bool overflow_supported_;
-
-  // Point to a QuicPacketReader object on the heap. The reader allocates more
-  // space than allowed on the stack.
-  std::unique_ptr<QuicPacketReader> packet_reader_;
-
-  QuicClientBase* client_;
-
-  int max_reads_per_epoll_loop_;
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_TOOLS_QUIC_CLIENT_EPOLL_NETWORK_HELPER_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_interop_test_bin.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_interop_test_bin.cc
index 7d204bb8bb4..6fe1a511ba7 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_interop_test_bin.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_interop_test_bin.cc
@@ -9,14 +9,16 @@
 
 #include "absl/strings/str_cat.h"
 #include "quiche/quic/core/crypto/quic_client_session_cache.h"
-#include "quiche/quic/core/quic_epoll_clock.h"
+#include "quiche/quic/core/io/quic_default_event_loop.h"
+#include "quiche/quic/core/io/quic_event_loop.h"
+#include "quiche/quic/core/quic_default_clock.h"
 #include "quiche/quic/core/quic_types.h"
 #include "quiche/quic/core/quic_versions.h"
-#include "quiche/quic/platform/api/quic_epoll.h"
 #include "quiche/quic/test_tools/quic_connection_peer.h"
 #include "quiche/quic/test_tools/quic_session_peer.h"
 #include "quiche/quic/tools/fake_proof_verifier.h"
-#include "quiche/quic/tools/quic_client.h"
+#include "quiche/quic/tools/quic_default_client.h"
+#include "quiche/quic/tools/quic_name_lookup.h"
 #include "quiche/quic/tools/quic_url.h"
 #include "quiche/common/platform/api/quiche_command_line_flags.h"
 #include "quiche/common/platform/api/quiche_system_event_loop.h"
@@ -107,7 +109,8 @@ class QuicClientInteropRunner : QuicConnectionDebugVisitor {
   // Attempts a resumption using |client| by disconnecting and reconnecting. If
   // resumption is successful, |features_| is modified to add
   // Feature::kResumption to it, otherwise it is left unmodified.
-  void AttemptResumption(QuicClient* client, const std::string& authority);
+  void AttemptResumption(QuicDefaultClient* client,
+                         const std::string& authority);
 
   void AttemptRequest(QuicSocketAddress addr, std::string authority,
                       QuicServerId server_id, ParsedQuicVersion version,
@@ -119,7 +122,7 @@ class QuicClientInteropRunner : QuicConnectionDebugVisitor {
   spdy::Http2HeaderBlock ConstructHeaderBlock(const std::string& authority);
 
   // Sends an HTTP request represented by |header_block| using |client|.
-  void SendRequest(QuicClient* client,
+  void SendRequest(QuicDefaultClient* client,
                    const spdy::Http2HeaderBlock& header_block);
 
   void OnConnectionCloseFrame(const QuicConnectionCloseFrame& frame) override {
@@ -157,7 +160,7 @@ class QuicClientInteropRunner : QuicConnectionDebugVisitor {
   std::set<Feature> features_;
 };
 
-void QuicClientInteropRunner::AttemptResumption(QuicClient* client,
+void QuicClientInteropRunner::AttemptResumption(QuicDefaultClient* client,
                                                 const std::string& authority) {
   client->Disconnect();
   if (!client->Initialize()) {
@@ -202,8 +205,6 @@ void QuicClientInteropRunner::AttemptRequest(
 
   auto proof_verifier = std::make_unique<FakeProofVerifier>();
   auto session_cache = std::make_unique<QuicClientSessionCache>();
-  QuicEpollServer epoll_server;
-  QuicEpollClock epoll_clock(&epoll_server);
   QuicConfig config;
   QuicTime::Delta timeout = QuicTime::Delta::FromSeconds(20);
   config.SetIdleNetworkTimeout(timeout);
@@ -216,8 +217,10 @@ void QuicClientInteropRunner::AttemptRequest(
     config.custom_transport_parameters_to_send()[kCustomParameter] =
         custom_value;
   }
-  auto client = std::make_unique<QuicClient>(
-      addr, server_id, versions, config, &epoll_server,
+  std::unique_ptr<QuicEventLoop> event_loop =
+      GetDefaultEventLoop()->Create(QuicDefaultClock::Get());
+  auto client = std::make_unique<QuicDefaultClient>(
+      addr, server_id, versions, config, event_loop.get(),
       std::move(proof_verifier), std::move(session_cache));
   client->set_connection_debug_visitor(this);
   if (!client->Initialize()) {
@@ -339,7 +342,7 @@ spdy::Http2HeaderBlock QuicClientInteropRunner::ConstructHeaderBlock(
 }
 
 void QuicClientInteropRunner::SendRequest(
-    QuicClient* client, const spdy::Http2HeaderBlock& header_block) {
+    QuicDefaultClient* client, const spdy::Http2HeaderBlock& header_block) {
   client->set_store_response(true);
   client->SendRequestAndWaitForResponse(header_block, "", /*fin=*/true);
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_test.cc
deleted file mode 100644
index 5c3aec6c09d..00000000000
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_client_test.cc
+++ /dev/null
@@ -1,134 +0,0 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "quiche/quic/tools/quic_client.h"
-
-#include <dirent.h>
-#include <sys/types.h>
-
-#include <memory>
-#include <utility>
-
-#include "absl/strings/match.h"
-#include "absl/strings/string_view.h"
-#include "quiche/quic/platform/api/quic_epoll.h"
-#include "quiche/quic/platform/api/quic_test.h"
-#include "quiche/quic/platform/api/quic_test_loopback.h"
-#include "quiche/quic/test_tools/crypto_test_utils.h"
-#include "quiche/quic/test_tools/quic_client_peer.h"
-#include "quiche/common/quiche_text_utils.h"
-
-namespace quic {
-namespace test {
-namespace {
-
-const char* kPathToFds = "/proc/self/fd";
-
-// Return the value of a symbolic link in |path|, if |path| is not found, return
-// an empty string.
-std::string ReadLink(const std::string& path) {
-  std::string result(PATH_MAX, '\0');
-  ssize_t result_size = readlink(path.c_str(), &result[0], result.size());
-  if (result_size < 0 && errno == ENOENT) {
-    return "";
-  }
-  QUICHE_CHECK(result_size > 0 &&
-               static_cast<size_t>(result_size) < result.size())
-      << "result_size:" << result_size << ", errno:" << errno
-      << ", path:" << path;
-  result.resize(result_size);
-  return result;
-}
-
-// Counts the number of open sockets for the current process.
-size_t NumOpenSocketFDs() {
-  size_t socket_count = 0;
-  dirent* file;
-  std::unique_ptr<DIR, int (*)(DIR*)> fd_directory(opendir(kPathToFds),
-                                                   closedir);
-  while ((file = readdir(fd_directory.get())) != nullptr) {
-    absl::string_view name(file->d_name);
-    if (name == "." || name == "..") {
-      continue;
-    }
-
-    std::string fd_path = ReadLink(absl::StrCat(kPathToFds, "/", name));
-    if (absl::StartsWith(fd_path, "socket:")) {
-      socket_count++;
-    }
-  }
-  return socket_count;
-}
-
-class QuicClientTest : public QuicTest {
- public:
-  QuicClientTest() {
-    // Creates and destroys a single client first which may open persistent
-    // sockets when initializing platform dependencies like certificate
-    // verifier. Future creation of addtional clients will deterministically
-    // open one socket per client.
-    CreateAndInitializeQuicClient();
-  }
-
-  // Creates a new QuicClient and Initializes it on an unused port.
-  // Caller is responsible for deletion.
-  std::unique_ptr<QuicClient> CreateAndInitializeQuicClient() {
-    QuicSocketAddress server_address(QuicSocketAddress(TestLoopback(), 0));
-    QuicServerId server_id("hostname", server_address.port(), false);
-    ParsedQuicVersionVector versions = AllSupportedVersions();
-    auto client = std::make_unique<QuicClient>(
-        server_address, server_id, versions, &epoll_server_,
-        crypto_test_utils::ProofVerifierForTesting());
-    EXPECT_TRUE(client->Initialize());
-    return client;
-  }
-
- private:
-  QuicEpollServer epoll_server_;
-};
-
-TEST_F(QuicClientTest, DoNotLeakSocketFDs) {
-  // Make sure that the QuicClient doesn't leak socket FDs. Doing so could cause
-  // port exhaustion in long running processes which repeatedly create clients.
-
-  // Record the initial number of FDs.
-  size_t number_of_open_fds = NumOpenSocketFDs();
-
-  // Create a number of clients, initialize them, and verify this has resulted
-  // in additional FDs being opened.
-  const int kNumClients = 50;
-  for (int i = 0; i < kNumClients; ++i) {
-    EXPECT_EQ(number_of_open_fds, NumOpenSocketFDs());
-    std::unique_ptr<QuicClient> client(CreateAndInitializeQuicClient());
-    // Initializing the client will create a new FD.
-    EXPECT_EQ(number_of_open_fds + 1, NumOpenSocketFDs());
-  }
-
-  // The FDs created by the QuicClients should now be closed.
-  EXPECT_EQ(number_of_open_fds, NumOpenSocketFDs());
-}
-
-TEST_F(QuicClientTest, CreateAndCleanUpUDPSockets) {
-  size_t number_of_open_fds = NumOpenSocketFDs();
-
-  std::unique_ptr<QuicClient> client(CreateAndInitializeQuicClient());
-  // Creating and initializing a client will result in one socket being opened.
-  EXPECT_EQ(number_of_open_fds + 1, NumOpenSocketFDs());
-
-  // Create more UDP sockets.
-  EXPECT_TRUE(QuicClientPeer::CreateUDPSocketAndBind(client.get()));
-  EXPECT_EQ(number_of_open_fds + 2, NumOpenSocketFDs());
-  EXPECT_TRUE(QuicClientPeer::CreateUDPSocketAndBind(client.get()));
-  EXPECT_EQ(number_of_open_fds + 3, NumOpenSocketFDs());
-
-  // Clean up UDP sockets.
-  QuicClientPeer::CleanUpUDPSocket(client.get(), client->GetLatestFD());
-  EXPECT_EQ(number_of_open_fds + 2, NumOpenSocketFDs());
-  QuicClientPeer::CleanUpUDPSocket(client.get(), client->GetLatestFD());
-  EXPECT_EQ(number_of_open_fds + 1, NumOpenSocketFDs());
-}
-
-}  // namespace
-}  // namespace test
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_default_client.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_default_client.cc
index de509c52829..0f43aa5fdc5 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_default_client.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_default_client.cc
@@ -86,8 +86,9 @@ std::unique_ptr<QuicSession> QuicDefaultClient::CreateQuicClientSession(
     const ParsedQuicVersionVector& supported_versions,
     QuicConnection* connection) {
   return std::make_unique<QuicSimpleClientSession>(
-      *config(), supported_versions, connection, server_id(), crypto_config(),
-      push_promise_index(), drop_response_body(), enable_web_transport());
+      *config(), supported_versions, connection, network_helper(), server_id(),
+      crypto_config(), push_promise_index(), drop_response_body(),
+      enable_web_transport());
 }
 
 QuicClientDefaultNetworkHelper* QuicDefaultClient::default_network_helper() {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_default_client_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_default_client_test.cc
index 78f6c493cf4..d58a24ae029 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_default_client_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_default_client_test.cc
@@ -22,7 +22,6 @@
 #include "quiche/quic/platform/api/quic_test.h"
 #include "quiche/quic/platform/api/quic_test_loopback.h"
 #include "quiche/quic/test_tools/crypto_test_utils.h"
-#include "quiche/quic/test_tools/quic_client_peer.h"
 #include "quiche/common/quiche_text_utils.h"
 
 namespace quic {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_epoll_client_factory.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_epoll_client_factory.cc
index 590a40861b4..1f667779672 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_epoll_client_factory.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_epoll_client_factory.cc
@@ -4,19 +4,21 @@
 
 #include "quiche/quic/tools/quic_epoll_client_factory.h"
 
-#include <netdb.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-
 #include <utility>
 
 #include "absl/strings/str_cat.h"
+#include "quiche/quic/core/io/quic_default_event_loop.h"
+#include "quiche/quic/core/quic_default_clock.h"
 #include "quiche/quic/core/quic_server_id.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
-#include "quiche/quic/tools/quic_client.h"
+#include "quiche/quic/tools/quic_default_client.h"
+#include "quiche/quic/tools/quic_name_lookup.h"
 
 namespace quic {
 
+QuicEpollClientFactory::QuicEpollClientFactory()
+    : event_loop_(GetDefaultEventLoop()->Create(QuicDefaultClock::Get())) {}
+
 std::unique_ptr<QuicSpdyClientBase> QuicEpollClientFactory::CreateClient(
     std::string host_for_handshake, std::string host_for_lookup,
     int address_family_for_lookup, uint16_t port,
@@ -30,9 +32,9 @@ std::unique_ptr<QuicSpdyClientBase> QuicEpollClientFactory::CreateClient(
     return nullptr;
   }
   QuicServerId server_id(host_for_handshake, port, false);
-  return std::make_unique<QuicClient>(addr, server_id, versions, config,
-                                      &epoll_server_, std::move(verifier),
-                                      std::move(session_cache));
+  return std::make_unique<QuicDefaultClient>(
+      addr, server_id, versions, config, event_loop_.get(), std::move(verifier),
+      std::move(session_cache));
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_epoll_client_factory.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_epoll_client_factory.h
index f2dd7c5b5ec..962a7140095 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_epoll_client_factory.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_epoll_client_factory.h
@@ -5,7 +5,9 @@
 #ifndef QUICHE_QUIC_TOOLS_QUIC_EPOLL_CLIENT_FACTORY_H_
 #define QUICHE_QUIC_TOOLS_QUIC_EPOLL_CLIENT_FACTORY_H_
 
-#include "quiche/quic/platform/api/quic_epoll.h"
+#include <memory>
+
+#include "quiche/quic/core/io/quic_event_loop.h"
 #include "quiche/quic/tools/quic_toy_client.h"
 
 namespace quic {
@@ -13,6 +15,8 @@ namespace quic {
 // Factory creating QuicClient instances.
 class QuicEpollClientFactory : public QuicToyClient::ClientFactory {
  public:
+  QuicEpollClientFactory();
+
   std::unique_ptr<QuicSpdyClientBase> CreateClient(
       std::string host_for_handshake, std::string host_for_lookup,
       int address_family_for_lookup, uint16_t port,
@@ -21,7 +25,7 @@ class QuicEpollClientFactory : public QuicToyClient::ClientFactory {
       std::unique_ptr<SessionCache> session_cache) override;
 
  private:
-  QuicEpollServer epoll_server_;
+  std::unique_ptr<QuicEventLoop> event_loop_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_name_lookup.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_name_lookup.cc
new file mode 100644
index 00000000000..63e063e97e7
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_name_lookup.cc
@@ -0,0 +1,47 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "quiche/quic/tools/quic_name_lookup.h"
+
+#include <netdb.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
+#include <string>
+
+#include "absl/strings/str_cat.h"
+#include "quiche/quic/core/quic_server_id.h"
+#include "quiche/quic/platform/api/quic_logging.h"
+
+namespace quic::tools {
+
+QuicSocketAddress LookupAddress(int address_family_for_lookup, std::string host,
+                                std::string port) {
+  addrinfo hint;
+  memset(&hint, 0, sizeof(hint));
+  hint.ai_family = address_family_for_lookup;
+  hint.ai_protocol = IPPROTO_UDP;
+
+  addrinfo* info_list = nullptr;
+  int result = getaddrinfo(host.c_str(), port.c_str(), &hint, &info_list);
+  if (result != 0) {
+    QUIC_LOG(ERROR) << "Failed to look up " << host << ": "
+                    << gai_strerror(result);
+    return QuicSocketAddress();
+  }
+
+  QUICHE_CHECK(info_list != nullptr);
+  std::unique_ptr<addrinfo, void (*)(addrinfo*)> info_list_owned(info_list,
+                                                                 freeaddrinfo);
+  return QuicSocketAddress(info_list->ai_addr, info_list->ai_addrlen);
+}
+
+QuicSocketAddress LookupAddress(int address_family_for_lookup,
+                                const QuicServerId& server_id) {
+  return LookupAddress(address_family_for_lookup,
+                       std::string(server_id.GetHostWithoutIpv6Brackets()),
+                       absl::StrCat(server_id.port()));
+}
+
+}  // namespace quic::tools
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_name_lookup.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_name_lookup.h
new file mode 100644
index 00000000000..d9fd8e8c1ed
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_name_lookup.h
@@ -0,0 +1,35 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_TOOLS_QUIC_NAME_LOOKUP_H_
+#define QUICHE_QUIC_TOOLS_QUIC_NAME_LOOKUP_H_
+
+#include <string>
+
+#include "quiche/quic/platform/api/quic_socket_address.h"
+
+namespace quic {
+
+class QuicServerId;
+
+namespace tools {
+
+quic::QuicSocketAddress LookupAddress(int address_family_for_lookup,
+                                      std::string host, std::string port);
+
+quic::QuicSocketAddress LookupAddress(int address_family_for_lookup,
+                                      const QuicServerId& server_id);
+
+inline QuicSocketAddress LookupAddress(std::string host, std::string port) {
+  return LookupAddress(0, host, port);
+}
+
+inline QuicSocketAddress LookupAddress(const QuicServerId& server_id) {
+  return LookupAddress(0, server_id);
+}
+
+}  // namespace tools
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_TOOLS_QUIC_NAME_LOOKUP_H_
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server.cc
index 0c3233a6406..aace378a5c1 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server.cc
@@ -4,13 +4,6 @@
 
 #include "quiche/quic/tools/quic_server.h"
 
-#include <errno.h>
-#include <features.h>
-#include <netinet/in.h>
-#include <string.h>
-#include <sys/epoll.h>
-#include <sys/socket.h>
-
 #include <cstdint>
 #include <memory>
 
@@ -76,7 +69,8 @@ QuicServer::QuicServer(
       packet_reader_(new QuicPacketReader()),
       quic_simple_server_backend_(quic_simple_server_backend),
       expected_server_connection_id_length_(
-          expected_server_connection_id_length) {
+          expected_server_connection_id_length),
+      connection_id_generator_(expected_server_connection_id_length) {
   QUICHE_DCHECK(quic_simple_server_backend_);
   Initialize();
 }
@@ -170,7 +164,7 @@ QuicDispatcher* QuicServer::CreateQuicDispatcher() {
       std::unique_ptr<QuicCryptoServerStreamBase::Helper>(
           new QuicSimpleCryptoServerStreamHelper()),
       event_loop_->CreateAlarmFactory(), quic_simple_server_backend_,
-      expected_server_connection_id_length_);
+      expected_server_connection_id_length_, connection_id_generator_);
 }
 
 std::unique_ptr<QuicEventLoop> QuicServer::CreateEventLoop() {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server.h
index 0e4837167f1..f97a4593082 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server.h
@@ -15,12 +15,13 @@
 
 #include "absl/strings/string_view.h"
 #include "quiche/quic/core/crypto/quic_crypto_server_config.h"
+#include "quiche/quic/core/deterministic_connection_id_generator.h"
 #include "quiche/quic/core/io/quic_event_loop.h"
-#include "quiche/quic/core/io/socket_factory.h"
 #include "quiche/quic/core/quic_config.h"
 #include "quiche/quic/core/quic_packet_writer.h"
 #include "quiche/quic/core/quic_udp_socket.h"
 #include "quiche/quic/core/quic_version_manager.h"
+#include "quiche/quic/core/socket_factory.h"
 #include "quiche/quic/platform/api/quic_socket_address.h"
 #include "quiche/quic/tools/quic_simple_server_backend.h"
 #include "quiche/quic/tools/quic_spdy_server_base.h"
@@ -108,6 +109,10 @@ class QuicServer : public QuicSpdyServerBase, public QuicSocketEventListener {
     return expected_server_connection_id_length_;
   }
 
+  ConnectionIdGeneratorInterface& connection_id_generator() {
+    return connection_id_generator_;
+  }
+
  private:
   friend class quic::test::QuicServerPeer;
 
@@ -160,6 +165,8 @@ class QuicServer : public QuicSpdyServerBase, public QuicSocketEventListener {
 
   // Connection ID length expected to be read on incoming IETF short headers.
   uint8_t expected_server_connection_id_length_;
+
+  DeterministicConnectionIdGenerator connection_id_generator_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server_test.cc
index fe68ba574cd..26075a149cf 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_server_test.cc
@@ -8,6 +8,7 @@
 
 #include "absl/base/macros.h"
 #include "quiche/quic/core/crypto/quic_random.h"
+#include "quiche/quic/core/deterministic_connection_id_generator.h"
 #include "quiche/quic/core/io/quic_default_event_loop.h"
 #include "quiche/quic/core/io/quic_event_loop.h"
 #include "quiche/quic/core/quic_default_clock.h"
@@ -40,11 +41,13 @@ class MockQuicSimpleDispatcher : public QuicSimpleDispatcher {
       std::unique_ptr<QuicConnectionHelperInterface> helper,
       std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
       std::unique_ptr<QuicAlarmFactory> alarm_factory,
-      QuicSimpleServerBackend* quic_simple_server_backend)
-      : QuicSimpleDispatcher(
-            config, crypto_config, version_manager, std::move(helper),
-            std::move(session_helper), std::move(alarm_factory),
-            quic_simple_server_backend, kQuicDefaultConnectionIdLength) {}
+      QuicSimpleServerBackend* quic_simple_server_backend,
+      ConnectionIdGeneratorInterface& generator)
+      : QuicSimpleDispatcher(config, crypto_config, version_manager,
+                             std::move(helper), std::move(session_helper),
+                             std::move(alarm_factory),
+                             quic_simple_server_backend,
+                             kQuicDefaultConnectionIdLength, generator) {}
   ~MockQuicSimpleDispatcher() override = default;
 
   MOCK_METHOD(void, OnCanWrite, (), (override));
@@ -73,7 +76,8 @@ class TestQuicServer : public QuicServer {
         std::make_unique<QuicDefaultConnectionHelper>(),
         std::unique_ptr<QuicCryptoServerStreamBase::Helper>(
             new QuicSimpleCryptoServerStreamHelper()),
-        event_loop()->CreateAlarmFactory(), quic_simple_server_backend_);
+        event_loop()->CreateAlarmFactory(), quic_simple_server_backend_,
+        connection_id_generator());
     return mock_dispatcher_;
   }
 
@@ -169,11 +173,12 @@ class QuicServerDispatchPacketTest : public QuicTest {
                        KeyExchangeSource::Default()),
         version_manager_(AllSupportedVersions()),
         event_loop_(GetDefaultEventLoop()->Create(QuicDefaultClock::Get())),
+        connection_id_generator_(kQuicDefaultConnectionIdLength),
         dispatcher_(&config_, &crypto_config_, &version_manager_,
                     std::make_unique<QuicDefaultConnectionHelper>(),
                     std::make_unique<QuicSimpleCryptoServerStreamHelper>(),
                     event_loop_->CreateAlarmFactory(),
-                    &quic_simple_server_backend_) {
+                    &quic_simple_server_backend_, connection_id_generator_) {
     dispatcher_.InitializeWithWriter(new QuicDefaultPacketWriter(1234));
   }
 
@@ -188,6 +193,7 @@ class QuicServerDispatchPacketTest : public QuicTest {
   QuicVersionManager version_manager_;
   std::unique_ptr<QuicEventLoop> event_loop_;
   QuicMemoryCacheBackend quic_simple_server_backend_;
+  DeterministicConnectionIdGenerator connection_id_generator_;
   MockQuicDispatcher dispatcher_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_client_session.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_client_session.cc
index 1a001fb414a..013167caa90 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_client_session.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_client_session.cc
@@ -10,22 +10,13 @@ namespace quic {
 
 QuicSimpleClientSession::QuicSimpleClientSession(
     const QuicConfig& config, const ParsedQuicVersionVector& supported_versions,
-    QuicConnection* connection, const QuicServerId& server_id,
-    QuicCryptoClientConfig* crypto_config,
-    QuicClientPushPromiseIndex* push_promise_index, bool drop_response_body)
-    : QuicSimpleClientSession(config, supported_versions, connection, server_id,
-                              crypto_config, push_promise_index,
-                              drop_response_body,
-                              /*enable_web_transport=*/false) {}
-
-QuicSimpleClientSession::QuicSimpleClientSession(
-    const QuicConfig& config, const ParsedQuicVersionVector& supported_versions,
-    QuicConnection* connection, const QuicServerId& server_id,
-    QuicCryptoClientConfig* crypto_config,
+    QuicConnection* connection, QuicClientBase::NetworkHelper* network_helper,
+    const QuicServerId& server_id, QuicCryptoClientConfig* crypto_config,
     QuicClientPushPromiseIndex* push_promise_index, bool drop_response_body,
     bool enable_web_transport)
     : QuicSpdyClientSession(config, supported_versions, connection, server_id,
                             crypto_config, push_promise_index),
+      network_helper_(network_helper),
       drop_response_body_(drop_response_body),
       enable_web_transport_(enable_web_transport) {}
 
@@ -45,4 +36,24 @@ HttpDatagramSupport QuicSimpleClientSession::LocalHttpDatagramSupport() {
                                : HttpDatagramSupport::kNone;
 }
 
+std::unique_ptr<QuicPathValidationContext>
+QuicSimpleClientSession::CreateContextForMultiPortPath() {
+  if (!network_helper_ || !connection()->multi_port_enabled()) {
+    return nullptr;
+  }
+  auto self_address = connection()->self_address();
+  auto server_address = connection()->peer_address();
+  if (!network_helper_->CreateUDPSocketAndBind(
+          server_address, self_address.host(), self_address.port() + 1)) {
+    return nullptr;
+  }
+  QuicPacketWriter* writer = network_helper_->CreateQuicPacketWriter();
+  if (writer == nullptr) {
+    return nullptr;
+  }
+  return std::make_unique<PathMigrationContext>(
+      std::unique_ptr<QuicPacketWriter>(writer),
+      network_helper_->GetLatestClientAddress(), peer_address());
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_client_session.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_client_session.h
index 6b6f4a7437d..763a1a3ecca 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_client_session.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_client_session.h
@@ -6,6 +6,7 @@
 #define QUICHE_QUIC_TOOLS_QUIC_SIMPLE_CLIENT_SESSION_H_
 
 #include "quiche/quic/core/http/quic_spdy_client_session.h"
+#include "quiche/quic/tools/quic_client_base.h"
 #include "quiche/quic/tools/quic_simple_client_stream.h"
 
 namespace quic {
@@ -15,13 +16,7 @@ class QuicSimpleClientSession : public QuicSpdyClientSession {
   QuicSimpleClientSession(const QuicConfig& config,
                           const ParsedQuicVersionVector& supported_versions,
                           QuicConnection* connection,
-                          const QuicServerId& server_id,
-                          QuicCryptoClientConfig* crypto_config,
-                          QuicClientPushPromiseIndex* push_promise_index,
-                          bool drop_response_body);
-  QuicSimpleClientSession(const QuicConfig& config,
-                          const ParsedQuicVersionVector& supported_versions,
-                          QuicConnection* connection,
+                          QuicClientBase::NetworkHelper* network_helper,
                           const QuicServerId& server_id,
                           QuicCryptoClientConfig* crypto_config,
                           QuicClientPushPromiseIndex* push_promise_index,
@@ -30,8 +25,12 @@ class QuicSimpleClientSession : public QuicSpdyClientSession {
   std::unique_ptr<QuicSpdyClientStream> CreateClientStream() override;
   bool ShouldNegotiateWebTransport() override;
   HttpDatagramSupport LocalHttpDatagramSupport() override;
+  std::unique_ptr<QuicPathValidationContext> CreateContextForMultiPortPath()
+      override;
+  bool drop_response_body() const { return drop_response_body_; }
 
  private:
+  QuicClientBase::NetworkHelper* network_helper_;
   const bool drop_response_body_;
   const bool enable_web_transport_;
 };
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_dispatcher.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_dispatcher.cc
index 247e6f77128..50f063697ff 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_dispatcher.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_dispatcher.cc
@@ -16,10 +16,11 @@ QuicSimpleDispatcher::QuicSimpleDispatcher(
     std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
     std::unique_ptr<QuicAlarmFactory> alarm_factory,
     QuicSimpleServerBackend* quic_simple_server_backend,
-    uint8_t expected_server_connection_id_length)
+    uint8_t expected_server_connection_id_length,
+    ConnectionIdGeneratorInterface& generator)
     : QuicDispatcher(config, crypto_config, version_manager, std::move(helper),
                      std::move(session_helper), std::move(alarm_factory),
-                     expected_server_connection_id_length),
+                     expected_server_connection_id_length, generator),
       quic_simple_server_backend_(quic_simple_server_backend) {}
 
 QuicSimpleDispatcher::~QuicSimpleDispatcher() = default;
@@ -49,11 +50,11 @@ std::unique_ptr<QuicSession> QuicSimpleDispatcher::CreateQuicSession(
     const ParsedQuicVersion& version,
     const ParsedClientHello& /*parsed_chlo*/) {
   // The QuicServerSessionBase takes ownership of |connection| below.
-  QuicConnection* connection =
-      new QuicConnection(connection_id, self_address, peer_address, helper(),
-                         alarm_factory(), writer(),
-                         /* owns_writer= */ false, Perspective::IS_SERVER,
-                         ParsedQuicVersionVector{version});
+  QuicConnection* connection = new QuicConnection(
+      connection_id, self_address, peer_address, helper(), alarm_factory(),
+      writer(),
+      /* owns_writer= */ false, Perspective::IS_SERVER,
+      ParsedQuicVersionVector{version}, connection_id_generator());
 
   auto session = std::make_unique<QuicSimpleServerSession>(
       config(), GetSupportedVersions(), connection, this, session_helper(),
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_dispatcher.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_dispatcher.h
index 609e2106910..16f7fd0afc7 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_dispatcher.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_dispatcher.h
@@ -21,7 +21,8 @@ class QuicSimpleDispatcher : public QuicDispatcher {
       std::unique_ptr<QuicCryptoServerStreamBase::Helper> session_helper,
       std::unique_ptr<QuicAlarmFactory> alarm_factory,
       QuicSimpleServerBackend* quic_simple_server_backend,
-      uint8_t expected_server_connection_id_length);
+      uint8_t expected_server_connection_id_length,
+      ConnectionIdGeneratorInterface& generator);
 
   ~QuicSimpleDispatcher() override;
 
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_backend.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_backend.h
index 26eaa65f92d..a142dd85526 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_backend.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_backend.h
@@ -9,9 +9,10 @@
 #include <memory>
 
 #include "absl/strings/string_view.h"
-#include "quiche/quic/core/io/socket_factory.h"
+#include "quiche/quic/core/http/quic_spdy_stream.h"
 #include "quiche/quic/core/quic_error_codes.h"
 #include "quiche/quic/core/quic_types.h"
+#include "quiche/quic/core/socket_factory.h"
 #include "quiche/quic/core/web_transport_interface.h"
 #include "quiche/quic/tools/quic_backend_response.h"
 #include "quiche/spdy/core/http2_header_block.h"
@@ -33,6 +34,7 @@ class QuicSimpleServerBackend {
     virtual QuicConnectionId connection_id() const = 0;
     virtual QuicStreamId stream_id() const = 0;
     virtual std::string peer_host() const = 0;
+    virtual QuicSpdyStream* GetStream() = 0;
     // Called when the response is ready at the backend and can be send back to
     // the QUIC client.
     virtual void OnResponseBackendComplete(
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream.cc
index beea65a993e..f4dec74d5e8 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream.cc
@@ -245,6 +245,8 @@ std::string QuicSimpleServerStream::peer_host() const {
   return spdy_session()->peer_address().host().ToString();
 }
 
+QuicSpdyStream* QuicSimpleServerStream::GetStream() { return this; }
+
 namespace {
 
 class DelayedResponseAlarm : public QuicAlarm::DelegateWithContext {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream.h b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream.h
index 3bcd9edba8a..85ce8b52e90 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream.h
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream.h
@@ -57,6 +57,7 @@ class QuicSimpleServerStream : public QuicSpdyServerStreamBase,
   QuicConnectionId connection_id() const override;
   QuicStreamId stream_id() const override;
   std::string peer_host() const override;
+  QuicSpdyStream* GetStream() override;
   void OnResponseBackendComplete(const QuicBackendResponse* response) override;
   void SendStreamData(absl::string_view data, bool close_stream) override;
   void TerminateStreamWithError(QuicResetStreamError error) override;
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream_test.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream_test.cc
index 92d06bd4996..69851f27c1e 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_stream_test.cc
@@ -261,7 +261,7 @@ class QuicSimpleServerStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
         session_.config(), kMinimumFlowControlSendWindow);
     QuicConfigPeer::SetReceivedMaxUnidirectionalStreams(session_.config(), 10);
     session_.OnConfigNegotiated();
-    connection_->AdvanceTime(QuicTime::Delta::FromSeconds(1));
+    simulator_.RunFor(QuicTime::Delta::FromSeconds(1));
   }
 
   const std::string& StreamBody() { return stream_->body(); }
@@ -703,8 +703,7 @@ TEST_P(QuicSimpleServerStreamTest, InvalidMultipleContentLength) {
   // \000 is a way to write the null byte when followed by a literal digit.
   header_list_.OnHeader("content-length", absl::string_view("11\00012", 5));
 
-  if (GetQuicReloadableFlag(quic_validate_header_field_value_at_spdy_stream) &&
-      session_.version().UsesHttp3()) {
+  if (session_.version().UsesHttp3()) {
     EXPECT_CALL(session_,
                 MaybeSendStopSendingFrame(_, QuicResetStreamError::FromInternal(
                                                  QUIC_STREAM_NO_ERROR)));
@@ -725,8 +724,7 @@ TEST_P(QuicSimpleServerStreamTest, InvalidLeadingNullContentLength) {
   // \000 is a way to write the null byte when followed by a literal digit.
   header_list_.OnHeader("content-length", absl::string_view("\00012", 3));
 
-  if (GetQuicReloadableFlag(quic_validate_header_field_value_at_spdy_stream) &&
-      session_.version().UsesHttp3()) {
+  if (session_.version().UsesHttp3()) {
     EXPECT_CALL(session_,
                 MaybeSendStopSendingFrame(_, QuicResetStreamError::FromInternal(
                                                  QUIC_STREAM_NO_ERROR)));
@@ -747,8 +745,7 @@ TEST_P(QuicSimpleServerStreamTest, InvalidMultipleContentLengthII) {
   // \000 is a way to write the null byte when followed by a literal digit.
   header_list_.OnHeader("content-length", absl::string_view("11\00011", 5));
 
-  if (GetQuicReloadableFlag(quic_validate_header_field_value_at_spdy_stream) &&
-      session_.version().UsesHttp3()) {
+  if (session_.version().UsesHttp3()) {
     EXPECT_CALL(session_,
                 MaybeSendStopSendingFrame(_, QuicResetStreamError::FromInternal(
                                                  QUIC_STREAM_NO_ERROR)));
@@ -760,8 +757,7 @@ TEST_P(QuicSimpleServerStreamTest, InvalidMultipleContentLengthII) {
 
   stream_->OnStreamHeaderList(false, kFakeFrameLen, header_list_);
 
-  if (GetQuicReloadableFlag(quic_validate_header_field_value_at_spdy_stream) &&
-      session_.version().UsesHttp3()) {
+  if (session_.version().UsesHttp3()) {
     EXPECT_TRUE(QuicStreamPeer::read_side_closed(stream_));
     EXPECT_TRUE(stream_->reading_stopped());
     EXPECT_TRUE(stream_->write_side_closed());
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_spdy_client_base.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_spdy_client_base.cc
index 5ffe5718d70..a34472cbc68 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_spdy_client_base.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_spdy_client_base.cc
@@ -105,7 +105,7 @@ std::unique_ptr<QuicSession> QuicSpdyClientBase::CreateQuicClientSession(
 
 void QuicSpdyClientBase::SendRequest(const Http2HeaderBlock& headers,
                                      absl::string_view body, bool fin) {
-  if (GetQuicFlag(FLAGS_quic_client_convert_http_header_name_to_lowercase)) {
+  if (GetQuicFlag(quic_client_convert_http_header_name_to_lowercase)) {
     QUIC_CODE_COUNT(quic_client_convert_http_header_name_to_lowercase);
     Http2HeaderBlock sanitized_headers;
     for (const auto& p : headers) {
diff --git a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_toy_client.cc b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_toy_client.cc
index be51cf33fd8..1c7cdaf9863 100644
--- a/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_toy_client.cc
+++ b/chromium/net/third_party/quiche/src/quiche/quic/tools/quic_toy_client.cc
@@ -467,6 +467,8 @@ int QuicToyClient::SendRequestsAndPrintResponses(
       }
       std::cout << "trailers: " << client->latest_response_trailers()
                 << std::endl;
+      std::cout << "early data accepted: " << client->EarlyDataAccepted()
+                << std::endl;
     }
 
     if (!client->connected()) {
diff --git a/chromium/net/third_party/quiche/src/quiche/spdy/core/http2_header_block_test.cc b/chromium/net/third_party/quiche/src/quiche/spdy/core/http2_header_block_test.cc
index 4624d7ba4c7..1ad045f16cf 100644
--- a/chromium/net/third_party/quiche/src/quiche/spdy/core/http2_header_block_test.cc
+++ b/chromium/net/third_party/quiche/src/quiche/spdy/core/http2_header_block_test.cc
@@ -275,5 +275,21 @@ TEST(Http2HeaderBlockTest, TotalBytesUsed) {
   EXPECT_EQ(block_copy.TotalBytesUsed(), Http2HeaderBlockSize(block_copy));
 }
 
+// The order of header fields is preserved.  Note that all pseudo-header fields
+// must appear before regular header fields, both in HTTP/2 and HTTP/3, see
+// https://www.rfc-editor.org/rfc/rfc9113.html#name-http-control-data and
+// https://www.rfc-editor.org/rfc/rfc9114.html#name-http-control-data.  It is
+// the responsibility of the higher layer to add header fields in the correct
+// order.
+TEST(Http2HeaderBlockTest, OrderPreserved) {
+  Http2HeaderBlock block;
+  block[":method"] = "GET";
+  block["foo"] = "bar";
+  block[":path"] = "/";
+
+  EXPECT_THAT(block, ElementsAre(Pair(":method", "GET"), Pair("foo", "bar"),
+                                 Pair(":path", "/")));
+}
+
 }  // namespace test
 }  // namespace spdy
diff --git a/chromium/net/third_party/quiche/src/quiche/spdy/core/metadata_extension.h b/chromium/net/third_party/quiche/src/quiche/spdy/core/metadata_extension.h
index 6b171b5ccdf..a749904cd0d 100644
--- a/chromium/net/third_party/quiche/src/quiche/spdy/core/metadata_extension.h
+++ b/chromium/net/third_party/quiche/src/quiche/spdy/core/metadata_extension.h
@@ -109,6 +109,8 @@ class QUICHE_EXPORT_PRIVATE MetadataFrameSequence {
   // which case returns nullptr.
   std::unique_ptr<spdy::SpdyFrameIR> Next();
 
+  SpdyStreamId stream_id() const { return stream_id_; }
+
  private:
   SpdyStreamId stream_id_;
   Http2HeaderBlock payload_;
diff --git a/chromium/net/third_party/uri_template/uri_template_fuzzer.cc b/chromium/net/third_party/uri_template/uri_template_fuzzer.cc
index 08731dd1001..d87e46f36a3 100644
--- a/chromium/net/third_party/uri_template/uri_template_fuzzer.cc
+++ b/chromium/net/third_party/uri_template/uri_template_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/build_hpack_constants.py b/chromium/net/tools/build_hpack_constants.py
index 31110781181..ab3ac8edd64 100755
--- a/chromium/net/tools/build_hpack_constants.py
+++ b/chromium/net/tools/build_hpack_constants.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 
-# Copyright 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/cache_transparency/checksum_pervasive_js.py b/chromium/net/tools/cache_transparency/checksum_pervasive_js.py
new file mode 100644
index 00000000000..9482bf5d665
--- /dev/null
+++ b/chromium/net/tools/cache_transparency/checksum_pervasive_js.py
@@ -0,0 +1,40 @@
+# Copyright 2022 The Chromium Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+"""Calculates the checksum for pervasive.js.
+
+Usage:
+  python3 checksum_pervasive_js.py pervasive.js
+
+"""
+
+import re
+import sys
+import pervasive_checksum
+
+
+def main(argv):
+  if len(argv) != 2:
+    print('Supply the path to pervasive.js as the sole command-line argument')
+    sys.exit(1)
+
+  filename = argv[1]
+  with open(filename, mode='rb') as f:
+    raw_body = f.read()
+
+  headers = []
+  with open(f'{filename}.mock-http-headers', mode='r') as lines:
+    for line in lines:
+      if line.startswith('HTTP/'):
+        continue
+      match = re.match(r'^([A-Za-z0-9-]+): *(.*)$', line)
+      if not match:
+        print(f'Failed to parse header line: {line}')
+        continue
+      headers.append((match.group(1), match.group(2)))
+
+  print(pervasive_checksum.calculate_checksum(headers, raw_body))
+
+
+if __name__ == '__main__':
+  main(sys.argv)
diff --git a/chromium/net/tools/cache_transparency/generate_checksums.py b/chromium/net/tools/cache_transparency/generate_checksums.py
index f99a9b5ca94..db755471c46 100644
--- a/chromium/net/tools/cache_transparency/generate_checksums.py
+++ b/chromium/net/tools/cache_transparency/generate_checksums.py
@@ -1,4 +1,4 @@
-# Copyright 2022 The Chromium Authors. All rights reserved.
+# Copyright 2022 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 """Generates checksums for URLs in the Pervasive Payload list."""
@@ -6,27 +6,14 @@
 import argparse
 import csv
 import requests
-import hashlib
 import urllib.parse
-
-INCLUDE_HEADERS = frozenset([
-    "access-control-allow-credentials", "access-control-allow-headers",
-    "access-control-allow-methods", "access-control-allow-origin",
-    "access-control-expose-headers", "access-control-max-age",
-    "access-control-request-headers", "access-control-request-method",
-    "clear-site-data", "content-encoding", "content-security-policy",
-    "content-type", "cross-origin-embedder-policy",
-    "cross-origin-opener-policy", "cross-origin-resource-policy", "location",
-    "sec-websocket-accept", "sec-websocket-extensions", "sec-websocket-key",
-    "sec-websocket-protocol", "sec-websocket-version", "upgrade", "vary"
-])
+import pervasive_checksum
 
 
 def generate_list_with_checksums(data):
   pairs_list = []
   flat_list = []
   for i, url_info in enumerate(data):
-    checksum_input = ""
     url = url_info[0]
     print(f"[{i}/{len(data)}] Fetching {url}")
 
@@ -35,20 +22,9 @@ def generate_list_with_checksums(data):
                       stream=True) as response:
 
       headers = list(response.headers.items())
-      headers = [(name.lower(), value) for name, value in headers]
-      headers.sort()
-
-      for header in headers:
-        if header[0] in INCLUDE_HEADERS:
-          checksum_input += header[0] + ": " + header[1] + "\n"
-
-      checksum_input += "\n"
-      checksum_input = checksum_input.encode()
-
       raw_body = response.raw.data
-      checksum_input += raw_body
 
-    checksum = hashlib.sha256(checksum_input).hexdigest().upper()
+    checksum = pervasive_checksum.calculate_checksum(headers, raw_body)
     pairs_list.append([url, checksum])
     flat_list.append(str(url))
     flat_list.append(str(checksum))
diff --git a/chromium/net/tools/cache_transparency/pervasive_checksum.py b/chromium/net/tools/cache_transparency/pervasive_checksum.py
new file mode 100644
index 00000000000..92915b5f1d3
--- /dev/null
+++ b/chromium/net/tools/cache_transparency/pervasive_checksum.py
@@ -0,0 +1,45 @@
+# Copyright 2022 The Chromium Authors
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+"""Calculates the pervasive payload checksum"""
+
+import hashlib
+
+INCLUDE_HEADERS = frozenset([
+    "access-control-allow-credentials", "access-control-allow-headers",
+    "access-control-allow-methods", "access-control-allow-origin",
+    "access-control-expose-headers", "access-control-max-age",
+    "access-control-request-headers", "access-control-request-method",
+    "clear-site-data", "content-encoding", "content-security-policy",
+    "content-type", "cross-origin-embedder-policy",
+    "cross-origin-opener-policy", "cross-origin-resource-policy", "location",
+    "sec-websocket-accept", "sec-websocket-extensions", "sec-websocket-key",
+    "sec-websocket-protocol", "sec-websocket-version", "upgrade", "vary"
+])
+
+
+def calculate_checksum(headers, raw_body):
+  """Calculates the pervasive payload checksum for a given resource
+
+  `headers` should be a list of name, value tuples.
+  `raw_body` should be the response body exactly as returned by the server,
+  without decompression or other filtering applied.
+  Returns the SHA-256 checksum of the resource, calculated per the cache
+  transparency serialization algorithm.
+  """
+
+  checksum_input = ""
+
+  headers = [(name.lower(), value) for name, value in headers]
+  headers.sort()
+
+  for header in headers:
+    if header[0] in INCLUDE_HEADERS:
+      checksum_input += header[0] + ": " + header[1] + "\n"
+
+  checksum_input += "\n"
+  checksum_input = checksum_input.encode()
+
+  checksum_input += raw_body
+
+  return hashlib.sha256(checksum_input).hexdigest().upper()
diff --git a/chromium/net/tools/cachetool/cachetool.cc b/chromium/net/tools/cachetool/cachetool.cc
index 1735d871d6d..9c70a7f5b5c 100644
--- a/chromium/net/tools/cachetool/cachetool.cc
+++ b/chromium/net/tools/cachetool/cachetool.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/cert_verify_tool/cert_verify_comparision_tool.cc b/chromium/net/tools/cert_verify_tool/cert_verify_comparision_tool.cc
index 3cff9731feb..746513e4bd7 100644
--- a/chromium/net/tools/cert_verify_tool/cert_verify_comparision_tool.cc
+++ b/chromium/net/tools/cert_verify_tool/cert_verify_comparision_tool.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc b/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc
index 8be41b51949..f1328b89ca7 100644
--- a/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc
+++ b/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.cc b/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.cc
index 2bc98a38678..295c48d11a0 100644
--- a/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.cc
+++ b/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.h b/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.h
index f22f5449893..3bf361183eb 100644
--- a/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.h
+++ b/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/cert_verify_tool/dumper.proto b/chromium/net/tools/cert_verify_tool/dumper.proto
index 87ada76110d..e0ff47324d2 100644
--- a/chromium/net/tools/cert_verify_tool/dumper.proto
+++ b/chromium/net/tools/cert_verify_tool/dumper.proto
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/cert_verify_tool/verify_using_cert_verify_proc.cc b/chromium/net/tools/cert_verify_tool/verify_using_cert_verify_proc.cc
index bd722e313e8..cdccee731f3 100644
--- a/chromium/net/tools/cert_verify_tool/verify_using_cert_verify_proc.cc
+++ b/chromium/net/tools/cert_verify_tool/verify_using_cert_verify_proc.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/cert_verify_tool/verify_using_cert_verify_proc.h b/chromium/net/tools/cert_verify_tool/verify_using_cert_verify_proc.h
index d77e8989ea3..1b8062ea891 100644
--- a/chromium/net/tools/cert_verify_tool/verify_using_cert_verify_proc.h
+++ b/chromium/net/tools/cert_verify_tool/verify_using_cert_verify_proc.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/cert_verify_tool/verify_using_path_builder.cc b/chromium/net/tools/cert_verify_tool/verify_using_path_builder.cc
index 49aecf25df9..99d9e39de4e 100644
--- a/chromium/net/tools/cert_verify_tool/verify_using_path_builder.cc
+++ b/chromium/net/tools/cert_verify_tool/verify_using_path_builder.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/cert_verify_tool/verify_using_path_builder.h b/chromium/net/tools/cert_verify_tool/verify_using_path_builder.h
index 1e8e8440c80..01628a54f49 100644
--- a/chromium/net/tools/cert_verify_tool/verify_using_path_builder.h
+++ b/chromium/net/tools/cert_verify_tool/verify_using_path_builder.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/content_decoder_tool/content_decoder_tool.cc b/chromium/net/tools/content_decoder_tool/content_decoder_tool.cc
index e2b6120f55d..f14e7bf313c 100644
--- a/chromium/net/tools/content_decoder_tool/content_decoder_tool.cc
+++ b/chromium/net/tools/content_decoder_tool/content_decoder_tool.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/content_decoder_tool/content_decoder_tool.h b/chromium/net/tools/content_decoder_tool/content_decoder_tool.h
index 32b604a2e24..2ab83ee79b1 100644
--- a/chromium/net/tools/content_decoder_tool/content_decoder_tool.h
+++ b/chromium/net/tools/content_decoder_tool/content_decoder_tool.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/content_decoder_tool/content_decoder_tool_bin.cc b/chromium/net/tools/content_decoder_tool/content_decoder_tool_bin.cc
index 6dc3ea7ad26..d4cab40f953 100644
--- a/chromium/net/tools/content_decoder_tool/content_decoder_tool_bin.cc
+++ b/chromium/net/tools/content_decoder_tool/content_decoder_tool_bin.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/content_decoder_tool/content_decoder_tool_unittest.cc b/chromium/net/tools/content_decoder_tool/content_decoder_tool_unittest.cc
index 83656cfa93d..c2781389444 100644
--- a/chromium/net/tools/content_decoder_tool/content_decoder_tool_unittest.cc
+++ b/chromium/net/tools/content_decoder_tool/content_decoder_tool_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/crash_cache/crash_cache.cc b/chromium/net/tools/crash_cache/crash_cache.cc
index a506819f2f6..ae926bdb0e3 100644
--- a/chromium/net/tools/crash_cache/crash_cache.cc
+++ b/chromium/net/tools/crash_cache/crash_cache.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/dafsa/PRESUBMIT.py b/chromium/net/tools/dafsa/PRESUBMIT.py
index 77daed6f3af..c4d19db6898 100644
--- a/chromium/net/tools/dafsa/PRESUBMIT.py
+++ b/chromium/net/tools/dafsa/PRESUBMIT.py
@@ -1,4 +1,4 @@
-# Copyright 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/dafsa/make_dafsa.py b/chromium/net/tools/dafsa/make_dafsa.py
index eb0094326c1..6361b0b95d8 100755
--- a/chromium/net/tools/dafsa/make_dafsa.py
+++ b/chromium/net/tools/dafsa/make_dafsa.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/dafsa/make_dafsa_unittest.py b/chromium/net/tools/dafsa/make_dafsa_unittest.py
index 42272fe6c0b..e46ff05d8ae 100755
--- a/chromium/net/tools/dafsa/make_dafsa_unittest.py
+++ b/chromium/net/tools/dafsa/make_dafsa_unittest.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/disk_cache_memory_test/disk_cache_memory_test.cc b/chromium/net/tools/disk_cache_memory_test/disk_cache_memory_test.cc
index 9f64051a51c..a1e7d486e5d 100644
--- a/chromium/net/tools/disk_cache_memory_test/disk_cache_memory_test.cc
+++ b/chromium/net/tools/disk_cache_memory_test/disk_cache_memory_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/dump_cache/dump_cache.cc b/chromium/net/tools/dump_cache/dump_cache.cc
index c79a55f0730..16ae2dc042c 100644
--- a/chromium/net/tools/dump_cache/dump_cache.cc
+++ b/chromium/net/tools/dump_cache/dump_cache.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/dump_cache/dump_files.cc b/chromium/net/tools/dump_cache/dump_files.cc
index 037618d6c00..817dbb0067f 100644
--- a/chromium/net/tools/dump_cache/dump_files.cc
+++ b/chromium/net/tools/dump_cache/dump_files.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/dump_cache/dump_files.h b/chromium/net/tools/dump_cache/dump_files.h
index 365d6b0e5fd..8a6c83c1245 100644
--- a/chromium/net/tools/dump_cache/dump_files.h
+++ b/chromium/net/tools/dump_cache/dump_files.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/gssapi/gss_import_name.cc b/chromium/net/tools/gssapi/gss_import_name.cc
index fd5a8ec4cc8..153c3b1e042 100644
--- a/chromium/net/tools/gssapi/gss_import_name.cc
+++ b/chromium/net/tools/gssapi/gss_import_name.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/gssapi/gss_methods.cc b/chromium/net/tools/gssapi/gss_methods.cc
index 6a1647ea879..88d0dd9968a 100644
--- a/chromium/net/tools/gssapi/gss_methods.cc
+++ b/chromium/net/tools/gssapi/gss_methods.cc
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/gssapi/gss_types.h b/chromium/net/tools/gssapi/gss_types.h
index a6431033d78..3b8dac86f1c 100644
--- a/chromium/net/tools/gssapi/gss_types.h
+++ b/chromium/net/tools/gssapi/gss_types.h
@@ -1,4 +1,4 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/BUILD.gn b/chromium/net/tools/huffman_trie/BUILD.gn
index efa731b1013..4e9331ab569 100644
--- a/chromium/net/tools/huffman_trie/BUILD.gn
+++ b/chromium/net/tools/huffman_trie/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2018 The Chromium Authors. All rights reserved.
+# Copyright 2018 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/bit_writer.cc b/chromium/net/tools/huffman_trie/bit_writer.cc
index 077024862a9..33a8fda437e 100644
--- a/chromium/net/tools/huffman_trie/bit_writer.cc
+++ b/chromium/net/tools/huffman_trie/bit_writer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/bit_writer.h b/chromium/net/tools/huffman_trie/bit_writer.h
index e91b487c1b0..7927dec09a1 100644
--- a/chromium/net/tools/huffman_trie/bit_writer.h
+++ b/chromium/net/tools/huffman_trie/bit_writer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/bit_writer_unittest.cc b/chromium/net/tools/huffman_trie/bit_writer_unittest.cc
index deb373167df..88ac1fd5ba7 100644
--- a/chromium/net/tools/huffman_trie/bit_writer_unittest.cc
+++ b/chromium/net/tools/huffman_trie/bit_writer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/huffman/huffman_builder.cc b/chromium/net/tools/huffman_trie/huffman/huffman_builder.cc
index cc7945a1180..dba1427dea6 100644
--- a/chromium/net/tools/huffman_trie/huffman/huffman_builder.cc
+++ b/chromium/net/tools/huffman_trie/huffman/huffman_builder.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/huffman/huffman_builder.h b/chromium/net/tools/huffman_trie/huffman/huffman_builder.h
index 3126650db6f..397863d4bf4 100644
--- a/chromium/net/tools/huffman_trie/huffman/huffman_builder.h
+++ b/chromium/net/tools/huffman_trie/huffman/huffman_builder.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/huffman/huffman_builder_unittest.cc b/chromium/net/tools/huffman_trie/huffman/huffman_builder_unittest.cc
index 249065d218f..7cf3ee92417 100644
--- a/chromium/net/tools/huffman_trie/huffman/huffman_builder_unittest.cc
+++ b/chromium/net/tools/huffman_trie/huffman/huffman_builder_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.cc b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.cc
index 920f5b616e9..305b0caa310 100644
--- a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.cc
+++ b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.h b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.h
index 02cd1e3f38e..b9d181673a7 100644
--- a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.h
+++ b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer_unittest.cc b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer_unittest.cc
index 19289a1a1c7..5c4e8f366ff 100644
--- a/chromium/net/tools/huffman_trie/trie/trie_bit_buffer_unittest.cc
+++ b/chromium/net/tools/huffman_trie/trie/trie_bit_buffer_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/trie/trie_writer.cc b/chromium/net/tools/huffman_trie/trie/trie_writer.cc
index 61217051791..296fdd5a417 100644
--- a/chromium/net/tools/huffman_trie/trie/trie_writer.cc
+++ b/chromium/net/tools/huffman_trie/trie/trie_writer.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/trie/trie_writer.h b/chromium/net/tools/huffman_trie/trie/trie_writer.h
index 51863ca22de..612db76cb82 100644
--- a/chromium/net/tools/huffman_trie/trie/trie_writer.h
+++ b/chromium/net/tools/huffman_trie/trie/trie_writer.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/trie_entry.cc b/chromium/net/tools/huffman_trie/trie_entry.cc
index a2dc0e62972..ef47dd0576a 100644
--- a/chromium/net/tools/huffman_trie/trie_entry.cc
+++ b/chromium/net/tools/huffman_trie/trie_entry.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/huffman_trie/trie_entry.h b/chromium/net/tools/huffman_trie/trie_entry.h
index 9cf03587014..6fc6933b0c0 100644
--- a/chromium/net/tools/huffman_trie/trie_entry.h
+++ b/chromium/net/tools/huffman_trie/trie_entry.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/net_docs/net_docs.py b/chromium/net/tools/net_docs/net_docs.py
index 2dd30de87fe..9cadb8730d6 100755
--- a/chromium/net/tools/net_docs/net_docs.py
+++ b/chromium/net/tools/net_docs/net_docs.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright 2015 The Chromium Authors. All rights reserved.
+# Copyright 2015 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/net_watcher/net_watcher.cc b/chromium/net/tools/net_watcher/net_watcher.cc
index 00fbd793dd1..30e2a484ceb 100644
--- a/chromium/net/tools/net_watcher/net_watcher.cc
+++ b/chromium/net/tools/net_watcher/net_watcher.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/print_certificates.py b/chromium/net/tools/print_certificates.py
index 4a0256266b4..323edffec97 100755
--- a/chromium/net/tools/print_certificates.py
+++ b/chromium/net/tools/print_certificates.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/benchmark/run_client.py b/chromium/net/tools/quic/benchmark/run_client.py
index 7df37ab7fa0..dc421018d77 100755
--- a/chromium/net/tools/quic/benchmark/run_client.py
+++ b/chromium/net/tools/quic/benchmark/run_client.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 
-# Copyright 2013 The Chromium Authors. All rights reserved.
+# Copyright 2013 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/certs/generate-certs.sh b/chromium/net/tools/quic/certs/generate-certs.sh
index 11dde0703a6..18799c833cd 100755
--- a/chromium/net/tools/quic/certs/generate-certs.sh
+++ b/chromium/net/tools/quic/certs/generate-certs.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright 2015 The Chromium Authors. All rights reserved.
+# Copyright 2015 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/crypto_message_printer_bin.cc b/chromium/net/tools/quic/crypto_message_printer_bin.cc
index 51156bd5843..ed2581634b0 100644
--- a/chromium/net/tools/quic/crypto_message_printer_bin.cc
+++ b/chromium/net/tools/quic/crypto_message_printer_bin.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_client_message_loop_network_helper.cc b/chromium/net/tools/quic/quic_client_message_loop_network_helper.cc
index fa4e7cd697f..50e90d79442 100644
--- a/chromium/net/tools/quic/quic_client_message_loop_network_helper.cc
+++ b/chromium/net/tools/quic/quic_client_message_loop_network_helper.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -53,7 +53,7 @@ bool QuicClientMessageLooplNetworkHelper::CreateUDPSocketAndBind(
     client_address_ =
         quic::QuicSocketAddress(bind_to_address, client_->local_port());
   } else if (server_address.host().address_family() ==
-             quic::IpAddressFamily::IP_V4) {
+             quiche::IpAddressFamily::IP_V4) {
     client_address_ =
         quic::QuicSocketAddress(quic::QuicIpAddress::Any4(), bind_to_port);
   } else {
diff --git a/chromium/net/tools/quic/quic_client_message_loop_network_helper.h b/chromium/net/tools/quic/quic_client_message_loop_network_helper.h
index e11e4c5a41b..f1c09b71f4d 100644
--- a/chromium/net/tools/quic/quic_client_message_loop_network_helper.h
+++ b/chromium/net/tools/quic/quic_client_message_loop_network_helper.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/tools/quic/quic_simple_client.cc b/chromium/net/tools/quic/quic_simple_client.cc
index ff8703ee7e7..35c8514258c 100644
--- a/chromium/net/tools/quic/quic_simple_client.cc
+++ b/chromium/net/tools/quic/quic_simple_client.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -63,8 +63,9 @@ std::unique_ptr<quic::QuicSession> QuicSimpleClient::CreateQuicClientSession(
     const quic::ParsedQuicVersionVector& supported_versions,
     quic::QuicConnection* connection) {
   return std::make_unique<quic::QuicSimpleClientSession>(
-      *config(), supported_versions, connection, server_id(), crypto_config(),
-      push_promise_index(), drop_response_body());
+      *config(), supported_versions, connection, network_helper(), server_id(),
+      crypto_config(), push_promise_index(), drop_response_body(),
+      /*enable_web_transport=*/false);
 }
 
 QuicChromiumConnectionHelper* QuicSimpleClient::CreateQuicConnectionHelper() {
diff --git a/chromium/net/tools/quic/quic_simple_client.h b/chromium/net/tools/quic/quic_simple_client.h
index 01f8f4cc609..e307bab1ef9 100644
--- a/chromium/net/tools/quic/quic_simple_client.h
+++ b/chromium/net/tools/quic/quic_simple_client.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/tools/quic/quic_simple_client_bin.cc b/chromium/net/tools/quic/quic_simple_client_bin.cc
index a4c88a5fbe6..519d2ec890b 100644
--- a/chromium/net/tools/quic/quic_simple_client_bin.cc
+++ b/chromium/net/tools/quic/quic_simple_client_bin.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_client_test.cc b/chromium/net/tools/quic/quic_simple_client_test.cc
index 8bc6d16a58e..500012bfbb5 100644
--- a/chromium/net/tools/quic/quic_simple_client_test.cc
+++ b/chromium/net/tools/quic/quic_simple_client_test.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server.cc b/chromium/net/tools/quic/quic_simple_server.cc
index e3fe44894c8..6a28de20020 100644
--- a/chromium/net/tools/quic/quic_simple_server.cc
+++ b/chromium/net/tools/quic/quic_simple_server.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -61,7 +61,8 @@ QuicSimpleServer::QuicSimpleServer(
                      std::move(proof_source),
                      quic::KeyExchangeSource::Default()),
       read_buffer_(base::MakeRefCounted<IOBufferWithSize>(kReadBufferSize)),
-      quic_simple_server_backend_(quic_simple_server_backend) {
+      quic_simple_server_backend_(quic_simple_server_backend),
+      connection_id_generator_(quic::kQuicDefaultConnectionIdLength) {
   DCHECK(quic_simple_server_backend);
   Initialize();
 }
@@ -114,7 +115,8 @@ bool QuicSimpleServer::Listen(const IPEndPoint& address) {
       std::make_unique<QuicSimpleServerSessionHelper>(
           quic::QuicRandom::GetInstance()),
       std::unique_ptr<quic::QuicAlarmFactory>(alarm_factory_),
-      quic_simple_server_backend_, quic::kQuicDefaultConnectionIdLength);
+      quic_simple_server_backend_, quic::kQuicDefaultConnectionIdLength,
+      connection_id_generator_);
   QuicSimpleServerPacketWriter* writer =
       new QuicSimpleServerPacketWriter(socket_.get(), dispatcher_.get());
   dispatcher_->InitializeWithWriter(writer);
diff --git a/chromium/net/tools/quic/quic_simple_server.h b/chromium/net/tools/quic/quic_simple_server.h
index c6f6f4817c6..7b0647f5ee6 100644
--- a/chromium/net/tools/quic/quic_simple_server.h
+++ b/chromium/net/tools/quic/quic_simple_server.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
@@ -16,6 +16,7 @@
 #include "net/quic/quic_chromium_alarm_factory.h"
 #include "net/quic/quic_chromium_connection_helper.h"
 #include "net/third_party/quiche/src/quiche/quic/core/crypto/quic_crypto_server_config.h"
+#include "net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_config.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_version_manager.h"
 #include "net/third_party/quiche/src/quiche/quic/tools/quic_simple_server_backend.h"
@@ -123,6 +124,8 @@ class QuicSimpleServer : public quic::QuicSpdyServerBase {
 
   quic::QuicSimpleServerBackend* quic_simple_server_backend_;
 
+  quic::DeterministicConnectionIdGenerator connection_id_generator_;
+
   base::WeakPtrFactory<QuicSimpleServer> weak_factory_{this};
 };
 
diff --git a/chromium/net/tools/quic/quic_simple_server_backend_factory.cc b/chromium/net/tools/quic/quic_simple_server_backend_factory.cc
index f8d70bcab81..acaa0bf5b8e 100644
--- a/chromium/net/tools/quic/quic_simple_server_backend_factory.cc
+++ b/chromium/net/tools/quic/quic_simple_server_backend_factory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server_backend_factory.h b/chromium/net/tools/quic/quic_simple_server_backend_factory.h
index 041f0f2d5fc..c6f24e38fbb 100644
--- a/chromium/net/tools/quic/quic_simple_server_backend_factory.h
+++ b/chromium/net/tools/quic/quic_simple_server_backend_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server_bin.cc b/chromium/net/tools/quic/quic_simple_server_bin.cc
index 4d847f3107f..d2b3bbeed77 100644
--- a/chromium/net/tools/quic/quic_simple_server_bin.cc
+++ b/chromium/net/tools/quic/quic_simple_server_bin.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server_packet_writer.cc b/chromium/net/tools/quic/quic_simple_server_packet_writer.cc
index 8d13498040c..306e01d7831 100644
--- a/chromium/net/tools/quic/quic_simple_server_packet_writer.cc
+++ b/chromium/net/tools/quic/quic_simple_server_packet_writer.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server_packet_writer.h b/chromium/net/tools/quic/quic_simple_server_packet_writer.h
index 667980af838..a026df39026 100644
--- a/chromium/net/tools/quic/quic_simple_server_packet_writer.h
+++ b/chromium/net/tools/quic/quic_simple_server_packet_writer.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server_session_helper.cc b/chromium/net/tools/quic/quic_simple_server_session_helper.cc
index 80e0ef26882..10f1af2e26b 100644
--- a/chromium/net/tools/quic/quic_simple_server_session_helper.cc
+++ b/chromium/net/tools/quic/quic_simple_server_session_helper.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server_session_helper.h b/chromium/net/tools/quic/quic_simple_server_session_helper.h
index 664523a9642..6ac57dc2ba5 100644
--- a/chromium/net/tools/quic/quic_simple_server_session_helper.h
+++ b/chromium/net/tools/quic/quic_simple_server_session_helper.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server_socket.cc b/chromium/net/tools/quic/quic_simple_server_socket.cc
index d500012884a..86912d9594c 100644
--- a/chromium/net/tools/quic/quic_simple_server_socket.cc
+++ b/chromium/net/tools/quic/quic_simple_server_socket.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server_socket.h b/chromium/net/tools/quic/quic_simple_server_socket.h
index 56cf9d9ceb4..1fe11ab2308 100644
--- a/chromium/net/tools/quic/quic_simple_server_socket.h
+++ b/chromium/net/tools/quic/quic_simple_server_socket.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/quic/quic_simple_server_test.cc b/chromium/net/tools/quic/quic_simple_server_test.cc
index 9681310e155..5bc56f8001e 100644
--- a/chromium/net/tools/quic/quic_simple_server_test.cc
+++ b/chromium/net/tools/quic/quic_simple_server_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -8,6 +8,7 @@
 
 #include "net/quic/address_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/core/crypto/quic_random.h"
+#include "net/third_party/quiche/src/quiche/quic/core/deterministic_connection_id_generator.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quiche/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quiche/quic/platform/api/quic_test.h"
@@ -31,28 +32,32 @@ class QuicChromeServerDispatchPacketTest : public ::testing::Test {
                        quic::test::crypto_test_utils::ProofSourceForTesting(),
                        quic::KeyExchangeSource::Default()),
         version_manager_(quic::AllSupportedVersions()),
-        dispatcher_(&config_,
-                    &crypto_config_,
-                    &version_manager_,
-                    std::make_unique<quic::test::MockQuicConnectionHelper>(),
-                    std::make_unique<QuicSimpleServerSessionHelper>(
-                        quic::QuicRandom::GetInstance()),
-                    std::make_unique<quic::test::MockAlarmFactory>(),
-                    &memory_cache_backend_) {
-    dispatcher_.InitializeWithWriter(nullptr);
+        connection_id_generator_(quic::kQuicDefaultConnectionIdLength),
+        dispatcher_(std::make_unique<quic::test::MockQuicDispatcher>(
+            &config_,
+            &crypto_config_,
+            &version_manager_,
+            std::make_unique<quic::test::MockQuicConnectionHelper>(),
+            std::make_unique<QuicSimpleServerSessionHelper>(
+                quic::QuicRandom::GetInstance()),
+            std::make_unique<quic::test::MockAlarmFactory>(),
+            &memory_cache_backend_,
+            connection_id_generator_)) {
+    dispatcher_->InitializeWithWriter(nullptr);
   }
 
   void DispatchPacket(const quic::QuicReceivedPacket& packet) {
     IPEndPoint client_addr, server_addr;
-    dispatcher_.ProcessPacket(ToQuicSocketAddress(server_addr),
-                              ToQuicSocketAddress(client_addr), packet);
+    dispatcher_->ProcessPacket(ToQuicSocketAddress(server_addr),
+                               ToQuicSocketAddress(client_addr), packet);
   }
 
  protected:
   quic::QuicConfig config_;
   quic::QuicCryptoServerConfig crypto_config_;
   quic::QuicVersionManager version_manager_;
-  quic::test::MockQuicDispatcher dispatcher_;
+  quic::DeterministicConnectionIdGenerator connection_id_generator_;
+  std::unique_ptr<quic::test::MockQuicDispatcher> dispatcher_;
   quic::QuicMemoryCacheBackend memory_cache_backend_;
 };
 
@@ -70,7 +75,7 @@ TEST_F(QuicChromeServerDispatchPacketTest, DispatchPacket) {
       reinterpret_cast<char*>(valid_packet), std::size(valid_packet),
       quic::QuicTime::Zero(), false);
 
-  EXPECT_CALL(dispatcher_, ProcessPacket(_, _, _)).Times(1);
+  EXPECT_CALL(*dispatcher_, ProcessPacket(_, _, _)).Times(1);
   DispatchPacket(encrypted_valid_packet);
 }
 
diff --git a/chromium/net/tools/quic/synchronous_host_resolver.cc b/chromium/net/tools/quic/synchronous_host_resolver.cc
index a205e3f7f48..722d46663c8 100644
--- a/chromium/net/tools/quic/synchronous_host_resolver.cc
+++ b/chromium/net/tools/quic/synchronous_host_resolver.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -67,10 +67,10 @@ void ResolverThread::Run() {
   std::unique_ptr<net::HostResolver> resolver =
       net::HostResolver::CreateStandaloneResolver(NetLog::Get(), options);
 
-  // No need to use a NetworkIsolationKey here, since this is an external tool
-  // not used by net/ consumers.
+  // No need to use a NetworkAnonymizationKey here, since this is an external
+  // tool not used by net/ consumers.
   std::unique_ptr<net::HostResolver::ResolveHostRequest> request =
-      resolver->CreateRequest(scheme_host_port_, NetworkIsolationKey(),
+      resolver->CreateRequest(scheme_host_port_, NetworkAnonymizationKey(),
                               NetLogWithSource(), absl::nullopt);
 
   base::RunLoop run_loop;
diff --git a/chromium/net/tools/quic/synchronous_host_resolver.h b/chromium/net/tools/quic/synchronous_host_resolver.h
index 8bb511d15ed..8b7189431f5 100644
--- a/chromium/net/tools/quic/synchronous_host_resolver.h
+++ b/chromium/net/tools/quic/synchronous_host_resolver.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/tools/root_store_tool/BUILD.gn b/chromium/net/tools/root_store_tool/BUILD.gn
index 51a79d29d0a..8d2572e2727 100644
--- a/chromium/net/tools/root_store_tool/BUILD.gn
+++ b/chromium/net/tools/root_store_tool/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2021 The Chromium Authors. All rights reserved.
+# Copyright 2021 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/root_store_tool/root_store_tool.cc b/chromium/net/tools/root_store_tool/root_store_tool.cc
index 117e05a4b97..09a1b69e3e9 100644
--- a/chromium/net/tools/root_store_tool/root_store_tool.cc
+++ b/chromium/net/tools/root_store_tool/root_store_tool.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -192,6 +192,12 @@ bool WriteEvCppFile(const RootStore& root_store,
   for (auto& anchor : root_store.trust_anchors()) {
     // Every trust anchor at this point should have a DER.
     CHECK(!anchor.der().empty());
+    if (anchor.ev_policy_oids_size() == 0) {
+      // The same input file is used for the Chrome Root Store and EV enabled
+      // certificates. Skip anchors that have no EV policy OIDs when generating
+      // the EV include file.
+      continue;
+    }
 
     std::string sha256_hash = crypto::SHA256HashString(anchor.der());
 
@@ -231,9 +237,6 @@ bool WriteEvCppFile(const RootStore& root_store,
     if (oids_size > kMaxPolicyOids) {
       PLOG(ERROR) << hexencode_hash << " has too many OIDs!";
       return false;
-    } else if (oids_size < 1) {
-      PLOG(ERROR) << hexencode_hash << " has no OIDs!";
-      return false;
     }
     for (int i = 0; i < kMaxPolicyOids; i++) {
       std::string oid;
@@ -255,10 +258,6 @@ bool WriteEvCppFile(const RootStore& root_store,
   return true;
 }
 
-bool ValidCppOutputFormatValue(base::StringPiece value) {
-  return (value == "root" || value == "ev");
-}
-
 }  // namespace
 
 int main(int argc, char** argv) {
@@ -274,23 +273,23 @@ int main(int argc, char** argv) {
 
   base::CommandLine& command_line = *base::CommandLine::ForCurrentProcess();
   base::FilePath proto_path = command_line.GetSwitchValuePath("write-proto");
-  base::FilePath cpp_path = command_line.GetSwitchValuePath("write-cpp");
-  std::string cpp_output_format =
-      command_line.GetSwitchValueASCII("cpp-output-format");
+  base::FilePath root_store_cpp_path =
+      command_line.GetSwitchValuePath("write-cpp-root-store");
+  base::FilePath ev_roots_cpp_path =
+      command_line.GetSwitchValuePath("write-cpp-ev-roots");
   base::FilePath root_store_path =
       command_line.GetSwitchValuePath("root-store");
   base::FilePath certs_path = command_line.GetSwitchValuePath("certs");
 
-  if ((proto_path.empty() && cpp_path.empty()) || root_store_path.empty() ||
-      command_line.HasSwitch("help") ||
-      (!cpp_path.empty() && !ValidCppOutputFormatValue(cpp_output_format))) {
-    std::cerr << cpp_output_format << " ";
+  if ((proto_path.empty() && root_store_cpp_path.empty() &&
+       ev_roots_cpp_path.empty()) ||
+      root_store_path.empty() || command_line.HasSwitch("help")) {
     std::cerr << "Usage: root_store_tool "
               << "--root-store=TEXTPROTO_FILE "
               << "[--certs=CERTS_FILE] "
               << "[--write-proto=PROTO_FILE] "
-              << "[--write-cpp=CPP_FILE --cpp-output-format=[ev|root]] "
-              << std::endl;
+              << "[--write-cpp-root-store=CPP_FILE] "
+              << "[--write-cpp-ev-roots=CPP_FILE] " << std::endl;
     return 1;
   }
 
@@ -317,20 +316,15 @@ int main(int argc, char** argv) {
     }
   }
 
-  if (!cpp_path.empty()) {
-    bool success;
-    if (cpp_output_format == "root") {
-      success = WriteRootCppFile(*root_store, cpp_path);
-    } else if (cpp_output_format == "ev") {
-      success = WriteEvCppFile(*root_store, cpp_path);
-    } else {
-      // Unknown format.
-      success = false;
-    }
-    if (!success) {
-      PLOG(ERROR) << "Error writing cpp include file";
-      return 1;
-    }
+  if (!root_store_cpp_path.empty() &&
+      !WriteRootCppFile(*root_store, root_store_cpp_path)) {
+    PLOG(ERROR) << "Error writing root store C++ include file";
+    return 1;
+  }
+  if (!ev_roots_cpp_path.empty() &&
+      !WriteEvCppFile(*root_store, ev_roots_cpp_path)) {
+    PLOG(ERROR) << "Error writing EV roots C++ include file";
+    return 1;
   }
 
   return 0;
diff --git a/chromium/net/tools/stitch_net_log_files.py b/chromium/net/tools/stitch_net_log_files.py
index d81d792ddf9..97c8d034957 100755
--- a/chromium/net/tools/stitch_net_log_files.py
+++ b/chromium/net/tools/stitch_net_log_files.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/stress_cache/stress_cache.cc b/chromium/net/tools/stress_cache/stress_cache.cc
index 4561e5e0b03..d0a3ba043d7 100644
--- a/chromium/net/tools/stress_cache/stress_cache.cc
+++ b/chromium/net/tools/stress_cache/stress_cache.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/testserver/BUILD.gn b/chromium/net/tools/testserver/BUILD.gn
index 443d1c23b53..cf2aa799224 100644
--- a/chromium/net/tools/testserver/BUILD.gn
+++ b/chromium/net/tools/testserver/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
+# Copyright 2016 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/testserver/backoff_server.py b/chromium/net/tools/testserver/backoff_server.py
index ca2c57cbf12..0a236c124df 100755
--- a/chromium/net/tools/testserver/backoff_server.py
+++ b/chromium/net/tools/testserver/backoff_server.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
+# Copyright 2012 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/testserver/run_testserver.cc b/chromium/net/tools/testserver/run_testserver.cc
index 3bfabcf05d1..d110d2de579 100644
--- a/chromium/net/tools/testserver/run_testserver.cc
+++ b/chromium/net/tools/testserver/run_testserver.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/testserver/testserver.py b/chromium/net/tools/testserver/testserver.py
index 400e5939504..98bdb6af752 100755
--- a/chromium/net/tools/testserver/testserver.py
+++ b/chromium/net/tools/testserver/testserver.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env vpython3
-# Copyright 2013 The Chromium Authors. All rights reserved.
+# Copyright 2013 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/testserver/testserver_base.py b/chromium/net/tools/testserver/testserver_base.py
index 319afd4e76e..d52fc5d1fe1 100644
--- a/chromium/net/tools/testserver/testserver_base.py
+++ b/chromium/net/tools/testserver/testserver_base.py
@@ -1,4 +1,4 @@
-# Copyright 2013 The Chromium Authors. All rights reserved.
+# Copyright 2013 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/tld_cleanup/BUILD.gn b/chromium/net/tools/tld_cleanup/BUILD.gn
index bf89c008bb0..d25e2cb86b9 100644
--- a/chromium/net/tools/tld_cleanup/BUILD.gn
+++ b/chromium/net/tools/tld_cleanup/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2014 The Chromium Authors. All rights reserved.
+# Copyright 2014 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/tld_cleanup/OWNERS b/chromium/net/tools/tld_cleanup/OWNERS
deleted file mode 100644
index f6e734a6894..00000000000
--- a/chromium/net/tools/tld_cleanup/OWNERS
+++ /dev/null
@@ -1 +0,0 @@
-pam@chromium.org
diff --git a/chromium/net/tools/tld_cleanup/tld_cleanup.cc b/chromium/net/tools/tld_cleanup/tld_cleanup.cc
index 2c33e66a7c5..9d7056ab40a 100644
--- a/chromium/net/tools/tld_cleanup/tld_cleanup.cc
+++ b/chromium/net/tools/tld_cleanup/tld_cleanup.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/tld_cleanup/tld_cleanup_util.cc b/chromium/net/tools/tld_cleanup/tld_cleanup_util.cc
index b2eee20f156..d5ea3adc18e 100644
--- a/chromium/net/tools/tld_cleanup/tld_cleanup_util.cc
+++ b/chromium/net/tools/tld_cleanup/tld_cleanup_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -29,7 +29,7 @@ namespace net::tld_cleanup {
 bool WriteRules(const RuleMap& rules, const base::FilePath& outfile) {
   std::string data;
   data.append("%{\n"
-              "// Copyright 2012 The Chromium Authors. All rights reserved.\n"
+              "// Copyright 2012 The Chromium Authors\n"
               "// Use of this source code is governed by a BSD-style license "
               "that can be\n"
               "// found in the LICENSE file.\n\n"
diff --git a/chromium/net/tools/tld_cleanup/tld_cleanup_util.h b/chromium/net/tools/tld_cleanup/tld_cleanup_util.h
index 0919a74d0d3..0e773fc8b47 100644
--- a/chromium/net/tools/tld_cleanup/tld_cleanup_util.h
+++ b/chromium/net/tools/tld_cleanup/tld_cleanup_util.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/tld_cleanup/tld_cleanup_util_unittest.cc b/chromium/net/tools/tld_cleanup/tld_cleanup_util_unittest.cc
index 85f691ce7c9..16033a90f11 100644
--- a/chromium/net/tools/tld_cleanup/tld_cleanup_util_unittest.cc
+++ b/chromium/net/tools/tld_cleanup/tld_cleanup_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/BUILD.gn b/chromium/net/tools/transport_security_state_generator/BUILD.gn
index 1c01def8826..6069a30232c 100644
--- a/chromium/net/tools/transport_security_state_generator/BUILD.gn
+++ b/chromium/net/tools/transport_security_state_generator/BUILD.gn
@@ -1,4 +1,4 @@
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/cert_util.cc b/chromium/net/tools/transport_security_state_generator/cert_util.cc
index 34052f2b6b3..10db0b33b1f 100644
--- a/chromium/net/tools/transport_security_state_generator/cert_util.cc
+++ b/chromium/net/tools/transport_security_state_generator/cert_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/cert_util.h b/chromium/net/tools/transport_security_state_generator/cert_util.h
index 572246d695a..ade91adc87c 100644
--- a/chromium/net/tools/transport_security_state_generator/cert_util.h
+++ b/chromium/net/tools/transport_security_state_generator/cert_util.h
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/cert_util_unittest.cc b/chromium/net/tools/transport_security_state_generator/cert_util_unittest.cc
index 5f741fa114b..5a585faf49b 100644
--- a/chromium/net/tools/transport_security_state_generator/cert_util_unittest.cc
+++ b/chromium/net/tools/transport_security_state_generator/cert_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/input_file_parsers.cc b/chromium/net/tools/transport_security_state_generator/input_file_parsers.cc
index 1edd25ac014..c9d37387df7 100644
--- a/chromium/net/tools/transport_security_state_generator/input_file_parsers.cc
+++ b/chromium/net/tools/transport_security_state_generator/input_file_parsers.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -340,15 +340,15 @@ bool ParseJSON(base::StringPiece json,
     return false;
   }
 
-  const base::Value* preload_entries = value->FindListKey("entries");
-  if (!preload_entries) {
+  const base::Value::List* preload_entries_list =
+      value->GetDict().FindList("entries");
+  if (!preload_entries_list) {
     LOG(ERROR) << "Could not parse the entries in the input JSON";
     return false;
   }
 
-  const auto preload_entries_list = preload_entries->GetListDeprecated();
-  for (size_t i = 0; i < preload_entries_list.size(); ++i) {
-    const base::Value& parsed = preload_entries_list[i];
+  for (size_t i = 0; i < preload_entries_list->size(); ++i) {
+    const base::Value& parsed = (*preload_entries_list)[i];
     if (!parsed.is_dict()) {
       LOG(ERROR) << "Could not parse entry " << base::NumberToString(i)
                  << " in the input JSON";
@@ -411,15 +411,14 @@ bool ParseJSON(base::StringPiece json,
     entries->push_back(std::move(entry));
   }
 
-  base::Value* pinsets_value = value->FindListKey("pinsets");
-  if (!pinsets_value) {
+  base::Value::List* pinsets_list = value->GetDict().FindList("pinsets");
+  if (!pinsets_list) {
     LOG(ERROR) << "Could not parse the pinsets in the input JSON";
     return false;
   }
 
-  const auto pinsets_list = pinsets_value->GetListDeprecated();
-  for (size_t i = 0; i < pinsets_list.size(); ++i) {
-    const base::Value& parsed = pinsets_list[i];
+  for (size_t i = 0; i < pinsets_list->size(); ++i) {
+    const base::Value& parsed = (*pinsets_list)[i];
     if (!parsed.is_dict()) {
       LOG(ERROR) << "Could not parse pinset " << base::NumberToString(i)
                  << " in the input JSON";
@@ -440,10 +439,10 @@ bool ParseJSON(base::StringPiece json,
 
     auto pinset = std::make_unique<Pinset>(name, report_uri);
 
-    const base::Value* pinset_static_hashes_list =
-        parsed.FindListKey("static_spki_hashes");
+    const base::Value::List* pinset_static_hashes_list =
+        parsed.GetDict().FindList("static_spki_hashes");
     if (pinset_static_hashes_list) {
-      for (const auto& hash : pinset_static_hashes_list->GetListDeprecated()) {
+      for (const auto& hash : *pinset_static_hashes_list) {
         if (!hash.is_string()) {
           LOG(ERROR) << "Could not parse static spki hash "
                      << hash.DebugString() << " in the input JSON";
@@ -453,11 +452,10 @@ bool ParseJSON(base::StringPiece json,
       }
     }
 
-    const base::Value* pinset_bad_static_hashes_list =
-        parsed.FindListKey("bad_static_spki_hashes");
+    const base::Value::List* pinset_bad_static_hashes_list =
+        parsed.GetDict().FindList("bad_static_spki_hashes");
     if (pinset_bad_static_hashes_list) {
-      for (const auto& hash :
-           pinset_bad_static_hashes_list->GetListDeprecated()) {
+      for (const auto& hash : *pinset_bad_static_hashes_list) {
         if (!hash.is_string()) {
           LOG(ERROR) << "Could not parse bad static spki hash "
                      << hash.DebugString() << " in the input JSON";
diff --git a/chromium/net/tools/transport_security_state_generator/input_file_parsers.h b/chromium/net/tools/transport_security_state_generator/input_file_parsers.h
index abf5a921279..8d131d9c2ba 100644
--- a/chromium/net/tools/transport_security_state_generator/input_file_parsers.h
+++ b/chromium/net/tools/transport_security_state_generator/input_file_parsers.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/input_file_parsers_unittest.cc b/chromium/net/tools/transport_security_state_generator/input_file_parsers_unittest.cc
index 28980fea2f9..47b4aa5d5ab 100644
--- a/chromium/net/tools/transport_security_state_generator/input_file_parsers_unittest.cc
+++ b/chromium/net/tools/transport_security_state_generator/input_file_parsers_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/pinset.cc b/chromium/net/tools/transport_security_state_generator/pinset.cc
index edef5e6efe1..ba0ab5734e9 100644
--- a/chromium/net/tools/transport_security_state_generator/pinset.cc
+++ b/chromium/net/tools/transport_security_state_generator/pinset.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/pinset.h b/chromium/net/tools/transport_security_state_generator/pinset.h
index e27eb4b9859..b52ce5e040b 100644
--- a/chromium/net/tools/transport_security_state_generator/pinset.h
+++ b/chromium/net/tools/transport_security_state_generator/pinset.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/pinsets.cc b/chromium/net/tools/transport_security_state_generator/pinsets.cc
index d768659788a..f0aa7974d3f 100644
--- a/chromium/net/tools/transport_security_state_generator/pinsets.cc
+++ b/chromium/net/tools/transport_security_state_generator/pinsets.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/pinsets.h b/chromium/net/tools/transport_security_state_generator/pinsets.h
index 89e8e15a53d..04c22a50200 100644
--- a/chromium/net/tools/transport_security_state_generator/pinsets.h
+++ b/chromium/net/tools/transport_security_state_generator/pinsets.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/preloaded_state_generator.cc b/chromium/net/tools/transport_security_state_generator/preloaded_state_generator.cc
index 4023b18f0a9..73f72c4550c 100644
--- a/chromium/net/tools/transport_security_state_generator/preloaded_state_generator.cc
+++ b/chromium/net/tools/transport_security_state_generator/preloaded_state_generator.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/preloaded_state_generator.h b/chromium/net/tools/transport_security_state_generator/preloaded_state_generator.h
index de50e3f29f3..dc5ed17dafe 100644
--- a/chromium/net/tools/transport_security_state_generator/preloaded_state_generator.h
+++ b/chromium/net/tools/transport_security_state_generator/preloaded_state_generator.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/spki_hash.cc b/chromium/net/tools/transport_security_state_generator/spki_hash.cc
index 0474671d686..374d2e57300 100644
--- a/chromium/net/tools/transport_security_state_generator/spki_hash.cc
+++ b/chromium/net/tools/transport_security_state_generator/spki_hash.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/spki_hash.h b/chromium/net/tools/transport_security_state_generator/spki_hash.h
index 93627b08473..270c30420c5 100644
--- a/chromium/net/tools/transport_security_state_generator/spki_hash.h
+++ b/chromium/net/tools/transport_security_state_generator/spki_hash.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/spki_hash_unittest.cc b/chromium/net/tools/transport_security_state_generator/spki_hash_unittest.cc
index 0f46d51d854..f4045ecd153 100644
--- a/chromium/net/tools/transport_security_state_generator/spki_hash_unittest.cc
+++ b/chromium/net/tools/transport_security_state_generator/spki_hash_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/transport_security_state_entry.cc b/chromium/net/tools/transport_security_state_generator/transport_security_state_entry.cc
index 2871b48ca06..36eb8ee081c 100644
--- a/chromium/net/tools/transport_security_state_generator/transport_security_state_entry.cc
+++ b/chromium/net/tools/transport_security_state_generator/transport_security_state_entry.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/transport_security_state_entry.h b/chromium/net/tools/transport_security_state_generator/transport_security_state_entry.h
index 0646bb5cb96..db0e0d589a7 100644
--- a/chromium/net/tools/transport_security_state_generator/transport_security_state_entry.h
+++ b/chromium/net/tools/transport_security_state_generator/transport_security_state_entry.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/transport_security_state_generator/transport_security_state_generator.cc b/chromium/net/tools/transport_security_state_generator/transport_security_state_generator.cc
index d1daa4188b8..c54417be41f 100644
--- a/chromium/net/tools/transport_security_state_generator/transport_security_state_generator.cc
+++ b/chromium/net/tools/transport_security_state_generator/transport_security_state_generator.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/tools/truncate_net_log.py b/chromium/net/tools/truncate_net_log.py
index 1841b08f788..26137e73e36 100755
--- a/chromium/net/tools/truncate_net_log.py
+++ b/chromium/net/tools/truncate_net_log.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/tools/update_ios_bundle_data.py b/chromium/net/tools/update_ios_bundle_data.py
index e09d9d32ec0..cba1d6bc742 100755
--- a/chromium/net/tools/update_ios_bundle_data.py
+++ b/chromium/net/tools/update_ios_bundle_data.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-# Copyright (c) 2017 The Chromium Authors. All rights reserved.
+# Copyright 2017 The Chromium Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
diff --git a/chromium/net/traffic_annotation/network_traffic_annotation.h b/chromium/net/traffic_annotation/network_traffic_annotation.h
index 108717e5ab9..3a1b5fe7afc 100644
--- a/chromium/net/traffic_annotation/network_traffic_annotation.h
+++ b/chromium/net/traffic_annotation/network_traffic_annotation.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/traffic_annotation/network_traffic_annotation_android.cc b/chromium/net/traffic_annotation/network_traffic_annotation_android.cc
index d2f872eff5e..95cbefaa7f5 100644
--- a/chromium/net/traffic_annotation/network_traffic_annotation_android.cc
+++ b/chromium/net/traffic_annotation/network_traffic_annotation_android.cc
@@ -1,4 +1,4 @@
-// Copyright 2021 The Chromium Authors. All rights reserved.
+// Copyright 2021 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/traffic_annotation/network_traffic_annotation_test_helper.h b/chromium/net/traffic_annotation/network_traffic_annotation_test_helper.h
index 82b2ba1ae52..802efc2a91f 100644
--- a/chromium/net/traffic_annotation/network_traffic_annotation_test_helper.h
+++ b/chromium/net/traffic_annotation/network_traffic_annotation_test_helper.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/http_with_dns_over_https_unittest.cc b/chromium/net/url_request/http_with_dns_over_https_unittest.cc
index 3707c5a17c8..db1c4b4e1f8 100644
--- a/chromium/net/url_request/http_with_dns_over_https_unittest.cc
+++ b/chromium/net/url_request/http_with_dns_over_https_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -161,7 +161,8 @@ class DnsOverHttpsIntegrationTest : public TestWithTaskEnvironment {
     // HostResolverManager::HaveTestProcOverride disables the built-in DNS
     // client.
     auto* resolver_raw = resolver.get();
-    resolver->SetProcParamsForTesting(ProcTaskParams(host_resolver_proc_, 1));
+    resolver->SetHostResolverSystemParamsForTest(
+        HostResolverSystemTask::Params(host_resolver_proc_, 1));
 
     auto context_builder = CreateTestURLRequestContextBuilder();
     context_builder->set_host_resolver(std::move(resolver));
@@ -300,7 +301,7 @@ TEST_F(HttpsWithDnsOverHttpsTest, EndToEnd) {
 
   ClientSocketPool::GroupId group_id(
       url::SchemeHostPort(request_info.url), PrivacyMode::PRIVACY_MODE_DISABLED,
-      NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+      NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
   EXPECT_EQ(network_session
                 ->GetSocketPool(HttpNetworkSession::NORMAL_SOCKET_POOL,
                                 ProxyServer::Direct())
@@ -325,9 +326,8 @@ TEST_F(HttpsWithDnsOverHttpsTest, EndToEnd) {
   EXPECT_TRUE(http_server.ShutdownAndWaitUntilComplete());
   EXPECT_TRUE(doh_server_.ShutdownAndWaitUntilComplete());
 
-  // There should be two DoH lookups for kHostname (both A and AAAA records are
-  // queried).
-  EXPECT_EQ(doh_server_.QueriesServed(), 2);
+  // There should be three DoH lookups for kHostname (A, AAAA, and HTTPS).
+  EXPECT_EQ(doh_server_.QueriesServed(), 3);
   // The requests to the DoH server are pooled, so there should only be one
   // insecure lookup for the DoH server hostname.
   EXPECT_EQ(host_resolver_proc_->insecure_queries_served(), 1u);
@@ -369,7 +369,11 @@ TEST_F(HttpsWithDnsOverHttpsTest, EndToEndFail) {
 TEST_F(HttpsWithDnsOverHttpsTest, HttpsUpgrade) {
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
   ResetContext();
 
   GURL https_url = https_server_.GetURL(kHostname, "/test");
@@ -413,7 +417,11 @@ TEST_F(HttpsWithDnsOverHttpsTest, HttpsUpgrade) {
 TEST_F(HttpsWithDnsOverHttpsTest, HttpsMetadata) {
   base::test::ScopedFeatureList features;
   features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
+      features::kUseDnsHttpsSvcb,
+      {// Disable timeouts.
+       {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+       {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}});
   ResetContext();
 
   GURL main_url = https_server_.GetURL(kHostname, "/test");
@@ -468,13 +476,23 @@ TEST_F(DnsOverHttpsIntegrationTest, EncryptedClientHello) {
     SCOPED_TRACE(feature_enabled);
     base::test::ScopedFeatureList features;
     if (feature_enabled) {
-      features.InitWithFeatures(
-          /*enabled_features=*/{features::kUseDnsHttpsSvcb,
-                                features::kEncryptedClientHello},
+      features.InitWithFeaturesAndParameters(
+          /*enabled_features=*/{{features::kUseDnsHttpsSvcb,
+                                 {// Disable timeouts.
+                                  {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+                                  {"UseDnsHttpsSvcbSecureExtraTimePercent",
+                                   "0"},
+                                  {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}}},
+                                {features::kEncryptedClientHello, {}}},
           /*disabled_features=*/{});
     } else {
-      features.InitWithFeatures(
-          /*enabled_features=*/{features::kUseDnsHttpsSvcb},
+      features.InitWithFeaturesAndParameters(
+          /*enabled_features=*/{{features::kUseDnsHttpsSvcb,
+                                 {// Disable timeouts.
+                                  {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+                                  {"UseDnsHttpsSvcbSecureExtraTimePercent",
+                                   "0"},
+                                  {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}}}},
           /*disabled_features=*/{features::kEncryptedClientHello});
     }
 
@@ -512,9 +530,13 @@ TEST_F(DnsOverHttpsIntegrationTest, EncryptedClientHello) {
 // handshake as the public name.
 TEST_F(DnsOverHttpsIntegrationTest, EncryptedClientHelloStaleKey) {
   base::test::ScopedFeatureList features;
-  features.InitWithFeatures(
-      /*enabled_features=*/{features::kEncryptedClientHello,
-                            features::kUseDnsHttpsSvcb},
+  features.InitWithFeaturesAndParameters(
+      /*enabled_features=*/{{features::kEncryptedClientHello, {}},
+                            {features::kUseDnsHttpsSvcb,
+                             {// Disable timeouts.
+                              {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+                              {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+                              {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}}}},
       /*disabled_features=*/{});
   ResetContext();
 
@@ -593,9 +615,13 @@ TEST_F(DnsOverHttpsIntegrationTest, EncryptedClientHelloStaleKey) {
 
 TEST_F(DnsOverHttpsIntegrationTest, EncryptedClientHelloFallback) {
   base::test::ScopedFeatureList features;
-  features.InitWithFeatures(
-      /*enabled_features=*/{features::kEncryptedClientHello,
-                            features::kUseDnsHttpsSvcb},
+  features.InitWithFeaturesAndParameters(
+      /*enabled_features=*/{{features::kEncryptedClientHello, {}},
+                            {features::kUseDnsHttpsSvcb,
+                             {// Disable timeouts.
+                              {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+                              {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+                              {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}}}},
       /*disabled_features=*/{});
   ResetContext();
 
@@ -664,9 +690,13 @@ TEST_F(DnsOverHttpsIntegrationTest, EncryptedClientHelloFallback) {
 
 TEST_F(DnsOverHttpsIntegrationTest, EncryptedClientHelloFallbackTLS12) {
   base::test::ScopedFeatureList features;
-  features.InitWithFeatures(
-      /*enabled_features=*/{features::kEncryptedClientHello,
-                            features::kUseDnsHttpsSvcb},
+  features.InitWithFeaturesAndParameters(
+      /*enabled_features=*/{{features::kEncryptedClientHello, {}},
+                            {features::kUseDnsHttpsSvcb,
+                             {// Disable timeouts.
+                              {"UseDnsHttpsSvcbSecureExtraTimeMax", "0"},
+                              {"UseDnsHttpsSvcbSecureExtraTimePercent", "0"},
+                              {"UseDnsHttpsSvcbSecureExtraTimeMin", "0"}}}},
       /*disabled_features=*/{});
   ResetContext();
 
diff --git a/chromium/net/url_request/redirect_info.cc b/chromium/net/url_request/redirect_info.cc
index 7cb82bb4cba..4042f029b4c 100644
--- a/chromium/net/url_request/redirect_info.cc
+++ b/chromium/net/url_request/redirect_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/redirect_info.h b/chromium/net/url_request/redirect_info.h
index 14a26720291..501e82a0bb5 100644
--- a/chromium/net/url_request/redirect_info.h
+++ b/chromium/net/url_request/redirect_info.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/redirect_info_unittest.cc b/chromium/net/url_request/redirect_info_unittest.cc
index f5851fdc597..a4b5d14ee24 100644
--- a/chromium/net/url_request/redirect_info_unittest.cc
+++ b/chromium/net/url_request/redirect_info_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/redirect_util.cc b/chromium/net/url_request/redirect_util.cc
index 97342e8b7d6..6c02aafbf89 100644
--- a/chromium/net/url_request/redirect_util.cc
+++ b/chromium/net/url_request/redirect_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/redirect_util.h b/chromium/net/url_request/redirect_util.h
index bd83a8f64cf..3594f10c1fb 100644
--- a/chromium/net/url_request/redirect_util.h
+++ b/chromium/net/url_request/redirect_util.h
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/redirect_util_unittest.cc b/chromium/net/url_request/redirect_util_unittest.cc
index 5019f2c86a8..e00565985d5 100644
--- a/chromium/net/url_request/redirect_util_unittest.cc
+++ b/chromium/net/url_request/redirect_util_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/referrer_policy.h b/chromium/net/url_request/referrer_policy.h
index 1ac465f2c29..2835db410c6 100644
--- a/chromium/net/url_request/referrer_policy.h
+++ b/chromium/net/url_request/referrer_policy.h
@@ -1,4 +1,4 @@
-// Copyright 2020 The Chromium Authors. All rights reserved.
+// Copyright 2020 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/report_sender.cc b/chromium/net/url_request/report_sender.cc
index e2deec544c7..dfd21c673a6 100644
--- a/chromium/net/url_request/report_sender.cc
+++ b/chromium/net/url_request/report_sender.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -56,12 +56,13 @@ ReportSender::ReportSender(URLRequestContext* request_context,
 
 ReportSender::~ReportSender() = default;
 
-void ReportSender::Send(const GURL& report_uri,
-                        base::StringPiece content_type,
-                        base::StringPiece report,
-                        const NetworkIsolationKey& network_isolation_key,
-                        SuccessCallback success_callback,
-                        ErrorCallback error_callback) {
+void ReportSender::Send(
+    const GURL& report_uri,
+    base::StringPiece content_type,
+    base::StringPiece report,
+    const NetworkAnonymizationKey& network_anonymization_key,
+    SuccessCallback success_callback,
+    ErrorCallback error_callback) {
   DCHECK(!content_type.empty());
   std::unique_ptr<URLRequest> url_request = request_context_->CreateRequest(
       report_uri, DEFAULT_PRIORITY, this, traffic_annotation_);
@@ -70,8 +71,8 @@ void ReportSender::Send(const GURL& report_uri,
                                                     std::move(error_callback)));
   url_request->SetLoadFlags(kLoadFlags);
   url_request->set_allow_credentials(false);
-  url_request->set_isolation_info(IsolationInfo::CreatePartial(
-      IsolationInfo::RequestType::kOther, network_isolation_key));
+  url_request->set_isolation_info_from_network_anonymization_key(
+      network_anonymization_key);
 
   HttpRequestHeaders extra_headers;
   extra_headers.SetHeader(HttpRequestHeaders::kContentType, content_type);
diff --git a/chromium/net/url_request/report_sender.h b/chromium/net/url_request/report_sender.h
index 94eba821e5b..f0eb4d6c960 100644
--- a/chromium/net/url_request/report_sender.h
+++ b/chromium/net/url_request/report_sender.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,7 +19,7 @@ class GURL;
 
 namespace net {
 
-class NetworkIsolationKey;
+class NetworkAnonymizationKey;
 class URLRequestContext;
 
 // ReportSender asynchronously sends serialized reports to a URI.
@@ -55,7 +55,7 @@ class NET_EXPORT ReportSender
   void Send(const GURL& report_uri,
             base::StringPiece content_type,
             base::StringPiece report,
-            const NetworkIsolationKey& network_isolation_key,
+            const NetworkAnonymizationKey& network_anonymization_key,
             SuccessCallback success_callback,
             ErrorCallback error_callback) override;
 
diff --git a/chromium/net/url_request/report_sender_unittest.cc b/chromium/net/url_request/report_sender_unittest.cc
index 56eec03aed9..e93081f4224 100644
--- a/chromium/net/url_request/report_sender_unittest.cc
+++ b/chromium/net/url_request/report_sender_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -151,9 +151,9 @@ class TestReportSenderNetworkDelegate : public NetworkDelegateImpl {
     expected_content_type_ = content_type;
   }
 
-  void set_expected_network_isolation_key(
-      const NetworkIsolationKey& expected_network_isolation_key) {
-    expected_network_isolation_key_ = expected_network_isolation_key;
+  void set_expected_network_anonymization_key(
+      const NetworkAnonymizationKey& expected_network_anonymization_key) {
+    expected_network_anonymization_key_ = expected_network_anonymization_key;
   }
 
   // NetworkDelegateImpl implementation.
@@ -166,8 +166,8 @@ class TestReportSenderNetworkDelegate : public NetworkDelegateImpl {
     EXPECT_FALSE(request->allow_credentials());
     EXPECT_TRUE(request->load_flags() & LOAD_DO_NOT_SAVE_COOKIES);
 
-    EXPECT_EQ(expected_network_isolation_key_,
-              request->isolation_info().network_isolation_key());
+    EXPECT_EQ(expected_network_anonymization_key_,
+              request->isolation_info().network_anonymization_key());
     EXPECT_EQ(IsolationInfo::RequestType::kOther,
               request->isolation_info().request_type());
     EXPECT_TRUE(request->site_for_cookies().IsNull());
@@ -198,7 +198,7 @@ class TestReportSenderNetworkDelegate : public NetworkDelegateImpl {
   GURL expect_url_;
   std::set<std::string> expect_reports_;
   std::string expected_content_type_;
-  NetworkIsolationKey expected_network_isolation_key_;
+  NetworkAnonymizationKey expected_network_anonymization_key_;
 };
 
 class ReportSenderTest : public TestWithTaskEnvironment {
@@ -237,8 +237,8 @@ class ReportSenderTest : public TestWithTaskEnvironment {
       size_t request_sequence_number,
       base::OnceCallback<void()> success_callback,
       base::OnceCallback<void(const GURL&, int, int)> error_callback) {
-    NetworkIsolationKey network_isolation_key =
-        NetworkIsolationKey::CreateTransient();
+    NetworkAnonymizationKey network_anonymization_key =
+        NetworkAnonymizationKey::CreateTransient();
 
     base::RunLoop run_loop;
     network_delegate().set_url_request_destroyed_callback(
@@ -247,12 +247,12 @@ class ReportSenderTest : public TestWithTaskEnvironment {
     network_delegate().set_expect_url(url);
     network_delegate().ExpectReport(report);
     network_delegate().set_expected_content_type("application/foobar");
-    network_delegate().set_expected_network_isolation_key(
-        network_isolation_key);
+    network_delegate().set_expected_network_anonymization_key(
+        network_anonymization_key);
 
     EXPECT_EQ(request_sequence_number, network_delegate().num_requests());
 
-    reporter->Send(url, "application/foobar", report, network_isolation_key,
+    reporter->Send(url, "application/foobar", report, network_anonymization_key,
                    std::move(success_callback), std::move(error_callback));
 
     // The report is sent asynchronously, so wait for the report's
@@ -306,11 +306,11 @@ TEST_F(ReportSenderTest, SendMultipleReportsSimultaneously) {
 
   EXPECT_EQ(0u, network_delegate().num_requests());
 
-  reporter.Send(url, "application/foobar", kDummyReport, NetworkIsolationKey(),
-                base::OnceCallback<void()>(),
+  reporter.Send(url, "application/foobar", kDummyReport,
+                NetworkAnonymizationKey(), base::OnceCallback<void()>(),
                 base::OnceCallback<void(const GURL&, int, int)>());
   reporter.Send(url, "application/foobar", kSecondDummyReport,
-                NetworkIsolationKey(), base::OnceCallback<void()>(),
+                NetworkAnonymizationKey(), base::OnceCallback<void()>(),
                 base::OnceCallback<void(const GURL&, int, int)>());
 
   run_loop.Run();
@@ -335,8 +335,8 @@ TEST_F(ReportSenderTest, PendingRequestGetsDeleted) {
 
   auto reporter =
       std::make_unique<ReportSender>(context(), TRAFFIC_ANNOTATION_FOR_TESTS);
-  reporter->Send(url, "application/foobar", kDummyReport, NetworkIsolationKey(),
-                 base::OnceCallback<void()>(),
+  reporter->Send(url, "application/foobar", kDummyReport,
+                 NetworkAnonymizationKey(), base::OnceCallback<void()>(),
                  base::OnceCallback<void(const GURL&, int, int)>());
   reporter.reset();
 
diff --git a/chromium/net/url_request/static_http_user_agent_settings.cc b/chromium/net/url_request/static_http_user_agent_settings.cc
index 7cc1847155b..43b2bca7cec 100644
--- a/chromium/net/url_request/static_http_user_agent_settings.cc
+++ b/chromium/net/url_request/static_http_user_agent_settings.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/static_http_user_agent_settings.h b/chromium/net/url_request/static_http_user_agent_settings.h
index 14c71cc6938..0ab8187b0db 100644
--- a/chromium/net/url_request/static_http_user_agent_settings.h
+++ b/chromium/net/url_request/static_http_user_agent_settings.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request.cc b/chromium/net/url_request/url_request.cc
index ccb85ec9ff8..5d754a7e1c9 100644
--- a/chromium/net/url_request/url_request.cc
+++ b/chromium/net/url_request/url_request.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -105,12 +105,12 @@ void ConvertRealLoadTimesToBlockingTimes(LoadTimingInfo* load_timing_info) {
 
   LoadTimingInfo::ConnectTiming* connect_timing =
       &load_timing_info->connect_timing;
-  if (!connect_timing->dns_start.is_null()) {
-    DCHECK(!connect_timing->dns_end.is_null());
-    if (connect_timing->dns_start < block_on_connect)
-      connect_timing->dns_start = block_on_connect;
-    if (connect_timing->dns_end < block_on_connect)
-      connect_timing->dns_end = block_on_connect;
+  if (!connect_timing->domain_lookup_start.is_null()) {
+    DCHECK(!connect_timing->domain_lookup_end.is_null());
+    if (connect_timing->domain_lookup_start < block_on_connect)
+      connect_timing->domain_lookup_start = block_on_connect;
+    if (connect_timing->domain_lookup_end < block_on_connect)
+      connect_timing->domain_lookup_end = block_on_connect;
   }
 
   if (!connect_timing->connect_start.is_null()) {
@@ -304,6 +304,8 @@ base::Value URLRequest::GetStateAsValue() const {
     dict.Set("delegate_blocked_by", blocked_by_);
 
   dict.Set("method", method_);
+  // TODO(https://crbug.com/1343856): Update "network_isolation_key" to
+  // "network_anonymization_key" and change NetLog viewer.
   dict.Set("network_isolation_key",
            isolation_info_.network_isolation_key().ToDebugString());
   dict.Set("has_upload", has_upload());
@@ -476,6 +478,14 @@ void URLRequest::set_site_for_cookies(const SiteForCookies& site_for_cookies) {
   site_for_cookies_ = site_for_cookies;
 }
 
+void URLRequest::set_isolation_info_from_network_anonymization_key(
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  set_isolation_info(URLRequest::CreateIsolationInfoFromNetworkAnonymizationKey(
+      network_anonymization_key));
+
+  is_created_from_network_anonymization_key_ = true;
+}
+
 void URLRequest::set_first_party_url_policy(
     RedirectInfo::FirstPartyURLPolicy first_party_url_policy) {
   DCHECK(!is_pending_);
@@ -624,6 +634,10 @@ void URLRequest::BeforeRequestComplete(int error) {
 void URLRequest::StartJob(std::unique_ptr<URLRequestJob> job) {
   DCHECK(!is_pending_);
   DCHECK(!job_);
+  if (is_created_from_network_anonymization_key_) {
+    DCHECK(load_flags_ & LOAD_DISABLE_CACHE);
+    DCHECK(!allow_credentials_);
+  }
 
   net_log_.BeginEvent(NetLogEventType::URL_REQUEST_START_JOB, [&] {
     return NetLogURLRequestStartParams(
@@ -1161,6 +1175,48 @@ void URLRequest::RecordReferrerGranularityMetrics(
   }
 }
 
+IsolationInfo URLRequest::CreateIsolationInfoFromNetworkAnonymizationKey(
+    const NetworkAnonymizationKey& network_anonymization_key) {
+  if (!network_anonymization_key.IsFullyPopulated()) {
+    return IsolationInfo();
+  }
+
+  url::Origin top_frame_origin =
+      network_anonymization_key.GetTopFrameSite()->site_as_origin_;
+
+  absl::optional<url::Origin> frame_origin;
+  if (NetworkAnonymizationKey::IsFrameSiteEnabled() &&
+      network_anonymization_key.GetFrameSite().has_value()) {
+    // If frame site is set on the network anonymization key, use it to set the
+    // frame origin on the isolation info.
+    frame_origin = network_anonymization_key.GetFrameSite()->site_as_origin_;
+  } else if (NetworkAnonymizationKey::IsCrossSiteFlagSchemeEnabled() &&
+             network_anonymization_key.GetIsCrossSite().value()) {
+    // If frame site is not set on the network anonymization key but we know
+    // that it is cross site to the top level site, create an empty origin to
+    // use as the frame origin for the isolation info. This should be cross site
+    // with the top level origin.
+    frame_origin = url::Origin();
+  } else {
+    // If frame sit is not set on the network anonymization key and we don't
+    // know that it's cross site to the top level site, use the top frame site
+    // to set the frame origin.
+    frame_origin = top_frame_origin;
+  }
+
+  const base::UnguessableToken* nonce =
+      network_anonymization_key.GetNonce()
+          ? &network_anonymization_key.GetNonce().value()
+          : nullptr;
+
+  auto isolation_info = IsolationInfo::Create(
+      IsolationInfo::RequestType::kOther, top_frame_origin,
+      frame_origin.value(), SiteForCookies(),
+      /*party_context=*/absl::nullopt, nonce);
+  // TODO(crbug/1343856): DCHECK isolation info is fully populated.
+  return isolation_info;
+}
+
 ConnectionAttempts URLRequest::GetConnectionAttempts() const {
   if (job_)
     return job_->GetConnectionAttempts();
diff --git a/chromium/net/url_request/url_request.h b/chromium/net/url_request/url_request.h
index 532ce5207e6..18db4ced45e 100644
--- a/chromium/net/url_request/url_request.h
+++ b/chromium/net/url_request/url_request.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -260,15 +260,28 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   void set_site_for_cookies(const SiteForCookies& site_for_cookies);
 
   // Sets IsolationInfo for the request, which affects whether SameSite cookies
-  // are sent, what NetworkIsolationKey is used for cached resources, and how
-  // that behavior changes when following redirects. This may only be changed
-  // before Start() is called.
+  // are sent, what NetworkAnonymizationKey is used for cached resources, and
+  // how that behavior changes when following redirects. This may only be
+  // changed before Start() is called.
   //
   // TODO(https://crbug.com/1060631): This isn't actually used yet for SameSite
   // cookies. Update consumers and fix that.
   void set_isolation_info(const IsolationInfo& isolation_info) {
     isolation_info_ = isolation_info;
   }
+
+  // This will convert the passed NetworkAnonymizationKey to an IsolationInfo.
+  // This IsolationInfo mmay be assigned an inaccurate frame origin because the
+  // NetworkAnonymizationKey might not contain all the information to populate
+  // it. Additionally the NetworkAnonymizationKey uses sites which will be
+  // converted to origins when set on the IsolationInfo. If using this method it
+  // is required to skip the cache and not use credentials. Before starting the
+  // request, it must have the LoadFlag LOAD_DISABLE_CACHE set, and must be set
+  // to not allow credentials, to ensure that the inaccurate frame origin has no
+  // impact. The request will DCHECK otherwise.
+  void set_isolation_info_from_network_anonymization_key(
+      const NetworkAnonymizationKey& network_anonymization_key);
+
   const IsolationInfo& isolation_info() const { return isolation_info_; }
 
   // Indicate whether SameSite cookies should be attached even though the
@@ -539,6 +552,10 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   // Access the LOAD_* flags modifying this request (see load_flags.h).
   int load_flags() const { return load_flags_; }
 
+  bool is_created_from_network_anonymization_key() const {
+    return is_created_from_network_anonymization_key_;
+  }
+
   // Returns the Secure DNS Policy for the request.
   SecureDnsPolicy secure_dns_policy() const { return secure_dns_policy_; }
 
@@ -731,7 +748,7 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   void SetRequestHeadersCallback(RequestHeadersCallback callback);
 
   // Sets a callback that will be invoked each time the response is received
-  // from the remote party with the actual response headers recieved. Note this
+  // from the remote party with the actual response headers received. Note this
   // is different from response_headers() getter in that in case of revalidation
   // request, the latter will return cached headers, while the callback will be
   // called with a response from the server.
@@ -910,6 +927,11 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   // checking.
   void RecordReferrerGranularityMetrics(bool request_is_same_origin) const;
 
+  // Creates a partial IsolationInfo with the information accessible from the
+  // NetworkAnonymiationKey.
+  net::IsolationInfo CreateIsolationInfoFromNetworkAnonymizationKey(
+      const NetworkAnonymizationKey& network_anonymization_key);
+
   // Contextual information used for this request. Cannot be NULL. This contains
   // most of the dependencies which are shared between requests (disk cache,
   // cookie store, socket pool, etc.)
@@ -955,7 +977,7 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
 
   // Never access methods of the |delegate_| directly. Always use the
   // Notify... methods for this.
-  raw_ptr<Delegate> delegate_;
+  raw_ptr<Delegate, DanglingUntriaged> delegate_;
 
   const bool is_for_websockets_;
 
@@ -972,6 +994,8 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   // have been encountered, this will be the first error encountered.
   int status_ = OK;
 
+  bool is_created_from_network_anonymization_key_ = false;
+
   // The HTTP response info, lazily initialized.
   HttpResponseInfo response_info_;
 
diff --git a/chromium/net/url_request/url_request_context.cc b/chromium/net/url_request/url_request_context.cc
index a2fd9ff84a0..a3ce8f78bdc 100644
--- a/chromium/net/url_request/url_request_context.cc
+++ b/chromium/net/url_request/url_request_context.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -18,14 +18,37 @@
 #include "build/build_config.h"
 #include "build/chromeos_buildflags.h"
 #include "net/base/http_user_agent_settings.h"
+#include "net/base/network_delegate.h"
+#include "net/base/proxy_delegate.h"
+#include "net/cert/cert_verifier.h"
+#include "net/cert/ct_policy_enforcer.h"
+#include "net/cert/sct_auditing_delegate.h"
 #include "net/cookies/cookie_store.h"
 #include "net/dns/host_resolver.h"
+#include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_cache.h"
 #include "net/http/http_network_session.h"
+#include "net/http/http_server_properties.h"
 #include "net/http/http_transaction_factory.h"
+#include "net/http/transport_security_persister.h"
+#include "net/http/transport_security_state.h"
+#include "net/log/net_log.h"
 #include "net/log/net_log_source.h"
+#include "net/nqe/network_quality_estimator.h"
+#include "net/proxy_resolution/proxy_resolution_service.h"
+#include "net/quic/quic_context.h"
+#include "net/socket/client_socket_factory.h"
 #include "net/socket/ssl_client_socket_impl.h"
+#include "net/ssl/ssl_config_service.h"
 #include "net/url_request/url_request.h"
+#include "net/url_request/url_request_job_factory.h"
+#include "net/url_request/url_request_throttler_manager.h"
+
+#if BUILDFLAG(ENABLE_REPORTING)
+#include "net/network_error_logging/network_error_logging_service.h"
+#include "net/network_error_logging/persistent_reporting_and_nel_store.h"
+#include "net/reporting/reporting_service.h"
+#endif  // BUILDFLAG(ENABLE_REPORTING)
 
 namespace net {
 
@@ -36,6 +59,29 @@ URLRequestContext::URLRequestContext(
 
 URLRequestContext::~URLRequestContext() {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+#if BUILDFLAG(ENABLE_REPORTING)
+  // Shut down the NetworkErrorLoggingService so that destroying the
+  // ReportingService (which might abort in-flight URLRequests, generating
+  // network errors) won't recursively try to queue more network error
+  // reports.
+  if (network_error_logging_service())
+    network_error_logging_service()->OnShutdown();
+
+  // Shut down the ReportingService before the rest of the URLRequestContext,
+  // so it cancels any pending requests it may have.
+  if (reporting_service())
+    reporting_service()->OnShutdown();
+#endif  // BUILDFLAG(ENABLE_REPORTING)
+
+  // Shut down the ProxyResolutionService, as it may have pending URLRequests
+  // using this context. Since this cancels requests, it's not safe to
+  // subclass this, as some parts of the URLRequestContext may then be torn
+  // down before this cancels the ProxyResolutionService's URLRequests.
+  proxy_resolution_service()->OnShutdown();
+
+  DCHECK(host_resolver());
+  host_resolver()->OnShutdown();
+
   AssertNoURLRequests();
 }
 
@@ -86,10 +132,6 @@ std::unique_ptr<URLRequest> URLRequestContext::CreateRequest(
                                          net_log_source));
 }
 
-void URLRequestContext::set_cookie_store(CookieStore* cookie_store) {
-  cookie_store_ = cookie_store;
-}
-
 void URLRequestContext::AssertNoURLRequests() const {
   int num_requests = url_requests_->size();
   if (num_requests != 0) {
@@ -105,4 +147,111 @@ void URLRequestContext::AssertNoURLRequests() const {
   }
 }
 
+void URLRequestContext::set_net_log(NetLog* net_log) {
+  net_log_ = net_log;
+}
+void URLRequestContext::set_host_resolver(
+    std::unique_ptr<HostResolver> host_resolver) {
+  DCHECK(host_resolver.get());
+  host_resolver_ = std::move(host_resolver);
+}
+void URLRequestContext::set_cert_verifier(
+    std::unique_ptr<CertVerifier> cert_verifier) {
+  cert_verifier_ = std::move(cert_verifier);
+}
+void URLRequestContext::set_proxy_resolution_service(
+    std::unique_ptr<ProxyResolutionService> proxy_resolution_service) {
+  proxy_resolution_service_ = std::move(proxy_resolution_service);
+}
+void URLRequestContext::set_proxy_delegate(
+    std::unique_ptr<ProxyDelegate> proxy_delegate) {
+  proxy_delegate_ = std::move(proxy_delegate);
+}
+void URLRequestContext::set_ssl_config_service(
+    std::unique_ptr<SSLConfigService> service) {
+  ssl_config_service_ = std::move(service);
+}
+void URLRequestContext::set_http_auth_handler_factory(
+    std::unique_ptr<HttpAuthHandlerFactory> factory) {
+  http_auth_handler_factory_ = std::move(factory);
+}
+void URLRequestContext::set_http_network_session(
+    std::unique_ptr<HttpNetworkSession> http_network_session) {
+  http_network_session_ = std::move(http_network_session);
+}
+void URLRequestContext::set_http_transaction_factory(
+    std::unique_ptr<HttpTransactionFactory> factory) {
+  http_transaction_factory_ = std::move(factory);
+}
+void URLRequestContext::set_network_delegate(
+    std::unique_ptr<NetworkDelegate> network_delegate) {
+  network_delegate_ = std::move(network_delegate);
+}
+void URLRequestContext::set_http_server_properties(
+    std::unique_ptr<HttpServerProperties> http_server_properties) {
+  http_server_properties_ = std::move(http_server_properties);
+}
+void URLRequestContext::set_cookie_store(
+    std::unique_ptr<CookieStore> cookie_store) {
+  cookie_store_ = std::move(cookie_store);
+}
+void URLRequestContext::set_transport_security_state(
+    std::unique_ptr<TransportSecurityState> state) {
+  transport_security_state_ = std::move(state);
+}
+void URLRequestContext::set_ct_policy_enforcer(
+    std::unique_ptr<CTPolicyEnforcer> enforcer) {
+  ct_policy_enforcer_ = std::move(enforcer);
+}
+void URLRequestContext::set_sct_auditing_delegate(
+    std::unique_ptr<SCTAuditingDelegate> delegate) {
+  sct_auditing_delegate_ = std::move(delegate);
+}
+void URLRequestContext::set_job_factory(
+    std::unique_ptr<const URLRequestJobFactory> job_factory) {
+  job_factory_storage_ = std::move(job_factory);
+  job_factory_ = job_factory_storage_.get();
+}
+void URLRequestContext::set_throttler_manager(
+    std::unique_ptr<URLRequestThrottlerManager> throttler_manager) {
+  throttler_manager_ = std::move(throttler_manager);
+}
+void URLRequestContext::set_quic_context(
+    std::unique_ptr<QuicContext> quic_context) {
+  quic_context_ = std::move(quic_context);
+}
+void URLRequestContext::set_http_user_agent_settings(
+    std::unique_ptr<const HttpUserAgentSettings> http_user_agent_settings) {
+  http_user_agent_settings_ = std::move(http_user_agent_settings);
+}
+void URLRequestContext::set_network_quality_estimator(
+    NetworkQualityEstimator* network_quality_estimator) {
+  network_quality_estimator_ = network_quality_estimator;
+}
+void URLRequestContext::set_client_socket_factory(
+    std::unique_ptr<ClientSocketFactory> client_socket_factory) {
+  client_socket_factory_ = std::move(client_socket_factory);
+}
+#if BUILDFLAG(ENABLE_REPORTING)
+void URLRequestContext::set_persistent_reporting_and_nel_store(
+    std::unique_ptr<PersistentReportingAndNelStore>
+        persistent_reporting_and_nel_store) {
+  persistent_reporting_and_nel_store_ =
+      std::move(persistent_reporting_and_nel_store);
+}
+void URLRequestContext::set_reporting_service(
+    std::unique_ptr<ReportingService> reporting_service) {
+  reporting_service_ = std::move(reporting_service);
+}
+void URLRequestContext::set_network_error_logging_service(
+    std::unique_ptr<NetworkErrorLoggingService> network_error_logging_service) {
+  network_error_logging_service_ = std::move(network_error_logging_service);
+}
+#endif  // BUILDFLAG(ENABLE_REPORTING)
+
+void URLRequestContext::set_transport_security_persister(
+    std::unique_ptr<TransportSecurityPersister> transport_security_persister) {
+  transport_security_persister_ = std::move(transport_security_persister);
+}
+
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_context.h b/chromium/net/url_request/url_request_context.h
index 68a212dac89..4ee83f194cb 100644
--- a/chromium/net/url_request/url_request_context.h
+++ b/chromium/net/url_request/url_request_context.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -31,10 +31,12 @@
 
 namespace net {
 class CertVerifier;
+class ClientSocketFactory;
 class CookieStore;
 class CTPolicyEnforcer;
 class HostResolver;
 class HttpAuthHandlerFactory;
+class HttpNetworkSession;
 struct HttpNetworkSessionContext;
 struct HttpNetworkSessionParams;
 class HttpServerProperties;
@@ -42,41 +44,37 @@ class HttpTransactionFactory;
 class HttpUserAgentSettings;
 class NetLog;
 class NetworkDelegate;
-class NetworkErrorLoggingService;
 class NetworkQualityEstimator;
 class ProxyDelegate;
 class ProxyResolutionService;
 class QuicContext;
-class ReportingService;
 class SCTAuditingDelegate;
 class SSLConfigService;
+class TransportSecurityPersister;
 class TransportSecurityState;
 class URLRequest;
 class URLRequestJobFactory;
 class URLRequestThrottlerManager;
-class URLRequestContextStorage;
 class URLRequestContextBuilder;
 
 #if BUILDFLAG(ENABLE_REPORTING)
 class NetworkErrorLoggingService;
+class PersistentReportingAndNelStore;
 class ReportingService;
 #endif  // BUILDFLAG(ENABLE_REPORTING)
 
-// Subclass to provide application-specific context for URLRequest
-// instances. URLRequestContext does not own these member variables, since they
-// may be shared with other contexts. URLRequestContextStorage can be used for
-// automatic lifetime management. Most callers should use an existing
-// URLRequestContext rather than creating a new one, as guaranteeing that the
-// URLRequestContext is destroyed before its members can be difficult.
-class NET_EXPORT URLRequestContext {
+// Class that provides application-specific context for URLRequest
+// instances. May only be created by URLRequestContextBuilder.
+// Owns most of its member variables, except a few that may be shared
+// with other contexts.
+class NET_EXPORT URLRequestContext final {
  public:
   // URLRequestContext must be created by URLRequestContextBuilder.
   explicit URLRequestContext(base::PassKey<URLRequestContextBuilder> pass_key);
-
   URLRequestContext(const URLRequestContext&) = delete;
   URLRequestContext& operator=(const URLRequestContext&) = delete;
 
-  virtual ~URLRequestContext();
+  ~URLRequestContext();
 
   // May return nullptr if this context doesn't have an associated network
   // session.
@@ -129,63 +127,63 @@ class NET_EXPORT URLRequestContext {
 
   NetLog* net_log() const { return net_log_; }
 
-  HostResolver* host_resolver() const {
-    return host_resolver_;
-  }
+  HostResolver* host_resolver() const { return host_resolver_.get(); }
 
-  CertVerifier* cert_verifier() const {
-    return cert_verifier_;
-  }
+  CertVerifier* cert_verifier() const { return cert_verifier_.get(); }
 
   // Get the proxy service for this context.
   ProxyResolutionService* proxy_resolution_service() const {
-    return proxy_resolution_service_;
+    return proxy_resolution_service_.get();
   }
 
-  ProxyDelegate* proxy_delegate() const { return proxy_delegate_; }
+  ProxyDelegate* proxy_delegate() const { return proxy_delegate_.get(); }
 
   // Get the ssl config service for this context.
-  SSLConfigService* ssl_config_service() const { return ssl_config_service_; }
+  SSLConfigService* ssl_config_service() const {
+    return ssl_config_service_.get();
+  }
 
   // Gets the HTTP Authentication Handler Factory for this context.
   // The factory is only valid for the lifetime of this URLRequestContext
   HttpAuthHandlerFactory* http_auth_handler_factory() const {
-    return http_auth_handler_factory_;
+    return http_auth_handler_factory_.get();
   }
 
   // Gets the http transaction factory for this context.
   HttpTransactionFactory* http_transaction_factory() const {
-    return http_transaction_factory_;
+    return http_transaction_factory_.get();
   }
 
-  NetworkDelegate* network_delegate() const { return network_delegate_; }
+  NetworkDelegate* network_delegate() const { return network_delegate_.get(); }
 
   HttpServerProperties* http_server_properties() const {
-    return http_server_properties_;
+    return http_server_properties_.get();
   }
 
   // Gets the cookie store for this context (may be null, in which case
   // cookies are not stored).
-  CookieStore* cookie_store() const { return cookie_store_; }
+  CookieStore* cookie_store() const { return cookie_store_.get(); }
 
   TransportSecurityState* transport_security_state() const {
-    return transport_security_state_;
+    return transport_security_state_.get();
   }
 
-  CTPolicyEnforcer* ct_policy_enforcer() const { return ct_policy_enforcer_; }
+  CTPolicyEnforcer* ct_policy_enforcer() const {
+    return ct_policy_enforcer_.get();
+  }
 
   SCTAuditingDelegate* sct_auditing_delegate() const {
-    return sct_auditing_delegate_;
+    return sct_auditing_delegate_.get();
   }
 
   const URLRequestJobFactory* job_factory() const { return job_factory_; }
 
   // May return nullptr.
   URLRequestThrottlerManager* throttler_manager() const {
-    return throttler_manager_;
+    return throttler_manager_.get();
   }
 
-  QuicContext* quic_context() const { return quic_context_; }
+  QuicContext* quic_context() const { return quic_context_.get(); }
 
   // Gets the URLRequest objects that hold a reference to this
   // URLRequestContext.
@@ -201,20 +199,22 @@ class NET_EXPORT URLRequestContext {
   // Get the underlying |HttpUserAgentSettings| implementation that provides
   // the HTTP Accept-Language and User-Agent header values.
   const HttpUserAgentSettings* http_user_agent_settings() const {
-    return http_user_agent_settings_;
+    return http_user_agent_settings_.get();
   }
 
   // Gets the NetworkQualityEstimator associated with this context.
   // May return nullptr.
   NetworkQualityEstimator* network_quality_estimator() const {
-    return network_quality_estimator_;
+    return network_quality_estimator_.get();
   }
 
 #if BUILDFLAG(ENABLE_REPORTING)
-  ReportingService* reporting_service() const { return reporting_service_; }
+  ReportingService* reporting_service() const {
+    return reporting_service_.get();
+  }
 
   NetworkErrorLoggingService* network_error_logging_service() const {
-    return network_error_logging_service_;
+    return network_error_logging_service_.get();
   }
 #endif  // BUILDFLAG(ENABLE_REPORTING)
 
@@ -241,74 +241,52 @@ class NET_EXPORT URLRequestContext {
   }
 
  private:
-  friend class URLRequestContextStorage;
   friend class URLRequestContextBuilder;
-  void set_net_log(NetLog* net_log) { net_log_ = net_log; }
-  void set_host_resolver(HostResolver* host_resolver) {
-    DCHECK(host_resolver);
-    host_resolver_ = host_resolver;
-  }
-  void set_cert_verifier(CertVerifier* cert_verifier) {
-    cert_verifier_ = cert_verifier;
+
+  HttpNetworkSession* http_network_session() const {
+    return http_network_session_.get();
   }
+
+  void set_net_log(NetLog* net_log);
+  void set_host_resolver(std::unique_ptr<HostResolver> host_resolver);
+  void set_cert_verifier(std::unique_ptr<CertVerifier> cert_verifier);
   void set_proxy_resolution_service(
-      ProxyResolutionService* proxy_resolution_service) {
-    proxy_resolution_service_ = proxy_resolution_service;
-  }
-  void set_proxy_delegate(ProxyDelegate* proxy_delegate) {
-    proxy_delegate_ = proxy_delegate;
-  }
-  void set_ssl_config_service(SSLConfigService* service) {
-    ssl_config_service_ = service;
-  }
-  void set_http_auth_handler_factory(HttpAuthHandlerFactory* factory) {
-    http_auth_handler_factory_ = factory;
-  }
-  void set_http_transaction_factory(HttpTransactionFactory* factory) {
-    http_transaction_factory_ = factory;
-  }
-  void set_network_delegate(NetworkDelegate* network_delegate) {
-    network_delegate_ = network_delegate;
-  }
+      std::unique_ptr<ProxyResolutionService> proxy_resolution_service);
+  void set_proxy_delegate(std::unique_ptr<ProxyDelegate> proxy_delegate);
+  void set_ssl_config_service(std::unique_ptr<SSLConfigService> service);
+  void set_http_auth_handler_factory(
+      std::unique_ptr<HttpAuthHandlerFactory> factory);
+  void set_http_network_session(
+      std::unique_ptr<HttpNetworkSession> http_network_session);
+  void set_http_transaction_factory(
+      std::unique_ptr<HttpTransactionFactory> factory);
+  void set_network_delegate(std::unique_ptr<NetworkDelegate> network_delegate);
   void set_http_server_properties(
-      HttpServerProperties* http_server_properties) {
-    http_server_properties_ = http_server_properties;
-  }
-  void set_cookie_store(CookieStore* cookie_store);
-  void set_transport_security_state(TransportSecurityState* state) {
-    transport_security_state_ = state;
-  }
-  void set_ct_policy_enforcer(CTPolicyEnforcer* enforcer) {
-    ct_policy_enforcer_ = enforcer;
-  }
-  void set_sct_auditing_delegate(SCTAuditingDelegate* delegate) {
-    sct_auditing_delegate_ = delegate;
-  }
-  void set_job_factory(const URLRequestJobFactory* job_factory) {
-    job_factory_ = job_factory;
-  }
-  void set_throttler_manager(URLRequestThrottlerManager* throttler_manager) {
-    throttler_manager_ = throttler_manager;
-  }
-  void set_quic_context(QuicContext* quic_context) {
-    quic_context_ = quic_context;
-  }
+      std::unique_ptr<HttpServerProperties> http_server_properties);
+  void set_cookie_store(std::unique_ptr<CookieStore> cookie_store);
+  void set_transport_security_state(
+      std::unique_ptr<TransportSecurityState> state);
+  void set_ct_policy_enforcer(std::unique_ptr<CTPolicyEnforcer> enforcer);
+  void set_sct_auditing_delegate(std::unique_ptr<SCTAuditingDelegate> delegate);
+  void set_job_factory(std::unique_ptr<const URLRequestJobFactory> job_factory);
+  void set_throttler_manager(
+      std::unique_ptr<URLRequestThrottlerManager> throttler_manager);
+  void set_quic_context(std::unique_ptr<QuicContext> quic_context);
   void set_http_user_agent_settings(
-      const HttpUserAgentSettings* http_user_agent_settings) {
-    http_user_agent_settings_ = http_user_agent_settings;
-  }
+      std::unique_ptr<const HttpUserAgentSettings> http_user_agent_settings);
   void set_network_quality_estimator(
-      NetworkQualityEstimator* network_quality_estimator) {
-    network_quality_estimator_ = network_quality_estimator;
-  }
+      NetworkQualityEstimator* network_quality_estimator);
+  void set_client_socket_factory(
+      std::unique_ptr<ClientSocketFactory> client_socket_factory);
 #if BUILDFLAG(ENABLE_REPORTING)
-  void set_reporting_service(ReportingService* reporting_service) {
-    reporting_service_ = reporting_service;
-  }
+  void set_persistent_reporting_and_nel_store(
+      std::unique_ptr<PersistentReportingAndNelStore>
+          persistent_reporting_and_nel_store);
+  void set_reporting_service(
+      std::unique_ptr<ReportingService> reporting_service);
   void set_network_error_logging_service(
-      NetworkErrorLoggingService* network_error_logging_service) {
-    network_error_logging_service_ = network_error_logging_service;
-  }
+      std::unique_ptr<NetworkErrorLoggingService>
+          network_error_logging_service);
 #endif  // BUILDFLAG(ENABLE_REPORTING)
   void set_enable_brotli(bool enable_brotli) { enable_brotli_ = enable_brotli; }
   void set_check_cleartext_permitted(bool check_cleartext_permitted) {
@@ -321,40 +299,55 @@ class NET_EXPORT URLRequestContext {
     bound_network_ = network;
   }
 
-  // Ownership for these members are not defined here. Clients should either
-  // provide storage elsewhere or have a subclass take ownership.
+  void set_transport_security_persister(
+      std::unique_ptr<TransportSecurityPersister> transport_security_persister);
+
   raw_ptr<NetLog> net_log_ = nullptr;
-  raw_ptr<HostResolver, DanglingUntriaged> host_resolver_ = nullptr;
-  raw_ptr<CertVerifier, DanglingUntriaged> cert_verifier_ = nullptr;
-  raw_ptr<HttpAuthHandlerFactory, DanglingUntriaged>
-      http_auth_handler_factory_ = nullptr;
-  raw_ptr<ProxyResolutionService, DanglingUntriaged> proxy_resolution_service_ =
-      nullptr;
-  raw_ptr<ProxyDelegate> proxy_delegate_ = nullptr;
-  raw_ptr<SSLConfigService, DanglingUntriaged> ssl_config_service_ = nullptr;
-  raw_ptr<NetworkDelegate, DanglingUntriaged> network_delegate_ = nullptr;
-  raw_ptr<HttpServerProperties, DanglingUntriaged> http_server_properties_ =
-      nullptr;
-  raw_ptr<const HttpUserAgentSettings, DanglingUntriaged>
-      http_user_agent_settings_ = nullptr;
-  raw_ptr<CookieStore, DanglingUntriaged> cookie_store_ = nullptr;
-  raw_ptr<TransportSecurityState, DanglingUntriaged> transport_security_state_ =
-      nullptr;
-  raw_ptr<CTPolicyEnforcer, DanglingUntriaged> ct_policy_enforcer_ = nullptr;
-  raw_ptr<SCTAuditingDelegate, DanglingUntriaged> sct_auditing_delegate_ =
-      nullptr;
-  raw_ptr<HttpTransactionFactory, DanglingUntriaged> http_transaction_factory_ =
-      nullptr;
-  raw_ptr<const URLRequestJobFactory, DanglingUntriaged> job_factory_ = nullptr;
-  raw_ptr<URLRequestThrottlerManager> throttler_manager_ = nullptr;
-  raw_ptr<QuicContext, DanglingUntriaged> quic_context_ = nullptr;
-  raw_ptr<NetworkQualityEstimator> network_quality_estimator_ = nullptr;
+
+  std::unique_ptr<HostResolver> host_resolver_;
+  std::unique_ptr<CertVerifier> cert_verifier_;
+  std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;
+  std::unique_ptr<ProxyDelegate> proxy_delegate_;
+  std::unique_ptr<NetworkDelegate> network_delegate_;
+  std::unique_ptr<ProxyResolutionService> proxy_resolution_service_;
+  std::unique_ptr<SSLConfigService> ssl_config_service_;
+  std::unique_ptr<HttpServerProperties> http_server_properties_;
+  std::unique_ptr<const HttpUserAgentSettings> http_user_agent_settings_;
+  std::unique_ptr<CookieStore> cookie_store_;
+  std::unique_ptr<TransportSecurityState> transport_security_state_;
+  std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
+  std::unique_ptr<SCTAuditingDelegate> sct_auditing_delegate_;
+  std::unique_ptr<QuicContext> quic_context_;
+  std::unique_ptr<ClientSocketFactory> client_socket_factory_;
+
+  // The storage duplication for URLRequestJobFactory is needed because of
+  // SetJobFactoryForTesting. Once this method is removable, we can only store a
+  // unique_ptr similarly to the other fields.
+  std::unique_ptr<const URLRequestJobFactory> job_factory_storage_;
+  raw_ptr<const URLRequestJobFactory> job_factory_ = nullptr;
+
+  std::unique_ptr<URLRequestThrottlerManager> throttler_manager_;
+
 #if BUILDFLAG(ENABLE_REPORTING)
-  raw_ptr<ReportingService, DanglingUntriaged> reporting_service_ = nullptr;
-  raw_ptr<NetworkErrorLoggingService, DanglingUntriaged>
-      network_error_logging_service_ = nullptr;
+  // Must precede |reporting_service_| and |network_error_logging_service_|
+  std::unique_ptr<PersistentReportingAndNelStore>
+      persistent_reporting_and_nel_store_;
+
+  std::unique_ptr<ReportingService> reporting_service_;
+  std::unique_ptr<NetworkErrorLoggingService> network_error_logging_service_;
 #endif  // BUILDFLAG(ENABLE_REPORTING)
 
+  // May be used (but not owned) by the HttpTransactionFactory.
+  std::unique_ptr<HttpNetworkSession> http_network_session_;
+
+  // `http_transaction_factory_` might hold a raw pointer on
+  // `http_network_session_` so it needs to be declared last.
+  std::unique_ptr<HttpTransactionFactory> http_transaction_factory_;
+
+  raw_ptr<NetworkQualityEstimator> network_quality_estimator_ = nullptr;
+
+  std::unique_ptr<TransportSecurityPersister> transport_security_persister_;
+
   std::unique_ptr<std::set<const URLRequest*>> url_requests_;
 
   // Enables Brotli Content-Encoding support.
@@ -363,8 +356,8 @@ class NET_EXPORT URLRequestContext {
   // request. Only used on Android.
   bool check_cleartext_permitted_ = false;
 
-  // Triggers a DCHECK if a NetworkIsolationKey/IsolationInfo is not provided to
-  // a request when true.
+  // Triggers a DCHECK if a NetworkAnonymizationKey/IsolationInfo is not
+  // provided to a request when true.
   bool require_network_isolation_key_ = false;
 
   handles::NetworkHandle bound_network_;
diff --git a/chromium/net/url_request/url_request_context_builder.cc b/chromium/net/url_request/url_request_context_builder.cc
index 50c1b5a964d..84b4cdd9921 100644
--- a/chromium/net/url_request/url_request_context_builder.cc
+++ b/chromium/net/url_request/url_request_context_builder.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -16,6 +16,7 @@
 #include "base/task/single_thread_task_runner.h"
 #include "base/task/thread_pool.h"
 #include "base/threading/thread_task_runner_handle.h"
+#include "base/types/pass_key.h"
 #include "build/build_config.h"
 #include "net/base/cache_type.h"
 #include "net/base/net_errors.h"
@@ -48,7 +49,6 @@
 #include "net/ssl/ssl_config_service_defaults.h"
 #include "net/url_request/static_http_user_agent_settings.h"
 #include "net/url_request/url_request_context.h"
-#include "net/url_request/url_request_context_storage.h"
 #include "net/url_request/url_request_job_factory.h"
 #include "net/url_request/url_request_throttler_manager.h"
 #include "url/url_constants.h"
@@ -66,65 +66,6 @@
 
 namespace net {
 
-namespace {
-
-// A URLRequestContext subclass that owns most of its components
-// via a UrlRequestContextStorage object. When URLRequestContextBuilder::Build()
-// is called, ownership of all URLRequestContext components is passed to the
-// ContainerURLRequestContext. Since this cancels requests in its destructor,
-// it's not safe to subclass this.
-class ContainerURLRequestContext final : public URLRequestContext {
- public:
-  explicit ContainerURLRequestContext(
-      base::PassKey<URLRequestContextBuilder> pass_key)
-      : URLRequestContext(pass_key), storage_(this) {}
-
-  ContainerURLRequestContext(const ContainerURLRequestContext&) = delete;
-  ContainerURLRequestContext& operator=(const ContainerURLRequestContext&) =
-      delete;
-
-  ~ContainerURLRequestContext() override {
-#if BUILDFLAG(ENABLE_REPORTING)
-    // Shut down the NetworkErrorLoggingService so that destroying the
-    // ReportingService (which might abort in-flight URLRequests, generating
-    // network errors) won't recursively try to queue more network error
-    // reports.
-    if (network_error_logging_service())
-      network_error_logging_service()->OnShutdown();
-
-    // Shut down the ReportingService before the rest of the URLRequestContext,
-    // so it cancels any pending requests it may have.
-    if (reporting_service())
-      reporting_service()->OnShutdown();
-#endif  // BUILDFLAG(ENABLE_REPORTING)
-
-    // Shut down the ProxyResolutionService, as it may have pending URLRequests
-    // using this context. Since this cancels requests, it's not safe to
-    // subclass this, as some parts of the URLRequestContext may then be torn
-    // down before this cancels the ProxyResolutionService's URLRequests.
-    proxy_resolution_service()->OnShutdown();
-
-    DCHECK(host_resolver());
-    host_resolver()->OnShutdown();
-
-    AssertNoURLRequests();
-  }
-
-  URLRequestContextStorage* storage() { return &storage_; }
-
-  void set_transport_security_persister(
-      std::unique_ptr<TransportSecurityPersister>
-          transport_security_persister) {
-    transport_security_persister_ = std::move(transport_security_persister);
-  }
-
- private:
-  URLRequestContextStorage storage_;
-  std::unique_ptr<TransportSecurityPersister> transport_security_persister_;
-};
-
-}  // namespace
-
 URLRequestContextBuilder::HttpCacheParams::HttpCacheParams() = default;
 URLRequestContextBuilder::HttpCacheParams::~HttpCacheParams() = default;
 
@@ -329,9 +270,8 @@ void URLRequestContextBuilder::BindToNetwork(
 }
 
 std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
-  auto context = std::make_unique<ContainerURLRequestContext>(
+  auto context = std::make_unique<URLRequestContext>(
       base::PassKey<URLRequestContextBuilder>());
-  URLRequestContextStorage* storage = context->storage();
 
   context->set_enable_brotli(enable_brotli_);
   context->set_check_cleartext_permitted(check_cleartext_permitted_);
@@ -339,16 +279,16 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
   context->set_network_quality_estimator(network_quality_estimator_);
 
   if (http_user_agent_settings_) {
-    storage->set_http_user_agent_settings(std::move(http_user_agent_settings_));
+    context->set_http_user_agent_settings(std::move(http_user_agent_settings_));
   } else {
-    storage->set_http_user_agent_settings(
+    context->set_http_user_agent_settings(
         std::make_unique<StaticHttpUserAgentSettings>(accept_language_,
                                                       user_agent_));
   }
 
   if (!network_delegate_)
     network_delegate_ = std::make_unique<NetworkDelegateImpl>();
-  storage->set_network_delegate(std::move(network_delegate_));
+  context->set_network_delegate(std::move(network_delegate_));
 
   if (net_log_) {
     // Unlike the other builder parameters, |net_log_| is not owned by the
@@ -371,7 +311,7 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
     auto client_socket_factory =
         std::make_unique<NetworkBindingClientSocketFactory>(bound_network_);
     set_client_socket_factory(client_socket_factory.get());
-    storage->set_client_socket_factory(std::move(client_socket_factory));
+    context->set_client_socket_factory(std::move(client_socket_factory));
 
     host_resolver_ = HostResolver::CreateStandaloneNetworkBoundResolver(
         context->net_log(), bound_network_, manager_options_);
@@ -394,7 +334,7 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
   }
 
   if (client_socket_factory_) {
-    storage->set_client_socket_factory(std::move(client_socket_factory_));
+    context->set_client_socket_factory(std::move(client_socket_factory_));
   }
 
   if (host_resolver_) {
@@ -423,32 +363,32 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
     }
   }
   host_resolver_->SetRequestContext(context.get());
-  storage->set_host_resolver(std::move(host_resolver_));
+  context->set_host_resolver(std::move(host_resolver_));
 
   if (ssl_config_service_) {
-    storage->set_ssl_config_service(std::move(ssl_config_service_));
+    context->set_ssl_config_service(std::move(ssl_config_service_));
   } else {
-    storage->set_ssl_config_service(
+    context->set_ssl_config_service(
         std::make_unique<SSLConfigServiceDefaults>());
   }
 
   if (http_auth_handler_factory_) {
-    storage->set_http_auth_handler_factory(
+    context->set_http_auth_handler_factory(
         std::move(http_auth_handler_factory_));
   } else {
-    storage->set_http_auth_handler_factory(
+    context->set_http_auth_handler_factory(
         HttpAuthHandlerRegistryFactory::CreateDefault());
   }
 
   if (cookie_store_set_by_client_) {
-    storage->set_cookie_store(std::move(cookie_store_));
+    context->set_cookie_store(std::move(cookie_store_));
   } else {
-    auto cookie_store = std::make_unique<CookieMonster>(
-        nullptr /* store */, context->net_log(), first_party_sets_enabled_);
-    storage->set_cookie_store(std::move(cookie_store));
+    auto cookie_store = std::make_unique<CookieMonster>(nullptr /* store */,
+                                                        context->net_log());
+    context->set_cookie_store(std::move(cookie_store));
   }
 
-  storage->set_transport_security_state(
+  context->set_transport_security_state(
       std::make_unique<TransportSecurityState>(hsts_policy_bypass_list_));
   if (!transport_security_persister_file_path_.empty()) {
     // Use a low priority because saving this should not block anything
@@ -466,39 +406,39 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
   }
 
   if (http_server_properties_) {
-    storage->set_http_server_properties(std::move(http_server_properties_));
+    context->set_http_server_properties(std::move(http_server_properties_));
   } else {
-    storage->set_http_server_properties(
+    context->set_http_server_properties(
         std::make_unique<HttpServerProperties>());
   }
 
   if (cert_verifier_) {
-    storage->set_cert_verifier(std::move(cert_verifier_));
+    context->set_cert_verifier(std::move(cert_verifier_));
   } else {
     // TODO(mattm): Should URLRequestContextBuilder create a CertNetFetcher?
-    storage->set_cert_verifier(
+    context->set_cert_verifier(
         CertVerifier::CreateDefault(/*cert_net_fetcher=*/nullptr));
   }
 
   if (ct_policy_enforcer_) {
-    storage->set_ct_policy_enforcer(std::move(ct_policy_enforcer_));
+    context->set_ct_policy_enforcer(std::move(ct_policy_enforcer_));
   } else {
-    storage->set_ct_policy_enforcer(
+    context->set_ct_policy_enforcer(
         std::make_unique<DefaultCTPolicyEnforcer>());
   }
 
   if (sct_auditing_delegate_) {
-    storage->set_sct_auditing_delegate(std::move(sct_auditing_delegate_));
+    context->set_sct_auditing_delegate(std::move(sct_auditing_delegate_));
   }
 
   if (quic_context_) {
-    storage->set_quic_context(std::move(quic_context_));
+    context->set_quic_context(std::move(quic_context_));
   } else {
-    storage->set_quic_context(std::make_unique<QuicContext>());
+    context->set_quic_context(std::make_unique<QuicContext>());
   }
 
   if (throttling_enabled_) {
-    storage->set_throttler_manager(
+    context->set_throttler_manager(
         std::make_unique<URLRequestThrottlerManager>());
   }
 
@@ -521,16 +461,16 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
   }
   ProxyResolutionService* proxy_resolution_service =
       proxy_resolution_service_.get();
-  storage->set_proxy_resolution_service(std::move(proxy_resolution_service_));
+  context->set_proxy_resolution_service(std::move(proxy_resolution_service_));
 
 #if BUILDFLAG(ENABLE_REPORTING)
   // Note: ReportingService::Create and NetworkErrorLoggingService::Create can
   // both return nullptr if the corresponding base::Feature is disabled.
 
   if (reporting_service_) {
-    storage->set_reporting_service(std::move(reporting_service_));
+    context->set_reporting_service(std::move(reporting_service_));
   } else if (reporting_policy_) {
-    storage->set_reporting_service(
+    context->set_reporting_service(
         ReportingService::Create(*reporting_policy_, context.get(),
                                  persistent_reporting_and_nel_store_.get()));
   }
@@ -540,12 +480,12 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
       network_error_logging_service_ = NetworkErrorLoggingService::Create(
           persistent_reporting_and_nel_store_.get());
     }
-    storage->set_network_error_logging_service(
+    context->set_network_error_logging_service(
         std::move(network_error_logging_service_));
   }
 
   if (persistent_reporting_and_nel_store_) {
-    storage->set_persistent_reporting_and_nel_store(
+    context->set_persistent_reporting_and_nel_store(
         std::move(persistent_reporting_and_nel_store_));
   }
 
@@ -561,7 +501,7 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
 
   if (proxy_delegate_) {
     proxy_resolution_service->SetProxyDelegate(proxy_delegate_.get());
-    storage->set_proxy_delegate(std::move(proxy_delegate_));
+    context->set_proxy_delegate(std::move(proxy_delegate_));
   }
 
   HttpNetworkSessionContext network_session_context;
@@ -572,7 +512,7 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
       suppress_setting_socket_performance_watcher_factory_for_testing_,
       client_socket_factory_raw_);
 
-  storage->set_http_network_session(std::make_unique<HttpNetworkSession>(
+  context->set_http_network_session(std::make_unique<HttpNetworkSession>(
       http_network_session_params_, network_session_context));
 
   std::unique_ptr<HttpTransactionFactory> http_transaction_factory;
@@ -581,10 +521,10 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
   } else if (!create_http_network_transaction_factory_.is_null()) {
     http_transaction_factory =
         std::move(create_http_network_transaction_factory_)
-            .Run(storage->http_network_session());
+            .Run(context->http_network_session());
   } else {
     http_transaction_factory =
-        std::make_unique<HttpNetworkLayer>(storage->http_network_session());
+        std::make_unique<HttpNetworkLayer>(context->http_network_session());
   }
 
   if (http_cache_enabled_) {
@@ -623,7 +563,7 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
     http_transaction_factory = std::make_unique<HttpCache>(
         std::move(http_transaction_factory), std::move(http_cache_backend));
   }
-  storage->set_http_transaction_factory(std::move(http_transaction_factory));
+  context->set_http_transaction_factory(std::move(http_transaction_factory));
 
   std::unique_ptr<URLRequestJobFactory> job_factory =
       std::make_unique<URLRequestJobFactory>();
@@ -633,9 +573,9 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
   }
   protocol_handlers_.clear();
 
-  storage->set_job_factory(std::move(job_factory));
+  context->set_job_factory(std::move(job_factory));
 
-  return std::move(context);
+  return context;
 }
 
 std::unique_ptr<ProxyResolutionService>
diff --git a/chromium/net/url_request/url_request_context_builder.h b/chromium/net/url_request/url_request_context_builder.h
index cec74606d04..c75a35e5dfb 100644
--- a/chromium/net/url_request/url_request_context_builder.h
+++ b/chromium/net/url_request/url_request_context_builder.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -281,9 +281,6 @@ class NET_EXPORT URLRequestContextBuilder {
   void set_throttling_enabled(bool throttling_enabled) {
     throttling_enabled_ = throttling_enabled;
   }
-  void set_first_party_sets_enabled(bool enabled) {
-    first_party_sets_enabled_ = enabled;
-  }
 
   void set_ct_policy_enforcer(
       std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer);
@@ -345,7 +342,7 @@ class NET_EXPORT URLRequestContextBuilder {
   }
 
   // Sets a ClientSocketFactory when the network service sandbox is enabled. The
-  // unique_ptr is moved to a URLRequestContextStorage once Build() is called.
+  // unique_ptr is moved to a URLRequestContext once Build() is called.
   void set_client_socket_factory(
       std::unique_ptr<ClientSocketFactory> client_socket_factory) {
     set_client_socket_factory(client_socket_factory.get());
@@ -416,7 +413,6 @@ class NET_EXPORT URLRequestContextBuilder {
   bool throttling_enabled_ = false;
   bool cookie_store_set_by_client_ = false;
   bool suppress_setting_socket_performance_watcher_factory_for_testing_ = false;
-  bool first_party_sets_enabled_ = false;
 
   handles::NetworkHandle bound_network_ = handles::kInvalidNetworkHandle;
   // Used only if the context is bound to a network to customize the
diff --git a/chromium/net/url_request/url_request_context_builder_unittest.cc b/chromium/net/url_request/url_request_context_builder_unittest.cc
index effeb506bb1..b37066d8647 100644
--- a/chromium/net/url_request/url_request_context_builder_unittest.cc
+++ b/chromium/net/url_request/url_request_context_builder_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -9,7 +9,7 @@
 #include "base/task/thread_pool.h"
 #include "build/build_config.h"
 #include "net/base/mock_network_change_notifier.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/request_priority.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/host_resolver.h"
@@ -63,16 +63,17 @@ class MockHttpAuthHandlerFactory : public HttpAuthHandlerFactory {
       : return_code_(return_code), supported_scheme_(supported_scheme) {}
   ~MockHttpAuthHandlerFactory() override = default;
 
-  int CreateAuthHandler(HttpAuthChallengeTokenizer* challenge,
-                        HttpAuth::Target target,
-                        const SSLInfo& ssl_info,
-                        const NetworkIsolationKey& network_isolation_key,
-                        const url::SchemeHostPort& scheme_host_port,
-                        CreateReason reason,
-                        int nonce_count,
-                        const NetLogWithSource& net_log,
-                        HostResolver* host_resolver,
-                        std::unique_ptr<HttpAuthHandler>* handler) override {
+  int CreateAuthHandler(
+      HttpAuthChallengeTokenizer* challenge,
+      HttpAuth::Target target,
+      const SSLInfo& ssl_info,
+      const NetworkAnonymizationKey& network_anonymization_key,
+      const url::SchemeHostPort& scheme_host_port,
+      CreateReason reason,
+      int nonce_count,
+      const NetLogWithSource& net_log,
+      HostResolver* host_resolver,
+      std::unique_ptr<HttpAuthHandler>* handler) override {
     handler->reset();
 
     return challenge->auth_scheme() == supported_scheme_
@@ -144,7 +145,7 @@ TEST_F(URLRequestContextBuilderTest, DefaultHttpAuthHandlerFactory) {
   EXPECT_EQ(OK,
             context->http_auth_handler_factory()->CreateAuthHandlerFromString(
                 "basic", HttpAuth::AUTH_SERVER, null_ssl_info,
-                NetworkIsolationKey(), scheme_host_port, NetLogWithSource(),
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
                 host_resolver_.get(), &handler));
 }
 
@@ -161,21 +162,21 @@ TEST_F(URLRequestContextBuilderTest, CustomHttpAuthHandlerFactory) {
   EXPECT_EQ(kBasicReturnCode,
             context->http_auth_handler_factory()->CreateAuthHandlerFromString(
                 "ExtraScheme", HttpAuth::AUTH_SERVER, null_ssl_info,
-                NetworkIsolationKey(), scheme_host_port, NetLogWithSource(),
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
                 host_resolver_.get(), &handler));
 
   // Verify that the default basic handler isn't present
   EXPECT_EQ(ERR_UNSUPPORTED_AUTH_SCHEME,
             context->http_auth_handler_factory()->CreateAuthHandlerFromString(
                 "basic", HttpAuth::AUTH_SERVER, null_ssl_info,
-                NetworkIsolationKey(), scheme_host_port, NetLogWithSource(),
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
                 host_resolver_.get(), &handler));
 
   // Verify that a handler isn't returned for a bogus scheme.
   EXPECT_EQ(ERR_UNSUPPORTED_AUTH_SCHEME,
             context->http_auth_handler_factory()->CreateAuthHandlerFromString(
                 "Bogus", HttpAuth::AUTH_SERVER, null_ssl_info,
-                NetworkIsolationKey(), scheme_host_port, NetLogWithSource(),
+                NetworkAnonymizationKey(), scheme_host_port, NetLogWithSource(),
                 host_resolver_.get(), &handler));
 }
 
@@ -241,7 +242,7 @@ TEST_F(URLRequestContextBuilderTest, ShutdownHostResolverWithPendingRequest) {
 
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       context->host_resolver()->CreateRequest(
-          HostPortPair("example.com", 1234), NetworkIsolationKey(),
+          HostPortPair("example.com", 1234), NetworkAnonymizationKey(),
           NetLogWithSource(), absl::nullopt);
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
diff --git a/chromium/net/url_request/url_request_context_getter.cc b/chromium/net/url_request/url_request_context_getter.cc
index 65d17a0fefd..a7f6b6bcdfc 100644
--- a/chromium/net/url_request/url_request_context_getter.cc
+++ b/chromium/net/url_request/url_request_context_getter.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_context_getter.h b/chromium/net/url_request/url_request_context_getter.h
index 3896d39a886..0a74dbfa550 100644
--- a/chromium/net/url_request/url_request_context_getter.h
+++ b/chromium/net/url_request/url_request_context_getter.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_context_getter_observer.h b/chromium/net/url_request/url_request_context_getter_observer.h
index 1ebbbb31636..4c499db1978 100644
--- a/chromium/net/url_request/url_request_context_getter_observer.h
+++ b/chromium/net/url_request/url_request_context_getter_observer.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_context_storage.cc b/chromium/net/url_request/url_request_context_storage.cc
deleted file mode 100644
index 64f78f360ee..00000000000
--- a/chromium/net/url_request/url_request_context_storage.cc
+++ /dev/null
@@ -1,181 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/url_request/url_request_context_storage.h"
-
-#include <utility>
-
-#include "base/check.h"
-#include "net/base/http_user_agent_settings.h"
-#include "net/base/network_delegate.h"
-#include "net/base/port_util.h"
-#include "net/base/proxy_delegate.h"
-#include "net/cert/cert_verifier.h"
-#include "net/cert/ct_policy_enforcer.h"
-#include "net/cert/sct_auditing_delegate.h"
-#include "net/cookies/cookie_store.h"
-#include "net/dns/host_resolver.h"
-#include "net/http/http_auth_handler_factory.h"
-#include "net/http/http_network_session.h"
-#include "net/http/http_server_properties.h"
-#include "net/http/http_transaction_factory.h"
-#include "net/http/transport_security_state.h"
-#include "net/proxy_resolution/proxy_resolution_service.h"
-#include "net/quic/quic_context.h"
-#include "net/socket/client_socket_factory.h"
-#include "net/ssl/ssl_config_service.h"
-#include "net/url_request/url_request_context.h"
-#include "net/url_request/url_request_job_factory.h"
-#include "net/url_request/url_request_throttler_manager.h"
-
-#if BUILDFLAG(ENABLE_REPORTING)
-#include "net/network_error_logging/network_error_logging_service.h"
-#include "net/network_error_logging/persistent_reporting_and_nel_store.h"
-#include "net/reporting/reporting_service.h"
-#endif  // BUILDFLAG(ENABLE_REPORTING)
-
-namespace net {
-
-URLRequestContextStorage::URLRequestContextStorage(URLRequestContext* context)
-    : context_(context) {
-  DCHECK(context);
-}
-
-URLRequestContextStorage::~URLRequestContextStorage() = default;
-
-void URLRequestContextStorage::set_host_resolver(
-    std::unique_ptr<HostResolver> host_resolver) {
-  context_->set_host_resolver(host_resolver.get());
-  host_resolver_ = std::move(host_resolver);
-}
-
-void URLRequestContextStorage::set_cert_verifier(
-    std::unique_ptr<CertVerifier> cert_verifier) {
-  context_->set_cert_verifier(cert_verifier.get());
-  cert_verifier_ = std::move(cert_verifier);
-}
-
-void URLRequestContextStorage::set_http_auth_handler_factory(
-    std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory) {
-  context_->set_http_auth_handler_factory(http_auth_handler_factory.get());
-  http_auth_handler_factory_ = std::move(http_auth_handler_factory);
-}
-
-void URLRequestContextStorage::set_proxy_delegate(
-    std::unique_ptr<ProxyDelegate> proxy_delegate) {
-  context_->set_proxy_delegate(proxy_delegate.get());
-  proxy_delegate_ = std::move(proxy_delegate);
-}
-
-void URLRequestContextStorage::set_network_delegate(
-    std::unique_ptr<NetworkDelegate> network_delegate) {
-  context_->set_network_delegate(network_delegate.get());
-  network_delegate_ = std::move(network_delegate);
-}
-
-void URLRequestContextStorage::set_proxy_resolution_service(
-    std::unique_ptr<ProxyResolutionService> proxy_resolution_service) {
-  context_->set_proxy_resolution_service(proxy_resolution_service.get());
-  proxy_resolution_service_ = std::move(proxy_resolution_service);
-}
-
-void URLRequestContextStorage::set_ssl_config_service(
-    std::unique_ptr<SSLConfigService> ssl_config_service) {
-  context_->set_ssl_config_service(ssl_config_service.get());
-  ssl_config_service_ = std::move(ssl_config_service);
-}
-
-void URLRequestContextStorage::set_http_server_properties(
-    std::unique_ptr<HttpServerProperties> http_server_properties) {
-  context_->set_http_server_properties(http_server_properties.get());
-  http_server_properties_ = std::move(http_server_properties);
-}
-
-void URLRequestContextStorage::set_cookie_store(
-    std::unique_ptr<CookieStore> cookie_store) {
-  context_->set_cookie_store(cookie_store.get());
-  cookie_store_ = std::move(cookie_store);
-}
-
-void URLRequestContextStorage::set_transport_security_state(
-    std::unique_ptr<TransportSecurityState> transport_security_state) {
-  context_->set_transport_security_state(transport_security_state.get());
-  transport_security_state_ = std::move(transport_security_state);
-}
-
-void URLRequestContextStorage::set_ct_policy_enforcer(
-    std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer) {
-  context_->set_ct_policy_enforcer(ct_policy_enforcer.get());
-  ct_policy_enforcer_ = std::move(ct_policy_enforcer);
-}
-
-void URLRequestContextStorage::set_sct_auditing_delegate(
-    std::unique_ptr<SCTAuditingDelegate> sct_auditing_delegate) {
-  context_->set_sct_auditing_delegate(sct_auditing_delegate.get());
-  sct_auditing_delegate_ = std::move(sct_auditing_delegate);
-}
-
-void URLRequestContextStorage::set_http_network_session(
-    std::unique_ptr<HttpNetworkSession> http_network_session) {
-  http_network_session_ = std::move(http_network_session);
-}
-
-void URLRequestContextStorage::set_http_transaction_factory(
-    std::unique_ptr<HttpTransactionFactory> http_transaction_factory) {
-  context_->set_http_transaction_factory(http_transaction_factory.get());
-  http_transaction_factory_ = std::move(http_transaction_factory);
-}
-
-void URLRequestContextStorage::set_job_factory(
-    std::unique_ptr<URLRequestJobFactory> job_factory) {
-  context_->set_job_factory(job_factory.get());
-  job_factory_ = std::move(job_factory);
-}
-
-void URLRequestContextStorage::set_throttler_manager(
-    std::unique_ptr<URLRequestThrottlerManager> throttler_manager) {
-  context_->set_throttler_manager(throttler_manager.get());
-  throttler_manager_ = std::move(throttler_manager);
-}
-
-void URLRequestContextStorage::set_quic_context(
-    std::unique_ptr<QuicContext> quic_context) {
-  context_->set_quic_context(quic_context.get());
-  quic_context_ = std::move(quic_context);
-}
-
-void URLRequestContextStorage::set_http_user_agent_settings(
-    std::unique_ptr<HttpUserAgentSettings> http_user_agent_settings) {
-  context_->set_http_user_agent_settings(http_user_agent_settings.get());
-  http_user_agent_settings_ = std::move(http_user_agent_settings);
-}
-
-#if BUILDFLAG(ENABLE_REPORTING)
-void URLRequestContextStorage::set_persistent_reporting_and_nel_store(
-    std::unique_ptr<PersistentReportingAndNelStore>
-        persistent_reporting_and_nel_store) {
-  persistent_reporting_and_nel_store_ =
-      std::move(persistent_reporting_and_nel_store);
-}
-
-void URLRequestContextStorage::set_reporting_service(
-    std::unique_ptr<ReportingService> reporting_service) {
-  context_->set_reporting_service(reporting_service.get());
-  reporting_service_ = std::move(reporting_service);
-}
-
-void URLRequestContextStorage::set_network_error_logging_service(
-    std::unique_ptr<NetworkErrorLoggingService> network_error_logging_service) {
-  context_->set_network_error_logging_service(
-      network_error_logging_service.get());
-  network_error_logging_service_ = std::move(network_error_logging_service);
-}
-#endif  // BUILDFLAG(ENABLE_REPORTING)
-
-void URLRequestContextStorage::set_client_socket_factory(
-    std::unique_ptr<ClientSocketFactory> client_socket_factory) {
-  client_socket_factory_ = std::move(client_socket_factory);
-}
-
-}  // namespace net
diff --git a/chromium/net/url_request/url_request_context_storage.h b/chromium/net/url_request/url_request_context_storage.h
deleted file mode 100644
index 0489dcee451..00000000000
--- a/chromium/net/url_request/url_request_context_storage.h
+++ /dev/null
@@ -1,153 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_URL_REQUEST_URL_REQUEST_CONTEXT_STORAGE_H_
-#define NET_URL_REQUEST_URL_REQUEST_CONTEXT_STORAGE_H_
-
-#include <memory>
-
-#include "base/memory/raw_ptr.h"
-#include "base/memory/ref_counted.h"
-#include "build/buildflag.h"
-#include "net/base/net_export.h"
-#include "net/net_buildflags.h"
-
-namespace net {
-
-class CertVerifier;
-class CookieStore;
-class CTPolicyEnforcer;
-class HostResolver;
-class HttpAuthHandlerFactory;
-class HttpNetworkSession;
-class HttpServerProperties;
-class HttpTransactionFactory;
-class HttpUserAgentSettings;
-class NetworkDelegate;
-class ProxyDelegate;
-class ProxyResolutionService;
-class QuicContext;
-class SCTAuditingDelegate;
-class SSLConfigService;
-class TransportSecurityState;
-class URLRequestContext;
-class ClientSocketFactory;
-class URLRequestJobFactory;
-class URLRequestThrottlerManager;
-
-#if BUILDFLAG(ENABLE_REPORTING)
-class NetworkErrorLoggingService;
-class PersistentReportingAndNelStore;
-class ReportingService;
-#endif  // BUILDFLAG(ENABLE_REPORTING)
-
-// URLRequestContextStorage is a helper class that provides storage for unowned
-// member variables of URLRequestContext.
-class NET_EXPORT URLRequestContextStorage {
- public:
-  // Note that URLRequestContextStorage does not acquire a reference to
-  // URLRequestContext, since it is often designed to be embedded in a
-  // URLRequestContext subclass.
-  explicit URLRequestContextStorage(URLRequestContext* context);
-
-  URLRequestContextStorage(const URLRequestContextStorage&) = delete;
-  URLRequestContextStorage& operator=(const URLRequestContextStorage&) = delete;
-
-  ~URLRequestContextStorage();
-
-  // These setters will set both the member variables and call the setter on the
-  // URLRequestContext object. In all cases, ownership is passed to |this|.
-
-  void set_host_resolver(std::unique_ptr<HostResolver> host_resolver);
-  void set_cert_verifier(std::unique_ptr<CertVerifier> cert_verifier);
-  void set_http_auth_handler_factory(
-      std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory);
-  void set_proxy_delegate(std::unique_ptr<ProxyDelegate> proxy_delegate);
-  void set_network_delegate(std::unique_ptr<NetworkDelegate> network_delegate);
-  void set_proxy_resolution_service(
-      std::unique_ptr<ProxyResolutionService> proxy_resolution_service);
-  void set_ssl_config_service(
-      std::unique_ptr<SSLConfigService> ssl_config_service);
-  void set_http_server_properties(
-      std::unique_ptr<HttpServerProperties> http_server_properties);
-  void set_cookie_store(std::unique_ptr<CookieStore> cookie_store);
-  void set_transport_security_state(
-      std::unique_ptr<TransportSecurityState> transport_security_state);
-  void set_ct_policy_enforcer(
-      std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer);
-  void set_sct_auditing_delegate(
-      std::unique_ptr<SCTAuditingDelegate> sct_auditing_delegate);
-  void set_http_network_session(
-      std::unique_ptr<HttpNetworkSession> http_network_session);
-  void set_http_transaction_factory(
-      std::unique_ptr<HttpTransactionFactory> http_transaction_factory);
-  void set_job_factory(std::unique_ptr<URLRequestJobFactory> job_factory);
-  void set_throttler_manager(
-      std::unique_ptr<URLRequestThrottlerManager> throttler_manager);
-  void set_quic_context(std::unique_ptr<QuicContext> quic_context);
-  void set_http_user_agent_settings(
-      std::unique_ptr<HttpUserAgentSettings> http_user_agent_settings);
-
-#if BUILDFLAG(ENABLE_REPORTING)
-  void set_persistent_reporting_and_nel_store(
-      std::unique_ptr<PersistentReportingAndNelStore>
-          persistent_reporting_and_nel_store);
-  void set_reporting_service(
-      std::unique_ptr<ReportingService> reporting_service);
-  void set_network_error_logging_service(
-      std::unique_ptr<NetworkErrorLoggingService>
-          network_error_logging_service);
-#endif  // BUILDFLAG(ENABLE_REPORTING)
-
-  void set_client_socket_factory(
-      std::unique_ptr<ClientSocketFactory> client_socket_factory);
-
-  // Everything else can be access through the URLRequestContext, but this
-  // cannot.  Having an accessor for it makes usage a little cleaner.
-  HttpNetworkSession* http_network_session() const {
-    return http_network_session_.get();
-  }
-
- private:
-  // Not owned.
-  const raw_ptr<URLRequestContext> context_;
-
-  // Owned members.
-  std::unique_ptr<HostResolver> host_resolver_;
-  std::unique_ptr<CertVerifier> cert_verifier_;
-  std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;
-  std::unique_ptr<ProxyDelegate> proxy_delegate_;
-  std::unique_ptr<NetworkDelegate> network_delegate_;
-  std::unique_ptr<ProxyResolutionService> proxy_resolution_service_;
-  std::unique_ptr<SSLConfigService> ssl_config_service_;
-  std::unique_ptr<HttpServerProperties> http_server_properties_;
-  std::unique_ptr<HttpUserAgentSettings> http_user_agent_settings_;
-  std::unique_ptr<CookieStore> cookie_store_;
-  std::unique_ptr<TransportSecurityState> transport_security_state_;
-  std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
-  std::unique_ptr<SCTAuditingDelegate> sct_auditing_delegate_;
-  std::unique_ptr<QuicContext> quic_context_;
-  std::unique_ptr<ClientSocketFactory> client_socket_factory_;
-
-  // Not actually pointed at by the URLRequestContext, but may be used (but not
-  // owned) by the HttpTransactionFactory.
-  std::unique_ptr<HttpNetworkSession> http_network_session_;
-
-  std::unique_ptr<HttpTransactionFactory> http_transaction_factory_;
-  std::unique_ptr<URLRequestJobFactory> job_factory_;
-  std::unique_ptr<URLRequestThrottlerManager> throttler_manager_;
-
-#if BUILDFLAG(ENABLE_REPORTING)
-  // Must precede |reporting_service_| and |network_error_logging_service_|
-  std::unique_ptr<PersistentReportingAndNelStore>
-      persistent_reporting_and_nel_store_;
-
-  std::unique_ptr<ReportingService> reporting_service_;
-  std::unique_ptr<NetworkErrorLoggingService> network_error_logging_service_;
-#endif  // BUILDFLAG(ENABLE_REPORTING)
-};
-
-}  // namespace net
-
-#endif  // NET_URL_REQUEST_URL_REQUEST_CONTEXT_STORAGE_H_
diff --git a/chromium/net/url_request/url_request_error_job.cc b/chromium/net/url_request/url_request_error_job.cc
index eb3a3032d59..b896193b6c8 100644
--- a/chromium/net/url_request/url_request_error_job.cc
+++ b/chromium/net/url_request/url_request_error_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_error_job.h b/chromium/net/url_request/url_request_error_job.h
index 205b150c5e8..5542ab157fe 100644
--- a/chromium/net/url_request/url_request_error_job.h
+++ b/chromium/net/url_request/url_request_error_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
diff --git a/chromium/net/url_request/url_request_filter.cc b/chromium/net/url_request/url_request_filter.cc
index a07bf8301a6..5689d01bfba 100644
--- a/chromium/net/url_request/url_request_filter.cc
+++ b/chromium/net/url_request/url_request_filter.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_filter.h b/chromium/net/url_request/url_request_filter.h
index 48d7a7e9ad3..9d137f20190 100644
--- a/chromium/net/url_request/url_request_filter.h
+++ b/chromium/net/url_request/url_request_filter.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #ifndef NET_URL_REQUEST_URL_REQUEST_FILTER_H_
diff --git a/chromium/net/url_request/url_request_filter_unittest.cc b/chromium/net/url_request/url_request_filter_unittest.cc
index 0da85940f27..769004998e0 100644
--- a/chromium/net/url_request/url_request_filter_unittest.cc
+++ b/chromium/net/url_request/url_request_filter_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_fuzzer.cc b/chromium/net/url_request/url_request_fuzzer.cc
index fca705d2f43..af64d56c5b7 100644
--- a/chromium/net/url_request/url_request_fuzzer.cc
+++ b/chromium/net/url_request/url_request_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_http_job.cc b/chromium/net/url_request/url_request_http_job.cc
index bd336369896..0a622f7f994 100644
--- a/chromium/net/url_request/url_request_http_job.cc
+++ b/chromium/net/url_request/url_request_http_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -25,13 +25,13 @@
 #include "base/metrics/histogram_macros.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/rand_util.h"
-#include "base/stl_util.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/task/single_thread_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/time.h"
 #include "base/trace_event/trace_event.h"
+#include "base/types/optional_util.h"
 #include "base/values.h"
 #include "build/build_config.h"
 #include "net/base/features.h"
@@ -39,6 +39,7 @@
 #include "net/base/http_user_agent_settings.h"
 #include "net/base/load_flags.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_delegate.h"
 #include "net/base/network_isolation_key.h"
 #include "net/base/privacy_mode.h"
@@ -53,13 +54,13 @@
 #include "net/cookies/cookie_constants.h"
 #include "net/cookies/cookie_store.h"
 #include "net/cookies/cookie_util.h"
-#include "net/cookies/first_party_set_metadata.h"
 #include "net/cookies/parsed_cookie.h"
-#include "net/cookies/same_party_context.h"
 #include "net/filter/brotli_source_stream.h"
 #include "net/filter/filter_source_stream.h"
 #include "net/filter/gzip_source_stream.h"
 #include "net/filter/source_stream.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "net/http/http_content_disposition.h"
 #include "net/http/http_log_util.h"
 #include "net/http/http_network_session.h"
@@ -257,6 +258,8 @@ void URLRequestHttpJob::Start() {
 
   request_info_.network_isolation_key =
       request_->isolation_info().network_isolation_key();
+  request_info_.network_anonymization_key =
+      request_->isolation_info().network_anonymization_key();
   request_info_.possibly_top_frame_origin =
       request_->isolation_info().top_frame_origin();
   request_info_.is_subframe_document_resource =
@@ -298,6 +301,30 @@ void URLRequestHttpJob::Start() {
 void URLRequestHttpJob::OnGotFirstPartySetMetadata(
     FirstPartySetMetadata first_party_set_metadata) {
   first_party_set_metadata_ = std::move(first_party_set_metadata);
+
+  if (!request()->network_delegate()) {
+    OnGotFirstPartySetCacheFilterMatchInfo(
+        net::FirstPartySetsCacheFilter::MatchInfo());
+    return;
+  }
+  absl::optional<FirstPartySetsCacheFilter::MatchInfo> match_info =
+      request()
+          ->network_delegate()
+          ->GetFirstPartySetsCacheFilterMatchInfoMaybeAsync(
+              SchemefulSite(request()->url()),
+              base::BindOnce(
+                  &URLRequestHttpJob::OnGotFirstPartySetCacheFilterMatchInfo,
+                  weak_factory_.GetWeakPtr()));
+
+  if (match_info.has_value())
+    OnGotFirstPartySetCacheFilterMatchInfo(std::move(match_info.value()));
+}
+
+void URLRequestHttpJob::OnGotFirstPartySetCacheFilterMatchInfo(
+    FirstPartySetsCacheFilter::MatchInfo match_info) {
+  request_info_.fps_cache_filter = match_info.clear_at_run_id;
+  request_info_.browser_run_id = match_info.browser_run_id;
+
   // Privacy mode could still be disabled in SetCookieHeaderAndStart if we are
   // going to send previously saved cookies.
   request_info_.privacy_mode = DeterminePrivacyMode();
@@ -335,7 +362,7 @@ void URLRequestHttpJob::OnGotFirstPartySetMetadata(
 
     cookie_partition_key_ = CookiePartitionKey::FromNetworkIsolationKey(
         request_->isolation_info().network_isolation_key(),
-        base::OptionalOrNullptr(
+        base::OptionalToPtr(
             first_party_set_metadata_.top_frame_entry().has_value()
                 ? absl::make_optional(
                       first_party_set_metadata_.top_frame_entry()->primary())
@@ -799,7 +826,8 @@ void URLRequestHttpJob::AnnotateAndMoveUserBlockedCookies(
   if (request()->network_delegate()) {
     can_get_cookies =
         request()->network_delegate()->AnnotateAndMoveUserBlockedCookies(
-            *request(), maybe_included_cookies, excluded_cookies);
+            *request(), first_party_set_metadata_, maybe_included_cookies,
+            excluded_cookies);
   }
 
   if (!can_get_cookies) {
@@ -999,7 +1027,7 @@ void URLRequestHttpJob::ProcessExpectCTHeader() {
   if (has_expect_ct_header) {
     security_state->ProcessExpectCTHeader(
         value, HostPortPair::FromURL(request_info_.url), ssl_info,
-        request_->isolation_info().network_isolation_key());
+        request_->isolation_info().network_anonymization_key());
   }
 }
 
@@ -1078,7 +1106,6 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
   } else if (result == ERR_DNS_NAME_HTTPS_ONLY) {
     // If DNS indicated the name is HTTPS-only, synthesize a redirect to either
     // HTTPS or WSS.
-    DCHECK(features::kUseDnsHttpsSvcbHttpUpgrade.Get());
     DCHECK(!request_->url().SchemeIsCryptographic());
 
     base::Time request_time =
diff --git a/chromium/net/url_request/url_request_http_job.h b/chromium/net/url_request/url_request_http_job.h
index 9d9e968d01a..866c8287a9b 100644
--- a/chromium/net/url_request/url_request_http_job.h
+++ b/chromium/net/url_request/url_request_http_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -24,7 +24,8 @@
 #include "net/base/privacy_mode.h"
 #include "net/cookies/cookie_inclusion_status.h"
 #include "net/cookies/cookie_partition_key.h"
-#include "net/cookies/first_party_set_metadata.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/first_party_sets_cache_filter.h"
 #include "net/http/http_request_info.h"
 #include "net/socket/connection_attempts.h"
 #include "net/url_request/url_request_job.h"
@@ -220,6 +221,11 @@ class NET_EXPORT_PRIVATE URLRequestHttpJob : public URLRequestJob {
   void OnGotFirstPartySetMetadata(
       FirstPartySetMetadata first_party_set_metadata);
 
+  // Called after getting the FirstPartySetsCacheFilter match info during Start
+  // for this job.
+  void OnGotFirstPartySetCacheFilterMatchInfo(
+      FirstPartySetsCacheFilter::MatchInfo match_info);
+
   // Returns true iff this request leg should include the Cookie header. Note
   // that cookies may still be eventually blocked by the CookieAccessDelegate
   // even if this method returns true.
diff --git a/chromium/net/url_request/url_request_http_job_unittest.cc b/chromium/net/url_request/url_request_http_job_unittest.cc
index 22f7ad48487..223ef8ada75 100644
--- a/chromium/net/url_request/url_request_http_job_unittest.cc
+++ b/chromium/net/url_request/url_request_http_job_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -25,7 +25,7 @@
 #include "net/base/auth.h"
 #include "net/base/features.h"
 #include "net/base/isolation_info.h"
-#include "net/base/network_isolation_key.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/proxy_server.h"
 #include "net/base/proxy_string_util.h"
 #include "net/base/request_priority.h"
@@ -383,10 +383,14 @@ class URLRequestHttpJobWithMockSocketsTest : public TestWithTaskEnvironment {
     auto context_builder = CreateTestURLRequestContextBuilder();
     context_builder->set_client_socket_factory_for_testing(&socket_factory_);
     context_ = context_builder->Build();
+    scoped_feature_list_.InitAndEnableFeature(kDynamicExpectCTFeature);
   }
 
   MockClientSocketFactory socket_factory_;
   std::unique_ptr<URLRequestContext> context_;
+
+ private:
+  base::test::ScopedFeatureList scoped_feature_list_;
 };
 
 TEST_F(URLRequestHttpJobWithMockSocketsTest,
@@ -919,25 +923,25 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
       const X509Certificate* served_certificate_chain,
       const SignedCertificateTimestampAndStatusList&
           signed_certificate_timestamps,
-      const NetworkIsolationKey& network_isolation_key) override {
+      const NetworkAnonymizationKey& network_anonymization_key) override {
     num_failures_++;
-    network_isolation_key_ = network_isolation_key;
+    network_anonymization_key_ = network_anonymization_key;
   }
 
   int num_failures() const { return num_failures_; }
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
 
  private:
   int num_failures_ = 0;
-  NetworkIsolationKey network_isolation_key_;
+  NetworkAnonymizationKey network_anonymization_key_;
 };
 
 }  // namespace
 
 TEST_F(URLRequestHttpJobWithMockSocketsTest,
-       TestHttpJobSendsNetworkIsolationKeyWhenProcessingExpectCTHeader) {
+       TestHttpJobSendsNetworkAnonymizationKeyWhenProcessingExpectCTHeader) {
   SSLSocketDataProvider ssl_socket_data(net::ASYNC, net::OK);
   ssl_socket_data.ssl_info.cert =
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
@@ -974,8 +978,8 @@ TEST_F(URLRequestHttpJobWithMockSocketsTest,
   EXPECT_THAT(delegate.request_status(), IsOk());
 
   ASSERT_EQ(1, reporter.num_failures());
-  EXPECT_EQ(isolation_info.network_isolation_key(),
-            reporter.network_isolation_key());
+  EXPECT_EQ(isolation_info.network_anonymization_key(),
+            reporter.network_anonymization_key());
 }
 
 TEST_F(URLRequestHttpJobWithMockSocketsTest, EncodingAdvertisementOnRange) {
@@ -1596,8 +1600,7 @@ TEST_F(URLRequestHttpJobTest, CookieSchemeRequestSchemeHistogram) {
 
   auto context_builder = CreateTestURLRequestContextBuilder();
   context_builder->SetCookieStore(std::make_unique<CookieMonster>(
-      /*store=*/nullptr, /*net_log=*/nullptr,
-      /*first_party_sets_enabled=*/false));
+      /*store=*/nullptr, /*net_log=*/nullptr));
   auto context = context_builder->Build();
 
   auto* cookie_store = static_cast<CookieMonster*>(context->cookie_store());
@@ -1691,8 +1694,7 @@ TEST_F(URLRequestHttpJobTest, PrivacyMode_ExclusionReason) {
 
   auto context_builder = CreateTestURLRequestContextBuilder();
   context_builder->SetCookieStore(std::make_unique<CookieMonster>(
-      /*store=*/nullptr, /*net_log=*/nullptr,
-      /*first_party_sets_enabled=*/false));
+      /*store=*/nullptr, /*net_log=*/nullptr));
   auto& network_delegate = *context_builder->set_network_delegate(
       std::make_unique<FilteringTestNetworkDelegate>());
   auto context = context_builder->Build();
@@ -1763,8 +1765,7 @@ TEST_F(URLRequestHttpJobTest, IndividuallyBlockedCookies) {
   network_delegate->SetCookieFilter("blocked_");
   auto context_builder = CreateTestURLRequestContextBuilder();
   context_builder->SetCookieStore(std::make_unique<CookieMonster>(
-      /*store=*/nullptr, /*net_log=*/nullptr,
-      /*first_party_sets_enabled=*/false));
+      /*store=*/nullptr, /*net_log=*/nullptr));
   context_builder->set_network_delegate(std::move(network_delegate));
   auto context = context_builder->Build();
 
@@ -1811,6 +1812,74 @@ TEST_F(URLRequestHttpJobTest, IndividuallyBlockedCookies) {
               MatchesCookieAccessResult(IsInclude(), _, _, _))));
 }
 
+namespace {
+
+int content_count = 0;
+std::unique_ptr<test_server::HttpResponse> IncreaseOnRequest(
+    const test_server::HttpRequest& request) {
+  auto http_response = std::make_unique<test_server::BasicHttpResponse>();
+  http_response->set_content(base::NumberToString(content_count));
+  content_count++;
+  return std::move(http_response);
+}
+
+void ResetContentCount() {
+  content_count = 0;
+}
+
+}  // namespace
+
+TEST_F(URLRequestHttpJobTest, GetFirstPartySetsCacheFilterMatchInfo) {
+  EmbeddedTestServer https_test(EmbeddedTestServer::TYPE_HTTPS);
+  https_test.AddDefaultHandlers(base::FilePath());
+  https_test.RegisterRequestHandler(base::BindRepeating(&IncreaseOnRequest));
+  ASSERT_TRUE(https_test.Start());
+
+  auto context_builder = CreateTestURLRequestContextBuilder();
+  auto* network_delegate = context_builder->set_network_delegate(
+      std::make_unique<TestNetworkDelegate>());
+  auto context = context_builder->Build();
+
+  const GURL kTestUrl = https_test.GetURL("/");
+  {
+    TestDelegate delegate;
+    std::unique_ptr<URLRequest> req(context->CreateRequest(
+        kTestUrl, DEFAULT_PRIORITY, &delegate, TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->Start();
+    delegate.RunUntilComplete();
+    EXPECT_EQ("0", delegate.data_received());
+  }
+  {  // Test using the cached response.
+    TestDelegate delegate;
+    std::unique_ptr<URLRequest> req(context->CreateRequest(
+        kTestUrl, DEFAULT_PRIORITY, &delegate, TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->SetLoadFlags(LOAD_SKIP_CACHE_VALIDATION);
+    req->Start();
+    delegate.RunUntilComplete();
+    EXPECT_EQ("0", delegate.data_received());
+  }
+
+  // Set cache filter and test cache is bypassed because the request site has a
+  // matched entry in the filter and its response cache was stored before being
+  // marked to clear.
+  const int64_t kClearAtRunId = 3;
+  const int64_t kBrowserRunId = 3;
+  FirstPartySetsCacheFilter cache_filter(
+      {{SchemefulSite(kTestUrl), kClearAtRunId}}, kBrowserRunId);
+  network_delegate->set_fps_cache_filter(std::move(cache_filter));
+  {
+    TestDelegate delegate;
+    std::unique_ptr<URLRequest> req(context->CreateRequest(
+        kTestUrl, DEFAULT_PRIORITY, &delegate, TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->SetLoadFlags(LOAD_SKIP_CACHE_VALIDATION);
+    req->Start();
+    delegate.RunUntilComplete();
+    EXPECT_EQ("1", delegate.data_received());
+  }
+
+  ResetContentCount();
+}
+
 class PartitionedCookiesURLRequestHttpJobTest
     : public URLRequestHttpJobTest,
       public testing::WithParamInterface<bool> {
@@ -1839,8 +1908,7 @@ TEST_P(PartitionedCookiesURLRequestHttpJobTest, SetPartitionedCookie) {
 
   auto context_builder = CreateTestURLRequestContextBuilder();
   context_builder->SetCookieStore(std::make_unique<CookieMonster>(
-      /*store=*/nullptr, /*net_log=*/nullptr,
-      /*first_party_sets_enabled=*/false));
+      /*store=*/nullptr, /*net_log=*/nullptr));
   auto context = context_builder->Build();
 
   const url::Origin kTopFrameOrigin =
@@ -1922,8 +1990,7 @@ TEST_P(PartitionedCookiesURLRequestHttpJobTest,
 
   auto context_builder = CreateTestURLRequestContextBuilder();
   auto cookie_monster = std::make_unique<CookieMonster>(
-      /*store=*/nullptr, /*net_log=*/nullptr,
-      /*first_party_sets_enabled=*/false);
+      /*store=*/nullptr, /*net_log=*/nullptr);
   auto cookie_access_delegate = std::make_unique<TestCookieAccessDelegate>();
   cookie_access_delegate->SetFirstPartySets({
       {kOwnerSite, net::FirstPartySetEntry(kOwnerSite, net::SiteType::kPrimary,
@@ -2027,8 +2094,7 @@ TEST_P(PartitionedCookiesURLRequestHttpJobTest, PrivacyMode) {
 
   auto context_builder = CreateTestURLRequestContextBuilder();
   context_builder->SetCookieStore(
-      std::make_unique<CookieMonster>(/*store=*/nullptr, /*net_log=*/nullptr,
-                                      /*first_party_sets_enabled=*/false));
+      std::make_unique<CookieMonster>(/*store=*/nullptr, /*net_log=*/nullptr));
   auto& network_delegate = *context_builder->set_network_delegate(
       std::make_unique<FilteringTestNetworkDelegate>());
   auto context = context_builder->Build();
@@ -2140,8 +2206,7 @@ TEST_P(PartitionedCookiesURLRequestHttpJobTest,
 
   auto context_builder = CreateTestURLRequestContextBuilder();
   context_builder->SetCookieStore(
-      std::make_unique<CookieMonster>(/*store=*/nullptr, /*net_log=*/nullptr,
-                                      /*first_party_sets_enabled=*/false));
+      std::make_unique<CookieMonster>(/*store=*/nullptr, /*net_log=*/nullptr));
   auto context = context_builder->Build();
 
   const url::Origin kTopFrameOrigin =
diff --git a/chromium/net/url_request/url_request_interceptor.cc b/chromium/net/url_request/url_request_interceptor.cc
index fda25533e66..c58bb6f5a92 100644
--- a/chromium/net/url_request/url_request_interceptor.cc
+++ b/chromium/net/url_request/url_request_interceptor.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_interceptor.h b/chromium/net/url_request/url_request_interceptor.h
index 35cdf09c548..1d217213c1b 100644
--- a/chromium/net/url_request/url_request_interceptor.h
+++ b/chromium/net/url_request/url_request_interceptor.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_job.cc b/chromium/net/url_request/url_request_job.cc
index b788b8a3c89..0127bbcf864 100644
--- a/chromium/net/url_request/url_request_job.cc
+++ b/chromium/net/url_request/url_request_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_job.h b/chromium/net/url_request/url_request_job.h
index 0f55a00b381..6f53a222214 100644
--- a/chromium/net/url_request/url_request_job.h
+++ b/chromium/net/url_request/url_request_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -242,7 +242,7 @@ class NET_EXPORT URLRequestJob {
   virtual void SetRequestHeadersCallback(RequestHeadersCallback callback) {}
 
   // Sets a callback that will be invoked each time the response is received
-  // from the remote party with the actual response headers recieved.
+  // from the remote party with the actual response headers received.
   virtual void SetResponseHeadersCallback(ResponseHeadersCallback callback) {}
 
   // Sets a callback that will be invoked each time a 103 Early Hints response
diff --git a/chromium/net/url_request/url_request_job_factory.cc b/chromium/net/url_request/url_request_job_factory.cc
index 079187d608d..68b4dae4b2e 100644
--- a/chromium/net/url_request/url_request_job_factory.cc
+++ b/chromium/net/url_request/url_request_job_factory.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_job_factory.h b/chromium/net/url_request/url_request_job_factory.h
index b2c41834bc2..41bf54404c5 100644
--- a/chromium/net/url_request/url_request_job_factory.h
+++ b/chromium/net/url_request/url_request_job_factory.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_job_factory_unittest.cc b/chromium/net/url_request/url_request_job_factory_unittest.cc
index f52c6635289..a0f0ea752aa 100644
--- a/chromium/net/url_request/url_request_job_factory_unittest.cc
+++ b/chromium/net/url_request/url_request_job_factory_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_job_unittest.cc b/chromium/net/url_request/url_request_job_unittest.cc
index 6eacf022b58..536c23433b5 100644
--- a/chromium/net/url_request/url_request_job_unittest.cc
+++ b/chromium/net/url_request/url_request_job_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -24,6 +24,7 @@
 #include "net/url_request/url_request_test_util.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/url_util.h"
 
 using net::test::IsError;
@@ -118,6 +119,8 @@ const MockTransaction kNoFilterTransaction = {
     base::Time(),
     "hello",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -140,6 +143,8 @@ const MockTransaction kNoFilterTransactionWithInvalidLength = {
     base::Time(),
     "hello",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -163,6 +168,8 @@ const MockTransaction kGZipTransaction = {
     base::Time(),
     "",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     &GZipServer,
     nullptr,
@@ -186,6 +193,8 @@ const MockTransaction kGzipSlowTransaction = {
     base::Time(),
     "",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_SLOW_READ,
     &GZipHelloServer,
     nullptr,
@@ -210,6 +219,8 @@ const MockTransaction kRedirectTransaction = {
     base::Time(),
     "hello",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -232,6 +243,8 @@ const MockTransaction kEmptyBodyGzipTransaction = {
     base::Time(),
     "",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -255,6 +268,8 @@ const MockTransaction kInvalidContentGZipTransaction = {
     base::Time(),
     "not a valid gzip body",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_NORMAL,
     nullptr,
     nullptr,
@@ -279,6 +294,8 @@ const MockTransaction kBrotliSlowTransaction = {
     base::Time(),
     "",
     {},
+    absl::nullopt,
+    absl::nullopt,
     TEST_MODE_SLOW_READ,
     &BrotliHelloServer,
     nullptr,
diff --git a/chromium/net/url_request/url_request_netlog_params.cc b/chromium/net/url_request/url_request_netlog_params.cc
index cec31242801..1e05d6ec2da 100644
--- a/chromium/net/url_request/url_request_netlog_params.cc
+++ b/chromium/net/url_request/url_request_netlog_params.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_netlog_params.h b/chromium/net/url_request/url_request_netlog_params.h
index ae999f74a5a..f4ca28666b7 100644
--- a/chromium/net/url_request/url_request_netlog_params.h
+++ b/chromium/net/url_request/url_request_netlog_params.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_quic_perftest.cc b/chromium/net/url_request/url_request_quic_perftest.cc
index 56f9a4c29b5..e576d80582a 100644
--- a/chromium/net/url_request/url_request_quic_perftest.cc
+++ b/chromium/net/url_request/url_request_quic_perftest.cc
@@ -1,4 +1,4 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2017 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_quic_unittest.cc b/chromium/net/url_request/url_request_quic_unittest.cc
index b6736ea9a6b..2dc06971e2d 100644
--- a/chromium/net/url_request/url_request_quic_unittest.cc
+++ b/chromium/net/url_request/url_request_quic_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -17,8 +17,8 @@
 #include "net/base/features.h"
 #include "net/base/isolation_info.h"
 #include "net/base/load_timing_info.h"
+#include "net/base/network_anonymization_key.h"
 #include "net/base/network_delegate.h"
-#include "net/base/network_isolation_key.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/mock_cert_verifier.h"
@@ -102,23 +102,23 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
       const X509Certificate* served_certificate_chain,
       const SignedCertificateTimestampAndStatusList&
           signed_certificate_timestamps,
-      const NetworkIsolationKey& network_isolation_key) override {
+      const NetworkAnonymizationKey& network_anonymization_key) override {
     num_failures_++;
     report_uri_ = report_uri;
-    network_isolation_key_ = network_isolation_key;
+    network_anonymization_key_ = network_anonymization_key;
   }
 
   int num_failures() const { return num_failures_; }
   const GURL& report_uri() const { return report_uri_; }
-  const NetworkIsolationKey& network_isolation_key() const {
-    return network_isolation_key_;
+  const NetworkAnonymizationKey& network_anonymization_key() const {
+    return network_anonymization_key_;
   }
 
  private:
   int num_failures_ = 0;
 
   GURL report_uri_;
-  NetworkIsolationKey network_isolation_key_;
+  NetworkAnonymizationKey network_anonymization_key_;
 };
 
 class URLRequestQuicTest
@@ -150,6 +150,8 @@ class URLRequestQuicTest
     context_builder_->set_http_network_session_params(params);
     context_builder_->SetCertVerifier(std::move(cert_verifier));
     context_builder_->set_net_log(NetLog::Get());
+
+    scoped_feature_list_.InitAndEnableFeature(kDynamicExpectCTFeature);
   }
 
   void TearDown() override {
@@ -285,6 +287,7 @@ class URLRequestQuicTest
   quic::QuicMemoryCacheBackend memory_cache_backend_;
   std::unique_ptr<URLRequestContextBuilder> context_builder_;
   quic::test::QuicFlagSaver flags_;  // Save/restore all QUIC flag values.
+  base::test::ScopedFeatureList scoped_feature_list_;
 };
 
 // A URLRequest::Delegate that checks LoadTimingInfo when response headers are
@@ -324,9 +327,9 @@ class CheckLoadTimingDelegate : public TestDelegate {
     EXPECT_EQ(load_timing_info.connect_timing.connect_end,
               load_timing_info.connect_timing.ssl_end);
     EXPECT_EQ(session_reused,
-              load_timing_info.connect_timing.dns_start.is_null());
+              load_timing_info.connect_timing.domain_lookup_start.is_null());
     EXPECT_EQ(session_reused,
-              load_timing_info.connect_timing.dns_end.is_null());
+              load_timing_info.connect_timing.domain_lookup_end.is_null());
   }
 
   bool session_reused_;
@@ -500,7 +503,7 @@ TEST_P(URLRequestQuicTest, ExpectCT) {
   IsolationInfo isolation_info = IsolationInfo::CreateTransient();
   context->transport_security_state()->AddExpectCT(
       kTestServerHost, base::Time::Now() + base::Days(1), true /* enforce */,
-      report_uri, isolation_info.network_isolation_key());
+      report_uri, isolation_info.network_anonymization_key());
 
   base::RunLoop run_loop;
   TestDelegate delegate;
@@ -513,8 +516,8 @@ TEST_P(URLRequestQuicTest, ExpectCT) {
   EXPECT_EQ(ERR_QUIC_PROTOCOL_ERROR, delegate.request_status());
   ASSERT_EQ(1, expect_ct_reporter()->num_failures());
   EXPECT_EQ(report_uri, expect_ct_reporter()->report_uri());
-  EXPECT_EQ(isolation_info.network_isolation_key(),
-            expect_ct_reporter()->network_isolation_key());
+  EXPECT_EQ(isolation_info.network_anonymization_key(),
+            expect_ct_reporter()->network_anonymization_key());
 }
 
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_redirect_job.cc b/chromium/net/url_request/url_request_redirect_job.cc
index ce3e80e2022..52dabbfc774 100644
--- a/chromium/net/url_request/url_request_redirect_job.cc
+++ b/chromium/net/url_request/url_request_redirect_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_redirect_job.h b/chromium/net/url_request/url_request_redirect_job.h
index 6e185dff74f..0a560d0a0b6 100644
--- a/chromium/net/url_request/url_request_redirect_job.h
+++ b/chromium/net/url_request/url_request_redirect_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_test_job.cc b/chromium/net/url_request/url_request_test_job.cc
index f2578e40263..fed4e970216 100644
--- a/chromium/net/url_request/url_request_test_job.cc
+++ b/chromium/net/url_request/url_request_test_job.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_test_job.h b/chromium/net/url_request/url_request_test_job.h
index d405ed7a435..d464244f23e 100644
--- a/chromium/net/url_request/url_request_test_job.h
+++ b/chromium/net/url_request/url_request_test_job.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_test_util.cc b/chromium/net/url_request/url_request_test_util.cc
index 2c0b36aab42..83ae112f401 100644
--- a/chromium/net/url_request/url_request_test_util.cc
+++ b/chromium/net/url_request/url_request_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -19,8 +19,8 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/do_nothing_ct_verifier.h"
-#include "net/cookies/same_party_context.h"
 #include "net/dns/mock_host_resolver.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_server_properties.h"
@@ -84,10 +84,8 @@ std::unique_ptr<URLRequestContextBuilder> CreateTestURLRequestContextBuilder() {
   builder->SetHttpAuthHandlerFactory(HttpAuthHandlerFactory::CreateDefault());
   builder->SetHttpServerProperties(std::make_unique<HttpServerProperties>());
   builder->set_quic_context(std::make_unique<QuicContext>());
-  builder->SetCookieStore(
-      std::make_unique<CookieMonster>(/*store=*/nullptr,
-                                      /*netlog=*/nullptr,
-                                      /*first_party_sets_enabled=*/false));
+  builder->SetCookieStore(std::make_unique<CookieMonster>(/*store=*/nullptr,
+                                                          /*netlog=*/nullptr));
   builder->set_http_user_agent_settings(
       std::make_unique<StaticHttpUserAgentSettings>("en-us,fr", std::string()));
   return builder;
@@ -501,6 +499,7 @@ void TestNetworkDelegate::OnURLRequestDestroyed(URLRequest* request) {
 
 bool TestNetworkDelegate::OnAnnotateAndMoveUserBlockedCookies(
     const URLRequest& request,
+    const net::FirstPartySetMetadata& first_party_set_metadata,
     net::CookieAccessResultList& maybe_included_cookies,
     net::CookieAccessResultList& excluded_cookies) {
   bool allow = true;
@@ -547,6 +546,14 @@ bool TestNetworkDelegate::OnCancelURLRequestWithPolicyViolatingReferrerHeader(
   return cancel_request_with_policy_violating_referrer_;
 }
 
+absl::optional<FirstPartySetsCacheFilter::MatchInfo>
+TestNetworkDelegate::OnGetFirstPartySetsCacheFilterMatchInfoMaybeAsync(
+    const SchemefulSite& request_site,
+    base::OnceCallback<void(FirstPartySetsCacheFilter::MatchInfo)> callback)
+    const {
+  return fps_cache_filter_.GetMatchInfo(request_site);
+}
+
 int TestNetworkDelegate::GetRequestId(URLRequest* request) {
   TestRequestId* test_request_id = reinterpret_cast<TestRequestId*>(
       request->GetUserData(kTestNetworkDelegateRequestIdKey));
@@ -597,6 +604,7 @@ FilteringTestNetworkDelegate::OnForcePrivacyMode(
 
 bool FilteringTestNetworkDelegate::OnAnnotateAndMoveUserBlockedCookies(
     const URLRequest& request,
+    const net::FirstPartySetMetadata& first_party_set_metadata,
     net::CookieAccessResultList& maybe_included_cookies,
     net::CookieAccessResultList& excluded_cookies) {
   // Filter out cookies if |block_annotate_cookies_| is set and
@@ -630,7 +638,8 @@ bool FilteringTestNetworkDelegate::OnAnnotateAndMoveUserBlockedCookies(
 
   // Call the nested delegate's method first to avoid a short circuit.
   return TestNetworkDelegate::OnAnnotateAndMoveUserBlockedCookies(
-             request, maybe_included_cookies, excluded_cookies) &&
+             request, first_party_set_metadata, maybe_included_cookies,
+             excluded_cookies) &&
          allowed;
 }
 
diff --git a/chromium/net/url_request/url_request_test_util.h b/chromium/net/url_request/url_request_test_util.h
index e8fa60fb4c2..67d4d21ab66 100644
--- a/chromium/net/url_request/url_request_test_util.h
+++ b/chromium/net/url_request/url_request_test_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -30,8 +30,10 @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cookies/cookie_monster.h"
-#include "net/cookies/same_party_context.h"
 #include "net/disk_cache/disk_cache.h"
+#include "net/first_party_sets/first_party_set_metadata.h"
+#include "net/first_party_sets/first_party_sets_cache_filter.h"
+#include "net/first_party_sets/same_party_context.h"
 #include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_cache.h"
 #include "net/http/http_network_layer.h"
@@ -45,7 +47,6 @@
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
-#include "net/url_request/url_request_context_storage.h"
 #include "net/url_request/url_request_interceptor.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 #include "url/url_util.h"
@@ -288,6 +289,10 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
     before_start_transaction_fails_ = true;
   }
 
+  void set_fps_cache_filter(FirstPartySetsCacheFilter cache_filter) {
+    fps_cache_filter_ = std::move(cache_filter);
+  }
+
  protected:
   // NetworkDelegate:
   int OnBeforeURLRequest(URLRequest* request,
@@ -310,6 +315,7 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
   void OnURLRequestDestroyed(URLRequest* request) override;
   bool OnAnnotateAndMoveUserBlockedCookies(
       const URLRequest& request,
+      const net::FirstPartySetMetadata& first_party_set_metadata,
       net::CookieAccessResultList& maybe_included_cookies,
       net::CookieAccessResultList& excluded_cookies) override;
   NetworkDelegate::PrivacySetting OnForcePrivacyMode(
@@ -324,6 +330,11 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
       const URLRequest& request,
       const GURL& target_url,
       const GURL& referrer_url) const override;
+  absl::optional<FirstPartySetsCacheFilter::MatchInfo>
+  OnGetFirstPartySetsCacheFilterMatchInfoMaybeAsync(
+      const SchemefulSite& request_site,
+      base::OnceCallback<void(FirstPartySetsCacheFilter::MatchInfo)> callback)
+      const override;
 
   void InitRequestStatesIfNew(int request_id);
 
@@ -367,6 +378,8 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
   bool before_start_transaction_fails_ = false;
   bool add_header_to_first_response_ = false;
   int next_request_id_ = 0;
+
+  FirstPartySetsCacheFilter fps_cache_filter_;
 };
 
 // ----------------------------------------------------------------------------
@@ -394,6 +407,7 @@ class FilteringTestNetworkDelegate : public TestNetworkDelegate {
 
   bool OnAnnotateAndMoveUserBlockedCookies(
       const URLRequest& request,
+      const net::FirstPartySetMetadata& first_party_set_metadata,
       net::CookieAccessResultList& maybe_included_cookies,
       net::CookieAccessResultList& excluded_cookies) override;
 
diff --git a/chromium/net/url_request/url_request_throttler_entry.cc b/chromium/net/url_request/url_request_throttler_entry.cc
index ddfbf2f4387..02055a63dd0 100644
--- a/chromium/net/url_request/url_request_throttler_entry.cc
+++ b/chromium/net/url_request/url_request_throttler_entry.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_throttler_entry.h b/chromium/net/url_request/url_request_throttler_entry.h
index 48d41f0ca8a..b08e5decb7f 100644
--- a/chromium/net/url_request/url_request_throttler_entry.h
+++ b/chromium/net/url_request/url_request_throttler_entry.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_throttler_entry_interface.h b/chromium/net/url_request/url_request_throttler_entry_interface.h
index 0e15419ba54..c9e7ca728af 100644
--- a/chromium/net/url_request/url_request_throttler_entry_interface.h
+++ b/chromium/net/url_request/url_request_throttler_entry_interface.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_throttler_manager.cc b/chromium/net/url_request/url_request_throttler_manager.cc
index fc91eceff29..a535e3202a4 100644
--- a/chromium/net/url_request/url_request_throttler_manager.cc
+++ b/chromium/net/url_request/url_request_throttler_manager.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_throttler_manager.h b/chromium/net/url_request/url_request_throttler_manager.h
index e32ecbdca92..a65002e2f5c 100644
--- a/chromium/net/url_request/url_request_throttler_manager.h
+++ b/chromium/net/url_request/url_request_throttler_manager.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -102,7 +102,9 @@ class NET_EXPORT_PRIVATE URLRequestThrottlerManager
   void OnNetworkChange();
 
   // Used by tests.
-  int GetNumberOfEntriesForTests() const { return url_entries_.size(); }
+  int GetNumberOfEntriesForTests() const {
+    return static_cast<int>(url_entries_.size());
+  }
 
  private:
   // From each URL we generate an ID composed of the scheme, host, port and path
diff --git a/chromium/net/url_request/url_request_throttler_simulation_unittest.cc b/chromium/net/url_request/url_request_throttler_simulation_unittest.cc
index 9d79f695a3b..e35f38a0222 100644
--- a/chromium/net/url_request/url_request_throttler_simulation_unittest.cc
+++ b/chromium/net/url_request/url_request_throttler_simulation_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_throttler_test_support.cc b/chromium/net/url_request/url_request_throttler_test_support.cc
index 530612bae60..a8915a4b184 100644
--- a/chromium/net/url_request/url_request_throttler_test_support.cc
+++ b/chromium/net/url_request/url_request_throttler_test_support.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_throttler_test_support.h b/chromium/net/url_request/url_request_throttler_test_support.h
index 93da3eb0d24..b620db691ee 100644
--- a/chromium/net/url_request/url_request_throttler_test_support.h
+++ b/chromium/net/url_request/url_request_throttler_test_support.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright 2011 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_throttler_unittest.cc b/chromium/net/url_request/url_request_throttler_unittest.cc
index 0297899726f..7fca11719ed 100644
--- a/chromium/net/url_request/url_request_throttler_unittest.cc
+++ b/chromium/net/url_request/url_request_throttler_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/url_request_unittest.cc b/chromium/net/url_request/url_request_unittest.cc
index 9c45ace4a25..4892eb28081 100644
--- a/chromium/net/url_request/url_request_unittest.cc
+++ b/chromium/net/url_request/url_request_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -97,8 +97,8 @@
 #include "net/cookies/cookie_store_test_helpers.h"
 #include "net/cookies/test_cookie_access_delegate.h"
 #include "net/disk_cache/disk_cache.h"
-#include "net/dns/host_resolver_results.h"
 #include "net/dns/mock_host_resolver.h"
+#include "net/dns/public/host_resolver_results.h"
 #include "net/dns/public/secure_dns_policy.h"
 #include "net/http/http_byte_range.h"
 #include "net/http/http_cache.h"
@@ -602,26 +602,26 @@ class MockCertificateReportSender
       const GURL& report_uri,
       base::StringPiece content_type,
       base::StringPiece report,
-      const NetworkIsolationKey& network_isolation_key,
+      const NetworkAnonymizationKey& network_anonymization_key,
       base::OnceCallback<void()> success_callback,
       base::OnceCallback<void(const GURL&, int, int)> error_callback) override {
     latest_report_uri_ = report_uri;
     latest_report_.assign(report.data(), report.size());
     latest_content_type_.assign(content_type.data(), content_type.size());
-    latest_network_isolation_key_ = network_isolation_key;
+    latest_network_anonymization_key_ = network_anonymization_key;
   }
   const GURL& latest_report_uri() { return latest_report_uri_; }
   const std::string& latest_report() { return latest_report_; }
   const std::string& latest_content_type() { return latest_content_type_; }
-  const NetworkIsolationKey& latest_network_isolation_key() {
-    return latest_network_isolation_key_;
+  const NetworkAnonymizationKey& latest_network_anonymization_key() {
+    return latest_network_anonymization_key_;
   }
 
  private:
   GURL latest_report_uri_;
   std::string latest_report_;
   std::string latest_content_type_;
-  NetworkIsolationKey latest_network_isolation_key_;
+  NetworkAnonymizationKey latest_network_anonymization_key_;
 };
 
 // OCSPErrorTestDelegate caches the SSLInfo passed to OnSSLCertificateError.
@@ -1081,8 +1081,8 @@ LoadTimingInfo NormalLoadTimingInfo(base::TimeTicks now,
 
   LoadTimingInfo::ConnectTiming& connect_timing = load_timing.connect_timing;
   if (connect_time_flags & CONNECT_TIMING_HAS_DNS_TIMES) {
-    connect_timing.dns_start = now + base::Days(3);
-    connect_timing.dns_end = now + base::Days(4);
+    connect_timing.domain_lookup_start = now + base::Days(3);
+    connect_timing.domain_lookup_end = now + base::Days(4);
   }
   connect_timing.connect_start = now + base::Days(5);
   if (connect_time_flags & CONNECT_TIMING_HAS_SSL_TIMES) {
@@ -1161,10 +1161,10 @@ TEST_F(URLRequestLoadTimingTest, InterceptLoadTiming) {
             load_timing_result.proxy_resolve_start);
   EXPECT_EQ(job_load_timing.proxy_resolve_end,
             load_timing_result.proxy_resolve_end);
-  EXPECT_EQ(job_load_timing.connect_timing.dns_start,
-            load_timing_result.connect_timing.dns_start);
-  EXPECT_EQ(job_load_timing.connect_timing.dns_end,
-            load_timing_result.connect_timing.dns_end);
+  EXPECT_EQ(job_load_timing.connect_timing.domain_lookup_start,
+            load_timing_result.connect_timing.domain_lookup_start);
+  EXPECT_EQ(job_load_timing.connect_timing.domain_lookup_end,
+            load_timing_result.connect_timing.domain_lookup_end);
   EXPECT_EQ(job_load_timing.connect_timing.connect_start,
             load_timing_result.connect_timing.connect_start);
   EXPECT_EQ(job_load_timing.connect_timing.connect_end,
@@ -1192,10 +1192,10 @@ TEST_F(URLRequestLoadTimingTest, InterceptLoadTimingProxy) {
             load_timing_result.proxy_resolve_start);
   EXPECT_EQ(job_load_timing.proxy_resolve_end,
             load_timing_result.proxy_resolve_end);
-  EXPECT_EQ(job_load_timing.connect_timing.dns_start,
-            load_timing_result.connect_timing.dns_start);
-  EXPECT_EQ(job_load_timing.connect_timing.dns_end,
-            load_timing_result.connect_timing.dns_end);
+  EXPECT_EQ(job_load_timing.connect_timing.domain_lookup_start,
+            load_timing_result.connect_timing.domain_lookup_start);
+  EXPECT_EQ(job_load_timing.connect_timing.domain_lookup_end,
+            load_timing_result.connect_timing.domain_lookup_end);
   EXPECT_EQ(job_load_timing.connect_timing.connect_start,
             load_timing_result.connect_timing.connect_start);
   EXPECT_EQ(job_load_timing.connect_timing.connect_end,
@@ -1222,8 +1222,8 @@ TEST_F(URLRequestLoadTimingTest, InterceptLoadTimingEarlyProxyResolution) {
       NormalLoadTimingInfo(now, CONNECT_TIMING_HAS_DNS_TIMES, true);
   job_load_timing.proxy_resolve_start = now - base::Days(6);
   job_load_timing.proxy_resolve_end = now - base::Days(5);
-  job_load_timing.connect_timing.dns_start = now - base::Days(4);
-  job_load_timing.connect_timing.dns_end = now - base::Days(3);
+  job_load_timing.connect_timing.domain_lookup_start = now - base::Days(4);
+  job_load_timing.connect_timing.domain_lookup_end = now - base::Days(3);
   job_load_timing.connect_timing.connect_start = now - base::Days(2);
   job_load_timing.connect_timing.connect_end = now - base::Days(1);
 
@@ -1237,9 +1237,9 @@ TEST_F(URLRequestLoadTimingTest, InterceptLoadTimingEarlyProxyResolution) {
   EXPECT_EQ(load_timing_result.request_start,
             load_timing_result.proxy_resolve_end);
   EXPECT_EQ(load_timing_result.request_start,
-            load_timing_result.connect_timing.dns_start);
+            load_timing_result.connect_timing.domain_lookup_start);
   EXPECT_EQ(load_timing_result.request_start,
-            load_timing_result.connect_timing.dns_end);
+            load_timing_result.connect_timing.domain_lookup_end);
   EXPECT_EQ(load_timing_result.request_start,
             load_timing_result.connect_timing.connect_start);
   EXPECT_EQ(load_timing_result.request_start,
@@ -1366,10 +1366,6 @@ TEST_F(URLRequestTest, NetworkDelegateProxyError) {
 // Test that when host resolution fails with `ERR_DNS_NAME_HTTPS_ONLY` for
 // "http://" requests, scheme is upgraded to "https://".
 TEST_F(URLRequestTest, DnsNameHttpsOnlyErrorCausesSchemeUpgrade) {
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
-
   EmbeddedTestServer https_server(EmbeddedTestServer::TYPE_HTTPS);
   https_server.SetSSLConfig(EmbeddedTestServer::CERT_TEST_NAMES);
   RegisterDefaultHandlers(&https_server);
@@ -1426,10 +1422,6 @@ TEST_F(URLRequestTest, DnsNameHttpsOnlyErrorCausesSchemeUpgrade) {
 
 // Test that DNS-based scheme upgrade supports deferred redirect.
 TEST_F(URLRequestTest, DnsNameHttpsOnlyErrorCausesSchemeUpgradeDeferred) {
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
-
   EmbeddedTestServer https_server(EmbeddedTestServer::TYPE_HTTPS);
   https_server.SetSSLConfig(EmbeddedTestServer::CERT_TEST_NAMES);
   RegisterDefaultHandlers(&https_server);
@@ -1492,10 +1484,6 @@ TEST_F(URLRequestTest, DnsNameHttpsOnlyErrorCausesSchemeUpgradeDeferred) {
 // Test that requests with "ws" scheme are upgraded to "wss" when DNS
 // indicates that the name is HTTPS-only.
 TEST_F(URLRequestTest, DnsHttpsRecordPresentCausesWsSchemeUpgrade) {
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
-
   EmbeddedTestServer https_server(EmbeddedTestServer::TYPE_HTTPS);
   https_server.SetSSLConfig(EmbeddedTestServer::CERT_TEST_NAMES);
   RegisterDefaultHandlers(&https_server);
@@ -1558,10 +1546,6 @@ TEST_F(URLRequestTest, DnsHttpsRecordPresentCausesWsSchemeUpgrade) {
 #endif  // BUILDFLAG(ENABLE_WEBSOCKETS)
 
 TEST_F(URLRequestTest, DnsHttpsRecordAbsentNoSchemeUpgrade) {
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
-
   EmbeddedTestServer http_server(EmbeddedTestServer::TYPE_HTTP);
   RegisterDefaultHandlers(&http_server);
   ASSERT_TRUE(http_server.Start());
@@ -1984,8 +1968,7 @@ TEST_F(URLRequestTest, DelayedCookieCallbackAsync) {
       url, "AlreadySetCookie=1;Secure", base::Time::Now(),
       absl::nullopt /* server_time */,
       absl::nullopt /* cookie_partition_key */);
-  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr,
-                                            /*first_party_sets_enabled=*/false);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
   cm->SetCanonicalCookieAsync(std::move(cookie2), url,
                               net::CookieOptions::MakeAllInclusive(),
                               CookieStore::SetCookiesCallback());
@@ -3191,8 +3174,7 @@ TEST_P(URLRequestSameSiteCookiesTest, SameSiteCookiesSpecialScheme) {
   // Set up special schemes
   auto cad = std::make_unique<TestCookieAccessDelegate>();
   cad->SetIgnoreSameSiteRestrictionsScheme("chrome", true);
-  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr,
-                                            /*first_party_sets_enabled=*/false);
+  auto cm = std::make_unique<CookieMonster>(nullptr, nullptr);
   cm->SetCookieAccessDelegate(std::move(cad));
 
   auto context_builder = CreateTestURLRequestContextBuilder();
@@ -3856,8 +3838,8 @@ class URLRequestTestHTTP : public URLRequestTest {
         isolation_info1_(IsolationInfo::CreateForInternalRequest(origin1_)),
         isolation_info2_(IsolationInfo::CreateForInternalRequest(origin2_)),
         test_server_(base::FilePath(kTestFilePath)) {
-    // Needed for NetworkIsolationKey to make it down to the socket layer, for
-    // the PKP violation report test.
+    // Needed for NetworkAnonymizationKey to make it down to the socket layer,
+    // for the PKP violation report test.
     feature_list_.InitAndEnableFeature(
         net::features::kPartitionConnectionsByNetworkIsolationKey);
   }
@@ -6228,8 +6210,8 @@ TEST_F(URLRequestTestHTTP, ProcessPKPAndSendReport) {
   std::string* report_hostname = report_dict->FindString("hostname");
   ASSERT_TRUE(report_hostname);
   EXPECT_EQ(test_server_hostname, *report_hostname);
-  EXPECT_EQ(isolation_info.network_isolation_key(),
-            mock_report_sender.latest_network_isolation_key());
+  EXPECT_EQ(isolation_info.network_anonymization_key(),
+            mock_report_sender.latest_network_anonymization_key());
 }
 
 // Tests that reports do not get sent on requests to static pkp hosts that
@@ -6285,8 +6267,8 @@ TEST_F(URLRequestTestHTTP, ProcessPKPWithNoViolation) {
   EXPECT_EQ(OK, d.request_status());
   EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
   EXPECT_EQ(std::string(), mock_report_sender.latest_report());
-  EXPECT_EQ(NetworkIsolationKey(),
-            mock_report_sender.latest_network_isolation_key());
+  EXPECT_EQ(NetworkAnonymizationKey(),
+            mock_report_sender.latest_network_anonymization_key());
   TransportSecurityState::PKPState pkp_state;
   EXPECT_TRUE(context->transport_security_state()->GetStaticPKPState(
       test_server_hostname, &pkp_state));
@@ -6345,8 +6327,8 @@ TEST_F(URLRequestTestHTTP, PKPBypassRecorded) {
   EXPECT_EQ(OK, d.request_status());
   EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());
   EXPECT_EQ(std::string(), mock_report_sender.latest_report());
-  EXPECT_EQ(NetworkIsolationKey(),
-            mock_report_sender.latest_network_isolation_key());
+  EXPECT_EQ(NetworkAnonymizationKey(),
+            mock_report_sender.latest_network_anonymization_key());
   TransportSecurityState::PKPState pkp_state;
   EXPECT_TRUE(context->transport_security_state()->GetStaticPKPState(
       test_server_hostname, &pkp_state));
@@ -6398,7 +6380,7 @@ class MockExpectCTReporter : public TransportSecurityState::ExpectCTReporter {
       const X509Certificate* served_certificate_chain,
       const SignedCertificateTimestampAndStatusList&
           signed_certificate_timestamps,
-      const NetworkIsolationKey& network_isolation_key) override {
+      const NetworkAnonymizationKey& network_anonymization_key) override {
     num_failures_++;
   }
 
@@ -6490,8 +6472,7 @@ TEST_F(URLRequestTestHTTP, PreloadExpectCTHeader) {
 // Tests that Expect CT HTTP headers are processed correctly.
 TEST_F(URLRequestTestHTTP, ExpectCTHeader) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   EmbeddedTestServer https_test_server(net::EmbeddedTestServer::TYPE_HTTPS);
   https_test_server.SetSSLConfig(
@@ -6531,7 +6512,7 @@ TEST_F(URLRequestTestHTTP, ExpectCTHeader) {
 
   TransportSecurityState::ExpectCTState state;
   ASSERT_TRUE(context->transport_security_state()->GetDynamicExpectCTState(
-      url.host(), NetworkIsolationKey(), &state));
+      url.host(), NetworkAnonymizationKey(), &state));
   EXPECT_TRUE(state.enforce);
   EXPECT_EQ(GURL("https://example.test"), state.report_uri);
 }
@@ -6540,8 +6521,7 @@ TEST_F(URLRequestTestHTTP, ExpectCTHeader) {
 // processed.
 TEST_F(URLRequestTestHTTP, MultipleExpectCTHeaders) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      TransportSecurityState::kDynamicExpectCTFeature);
+  feature_list.InitAndEnableFeature(kDynamicExpectCTFeature);
 
   EmbeddedTestServer https_test_server(net::EmbeddedTestServer::TYPE_HTTPS);
   https_test_server.SetSSLConfig(
@@ -6582,7 +6562,7 @@ TEST_F(URLRequestTestHTTP, MultipleExpectCTHeaders) {
 
   TransportSecurityState::ExpectCTState state;
   ASSERT_TRUE(context->transport_security_state()->GetDynamicExpectCTState(
-      url.host(), NetworkIsolationKey(), &state));
+      url.host(), NetworkAnonymizationKey(), &state));
   EXPECT_TRUE(state.enforce);
   EXPECT_EQ(GURL("https://example.test"), state.report_uri);
 }
@@ -7740,20 +7720,20 @@ TEST_F(URLRequestTestHTTP, IsolationInfoUpdatedOnRedirect) {
   }
 }
 
-// Tests that |key_auth_cache_by_network_isolation_key| is respected.
-TEST_F(URLRequestTestHTTP, AuthWithNetworkIsolationKey) {
+// Tests that |key_auth_cache_by_network_anonymization_key| is respected.
+TEST_F(URLRequestTestHTTP, AuthWithNetworkAnonymizationKey) {
   ASSERT_TRUE(http_test_server()->Start());
 
-  for (bool key_auth_cache_by_network_isolation_key : {false, true}) {
+  for (bool key_auth_cache_by_network_anonymization_key : {false, true}) {
     auto context_builder = CreateTestURLRequestContextBuilder();
     HttpNetworkSessionParams network_session_params;
     network_session_params
-        .key_auth_cache_server_entries_by_network_isolation_key =
-        key_auth_cache_by_network_isolation_key;
+        .key_auth_cache_server_entries_by_network_anonymization_key =
+        key_auth_cache_by_network_anonymization_key;
     context_builder->set_http_network_session_params(network_session_params);
     auto context = context_builder->Build();
 
-    // Populate the auth cache using one NetworkIsolationKey.
+    // Populate the auth cache using one NetworkAnonymizationKey.
     {
       TestDelegate d;
       GURL url(base::StringPrintf(
@@ -7774,9 +7754,9 @@ TEST_F(URLRequestTestHTTP, AuthWithNetworkIsolationKey) {
       EXPECT_TRUE(d.data_received().find("user/secret") != std::string::npos);
     }
 
-    // Make a request with another NetworkIsolationKey. This may or may not use
-    // the cached auth credentials, depending on whether or not the
-    // HttpAuthCache is configured to respect the NetworkIsolationKey.
+    // Make a request with another NetworkAnonymizationKey. This may or may not
+    // use the cached auth credentials, depending on whether or not the
+    // HttpAuthCache is configured to respect the NetworkAnonymizationKey.
     {
       TestDelegate d;
 
@@ -7791,13 +7771,13 @@ TEST_F(URLRequestTestHTTP, AuthWithNetworkIsolationKey) {
 
       EXPECT_THAT(d.request_status(), IsOk());
       ASSERT_TRUE(r->response_headers());
-      if (key_auth_cache_by_network_isolation_key) {
+      if (key_auth_cache_by_network_anonymization_key) {
         EXPECT_EQ(401, r->response_headers()->response_code());
       } else {
         EXPECT_EQ(200, r->response_headers()->response_code());
       }
 
-      EXPECT_EQ(!key_auth_cache_by_network_isolation_key,
+      EXPECT_EQ(!key_auth_cache_by_network_anonymization_key,
                 d.data_received().find("user/secret") != std::string::npos);
     }
   }
@@ -7978,8 +7958,8 @@ TEST_F(URLRequestTest, NoCookieInclusionStatusWarningIfWouldBeExcludedAnyway) {
   auto& network_delegate = *context_builder->set_network_delegate(
       std::make_unique<FilteringTestNetworkDelegate>());
   network_delegate.SetCookieFilter("blockeduserpreference");
-  context_builder->SetCookieStore(std::make_unique<CookieMonster>(
-      nullptr, nullptr, /*first_party_sets_enabled=*/false));
+  context_builder->SetCookieStore(
+      std::make_unique<CookieMonster>(nullptr, nullptr));
   auto context = context_builder->Build();
   auto& cm = *static_cast<CookieMonster*>(context->cookie_store());
 
@@ -8228,8 +8208,8 @@ TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
     auto& filtering_network_delegate = *context_builder->set_network_delegate(
         std::make_unique<FilteringTestNetworkDelegate>());
     filtering_network_delegate.set_block_annotate_cookies();
-    context_builder->SetCookieStore(std::make_unique<CookieMonster>(
-        nullptr, nullptr, /*first_party_sets_enabled=*/false));
+    context_builder->SetCookieStore(
+        std::make_unique<CookieMonster>(nullptr, nullptr));
     auto context = context_builder->Build();
 
     auto* cm = static_cast<CookieMonster*>(context->cookie_store());
@@ -8652,8 +8632,8 @@ TEST_F(URLRequestTestHTTP, RedirectWithFilteredCookies) {
     auto& filtering_network_delegate = *context_builder->set_network_delegate(
         std::make_unique<FilteringTestNetworkDelegate>());
     filtering_network_delegate.set_block_annotate_cookies();
-    context_builder->SetCookieStore(std::make_unique<CookieMonster>(
-        nullptr, nullptr, /*first_party_sets_enabled=*/false));
+    context_builder->SetCookieStore(
+        std::make_unique<CookieMonster>(nullptr, nullptr));
     auto context = context_builder->Build();
 
     auto* cm = static_cast<CookieMonster*>(context->cookie_store());
@@ -10765,10 +10745,6 @@ static bool UsingBuiltinCertVerifier() {
 #if BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
   return true;
 #else
-#if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
-  if (base::FeatureList::IsEnabled(features::kCertVerifierBuiltinFeature))
-    return true;
-#endif
 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
   if (base::FeatureList::IsEnabled(features::kChromeRootStoreUsed))
     return true;
@@ -13111,6 +13087,246 @@ TEST_F(URLRequestTest, SetURLChain) {
   }
 }
 
+TEST_F(URLRequestTest, SetIsolationInfoFromNakTripleNikTripleNak) {
+  base::test::ScopedFeatureList scoped_feature_list_;
+  std::vector<base::test::FeatureRef> enabled_features = {};
+  std::vector<base::test::FeatureRef> disabled_features = {
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey,
+      net::features::kForceIsolationInfoFrameOriginToTopLevelFrame,
+      net::features::kEnableCrossSiteFlagNetworkAnonymizationKey};
+  scoped_feature_list_.InitWithFeatures(enabled_features, disabled_features);
+
+  TestDelegate d;
+  SchemefulSite site_a = SchemefulSite(GURL("https://a.com/"));
+  SchemefulSite site_b = SchemefulSite(GURL("https://b.com/"));
+  base::UnguessableToken nak_nonce = base::UnguessableToken::Create();
+  NetworkAnonymizationKey populated_cross_site_nak(site_a, site_b, true,
+                                                   nak_nonce);
+  IsolationInfo expected_isolation_info_populated_cross_site_nak =
+      IsolationInfo::Create(IsolationInfo::RequestType::kOther,
+                            url::Origin::Create(GURL("https://a.com/")),
+                            url::Origin::Create(GURL("https://b.com/")),
+                            SiteForCookies(),
+                            /*party_context=*/absl::nullopt, &nak_nonce);
+
+  NetworkAnonymizationKey populated_same_site_nak(site_a, site_a, false,
+                                                  nak_nonce);
+  IsolationInfo expected_isolation_info_populated_same_site_nak =
+      IsolationInfo::Create(IsolationInfo::RequestType::kOther,
+                            url::Origin::Create(GURL("https://a.com/")),
+                            url::Origin::Create(GURL("https://a.com/")),
+                            SiteForCookies(),
+                            /*party_context=*/absl::nullopt, &nak_nonce);
+
+  NetworkAnonymizationKey empty_nak;
+  GURL original_url("http://localhost");
+  std::unique_ptr<URLRequest> r(default_context().CreateRequest(
+      original_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  r->set_isolation_info_from_network_anonymization_key(
+      populated_cross_site_nak);
+  r->SetLoadFlags(LOAD_DISABLE_CACHE);
+  r->set_allow_credentials(false);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(),
+            populated_cross_site_nak);
+  EXPECT_TRUE(r->isolation_info().IsEqualForTesting(
+      expected_isolation_info_populated_cross_site_nak));
+
+  r->set_isolation_info_from_network_anonymization_key(populated_same_site_nak);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(),
+            populated_same_site_nak);
+  EXPECT_TRUE(r->isolation_info().IsEqualForTesting(
+      expected_isolation_info_populated_same_site_nak));
+
+  r->set_isolation_info_from_network_anonymization_key(empty_nak);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(), empty_nak);
+  EXPECT_TRUE(r->isolation_info().IsEqualForTesting(net::IsolationInfo()));
+  r->Start();
+  d.RunUntilComplete();
+}
+
+TEST_F(URLRequestTest, SetIsolationInfoFromNakDoubleNikDoubleNak) {
+  base::test::ScopedFeatureList scoped_feature_list_;
+  std::vector<base::test::FeatureRef> enabled_features = {
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey,
+      net::features::kForceIsolationInfoFrameOriginToTopLevelFrame};
+  std::vector<base::test::FeatureRef> disabled_features = {
+      net::features::kEnableCrossSiteFlagNetworkAnonymizationKey};
+  scoped_feature_list_.InitWithFeatures(enabled_features, disabled_features);
+
+  TestDelegate d;
+  SchemefulSite site_a = SchemefulSite(GURL("https://a.com/"));
+  SchemefulSite site_b = SchemefulSite(GURL("https://b.com/"));
+  base::UnguessableToken nak_nonce = base::UnguessableToken::Create();
+  NetworkAnonymizationKey populated_cross_site_nak(site_a, site_b, true,
+                                                   nak_nonce);
+  NetworkAnonymizationKey populated_same_site_nak(site_a, site_a, false,
+                                                  nak_nonce);
+  // Frame site should be set to the top level sites value even though NAK is
+  // double keyed.
+  IsolationInfo expected_isolation_info_populated_same_site_nak =
+      IsolationInfo::Create(IsolationInfo::RequestType::kOther,
+                            url::Origin::Create(GURL("https://a.com/")),
+                            url::Origin::Create(GURL("https://a.com/")),
+                            SiteForCookies(),
+                            /*party_context=*/absl::nullopt, &nak_nonce);
+  NetworkAnonymizationKey empty_nak;
+
+  GURL original_url("http://localhost");
+  std::unique_ptr<URLRequest> r(default_context().CreateRequest(
+      original_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  r->set_isolation_info_from_network_anonymization_key(
+      populated_cross_site_nak);
+  r->SetLoadFlags(LOAD_DISABLE_CACHE);
+  r->set_allow_credentials(false);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(),
+            populated_cross_site_nak);
+  // We do not know the frame_site other than that it will be cross site.
+  EXPECT_EQ(r->isolation_info().top_frame_origin(),
+            url::Origin::Create(GURL("https://a.com/")));
+
+  r->set_isolation_info_from_network_anonymization_key(populated_same_site_nak);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(),
+            populated_same_site_nak);
+  EXPECT_TRUE(r->isolation_info().IsEqualForTesting(
+      expected_isolation_info_populated_same_site_nak));
+
+  r->set_isolation_info_from_network_anonymization_key(empty_nak);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_TRUE(r->load_flags() & LOAD_DISABLE_CACHE);
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(), empty_nak);
+  EXPECT_TRUE(r->isolation_info().IsEqualForTesting(net::IsolationInfo()));
+  r->Start();
+  d.RunUntilComplete();
+}
+
+TEST_F(URLRequestTest, SetIsolationInfoFromNakTripleNikDoubleNak) {
+  base::test::ScopedFeatureList scoped_feature_list_;
+  std::vector<base::test::FeatureRef> enabled_features = {
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey};
+  std::vector<base::test::FeatureRef> disabled_features = {
+      net::features::kForceIsolationInfoFrameOriginToTopLevelFrame,
+      net::features::kEnableCrossSiteFlagNetworkAnonymizationKey};
+  scoped_feature_list_.InitWithFeatures(enabled_features, disabled_features);
+
+  TestDelegate d;
+  SchemefulSite site_a = SchemefulSite(GURL("https://a.com/"));
+  SchemefulSite site_b = SchemefulSite(GURL("https://b.com/"));
+  base::UnguessableToken nak_nonce = base::UnguessableToken::Create();
+  NetworkAnonymizationKey populated_cross_site_nak(site_a, site_b, true,
+                                                   nak_nonce);
+  NetworkAnonymizationKey populated_same_site_nak(site_a, site_a, false,
+                                                  nak_nonce);
+  IsolationInfo expected_isolation_info_populated_same_site_nak =
+      IsolationInfo::Create(IsolationInfo::RequestType::kOther,
+                            url::Origin::Create(GURL("https://a.com/")),
+                            url::Origin::Create(GURL("https://a.com/")),
+                            SiteForCookies(),
+                            /*party_context=*/absl::nullopt, &nak_nonce);
+  NetworkAnonymizationKey empty_nak;
+
+  GURL original_url("http://localhost");
+  std::unique_ptr<URLRequest> r(default_context().CreateRequest(
+      original_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  r->set_isolation_info_from_network_anonymization_key(
+      populated_cross_site_nak);
+  r->SetLoadFlags(LOAD_DISABLE_CACHE);
+  r->set_allow_credentials(false);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(),
+            populated_cross_site_nak);
+  EXPECT_EQ(r->isolation_info().top_frame_origin(),
+            url::Origin::Create(GURL("https://a.com/")));
+  // When double key is enabled for NAK but not for NIK, the frame site of the
+  // IsolationInfo will be set to the top level site.
+  EXPECT_EQ(r->isolation_info().frame_origin(),
+            url::Origin::Create(GURL("https://a.com/")));
+
+  r->set_isolation_info_from_network_anonymization_key(populated_same_site_nak);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_TRUE(r->load_flags() & LOAD_DISABLE_CACHE);
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(),
+            populated_same_site_nak);
+  EXPECT_TRUE(r->isolation_info().IsEqualForTesting(
+      expected_isolation_info_populated_same_site_nak));
+
+  r->set_isolation_info_from_network_anonymization_key(empty_nak);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_TRUE(r->load_flags() & LOAD_DISABLE_CACHE);
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(), empty_nak);
+  EXPECT_FALSE(r->isolation_info().top_frame_origin());
+  EXPECT_FALSE(r->isolation_info().frame_origin());
+  r->Start();
+  d.RunUntilComplete();
+}
+
+TEST_F(URLRequestTest,
+       SetIsolationInfoFromNakTripleNikDoubleWithCrossSiteFlagNak) {
+  base::test::ScopedFeatureList scoped_feature_list_;
+  std::vector<base::test::FeatureRef> enabled_features = {
+      net::features::kEnableDoubleKeyNetworkAnonymizationKey,
+      net::features::kEnableCrossSiteFlagNetworkAnonymizationKey};
+  std::vector<base::test::FeatureRef> disabled_features = {
+      net::features::kForceIsolationInfoFrameOriginToTopLevelFrame};
+  scoped_feature_list_.InitWithFeatures(enabled_features, disabled_features);
+
+  TestDelegate d;
+  SchemefulSite site_a = SchemefulSite(GURL("https://a.com/"));
+  SchemefulSite site_b = SchemefulSite(GURL("https://b.com/"));
+  base::UnguessableToken nak_nonce = base::UnguessableToken::Create();
+  NetworkAnonymizationKey populated_cross_site_nak(
+      site_a, site_b, /*is_cross_site=*/true, nak_nonce);
+  NetworkAnonymizationKey populated_same_site_nak(
+      site_a, site_a, /*is_cross_site=*/false, nak_nonce);
+
+  NetworkAnonymizationKey empty_nak;
+  GURL original_url("http://localhost");
+  std::unique_ptr<URLRequest> r(default_context().CreateRequest(
+      original_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  r->set_isolation_info_from_network_anonymization_key(
+      populated_cross_site_nak);
+  r->SetLoadFlags(LOAD_DISABLE_CACHE);
+  r->set_allow_credentials(false);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_TRUE(r->load_flags() & LOAD_DISABLE_CACHE);
+  EXPECT_EQ(r->isolation_info().network_anonymization_key().ToDebugString(),
+            populated_cross_site_nak.ToDebugString());
+  EXPECT_EQ(r->isolation_info().top_frame_origin(),
+            url::Origin::Create(GURL("https://a.com/")));
+  // When double key is enabled for NAK but not for NIK, the frame site of the
+  // IsolationInfo will be set to the top level site.
+  EXPECT_TRUE(r->isolation_info().frame_origin());
+
+  r->set_isolation_info_from_network_anonymization_key(populated_same_site_nak);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_TRUE(r->load_flags() & LOAD_DISABLE_CACHE);
+  EXPECT_EQ(r->isolation_info().network_anonymization_key().ToDebugString(),
+            populated_same_site_nak.ToDebugString());
+  EXPECT_EQ(r->isolation_info().top_frame_origin(),
+            url::Origin::Create(GURL("https://a.com/")));
+  // Cross site double keyed NAKs should set a cross site dummy origin on the
+  // IsolationInfo.
+  EXPECT_TRUE(r->isolation_info().frame_origin());
+
+  r->set_isolation_info_from_network_anonymization_key(empty_nak);
+  EXPECT_TRUE(r->is_created_from_network_anonymization_key());
+  EXPECT_TRUE(r->load_flags() & LOAD_DISABLE_CACHE);
+  EXPECT_EQ(r->isolation_info().network_anonymization_key(), empty_nak);
+  EXPECT_FALSE(r->isolation_info().top_frame_origin());
+  EXPECT_FALSE(r->isolation_info().frame_origin());
+
+  r->Start();
+  d.RunUntilComplete();
+}
+
 class URLRequestMaybeAsyncFirstPartySetsTest
     : public URLRequestTest,
       public testing::WithParamInterface<bool> {
@@ -13118,10 +13334,8 @@ class URLRequestMaybeAsyncFirstPartySetsTest
   URLRequestMaybeAsyncFirstPartySetsTest() { CHECK(test_server_.Start()); }
 
   std::unique_ptr<CookieStore> CreateCookieStore() {
-    auto cookie_monster =
-        std::make_unique<CookieMonster>(/*store=*/nullptr,
-                                        /*net_log=*/nullptr,
-                                        /*first_party_sets_enabled=*/true);
+    auto cookie_monster = std::make_unique<CookieMonster>(/*store=*/nullptr,
+                                                          /*net_log=*/nullptr);
     auto cookie_access_delegate = std::make_unique<TestCookieAccessDelegate>();
     cookie_access_delegate->set_invoke_callbacks_asynchronously(
         invoke_callbacks_asynchronously());
diff --git a/chromium/net/url_request/view_cache_helper.cc b/chromium/net/url_request/view_cache_helper.cc
index dd52540e12b..136423ea5cd 100644
--- a/chromium/net/url_request/view_cache_helper.cc
+++ b/chromium/net/url_request/view_cache_helper.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/view_cache_helper.h b/chromium/net/url_request/view_cache_helper.h
index 897a59d4a7a..ae049266f0e 100644
--- a/chromium/net/url_request/view_cache_helper.h
+++ b/chromium/net/url_request/view_cache_helper.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/view_cache_helper_unittest.cc b/chromium/net/url_request/view_cache_helper_unittest.cc
index 8aad4412aa1..51acd9e9b65 100644
--- a/chromium/net/url_request/view_cache_helper_unittest.cc
+++ b/chromium/net/url_request/view_cache_helper_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/websocket_handshake_userdata_key.cc b/chromium/net/url_request/websocket_handshake_userdata_key.cc
index 8a37de5b883..a4c7968de1c 100644
--- a/chromium/net/url_request/websocket_handshake_userdata_key.cc
+++ b/chromium/net/url_request/websocket_handshake_userdata_key.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/url_request/websocket_handshake_userdata_key.h b/chromium/net/url_request/websocket_handshake_userdata_key.h
index 63b75b79402..a448808392b 100644
--- a/chromium/net/url_request/websocket_handshake_userdata_key.h
+++ b/chromium/net/url_request/websocket_handshake_userdata_key.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/OWNERS b/chromium/net/websockets/OWNERS
index 3dc0bbfbdc1..3c89006df0a 100644
--- a/chromium/net/websockets/OWNERS
+++ b/chromium/net/websockets/OWNERS
@@ -1,3 +1,2 @@
 ricea@chromium.org
-yhirano@chromium.org
 yoichio@chromium.org
diff --git a/chromium/net/websockets/websocket_basic_handshake_stream.cc b/chromium/net/websockets/websocket_basic_handshake_stream.cc
index c8bdabfa03a..387ac70a13f 100644
--- a/chromium/net/websockets/websocket_basic_handshake_stream.cc
+++ b/chromium/net/websockets/websocket_basic_handshake_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_basic_handshake_stream.h b/chromium/net/websockets/websocket_basic_handshake_stream.h
index 56fc995979d..067a9704688 100644
--- a/chromium/net/websockets/websocket_basic_handshake_stream.h
+++ b/chromium/net/websockets/websocket_basic_handshake_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -125,7 +125,8 @@ class NET_EXPORT_PRIVATE WebSocketBasicHandshakeStream final
 
   // Owned by another object.
   // |connect_delegate| will live during the lifetime of this object.
-  const raw_ptr<WebSocketStream::ConnectDelegate> connect_delegate_;
+  const raw_ptr<WebSocketStream::ConnectDelegate, DanglingUntriaged>
+      connect_delegate_;
 
   // This is stored in SendRequest() for use by ReadResponseHeaders().
   raw_ptr<HttpResponseInfo> http_response_info_ = nullptr;
@@ -153,7 +154,7 @@ class NET_EXPORT_PRIVATE WebSocketBasicHandshakeStream final
   // to avoid including extension-related header files here.
   std::unique_ptr<WebSocketExtensionParams> extension_params_;
 
-  const raw_ptr<WebSocketStreamRequestAPI> stream_request_;
+  const raw_ptr<WebSocketStreamRequestAPI, DanglingUntriaged> stream_request_;
 
   const raw_ptr<WebSocketEndpointLockManager> websocket_endpoint_lock_manager_;
 
diff --git a/chromium/net/websockets/websocket_basic_handshake_stream_test.cc b/chromium/net/websockets/websocket_basic_handshake_stream_test.cc
index e67cb6a6cd1..b39d71d0117 100644
--- a/chromium/net/websockets/websocket_basic_handshake_stream_test.cc
+++ b/chromium/net/websockets/websocket_basic_handshake_stream_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_basic_stream.cc b/chromium/net/websockets/websocket_basic_stream.cc
index 9df4137dc30..177059f67c4 100644
--- a/chromium/net/websockets/websocket_basic_stream.cc
+++ b/chromium/net/websockets/websocket_basic_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_basic_stream.h b/chromium/net/websockets/websocket_basic_stream.h
index b672aba5a07..80e88afeebc 100644
--- a/chromium/net/websockets/websocket_basic_stream.h
+++ b/chromium/net/websockets/websocket_basic_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_basic_stream_adapters.cc b/chromium/net/websockets/websocket_basic_stream_adapters.cc
index 734336a797d..a2b3efff5f8 100644
--- a/chromium/net/websockets/websocket_basic_stream_adapters.cc
+++ b/chromium/net/websockets/websocket_basic_stream_adapters.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_basic_stream_adapters.h b/chromium/net/websockets/websocket_basic_stream_adapters.h
index e522abacefb..538e7f81f9c 100644
--- a/chromium/net/websockets/websocket_basic_stream_adapters.h
+++ b/chromium/net/websockets/websocket_basic_stream_adapters.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_basic_stream_adapters_test.cc b/chromium/net/websockets/websocket_basic_stream_adapters_test.cc
index 28738759b58..1294283b510 100644
--- a/chromium/net/websockets/websocket_basic_stream_adapters_test.cc
+++ b/chromium/net/websockets/websocket_basic_stream_adapters_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -73,7 +73,7 @@ class WebSocketClientSocketHandleAdapterTest : public TestWithTaskEnvironment {
     int rv = connection->Init(
         ClientSocketPool::GroupId(
             url::SchemeHostPort(url::kHttpsScheme, "www.example.org", 443),
-            PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+            PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
             SecureDnsPolicy::kAllow),
         socks_params, TRAFFIC_ANNOTATION_FOR_TESTS /* proxy_annotation_tag */,
         MEDIUM, SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
@@ -289,7 +289,7 @@ class WebSocketSpdyStreamAdapterTest : public TestWithTaskEnvironment {
              PRIVACY_MODE_DISABLED,
              SpdySessionKey::IsProxySession::kFalse,
              SocketTag(),
-             NetworkIsolationKey(),
+             NetworkAnonymizationKey(),
              SecureDnsPolicy::kAllow),
         session_(SpdySessionDependencies::SpdyCreateSession(&session_deps_)),
         ssl_(SYNCHRONOUS, OK) {}
diff --git a/chromium/net/websockets/websocket_basic_stream_test.cc b/chromium/net/websockets/websocket_basic_stream_test.cc
index 1786a4e86fd..fe5586127a0 100644
--- a/chromium/net/websockets/websocket_basic_stream_test.cc
+++ b/chromium/net/websockets/websocket_basic_stream_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
@@ -148,7 +148,7 @@ class WebSocketBasicStreamSocketTest : public TestWithTaskEnvironment {
     scoped_refptr<ClientSocketPool::SocketParams> null_params;
     ClientSocketPool::GroupId group_id(
         url::SchemeHostPort(url::kHttpScheme, "a", 80),
-        PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+        PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
         SecureDnsPolicy::kAllow);
     transport_socket->Init(
         group_id, null_params, absl::nullopt /* proxy_annotation_tag */, MEDIUM,
diff --git a/chromium/net/websockets/websocket_channel.cc b/chromium/net/websockets/websocket_channel.cc
index 4d9392fc182..da21937d2ee 100644
--- a/chromium/net/websockets/websocket_channel.cc
+++ b/chromium/net/websockets/websocket_channel.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -958,7 +958,7 @@ bool WebSocketChannel::ParseClose(base::span<const char> payload,
 
     DVLOG(1) << "Close frame with payload size " << size << " received "
              << "(the first byte is " << std::hex
-             << static_cast<int>(payload.data()[0]) << ")";
+             << static_cast<int>(payload[0]) << ")";
     *code = kWebSocketErrorProtocolError;
     *message =
         "Received a broken close frame containing an invalid size body.";
diff --git a/chromium/net/websockets/websocket_channel.h b/chromium/net/websockets/websocket_channel.h
index c8d969097b5..954c94b5660 100644
--- a/chromium/net/websockets/websocket_channel.h
+++ b/chromium/net/websockets/websocket_channel.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_channel_test.cc b/chromium/net/websockets/websocket_channel_test.cc
index 13bc5f43660..cb8a8f5f60d 100644
--- a/chromium/net/websockets/websocket_channel_test.cc
+++ b/chromium/net/websockets/websocket_channel_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_parameters.cc b/chromium/net/websockets/websocket_deflate_parameters.cc
index 1aa3f1341c3..3fd41f0b714 100644
--- a/chromium/net/websockets/websocket_deflate_parameters.cc
+++ b/chromium/net/websockets/websocket_deflate_parameters.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_parameters.h b/chromium/net/websockets/websocket_deflate_parameters.h
index f5653e28006..cc4849a862c 100644
--- a/chromium/net/websockets/websocket_deflate_parameters.h
+++ b/chromium/net/websockets/websocket_deflate_parameters.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_parameters_test.cc b/chromium/net/websockets/websocket_deflate_parameters_test.cc
index 404c73d426f..6f8288cadc3 100644
--- a/chromium/net/websockets/websocket_deflate_parameters_test.cc
+++ b/chromium/net/websockets/websocket_deflate_parameters_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_predictor.h b/chromium/net/websockets/websocket_deflate_predictor.h
index 50b3f37991d..13b1f8b17c4 100644
--- a/chromium/net/websockets/websocket_deflate_predictor.h
+++ b/chromium/net/websockets/websocket_deflate_predictor.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_predictor_impl.cc b/chromium/net/websockets/websocket_deflate_predictor_impl.cc
index 60120008aa0..01ba833cf66 100644
--- a/chromium/net/websockets/websocket_deflate_predictor_impl.cc
+++ b/chromium/net/websockets/websocket_deflate_predictor_impl.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_predictor_impl.h b/chromium/net/websockets/websocket_deflate_predictor_impl.h
index 39472ec84f7..7b299bf4be4 100644
--- a/chromium/net/websockets/websocket_deflate_predictor_impl.h
+++ b/chromium/net/websockets/websocket_deflate_predictor_impl.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_predictor_impl_test.cc b/chromium/net/websockets/websocket_deflate_predictor_impl_test.cc
index 9a4546741b3..1c38d342978 100644
--- a/chromium/net/websockets/websocket_deflate_predictor_impl_test.cc
+++ b/chromium/net/websockets/websocket_deflate_predictor_impl_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_stream.cc b/chromium/net/websockets/websocket_deflate_stream.cc
index 5755c7f39e0..00ab6206d27 100644
--- a/chromium/net/websockets/websocket_deflate_stream.cc
+++ b/chromium/net/websockets/websocket_deflate_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_stream.h b/chromium/net/websockets/websocket_deflate_stream.h
index ad5f087226c..ebeff9e1bf7 100644
--- a/chromium/net/websockets/websocket_deflate_stream.h
+++ b/chromium/net/websockets/websocket_deflate_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_stream_fuzzer.cc b/chromium/net/websockets/websocket_deflate_stream_fuzzer.cc
index 07204240709..07e817c3df2 100644
--- a/chromium/net/websockets/websocket_deflate_stream_fuzzer.cc
+++ b/chromium/net/websockets/websocket_deflate_stream_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflate_stream_test.cc b/chromium/net/websockets/websocket_deflate_stream_test.cc
index c3a3b125657..11bfbdf5ff0 100644
--- a/chromium/net/websockets/websocket_deflate_stream_test.cc
+++ b/chromium/net/websockets/websocket_deflate_stream_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflater.cc b/chromium/net/websockets/websocket_deflater.cc
index 983398dd625..0a66a662491 100644
--- a/chromium/net/websockets/websocket_deflater.cc
+++ b/chromium/net/websockets/websocket_deflater.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflater.h b/chromium/net/websockets/websocket_deflater.h
index ab99aefc318..4983a3d76de 100644
--- a/chromium/net/websockets/websocket_deflater.h
+++ b/chromium/net/websockets/websocket_deflater.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_deflater_test.cc b/chromium/net/websockets/websocket_deflater_test.cc
index 2501d745a0c..6e27103c658 100644
--- a/chromium/net/websockets/websocket_deflater_test.cc
+++ b/chromium/net/websockets/websocket_deflater_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_end_to_end_test.cc b/chromium/net/websockets/websocket_end_to_end_test.cc
index 87b07b110e8..d4ad872d48c 100644
--- a/chromium/net/websockets/websocket_end_to_end_test.cc
+++ b/chromium/net/websockets/websocket_end_to_end_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -638,10 +638,6 @@ TEST_F(WebSocketEndToEndTest, HeaderContinuations) {
 // Test that ws->wss scheme upgrade is supported on receiving a DNS HTTPS
 // record.
 TEST_F(WebSocketEndToEndTest, DnsSchemeUpgradeSupported) {
-  base::test::ScopedFeatureList features;
-  features.InitAndEnableFeatureWithParameters(
-      features::kUseDnsHttpsSvcb, {{"UseDnsHttpsSvcbHttpUpgrade", "true"}});
-
   SpawnedTestServer wss_server(SpawnedTestServer::TYPE_WSS,
                                SpawnedTestServer::SSLOptions(base::FilePath(
                                    FILE_PATH_LITERAL("test_names.pem"))),
diff --git a/chromium/net/websockets/websocket_errors.cc b/chromium/net/websockets/websocket_errors.cc
index eeb0bf52e52..2b95b6ac177 100644
--- a/chromium/net/websockets/websocket_errors.cc
+++ b/chromium/net/websockets/websocket_errors.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_errors.h b/chromium/net/websockets/websocket_errors.h
index cf2b2b3366e..9bf55c6a452 100644
--- a/chromium/net/websockets/websocket_errors.h
+++ b/chromium/net/websockets/websocket_errors.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_errors_test.cc b/chromium/net/websockets/websocket_errors_test.cc
index 95147c70b88..a81b800cfed 100644
--- a/chromium/net/websockets/websocket_errors_test.cc
+++ b/chromium/net/websockets/websocket_errors_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_event_interface.h b/chromium/net/websockets/websocket_event_interface.h
index 956732de1ce..451152393b9 100644
--- a/chromium/net/websockets/websocket_event_interface.h
+++ b/chromium/net/websockets/websocket_event_interface.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_extension.cc b/chromium/net/websockets/websocket_extension.cc
index 96435856b37..84ef0e606d9 100644
--- a/chromium/net/websockets/websocket_extension.cc
+++ b/chromium/net/websockets/websocket_extension.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_extension.h b/chromium/net/websockets/websocket_extension.h
index 4c42a76f310..67eb4609da6 100644
--- a/chromium/net/websockets/websocket_extension.h
+++ b/chromium/net/websockets/websocket_extension.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_extension_parser.cc b/chromium/net/websockets/websocket_extension_parser.cc
index c37362fff4c..41152cb5a1a 100644
--- a/chromium/net/websockets/websocket_extension_parser.cc
+++ b/chromium/net/websockets/websocket_extension_parser.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_extension_parser.h b/chromium/net/websockets/websocket_extension_parser.h
index 54f7a7f57df..d96e1019e00 100644
--- a/chromium/net/websockets/websocket_extension_parser.h
+++ b/chromium/net/websockets/websocket_extension_parser.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_extension_parser_fuzzer.cc b/chromium/net/websockets/websocket_extension_parser_fuzzer.cc
index 120ee6ada6b..f5af44401eb 100644
--- a/chromium/net/websockets/websocket_extension_parser_fuzzer.cc
+++ b/chromium/net/websockets/websocket_extension_parser_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
+// Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_extension_parser_test.cc b/chromium/net/websockets/websocket_extension_parser_test.cc
index ab4caef6bc2..69f5123aba7 100644
--- a/chromium/net/websockets/websocket_extension_parser_test.cc
+++ b/chromium/net/websockets/websocket_extension_parser_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_extension_test.cc b/chromium/net/websockets/websocket_extension_test.cc
index 86819b669c6..f56c59bda51 100644
--- a/chromium/net/websockets/websocket_extension_test.cc
+++ b/chromium/net/websockets/websocket_extension_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_frame.cc b/chromium/net/websockets/websocket_frame.cc
index 1f931e6ca2c..5a2a0182d21 100644
--- a/chromium/net/websockets/websocket_frame.cc
+++ b/chromium/net/websockets/websocket_frame.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_frame.h b/chromium/net/websockets/websocket_frame.h
index a6ca5ab48d8..0499275a84a 100644
--- a/chromium/net/websockets/websocket_frame.h
+++ b/chromium/net/websockets/websocket_frame.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_frame_parser.cc b/chromium/net/websockets/websocket_frame_parser.cc
index 52c89b958c8..b5829d6c082 100644
--- a/chromium/net/websockets/websocket_frame_parser.cc
+++ b/chromium/net/websockets/websocket_frame_parser.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_frame_parser.h b/chromium/net/websockets/websocket_frame_parser.h
index bcffd1b9c99..24f6cdde938 100644
--- a/chromium/net/websockets/websocket_frame_parser.h
+++ b/chromium/net/websockets/websocket_frame_parser.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_frame_parser_fuzzer.cc b/chromium/net/websockets/websocket_frame_parser_fuzzer.cc
index aa927a7609f..f4f9d6c729c 100644
--- a/chromium/net/websockets/websocket_frame_parser_fuzzer.cc
+++ b/chromium/net/websockets/websocket_frame_parser_fuzzer.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_frame_parser_test.cc b/chromium/net/websockets/websocket_frame_parser_test.cc
index c7a9ca47d9a..f2aef4a9f8d 100644
--- a/chromium/net/websockets/websocket_frame_parser_test.cc
+++ b/chromium/net/websockets/websocket_frame_parser_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_frame_perftest.cc b/chromium/net/websockets/websocket_frame_perftest.cc
index 3129380d3c9..60b935b0724 100644
--- a/chromium/net/websockets/websocket_frame_perftest.cc
+++ b/chromium/net/websockets/websocket_frame_perftest.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_frame_test.cc b/chromium/net/websockets/websocket_frame_test.cc
index 268a476e099..4148c0babe4 100644
--- a/chromium/net/websockets/websocket_frame_test.cc
+++ b/chromium/net/websockets/websocket_frame_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_challenge.cc b/chromium/net/websockets/websocket_handshake_challenge.cc
index 0e8ced61405..913009c0366 100644
--- a/chromium/net/websockets/websocket_handshake_challenge.cc
+++ b/chromium/net/websockets/websocket_handshake_challenge.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_challenge.h b/chromium/net/websockets/websocket_handshake_challenge.h
index e21f2b00f67..5ff3192355f 100644
--- a/chromium/net/websockets/websocket_handshake_challenge.h
+++ b/chromium/net/websockets/websocket_handshake_challenge.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_challenge_test.cc b/chromium/net/websockets/websocket_handshake_challenge_test.cc
index d7e45ca92fa..6ecb0af795c 100644
--- a/chromium/net/websockets/websocket_handshake_challenge_test.cc
+++ b/chromium/net/websockets/websocket_handshake_challenge_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_constants.cc b/chromium/net/websockets/websocket_handshake_constants.cc
index 8b90373be2f..32239d1d27e 100644
--- a/chromium/net/websockets/websocket_handshake_constants.cc
+++ b/chromium/net/websockets/websocket_handshake_constants.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_constants.h b/chromium/net/websockets/websocket_handshake_constants.h
index 89c92612ff6..1a5955a4163 100644
--- a/chromium/net/websockets/websocket_handshake_constants.h
+++ b/chromium/net/websockets/websocket_handshake_constants.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_request_info.cc b/chromium/net/websockets/websocket_handshake_request_info.cc
index ba0cd66c0a1..0a8f5220b71 100644
--- a/chromium/net/websockets/websocket_handshake_request_info.cc
+++ b/chromium/net/websockets/websocket_handshake_request_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_request_info.h b/chromium/net/websockets/websocket_handshake_request_info.h
index b416a63f76e..2fd4b649741 100644
--- a/chromium/net/websockets/websocket_handshake_request_info.h
+++ b/chromium/net/websockets/websocket_handshake_request_info.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_response_info.cc b/chromium/net/websockets/websocket_handshake_response_info.cc
index 90ca0e1cc04..42c484d4625 100644
--- a/chromium/net/websockets/websocket_handshake_response_info.cc
+++ b/chromium/net/websockets/websocket_handshake_response_info.cc
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_response_info.h b/chromium/net/websockets/websocket_handshake_response_info.h
index 1a745fe8f39..af1e91742d0 100644
--- a/chromium/net/websockets/websocket_handshake_response_info.h
+++ b/chromium/net/websockets/websocket_handshake_response_info.h
@@ -1,4 +1,4 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
+// Copyright 2014 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_stream_base.cc b/chromium/net/websockets/websocket_handshake_stream_base.cc
index 16b4db5952b..2ee5990cf6b 100644
--- a/chromium/net/websockets/websocket_handshake_stream_base.cc
+++ b/chromium/net/websockets/websocket_handshake_stream_base.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_stream_base.h b/chromium/net/websockets/websocket_handshake_stream_base.h
index 9cb7f0949cc..b9409d579bd 100644
--- a/chromium/net/websockets/websocket_handshake_stream_base.h
+++ b/chromium/net/websockets/websocket_handshake_stream_base.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_stream_create_helper.cc b/chromium/net/websockets/websocket_handshake_stream_create_helper.cc
index 44ca0f9fa4c..38606f99b72 100644
--- a/chromium/net/websockets/websocket_handshake_stream_create_helper.cc
+++ b/chromium/net/websockets/websocket_handshake_stream_create_helper.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_handshake_stream_create_helper.h b/chromium/net/websockets/websocket_handshake_stream_create_helper.h
index 1b7083b25d8..1291a2c812b 100644
--- a/chromium/net/websockets/websocket_handshake_stream_create_helper.h
+++ b/chromium/net/websockets/websocket_handshake_stream_create_helper.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -58,9 +58,10 @@ class NET_EXPORT_PRIVATE WebSocketHandshakeStreamCreateHelper
       std::set<std::string> dns_aliases) override;
 
  private:
-  const raw_ptr<WebSocketStream::ConnectDelegate> connect_delegate_;
+  const raw_ptr<WebSocketStream::ConnectDelegate, DanglingUntriaged>
+      connect_delegate_;
   const std::vector<std::string> requested_subprotocols_;
-  const raw_ptr<WebSocketStreamRequestAPI> request_;
+  const raw_ptr<WebSocketStreamRequestAPI, DanglingUntriaged> request_;
 };
 
 }  // namespace net
diff --git a/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc b/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc
index 9b1baf00068..3982e7ee317 100644
--- a/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc
+++ b/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -98,7 +98,7 @@ class MockClientSocketHandleFactory {
     socket_handle->Init(
         ClientSocketPool::GroupId(
             url::SchemeHostPort(url::kHttpScheme, "a", 80),
-            PrivacyMode::PRIVACY_MODE_DISABLED, NetworkIsolationKey(),
+            PrivacyMode::PRIVACY_MODE_DISABLED, NetworkAnonymizationKey(),
             SecureDnsPolicy::kAllow),
         scoped_refptr<ClientSocketPool::SocketParams>(),
         absl::nullopt /* proxy_annotation_tag */, MEDIUM, SocketTag(),
@@ -268,7 +268,7 @@ class WebSocketHandshakeStreamCreateHelperTest
         const SpdySessionKey key(
             HostPortPair::FromURL(url), ProxyServer::Direct(),
             PRIVACY_MODE_DISABLED, SpdySessionKey::IsProxySession::kFalse,
-            SocketTag(), NetworkIsolationKey(), SecureDnsPolicy::kAllow);
+            SocketTag(), NetworkAnonymizationKey(), SecureDnsPolicy::kAllow);
         base::WeakPtr<SpdySession> spdy_session =
             CreateSpdySession(http_network_session.get(), key, net_log);
         std::unique_ptr<WebSocketHandshakeStreamBase> handshake =
diff --git a/chromium/net/websockets/websocket_http2_handshake_stream.cc b/chromium/net/websockets/websocket_http2_handshake_stream.cc
index f8fa7e1abe8..0dd56a547be 100644
--- a/chromium/net/websockets/websocket_http2_handshake_stream.cc
+++ b/chromium/net/websockets/websocket_http2_handshake_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_http2_handshake_stream.h b/chromium/net/websockets/websocket_http2_handshake_stream.h
index feec88f7020..25c8c2287c6 100644
--- a/chromium/net/websockets/websocket_http2_handshake_stream.h
+++ b/chromium/net/websockets/websocket_http2_handshake_stream.h
@@ -1,4 +1,4 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
+// Copyright 2018 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_inflater.cc b/chromium/net/websockets/websocket_inflater.cc
index 9244754646c..ac4f6934a99 100644
--- a/chromium/net/websockets/websocket_inflater.cc
+++ b/chromium/net/websockets/websocket_inflater.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_inflater.h b/chromium/net/websockets/websocket_inflater.h
index 540aeac5b97..c89d7b5c10f 100644
--- a/chromium/net/websockets/websocket_inflater.h
+++ b/chromium/net/websockets/websocket_inflater.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_inflater_test.cc b/chromium/net/websockets/websocket_inflater_test.cc
index ad2eda35a71..d4e68cb09bc 100644
--- a/chromium/net/websockets/websocket_inflater_test.cc
+++ b/chromium/net/websockets/websocket_inflater_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_stream.cc b/chromium/net/websockets/websocket_stream.cc
index 762c8aeda6f..64ace353f92 100644
--- a/chromium/net/websockets/websocket_stream.cc
+++ b/chromium/net/websockets/websocket_stream.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_stream.h b/chromium/net/websockets/websocket_stream.h
index 14db067575d..ed0efdec3b2 100644
--- a/chromium/net/websockets/websocket_stream.h
+++ b/chromium/net/websockets/websocket_stream.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Copyright 2012 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_stream_cookie_test.cc b/chromium/net/websockets/websocket_stream_cookie_test.cc
index b657bf90543..1692b79d1fd 100644
--- a/chromium/net/websockets/websocket_stream_cookie_test.cc
+++ b/chromium/net/websockets/websocket_stream_cookie_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_stream_create_test_base.cc b/chromium/net/websockets/websocket_stream_create_test_base.cc
index 08f27ae76cd..27ea50269b2 100644
--- a/chromium/net/websockets/websocket_stream_create_test_base.cc
+++ b/chromium/net/websockets/websocket_stream_create_test_base.cc
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_stream_create_test_base.h b/chromium/net/websockets/websocket_stream_create_test_base.h
index 8e36af76ddf..be4eba9b452 100644
--- a/chromium/net/websockets/websocket_stream_create_test_base.h
+++ b/chromium/net/websockets/websocket_stream_create_test_base.h
@@ -1,4 +1,4 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
+// Copyright 2015 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_stream_test.cc b/chromium/net/websockets/websocket_stream_test.cc
index 1b7c0e817fa..7e45388638d 100644
--- a/chromium/net/websockets/websocket_stream_test.cc
+++ b/chromium/net/websockets/websocket_stream_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_test_util.cc b/chromium/net/websockets/websocket_test_util.cc
index 6d8a39da150..3b4ae7a1c01 100644
--- a/chromium/net/websockets/websocket_test_util.cc
+++ b/chromium/net/websockets/websocket_test_util.cc
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
diff --git a/chromium/net/websockets/websocket_test_util.h b/chromium/net/websockets/websocket_test_util.h
index 82dff864a8d..4363f9c760c 100644
--- a/chromium/net/websockets/websocket_test_util.h
+++ b/chromium/net/websockets/websocket_test_util.h
@@ -1,4 +1,4 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
+// Copyright 2013 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.